* Update Samba
@ 2016-04-18 21:00 Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 1/5] libtalloc: Update to latest stable Joe MacDonald
` (5 more replies)
0 siblings, 6 replies; 16+ messages in thread
From: Joe MacDonald @ 2016-04-18 21:00 UTC (permalink / raw)
To: openembedded-devel
I'm still doing some testing on this and I haven't built for all the
architectures yet, but it passed at least the most basic smoke-test. Given the
number of outstanding CVEs against our current version of Samba (thanks Armin!
:-)) I think it's best fo rus to update this rather than trying to do any
back-ports, but that also introduces a not-inconsiderable level of risk for
Samba users. So please, if you're one of them, kick the tires on this as soon
as you can (or ping me back letting me know what your thoughts are on this, at
least).
Thanks all.
--
-Joe MacDonald.
:wq
^ permalink raw reply [flat|nested] 16+ messages in thread
* [meta-networking][PATCH 1/5] libtalloc: Update to latest stable
2016-04-18 21:00 Update Samba Joe MacDonald
@ 2016-04-18 21:00 ` Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 2/5] libtdb: " Joe MacDonald
` (4 subsequent siblings)
5 siblings, 0 replies; 16+ messages in thread
From: Joe MacDonald @ 2016-04-18 21:00 UTC (permalink / raw)
To: openembedded-devel
The update of Samba requires a newer version of libtalloc, so update it.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
.../libtalloc/{libtalloc_2.1.3.bb => libtalloc_2.1.6.bb} | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
rename meta-networking/recipes-support/libtalloc/{libtalloc_2.1.3.bb => libtalloc_2.1.6.bb} (91%)
diff --git a/meta-networking/recipes-support/libtalloc/libtalloc_2.1.3.bb b/meta-networking/recipes-support/libtalloc/libtalloc_2.1.6.bb
similarity index 91%
rename from meta-networking/recipes-support/libtalloc/libtalloc_2.1.3.bb
rename to meta-networking/recipes-support/libtalloc/libtalloc_2.1.6.bb
index 8209264..8937311 100644
--- a/meta-networking/recipes-support/libtalloc/libtalloc_2.1.3.bb
+++ b/meta-networking/recipes-support/libtalloc/libtalloc_2.1.6.bb
@@ -9,8 +9,9 @@ SRC_URI = "http://samba.org/ftp/talloc/talloc-${PV}.tar.gz"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/LGPL-3.0;md5=bfccfe952269fff2b407dd11f2f3083b \
file://${COREBASE}/meta/files/common-licenses/GPL-3.0;md5=c79ff39f19dfec6d293b95dea7b07891"
-SRC_URI[md5sum] = "3e285de2228ae67ff0a0f5cec658f627"
-SRC_URI[sha256sum] = "7aa5f75b22d4ef9c737b25515f2a2837ddc13014ff4ac6e58dd9e311f41f2cb0"
+SRC_URI[md5sum] = "707010c6ede5821fd34397f5d9ec6ab8"
+SRC_URI[sha256sum] = "3b8e1a50bacb359d99942e0dd9941cef779ae4b5eb20f138873bd8270cb1d47b"
+
inherit waf-samba
--
1.9.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [meta-networking][PATCH 2/5] libtdb: Update to latest stable
2016-04-18 21:00 Update Samba Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 1/5] libtalloc: Update to latest stable Joe MacDonald
@ 2016-04-18 21:00 ` Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 3/5] libtevent: " Joe MacDonald
` (3 subsequent siblings)
5 siblings, 0 replies; 16+ messages in thread
From: Joe MacDonald @ 2016-04-18 21:00 UTC (permalink / raw)
To: openembedded-devel
The update of Samba requires a newer version of libtdb, so update it.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
.../recipes-support/libtdb/{libtdb_1.3.7.bb => libtdb_1.3.8.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-networking/recipes-support/libtdb/{libtdb_1.3.7.bb => libtdb_1.3.8.bb} (87%)
diff --git a/meta-networking/recipes-support/libtdb/libtdb_1.3.7.bb b/meta-networking/recipes-support/libtdb/libtdb_1.3.8.bb
similarity index 87%
rename from meta-networking/recipes-support/libtdb/libtdb_1.3.7.bb
rename to meta-networking/recipes-support/libtdb/libtdb_1.3.8.bb
index c6a689b..bf6698a 100644
--- a/meta-networking/recipes-support/libtdb/libtdb_1.3.7.bb
+++ b/meta-networking/recipes-support/libtdb/libtdb_1.3.8.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/LGPL-3.0;md5=b
SRC_URI = "http://samba.org/ftp/tdb/tdb-${PV}.tar.gz \
file://do-not-check-xsltproc-manpages.patch"
-SRC_URI[md5sum] = "e3741a19c427255acd1e92c5e09d9df7"
-SRC_URI[sha256sum] = "a64d95ca0cc06a28fed24c6e952aed7660cae04983108735d6bc30b925136412"
+SRC_URI[md5sum] = "fa4c9e2f59fcf41441285bca5f5ab481"
+SRC_URI[sha256sum] = "0605ac0427eac9c23bf61ebfd8206a07d5ece198498eab1769cd0cfb6e7de6b1"
S = "${WORKDIR}/tdb-${PV}"
--
1.9.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [meta-networking][PATCH 3/5] libtevent: Update to latest stable
2016-04-18 21:00 Update Samba Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 1/5] libtalloc: Update to latest stable Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 2/5] libtdb: " Joe MacDonald
@ 2016-04-18 21:00 ` Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 4/5] libldb: " Joe MacDonald
` (2 subsequent siblings)
5 siblings, 0 replies; 16+ messages in thread
From: Joe MacDonald @ 2016-04-18 21:00 UTC (permalink / raw)
To: openembedded-devel
The update of Samba requires a newer version of libtevent, so update it.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
.../libtevent/{libtevent_0.9.25.bb => libtevent_0.9.28.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-networking/recipes-support/libtevent/{libtevent_0.9.25.bb => libtevent_0.9.28.bb} (88%)
diff --git a/meta-networking/recipes-support/libtevent/libtevent_0.9.25.bb b/meta-networking/recipes-support/libtevent/libtevent_0.9.28.bb
similarity index 88%
rename from meta-networking/recipes-support/libtevent/libtevent_0.9.25.bb
rename to meta-networking/recipes-support/libtevent/libtevent_0.9.28.bb
index aa61ea6..d0ad748 100644
--- a/meta-networking/recipes-support/libtevent/libtevent_0.9.25.bb
+++ b/meta-networking/recipes-support/libtevent/libtevent_0.9.28.bb
@@ -9,8 +9,8 @@ RDEPENDS_python-tevent = "python"
SRC_URI = "http://samba.org/ftp/tevent/tevent-${PV}.tar.gz"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/LGPL-3.0;md5=bfccfe952269fff2b407dd11f2f3083b"
-SRC_URI[md5sum] = "8d01a2076cb8cd30cab40393d27043df"
-SRC_URI[sha256sum] = "fedeb0d55a11b3593b562ec09b32e44bd67619ed10e5fa10d1868adb1649c669"
+SRC_URI[md5sum] = "945845817918f5cfbe0202d80a7db118"
+SRC_URI[sha256sum] = "04d953379025b1560af5c4ffcce58a3ee84db7aaa09c9f1e3eff5b2945a13529"
inherit waf-samba
--
1.9.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [meta-networking][PATCH 4/5] libldb: Update to latest stable
2016-04-18 21:00 Update Samba Joe MacDonald
` (2 preceding siblings ...)
2016-04-18 21:00 ` [meta-networking][PATCH 3/5] libtevent: " Joe MacDonald
@ 2016-04-18 21:00 ` Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 5/5] samba: " Joe MacDonald
2016-04-22 16:30 ` Update Samba George McCollister
5 siblings, 0 replies; 16+ messages in thread
From: Joe MacDonald @ 2016-04-18 21:00 UTC (permalink / raw)
To: openembedded-devel
The update of Samba requires a newer version of libldb, so update it.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
...not-import-target-module-while-cross-compile.patch | 19 ++++++++++---------
.../libldb/{libldb_1.1.21.bb => libldb_1.1.26.bb} | 4 ++--
2 files changed, 12 insertions(+), 11 deletions(-)
rename meta-networking/recipes-support/libldb/{libldb_1.1.21.bb => libldb_1.1.26.bb} (92%)
diff --git a/meta-networking/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch b/meta-networking/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch
index 2425a55..fdd312c 100755
--- a/meta-networking/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch
+++ b/meta-networking/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch
@@ -3,18 +3,19 @@ we just check whether does the module exist.
Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
---- ldb-1.1.17.orig/buildtools/wafsamba/samba_bundled.py 2015-07-16 16:42:12.265127110 +0800
-+++ ldb-1.1.17/buildtools/wafsamba/samba_bundled.py 2015-07-16 16:45:25.717119550 +0800
-@@ -1,7 +1,7 @@
- # functions to support bundled libraries
+Index: ldb-1.1.26/buildtools/wafsamba/samba_bundled.py
+===================================================================
+--- ldb-1.1.26.orig/buildtools/wafsamba/samba_bundled.py
++++ ldb-1.1.26/buildtools/wafsamba/samba_bundled.py
+@@ -2,6 +2,7 @@
+ import sys
+ import Build, Options, Logs
++import imp, os
from Configure import conf
--import sys, Logs
-+import sys, Logs, imp
- from samba_utils import *
+ from samba_utils import TO_LIST
- def PRIVATE_NAME(bld, name, private_extension, private_library):
-@@ -218,17 +218,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
+@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
# versions
minversion = minimum_library_version(conf, libname, minversion)
diff --git a/meta-networking/recipes-support/libldb/libldb_1.1.21.bb b/meta-networking/recipes-support/libldb/libldb_1.1.26.bb
similarity index 92%
rename from meta-networking/recipes-support/libldb/libldb_1.1.21.bb
rename to meta-networking/recipes-support/libldb/libldb_1.1.26.bb
index bdad87d..5458d47 100644
--- a/meta-networking/recipes-support/libldb/libldb_1.1.21.bb
+++ b/meta-networking/recipes-support/libldb/libldb_1.1.26.bb
@@ -17,8 +17,8 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/LGPL-3.0;md5=b
file://${COREBASE}/meta/files/common-licenses/LGPL-2.1;md5=1a6d268fd218675ffea8be556788b780 \
file://${COREBASE}/meta/files/common-licenses/GPL-3.0;md5=c79ff39f19dfec6d293b95dea7b07891"
-SRC_URI[md5sum] = "94ba09c7452fff68df3481686c56677e"
-SRC_URI[sha256sum] = "267bbb7f278068eaf0de27adffda2e691a070a93c5c15ee27c828e87b4c7dbf1"
+SRC_URI[md5sum] = "31780b702b638ad32aa5d9853d257839"
+SRC_URI[sha256sum] = "8843c7a72b980d9413ba6c494c039bccd10c524b37fda2917afb147745d8b2e6"
inherit waf-samba
--
1.9.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [meta-networking][PATCH 5/5] samba: Update to latest stable
2016-04-18 21:00 Update Samba Joe MacDonald
` (3 preceding siblings ...)
2016-04-18 21:00 ` [meta-networking][PATCH 4/5] libldb: " Joe MacDonald
@ 2016-04-18 21:00 ` Joe MacDonald
2016-04-19 9:15 ` Martin Jansa
2016-04-22 16:30 ` Update Samba George McCollister
5 siblings, 1 reply; 16+ messages in thread
From: Joe MacDonald @ 2016-04-18 21:00 UTC (permalink / raw)
To: openembedded-devel
The previous version of Samba had many critical security updates that
would've required significant backporting effort. Update to the latest
stable release instead.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
...1-waf-sanitize-and-fix-added-cross-answer.patch | 60 -
...-Adds-a-new-mode-to-samba-cross-compiling.patch | 112 -
...-readability-of-cross-answers-generated-b.patch | 66 -
...wafsamba-CHECK_SIZEOF-cross-compile-frien.patch | 72 -
.../0005-build-unify-and-fix-endian-tests.patch | 169 -
...sing-of-cross-answers-file-in-case-answer.patch | 36 -
.../samba-4.1.12/01-fix-force-user-sec-ads.patch | 1448 -
.../samba/samba-4.1.12/02-fix-ipv6-join.patch | 266 -
.../samba-4.1.12/03-net-ads-kerberos-pac.patch | 962 -
.../samba/samba-4.1.12/04-ipv6-workaround.patch | 211 -
.../05-fix-gecos-field-with-samlogon.patch | 29894 -------------------
.../06-fix-nmbd-systemd-status-update.patch | 97 -
.../07-fix-idmap-ad-getgroups-without-gid.patch | 42 -
.../08-fix-idmap-ad-sfu-with-trusted-domains.patch | 44 -
.../09-fix-smbclient-echo-cmd-segfault.patch | 35 -
...improve-service-principal-guessing-in-net.patch | 180 -
...x-overwriting-of-spns-during-net-ads-join.patch | 329 -
...ted-spns-from-AD-during-keytab-generation.patch | 159 -
.../samba/samba-4.1.12/13-fix-aes-enctype.patch | 988 -
.../samba/samba-4.1.12/14-fix-dnsupdate.patch | 51 -
.../15-fix-netbios-name-truncation.patch | 154 -
.../16-do-not-check-xsltproc-manpages.patch | 52 -
.../samba-4.1.12/17-execute-prog-by-qemu.patch | 22 -
.../18-avoid-get-config-by-native-ncurses.patch | 22 -
...systemd-daemon-is-contained-by-libsystemd.patch | 42 -
.../samba-4.1.12/21-avoid-sasl-unless-wanted.patch | 10 -
.../00-fix-typos-in-man-pages.patch | 0
...006-avoid-using-colon-in-the-checking-msg.patch | 0
.../16-do-not-check-xsltproc-manpages.patch | 43 +
...-import-target-module-while-cross-compile.patch | 19 +-
.../21-add-config-option-without-valgrind.patch | 0
.../samba/{samba_4.1.12.bb => samba_4.4.2.bb} | 81 +-
32 files changed, 81 insertions(+), 35585 deletions(-)
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/00-fix-typos-in-man-pages.patch (100%)
rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/0006-avoid-using-colon-in-the-checking-msg.patch (100%)
create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/20-do-not-import-target-module-while-cross-compile.patch (79%)
mode change 100755 => 100644
rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/21-add-config-option-without-valgrind.patch (100%)
rename meta-networking/recipes-connectivity/samba/{samba_4.1.12.bb => samba_4.4.2.bb} (82%)
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
deleted file mode 100644
index 69668c0..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 1b32c7d7f148bcf2598799b21dfa3ba1ed824d32 Mon Sep 17 00:00:00 2001
-From: Uri Simchoni <urisimchoni@gmail.com>
-Date: Mon, 18 May 2015 21:12:06 +0300
-Subject: [PATCH 1/7] waf: sanitize and fix added cross answer
-
-When configuring samba for cross-compilation using the cross-answers
-method, the function add_answer receives the standard output and exit code
-of a configuration test and updates the cross-answers file accordingly.
-
-This patch sanitizes the standard output to conform to the cross-answers
-file format - one line of output. It also adds a missing newline.
-
-(Note - at this point add_answer is only ever called with empty output
-but this change is significant for the reminder of this patchset)
-
-Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-
-Upstream-Status: Backport
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- buildtools/wafsamba/samba_cross.py | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
-index 3838e34..fc1d78e 100644
---- a/buildtools/wafsamba/samba_cross.py
-+++ b/buildtools/wafsamba/samba_cross.py
-@@ -19,6 +19,16 @@ def add_answer(ca_file, msg, answer):
- except:
- Logs.error("Unable to open cross-answers file %s" % ca_file)
- sys.exit(1)
-+ (retcode, retstring) = answer
-+ # if retstring is more than one line then we probably
-+ # don't care about its actual content (the tests should
-+ # yield one-line output in order to comply with the cross-answer
-+ # format)
-+ retstring = retstring.strip()
-+ if len(retstring.split('\n')) > 1:
-+ retstring = ''
-+ answer = (retcode, retstring)
-+
- if answer == ANSWER_OK:
- f.write('%s: OK\n' % msg)
- elif answer == ANSWER_UNKNOWN:
-@@ -26,8 +36,7 @@ def add_answer(ca_file, msg, answer):
- elif answer == ANSWER_FAIL:
- f.write('%s: FAIL\n' % msg)
- else:
-- (retcode, retstring) = answer
-- f.write('%s: (%d, "%s")' % (msg, retcode, retstring))
-+ f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
- f.close()
-
-
---
-1.9.1
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
deleted file mode 100644
index fce3abc..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From add52538b9a0ccf66ca87c7a691bf59901765849 Mon Sep 17 00:00:00 2001
-From: Uri Simchoni <urisimchoni@gmail.com>
-Date: Mon, 18 May 2015 21:15:19 +0300
-Subject: [PATCH 2/7] Adds a new mode to samba cross-compiling.
-
-When both --cross-answers and --cross-execute are set, this means:
-- Use cross-answers
-- If answer is unknown, then instead of adding UNKNOWN to the cross-answers
- file and failing configure, the new mode runs cross-execute to determine the
- answer and adds that to the cross-answers file.
-
-Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-
-Upstream-Status: Backport
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- buildtools/wafsamba/samba_cross.py | 46 ++++++++++++++++++++++++++++----------
- 1 file changed, 34 insertions(+), 12 deletions(-)
-
-diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
-index fc1d78e..3f1ef12 100644
---- a/buildtools/wafsamba/samba_cross.py
-+++ b/buildtools/wafsamba/samba_cross.py
-@@ -45,7 +45,6 @@ def cross_answer(ca_file, msg):
- try:
- f = open(ca_file, 'r')
- except:
-- add_answer(ca_file, msg, ANSWER_UNKNOWN)
- return ANSWER_UNKNOWN
- for line in f:
- line = line.strip()
-@@ -78,7 +77,6 @@ def cross_answer(ca_file, msg):
- else:
- raise Utils.WafError("Bad answer format '%s' in %s" % (line, ca_file))
- f.close()
-- add_answer(ca_file, msg, ANSWER_UNKNOWN)
- return ANSWER_UNKNOWN
-
-
-@@ -86,24 +84,47 @@ class cross_Popen(Utils.pproc.Popen):
- '''cross-compilation wrapper for Popen'''
- def __init__(*k, **kw):
- (obj, args) = k
--
-- if '--cross-execute' in args:
-- # when --cross-execute is set, then change the arguments
-- # to use the cross emulator
-- i = args.index('--cross-execute')
-- newargs = args[i+1].split()
-- newargs.extend(args[0:i])
-- args = newargs
-- elif '--cross-answers' in args:
-+ use_answers = False
-+ ans = ANSWER_UNKNOWN
-+
-+ # Three possibilities:
-+ # 1. Only cross-answers - try the cross-answers file, and if
-+ # there's no corresponding answer, add to the file and mark
-+ # the configure process as unfinished.
-+ # 2. Only cross-execute - get the answer from cross-execute
-+ # 3. Both - try the cross-answers file, and if there is no
-+ # corresponding answer - use cross-execute to get an answer,
-+ # and add that answer to the file.
-+ if '--cross-answers' in args:
- # when --cross-answers is set, then change the arguments
- # to use the cross answers if available
-+ use_answers = True
- i = args.index('--cross-answers')
- ca_file = args[i+1]
- msg = args[i+2]
- ans = cross_answer(ca_file, msg)
-+
-+ if '--cross-execute' in args and ans == ANSWER_UNKNOWN:
-+ # when --cross-execute is set, then change the arguments
-+ # to use the cross emulator
-+ i = args.index('--cross-execute')
-+ newargs = args[i+1].split()
-+ newargs.extend(args[0:i])
-+ if use_answers:
-+ p = real_Popen(newargs,
-+ stdout=Utils.pproc.PIPE,
-+ stderr=Utils.pproc.PIPE)
-+ ce_out, ce_err = p.communicate()
-+ ans = (p.returncode, ce_out)
-+ add_answer(ca_file, msg, ans)
-+ else:
-+ args = newargs
-+
-+ if use_answers:
- if ans == ANSWER_UNKNOWN:
- global cross_answers_incomplete
- cross_answers_incomplete = True
-+ add_answer(ca_file, msg, ans)
- (retcode, retstring) = ans
- args = ['/bin/sh', '-c', "echo -n '%s'; exit %d" % (retstring, retcode)]
- real_Popen.__init__(*(obj, args), **kw)
-@@ -124,7 +145,8 @@ def SAMBA_CROSS_ARGS(conf, msg=None):
-
- if conf.env.CROSS_EXECUTE:
- ret.extend(['--cross-execute', conf.env.CROSS_EXECUTE])
-- elif conf.env.CROSS_ANSWERS:
-+
-+ if conf.env.CROSS_ANSWERS:
- if msg is None:
- raise Utils.WafError("Cannot have NULL msg in cross-answers")
- ret.extend(['--cross-answers', os.path.join(Options.launch_dir, conf.env.CROSS_ANSWERS), msg])
---
-1.9.1
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
deleted file mode 100644
index ec17d9d..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From f7052d633396005563e44509428503f42c9faa97 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Thu, 12 Nov 2015 01:00:11 -0500
-Subject: [PATCH 3/7] waf: improve readability of cross-answers generated by cross-execute
-
-When generating a result for cross-answers from the (retcode, retstring) tuple:
-- (0, "output") indicated as "output"
-- 1 is interpreted as generic fail code, instead of 255, because most
- if not all tests fail with 1 as exit code rather than 255
-- For failing test, use NO instead of FAIL, because that's not
- necessarily a failure (it could mean that something is NOT
- broken)
-
-Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-
-Upstream-Status: Backport
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- buildtools/wafsamba/samba_cross.py | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
-index 3f1ef12..d1e7006 100644
---- a/buildtools/wafsamba/samba_cross.py
-+++ b/buildtools/wafsamba/samba_cross.py
-@@ -6,7 +6,7 @@ from Configure import conf
- real_Popen = None
-
- ANSWER_UNKNOWN = (254, "")
--ANSWER_FAIL = (255, "")
-+ANSWER_NO = (1, "")
- ANSWER_OK = (0, "")
-
- cross_answers_incomplete = False
-@@ -33,10 +33,13 @@ def add_answer(ca_file, msg, answer):
- f.write('%s: OK\n' % msg)
- elif answer == ANSWER_UNKNOWN:
- f.write('%s: UNKNOWN\n' % msg)
-- elif answer == ANSWER_FAIL:
-- f.write('%s: FAIL\n' % msg)
-+ elif answer == ANSWER_NO:
-+ f.write('%s: NO\n' % msg)
- else:
-- f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
-+ if retcode == 0:
-+ f.write('%s: "%s"\n' % (msg, retstring))
-+ else:
-+ f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
- f.close()
-
-
-@@ -64,7 +67,7 @@ def cross_answer(ca_file, msg):
- return ANSWER_UNKNOWN
- elif ans == "FAIL" or ans == "NO":
- f.close()
-- return ANSWER_FAIL
-+ return ANSWER_NO
- elif ans[0] == '"':
- return (0, ans.strip('"'))
- elif ans[0] == "'":
---
-1.9.1
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
deleted file mode 100644
index 3fbb770..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 8ffb1892b5c42d8d29124d274aa4b5f1726d7e9f Mon Sep 17 00:00:00 2001
-From: Gustavo Zacarias <gustavo@zacarias.com.ar>
-Date: Mon, 21 Apr 2014 10:18:16 -0300
-Subject: [PATCH 4/7] build: make wafsamba CHECK_SIZEOF cross-compile friendly
-
-Use the same trick as commit 0d9bb86293c9d39298786df095c73a6251b08b7e
-We do the same array trick iteratively starting from 1 (byte) by powers
-of 2 up to 32.
-
-The new 'critical' option is used to make the invocation die or not
-according to each test.
-The default is True since normally it's expected to find a proper
-result and should error out if not.
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: David Disseldorp <ddiss@samba.org>
-
-Upstream-Status: Backport
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- buildtools/wafsamba/samba_autoconf.py | 28 ++++++++++++++++------------
- 1 file changed, 16 insertions(+), 12 deletions(-)
-
-diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
-index fe110bd..59953d9 100644
---- a/buildtools/wafsamba/samba_autoconf.py
-+++ b/buildtools/wafsamba/samba_autoconf.py
-@@ -304,23 +304,27 @@ def CHECK_FUNCS(conf, list, link=True, lib=None, headers=None):
-
-
- @conf
--def CHECK_SIZEOF(conf, vars, headers=None, define=None):
-+def CHECK_SIZEOF(conf, vars, headers=None, define=None, critical=True):
- '''check the size of a type'''
-- ret = True
- for v in TO_LIST(vars):
- v_define = define
-+ ret = False
- if v_define is None:
- v_define = 'SIZEOF_%s' % v.upper().replace(' ', '_')
-- if not CHECK_CODE(conf,
-- 'printf("%%u", (unsigned)sizeof(%s))' % v,
-- define=v_define,
-- execute=True,
-- define_ret=True,
-- quote=False,
-- headers=headers,
-- local_include=False,
-- msg="Checking size of %s" % v):
-- ret = False
-+ for size in list((1, 2, 4, 8, 16, 32)):
-+ if CHECK_CODE(conf,
-+ 'static int test_array[1 - 2 * !(((long int)(sizeof(%s))) <= %d)];' % (v, size),
-+ define=v_define,
-+ quote=False,
-+ headers=headers,
-+ local_include=False,
-+ msg="Checking if size of %s == %d" % (v, size)):
-+ conf.DEFINE(v_define, size)
-+ ret = True
-+ break
-+ if not ret and critical:
-+ Logs.error("Couldn't determine size of '%s'" % v)
-+ sys.exit(1)
- return ret
-
- @conf
---
-1.9.1
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
deleted file mode 100644
index 5546b6d..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
+++ /dev/null
@@ -1,169 +0,0 @@
-From 81379b6b14ea725c72953be2170b382403ed8728 Mon Sep 17 00:00:00 2001
-From: Gustavo Zacarias <gustavo@zacarias.com.ar>
-Date: Mon, 21 Apr 2014 10:18:15 -0300
-Subject: [PATCH 5/7] build: unify and fix endian tests
-
-Unify the endian tests out of lib/ccan/wscript into wafsamba since
-they're almost cross-compile friendly.
-While at it fix them to be so by moving the preprocessor directives out
-of main scope since that will fail.
-And keep the WORDS_BIGENDIAN, HAVE_LITTLE_ENDIAN and HAVE_BIG_ENDIAN
-defines separate because of different codebases.
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: David Disseldorp <ddiss@samba.org>
-
-Upstream-Status: Backport
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- buildtools/wafsamba/wscript | 65 ++++++++++++++++++++++++++++++++++++++++++---
- lib/ccan/wscript | 55 --------------------------------------
- 2 files changed, 62 insertions(+), 58 deletions(-)
-
-diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
-index 7984227..1a2cfe6 100755
---- a/buildtools/wafsamba/wscript
-+++ b/buildtools/wafsamba/wscript
-@@ -390,9 +390,68 @@ def configure(conf):
- else:
- conf.define('SHLIBEXT', "so", quote=True)
-
-- conf.CHECK_CODE('long one = 1; return ((char *)(&one))[0]',
-- execute=True,
-- define='WORDS_BIGENDIAN')
-+ # First try a header check for cross-compile friendlyness
-+ conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
-+ #define B __BYTE_ORDER
-+ #elif defined(BYTE_ORDER)
-+ #define B BYTE_ORDER
-+ #endif
-+
-+ #ifdef __LITTLE_ENDIAN
-+ #define LITTLE __LITTLE_ENDIAN
-+ #elif defined(LITTLE_ENDIAN)
-+ #define LITTLE LITTLE_ENDIAN
-+ #endif
-+
-+ #if !defined(LITTLE) || !defined(B) || LITTLE != B
-+ #error Not little endian.
-+ #endif
-+ int main(void) { return 0; }""",
-+ addmain=False,
-+ headers="endian.h sys/endian.h",
-+ define="HAVE_LITTLE_ENDIAN")
-+ conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
-+ #define B __BYTE_ORDER
-+ #elif defined(BYTE_ORDER)
-+ #define B BYTE_ORDER
-+ #endif
-+
-+ #ifdef __BIG_ENDIAN
-+ #define BIG __BIG_ENDIAN
-+ #elif defined(BIG_ENDIAN)
-+ #define BIG BIG_ENDIAN
-+ #endif
-+
-+ #if !defined(BIG) || !defined(B) || BIG != B
-+ #error Not big endian.
-+ #endif
-+ int main(void) { return 0; }""",
-+ addmain=False,
-+ headers="endian.h sys/endian.h",
-+ define="HAVE_BIG_ENDIAN")
-+
-+ if not conf.CONFIG_SET("HAVE_BIG_ENDIAN") and not conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
-+ # That didn't work! Do runtime test.
-+ conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
-+ u.i = 0x01020304;
-+ return u.c[0] == 0x04 && u.c[1] == 0x03 && u.c[2] == 0x02 && u.c[3] == 0x01 ? 0 : 1;""",
-+ addmain=True, execute=True,
-+ define='HAVE_LITTLE_ENDIAN',
-+ msg="Checking for HAVE_LITTLE_ENDIAN - runtime")
-+ conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
-+ u.i = 0x01020304;
-+ return u.c[0] == 0x01 && u.c[1] == 0x02 && u.c[2] == 0x03 && u.c[3] == 0x04 ? 0 : 1;""",
-+ addmain=True, execute=True,
-+ define='HAVE_BIG_ENDIAN',
-+ msg="Checking for HAVE_BIG_ENDIAN - runtime")
-+
-+ # Extra sanity check.
-+ if conf.CONFIG_SET("HAVE_BIG_ENDIAN") == conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
-+ Logs.error("Failed endian determination. The PDP-11 is back?")
-+ sys.exit(1)
-+ else:
-+ if conf.CONFIG_SET("HAVE_BIG_ENDIAN"):
-+ conf.DEFINE('WORDS_BIGENDIAN', 1)
-
- # check if signal() takes a void function
- if conf.CHECK_CODE('return *(signal (0, 0)) (0) == 1',
-diff --git a/lib/ccan/wscript b/lib/ccan/wscript
-index a0b5406..5b3a910 100644
---- a/lib/ccan/wscript
-+++ b/lib/ccan/wscript
-@@ -25,61 +25,6 @@ def configure(conf):
- conf.CHECK_CODE('int __attribute__((used)) func(int x) { return x; }',
- addmain=False, link=False, cflags=conf.env['WERROR_CFLAGS'],
- define='HAVE_ATTRIBUTE_USED')
-- # We try to use headers for a compile-time test.
-- conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
-- #define B __BYTE_ORDER
-- #elif defined(BYTE_ORDER)
-- #define B BYTE_ORDER
-- #endif
--
-- #ifdef __LITTLE_ENDIAN
-- #define LITTLE __LITTLE_ENDIAN
-- #elif defined(LITTLE_ENDIAN)
-- #define LITTLE LITTLE_ENDIAN
-- #endif
--
-- #if !defined(LITTLE) || !defined(B) || LITTLE != B
-- #error Not little endian.
-- #endif""",
-- headers="endian.h sys/endian.h",
-- define="HAVE_LITTLE_ENDIAN")
-- conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
-- #define B __BYTE_ORDER
-- #elif defined(BYTE_ORDER)
-- #define B BYTE_ORDER
-- #endif
--
-- #ifdef __BIG_ENDIAN
-- #define BIG __BIG_ENDIAN
-- #elif defined(BIG_ENDIAN)
-- #define BIG BIG_ENDIAN
-- #endif
--
-- #if !defined(BIG) || !defined(B) || BIG != B
-- #error Not big endian.
-- #endif""",
-- headers="endian.h sys/endian.h",
-- define="HAVE_BIG_ENDIAN")
--
-- if not conf.CONFIG_SET("HAVE_BIG_ENDIAN") and not conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
-- # That didn't work! Do runtime test.
-- conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
-- u.i = 0x01020304;
-- return u.c[0] == 0x04 && u.c[1] == 0x03 && u.c[2] == 0x02 && u.c[3] == 0x01 ? 0 : 1;""",
-- addmain=True, execute=True,
-- define='HAVE_LITTLE_ENDIAN',
-- msg="Checking for HAVE_LITTLE_ENDIAN - runtime")
-- conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
-- u.i = 0x01020304;
-- return u.c[0] == 0x01 && u.c[1] == 0x02 && u.c[2] == 0x03 && u.c[3] == 0x04 ? 0 : 1;""",
-- addmain=True, execute=True,
-- define='HAVE_BIG_ENDIAN',
-- msg="Checking for HAVE_BIG_ENDIAN - runtime")
--
-- # Extra sanity check.
-- if conf.CONFIG_SET("HAVE_BIG_ENDIAN") == conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
-- Logs.error("Failed endian determination. The PDP-11 is back?")
-- sys.exit(1)
-
- conf.CHECK_CODE('return __builtin_choose_expr(1, 0, "garbage");',
- link=True,
---
-1.9.1
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
deleted file mode 100644
index de0d32c..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 649c731526dc1473bd1804d2903d7559e63616da Mon Sep 17 00:00:00 2001
-From: Uri Simchoni <urisimchoni@gmail.com>
-Date: Mon, 4 May 2015 09:12:45 +0300
-Subject: [PATCH 7/7] waf: Fix parsing of cross-answers file in case answer includes a colon
-
-The answer provided in the cross-answers file may include a colon,
-as in:
-Checking uname version type: "#57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014"
-
-Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-
-Upstream-Status: Backport
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- buildtools/wafsamba/samba_cross.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
-index d1e7006..7961212 100644
---- a/buildtools/wafsamba/samba_cross.py
-+++ b/buildtools/wafsamba/samba_cross.py
-@@ -54,7 +54,7 @@ def cross_answer(ca_file, msg):
- if line == '' or line[0] == '#':
- continue
- if line.find(':') != -1:
-- a = line.split(':')
-+ a = line.split(':', 1)
- thismsg = a[0].strip()
- if thismsg != msg:
- continue
---
-1.9.1
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
deleted file mode 100644
index 6c08ccc..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
+++ /dev/null
@@ -1,1448 +0,0 @@
-From 80f3551d4f594438dcc93dd82a7953c4a913badd Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 16 Dec 2013 12:57:20 +0100
-Subject: [PATCH 1/7] s3-lib: Add winbind_lookup_usersids().
-
-Pair-Programmed-With: Guenther Deschner <gd@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-(cherry picked from commit 241e98d8ee099f9cc5feb835085b4abd2b1ee663)
----
- source3/lib/winbind_util.c | 34 +++++
- source3/lib/winbind_util.h | 4 +
- source3/passdb/ABI/pdb-0.1.0.sigs | 311 ++++++++++++++++++++++++++++++++++++++
- source3/wscript_build | 2 +-
- 4 files changed, 350 insertions(+), 1 deletion(-)
- create mode 100644 source3/passdb/ABI/pdb-0.1.0.sigs
-
-diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c
-index b458ebe..f62682b 100644
---- a/source3/lib/winbind_util.c
-+++ b/source3/lib/winbind_util.c
-@@ -342,6 +342,40 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
- return true;
- }
-
-+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
-+ const struct dom_sid *user_sid,
-+ uint32_t *p_num_sids,
-+ struct dom_sid **p_sids)
-+{
-+ wbcErr ret;
-+ struct wbcDomainSid dom_sid;
-+ struct wbcDomainSid *sid_list = NULL;
-+ uint32_t num_sids;
-+
-+ memcpy(&dom_sid, user_sid, sizeof(dom_sid));
-+
-+ ret = wbcLookupUserSids(&dom_sid,
-+ false,
-+ &num_sids,
-+ &sid_list);
-+ if (ret != WBC_ERR_SUCCESS) {
-+ return false;
-+ }
-+
-+ *p_sids = talloc_array(mem_ctx, struct dom_sid, num_sids);
-+ if (*p_sids == NULL) {
-+ wbcFreeMemory(sid_list);
-+ return false;
-+ }
-+
-+ memcpy(*p_sids, sid_list, sizeof(dom_sid) * num_sids);
-+
-+ *p_num_sids = num_sids;
-+ wbcFreeMemory(sid_list);
-+
-+ return true;
-+}
-+
- #else /* WITH_WINBIND */
-
- struct passwd * winbind_getpwnam(const char * name)
-diff --git a/source3/lib/winbind_util.h b/source3/lib/winbind_util.h
-index 541bb95..abbc5a9 100644
---- a/source3/lib/winbind_util.h
-+++ b/source3/lib/winbind_util.h
-@@ -58,5 +58,9 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
- size_t num_members,
- uint32_t **pp_alias_rids,
- size_t *p_num_alias_rids);
-+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
-+ const struct dom_sid *user_sid,
-+ uint32_t *p_num_sids,
-+ struct dom_sid **p_sids);
-
- #endif /* __LIB__WINBIND_UTIL_H__ */
-diff --git a/source3/passdb/ABI/pdb-0.1.0.sigs b/source3/passdb/ABI/pdb-0.1.0.sigs
-new file mode 100644
-index 0000000..f4de9c4
---- /dev/null
-+++ b/source3/passdb/ABI/pdb-0.1.0.sigs
-@@ -0,0 +1,311 @@
-+PDB_secrets_clear_domain_protection: bool (const char *)
-+PDB_secrets_fetch_domain_guid: bool (const char *, struct GUID *)
-+PDB_secrets_fetch_domain_sid: bool (const char *, struct dom_sid *)
-+PDB_secrets_mark_domain_protected: bool (const char *)
-+PDB_secrets_store_domain_guid: bool (const char *, struct GUID *)
-+PDB_secrets_store_domain_sid: bool (const char *, const struct dom_sid *)
-+account_policy_get: bool (enum pdb_policy_type, uint32_t *)
-+account_policy_get_default: bool (enum pdb_policy_type, uint32_t *)
-+account_policy_get_desc: const char *(enum pdb_policy_type)
-+account_policy_name_to_typenum: enum pdb_policy_type (const char *)
-+account_policy_names_list: void (TALLOC_CTX *, const char ***, int *)
-+account_policy_set: bool (enum pdb_policy_type, uint32_t)
-+add_initial_entry: NTSTATUS (gid_t, const char *, enum lsa_SidType, const char *, const char *)
-+algorithmic_pdb_gid_to_group_rid: uint32_t (gid_t)
-+algorithmic_pdb_rid_is_user: bool (uint32_t)
-+algorithmic_pdb_uid_to_user_rid: uint32_t (uid_t)
-+algorithmic_pdb_user_rid_to_uid: uid_t (uint32_t)
-+algorithmic_rid_base: int (void)
-+builtin_domain_name: const char *(void)
-+cache_account_policy_get: bool (enum pdb_policy_type, uint32_t *)
-+cache_account_policy_set: bool (enum pdb_policy_type, uint32_t)
-+create_builtin_administrators: NTSTATUS (const struct dom_sid *)
-+create_builtin_users: NTSTATUS (const struct dom_sid *)
-+decode_account_policy_name: const char *(enum pdb_policy_type)
-+get_account_pol_db: struct db_context *(void)
-+get_account_policy_attr: const char *(enum pdb_policy_type)
-+get_domain_group_from_sid: bool (struct dom_sid, GROUP_MAP *)
-+get_primary_group_sid: NTSTATUS (TALLOC_CTX *, const char *, struct passwd **, struct dom_sid **)
-+get_privileges_for_sid_as_set: NTSTATUS (TALLOC_CTX *, PRIVILEGE_SET **, struct dom_sid *)
-+get_privileges_for_sids: bool (uint64_t *, struct dom_sid *, int)
-+get_trust_pw_clear: bool (const char *, char **, const char **, enum netr_SchannelType *)
-+get_trust_pw_hash: bool (const char *, uint8_t *, const char **, enum netr_SchannelType *)
-+gid_to_sid: void (struct dom_sid *, gid_t)
-+gid_to_unix_groups_sid: void (gid_t, struct dom_sid *)
-+grab_named_mutex: struct named_mutex *(TALLOC_CTX *, const char *, int)
-+grant_all_privileges: bool (const struct dom_sid *)
-+grant_privilege_by_name: bool (const struct dom_sid *, const char *)
-+grant_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *)
-+groupdb_tdb_init: const struct mapping_backend *(void)
-+init_account_policy: bool (void)
-+init_buffer_from_samu: uint32_t (uint8_t **, struct samu *, bool)
-+init_samu_from_buffer: bool (struct samu *, uint32_t, uint8_t *, uint32_t)
-+initialize_password_db: bool (bool, struct tevent_context *)
-+is_dc_trusted_domain_situation: bool (const char *)
-+is_privileged_sid: bool (const struct dom_sid *)
-+local_password_change: NTSTATUS (const char *, int, const char *, char **, char **)
-+login_cache_delentry: bool (const struct samu *)
-+login_cache_init: bool (void)
-+login_cache_read: bool (struct samu *, struct login_cache *)
-+login_cache_shutdown: bool (void)
-+login_cache_write: bool (const struct samu *, const struct login_cache *)
-+lookup_builtin_name: bool (const char *, uint32_t *)
-+lookup_builtin_rid: bool (TALLOC_CTX *, uint32_t, const char **)
-+lookup_global_sam_name: bool (const char *, int, uint32_t *, enum lsa_SidType *)
-+lookup_name: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *)
-+lookup_name_smbconf: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *)
-+lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *)
-+lookup_sids: NTSTATUS (TALLOC_CTX *, int, const struct dom_sid **, int, struct lsa_dom_info **, struct lsa_name_info **)
-+lookup_unix_group_name: bool (const char *, struct dom_sid *)
-+lookup_unix_user_name: bool (const char *, struct dom_sid *)
-+lookup_wellknown_name: bool (TALLOC_CTX *, const char *, struct dom_sid *, const char **)
-+lookup_wellknown_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **)
-+make_pdb_method: NTSTATUS (struct pdb_methods **)
-+make_pdb_method_name: NTSTATUS (struct pdb_methods **, const char *)
-+max_algorithmic_gid: gid_t (void)
-+max_algorithmic_uid: uid_t (void)
-+my_sam_name: const char *(void)
-+pdb_add_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *)
-+pdb_add_group_mapping_entry: NTSTATUS (GROUP_MAP *)
-+pdb_add_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t)
-+pdb_add_sam_account: NTSTATUS (struct samu *)
-+pdb_build_fields_present: uint32_t (struct samu *)
-+pdb_capabilities: uint32_t (void)
-+pdb_copy_sam_account: bool (struct samu *, struct samu *)
-+pdb_create_alias: NTSTATUS (const char *, uint32_t *)
-+pdb_create_builtin: NTSTATUS (uint32_t)
-+pdb_create_builtin_alias: NTSTATUS (uint32_t, gid_t)
-+pdb_create_dom_group: NTSTATUS (TALLOC_CTX *, const char *, uint32_t *)
-+pdb_create_user: NTSTATUS (TALLOC_CTX *, const char *, uint32_t, uint32_t *)
-+pdb_decode_acct_ctrl: uint32_t (const char *)
-+pdb_default_add_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *)
-+pdb_default_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
-+pdb_default_alias_memberships: NTSTATUS (struct pdb_methods *, TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
-+pdb_default_create_alias: NTSTATUS (struct pdb_methods *, const char *, uint32_t *)
-+pdb_default_del_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *)
-+pdb_default_delete_alias: NTSTATUS (struct pdb_methods *, const struct dom_sid *)
-+pdb_default_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid)
-+pdb_default_enum_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *)
-+pdb_default_enum_group_mapping: NTSTATUS (struct pdb_methods *, const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool)
-+pdb_default_get_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *)
-+pdb_default_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t)
-+pdb_default_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *)
-+pdb_default_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid)
-+pdb_default_set_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *)
-+pdb_default_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
-+pdb_del_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *)
-+pdb_del_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t)
-+pdb_del_trusted_domain: NTSTATUS (const char *)
-+pdb_del_trusteddom_pw: bool (const char *)
-+pdb_delete_alias: NTSTATUS (const struct dom_sid *)
-+pdb_delete_dom_group: NTSTATUS (TALLOC_CTX *, uint32_t)
-+pdb_delete_group_mapping_entry: NTSTATUS (struct dom_sid)
-+pdb_delete_sam_account: NTSTATUS (struct samu *)
-+pdb_delete_secret: NTSTATUS (const char *)
-+pdb_delete_user: NTSTATUS (TALLOC_CTX *, struct samu *)
-+pdb_element_is_changed: bool (const struct samu *, enum pdb_elements)
-+pdb_element_is_set_or_changed: bool (const struct samu *, enum pdb_elements)
-+pdb_encode_acct_ctrl: char *(uint32_t, size_t)
-+pdb_enum_alias_memberships: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
-+pdb_enum_aliasmem: NTSTATUS (const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *)
-+pdb_enum_group_mapping: bool (const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool)
-+pdb_enum_group_members: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, uint32_t **, size_t *)
-+pdb_enum_group_memberships: NTSTATUS (TALLOC_CTX *, struct samu *, struct dom_sid **, gid_t **, uint32_t *)
-+pdb_enum_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct pdb_trusted_domain ***)
-+pdb_enum_trusteddoms: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***)
-+pdb_enum_upn_suffixes: NTSTATUS (TALLOC_CTX *, uint32_t *, char ***)
-+pdb_find_backend_entry: struct pdb_init_function_entry *(const char *)
-+pdb_get_account_policy: bool (enum pdb_policy_type, uint32_t *)
-+pdb_get_acct_ctrl: uint32_t (const struct samu *)
-+pdb_get_acct_desc: const char *(const struct samu *)
-+pdb_get_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *)
-+pdb_get_backend_private_data: void *(const struct samu *, const struct pdb_methods *)
-+pdb_get_backends: const struct pdb_init_function_entry *(void)
-+pdb_get_bad_password_count: uint16_t (const struct samu *)
-+pdb_get_bad_password_time: time_t (const struct samu *)
-+pdb_get_code_page: uint16_t (const struct samu *)
-+pdb_get_comment: const char *(const struct samu *)
-+pdb_get_country_code: uint16_t (const struct samu *)
-+pdb_get_dir_drive: const char *(const struct samu *)
-+pdb_get_domain: const char *(const struct samu *)
-+pdb_get_domain_info: struct pdb_domain_info *(TALLOC_CTX *)
-+pdb_get_fullname: const char *(const struct samu *)
-+pdb_get_group_rid: uint32_t (struct samu *)
-+pdb_get_group_sid: const struct dom_sid *(struct samu *)
-+pdb_get_homedir: const char *(const struct samu *)
-+pdb_get_hours: const uint8_t *(const struct samu *)
-+pdb_get_hours_len: uint32_t (const struct samu *)
-+pdb_get_init_flags: enum pdb_value_state (const struct samu *, enum pdb_elements)
-+pdb_get_kickoff_time: time_t (const struct samu *)
-+pdb_get_lanman_passwd: const uint8_t *(const struct samu *)
-+pdb_get_logoff_time: time_t (const struct samu *)
-+pdb_get_logon_count: uint16_t (const struct samu *)
-+pdb_get_logon_divs: uint16_t (const struct samu *)
-+pdb_get_logon_script: const char *(const struct samu *)
-+pdb_get_logon_time: time_t (const struct samu *)
-+pdb_get_munged_dial: const char *(const struct samu *)
-+pdb_get_nt_passwd: const uint8_t *(const struct samu *)
-+pdb_get_nt_username: const char *(const struct samu *)
-+pdb_get_pass_can_change: bool (const struct samu *)
-+pdb_get_pass_can_change_time: time_t (const struct samu *)
-+pdb_get_pass_can_change_time_noncalc: time_t (const struct samu *)
-+pdb_get_pass_last_set_time: time_t (const struct samu *)
-+pdb_get_pass_must_change_time: time_t (const struct samu *)
-+pdb_get_plaintext_passwd: const char *(const struct samu *)
-+pdb_get_profile_path: const char *(const struct samu *)
-+pdb_get_pw_history: const uint8_t *(const struct samu *, uint32_t *)
-+pdb_get_secret: NTSTATUS (TALLOC_CTX *, const char *, DATA_BLOB *, NTTIME *, DATA_BLOB *, NTTIME *, struct security_descriptor **)
-+pdb_get_seq_num: bool (time_t *)
-+pdb_get_tevent_context: struct tevent_context *(void)
-+pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct pdb_trusted_domain **)
-+pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *, struct pdb_trusted_domain **)
-+pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *)
-+pdb_get_unknown_6: uint32_t (const struct samu *)
-+pdb_get_user_rid: uint32_t (const struct samu *)
-+pdb_get_user_sid: const struct dom_sid *(const struct samu *)
-+pdb_get_username: const char *(const struct samu *)
-+pdb_get_workstations: const char *(const struct samu *)
-+pdb_getgrgid: bool (GROUP_MAP *, gid_t)
-+pdb_getgrnam: bool (GROUP_MAP *, const char *)
-+pdb_getgrsid: bool (GROUP_MAP *, struct dom_sid)
-+pdb_gethexhours: bool (const char *, unsigned char *)
-+pdb_gethexpwd: bool (const char *, unsigned char *)
-+pdb_getsampwnam: bool (struct samu *, const char *)
-+pdb_getsampwsid: bool (struct samu *, const struct dom_sid *)
-+pdb_gid_to_sid: bool (gid_t, struct dom_sid *)
-+pdb_group_rid_to_gid: gid_t (uint32_t)
-+pdb_increment_bad_password_count: bool (struct samu *)
-+pdb_is_password_change_time_max: bool (time_t)
-+pdb_is_responsible_for_builtin: bool (void)
-+pdb_is_responsible_for_our_sam: bool (void)
-+pdb_is_responsible_for_unix_groups: bool (void)
-+pdb_is_responsible_for_unix_users: bool (void)
-+pdb_is_responsible_for_wellknown: bool (void)
-+pdb_lookup_rids: NTSTATUS (const struct dom_sid *, int, uint32_t *, const char **, enum lsa_SidType *)
-+pdb_new_rid: bool (uint32_t *)
-+pdb_nop_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
-+pdb_nop_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid)
-+pdb_nop_enum_group_mapping: NTSTATUS (struct pdb_methods *, enum lsa_SidType, GROUP_MAP **, size_t *, bool)
-+pdb_nop_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t)
-+pdb_nop_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *)
-+pdb_nop_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid)
-+pdb_nop_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
-+pdb_rename_sam_account: NTSTATUS (struct samu *, const char *)
-+pdb_search_aliases: struct pdb_search *(TALLOC_CTX *, const struct dom_sid *)
-+pdb_search_entries: uint32_t (struct pdb_search *, uint32_t, uint32_t, struct samr_displayentry **)
-+pdb_search_groups: struct pdb_search *(TALLOC_CTX *)
-+pdb_search_init: struct pdb_search *(TALLOC_CTX *, enum pdb_search_type)
-+pdb_search_users: struct pdb_search *(TALLOC_CTX *, uint32_t)
-+pdb_set_account_policy: bool (enum pdb_policy_type, uint32_t)
-+pdb_set_acct_ctrl: bool (struct samu *, uint32_t, enum pdb_value_state)
-+pdb_set_acct_desc: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *)
-+pdb_set_backend_private_data: bool (struct samu *, void *, void (*)(void **), const struct pdb_methods *, enum pdb_value_state)
-+pdb_set_bad_password_count: bool (struct samu *, uint16_t, enum pdb_value_state)
-+pdb_set_bad_password_time: bool (struct samu *, time_t, enum pdb_value_state)
-+pdb_set_code_page: bool (struct samu *, uint16_t, enum pdb_value_state)
-+pdb_set_comment: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_country_code: bool (struct samu *, uint16_t, enum pdb_value_state)
-+pdb_set_dir_drive: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_domain: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_fullname: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_group_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state)
-+pdb_set_group_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state)
-+pdb_set_homedir: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_hours: bool (struct samu *, const uint8_t *, int, enum pdb_value_state)
-+pdb_set_hours_len: bool (struct samu *, uint32_t, enum pdb_value_state)
-+pdb_set_init_flags: bool (struct samu *, enum pdb_elements, enum pdb_value_state)
-+pdb_set_kickoff_time: bool (struct samu *, time_t, enum pdb_value_state)
-+pdb_set_lanman_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state)
-+pdb_set_logoff_time: bool (struct samu *, time_t, enum pdb_value_state)
-+pdb_set_logon_count: bool (struct samu *, uint16_t, enum pdb_value_state)
-+pdb_set_logon_divs: bool (struct samu *, uint16_t, enum pdb_value_state)
-+pdb_set_logon_script: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_logon_time: bool (struct samu *, time_t, enum pdb_value_state)
-+pdb_set_munged_dial: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_nt_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state)
-+pdb_set_nt_username: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_pass_can_change: bool (struct samu *, bool)
-+pdb_set_pass_can_change_time: bool (struct samu *, time_t, enum pdb_value_state)
-+pdb_set_pass_last_set_time: bool (struct samu *, time_t, enum pdb_value_state)
-+pdb_set_plaintext_passwd: bool (struct samu *, const char *)
-+pdb_set_plaintext_pw_only: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_profile_path: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_pw_history: bool (struct samu *, const uint8_t *, uint32_t, enum pdb_value_state)
-+pdb_set_secret: NTSTATUS (const char *, DATA_BLOB *, DATA_BLOB *, struct security_descriptor *)
-+pdb_set_trusted_domain: NTSTATUS (const char *, const struct pdb_trusted_domain *)
-+pdb_set_trusteddom_pw: bool (const char *, const char *, const struct dom_sid *)
-+pdb_set_unix_primary_group: NTSTATUS (TALLOC_CTX *, struct samu *)
-+pdb_set_unknown_6: bool (struct samu *, uint32_t, enum pdb_value_state)
-+pdb_set_upn_suffixes: NTSTATUS (uint32_t, const char **)
-+pdb_set_user_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state)
-+pdb_set_user_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state)
-+pdb_set_user_sid_from_string: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_username: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_set_workstations: bool (struct samu *, const char *, enum pdb_value_state)
-+pdb_sethexhours: void (char *, const unsigned char *)
-+pdb_sethexpwd: void (char *, const unsigned char *, uint32_t)
-+pdb_sid_to_id: bool (const struct dom_sid *, struct unixid *)
-+pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct unixid *)
-+pdb_uid_to_sid: bool (uid_t, struct dom_sid *)
-+pdb_update_autolock_flag: bool (struct samu *, bool *)
-+pdb_update_bad_password_count: bool (struct samu *, bool *)
-+pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *)
-+pdb_update_login_attempts: NTSTATUS (struct samu *, bool)
-+pdb_update_sam_account: NTSTATUS (struct samu *)
-+privilege_create_account: NTSTATUS (const struct dom_sid *)
-+privilege_delete_account: NTSTATUS (const struct dom_sid *)
-+privilege_enum_sids: NTSTATUS (enum sec_privilege, TALLOC_CTX *, struct dom_sid **, int *)
-+privilege_enumerate_accounts: NTSTATUS (struct dom_sid **, int *)
-+revoke_all_privileges: bool (const struct dom_sid *)
-+revoke_privilege_by_name: bool (const struct dom_sid *, const char *)
-+revoke_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *)
-+samu_alloc_rid_unix: NTSTATUS (struct pdb_methods *, struct samu *, const struct passwd *)
-+samu_new: struct samu *(TALLOC_CTX *)
-+samu_set_unix: NTSTATUS (struct samu *, const struct passwd *)
-+secrets_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***)
-+sid_check_is_builtin: bool (const struct dom_sid *)
-+sid_check_is_for_passdb: bool (const struct dom_sid *)
-+sid_check_is_in_builtin: bool (const struct dom_sid *)
-+sid_check_is_in_unix_groups: bool (const struct dom_sid *)
-+sid_check_is_in_unix_users: bool (const struct dom_sid *)
-+sid_check_is_in_wellknown_domain: bool (const struct dom_sid *)
-+sid_check_is_unix_groups: bool (const struct dom_sid *)
-+sid_check_is_unix_users: bool (const struct dom_sid *)
-+sid_check_is_wellknown_builtin: bool (const struct dom_sid *)
-+sid_check_is_wellknown_domain: bool (const struct dom_sid *, const char **)
-+sid_check_object_is_for_passdb: bool (const struct dom_sid *)
-+sid_to_gid: bool (const struct dom_sid *, gid_t *)
-+sid_to_uid: bool (const struct dom_sid *, uid_t *)
-+sids_to_unixids: bool (const struct dom_sid *, uint32_t, struct unixid *)
-+smb_add_user_group: int (const char *, const char *)
-+smb_create_group: int (const char *, gid_t *)
-+smb_delete_group: int (const char *)
-+smb_delete_user_group: int (const char *, const char *)
-+smb_nscd_flush_group_cache: void (void)
-+smb_nscd_flush_user_cache: void (void)
-+smb_register_passdb: NTSTATUS (int, const char *, pdb_init_function)
-+smb_set_primary_group: int (const char *, const char *)
-+uid_to_sid: void (struct dom_sid *, uid_t)
-+uid_to_unix_users_sid: void (uid_t, struct dom_sid *)
-+unix_groups_domain_name: const char *(void)
-+unix_users_domain_name: const char *(void)
-+unixid_from_both: void (struct unixid *, uint32_t)
-+unixid_from_gid: void (struct unixid *, uint32_t)
-+unixid_from_uid: void (struct unixid *, uint32_t)
-+wb_is_trusted_domain: wbcErr (const char *)
-+winbind_allocate_gid: bool (gid_t *)
-+winbind_allocate_uid: bool (uid_t *)
-+winbind_get_groups: bool (TALLOC_CTX *, const char *, uint32_t *, gid_t **)
-+winbind_get_sid_aliases: bool (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
-+winbind_getpwnam: struct passwd *(const char *)
-+winbind_getpwsid: struct passwd *(const struct dom_sid *)
-+winbind_gid_to_sid: bool (struct dom_sid *, gid_t)
-+winbind_lookup_name: bool (const char *, const char *, struct dom_sid *, enum lsa_SidType *)
-+winbind_lookup_rids: bool (TALLOC_CTX *, const struct dom_sid *, int, uint32_t *, const char **, const char ***, enum lsa_SidType **)
-+winbind_lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *)
-+winbind_lookup_usersids: bool (TALLOC_CTX *, const struct dom_sid *, uint32_t *, struct dom_sid **)
-+winbind_ping: bool (void)
-+winbind_sid_to_gid: bool (gid_t *, const struct dom_sid *)
-+winbind_sid_to_uid: bool (uid_t *, const struct dom_sid *)
-+winbind_uid_to_sid: bool (struct dom_sid *, uid_t)
-diff --git a/source3/wscript_build b/source3/wscript_build
-index e0432bf..6d6b6aa 100755
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -736,7 +736,7 @@ bld.SAMBA3_LIBRARY('pdb',
- passdb/lookup_sid.h''',
- abi_match=private_pdb_match,
- abi_directory='passdb/ABI',
-- vnum='0',
-+ vnum='0.1.0',
- vars=locals())
-
- bld.SAMBA3_LIBRARY('smbldaphelper',
---
-1.8.5.2
-
-
-From 91debcafd196a9e821efddce0a9d75c48f8e168d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 13 Dec 2013 19:08:34 +0100
-Subject: [PATCH 2/7] s3-auth: Add passwd_to_SamInfo3().
-
-First this function tries to contacts winbind if the user is a domain
-user to get valid information about it. If winbind isn't running it will
-try to create everything from the passwd struct. This is not always
-reliable but works in most cases. It improves the current situation
-which doesn't talk to winbind at all.
-
-Pair-Programmed-With: Guenther Deschner <gd@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 1bb11c7744df6928cb8a096373ab920366b38770)
----
- source3/auth/proto.h | 4 ++
- source3/auth/server_info.c | 116 +++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 120 insertions(+)
-
-diff --git a/source3/auth/proto.h b/source3/auth/proto.h
-index 76661fc..8385e66 100644
---- a/source3/auth/proto.h
-+++ b/source3/auth/proto.h
-@@ -286,6 +286,10 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
- const char *login_server,
- struct netr_SamInfo3 **_info3,
- struct extra_auth_info *extra);
-+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
-+ const char *unix_username,
-+ const struct passwd *pwd,
-+ struct netr_SamInfo3 **pinfo3);
- struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
- struct netr_SamInfo3 *orig);
- struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
-diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
-index d2b7d6e..46d8178 100644
---- a/source3/auth/server_info.c
-+++ b/source3/auth/server_info.c
-@@ -24,6 +24,7 @@
- #include "../libcli/security/security.h"
- #include "rpc_client/util_netlogon.h"
- #include "nsswitch/libwbclient/wbclient.h"
-+#include "lib/winbind_util.h"
- #include "passdb.h"
-
- #undef DBGC_CLASS
-@@ -436,6 +437,121 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
- return NT_STATUS_OK;
- }
-
-+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
-+ const char *unix_username,
-+ const struct passwd *pwd,
-+ struct netr_SamInfo3 **pinfo3)
-+{
-+ struct netr_SamInfo3 *info3;
-+ NTSTATUS status;
-+ TALLOC_CTX *tmp_ctx;
-+ const char *domain_name = NULL;
-+ const char *user_name = NULL;
-+ struct dom_sid domain_sid;
-+ struct dom_sid user_sid;
-+ struct dom_sid group_sid;
-+ enum lsa_SidType type;
-+ uint32_t num_sids = 0;
-+ struct dom_sid *user_sids = NULL;
-+ bool ok;
-+
-+ tmp_ctx = talloc_stackframe();
-+
-+ ok = lookup_name_smbconf(tmp_ctx,
-+ unix_username,
-+ LOOKUP_NAME_ALL,
-+ &domain_name,
-+ &user_name,
-+ &user_sid,
-+ &type);
-+ if (!ok) {
-+ status = NT_STATUS_NO_SUCH_USER;
-+ goto done;
-+ }
-+
-+ if (type != SID_NAME_USER) {
-+ status = NT_STATUS_NO_SUCH_USER;
-+ goto done;
-+ }
-+
-+ ok = winbind_lookup_usersids(tmp_ctx,
-+ &user_sid,
-+ &num_sids,
-+ &user_sids);
-+ /* Check if winbind is running */
-+ if (ok) {
-+ /*
-+ * Winbind is running and the first element of the user_sids
-+ * is the primary group.
-+ */
-+ if (num_sids > 0) {
-+ group_sid = user_sids[0];
-+ }
-+ } else {
-+ /*
-+ * Winbind is not running, create the group_sid from the
-+ * group id.
-+ */
-+ gid_to_sid(&group_sid, pwd->pw_gid);
-+ }
-+
-+ /* Make sure we have a valid group sid */
-+ ok = !is_null_sid(&group_sid);
-+ if (!ok) {
-+ status = NT_STATUS_NO_SUCH_USER;
-+ goto done;
-+ }
-+
-+ /* Construct a netr_SamInfo3 from the information we have */
-+ info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3);
-+ if (!info3) {
-+ status = NT_STATUS_NO_MEMORY;
-+ goto done;
-+ }
-+
-+ info3->base.account_name.string = talloc_strdup(info3, unix_username);
-+ if (info3->base.account_name.string == NULL) {
-+ status = NT_STATUS_NO_MEMORY;
-+ goto done;
-+ }
-+
-+ ZERO_STRUCT(domain_sid);
-+
-+ sid_copy(&domain_sid, &user_sid);
-+ sid_split_rid(&domain_sid, &info3->base.rid);
-+ info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
-+
-+ ok = sid_peek_check_rid(&domain_sid, &group_sid,
-+ &info3->base.primary_gid);
-+ if (!ok) {
-+ DEBUG(1, ("The primary group domain sid(%s) does not "
-+ "match the domain sid(%s) for %s(%s)\n",
-+ sid_string_dbg(&group_sid),
-+ sid_string_dbg(&domain_sid),
-+ unix_username,
-+ sid_string_dbg(&user_sid)));
-+ status = NT_STATUS_INVALID_SID;
-+ goto done;
-+ }
-+
-+ info3->base.acct_flags = ACB_NORMAL;
-+
-+ if (num_sids) {
-+ status = group_sids_to_info3(info3, user_sids, num_sids);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ goto done;
-+ }
-+ }
-+
-+ *pinfo3 = talloc_steal(mem_ctx, info3);
-+
-+ status = NT_STATUS_OK;
-+done:
-+ talloc_free(tmp_ctx);
-+
-+ return status;
-+}
-+
- #undef RET_NOMEM
-
- #define RET_NOMEM(ptr) do { \
---
-1.8.5.2
-
-
-From c7b7670dc5cd8dbf727258666b6417d67afafb33 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 13 Dec 2013 19:11:01 +0100
-Subject: [PATCH 3/7] s3-auth: Pass talloc context to make_server_info_pw().
-
-Pair-Programmed-With: Guenther Deschner <gd@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 1b59c9743cf3fbd66b0b8b52162b2cc8d922e5cf)
----
- source3/auth/auth_unix.c | 7 +++++--
- source3/auth/auth_util.c | 52 +++++++++++++++++++++++++++++-------------------
- source3/auth/proto.h | 7 ++++---
- source3/auth/user_krb5.c | 5 +----
- 4 files changed, 42 insertions(+), 29 deletions(-)
-
-diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
-index c8b5435..7b483a2 100644
---- a/source3/auth/auth_unix.c
-+++ b/source3/auth/auth_unix.c
-@@ -67,8 +67,11 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
- unbecome_root();
-
- if (NT_STATUS_IS_OK(nt_status)) {
-- if (pass) {
-- make_server_info_pw(server_info, pass->pw_name, pass);
-+ if (pass != NULL) {
-+ nt_status = make_server_info_pw(mem_ctx,
-+ pass->pw_name,
-+ pass,
-+ server_info);
- } else {
- /* we need to do somthing more useful here */
- nt_status = NT_STATUS_NO_SUCH_USER;
-diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
-index ceaa706..b225b0d 100644
---- a/source3/auth/auth_util.c
-+++ b/source3/auth/auth_util.c
-@@ -639,14 +639,15 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
- to a struct samu
- ***************************************************************************/
-
--NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
-- char *unix_username,
-- struct passwd *pwd)
-+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
-+ const char *unix_username,
-+ const struct passwd *pwd,
-+ struct auth_serversupplied_info **server_info)
- {
- NTSTATUS status;
- struct samu *sampass = NULL;
- char *qualified_name = NULL;
-- TALLOC_CTX *mem_ctx = NULL;
-+ TALLOC_CTX *tmp_ctx;
- struct dom_sid u_sid;
- enum lsa_SidType type;
- struct auth_serversupplied_info *result;
-@@ -664,27 +665,27 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
- * plaintext passwords were used with no SAM backend.
- */
-
-- mem_ctx = talloc_init("make_server_info_pw_tmp");
-- if (!mem_ctx) {
-+ tmp_ctx = talloc_stackframe();
-+ if (tmp_ctx == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
-- qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
-+ qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
- unix_users_domain_name(),
- unix_username );
- if (!qualified_name) {
-- TALLOC_FREE(mem_ctx);
-+ TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
-- if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
-+ if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
- NULL, NULL,
- &u_sid, &type)) {
-- TALLOC_FREE(mem_ctx);
-+ TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_SUCH_USER;
- }
-
-- TALLOC_FREE(mem_ctx);
-+ TALLOC_FREE(tmp_ctx);
-
- if (type != SID_NAME_USER) {
- return NT_STATUS_NO_SUCH_USER;
-@@ -707,7 +708,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
- /* set the user sid to be the calculated u_sid */
- pdb_set_user_sid(sampass, &u_sid, PDB_SET);
-
-- result = make_server_info(NULL);
-+ result = make_server_info(mem_ctx);
- if (result == NULL) {
- TALLOC_FREE(sampass);
- return NT_STATUS_NO_MEMORY;
-@@ -992,25 +993,36 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
- struct passwd *pwd;
- NTSTATUS status;
- struct auth_serversupplied_info *result;
-+ TALLOC_CTX *tmp_ctx;
-
-- pwd = Get_Pwnam_alloc(talloc_tos(), username);
-- if (pwd == NULL) {
-- return NT_STATUS_NO_SUCH_USER;
-+ tmp_ctx = talloc_stackframe();
-+ if (tmp_ctx == NULL) {
-+ return NT_STATUS_NO_MEMORY;
- }
-
-- status = make_server_info_pw(&result, pwd->pw_name, pwd);
-+ pwd = Get_Pwnam_alloc(tmp_ctx, username);
-+ if (pwd == NULL) {
-+ status = NT_STATUS_NO_SUCH_USER;
-+ goto done;
-+ }
-
-+ status = make_server_info_pw(tmp_ctx, pwd->pw_name, pwd, &result);
- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-+ goto done;
- }
-
- result->nss_token = true;
- result->guest = is_guest;
-
- /* Now turn the server_info into a session_info with the full token etc */
-- status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info);
-- TALLOC_FREE(result);
-- TALLOC_FREE(pwd);
-+ status = create_local_token(mem_ctx,
-+ result,
-+ NULL,
-+ pwd->pw_name,
-+ session_info);
-+
-+done:
-+ talloc_free(tmp_ctx);
-
- return status;
- }
-diff --git a/source3/auth/proto.h b/source3/auth/proto.h
-index 8385e66..7abca07 100644
---- a/source3/auth/proto.h
-+++ b/source3/auth/proto.h
-@@ -206,9 +206,10 @@ bool user_in_group_sid(const char *username, const struct dom_sid *group_sid);
- bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid);
- bool user_in_group(const char *username, const char *groupname);
- struct passwd;
--NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
-- char *unix_username,
-- struct passwd *pwd);
-+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
-+ const char *unix_username,
-+ const struct passwd *pwd,
-+ struct auth_serversupplied_info **server_info);
- NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
- const char *username,
- bool is_guest,
-diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
-index 974a8aa..7d44285 100644
---- a/source3/auth/user_krb5.c
-+++ b/source3/auth/user_krb5.c
-@@ -242,7 +242,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
- */
- DEBUG(10, ("didn't find user %s in passdb, calling "
- "make_server_info_pw\n", username));
-- status = make_server_info_pw(&tmp, username, pw);
-+ status = make_server_info_pw(mem_ctx, username, pw, &tmp);
- }
-
- TALLOC_FREE(sampass);
-@@ -253,9 +253,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
- return status;
- }
-
-- /* Steal tmp server info into the server_info pointer. */
-- server_info = talloc_move(mem_ctx, &tmp);
--
- /* make_server_info_pw does not set the domain. Without this
- * we end up with the local netbios name in substitutions for
- * %D. */
---
-1.8.5.2
-
-
-From 4fbd13598e8bdc6acf41329f71de806de4265f36 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 13 Dec 2013 19:19:02 +0100
-Subject: [PATCH 4/7] s3-auth: Add passwd_to_SamInfo3().
-
-Correctly lookup users which come from smb.conf. passwd_to_SamInfo3()
-tries to contact winbind if the user is a domain user to get
-valid information about it. If winbind isn't running it will try to
-create everything from the passwd struct. This is not always reliable
-but works in most cases. It improves the current situation which doesn't
-talk to winbind at all.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
-
-Pair-Programmed-With: Guenther Deschner <gd@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
-Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104
-
-(cherry picked from commit 40e6456b5896e934fcd581c2cac2389984256e09)
----
- source3/auth/auth_util.c | 87 +++++++++-------------------------------------
- source3/auth/server_info.c | 22 ++++++++++--
- 2 files changed, 36 insertions(+), 73 deletions(-)
-
-diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
-index b225b0d..24190af 100644
---- a/source3/auth/auth_util.c
-+++ b/source3/auth/auth_util.c
-@@ -645,98 +645,43 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info **server_info)
- {
- NTSTATUS status;
-- struct samu *sampass = NULL;
-- char *qualified_name = NULL;
-- TALLOC_CTX *tmp_ctx;
-- struct dom_sid u_sid;
-- enum lsa_SidType type;
-+ TALLOC_CTX *tmp_ctx = NULL;
- struct auth_serversupplied_info *result;
-
-- /*
-- * The SID returned in server_info->sam_account is based
-- * on our SAM sid even though for a pure UNIX account this should
-- * not be the case as it doesn't really exist in the SAM db.
-- * This causes lookups on "[in]valid users" to fail as they
-- * will lookup this name as a "Unix User" SID to check against
-- * the user token. Fix this by adding the "Unix User"\unix_username
-- * SID to the sid array. The correct fix should probably be
-- * changing the server_info->sam_account user SID to be a
-- * S-1-22 Unix SID, but this might break old configs where
-- * plaintext passwords were used with no SAM backend.
-- */
--
- tmp_ctx = talloc_stackframe();
- if (tmp_ctx == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
-- qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
-- unix_users_domain_name(),
-- unix_username );
-- if (!qualified_name) {
-- TALLOC_FREE(tmp_ctx);
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
-- NULL, NULL,
-- &u_sid, &type)) {
-- TALLOC_FREE(tmp_ctx);
-- return NT_STATUS_NO_SUCH_USER;
-- }
--
-- TALLOC_FREE(tmp_ctx);
--
-- if (type != SID_NAME_USER) {
-- return NT_STATUS_NO_SUCH_USER;
-- }
--
-- if ( !(sampass = samu_new( NULL )) ) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- status = samu_set_unix( sampass, pwd );
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
-- /* In pathological cases the above call can set the account
-- * name to the DOMAIN\username form. Reset the account name
-- * using unix_username */
-- pdb_set_username(sampass, unix_username, PDB_SET);
--
-- /* set the user sid to be the calculated u_sid */
-- pdb_set_user_sid(sampass, &u_sid, PDB_SET);
--
-- result = make_server_info(mem_ctx);
-+ result = make_server_info(tmp_ctx);
- if (result == NULL) {
-- TALLOC_FREE(sampass);
-- return NT_STATUS_NO_MEMORY;
-+ status = NT_STATUS_NO_MEMORY;
-+ goto done;
- }
-
-- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
-- &result->info3, &result->extra);
-- TALLOC_FREE(sampass);
-+ status = passwd_to_SamInfo3(result,
-+ unix_username,
-+ pwd,
-+ &result->info3);
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(10, ("Failed to convert samu to info3: %s\n",
-- nt_errstr(status)));
-- TALLOC_FREE(result);
-- return status;
-+ goto done;
- }
-
- result->unix_name = talloc_strdup(result, unix_username);
--
- if (result->unix_name == NULL) {
-- TALLOC_FREE(result);
-- return NT_STATUS_NO_MEMORY;
-+ status = NT_STATUS_NO_MEMORY;
-+ goto done;
- }
-
- result->utok.uid = pwd->pw_uid;
- result->utok.gid = pwd->pw_gid;
-
-- *server_info = result;
-+ *server_info = talloc_steal(mem_ctx, result);
-+ status = NT_STATUS_OK;
-+done:
-+ talloc_free(tmp_ctx);
-
-- return NT_STATUS_OK;
-+ return status;
- }
-
- static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
-diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
-index 46d8178..43711d5 100644
---- a/source3/auth/server_info.c
-+++ b/source3/auth/server_info.c
-@@ -489,10 +489,28 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
- }
- } else {
- /*
-- * Winbind is not running, create the group_sid from the
-- * group id.
-+ * Winbind is not running, try to create the group_sid from the
-+ * passwd group id.
-+ */
-+
-+ /*
-+ * This can lead to a primary group of S-1-22-2-XX which
-+ * will be rejected by other Samba code.
- */
- gid_to_sid(&group_sid, pwd->pw_gid);
-+
-+ ZERO_STRUCT(domain_sid);
-+
-+ /*
-+ * If we are a unix group, set the group_sid to the
-+ * 'Domain Users' RID of 513 which will always resolve to a
-+ * name.
-+ */
-+ if (sid_check_is_in_unix_groups(&group_sid)) {
-+ sid_compose(&group_sid,
-+ get_global_sam_sid(),
-+ DOMAIN_RID_USERS);
-+ }
- }
-
- /* Make sure we have a valid group sid */
---
-1.8.5.2
-
-
-From 76bb5e0888f4131ab773d90160051a51c401c90d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 18 Feb 2014 10:02:57 +0100
-Subject: [PATCH 5/7] s3-auth: Pass mem_ctx to make_server_info_sam().
-
-Coverity-Id: 1168009
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-
-Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 3dc72266005e87a291f5bf9847257e8c54314d39)
----
- source3/auth/check_samsec.c | 2 +-
- source3/auth/proto.h | 5 ++--
- source3/auth/server_info_sam.c | 56 +++++++++++++++++++++++++++---------------
- source3/auth/user_krb5.c | 12 +++++----
- 4 files changed, 47 insertions(+), 28 deletions(-)
-
-diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
-index 7ed8cc2..b6cac60 100644
---- a/source3/auth/check_samsec.c
-+++ b/source3/auth/check_samsec.c
-@@ -482,7 +482,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
- }
-
- become_root();
-- nt_status = make_server_info_sam(server_info, sampass);
-+ nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
- unbecome_root();
-
- TALLOC_FREE(sampass);
-diff --git a/source3/auth/proto.h b/source3/auth/proto.h
-index 7abca07..eac3e54 100644
---- a/source3/auth/proto.h
-+++ b/source3/auth/proto.h
-@@ -190,8 +190,9 @@ bool make_user_info_guest(const struct tsocket_address *remote_address,
- struct auth_usersupplied_info **user_info);
-
- struct samu;
--NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
-- struct samu *sampass);
-+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
-+ struct samu *sampass,
-+ struct auth_serversupplied_info **pserver_info);
- NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
- const struct auth_serversupplied_info *server_info,
- DATA_BLOB *session_key,
-diff --git a/source3/auth/server_info_sam.c b/source3/auth/server_info_sam.c
-index 5d657f9..47087b1 100644
---- a/source3/auth/server_info_sam.c
-+++ b/source3/auth/server_info_sam.c
-@@ -58,39 +58,51 @@ static bool is_our_machine_account(const char *username)
- Make (and fill) a user_info struct from a struct samu
- ***************************************************************************/
-
--NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
-- struct samu *sampass)
-+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
-+ struct samu *sampass,
-+ struct auth_serversupplied_info **pserver_info)
- {
- struct passwd *pwd;
-- struct auth_serversupplied_info *result;
-+ struct auth_serversupplied_info *server_info;
- const char *username = pdb_get_username(sampass);
-+ TALLOC_CTX *tmp_ctx;
- NTSTATUS status;
-
-- if ( !(result = make_server_info(NULL)) ) {
-+ tmp_ctx = talloc_stackframe();
-+ if (tmp_ctx == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
-- if ( !(pwd = Get_Pwnam_alloc(result, username)) ) {
-+ server_info = make_server_info(tmp_ctx);
-+ if (server_info == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ pwd = Get_Pwnam_alloc(tmp_ctx, username);
-+ if (pwd == NULL) {
- DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
- pdb_get_username(sampass)));
-- TALLOC_FREE(result);
-- return NT_STATUS_NO_SUCH_USER;
-+ status = NT_STATUS_NO_SUCH_USER;
-+ goto out;
- }
-
-- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
-- &result->info3, &result->extra);
-+ status = samu_to_SamInfo3(server_info,
-+ sampass,
-+ lp_netbios_name(),
-+ &server_info->info3,
-+ &server_info->extra);
- if (!NT_STATUS_IS_OK(status)) {
-- TALLOC_FREE(result);
-- return status;
-+ goto out;
- }
-
-- result->unix_name = pwd->pw_name;
-- /* Ensure that we keep pwd->pw_name, because we will free pwd below */
-- talloc_steal(result, pwd->pw_name);
-- result->utok.gid = pwd->pw_gid;
-- result->utok.uid = pwd->pw_uid;
-+ server_info->unix_name = talloc_strdup(server_info, pwd->pw_name);
-+ if (server_info->unix_name == NULL) {
-+ status = NT_STATUS_NO_MEMORY;
-+ goto out;
-+ }
-
-- TALLOC_FREE(pwd);
-+ server_info->utok.gid = pwd->pw_gid;
-+ server_info->utok.uid = pwd->pw_uid;
-
- if (IS_DC && is_our_machine_account(username)) {
- /*
-@@ -110,9 +122,13 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
- }
-
- DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
-- pdb_get_username(sampass), result->unix_name));
-+ pdb_get_username(sampass), server_info->unix_name));
-+
-+ *pserver_info = talloc_steal(mem_ctx, server_info);
-
-- *server_info = result;
-+ status = NT_STATUS_OK;
-+out:
-+ talloc_free(tmp_ctx);
-
-- return NT_STATUS_OK;
-+ return status;
- }
-diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
-index 7d44285..e40c8ac 100644
---- a/source3/auth/user_krb5.c
-+++ b/source3/auth/user_krb5.c
-@@ -223,9 +223,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
- * SID consistency with ntlmssp session setup
- */
- struct samu *sampass;
-- /* The stupid make_server_info_XX functions here
-- don't take a talloc context. */
-- struct auth_serversupplied_info *tmp = NULL;
-
- sampass = samu_new(talloc_tos());
- if (sampass == NULL) {
-@@ -235,14 +232,19 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
- if (pdb_getsampwnam(sampass, username)) {
- DEBUG(10, ("found user %s in passdb, calling "
- "make_server_info_sam\n", username));
-- status = make_server_info_sam(&tmp, sampass);
-+ status = make_server_info_sam(mem_ctx,
-+ sampass,
-+ &server_info);
- } else {
- /*
- * User not in passdb, make it up artificially
- */
- DEBUG(10, ("didn't find user %s in passdb, calling "
- "make_server_info_pw\n", username));
-- status = make_server_info_pw(mem_ctx, username, pw, &tmp);
-+ status = make_server_info_pw(mem_ctx,
-+ username,
-+ pw,
-+ &server_info);
- }
-
- TALLOC_FREE(sampass);
---
-1.8.5.2
-
-
-From f9c0adb6237c6e60c33ee6af21f55c0cdefa132c Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 18 Feb 2014 10:19:57 +0100
-Subject: [PATCH 6/7] s3-auth: Pass mem_ctx to auth_check_ntlm_password().
-
-Coverity-Id: 1168009
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-
-Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 4d792db03f18aa164b565c7fdc7b446c174fba28)
----
- source3/auth/auth.c | 50 ++++++++++++++++++-----------
- source3/auth/auth_ntlmssp.c | 6 ++--
- source3/auth/proto.h | 8 +++--
- source3/rpc_server/netlogon/srv_netlog_nt.c | 6 ++--
- source3/torture/pdbtest.c | 5 ++-
- 5 files changed, 48 insertions(+), 27 deletions(-)
-
-diff --git a/source3/auth/auth.c b/source3/auth/auth.c
-index c3797cf..dc9af02 100644
---- a/source3/auth/auth.c
-+++ b/source3/auth/auth.c
-@@ -160,18 +160,19 @@ static bool check_domain_match(const char *user, const char *domain)
- *
- **/
-
--NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
-- const struct auth_usersupplied_info *user_info,
-- struct auth_serversupplied_info **server_info)
-+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
-+ const struct auth_context *auth_context,
-+ const struct auth_usersupplied_info *user_info,
-+ struct auth_serversupplied_info **pserver_info)
- {
- /* if all the modules say 'not for me' this is reasonable */
- NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
- const char *unix_username;
- auth_methods *auth_method;
-- TALLOC_CTX *mem_ctx;
-
-- if (!user_info || !auth_context || !server_info)
-+ if (user_info == NULL || auth_context == NULL || pserver_info == NULL) {
- return NT_STATUS_LOGON_FAILURE;
-+ }
-
- DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
- user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
-@@ -205,17 +206,27 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
- return NT_STATUS_LOGON_FAILURE;
-
- for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
-+ struct auth_serversupplied_info *server_info;
-+ TALLOC_CTX *tmp_ctx;
- NTSTATUS result;
-
-- mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
-- user_info->mapped.domain_name, user_info->client.account_name);
-+ tmp_ctx = talloc_named(mem_ctx,
-+ 0,
-+ "%s authentication for user %s\\%s",
-+ auth_method->name,
-+ user_info->mapped.domain_name,
-+ user_info->client.account_name);
-
-- result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
-+ result = auth_method->auth(auth_context,
-+ auth_method->private_data,
-+ tmp_ctx,
-+ user_info,
-+ &server_info);
-
- /* check if the module did anything */
- if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
- DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
-- talloc_destroy(mem_ctx);
-+ TALLOC_FREE(tmp_ctx);
- continue;
- }
-
-@@ -229,19 +240,20 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
- auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
- }
-
-- talloc_destroy(mem_ctx);
--
-- if ( NT_STATUS_IS_OK(nt_status))
-- {
-- break;
-+ if (NT_STATUS_IS_OK(nt_status)) {
-+ *pserver_info = talloc_steal(mem_ctx, server_info);
-+ TALLOC_FREE(tmp_ctx);
-+ break;
- }
-+
-+ TALLOC_FREE(tmp_ctx);
- }
-
- /* successful authentication */
-
- if (NT_STATUS_IS_OK(nt_status)) {
-- unix_username = (*server_info)->unix_name;
-- if (!(*server_info)->guest) {
-+ unix_username = (*pserver_info)->unix_name;
-+ if (!(*pserver_info)->guest) {
- const char *rhost;
-
- if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
-@@ -270,9 +282,9 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
- }
-
- if (NT_STATUS_IS_OK(nt_status)) {
-- DEBUG((*server_info)->guest ? 5 : 2,
-+ DEBUG((*pserver_info)->guest ? 5 : 2,
- ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
-- (*server_info)->guest ? "guest " : "",
-+ (*pserver_info)->guest ? "guest " : "",
- user_info->client.account_name,
- user_info->mapped.account_name,
- unix_username));
-@@ -286,7 +298,7 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
- DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
- user_info->client.account_name, user_info->mapped.account_name,
- nt_errstr(nt_status)));
-- ZERO_STRUCTP(server_info);
-+ ZERO_STRUCTP(pserver_info);
-
- return nt_status;
- }
-diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
-index f99bd44..cb7726c 100644
---- a/source3/auth/auth_ntlmssp.c
-+++ b/source3/auth/auth_ntlmssp.c
-@@ -134,8 +134,10 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
-
- mapped_user_info->flags = user_info->flags;
-
-- nt_status = auth_check_ntlm_password(auth_context,
-- mapped_user_info, &server_info);
-+ nt_status = auth_check_ntlm_password(mem_ctx,
-+ auth_context,
-+ mapped_user_info,
-+ &server_info);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
-diff --git a/source3/auth/proto.h b/source3/auth/proto.h
-index eac3e54..15b1ba0 100644
---- a/source3/auth/proto.h
-+++ b/source3/auth/proto.h
-@@ -65,6 +65,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
- * struct. When the return is other than NT_STATUS_OK the contents
- * of that structure is undefined.
- *
-+ * @param mem_ctx The memory context to use to allocate server_info
-+ *
- * @param user_info Contains the user supplied components, including the passwords.
- * Must be created with make_user_info() or one of its wrappers.
- *
-@@ -79,9 +81,9 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
- * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
- *
- **/
--
--NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
-- const struct auth_usersupplied_info *user_info,
-+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
-+ const struct auth_context *auth_context,
-+ const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info);
-
- /* The following definitions come from auth/auth_builtin.c */
-diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
-index e5ca474..0c8c9a5 100644
---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
-+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
-@@ -1650,8 +1650,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
- } /* end switch */
-
- if ( NT_STATUS_IS_OK(status) ) {
-- status = auth_check_ntlm_password(auth_context,
-- user_info, &server_info);
-+ status = auth_check_ntlm_password(p->mem_ctx,
-+ auth_context,
-+ user_info,
-+ &server_info);
- }
-
- TALLOC_FREE(auth_context);
-diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
-index 17da455..14d58b9 100644
---- a/source3/torture/pdbtest.c
-+++ b/source3/torture/pdbtest.c
-@@ -304,7 +304,10 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
- return False;
- }
-
-- status = auth_check_ntlm_password(auth_context, user_info, &server_info);
-+ status = auth_check_ntlm_password(mem_ctx,
-+ auth_context,
-+ user_info,
-+ &server_info);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
---
-1.8.5.2
-
-
-From a48bcd84c59b5b2cb8c3e0f5d68b35065bed81d7 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 18 Feb 2014 13:52:49 +0100
-Subject: [PATCH 7/7] s3-auth: Pass mem_ctx to do_map_to_guest_server_info().
-
-Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
-Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104
-
-(cherry picked from commit 79e2725f339e7c5336b4053348c4266268de6ca3)
----
- source3/auth/auth_ntlmssp.c | 7 ++++---
- source3/auth/auth_util.c | 12 +++++++-----
- source3/auth/proto.h | 8 +++++---
- 3 files changed, 16 insertions(+), 11 deletions(-)
-
-diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
-index cb7726c..d4fe901 100644
---- a/source3/auth/auth_ntlmssp.c
-+++ b/source3/auth/auth_ntlmssp.c
-@@ -151,10 +151,11 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
- free_user_info(&mapped_user_info);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
-- nt_status = do_map_to_guest_server_info(nt_status,
-- &server_info,
-+ nt_status = do_map_to_guest_server_info(mem_ctx,
-+ nt_status,
- user_info->client.account_name,
-- user_info->client.domain_name);
-+ user_info->client.domain_name,
-+ &server_info);
- *server_returned_info = talloc_steal(mem_ctx, server_info);
- return nt_status;
- }
-diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
-index 24190af..8cf5cb7 100644
---- a/source3/auth/auth_util.c
-+++ b/source3/auth/auth_util.c
-@@ -1536,9 +1536,11 @@ bool is_trusted_domain(const char* dom_name)
- on a logon error possibly map the error to success if "map to guest"
- is set approriately
- */
--NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
-- struct auth_serversupplied_info **server_info,
-- const char *user, const char *domain)
-+NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx,
-+ NTSTATUS status,
-+ const char *user,
-+ const char *domain,
-+ struct auth_serversupplied_info **server_info)
- {
- user = user ? user : "";
- domain = domain ? domain : "";
-@@ -1548,13 +1550,13 @@ NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
- (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
- DEBUG(3,("No such user %s [%s] - using guest account\n",
- user, domain));
-- return make_server_info_guest(NULL, server_info);
-+ return make_server_info_guest(mem_ctx, server_info);
- }
- } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
- if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
- DEBUG(3,("Registered username %s for guest access\n",
- user));
-- return make_server_info_guest(NULL, server_info);
-+ return make_server_info_guest(mem_ctx, server_info);
- }
- }
-
-diff --git a/source3/auth/proto.h b/source3/auth/proto.h
-index 15b1ba0..7b8959f 100644
---- a/source3/auth/proto.h
-+++ b/source3/auth/proto.h
-@@ -264,9 +264,11 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
- enum auth_password_state password_state);
- void free_user_info(struct auth_usersupplied_info **user_info);
-
--NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
-- struct auth_serversupplied_info **server_info,
-- const char *user, const char *domain);
-+NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx,
-+ NTSTATUS status,
-+ const char *user,
-+ const char *domain,
-+ struct auth_serversupplied_info **server_info);
-
- /* The following definitions come from auth/auth_winbind.c */
-
---
-1.8.5.2
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
deleted file mode 100644
index daa283e..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
+++ /dev/null
@@ -1,266 +0,0 @@
-From 168627e1877317db86471a4b0360dccd9f469aaa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 13 Jan 2014 15:59:26 +0100
-Subject: [PATCH 1/2] s3-kerberos: remove print_kdc_line() completely.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Just calling print_canonical_sockaddr() is sufficient, as it already deals with
-ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is
-removed as well. It was pointless because it always derived the port number from
-the provided address which was either a SMB (usually port 445) or LDAP
-connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC.
-Finally, the kerberos libraries that we support and build with, can deal with
-ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of
-resolving the DC name on the kerberos library anymore.
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/kerberos.c | 73 ++++-------------------------------------------
- 1 file changed, 5 insertions(+), 68 deletions(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index b026e09..ea14350 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -592,70 +592,6 @@ int kerberos_kinit_password(const char *principal,
- /************************************************************************
- ************************************************************************/
-
--static char *print_kdc_line(char *mem_ctx,
-- const char *prev_line,
-- const struct sockaddr_storage *pss,
-- const char *kdc_name)
--{
-- char addr[INET6_ADDRSTRLEN];
-- uint16_t port = get_sockaddr_port(pss);
--
-- if (pss->ss_family == AF_INET) {
-- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
-- prev_line,
-- print_canonical_sockaddr(mem_ctx, pss));
-- }
--
-- /*
-- * IPv6 starts here
-- */
--
-- DEBUG(10, ("print_kdc_line: IPv6 case for kdc_name: %s, port: %d\n",
-- kdc_name, port));
--
-- if (port != 0 && port != DEFAULT_KRB5_PORT) {
-- /* Currently for IPv6 we can't specify a non-default
-- krb5 port with an address, as this requires a ':'.
-- Resolve to a name. */
-- char hostname[MAX_DNS_NAME_LENGTH];
-- int ret = sys_getnameinfo((const struct sockaddr *)pss,
-- sizeof(*pss),
-- hostname, sizeof(hostname),
-- NULL, 0,
-- NI_NAMEREQD);
-- if (ret) {
-- DEBUG(0,("print_kdc_line: can't resolve name "
-- "for kdc with non-default port %s. "
-- "Error %s\n.",
-- print_canonical_sockaddr(mem_ctx, pss),
-- gai_strerror(ret)));
-- return NULL;
-- }
-- /* Success, use host:port */
-- return talloc_asprintf(mem_ctx,
-- "%s\tkdc = %s:%u\n",
-- prev_line,
-- hostname,
-- (unsigned int)port);
-- }
--
-- /* no krb5 lib currently supports "kdc = ipv6 address"
-- * at all, so just fill in just the kdc_name if we have
-- * it and let the krb5 lib figure out the appropriate
-- * ipv6 address - gd */
--
-- if (kdc_name) {
-- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
-- prev_line, kdc_name);
-- }
--
-- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
-- prev_line,
-- print_sockaddr(addr,
-- sizeof(addr),
-- pss));
--}
--
- /************************************************************************
- Create a string list of available kdc's, possibly searching by sitename.
- Does DNS queries.
-@@ -698,7 +634,8 @@ static char *get_kdc_ip_string(char *mem_ctx,
- char *result = NULL;
- struct netlogon_samlogon_response **responses = NULL;
- NTSTATUS status;
-- char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name);
-+ char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
-+ print_canonical_sockaddr(mem_ctx, pss));
-
- if (kdc_str == NULL) {
- TALLOC_FREE(frame);
-@@ -788,9 +725,9 @@ static char *get_kdc_ip_string(char *mem_ctx,
- }
-
- /* Append to the string - inefficient but not done often. */
-- new_kdc_str = print_kdc_line(mem_ctx, kdc_str,
-- &dc_addrs[i],
-- kdc_name);
-+ new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
-+ kdc_str,
-+ print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
- if (new_kdc_str == NULL) {
- goto fail;
- }
---
-1.8.5.3
-
-
-From 3edb3d4084548960f03356cf4c44a6892e6efb84 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 7 Mar 2014 14:47:31 +0100
-Subject: [PATCH 2/2] s3-kerberos: remove unused kdc_name from
- create_local_private_krb5_conf_for_domain().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/kerberos.c | 10 ++++------
- source3/libads/kerberos_proto.h | 3 +--
- source3/libnet/libnet_join.c | 3 +--
- source3/libsmb/namequery_dc.c | 6 ++----
- source3/winbindd/winbindd_cm.c | 6 ++----
- 5 files changed, 10 insertions(+), 18 deletions(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index ea14350..649e568 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -618,8 +618,7 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
- static char *get_kdc_ip_string(char *mem_ctx,
- const char *realm,
- const char *sitename,
-- const struct sockaddr_storage *pss,
-- const char *kdc_name)
-+ const struct sockaddr_storage *pss)
- {
- TALLOC_CTX *frame = talloc_stackframe();
- int i;
-@@ -756,8 +755,7 @@ fail:
- bool create_local_private_krb5_conf_for_domain(const char *realm,
- const char *domain,
- const char *sitename,
-- const struct sockaddr_storage *pss,
-- const char *kdc_name)
-+ const struct sockaddr_storage *pss)
- {
- char *dname;
- char *tmpname = NULL;
-@@ -782,7 +780,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
- return false;
- }
-
-- if (domain == NULL || pss == NULL || kdc_name == NULL) {
-+ if (domain == NULL || pss == NULL) {
- return false;
- }
-
-@@ -815,7 +813,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
- goto done;
- }
-
-- kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name);
-+ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
- if (!kdc_ip_string) {
- goto done;
- }
-diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
-index f7470d2..2559634 100644
---- a/source3/libads/kerberos_proto.h
-+++ b/source3/libads/kerberos_proto.h
-@@ -62,8 +62,7 @@ int kerberos_kinit_password(const char *principal,
- bool create_local_private_krb5_conf_for_domain(const char *realm,
- const char *domain,
- const char *sitename,
-- const struct sockaddr_storage *pss,
-- const char *kdc_name);
-+ const struct sockaddr_storage *pss);
-
- /* The following definitions come from libads/authdata.c */
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index a87eb38..68884cd 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -2152,8 +2152,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
-
- create_local_private_krb5_conf_for_domain(
- r->out.dns_domain_name, r->out.netbios_domain_name,
-- NULL, smbXcli_conn_remote_sockaddr(cli->conn),
-- smbXcli_conn_remote_name(cli->conn));
-+ NULL, smbXcli_conn_remote_sockaddr(cli->conn));
-
- if (r->out.domain_is_ad && r->in.account_ou &&
- !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
-diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
-index 3cfae79..eb34741 100644
---- a/source3/libsmb/namequery_dc.c
-+++ b/source3/libsmb/namequery_dc.c
-@@ -112,14 +112,12 @@ static bool ads_dc_name(const char *domain,
- create_local_private_krb5_conf_for_domain(realm,
- domain,
- sitename,
-- &ads->ldap.ss,
-- ads->config.ldap_server_name);
-+ &ads->ldap.ss);
- } else {
- create_local_private_krb5_conf_for_domain(realm,
- domain,
- NULL,
-- &ads->ldap.ss,
-- ads->config.ldap_server_name);
-+ &ads->ldap.ss);
- }
- }
- #endif
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index 669a43e..be13a57 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -1233,8 +1233,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
- create_local_private_krb5_conf_for_domain(domain->alt_name,
- domain->name,
- sitename,
-- pss,
-- *name);
-+ pss);
-
- SAFE_FREE(sitename);
- } else {
-@@ -1242,8 +1241,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
- create_local_private_krb5_conf_for_domain(domain->alt_name,
- domain->name,
- NULL,
-- pss,
-- *name);
-+ pss);
- }
- winbindd_set_locator_kdc_envs(domain);
-
---
-1.8.5.3
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
deleted file mode 100644
index 26a4caf..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
+++ /dev/null
@@ -1,962 +0,0 @@
-From 932490ae08578c37523e00e537017603ee00ce7c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 17 Jan 2014 14:29:03 +0100
-Subject: [PATCH 1/8] s3-libads: pass down local_service to
- kerberos_return_pac().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/authdata.c | 6 +-----
- source3/libads/kerberos_proto.h | 1 +
- source3/utils/net_ads.c | 8 ++++++++
- source3/winbindd/winbindd_pam.c | 9 +++++++++
- 4 files changed, 19 insertions(+), 5 deletions(-)
-
-diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
-index 801e551..dd80dc2 100644
---- a/source3/libads/authdata.c
-+++ b/source3/libads/authdata.c
-@@ -101,13 +101,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- bool add_netbios_addr,
- time_t renewable_time,
- const char *impersonate_princ_s,
-+ const char *local_service,
- struct PAC_LOGON_INFO **_logon_info)
- {
- krb5_error_code ret;
- NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
- const char *auth_princ = NULL;
-- const char *local_service = NULL;
- const char *cc = "MEMORY:kerberos_return_pac";
- struct auth_session_info *session_info;
- struct gensec_security *gensec_server_context;
-@@ -141,10 +141,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- }
- NT_STATUS_HAVE_NO_MEMORY(auth_princ);
-
-- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
-- lp_netbios_name(), lp_realm());
-- NT_STATUS_HAVE_NO_MEMORY(local_service);
--
- ret = kerberos_kinit_password_ext(auth_princ,
- pass,
- time_offset,
-diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
-index 2559634..1151d66 100644
---- a/source3/libads/kerberos_proto.h
-+++ b/source3/libads/kerberos_proto.h
-@@ -77,6 +77,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- bool add_netbios_addr,
- time_t renewable_time,
- const char *impersonate_princ_s,
-+ const char *local_service,
- struct PAC_LOGON_INFO **logon_info);
-
- /* The following definitions come from libads/krb5_setpw.c */
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index 89eebf3..5a073b1 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -2604,6 +2604,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- NTSTATUS status;
- int ret = -1;
- const char *impersonate_princ_s = NULL;
-+ const char *local_service = NULL;
-
- if (c->display_usage) {
- d_printf( "%s\n"
-@@ -2623,6 +2624,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- impersonate_princ_s = argv[0];
- }
-
-+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
-+ lp_netbios_name(), lp_realm());
-+ if (local_service == NULL) {
-+ goto out;
-+ }
-+
- c->opt_password = net_prompt_pass(c, c->opt_user_name);
-
- status = kerberos_return_pac(mem_ctx,
-@@ -2636,6 +2643,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- true,
- 2592000, /* one month */
- impersonate_princ_s,
-+ local_service,
- &info);
- if (!NT_STATUS_IS_OK(status)) {
- d_printf(_("failed to query kerberos PAC: %s\n"),
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index 3f3ec70..61e2cef 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- time_t time_offset = 0;
- const char *user_ccache_file;
- struct PAC_LOGON_INFO *logon_info = NULL;
-+ const char *local_service;
-
- *info3 = NULL;
-
-@@ -632,6 +633,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
-+ lp_netbios_name(), lp_realm());
-+ if (local_service == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+
- /* if this is a user ccache, we need to act as the user to let the krb5
- * library handle the chown, etc. */
-
-@@ -653,6 +661,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- true,
- WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
- NULL,
-+ local_service,
- &logon_info);
- if (user_ccache_file != NULL) {
- gain_root_privilege();
---
-1.8.5.3
-
-
-From baed403983a5bb2e728249443fdfc9167a87f526 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 3 Mar 2014 12:14:51 +0100
-Subject: [PATCH 2/8] auth/kerberos: fix a typo.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- auth/kerberos/kerberos_pac.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
-index 81f7f21..8f55c8f 100644
---- a/auth/kerberos/kerberos_pac.c
-+++ b/auth/kerberos/kerberos_pac.c
-@@ -79,7 +79,7 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
- }
-
- /**
--* @brief Decode a blob containing a NDR envoded PAC structure
-+* @brief Decode a blob containing a NDR encoded PAC structure
- *
- * @param mem_ctx - The memory context
- * @param pac_data_blob - The data blob containing the NDR encoded data
---
-1.8.5.3
-
-
-From 9725a86e60bb6ef6e912621e81acc955ae2f70a8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 10 Mar 2014 15:11:18 +0100
-Subject: [PATCH 3/8] s3-net: change the way impersonation principals are used
- in "net ads kerberos pac".
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/utils/net_ads.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index 5a073b1..ac6346f 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -2605,6 +2605,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- int ret = -1;
- const char *impersonate_princ_s = NULL;
- const char *local_service = NULL;
-+ int i;
-
- if (c->display_usage) {
- d_printf( "%s\n"
-@@ -2615,15 +2616,20 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- return 0;
- }
-
-+ for (i=0; i<argc; i++) {
-+ if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
-+ impersonate_princ_s = get_string_param(argv[i]);
-+ if (impersonate_princ_s == NULL) {
-+ return -1;
-+ }
-+ }
-+ }
-+
- mem_ctx = talloc_init("net_ads_kerberos_pac");
- if (!mem_ctx) {
- goto out;
- }
-
-- if (argc > 0) {
-- impersonate_princ_s = argv[0];
-- }
--
- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
- lp_netbios_name(), lp_realm());
- if (local_service == NULL) {
---
-1.8.5.3
-
-
-From 35a1ed22f65473fabb2f4846f6d2b50da1847f6a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 11 Mar 2014 16:34:36 +0100
-Subject: [PATCH 4/8] s3-net: allow to provide custom local_service in "net ads
- kerberos pac".
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/utils/net_ads.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index ac6346f..c53c8c6 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -2623,6 +2623,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- return -1;
- }
- }
-+ if (strnequal(argv[i], "local_service", strlen("local_service"))) {
-+ local_service = get_string_param(argv[i]);
-+ if (local_service == NULL) {
-+ return -1;
-+ }
-+ }
- }
-
- mem_ctx = talloc_init("net_ads_kerberos_pac");
-@@ -2630,10 +2636,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- goto out;
- }
-
-- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
-- lp_netbios_name(), lp_realm());
- if (local_service == NULL) {
-- goto out;
-+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
-+ lp_netbios_name(), lp_realm());
-+ if (local_service == NULL) {
-+ goto out;
-+ }
- }
-
- c->opt_password = net_prompt_pass(c, c->opt_user_name);
---
-1.8.5.3
-
-
-From 1270e35ba70a4e4881512d375c767023512f67bd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 21 Feb 2014 18:56:04 +0100
-Subject: [PATCH 5/8] s3-kerberos: return a full PAC in kerberos_return_pac().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/authdata.c | 28 +++++++++++++++++-----------
- source3/libads/kerberos_proto.h | 4 ++--
- source3/utils/net_ads.c | 17 ++++++++++++++++-
- source3/winbindd/winbindd_pam.c | 22 +++++++++++++++++++++-
- 4 files changed, 56 insertions(+), 15 deletions(-)
-
-diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
-index dd80dc2..53e40ef 100644
---- a/source3/libads/authdata.c
-+++ b/source3/libads/authdata.c
-@@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
- struct auth_session_info **session_info)
- {
- TALLOC_CTX *tmp_ctx;
-- struct PAC_LOGON_INFO *logon_info = NULL;
-+ struct PAC_DATA *pac_data = NULL;
- NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
-
- tmp_ctx = talloc_new(mem_ctx);
-@@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
- }
-
- if (pac_blob) {
-- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
-- NULL, NULL, 0, &logon_info);
-+ status = kerberos_decode_pac(tmp_ctx,
-+ *pac_blob,
-+ NULL,
-+ NULL,
-+ NULL,
-+ NULL,
-+ 0,
-+ &pac_data);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
- }
-
-- talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
-+ talloc_set_name_const(pac_data, "struct PAC_DATA");
-
-- auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);
-+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
- *session_info = talloc_zero(mem_ctx, struct auth_session_info);
- if (!*session_info) {
- status = NT_STATUS_NO_MEMORY;
-@@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- time_t renewable_time,
- const char *impersonate_princ_s,
- const char *local_service,
-- struct PAC_LOGON_INFO **_logon_info)
-+ struct PAC_DATA **_pac_data)
- {
- krb5_error_code ret;
- NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
-@@ -116,7 +122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- size_t idx = 0;
- struct auth4_context *auth_context;
- struct loadparm_context *lp_ctx;
-- struct PAC_LOGON_INFO *logon_info = NULL;
-+ struct PAC_DATA *pac_data = NULL;
-
- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
-@@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- goto out;
- }
-
-- logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
-- struct PAC_LOGON_INFO);
-- if (logon_info == NULL) {
-+ pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
-+ struct PAC_DATA);
-+ if (pac_data == NULL) {
- DEBUG(1,("no PAC\n"));
- status = NT_STATUS_INVALID_PARAMETER;
- goto out;
- }
-
-- *_logon_info = talloc_move(mem_ctx, &logon_info);
-+ *_pac_data = talloc_move(mem_ctx, &pac_data);
-
- out:
- talloc_free(tmp_ctx);
-diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
-index 1151d66..b2f7486 100644
---- a/source3/libads/kerberos_proto.h
-+++ b/source3/libads/kerberos_proto.h
-@@ -32,7 +32,7 @@
-
- #include "system/kerberos.h"
-
--struct PAC_LOGON_INFO;
-+struct PAC_DATA;
-
- #include "libads/ads_status.h"
-
-@@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- time_t renewable_time,
- const char *impersonate_princ_s,
- const char *local_service,
-- struct PAC_LOGON_INFO **logon_info);
-+ struct PAC_DATA **pac_data);
-
- /* The following definitions come from libads/krb5_setpw.c */
-
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index c53c8c6..19da6da 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
- static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
- {
- struct PAC_LOGON_INFO *info = NULL;
-+ struct PAC_DATA *pac_data = NULL;
- TALLOC_CTX *mem_ctx = NULL;
- NTSTATUS status;
- int ret = -1;
-@@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- 2592000, /* one month */
- impersonate_princ_s,
- local_service,
-- &info);
-+ &pac_data);
- if (!NT_STATUS_IS_OK(status)) {
- d_printf(_("failed to query kerberos PAC: %s\n"),
- nt_errstr(status));
- goto out;
- }
-
-+ for (i=0; i < pac_data->num_buffers; i++) {
-+
-+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
-+ continue;
-+ }
-+
-+ info = pac_data->buffers[i].info->logon_info.info;
-+ if (!info) {
-+ goto out;
-+ }
-+
-+ break;
-+ }
-+
- if (info) {
- const char *s;
- s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index 61e2cef..a8daae51 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- time_t time_offset = 0;
- const char *user_ccache_file;
- struct PAC_LOGON_INFO *logon_info = NULL;
-+ struct PAC_DATA *pac_data = NULL;
- const char *local_service;
-+ int i;
-
- *info3 = NULL;
-
-@@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
- NULL,
- local_service,
-- &logon_info);
-+ &pac_data);
- if (user_ccache_file != NULL) {
- gain_root_privilege();
- }
-@@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- goto failed;
- }
-
-+ if (pac_data == NULL) {
-+ goto failed;
-+ }
-+
-+ for (i=0; i < pac_data->num_buffers; i++) {
-+
-+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
-+ continue;
-+ }
-+
-+ logon_info = pac_data->buffers[i].info->logon_info.info;
-+ if (!logon_info) {
-+ return NT_STATUS_INVALID_PARAMETER;
-+ }
-+
-+ break;
-+ }
-+
- *info3 = &logon_info->info3;
-
- DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
---
-1.8.5.3
-
-
-From a8c2807a26d2f1ff094ed7ea5724c0394f79b888 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 11 Mar 2014 18:07:11 +0100
-Subject: [PATCH 6/8] s3-kerberos: let kerberos_return_pac() return a PAC
- container.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/authdata.c | 29 +++++++++++++++++++++--------
- source3/libads/kerberos_proto.h | 7 ++++++-
- source3/utils/net_ads.c | 5 ++++-
- source3/winbindd/winbindd_pam.c | 8 +++++++-
- 4 files changed, 38 insertions(+), 11 deletions(-)
-
-diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
-index 53e40ef..276408d 100644
---- a/source3/libads/authdata.c
-+++ b/source3/libads/authdata.c
-@@ -53,6 +53,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
- {
- TALLOC_CTX *tmp_ctx;
- struct PAC_DATA *pac_data = NULL;
-+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
- NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
-
- tmp_ctx = talloc_new(mem_ctx);
-@@ -74,9 +75,21 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
- }
- }
-
-- talloc_set_name_const(pac_data, "struct PAC_DATA");
-+ pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR);
-+ if (pac_data_ctr == NULL) {
-+ status = NT_STATUS_NO_MEMORY;
-+ goto done;
-+ }
-+
-+ talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR");
-+
-+ pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data);
-+ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
-+ pac_blob->data,
-+ pac_blob->length);
-+
-+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);
-
-- auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
- *session_info = talloc_zero(mem_ctx, struct auth_session_info);
- if (!*session_info) {
- status = NT_STATUS_NO_MEMORY;
-@@ -108,7 +121,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- time_t renewable_time,
- const char *impersonate_princ_s,
- const char *local_service,
-- struct PAC_DATA **_pac_data)
-+ struct PAC_DATA_CTR **_pac_data_ctr)
- {
- krb5_error_code ret;
- NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
-@@ -122,7 +135,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- size_t idx = 0;
- struct auth4_context *auth_context;
- struct loadparm_context *lp_ctx;
-- struct PAC_DATA *pac_data = NULL;
-+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
-
- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
-@@ -278,15 +291,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- goto out;
- }
-
-- pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
-- struct PAC_DATA);
-- if (pac_data == NULL) {
-+ pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
-+ struct PAC_DATA_CTR);
-+ if (pac_data_ctr == NULL) {
- DEBUG(1,("no PAC\n"));
- status = NT_STATUS_INVALID_PARAMETER;
- goto out;
- }
-
-- *_pac_data = talloc_move(mem_ctx, &pac_data);
-+ *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
-
- out:
- talloc_free(tmp_ctx);
-diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
-index b2f7486..3d0ad4b 100644
---- a/source3/libads/kerberos_proto.h
-+++ b/source3/libads/kerberos_proto.h
-@@ -34,6 +34,11 @@
-
- struct PAC_DATA;
-
-+struct PAC_DATA_CTR {
-+ DATA_BLOB pac_blob;
-+ struct PAC_DATA *pac_data;
-+};
-+
- #include "libads/ads_status.h"
-
- /* The following definitions come from libads/kerberos.c */
-@@ -78,7 +83,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- time_t renewable_time,
- const char *impersonate_princ_s,
- const char *local_service,
-- struct PAC_DATA **pac_data);
-+ struct PAC_DATA_CTR **pac_data_ctr);
-
- /* The following definitions come from libads/krb5_setpw.c */
-
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index 19da6da..19c28b1 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -2601,6 +2601,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- {
- struct PAC_LOGON_INFO *info = NULL;
- struct PAC_DATA *pac_data = NULL;
-+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
- TALLOC_CTX *mem_ctx = NULL;
- NTSTATUS status;
- int ret = -1;
-@@ -2659,13 +2660,15 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- 2592000, /* one month */
- impersonate_princ_s,
- local_service,
-- &pac_data);
-+ &pac_data_ctr);
- if (!NT_STATUS_IS_OK(status)) {
- d_printf(_("failed to query kerberos PAC: %s\n"),
- nt_errstr(status));
- goto out;
- }
-
-+ pac_data = pac_data_ctr->pac_data;
-+
- for (i=0; i < pac_data->num_buffers; i++) {
-
- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index a8daae51..b41291e 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -577,6 +577,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- const char *user_ccache_file;
- struct PAC_LOGON_INFO *logon_info = NULL;
- struct PAC_DATA *pac_data = NULL;
-+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
- const char *local_service;
- int i;
-
-@@ -664,7 +665,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
- NULL,
- local_service,
-- &pac_data);
-+ &pac_data_ctr);
- if (user_ccache_file != NULL) {
- gain_root_privilege();
- }
-@@ -675,6 +676,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- goto failed;
- }
-
-+ if (pac_data_ctr == NULL) {
-+ goto failed;
-+ }
-+
-+ pac_data = pac_data_ctr->pac_data;
- if (pac_data == NULL) {
- goto failed;
- }
---
-1.8.5.3
-
-
-From 9e01f3cbc4752539128e5452f567ff2e73c3ec9d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 11 Mar 2014 18:14:39 +0100
-Subject: [PATCH 7/8] s3-net: modify the current "net ads kerberos pac"
- command.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Rename it to "net ads kerberos pac dump" and add a "type=num" option to allow
-dumping of individial pac buffer types. Ommitting type= or using type=0 will
-dump the whole PAC structure on stdout.
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/utils/net_ads.c | 115 ++++++++++++++++++++++++++++++++----------------
- 1 file changed, 77 insertions(+), 38 deletions(-)
-
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index 19c28b1..f54cf23 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -2597,27 +2597,15 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
- return ret;
- }
-
--static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
-+static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const char **argv,
-+ struct PAC_DATA_CTR **pac_data_ctr)
- {
-- struct PAC_LOGON_INFO *info = NULL;
-- struct PAC_DATA *pac_data = NULL;
-- struct PAC_DATA_CTR *pac_data_ctr = NULL;
-- TALLOC_CTX *mem_ctx = NULL;
- NTSTATUS status;
- int ret = -1;
- const char *impersonate_princ_s = NULL;
- const char *local_service = NULL;
- int i;
-
-- if (c->display_usage) {
-- d_printf( "%s\n"
-- "net ads kerberos pac [impersonation_principal]\n"
-- " %s\n",
-- _("Usage:"),
-- _("Dump the Kerberos PAC"));
-- return 0;
-- }
--
- for (i=0; i<argc; i++) {
- if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
- impersonate_princ_s = get_string_param(argv[i]);
-@@ -2633,13 +2621,8 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- }
- }
-
-- mem_ctx = talloc_init("net_ads_kerberos_pac");
-- if (!mem_ctx) {
-- goto out;
-- }
--
- if (local_service == NULL) {
-- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
-+ local_service = talloc_asprintf(c, "%s$@%s",
- lp_netbios_name(), lp_realm());
- if (local_service == NULL) {
- goto out;
-@@ -2648,7 +2631,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
-
- c->opt_password = net_prompt_pass(c, c->opt_user_name);
-
-- status = kerberos_return_pac(mem_ctx,
-+ status = kerberos_return_pac(c,
- c->opt_user_name,
- c->opt_password,
- 0,
-@@ -2660,39 +2643,95 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- 2592000, /* one month */
- impersonate_princ_s,
- local_service,
-- &pac_data_ctr);
-+ pac_data_ctr);
- if (!NT_STATUS_IS_OK(status)) {
- d_printf(_("failed to query kerberos PAC: %s\n"),
- nt_errstr(status));
- goto out;
- }
-
-- pac_data = pac_data_ctr->pac_data;
-+ ret = 0;
-+ out:
-+ return ret;
-+}
-
-- for (i=0; i < pac_data->num_buffers; i++) {
-+static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char **argv)
-+{
-+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
-+ int i;
-+ int ret = -1;
-+ enum PAC_TYPE type = 0;
-
-- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
-- continue;
-+ if (c->display_usage) {
-+ d_printf( "%s\n"
-+ "net ads kerberos pac dump [impersonate=string] [local_service=string] [pac_buffer_type=int]\n"
-+ " %s\n",
-+ _("Usage:"),
-+ _("Dump the Kerberos PAC"));
-+ return -1;
-+ }
-+
-+ for (i=0; i<argc; i++) {
-+ if (strnequal(argv[i], "pac_buffer_type", strlen("pac_buffer_type"))) {
-+ type = get_int_param(argv[i]);
- }
-+ }
-
-- info = pac_data->buffers[i].info->logon_info.info;
-- if (!info) {
-- goto out;
-+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
-+ if (ret) {
-+ return ret;
-+ }
-+
-+ if (type == 0) {
-+
-+ char *s = NULL;
-+
-+ s = NDR_PRINT_STRUCT_STRING(c, PAC_DATA,
-+ pac_data_ctr->pac_data);
-+ if (s != NULL) {
-+ d_printf(_("The Pac: %s\n"), s);
-+ talloc_free(s);
- }
-
-- break;
-+ return 0;
- }
-
-- if (info) {
-- const char *s;
-- s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
-- d_printf(_("The Pac: %s\n"), s);
-+ for (i=0; i < pac_data_ctr->pac_data->num_buffers; i++) {
-+
-+ char *s = NULL;
-+
-+ if (pac_data_ctr->pac_data->buffers[i].type != type) {
-+ continue;
-+ }
-+
-+ s = NDR_PRINT_UNION_STRING(c, PAC_INFO, type,
-+ pac_data_ctr->pac_data->buffers[i].info);
-+ if (s != NULL) {
-+ d_printf(_("The Pac: %s\n"), s);
-+ talloc_free(s);
-+ }
-+ break;
- }
-
-- ret = 0;
-- out:
-- TALLOC_FREE(mem_ctx);
-- return ret;
-+ return 0;
-+}
-+
-+static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
-+{
-+ struct functable func[] = {
-+ {
-+ "dump",
-+ net_ads_kerberos_pac_dump,
-+ NET_TRANSPORT_ADS,
-+ N_("Dump Kerberos PAC"),
-+ N_("net ads kerberos pac dump\n"
-+ " Dump a Kerberos PAC to stdout")
-+ },
-+
-+ {NULL, NULL, 0, NULL, NULL}
-+ };
-+
-+ return net_run_function(c, argc, argv, "net ads kerberos pac", func);
- }
-
- static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
---
-1.8.5.3
-
-
-From 91ceace4ee8fd141cac5dbe5282bed141c38bee7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 11 Mar 2014 18:16:40 +0100
-Subject: [PATCH 8/8] s3-net: add a new "net ads kerberos pac save" tool.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use "filename=string" to define a file where to save the unencrypted PAC to.
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/utils/net_ads.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 52 insertions(+)
-
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index f54cf23..8b8e719 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -2716,6 +2716,50 @@ static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char
- return 0;
- }
-
-+static int net_ads_kerberos_pac_save(struct net_context *c, int argc, const char **argv)
-+{
-+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
-+ char *filename = NULL;
-+ int ret = -1;
-+ int i;
-+
-+ if (c->display_usage) {
-+ d_printf( "%s\n"
-+ "net ads kerberos pac save [impersonate=string] [local_service=string] [filename=string]\n"
-+ " %s\n",
-+ _("Usage:"),
-+ _("Save the Kerberos PAC"));
-+ return -1;
-+ }
-+
-+ for (i=0; i<argc; i++) {
-+ if (strnequal(argv[i], "filename", strlen("filename"))) {
-+ filename = get_string_param(argv[i]);
-+ if (filename == NULL) {
-+ return -1;
-+ }
-+ }
-+ }
-+
-+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
-+ if (ret) {
-+ return ret;
-+ }
-+
-+ if (filename == NULL) {
-+ d_printf(_("please define \"filename=<filename>\" to save the PAC\n"));
-+ return -1;
-+ }
-+
-+ /* save the raw format */
-+ if (!file_save(filename, pac_data_ctr->pac_blob.data, pac_data_ctr->pac_blob.length)) {
-+ d_printf(_("failed to save PAC in %s\n"), filename);
-+ return -1;
-+ }
-+
-+ return 0;
-+}
-+
- static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
- {
- struct functable func[] = {
-@@ -2727,6 +2771,14 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
- N_("net ads kerberos pac dump\n"
- " Dump a Kerberos PAC to stdout")
- },
-+ {
-+ "save",
-+ net_ads_kerberos_pac_save,
-+ NET_TRANSPORT_ADS,
-+ N_("Save Kerberos PAC"),
-+ N_("net ads kerberos pac save\n"
-+ " Save a Kerberos PAC in a file")
-+ },
-
- {NULL, NULL, 0, NULL, NULL}
- };
---
-1.8.5.3
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
deleted file mode 100644
index a2058f1..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
+++ /dev/null
@@ -1,211 +0,0 @@
-From 942dedb71437cd89932a7f39ca73d65c09aa59be Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 2 Apr 2014 19:37:34 +0200
-Subject: [PATCH] s3-kerberos: make ipv6 support for generated krb5 config
- files more robust.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Older MIT Kerberos libraries will add any secondary ipv6 address as
-ipv4 address, defining the (default) krb5 port 88 circumvents that.
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
----
- source3/libads/kerberos.c | 29 +++++++++++++++++++++++++++--
- 1 file changed, 27 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index 649e568..f3c23ea 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -615,6 +615,31 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
- *num_addrs += 1;
- }
-
-+/* print_canonical_sockaddr prints an ipv6 addr in the form of
-+* [ipv6.addr]. This string, when put in a generated krb5.conf file is not
-+* always properly dealt with by some older krb5 libraries. Adding the hard-coded
-+* portnumber workarounds the issue. - gd */
-+
-+static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx,
-+ const struct sockaddr_storage *pss)
-+{
-+ char *str = NULL;
-+
-+ str = print_canonical_sockaddr(mem_ctx, pss);
-+ if (str == NULL) {
-+ return NULL;
-+ }
-+
-+ if (pss->ss_family != AF_INET6) {
-+ return str;
-+ }
-+
-+#if defined(HAVE_IPV6)
-+ str = talloc_asprintf_append(str, ":88");
-+#endif
-+ return str;
-+}
-+
- static char *get_kdc_ip_string(char *mem_ctx,
- const char *realm,
- const char *sitename,
-@@ -634,7 +659,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
- struct netlogon_samlogon_response **responses = NULL;
- NTSTATUS status;
- char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
-- print_canonical_sockaddr(mem_ctx, pss));
-+ print_canonical_sockaddr_with_port(mem_ctx, pss));
-
- if (kdc_str == NULL) {
- TALLOC_FREE(frame);
-@@ -726,7 +751,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
- /* Append to the string - inefficient but not done often. */
- new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
- kdc_str,
-- print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
-+ print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
- if (new_kdc_str == NULL) {
- goto fail;
- }
---
-1.9.0
-
-From 60db71015f84dd242be889576d85ccd5c6a1f73b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 16 Apr 2014 16:07:14 +0200
-Subject: [PATCH] s3-libads: allow ads_try_connect() to re-use a resolved ip
- address.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Pass down a struct sockaddr_storage to ads_try_connect.
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Thu Apr 17 19:56:16 CEST 2014 on sn-devel-104
----
- source3/libads/ldap.c | 44 ++++++++++++++++++++++++++------------------
- 1 file changed, 26 insertions(+), 18 deletions(-)
-
-diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
-index d9bb8e2..8fed8fd 100644
---- a/source3/libads/ldap.c
-+++ b/source3/libads/ldap.c
-@@ -228,33 +228,27 @@ bool ads_closest_dc(ADS_STRUCT *ads)
- try a connection to a given ldap server, returning True and setting the servers IP
- in the ads struct if successful
- */
--static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
-+static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
-+ struct sockaddr_storage *ss)
- {
- struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
- TALLOC_CTX *frame = talloc_stackframe();
- bool ret = false;
-- struct sockaddr_storage ss;
- char addr[INET6_ADDRSTRLEN];
-
-- if (!server || !*server) {
-+ if (ss == NULL) {
- TALLOC_FREE(frame);
- return False;
- }
-
-- if (!resolve_name(server, &ss, 0x20, true)) {
-- DEBUG(5,("ads_try_connect: unable to resolve name %s\n",
-- server ));
-- TALLOC_FREE(frame);
-- return false;
-- }
-- print_sockaddr(addr, sizeof(addr), &ss);
-+ print_sockaddr(addr, sizeof(addr), ss);
-
- DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
- addr, ads->server.realm));
-
- ZERO_STRUCT( cldap_reply );
-
-- if ( !ads_cldap_netlogon_5(frame, &ss, ads->server.realm, &cldap_reply ) ) {
-+ if ( !ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply ) ) {
- DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));
- ret = false;
- goto out;
-@@ -298,7 +292,7 @@ static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
- ads->server.workgroup = SMB_STRDUP(cldap_reply.domain_name);
-
- ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
-- ads->ldap.ss = ss;
-+ ads->ldap.ss = *ss;
-
- /* Store our site name. */
- sitename_store( cldap_reply.domain_name, cldap_reply.client_site);
-@@ -330,6 +324,7 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
- bool use_own_domain = False;
- char *sitename;
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
-+ bool ok = false;
-
- /* if the realm and workgroup are both empty, assume they are ours */
-
-@@ -384,12 +379,14 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
- DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
- (got_realm ? "realm" : "domain"), realm));
-
-- if (get_dc_name(domain, realm, srv_name, &ip_out)) {
-+ ok = get_dc_name(domain, realm, srv_name, &ip_out);
-+ if (ok) {
- /*
- * we call ads_try_connect() to fill in the
- * ads->config details
- */
-- if (ads_try_connect(ads, srv_name, false)) {
-+ ok = ads_try_connect(ads, false, &ip_out);
-+ if (ok) {
- return NT_STATUS_OK;
- }
- }
-@@ -445,7 +442,8 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
- }
- }
-
-- if ( ads_try_connect(ads, server, false) ) {
-+ ok = ads_try_connect(ads, false, &ip_list[i].ss);
-+ if (ok) {
- SAFE_FREE(ip_list);
- SAFE_FREE(sitename);
- return NT_STATUS_OK;
-@@ -630,9 +628,19 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
- TALLOC_FREE(s);
- }
-
-- if (ads->server.ldap_server)
-- {
-- if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
-+ if (ads->server.ldap_server) {
-+ bool ok = false;
-+ struct sockaddr_storage ss;
-+
-+ ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);
-+ if (!ok) {
-+ DEBUG(5,("ads_connect: unable to resolve name %s\n",
-+ ads->server.ldap_server));
-+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
-+ goto out;
-+ }
-+ ok = ads_try_connect(ads, ads->server.gc, &ss);
-+ if (ok) {
- goto got_connection;
- }
-
---
-1.9.0
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
deleted file mode 100644
index c1dfc06..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
+++ /dev/null
@@ -1,29894 +0,0 @@
-From 538f62edb2cc4c17204620d8a9b3075c7453422b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 4 Sep 2014 12:55:53 +0200
-Subject: [PATCH 002/249] selftest: Fix selftest where pid is used
- uninitialized.
-
-On my system this gets evaluated to 0 so in the end we detect samba to
-be running cause $childpid is set to 0.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10793
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Thu Sep 4 17:09:17 CEST 2014 on sn-devel-104
-
-(cherry picked from commit 6d2f56dbaf84203b351f33179cc3feaf557e0683)
-Signed-off-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
-Autobuild-Date(v4-1-test): Mon Sep 8 23:19:29 CEST 2014 on sn-devel-104
----
- selftest/target/Samba.pm | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
-index ab3851f..b0817fd 100644
---- a/selftest/target/Samba.pm
-+++ b/selftest/target/Samba.pm
-@@ -188,7 +188,12 @@ sub get_interface($)
- sub cleanup_child($$)
- {
- my ($pid, $name) = @_;
-- my $childpid = waitpid($pid, WNOHANG);
-+ my $childpid = -1;
-+
-+ if (defined($pid)) {
-+ $childpid = waitpid($pid, WNOHANG);
-+ }
-+
- if ($childpid == 0) {
- } elsif ($childpid < 0) {
- printf STDERR "%s child process %d isn't here any more\n",
---
-1.9.3
-
-
-From a14c0878c232dcf674008444f80dc0e5d8aada09 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 12:33:25 +0200
-Subject: [PATCH 003/249] auth/credentials: remove pointless talloc_reference()
- from cli_credentials_get_unparsed_name()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 953502925863377b5e566edff4ac68c63e8d151f)
----
- auth/credentials/credentials.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index e636123..e597809 100644
---- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -669,7 +669,7 @@ _PUBLIC_ const char *cli_credentials_get_unparsed_name(struct cli_credentials *c
- const char *name;
-
- if (bind_dn) {
-- name = talloc_reference(mem_ctx, bind_dn);
-+ name = talloc_strdup(mem_ctx, bind_dn);
- } else {
- cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain);
- if (domain && domain[0]) {
---
-1.9.3
-
-
-From a9bbf2e55d56b9d2cec944ee32a127fc72e6ce6a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 12:33:25 +0200
-Subject: [PATCH 004/249] auth/credentials: remove pointless talloc_reference()
- from cli_credentials_get_principal_and_obtained()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit b8f09226458dc13cf901f481ede89d8a6bb94ba7)
----
- auth/credentials/credentials.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index e597809..7a4b081 100644
---- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -267,7 +267,7 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
- }
- }
- *obtained = cred->principal_obtained;
-- return talloc_reference(mem_ctx, cred->principal);
-+ return talloc_strdup(mem_ctx, cred->principal);
- }
-
- /**
---
-1.9.3
-
-
-From 5df785eba8389be9129984c6c5a1e59487685938 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 12:52:17 +0200
-Subject: [PATCH 005/249] auth/credentials: add
- cli_credentials_[set_]callback_data*
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 6ff6778bdc60f1cd4d52cba83bd47d3398fe5a20)
----
- auth/credentials/credentials.c | 11 +++++++++++
- auth/credentials/credentials.h | 8 ++++++++
- 2 files changed, 19 insertions(+)
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index 7a4b081..e6a4710 100644
---- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -114,6 +114,17 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
- return cred;
- }
-
-+_PUBLIC_ void cli_credentials_set_callback_data(struct cli_credentials *cred,
-+ void *callback_data)
-+{
-+ cred->priv_data = callback_data;
-+}
-+
-+_PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
-+{
-+ return cred->priv_data;
-+}
-+
- /**
- * Create a new anonymous credential
- * @param mem_ctx TALLOC_CTX parent for credentials structure
-diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
-index dbc014f..0f498ad 100644
---- a/auth/credentials/credentials.h
-+++ b/auth/credentials/credentials.h
-@@ -332,6 +332,14 @@ bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
- bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
- const char *(*workstation_cb) (struct cli_credentials *));
-
-+void cli_credentials_set_callback_data(struct cli_credentials *cred,
-+ void *callback_data);
-+void *_cli_credentials_callback_data(struct cli_credentials *cred);
-+#define cli_credentials_callback_data(_cred, _type) \
-+ talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
-+#define cli_credentials_callback_data_void(_cred) \
-+ _cli_credentials_callback_data(_cred)
-+
- /**
- * Return attached NETLOGON credentials
- */
---
-1.9.3
-
-
-From 8fd0244ac8fe4998a0931bc9d51b9dfbb182a2e1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 13:21:14 +0200
-Subject: [PATCH 006/249] auth/credentials: add cli_credentials_shallow_copy()
-
-This is useful for testing.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit b3cd44d50cff99fa77611679d68d2d57434fefa4)
----
- auth/credentials/credentials.c | 15 +++++++++++++++
- auth/credentials/credentials.h | 3 +++
- 2 files changed, 18 insertions(+)
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index e6a4710..c1c6993 100644
---- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -125,6 +125,21 @@ _PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
- return cred->priv_data;
- }
-
-+_PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
-+ struct cli_credentials *src)
-+{
-+ struct cli_credentials *dst;
-+
-+ dst = talloc(mem_ctx, struct cli_credentials);
-+ if (dst == NULL) {
-+ return NULL;
-+ }
-+
-+ *dst = *src;
-+
-+ return dst;
-+}
-+
- /**
- * Create a new anonymous credential
- * @param mem_ctx TALLOC_CTX parent for credentials structure
-diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
-index 0f498ad..1377bfa 100644
---- a/auth/credentials/credentials.h
-+++ b/auth/credentials/credentials.h
-@@ -340,6 +340,9 @@ void *_cli_credentials_callback_data(struct cli_credentials *cred);
- #define cli_credentials_callback_data_void(_cred) \
- _cli_credentials_callback_data(_cred)
-
-+struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
-+ struct cli_credentials *src);
-+
- /**
- * Return attached NETLOGON credentials
- */
---
-1.9.3
-
-
-From 52e4028da5db90ce3ee410997ea3464374fec46b Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 13:20:13 +0200
-Subject: [PATCH 007/249] s3:ntlm_auth: remove pointless credentials->priv_data
- = NULL;
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit cfeeb3ce3de5d1df07299fb83327ae258da0bf8d)
----
- source3/utils/ntlm_auth.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
-index b3bbaa4..a5e0cd2 100644
---- a/source3/utils/ntlm_auth.c
-+++ b/source3/utils/ntlm_auth.c
-@@ -228,7 +228,6 @@ static const char *get_password(struct cli_credentials *credentials)
-
- /* Ask for a password */
- x_fprintf(x_stdout, "PW\n");
-- credentials->priv_data = NULL;
-
- manage_squid_request(NUM_HELPER_MODES /* bogus */, NULL, NULL, manage_gensec_get_pw_request, (void **)&password);
- talloc_steal(credentials, password);
---
-1.9.3
-
-
-From bdfb13b91ce8961caeb98b01a75893895e8d484a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 13:22:10 +0200
-Subject: [PATCH 008/249] s4:torture/shell: simplify
- cli_credentials_set_password() call
-
-All we want is to avoid a possible callback...
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 36b3c9506c1ac5549a38140e7ffd57644290069f)
----
- source4/torture/shell.c | 5 +----
- 1 file changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/source4/torture/shell.c b/source4/torture/shell.c
-index d6cc94c..aa85da3 100644
---- a/source4/torture/shell.c
-+++ b/source4/torture/shell.c
-@@ -110,10 +110,7 @@ void torture_shell(struct torture_context *tctx)
- * stops the credentials system prompting when we use the "auth"
- * command to display the current auth parameters.
- */
-- if (cmdline_credentials->password_obtained != CRED_SPECIFIED) {
-- cli_credentials_set_password(cmdline_credentials, "",
-- CRED_SPECIFIED);
-- }
-+ cli_credentials_set_password(cmdline_credentials, "", CRED_GUESS_ENV);
-
- while (1) {
- cline = smb_readline("torture> ", NULL, NULL);
---
-1.9.3
-
-
-From 91c0d6a26823f3057357c6b31bf1f686e5ed0f5e Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 13:23:08 +0200
-Subject: [PATCH 009/249] s4:torture/gentest: make use of
- cli_credentials_get_username()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit d36fcaa5f3c4d1ad54d767f4a7c5fa6c8d69c00e)
----
- source4/torture/gentest.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/source4/torture/gentest.c b/source4/torture/gentest.c
-index 91b60e2..586a25b 100644
---- a/source4/torture/gentest.c
-+++ b/source4/torture/gentest.c
-@@ -221,7 +221,8 @@ static bool connect_servers(struct tevent_context *ev,
-
- printf("Connecting to \\\\%s\\%s as %s - instance %d\n",
- servers[i].server_name, servers[i].share_name,
-- servers[i].credentials->username, j);
-+ cli_credentials_get_username(servers[i].credentials),
-+ j);
-
- cli_credentials_set_workstation(servers[i].credentials,
- "gentest", CRED_SPECIFIED);
---
-1.9.3
-
-
-From 9687534ac54b732f73c3f4758055a278eaa0cbb2 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 13:23:41 +0200
-Subject: [PATCH 010/249] s4:torture/rpc: make use of
- cli_credentials_set_netlogon_creds()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit d47bf469b8a9064f4f7033918b1fe519adfa0c26)
----
- source4/torture/rpc/schannel.c | 36 ++++++++++++++++--------------------
- 1 file changed, 16 insertions(+), 20 deletions(-)
-
-diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
-index e0862d2..8203749 100644
---- a/source4/torture/rpc/schannel.c
-+++ b/source4/torture/rpc/schannel.c
-@@ -604,9 +604,9 @@ bool torture_rpc_schannel2(struct torture_context *torture)
- torture_assert(torture, join_ctx != NULL,
- "Failed to join domain with acct_flags=ACB_WSTRUST");
-
-- credentials2 = (struct cli_credentials *)talloc_memdup(torture, credentials1, sizeof(*credentials1));
-- credentials1->netlogon_creds = NULL;
-- credentials2->netlogon_creds = NULL;
-+ credentials2 = cli_credentials_shallow_copy(torture, credentials1);
-+ cli_credentials_set_netlogon_creds(credentials1, NULL);
-+ cli_credentials_set_netlogon_creds(credentials2, NULL);
-
- status = dcerpc_parse_binding(torture, binding, &b);
- torture_assert_ntstatus_ok(torture, status, "Bad binding string");
-@@ -624,8 +624,8 @@ bool torture_rpc_schannel2(struct torture_context *torture)
- credentials2, torture->ev, torture->lp_ctx);
- torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
-
-- credentials1->netlogon_creds = NULL;
-- credentials2->netlogon_creds = NULL;
-+ cli_credentials_set_netlogon_creds(credentials1, NULL);
-+ cli_credentials_set_netlogon_creds(credentials2, NULL);
-
- torture_comment(torture, "Testing logon on pipe1\n");
- if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
-@@ -827,16 +827,12 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
- s->nprocs = torture_setting_int(torture, "nprocs", 4);
- s->conns = talloc_zero_array(s, struct torture_schannel_bench_conn, s->nprocs);
-
-- s->user1_creds = (struct cli_credentials *)talloc_memdup(s,
-- cmdline_credentials,
-- sizeof(*s->user1_creds));
-+ s->user1_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
- tmp = torture_setting_string(s->tctx, "extra_user1", NULL);
- if (tmp) {
- cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
- }
-- s->user2_creds = (struct cli_credentials *)talloc_memdup(s,
-- cmdline_credentials,
-- sizeof(*s->user1_creds));
-+ s->user2_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
- tmp = torture_setting_string(s->tctx, "extra_user2", NULL);
- if (tmp) {
- cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
-@@ -855,15 +851,16 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
- cli_credentials_set_kerberos_state(s->wks_creds2, CRED_DONT_USE_KERBEROS);
-
- for (i=0; i < s->nprocs; i++) {
-- s->conns[i].s = s;
-- s->conns[i].index = i;
-- s->conns[i].wks_creds = (struct cli_credentials *)talloc_memdup(
-- s->conns, s->wks_creds1,sizeof(*s->wks_creds1));
-+ struct cli_credentials *wks = s->wks_creds1;
-+
- if ((i % 2) && (torture_setting_bool(torture, "multijoin", false))) {
-- memcpy(s->conns[i].wks_creds, s->wks_creds2,
-- talloc_get_size(s->conns[i].wks_creds));
-+ wks = s->wks_creds2;
- }
-- s->conns[i].wks_creds->netlogon_creds = NULL;
-+
-+ s->conns[i].s = s;
-+ s->conns[i].index = i;
-+ s->conns[i].wks_creds = cli_credentials_shallow_copy(s->conns, wks);
-+ cli_credentials_set_netlogon_creds(s->conns[i].wks_creds, NULL);
- }
-
- status = dcerpc_parse_binding(s, binding, &s->b);
-@@ -962,8 +959,7 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
-
- /* Just as a test, connect with the new creds */
-
-- talloc_free(s->wks_creds1->netlogon_creds);
-- s->wks_creds1->netlogon_creds = NULL;
-+ cli_credentials_set_netlogon_creds(s->wks_creds1, NULL);
-
- status = dcerpc_pipe_connect_b(s, &net_pipe, s->b,
- &ndr_table_netlogon,
---
-1.9.3
-
-
-From de6c67e98d94d003f36fef5472b8133c578b3c01 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 13:24:21 +0200
-Subject: [PATCH 011/249] s4:ntlm_auth: make use of
- cli_credentials_[set_]callback_data*
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit bbd63dd8a17468d3e332969a30c06e2b2f1540fc)
----
- source4/utils/ntlm_auth.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
-index c363c9d..136e238 100644
---- a/source4/utils/ntlm_auth.c
-+++ b/source4/utils/ntlm_auth.c
-@@ -299,10 +299,11 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod
- static const char *get_password(struct cli_credentials *credentials)
- {
- char *password = NULL;
--
-+ void *cb = cli_credentials_callback_data_void(credentials);
-+
- /* Ask for a password */
-- mux_printf((unsigned int)(uintptr_t)credentials->priv_data, "PW\n");
-- credentials->priv_data = NULL;
-+ mux_printf((unsigned int)(uintptr_t)cb, "PW\n");
-+ cli_credentials_set_callback_data(credentials, NULL);
-
- manage_squid_request(cmdline_lp_ctx, NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password);
- return password;
-@@ -505,8 +506,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
- if (state->set_password) {
- cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
- } else {
-+ void *cb = (void*)(uintptr_t)mux_id;
-+ cli_credentials_set_callback_data(creds, cb);
- cli_credentials_set_password_callback(creds, get_password);
-- creds->priv_data = (void*)(uintptr_t)mux_id;
- }
- if (opt_workstation) {
- cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
---
-1.9.3
-
-
-From 80c611a2b424e4e4a7e6de7ed6b9368bff0d9afb Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 12:41:40 +0200
-Subject: [PATCH 012/249] auth/credentials: keep cli_credentials private
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 9325bd9cb6bb942ea989f4e32799c76ea8af3d3e)
----
- auth/credentials/credentials.c | 1 +
- auth/credentials/credentials.h | 101 +++-------------------------
- auth/credentials/credentials_internal.h | 114 ++++++++++++++++++++++++++++++++
- auth/credentials/credentials_krb5.c | 1 +
- auth/credentials/credentials_ntlm.c | 1 +
- auth/credentials/credentials_secrets.c | 1 +
- 6 files changed, 126 insertions(+), 93 deletions(-)
- create mode 100644 auth/credentials/credentials_internal.h
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index c1c6993..f334465 100644
---- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -24,6 +24,7 @@
- #include "includes.h"
- #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
- #include "auth/credentials/credentials.h"
-+#include "auth/credentials/credentials_internal.h"
- #include "libcli/auth/libcli_auth.h"
- #include "tevent.h"
- #include "param/param.h"
-diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
-index 1377bfa..cb09dc3 100644
---- a/auth/credentials/credentials.h
-+++ b/auth/credentials/credentials.h
-@@ -25,9 +25,17 @@
- #include "../lib/util/data_blob.h"
- #include "librpc/gen_ndr/misc.h"
-
-+struct cli_credentials;
- struct ccache_container;
- struct tevent_context;
- struct netlogon_creds_CredentialState;
-+struct ldb_context;
-+struct ldb_message;
-+struct loadparm_context;
-+struct ccache_container;
-+struct gssapi_creds_container;
-+struct smb_krb5_context;
-+struct keytab_container;
-
- /* In order of priority */
- enum credentials_obtained {
-@@ -57,99 +65,6 @@ enum credentials_krb_forwardable {
- #define CLI_CRED_NTLM_AUTH 0x08
- #define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
-
--struct cli_credentials {
-- enum credentials_obtained workstation_obtained;
-- enum credentials_obtained username_obtained;
-- enum credentials_obtained password_obtained;
-- enum credentials_obtained domain_obtained;
-- enum credentials_obtained realm_obtained;
-- enum credentials_obtained ccache_obtained;
-- enum credentials_obtained client_gss_creds_obtained;
-- enum credentials_obtained principal_obtained;
-- enum credentials_obtained keytab_obtained;
-- enum credentials_obtained server_gss_creds_obtained;
--
-- /* Threshold values (essentially a MAX() over a number of the
-- * above) for the ccache and GSS credentials, to ensure we
-- * regenerate/pick correctly */
--
-- enum credentials_obtained ccache_threshold;
-- enum credentials_obtained client_gss_creds_threshold;
--
-- const char *workstation;
-- const char *username;
-- const char *password;
-- const char *old_password;
-- const char *domain;
-- const char *realm;
-- const char *principal;
-- char *salt_principal;
-- char *impersonate_principal;
-- char *self_service;
-- char *target_service;
--
-- const char *bind_dn;
--
-- /* Allows authentication from a keytab or similar */
-- struct samr_Password *nt_hash;
--
-- /* Allows NTLM pass-though authentication */
-- DATA_BLOB lm_response;
-- DATA_BLOB nt_response;
--
-- struct ccache_container *ccache;
-- struct gssapi_creds_container *client_gss_creds;
-- struct keytab_container *keytab;
-- struct gssapi_creds_container *server_gss_creds;
--
-- const char *(*workstation_cb) (struct cli_credentials *);
-- const char *(*password_cb) (struct cli_credentials *);
-- const char *(*username_cb) (struct cli_credentials *);
-- const char *(*domain_cb) (struct cli_credentials *);
-- const char *(*realm_cb) (struct cli_credentials *);
-- const char *(*principal_cb) (struct cli_credentials *);
--
-- /* Private handle for the callback routines to use */
-- void *priv_data;
--
-- struct netlogon_creds_CredentialState *netlogon_creds;
-- enum netr_SchannelType secure_channel_type;
-- int kvno;
-- time_t password_last_changed_time;
--
-- struct smb_krb5_context *smb_krb5_context;
--
-- /* We are flagged to get machine account details from the
-- * secrets.ldb when we are asked for a username or password */
-- bool machine_account_pending;
-- struct loadparm_context *machine_account_pending_lp_ctx;
--
-- /* Is this a machine account? */
-- bool machine_account;
--
-- /* Should we be trying to use kerberos? */
-- enum credentials_use_kerberos use_kerberos;
--
-- /* Should we get a forwardable ticket? */
-- enum credentials_krb_forwardable krb_forwardable;
--
-- /* gensec features which should be used for connections */
-- uint32_t gensec_features;
--
-- /* Number of retries left before bailing out */
-- int tries;
--
-- /* Whether any callback is currently running */
-- bool callback_running;
--};
--
--struct ldb_context;
--struct ldb_message;
--struct loadparm_context;
--struct ccache_container;
--
--struct gssapi_creds_container;
--
- const char *cli_credentials_get_workstation(struct cli_credentials *cred);
- bool cli_credentials_set_workstation(struct cli_credentials *cred,
- const char *val,
-diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
-new file mode 100644
-index 0000000..5a3655b
---- /dev/null
-+++ b/auth/credentials/credentials_internal.h
-@@ -0,0 +1,114 @@
-+/*
-+ samba -- Unix SMB/CIFS implementation.
-+
-+ Client credentials structure
-+
-+ Copyright (C) Jelmer Vernooij 2004-2006
-+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+#ifndef __CREDENTIALS_INTERNAL_H__
-+#define __CREDENTIALS_INTERNAL_H__
-+
-+#include "../lib/util/data_blob.h"
-+#include "librpc/gen_ndr/misc.h"
-+
-+struct cli_credentials {
-+ enum credentials_obtained workstation_obtained;
-+ enum credentials_obtained username_obtained;
-+ enum credentials_obtained password_obtained;
-+ enum credentials_obtained domain_obtained;
-+ enum credentials_obtained realm_obtained;
-+ enum credentials_obtained ccache_obtained;
-+ enum credentials_obtained client_gss_creds_obtained;
-+ enum credentials_obtained principal_obtained;
-+ enum credentials_obtained keytab_obtained;
-+ enum credentials_obtained server_gss_creds_obtained;
-+
-+ /* Threshold values (essentially a MAX() over a number of the
-+ * above) for the ccache and GSS credentials, to ensure we
-+ * regenerate/pick correctly */
-+
-+ enum credentials_obtained ccache_threshold;
-+ enum credentials_obtained client_gss_creds_threshold;
-+
-+ const char *workstation;
-+ const char *username;
-+ const char *password;
-+ const char *old_password;
-+ const char *domain;
-+ const char *realm;
-+ const char *principal;
-+ char *salt_principal;
-+ char *impersonate_principal;
-+ char *self_service;
-+ char *target_service;
-+
-+ const char *bind_dn;
-+
-+ /* Allows authentication from a keytab or similar */
-+ struct samr_Password *nt_hash;
-+
-+ /* Allows NTLM pass-though authentication */
-+ DATA_BLOB lm_response;
-+ DATA_BLOB nt_response;
-+
-+ struct ccache_container *ccache;
-+ struct gssapi_creds_container *client_gss_creds;
-+ struct keytab_container *keytab;
-+ struct gssapi_creds_container *server_gss_creds;
-+
-+ const char *(*workstation_cb) (struct cli_credentials *);
-+ const char *(*password_cb) (struct cli_credentials *);
-+ const char *(*username_cb) (struct cli_credentials *);
-+ const char *(*domain_cb) (struct cli_credentials *);
-+ const char *(*realm_cb) (struct cli_credentials *);
-+ const char *(*principal_cb) (struct cli_credentials *);
-+
-+ /* Private handle for the callback routines to use */
-+ void *priv_data;
-+
-+ struct netlogon_creds_CredentialState *netlogon_creds;
-+ enum netr_SchannelType secure_channel_type;
-+ int kvno;
-+ time_t password_last_changed_time;
-+
-+ struct smb_krb5_context *smb_krb5_context;
-+
-+ /* We are flagged to get machine account details from the
-+ * secrets.ldb when we are asked for a username or password */
-+ bool machine_account_pending;
-+ struct loadparm_context *machine_account_pending_lp_ctx;
-+
-+ /* Is this a machine account? */
-+ bool machine_account;
-+
-+ /* Should we be trying to use kerberos? */
-+ enum credentials_use_kerberos use_kerberos;
-+
-+ /* Should we get a forwardable ticket? */
-+ enum credentials_krb_forwardable krb_forwardable;
-+
-+ /* gensec features which should be used for connections */
-+ uint32_t gensec_features;
-+
-+ /* Number of retries left before bailing out */
-+ int tries;
-+
-+ /* Whether any callback is currently running */
-+ bool callback_running;
-+};
-+
-+#endif /* __CREDENTIALS_INTERNAL_H__ */
-diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
-index ec6a695..489a959 100644
---- a/auth/credentials/credentials_krb5.c
-+++ b/auth/credentials/credentials_krb5.c
-@@ -26,6 +26,7 @@
- #include "system/gssapi.h"
- #include "auth/kerberos/kerberos.h"
- #include "auth/credentials/credentials.h"
-+#include "auth/credentials/credentials_internal.h"
- #include "auth/credentials/credentials_proto.h"
- #include "auth/credentials/credentials_krb5.h"
- #include "auth/kerberos/kerberos_credentials.h"
-diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
-index 8f143bf..8c6be39 100644
---- a/auth/credentials/credentials_ntlm.c
-+++ b/auth/credentials/credentials_ntlm.c
-@@ -26,6 +26,7 @@
- #include "../lib/crypto/crypto.h"
- #include "libcli/auth/libcli_auth.h"
- #include "auth/credentials/credentials.h"
-+#include "auth/credentials/credentials_internal.h"
-
- _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
- int *flags,
-diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
-index 27ee607..678d167 100644
---- a/auth/credentials/credentials_secrets.c
-+++ b/auth/credentials/credentials_secrets.c
-@@ -28,6 +28,7 @@
- #include "param/secrets.h"
- #include "system/filesys.h"
- #include "auth/credentials/credentials.h"
-+#include "auth/credentials/credentials_internal.h"
- #include "auth/credentials/credentials_proto.h"
- #include "auth/credentials/credentials_krb5.h"
- #include "auth/kerberos/kerberos_util.h"
---
-1.9.3
-
-
-From 96ea01159cfee1e384dbd5966c7eb512d495e322 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 13:39:17 +0200
-Subject: [PATCH 013/249] auth/credentials: get the old password from
- secrets.tdb
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 26a7420c1c4307023b22676cd85d95010ecbf603)
----
- auth/credentials/credentials_secrets.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
-index 678d167..6c1cded 100644
---- a/auth/credentials/credentials_secrets.c
-+++ b/auth/credentials/credentials_secrets.c
-@@ -238,6 +238,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
- bool secrets_tdb_password_more_recent;
- time_t secrets_tdb_lct = 0;
- char *secrets_tdb_password = NULL;
-+ char *secrets_tdb_old_password = NULL;
- char *keystr;
- char *keystr_upper = NULL;
- char *secrets_tdb;
-@@ -285,6 +286,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
- if (NT_STATUS_IS_OK(status)) {
- secrets_tdb_password = (char *)dbuf.dptr;
- }
-+ keystr = talloc_asprintf(tmp_ctx, "%s/%s",
-+ SECRETS_MACHINE_PASSWORD_PREV,
-+ domain);
-+ keystr_upper = strupper_talloc(tmp_ctx, keystr);
-+ status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
-+ &dbuf);
-+ if (NT_STATUS_IS_OK(status)) {
-+ secrets_tdb_old_password = (char *)dbuf.dptr;
-+ }
- }
-
- filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
-@@ -308,6 +318,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
- if (secrets_tdb_password_more_recent) {
- char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
- cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
-+ cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
- cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
- cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
- } else if (!NT_STATUS_IS_OK(status)) {
---
-1.9.3
-
-
-From 74f5c14921f53b95b64dbcbf0352a89d50b20af1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 14:25:54 +0200
-Subject: [PATCH 014/249] auth/credentials: simplify password_tries state
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 8ea36a8e58d499aa7bf342b365ca00cb39f295b6)
----
- auth/credentials/credentials.c | 19 ++++++++++++++-----
- auth/credentials/credentials_internal.h | 2 +-
- 2 files changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index f334465..4ac5356 100644
---- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -104,7 +104,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
-
- cred->machine_account = false;
-
-- cred->tries = 3;
-+ cred->password_tries = 0;
-
- cred->callback_running = false;
-
-@@ -397,6 +397,7 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
- enum credentials_obtained obtained)
- {
- if (obtained >= cred->password_obtained) {
-+ cred->password_tries = 0;
- cred->password = talloc_strdup(cred, val);
- if (cred->password) {
- /* Don't print the actual password in talloc memory dumps */
-@@ -418,6 +419,7 @@ _PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred
- const char *(*password_cb) (struct cli_credentials *))
- {
- if (cred->password_obtained < CRED_CALLBACK) {
-+ cred->password_tries = 3;
- cred->password_cb = password_cb;
- cred->password_obtained = CRED_CALLBACK;
- cli_credentials_invalidate_ccache(cred, cred->password_obtained);
-@@ -897,12 +899,19 @@ _PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred)
- if (cred->password_obtained != CRED_CALLBACK_RESULT) {
- return false;
- }
--
-- cred->password_obtained = CRED_CALLBACK;
-
-- cred->tries--;
-+ if (cred->password_tries == 0) {
-+ return false;
-+ }
-+
-+ cred->password_tries--;
-
-- return (cred->tries > 0);
-+ if (cred->password_tries == 0) {
-+ return false;
-+ }
-+
-+ cred->password_obtained = CRED_CALLBACK;
-+ return true;
- }
-
- _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
-diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
-index 5a3655b..f2f79b9 100644
---- a/auth/credentials/credentials_internal.h
-+++ b/auth/credentials/credentials_internal.h
-@@ -105,7 +105,7 @@ struct cli_credentials {
- uint32_t gensec_features;
-
- /* Number of retries left before bailing out */
-- int tries;
-+ uint32_t password_tries;
-
- /* Whether any callback is currently running */
- bool callback_running;
---
-1.9.3
-
-
-From 8d2c51caeecebc0b7d16fb7cf7b7fe2f2b5d8edd Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 31 Jul 2013 14:32:36 +0200
-Subject: [PATCH 015/249] auth/credentials: use CRED_CALLBACK_RESULT after a
- callback
-
-We only do this if it's still CRED_CALLBACK after the callback,
-this allowes the callback to overwrite it.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
-Autobuild-Date(master): Mon Aug 5 09:36:05 CEST 2013 on sn-devel-104
-(cherry picked from commit b699d404bb5d4385a757b5aa5d0e792cf9d5de59)
----
- auth/credentials/credentials.c | 34 +++++++++++++++++++++++-----------
- 1 file changed, 23 insertions(+), 11 deletions(-)
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index 4ac5356..be497bc 100644
---- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -206,8 +206,10 @@ _PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
- cred->callback_running = true;
- cred->username = cred->username_cb(cred);
- cred->callback_running = false;
-- cred->username_obtained = CRED_SPECIFIED;
-- cli_credentials_invalidate_ccache(cred, cred->username_obtained);
-+ if (cred->username_obtained == CRED_CALLBACK) {
-+ cred->username_obtained = CRED_CALLBACK_RESULT;
-+ cli_credentials_invalidate_ccache(cred, cred->username_obtained);
-+ }
- }
-
- return cred->username;
-@@ -275,8 +277,10 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
- cred->callback_running = true;
- cred->principal = cred->principal_cb(cred);
- cred->callback_running = false;
-- cred->principal_obtained = CRED_SPECIFIED;
-- cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
-+ if (cred->principal_obtained == CRED_CALLBACK) {
-+ cred->principal_obtained = CRED_CALLBACK_RESULT;
-+ cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
-+ }
- }
-
- if (cred->principal_obtained < cred->username_obtained
-@@ -382,8 +386,10 @@ _PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
- cred->callback_running = true;
- cred->password = cred->password_cb(cred);
- cred->callback_running = false;
-- cred->password_obtained = CRED_CALLBACK_RESULT;
-- cli_credentials_invalidate_ccache(cred, cred->password_obtained);
-+ if (cred->password_obtained == CRED_CALLBACK) {
-+ cred->password_obtained = CRED_CALLBACK_RESULT;
-+ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
-+ }
- }
-
- return cred->password;
-@@ -502,8 +508,10 @@ _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
- cred->callback_running = true;
- cred->domain = cred->domain_cb(cred);
- cred->callback_running = false;
-- cred->domain_obtained = CRED_SPECIFIED;
-- cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
-+ if (cred->domain_obtained == CRED_CALLBACK) {
-+ cred->domain_obtained = CRED_CALLBACK_RESULT;
-+ cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
-+ }
- }
-
- return cred->domain;
-@@ -561,8 +569,10 @@ _PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred)
- cred->callback_running = true;
- cred->realm = cred->realm_cb(cred);
- cred->callback_running = false;
-- cred->realm_obtained = CRED_SPECIFIED;
-- cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
-+ if (cred->realm_obtained == CRED_CALLBACK) {
-+ cred->realm_obtained = CRED_CALLBACK_RESULT;
-+ cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
-+ }
- }
-
- return cred->realm;
-@@ -612,7 +622,9 @@ _PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cre
- cred->callback_running = true;
- cred->workstation = cred->workstation_cb(cred);
- cred->callback_running = false;
-- cred->workstation_obtained = CRED_SPECIFIED;
-+ if (cred->workstation_obtained == CRED_CALLBACK) {
-+ cred->workstation_obtained = CRED_CALLBACK_RESULT;
-+ }
- }
-
- return cred->workstation;
---
-1.9.3
-
-
-From a498324b38326a874616b0bab1e5a9cd29b664ce Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 17 May 2013 16:02:59 +0200
-Subject: [PATCH 016/249] s3-net: pass down ndr_interface_table to
- connect_dst_pipe().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 93e92faca9c99cd91878c2f48fb244233b16aa0f)
----
- source3/utils/net_proto.h | 2 +-
- source3/utils/net_rpc.c | 4 ++--
- source3/utils/net_rpc_printer.c | 10 +++++-----
- source3/utils/net_util.c | 4 ++--
- 4 files changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
-index 3f99e14..03fb312 100644
---- a/source3/utils/net_proto.h
-+++ b/source3/utils/net_proto.h
-@@ -416,7 +416,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
- const char *server_name);
- NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
- struct rpc_pipe_client **pp_pipe_hnd,
-- const struct ndr_syntax_id *interface);
-+ const struct ndr_interface_table *table);
- int net_use_krb_machine_account(struct net_context *c);
- int net_use_machine_account(struct net_context *c);
- bool net_find_server(struct net_context *c,
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index c5c4d6c..4503f59 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -3654,7 +3654,7 @@ static NTSTATUS rpc_share_migrate_shares_internals(struct net_context *c,
-
- /* connect destination PI_SRVSVC */
- nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
-- &ndr_table_srvsvc.syntax_id);
-+ &ndr_table_srvsvc);
- if (!NT_STATUS_IS_OK(nt_status))
- return nt_status;
-
-@@ -4140,7 +4140,7 @@ static NTSTATUS rpc_share_migrate_security_internals(struct net_context *c,
-
- /* connect destination PI_SRVSVC */
- nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
-- &ndr_table_srvsvc.syntax_id);
-+ &ndr_table_srvsvc);
- if (!NT_STATUS_IS_OK(nt_status))
- return nt_status;
-
-diff --git a/source3/utils/net_rpc_printer.c b/source3/utils/net_rpc_printer.c
-index ba34de1..1e42e6f 100644
---- a/source3/utils/net_rpc_printer.c
-+++ b/source3/utils/net_rpc_printer.c
-@@ -1578,7 +1578,7 @@ NTSTATUS rpc_printer_migrate_security_internals(struct net_context *c,
-
- /* connect destination PI_SPOOLSS */
- nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
-- &ndr_table_spoolss.syntax_id);
-+ &ndr_table_spoolss);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-@@ -1730,7 +1730,7 @@ NTSTATUS rpc_printer_migrate_forms_internals(struct net_context *c,
-
- /* connect destination PI_SPOOLSS */
- nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
-- &ndr_table_spoolss.syntax_id);
-+ &ndr_table_spoolss);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-@@ -1907,7 +1907,7 @@ NTSTATUS rpc_printer_migrate_drivers_internals(struct net_context *c,
- DEBUG(3,("copying printer-drivers\n"));
-
- nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
-- &ndr_table_spoolss.syntax_id);
-+ &ndr_table_spoolss);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-@@ -2126,7 +2126,7 @@ NTSTATUS rpc_printer_migrate_printers_internals(struct net_context *c,
-
- /* connect destination PI_SPOOLSS */
- nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
-- &ndr_table_spoolss.syntax_id);
-+ &ndr_table_spoolss);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-@@ -2301,7 +2301,7 @@ NTSTATUS rpc_printer_migrate_settings_internals(struct net_context *c,
-
- /* connect destination PI_SPOOLSS */
- nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
-- &ndr_table_spoolss.syntax_id);
-+ &ndr_table_spoolss);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
-index 9c4a77e..a4282ec 100644
---- a/source3/utils/net_util.c
-+++ b/source3/utils/net_util.c
-@@ -231,7 +231,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
- **/
- NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
- struct rpc_pipe_client **pp_pipe_hnd,
-- const struct ndr_syntax_id *interface)
-+ const struct ndr_interface_table *table)
- {
- NTSTATUS nt_status;
- char *server_name = SMB_STRDUP("127.0.0.1");
-@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
- return nt_status;
- }
-
-- nt_status = cli_rpc_pipe_open_noauth(cli_tmp, interface,
-+ nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("couldn't not initialize pipe\n"));
---
-1.9.3
-
-
-From d5273069a42d7234daaf3dd043d0a6e455348385 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 17 May 2013 16:24:42 +0200
-Subject: [PATCH 017/249] s3-rpc_cli: remove prototype of nonexisting
- cli_rpc_pipe_open_krb5().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit a1368ca6ef8ab4f158c8b303ad058835f1bbf441)
----
- source3/rpc_client/cli_pipe.h | 9 ---------
- 1 file changed, 9 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index bf785fb..34ae542 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -131,15 +131,6 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
- const char *domain,
- struct rpc_pipe_client **presult);
-
--NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
-- const struct ndr_syntax_id *interface,
-- enum dcerpc_transport_t transport,
-- enum dcerpc_AuthLevel auth_level,
-- const char *service_princ,
-- const char *username,
-- const char *password,
-- struct rpc_pipe_client **presult);
--
- NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
- struct rpc_pipe_client *cli,
- DATA_BLOB *session_key);
---
-1.9.3
-
-
-From 1a6c1ddb44aac3f201bbe2cabab10e409ffd042b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 17 May 2013 16:08:16 +0200
-Subject: [PATCH 018/249] s3-libnetapi: pass down ndr_interface_table to
- libnetapi_get_binding_handle().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit fa37bbd9d06865d265bf554a3c49920f956f2185)
----
- source3/lib/netapi/cm.c | 4 ++--
- source3/lib/netapi/file.c | 6 +++---
- source3/lib/netapi/getdc.c | 6 +++---
- source3/lib/netapi/netapi_private.h | 3 ++-
- source3/lib/netapi/netlogon.c | 4 ++--
- source3/lib/netapi/serverinfo.c | 6 +++---
- source3/lib/netapi/share.c | 10 +++++-----
- source3/lib/netapi/shutdown.c | 4 ++--
- 8 files changed, 22 insertions(+), 21 deletions(-)
-
-diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
-index da3d2e1..c3ae19f 100644
---- a/source3/lib/netapi/cm.c
-+++ b/source3/lib/netapi/cm.c
-@@ -269,7 +269,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
-
- WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
- const char *server_name,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- struct dcerpc_binding_handle **binding_handle)
- {
- struct rpc_pipe_client *pipe_cli;
-@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
-
- *binding_handle = NULL;
-
-- result = libnetapi_open_pipe(ctx, server_name, interface, &pipe_cli);
-+ result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
- if (!W_ERROR_IS_OK(result)) {
- return result;
- }
-diff --git a/source3/lib/netapi/file.c b/source3/lib/netapi/file.c
-index 1e406d2..551f9ff 100644
---- a/source3/lib/netapi/file.c
-+++ b/source3/lib/netapi/file.c
-@@ -36,7 +36,7 @@ WERROR NetFileClose_r(struct libnetapi_ctx *ctx,
- struct dcerpc_binding_handle *b;
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_srvsvc.syntax_id,
-+ &ndr_table_srvsvc,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -130,7 +130,7 @@ WERROR NetFileGetInfo_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_srvsvc.syntax_id,
-+ &ndr_table_srvsvc,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -201,7 +201,7 @@ WERROR NetFileEnum_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_srvsvc.syntax_id,
-+ &ndr_table_srvsvc,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-diff --git a/source3/lib/netapi/getdc.c b/source3/lib/netapi/getdc.c
-index 3b26d46..ae976f1 100644
---- a/source3/lib/netapi/getdc.c
-+++ b/source3/lib/netapi/getdc.c
-@@ -47,7 +47,7 @@ WERROR NetGetDCName_r(struct libnetapi_ctx *ctx,
- void *buffer;
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_netlogon.syntax_id,
-+ &ndr_table_netlogon,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -101,7 +101,7 @@ WERROR NetGetAnyDCName_r(struct libnetapi_ctx *ctx,
- void *buffer;
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_netlogon.syntax_id,
-+ &ndr_table_netlogon,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -173,7 +173,7 @@ WERROR DsGetDcName_r(struct libnetapi_ctx *ctx,
- struct dcerpc_binding_handle *b;
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_netlogon.syntax_id,
-+ &ndr_table_netlogon,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
-index 349287b..62aa7ef 100644
---- a/source3/lib/netapi/netapi_private.h
-+++ b/source3/lib/netapi/netapi_private.h
-@@ -30,6 +30,7 @@
- return fn ## _r(ctx, r);
-
- struct dcerpc_binding_handle;
-+struct ndr_interface_table;
-
- struct libnetapi_private_ctx {
- struct {
-@@ -64,7 +65,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
- struct rpc_pipe_client **presult);
- WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
- const char *server_name,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- struct dcerpc_binding_handle **binding_handle);
- WERROR libnetapi_samr_open_domain(struct libnetapi_ctx *mem_ctx,
- struct rpc_pipe_client *pipe_cli,
-diff --git a/source3/lib/netapi/netlogon.c b/source3/lib/netapi/netlogon.c
-index a046fb7..136cb48 100644
---- a/source3/lib/netapi/netlogon.c
-+++ b/source3/lib/netapi/netlogon.c
-@@ -133,7 +133,7 @@ WERROR I_NetLogonControl_r(struct libnetapi_ctx *ctx,
- struct dcerpc_binding_handle *b;
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_netlogon.syntax_id,
-+ &ndr_table_netlogon,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -190,7 +190,7 @@ WERROR I_NetLogonControl2_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_netlogon.syntax_id,
-+ &ndr_table_netlogon,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-diff --git a/source3/lib/netapi/serverinfo.c b/source3/lib/netapi/serverinfo.c
-index 046b693..b2a84d1 100644
---- a/source3/lib/netapi/serverinfo.c
-+++ b/source3/lib/netapi/serverinfo.c
-@@ -503,7 +503,7 @@ WERROR NetServerGetInfo_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_srvsvc.syntax_id,
-+ &ndr_table_srvsvc,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -616,7 +616,7 @@ WERROR NetServerSetInfo_r(struct libnetapi_ctx *ctx,
- struct dcerpc_binding_handle *b;
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_srvsvc.syntax_id,
-+ &ndr_table_srvsvc,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -658,7 +658,7 @@ WERROR NetRemoteTOD_r(struct libnetapi_ctx *ctx,
- struct dcerpc_binding_handle *b;
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_srvsvc.syntax_id,
-+ &ndr_table_srvsvc,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-diff --git a/source3/lib/netapi/share.c b/source3/lib/netapi/share.c
-index d12fa1c..090e1a9 100644
---- a/source3/lib/netapi/share.c
-+++ b/source3/lib/netapi/share.c
-@@ -200,7 +200,7 @@ WERROR NetShareAdd_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_srvsvc.syntax_id,
-+ &ndr_table_srvsvc,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -258,7 +258,7 @@ WERROR NetShareDel_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_srvsvc.syntax_id,
-+ &ndr_table_srvsvc,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -321,7 +321,7 @@ WERROR NetShareEnum_r(struct libnetapi_ctx *ctx,
- ZERO_STRUCT(info_ctr);
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_srvsvc.syntax_id,
-+ &ndr_table_srvsvc,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -428,7 +428,7 @@ WERROR NetShareGetInfo_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_srvsvc.syntax_id,
-+ &ndr_table_srvsvc,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -502,7 +502,7 @@ WERROR NetShareSetInfo_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_srvsvc.syntax_id,
-+ &ndr_table_srvsvc,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-diff --git a/source3/lib/netapi/shutdown.c b/source3/lib/netapi/shutdown.c
-index 78bc2fc..9e1e8e1 100644
---- a/source3/lib/netapi/shutdown.c
-+++ b/source3/lib/netapi/shutdown.c
-@@ -38,7 +38,7 @@ WERROR NetShutdownInit_r(struct libnetapi_ctx *ctx,
- struct dcerpc_binding_handle *b;
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_initshutdown.syntax_id,
-+ &ndr_table_initshutdown,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -82,7 +82,7 @@ WERROR NetShutdownAbort_r(struct libnetapi_ctx *ctx,
- struct dcerpc_binding_handle *b;
-
- werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-- &ndr_table_initshutdown.syntax_id,
-+ &ndr_table_initshutdown,
- &b);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
---
-1.9.3
-
-
-From e25e7bfe15bdb89a9680708c27b50e14a8a86ca3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 17 May 2013 16:10:13 +0200
-Subject: [PATCH 019/249] s3-libnetapi: pass down ndr_interface_table to
- libnetapi_open_pipe().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 77f7f2a976e5b95f3bd9f542b92926adee4f5fa6)
----
- source3/lib/netapi/cm.c | 8 ++++----
- source3/lib/netapi/group.c | 18 +++++++++---------
- source3/lib/netapi/joindomain.c | 10 +++++-----
- source3/lib/netapi/localgroup.c | 14 +++++++-------
- source3/lib/netapi/netapi_private.h | 2 +-
- source3/lib/netapi/user.c | 22 +++++++++++-----------
- 6 files changed, 37 insertions(+), 37 deletions(-)
-
-diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
-index c3ae19f..dd1f1e3 100644
---- a/source3/lib/netapi/cm.c
-+++ b/source3/lib/netapi/cm.c
-@@ -234,7 +234,7 @@ static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
-
- WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
- const char *server_name,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult)
- {
- struct rpc_pipe_client *result = NULL;
-@@ -251,10 +251,10 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
- return werr;
- }
-
-- status = pipe_cm_open(ctx, ipc, interface, &result);
-+ status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
- if (!NT_STATUS_IS_OK(status)) {
- libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
-- get_pipe_name_from_syntax(talloc_tos(), interface),
-+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
- get_friendly_nt_error_msg(status));
- return WERR_DEST_NOT_FOUND;
- }
-@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
-
- *binding_handle = NULL;
-
-- result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
-+ result = libnetapi_open_pipe(ctx, server_name, table, &pipe_cli);
- if (!W_ERROR_IS_OK(result)) {
- return result;
- }
-diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
-index b806fc4..6d9b248 100644
---- a/source3/lib/netapi/group.c
-+++ b/source3/lib/netapi/group.c
-@@ -76,7 +76,7 @@ WERROR NetGroupAdd_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -272,7 +272,7 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -492,7 +492,7 @@ WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -770,7 +770,7 @@ WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -918,7 +918,7 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -1078,7 +1078,7 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -1397,7 +1397,7 @@ WERROR NetGroupEnum_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -1544,7 +1544,7 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
-
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -1736,7 +1736,7 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
-index b6fb57a..d8e624f 100644
---- a/source3/lib/netapi/joindomain.c
-+++ b/source3/lib/netapi/joindomain.c
-@@ -116,7 +116,7 @@ WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
- DATA_BLOB session_key;
-
- werr = libnetapi_open_pipe(ctx, r->in.server,
-- &ndr_table_wkssvc.syntax_id,
-+ &ndr_table_wkssvc,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -257,7 +257,7 @@ WERROR NetUnjoinDomain_r(struct libnetapi_ctx *ctx,
- DATA_BLOB session_key;
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_wkssvc.syntax_id,
-+ &ndr_table_wkssvc,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -313,7 +313,7 @@ WERROR NetGetJoinInformation_r(struct libnetapi_ctx *ctx,
- struct dcerpc_binding_handle *b;
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_wkssvc.syntax_id,
-+ &ndr_table_wkssvc,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -455,7 +455,7 @@ WERROR NetGetJoinableOUs_r(struct libnetapi_ctx *ctx,
- DATA_BLOB session_key;
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_wkssvc.syntax_id,
-+ &ndr_table_wkssvc,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -508,7 +508,7 @@ WERROR NetRenameMachineInDomain_r(struct libnetapi_ctx *ctx,
- DATA_BLOB session_key;
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_wkssvc.syntax_id,
-+ &ndr_table_wkssvc,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
-index 17cab68..241970d 100644
---- a/source3/lib/netapi/localgroup.c
-+++ b/source3/lib/netapi/localgroup.c
-@@ -185,7 +185,7 @@ WERROR NetLocalGroupAdd_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -319,7 +319,7 @@ WERROR NetLocalGroupDel_r(struct libnetapi_ctx *ctx,
- ZERO_STRUCT(alias_handle);
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -499,7 +499,7 @@ WERROR NetLocalGroupGetInfo_r(struct libnetapi_ctx *ctx,
- ZERO_STRUCT(alias_handle);
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -678,7 +678,7 @@ WERROR NetLocalGroupSetInfo_r(struct libnetapi_ctx *ctx,
- ZERO_STRUCT(alias_handle);
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -828,7 +828,7 @@ WERROR NetLocalGroupEnum_r(struct libnetapi_ctx *ctx,
- ZERO_STRUCT(alias_handle);
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -1141,7 +1141,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
-
- if (r->in.level == 3) {
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_lsarpc.syntax_id,
-+ &ndr_table_lsarpc,
- &lsa_pipe);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -1160,7 +1160,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
-index 62aa7ef..897cf3d 100644
---- a/source3/lib/netapi/netapi_private.h
-+++ b/source3/lib/netapi/netapi_private.h
-@@ -61,7 +61,7 @@ NET_API_STATUS libnetapi_get_debuglevel(struct libnetapi_ctx *ctx, char **debugl
- WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx);
- WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
- const char *server_name,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult);
- WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
- const char *server_name,
-diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
-index a971e2d..4a39f69 100644
---- a/source3/lib/netapi/user.c
-+++ b/source3/lib/netapi/user.c
-@@ -400,7 +400,7 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -552,7 +552,7 @@ WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
- ZERO_STRUCT(user_handle);
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
-
- if (!W_ERROR_IS_OK(werr)) {
-@@ -1322,7 +1322,7 @@ WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -1630,7 +1630,7 @@ WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -1764,7 +1764,7 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -1936,7 +1936,7 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -2395,7 +2395,7 @@ WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -2880,7 +2880,7 @@ WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -3015,7 +3015,7 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -3206,7 +3206,7 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
-@@ -3547,7 +3547,7 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
- }
-
- werr = libnetapi_open_pipe(ctx, r->in.server_name,
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &pipe_cli);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
---
-1.9.3
-
-
-From 4157ba43258373cd995b2ee74dcd4d65782dc2ea Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 17 May 2013 16:13:26 +0200
-Subject: [PATCH 020/249] s3-libnetapi: pass down ndr_interface_table to
- pipe_cm() and friends.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 0ce2178f2ffeaee324c7e8fef7c87727def7bd77)
----
- source3/lib/netapi/cm.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
-index dd1f1e3..8551521 100644
---- a/source3/lib/netapi/cm.c
-+++ b/source3/lib/netapi/cm.c
-@@ -161,7 +161,7 @@ WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx)
- ********************************************************************/
-
- static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult)
- {
- struct client_pipe_connection *p;
-@@ -177,7 +177,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
-
- if (strequal(ipc_remote_name, p->pipe->desthost)
- && ndr_syntax_id_equal(&p->pipe->abstract_syntax,
-- interface)) {
-+ &table->syntax_id)) {
- *presult = p->pipe;
- return NT_STATUS_OK;
- }
-@@ -191,7 +191,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
-
- static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
- struct client_ipc_connection *ipc,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult)
- {
- struct client_pipe_connection *p;
-@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- status = cli_rpc_pipe_open_noauth(ipc->cli, interface, &p->pipe);
-+ status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(p);
- return status;
-@@ -219,14 +219,14 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
-
- static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
- struct client_ipc_connection *ipc,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult)
- {
-- if (NT_STATUS_IS_OK(pipe_cm_find(ipc, interface, presult))) {
-+ if (NT_STATUS_IS_OK(pipe_cm_find(ipc, table, presult))) {
- return NT_STATUS_OK;
- }
-
-- return pipe_cm_connect(ctx, ipc, interface, presult);
-+ return pipe_cm_connect(ctx, ipc, table, presult);
- }
-
- /********************************************************************
-@@ -251,7 +251,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
- return werr;
- }
-
-- status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
-+ status = pipe_cm_open(ctx, ipc, table, &result);
- if (!NT_STATUS_IS_OK(status)) {
- libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
---
-1.9.3
-
-
-From ec8ba2a371ce4c4cc14d04e852034dcd92862542 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 17 May 2013 16:16:59 +0200
-Subject: [PATCH 021/249] s3-rpc_cli: pass down ndr_interface_table to
- rpc_pipe_open_ncalrpc().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 9b4fb5b074b035eaef98c4a463c9d68006ed52da)
----
- source3/librpc/rpc/dcerpc_ep.c | 2 +-
- source3/rpc_client/cli_pipe.c | 4 ++--
- source3/rpc_client/cli_pipe.h | 2 +-
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/librpc/rpc/dcerpc_ep.c b/source3/librpc/rpc/dcerpc_ep.c
-index bb080c5..410caa7 100644
---- a/source3/librpc/rpc/dcerpc_ep.c
-+++ b/source3/librpc/rpc/dcerpc_ep.c
-@@ -365,7 +365,7 @@ static NTSTATUS ep_register(TALLOC_CTX *mem_ctx,
-
- status = rpc_pipe_open_ncalrpc(tmp_ctx,
- ncalrpc_sock,
-- &ndr_table_epmapper.syntax_id,
-+ &ndr_table_epmapper,
- &cli);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 385ae25..427b628 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2682,7 +2682,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
- Create a rpc pipe client struct, connecting to a unix domain socket
- ********************************************************************/
- NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
-- const struct ndr_syntax_id *abstract_syntax,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult)
- {
- struct rpc_pipe_client *result;
-@@ -2696,7 +2696,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
- return NT_STATUS_NO_MEMORY;
- }
-
-- result->abstract_syntax = *abstract_syntax;
-+ result->abstract_syntax = table->syntax_id;
- result->transfer_syntax = ndr_transfer_syntax_ndr;
-
- result->desthost = get_myname(result);
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index 34ae542..3415db0 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -71,7 +71,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
- struct rpc_pipe_client **presult);
-
- NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
-- const struct ndr_syntax_id *abstract_syntax,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult);
-
- struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
---
-1.9.3
-
-
-From 816b7983c2342ea500e7467f2ab6c04dff89308f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 17 May 2013 16:44:05 +0200
-Subject: [PATCH 022/249] s3-rpc_cli: pass down ndr_interface_table to
- rpc_pipe_open_interface().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 6886cff0a7e97864e9094af936cbef08a3c8f6f4)
----
- source3/printing/nt_printing_migrate_internal.c | 2 +-
- source3/printing/printspoolss.c | 4 +--
- source3/rpc_server/rpc_ncacn_np.c | 8 +++---
- source3/rpc_server/rpc_ncacn_np.h | 2 +-
- source3/smbd/lanman.c | 34 ++++++++++++-------------
- source3/smbd/reply.c | 2 +-
- 6 files changed, 26 insertions(+), 26 deletions(-)
-
-diff --git a/source3/printing/nt_printing_migrate_internal.c b/source3/printing/nt_printing_migrate_internal.c
-index 200db07f..6bc7ea2 100644
---- a/source3/printing/nt_printing_migrate_internal.c
-+++ b/source3/printing/nt_printing_migrate_internal.c
-@@ -211,7 +211,7 @@ bool nt_printing_tdb_migrate(struct messaging_context *msg_ctx)
- }
-
- status = rpc_pipe_open_interface(tmp_ctx,
-- &ndr_table_winreg.syntax_id,
-+ &ndr_table_winreg,
- session_info,
- NULL,
- msg_ctx,
-diff --git a/source3/printing/printspoolss.c b/source3/printing/printspoolss.c
-index fc1e9c1..0507e83 100644
---- a/source3/printing/printspoolss.c
-+++ b/source3/printing/printspoolss.c
-@@ -154,7 +154,7 @@ NTSTATUS print_spool_open(files_struct *fsp,
- * a job id */
-
- status = rpc_pipe_open_interface(fsp->conn,
-- &ndr_table_spoolss.syntax_id,
-+ &ndr_table_spoolss,
- fsp->conn->session_info,
- fsp->conn->sconn->remote_address,
- fsp->conn->sconn->msg_ctx,
-@@ -343,7 +343,7 @@ void print_spool_terminate(struct connection_struct *conn,
- rap_jobid_delete(print_file->svcname, print_file->jobid);
-
- status = rpc_pipe_open_interface(conn,
-- &ndr_table_spoolss.syntax_id,
-+ &ndr_table_spoolss,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
-index b4602a9..7389b3e 100644
---- a/source3/rpc_server/rpc_ncacn_np.c
-+++ b/source3/rpc_server/rpc_ncacn_np.c
-@@ -758,7 +758,7 @@ done:
- */
-
- NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
-- const struct ndr_syntax_id *syntax,
-+ const struct ndr_interface_table *table,
- const struct auth_session_info *session_info,
- const struct tsocket_address *remote_address,
- struct messaging_context *msg_ctx,
-@@ -783,7 +783,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- pipe_name = get_pipe_name_from_syntax(tmp_ctx, syntax);
-+ pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
- if (pipe_name == NULL) {
- status = NT_STATUS_INVALID_PARAMETER;
- goto done;
-@@ -800,7 +800,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
- switch (pipe_mode) {
- case RPC_SERVICE_MODE_EMBEDDED:
- status = rpc_pipe_open_internal(tmp_ctx,
-- syntax, session_info,
-+ &table->syntax_id, session_info,
- remote_address, msg_ctx,
- &cli);
- if (!NT_STATUS_IS_OK(status)) {
-@@ -813,7 +813,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
- * to spoolssd. */
-
- status = rpc_pipe_open_external(tmp_ctx,
-- pipe_name, syntax,
-+ pipe_name, &table->syntax_id,
- session_info,
- &cli);
- if (!NT_STATUS_IS_OK(status)) {
-diff --git a/source3/rpc_server/rpc_ncacn_np.h b/source3/rpc_server/rpc_ncacn_np.h
-index 586d61b..67cd8a1 100644
---- a/source3/rpc_server/rpc_ncacn_np.h
-+++ b/source3/rpc_server/rpc_ncacn_np.h
-@@ -50,7 +50,7 @@ NTSTATUS rpcint_binding_handle(TALLOC_CTX *mem_ctx,
- struct messaging_context *msg_ctx,
- struct dcerpc_binding_handle **binding_handle);
- NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
-- const struct ndr_syntax_id *syntax,
-+ const struct ndr_interface_table *table,
- const struct auth_session_info *session_info,
- const struct tsocket_address *remote_address,
- struct messaging_context *msg_ctx,
-diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
-index d0dae36..3c488ec 100644
---- a/source3/smbd/lanman.c
-+++ b/source3/smbd/lanman.c
-@@ -832,7 +832,7 @@ static bool api_DosPrintQGetInfo(struct smbd_server_connection *sconn,
- }
-
- status = rpc_pipe_open_interface(conn,
-- &ndr_table_spoolss.syntax_id,
-+ &ndr_table_spoolss,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -1029,7 +1029,7 @@ static bool api_DosPrintQEnum(struct smbd_server_connection *sconn,
- }
-
- status = rpc_pipe_open_interface(conn,
-- &ndr_table_spoolss.syntax_id,
-+ &ndr_table_spoolss,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -2256,7 +2256,7 @@ static bool api_RNetShareAdd(struct smbd_server_connection *sconn,
- return false;
- }
-
-- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
-+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -2368,7 +2368,7 @@ static bool api_RNetGroupEnum(struct smbd_server_connection *sconn,
- }
-
- status = rpc_pipe_open_interface(
-- talloc_tos(), &ndr_table_samr.syntax_id,
-+ talloc_tos(), &ndr_table_samr,
- conn->session_info, conn->sconn->remote_address,
- conn->sconn->msg_ctx, &samr_pipe);
- if (!NT_STATUS_IS_OK(status)) {
-@@ -2574,7 +2574,7 @@ static bool api_NetUserGetGroups(struct smbd_server_connection *sconn,
- endp = *rdata + *rdata_len;
-
- status = rpc_pipe_open_interface(
-- talloc_tos(), &ndr_table_samr.syntax_id,
-+ talloc_tos(), &ndr_table_samr,
- conn->session_info, conn->sconn->remote_address,
- conn->sconn->msg_ctx, &samr_pipe);
- if (!NT_STATUS_IS_OK(status)) {
-@@ -2774,7 +2774,7 @@ static bool api_RNetUserEnum(struct smbd_server_connection *sconn,
- endp = *rdata + *rdata_len;
-
- status = rpc_pipe_open_interface(
-- talloc_tos(), &ndr_table_samr.syntax_id,
-+ talloc_tos(), &ndr_table_samr,
- conn->session_info, conn->sconn->remote_address,
- conn->sconn->msg_ctx, &samr_pipe);
- if (!NT_STATUS_IS_OK(status)) {
-@@ -3037,7 +3037,7 @@ static bool api_SamOEMChangePassword(struct smbd_server_connection *sconn,
- memcpy(password.data, data, 516);
- memcpy(hash.hash, data+516, 16);
-
-- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
-+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -3134,7 +3134,7 @@ static bool api_RDosPrintJobDel(struct smbd_server_connection *sconn,
- ZERO_STRUCT(handle);
-
- status = rpc_pipe_open_interface(conn,
-- &ndr_table_spoolss.syntax_id,
-+ &ndr_table_spoolss,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -3262,7 +3262,7 @@ static bool api_WPrintQueueCtrl(struct smbd_server_connection *sconn,
- ZERO_STRUCT(handle);
-
- status = rpc_pipe_open_interface(conn,
-- &ndr_table_spoolss.syntax_id,
-+ &ndr_table_spoolss,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -3444,7 +3444,7 @@ static bool api_PrintJobInfo(struct smbd_server_connection *sconn,
- ZERO_STRUCT(handle);
-
- status = rpc_pipe_open_interface(conn,
-- &ndr_table_spoolss.syntax_id,
-+ &ndr_table_spoolss,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -3621,7 +3621,7 @@ static bool api_RNetServerGetInfo(struct smbd_server_connection *sconn,
- p = *rdata;
- p2 = p + struct_len;
-
-- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
-+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -4052,7 +4052,7 @@ static bool api_RNetUserGetInfo(struct smbd_server_connection *sconn,
- ZERO_STRUCT(domain_handle);
- ZERO_STRUCT(user_handle);
-
-- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
-+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -4581,7 +4581,7 @@ static bool api_WPrintJobGetInfo(struct smbd_server_connection *sconn,
- ZERO_STRUCT(handle);
-
- status = rpc_pipe_open_interface(conn,
-- &ndr_table_spoolss.syntax_id,
-+ &ndr_table_spoolss,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -4723,7 +4723,7 @@ static bool api_WPrintJobEnumerate(struct smbd_server_connection *sconn,
- ZERO_STRUCT(handle);
-
- status = rpc_pipe_open_interface(conn,
-- &ndr_table_spoolss.syntax_id,
-+ &ndr_table_spoolss,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -4923,7 +4923,7 @@ static bool api_WPrintDestGetInfo(struct smbd_server_connection *sconn,
- ZERO_STRUCT(handle);
-
- status = rpc_pipe_open_interface(conn,
-- &ndr_table_spoolss.syntax_id,
-+ &ndr_table_spoolss,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -5055,7 +5055,7 @@ static bool api_WPrintDestEnum(struct smbd_server_connection *sconn,
- queuecnt = 0;
-
- status = rpc_pipe_open_interface(conn,
-- &ndr_table_spoolss.syntax_id,
-+ &ndr_table_spoolss,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-@@ -5366,7 +5366,7 @@ static bool api_RNetSessionEnum(struct smbd_server_connection *sconn,
- }
-
- status = rpc_pipe_open_interface(conn,
-- &ndr_table_srvsvc.syntax_id,
-+ &ndr_table_srvsvc,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
-diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
-index 3f5b950..eace557 100644
---- a/source3/smbd/reply.c
-+++ b/source3/smbd/reply.c
-@@ -5637,7 +5637,7 @@ void reply_printqueue(struct smb_request *req)
- ZERO_STRUCT(handle);
-
- status = rpc_pipe_open_interface(conn,
-- &ndr_table_spoolss.syntax_id,
-+ &ndr_table_spoolss,
- conn->session_info,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
---
-1.9.3
-
-
-From 3dc2d438f0b440f34b7cdd9eeac429a15f679460 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 24 May 2013 13:03:23 +0200
-Subject: [PATCH 023/249] s3-rpc_cli: pass down ndr_interface_table to
- cli_rpc_pipe_open_schannel().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit f6d61b571d79ebf1df58513ec728057d00b95f3e)
----
- source3/auth/auth_domain.c | 2 +-
- source3/rpc_client/cli_pipe.h | 2 +-
- source3/rpc_client/cli_pipe_schannel.c | 4 ++--
- source3/rpcclient/rpcclient.c | 2 +-
- source3/utils/net_rpc.c | 2 +-
- 5 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
-index 286c75c..a375f11 100644
---- a/source3/auth/auth_domain.c
-+++ b/source3/auth/auth_domain.c
-@@ -115,7 +115,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
- if (lp_client_schannel()) {
- /* We also setup the creds chain in the open_schannel call. */
- result = cli_rpc_pipe_open_schannel(
-- *cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
-+ *cli, &ndr_table_netlogon, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
- } else {
- result = cli_rpc_pipe_open_noauth(
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index 3415db0..d17322a 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -125,7 +125,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
- struct rpc_pipe_client **presult);
-
- NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- enum dcerpc_transport_t transport,
- enum dcerpc_AuthLevel auth_level,
- const char *domain,
-diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
-index c275720..8bc01a5 100644
---- a/source3/rpc_client/cli_pipe_schannel.c
-+++ b/source3/rpc_client/cli_pipe_schannel.c
-@@ -169,7 +169,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
- ****************************************************************************/
-
- NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- enum dcerpc_transport_t transport,
- enum dcerpc_AuthLevel auth_level,
- const char *domain,
-@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
- }
-
- status = cli_rpc_pipe_open_schannel_with_key(
-- cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
-+ cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
- &result);
-
- /* Now we've bound using the session key we can close the netlog pipe. */
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index d204d7f..6b6478e 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -734,7 +734,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- break;
- case DCERPC_AUTH_TYPE_SCHANNEL:
- ntresult = cli_rpc_pipe_open_schannel(
-- cli, &cmd_entry->table->syntax_id,
-+ cli, cmd_entry->table,
- default_transport,
- pipe_default_auth_level,
- get_cmdline_auth_info_domain(auth_info),
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index 4503f59..dab9fcd 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -191,7 +191,7 @@ int run_rpc_command(struct net_context *c,
- &ndr_table_netlogon.syntax_id))) {
- /* Always try and create an schannel netlogon pipe. */
- nt_status = cli_rpc_pipe_open_schannel(
-- cli, &table->syntax_id, NCACN_NP,
-+ cli, table, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(nt_status)) {
---
-1.9.3
-
-
-From 428596faf89f424c83edb86d45c5a1322e3fb6b5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 24 May 2013 13:08:33 +0200
-Subject: [PATCH 024/249] s3-rpc_cli: pass down ndr_interface_table to
- cli_rpc_pipe_open_ntlmssp_auth_schannel().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 7f169474fc86479abe09a5716b8029c6febcfaa9)
----
- source3/rpc_client/cli_pipe.h | 2 +-
- source3/rpc_client/cli_pipe_schannel.c | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index d17322a..7026692 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -116,7 +116,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- struct rpc_pipe_client **presult);
-
- NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- enum dcerpc_transport_t transport,
- enum dcerpc_AuthLevel auth_level,
- const char *domain,
-diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
-index 8bc01a5..261a768 100644
---- a/source3/rpc_client/cli_pipe_schannel.c
-+++ b/source3/rpc_client/cli_pipe_schannel.c
-@@ -128,7 +128,7 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
- ****************************************************************************/
-
- NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- enum dcerpc_transport_t transport,
- enum dcerpc_AuthLevel auth_level,
- const char *domain,
-@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
- }
-
- status = cli_rpc_pipe_open_schannel_with_key(
-- cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
-+ cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
- &result);
-
- /* Now we've bound using the session key we can close the netlog pipe. */
---
-1.9.3
-
-
-From cda31f4e490942ffc89513f000fa147f535a2713 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 24 May 2013 13:17:24 +0200
-Subject: [PATCH 025/249] s3-rpc_cli: pass down ndr_interface_table to
- cli_rpc_pipe_open_schannel_with_key().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 3dc3a6c8483a8de22b483ecf164c81232d4a8d65)
----
- source3/libnet/libnet_join.c | 2 +-
- source3/rpc_client/cli_pipe.c | 6 +++---
- source3/rpc_client/cli_pipe.h | 2 +-
- source3/rpc_client/cli_pipe_schannel.c | 4 ++--
- source3/utils/net_rpc_join.c | 4 ++--
- source3/winbindd/winbindd_cm.c | 8 ++++----
- 6 files changed, 13 insertions(+), 13 deletions(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 1418385..9f47f3b 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -1287,7 +1287,7 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
- }
-
- status = cli_rpc_pipe_open_schannel_with_key(
-- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
-+ cli, &ndr_table_netlogon, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY,
- netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 427b628..34cef32 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -3022,7 +3022,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
- ****************************************************************************/
-
- NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- enum dcerpc_transport_t transport,
- enum dcerpc_AuthLevel auth_level,
- const char *domain,
-@@ -3033,7 +3033,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- struct pipe_auth_data *auth;
- NTSTATUS status;
-
-- status = cli_rpc_pipe_open(cli, transport, interface, &result);
-+ status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-@@ -3070,7 +3070,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
-
- DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
- "for domain %s and bound using schannel.\n",
-- get_pipe_name_from_syntax(talloc_tos(), interface),
-+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
- result->desthost, domain));
-
- *presult = result;
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index 7026692..65bfbc8 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -108,7 +108,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
- struct rpc_pipe_client **presult);
-
- NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- enum dcerpc_transport_t transport,
- enum dcerpc_AuthLevel auth_level,
- const char *domain,
-diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
-index 261a768..784e63f 100644
---- a/source3/rpc_client/cli_pipe_schannel.c
-+++ b/source3/rpc_client/cli_pipe_schannel.c
-@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
- }
-
- status = cli_rpc_pipe_open_schannel_with_key(
-- cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
-+ cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
- &result);
-
- /* Now we've bound using the session key we can close the netlog pipe. */
-@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
- }
-
- status = cli_rpc_pipe_open_schannel_with_key(
-- cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
-+ cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
- &result);
-
- /* Now we've bound using the session key we can close the netlog pipe. */
-diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
-index 56799cd..4b43769 100644
---- a/source3/utils/net_rpc_join.c
-+++ b/source3/utils/net_rpc_join.c
-@@ -137,7 +137,7 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
- }
-
- ntret = cli_rpc_pipe_open_schannel_with_key(
-- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
-+ cli, &ndr_table_netlogon, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY,
- domain, &netlogon_pipe->dc, &pipe_hnd);
-
-@@ -497,7 +497,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
- struct rpc_pipe_client *netlogon_schannel_pipe;
-
- status = cli_rpc_pipe_open_schannel_with_key(
-- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
-+ cli, &ndr_table_netlogon, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY, domain, &pipe_hnd->dc,
- &netlogon_schannel_pipe);
-
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index 61917db..f17fc68 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -2415,7 +2415,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- goto anonymous;
- }
- status = cli_rpc_pipe_open_schannel_with_key
-- (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
-+ (conn->cli, &ndr_table_samr, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY,
- domain->name, &p_creds, &conn->samr_pipe);
-
-@@ -2547,7 +2547,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
- }
-
- status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
-- &ndr_table_lsarpc.syntax_id,
-+ &ndr_table_lsarpc,
- NCACN_IP_TCP,
- DCERPC_AUTH_LEVEL_PRIVACY,
- domain->name,
-@@ -2646,7 +2646,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- goto anonymous;
- }
- result = cli_rpc_pipe_open_schannel_with_key
-- (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
-+ (conn->cli, &ndr_table_lsarpc, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY,
- domain->name, &p_creds, &conn->lsa_pipe);
-
-@@ -2831,7 +2831,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
- */
-
- result = cli_rpc_pipe_open_schannel_with_key(
-- conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
-+ conn->cli, &ndr_table_netlogon, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
- &conn->netlogon_pipe);
-
---
-1.9.3
-
-
-From 9b569e91cd22806eedae76d3fb60cdbd7548e4c2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 24 May 2013 13:29:28 +0200
-Subject: [PATCH 026/249] s3-rpc_cli: pass down ndr_interface_table to
- cli_rpc_pipe_open_noauth().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 9813fe2b04a5b4abaa95ea1d893b3803edbede4d)
----
- source3/auth/auth_domain.c | 2 +-
- source3/client/client.c | 2 +-
- source3/lib/netapi/cm.c | 2 +-
- source3/libnet/libnet_join.c | 8 ++++----
- source3/libsmb/libsmb_dir.c | 2 +-
- source3/libsmb/libsmb_server.c | 2 +-
- source3/libsmb/passchange.c | 4 ++--
- source3/libsmb/trustdom_cache.c | 2 +-
- source3/libsmb/trusts_util.c | 2 +-
- source3/rpc_client/cli_pipe.c | 4 ++--
- source3/rpc_client/cli_pipe.h | 2 +-
- source3/rpc_client/cli_pipe_schannel.c | 2 +-
- source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +-
- source3/rpcclient/cmd_spoolss.c | 2 +-
- source3/rpcclient/cmd_test.c | 4 ++--
- source3/rpcclient/rpcclient.c | 2 +-
- source3/torture/test_async_echo.c | 2 +-
- source3/utils/net_ads.c | 2 +-
- source3/utils/net_rpc.c | 20 ++++++++++----------
- source3/utils/net_rpc_join.c | 6 +++---
- source3/utils/net_rpc_shell.c | 2 +-
- source3/utils/net_rpc_trust.c | 2 +-
- source3/utils/net_util.c | 8 ++++----
- source3/utils/netlookup.c | 2 +-
- source3/utils/smbcacls.c | 7 +++----
- source3/utils/smbcquotas.c | 2 +-
- source3/utils/smbtree.c | 2 +-
- source3/winbindd/winbindd_cm.c | 10 +++++-----
- 28 files changed, 54 insertions(+), 55 deletions(-)
-
-diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
-index a375f11..54ee5a1 100644
---- a/source3/auth/auth_domain.c
-+++ b/source3/auth/auth_domain.c
-@@ -119,7 +119,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
- DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
- } else {
- result = cli_rpc_pipe_open_noauth(
-- *cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
-+ *cli, &ndr_table_netlogon, &netlogon_pipe);
- }
-
- if (!NT_STATUS_IS_OK(result)) {
-diff --git a/source3/client/client.c b/source3/client/client.c
-index ab46cb8..dafc5f0 100644
---- a/source3/client/client.c
-+++ b/source3/client/client.c
-@@ -4227,7 +4227,7 @@ static bool browse_host_rpc(bool sort)
- int i;
- struct dcerpc_binding_handle *b;
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
- &pipe_hnd);
-
- if (!NT_STATUS_IS_OK(status)) {
-diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
-index 8551521..1cfdccf 100644
---- a/source3/lib/netapi/cm.c
-+++ b/source3/lib/netapi/cm.c
-@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
-+ status = cli_rpc_pipe_open_noauth(ipc->cli, table, &p->pipe);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(p);
- return status;
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 9f47f3b..324c8f3 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -749,7 +749,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
- goto done;
- }
-
-- status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
-@@ -819,7 +819,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
- fstring trust_passwd;
- NTSTATUS status;
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
-@@ -908,7 +908,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
-
- /* Open the domain */
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
-@@ -1377,7 +1377,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
-
- /* Open the domain */
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
-diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
-index 87e10d8..3a07f11 100644
---- a/source3/libsmb/libsmb_dir.c
-+++ b/source3/libsmb/libsmb_dir.c
-@@ -277,7 +277,7 @@ net_share_enum_rpc(struct cli_state *cli,
- struct dcerpc_binding_handle *b;
-
- /* Open the server service pipe */
-- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
-+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(1, ("net_share_enum_rpc pipe open fail!\n"));
-diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
-index d4254da..dff0062 100644
---- a/source3/libsmb/libsmb_server.c
-+++ b/source3/libsmb/libsmb_server.c
-@@ -802,7 +802,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
- ipc_srv->cli = ipc_cli;
-
- nt_status = cli_rpc_pipe_open_noauth(
-- ipc_srv->cli, &ndr_table_lsarpc.syntax_id, &pipe_hnd);
-+ ipc_srv->cli, &ndr_table_lsarpc, &pipe_hnd);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(1, ("cli_nt_session_open fail!\n"));
- errno = ENOTSUP;
-diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
-index 3933833..9736ada 100644
---- a/source3/libsmb/passchange.c
-+++ b/source3/libsmb/passchange.c
-@@ -169,7 +169,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
- * way.
- */
- result = cli_rpc_pipe_open_noauth(
-- cli, &ndr_table_samr.syntax_id, &pipe_hnd);
-+ cli, &ndr_table_samr, &pipe_hnd);
- }
-
- if (!NT_STATUS_IS_OK(result)) {
-@@ -230,7 +230,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
- result = NT_STATUS_UNSUCCESSFUL;
-
- /* OK, this is ugly, but... try an anonymous pipe. */
-- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
-+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
- &pipe_hnd);
-
- if ( NT_STATUS_IS_OK(result) &&
-diff --git a/source3/libsmb/trustdom_cache.c b/source3/libsmb/trustdom_cache.c
-index 8789d30..dadc751 100644
---- a/source3/libsmb/trustdom_cache.c
-+++ b/source3/libsmb/trustdom_cache.c
-@@ -289,7 +289,7 @@ static bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
-
- /* open the LSARPC_PIPE */
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
- &lsa_pipe);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
-diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
-index 0d039bc..6156ba0 100644
---- a/source3/libsmb/trusts_util.c
-+++ b/source3/libsmb/trusts_util.c
-@@ -182,7 +182,7 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
- /* Shouldn't we open this with schannel ? JRA. */
-
- nt_status = cli_rpc_pipe_open_noauth(
-- cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
-+ cli, &ndr_table_netlogon, &netlogon_pipe);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
- dc_name, nt_errstr(nt_status)));
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 34cef32..1137abd 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2948,11 +2948,11 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
- ****************************************************************************/
-
- NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult)
- {
- return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
-- interface, presult);
-+ &table->syntax_id, presult);
- }
-
- /****************************************************************************
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index 65bfbc8..9aae61a 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -77,7 +77,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
- struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
-
- NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult);
-
- NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
-diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
-index 784e63f..bc672ef 100644
---- a/source3/rpc_client/cli_pipe_schannel.c
-+++ b/source3/rpc_client/cli_pipe_schannel.c
-@@ -217,7 +217,7 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli,
- struct rpc_pipe_client *netlogon_pipe = NULL;
- NTSTATUS status;
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
- &netlogon_pipe);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
-diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
-index 335647b..c12cd05 100644
---- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
-+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
-@@ -2504,7 +2504,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
- * Now start the NT Domain stuff :-).
- */
-
-- ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss.syntax_id, pp_pipe);
-+ ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss, pp_pipe);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(2,("spoolss_connect_to_client: unable to open the spoolss pipe on machine %s. Error was : %s.\n",
- remote_machine, nt_errstr(ret)));
-diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
-index 5c499d4..fb011f8 100644
---- a/source3/rpcclient/cmd_spoolss.c
-+++ b/source3/rpcclient/cmd_spoolss.c
-@@ -3453,7 +3453,7 @@ static WERROR cmd_spoolss_printercmp(struct rpc_pipe_client *cli,
- if ( !NT_STATUS_IS_OK(nt_status) )
- return WERR_GENERAL_FAILURE;
-
-- nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss.syntax_id,
-+ nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss,
- &cli2);
- if (!NT_STATUS_IS_OK(nt_status)) {
- printf("failed to open spoolss pipe on server %s (%s)\n",
-diff --git a/source3/rpcclient/cmd_test.c b/source3/rpcclient/cmd_test.c
-index 591ae8c..367dc71 100644
---- a/source3/rpcclient/cmd_test.c
-+++ b/source3/rpcclient/cmd_test.c
-@@ -36,14 +36,14 @@ static NTSTATUS cmd_testme(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- d_printf("testme\n");
-
- status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
-- &ndr_table_lsarpc.syntax_id,
-+ &ndr_table_lsarpc,
- &lsa_pipe);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
-
- status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
-- &ndr_table_samr.syntax_id,
-+ &ndr_table_samr,
- &samr_pipe);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index 6b6478e..e3b35bb 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -167,7 +167,7 @@ static void fetch_machine_sid(struct cli_state *cli)
- goto error;
- }
-
-- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
-+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
- &lsapipe);
- if (!NT_STATUS_IS_OK(result)) {
- fprintf(stderr, "could not initialise lsa pipe. Error was %s\n", nt_errstr(result) );
-diff --git a/source3/torture/test_async_echo.c b/source3/torture/test_async_echo.c
-index 6df95dd..f21daa4 100644
---- a/source3/torture/test_async_echo.c
-+++ b/source3/torture/test_async_echo.c
-@@ -82,7 +82,7 @@ bool run_async_echo(int dummy)
- printf("torture_open_connection failed\n");
- goto fail;
- }
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho,
- &p);
- if (!NT_STATUS_IS_OK(status)) {
- printf("Could not open echo pipe: %s\n", nt_errstr(status));
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index 5699943..89eebf3 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -1957,7 +1957,7 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
- SAFE_FREE(srv_cn_escaped);
- SAFE_FREE(printername_escaped);
-
-- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
-+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss, &pipe_hnd);
- if (!NT_STATUS_IS_OK(nt_status)) {
- d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
- servername);
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index dab9fcd..69ff14d 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -82,7 +82,7 @@ NTSTATUS net_get_remote_domain_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx,
- union lsa_PolicyInformation *info = NULL;
- struct dcerpc_binding_handle *b;
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
- &lsa_pipe);
- if (!NT_STATUS_IS_OK(status)) {
- d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
-@@ -212,7 +212,7 @@ int run_rpc_command(struct net_context *c,
- c->opt_password, &pipe_hnd);
- } else {
- nt_status = cli_rpc_pipe_open_noauth(
-- cli, &table->syntax_id,
-+ cli, table,
- &pipe_hnd);
- }
- if (!NT_STATUS_IS_OK(nt_status)) {
-@@ -348,7 +348,7 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
- NTSTATUS result;
- enum netr_SchannelType sec_channel_type;
-
-- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
-+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
-@@ -1966,7 +1966,7 @@ static NTSTATUS get_sid_from_name(struct cli_state *cli,
- NTSTATUS status, result;
- struct dcerpc_binding_handle *b;
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
-@@ -2980,7 +2980,7 @@ static NTSTATUS rpc_list_alias_members(struct net_context *c,
- }
-
- result = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(pipe_hnd),
-- &ndr_table_lsarpc.syntax_id,
-+ &ndr_table_lsarpc,
- &lsa_pipe);
- if (!NT_STATUS_IS_OK(result)) {
- d_fprintf(stderr, _("Couldn't open LSA pipe. Error was %s\n"),
-@@ -6232,7 +6232,7 @@ static NTSTATUS rpc_trustdom_get_pdc(struct net_context *c,
-
- /* Try netr_GetDcName */
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
- &netr);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
-@@ -6379,7 +6379,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc,
- * Call LsaOpenPolicy and LsaQueryInfo
- */
-
-- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
-+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) ));
-@@ -6656,7 +6656,7 @@ static int rpc_trustdom_vampire(struct net_context *c, int argc,
- return -1;
- };
-
-- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
-+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
-@@ -6834,7 +6834,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
- return -1;
- };
-
-- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
-+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
-@@ -6950,7 +6950,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
- /*
- * Open \PIPE\samr and get needed policy handles
- */
-- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
-+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("Could not initialise samr pipe. Error was %s\n", nt_errstr(nt_status)));
-diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
-index 4b43769..aabbe54 100644
---- a/source3/utils/net_rpc_join.c
-+++ b/source3/utils/net_rpc_join.c
-@@ -245,7 +245,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
-
- /* Fetch domain sid */
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
-@@ -280,7 +280,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
- }
-
- /* Create domain user */
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
-@@ -456,7 +456,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
-
- /* Now check the whole process from top-to-bottom */
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n",
-diff --git a/source3/utils/net_rpc_shell.c b/source3/utils/net_rpc_shell.c
-index 6086066..120cfa6 100644
---- a/source3/utils/net_rpc_shell.c
-+++ b/source3/utils/net_rpc_shell.c
-@@ -85,7 +85,7 @@ static NTSTATUS net_sh_run(struct net_context *c,
- return NT_STATUS_NO_MEMORY;
- }
-
-- status = cli_rpc_pipe_open_noauth(ctx->cli, &cmd->table->syntax_id,
-+ status = cli_rpc_pipe_open_noauth(ctx->cli, cmd->table,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(status)) {
- d_fprintf(stderr, _("Could not open pipe: %s\n"),
-diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c
-index 9060700..5e58103 100644
---- a/source3/utils/net_rpc_trust.c
-+++ b/source3/utils/net_rpc_trust.c
-@@ -210,7 +210,7 @@ static NTSTATUS connect_and_get_info(TALLOC_CTX *mem_ctx,
- return status;
- }
-
-- status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id, pipe_hnd);
-+ status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc, pipe_hnd);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to initialise lsa pipe with error [%s]\n",
- nt_errstr(status)));
-diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
-index a4282ec..13a0ef1 100644
---- a/source3/utils/net_util.c
-+++ b/source3/utils/net_util.c
-@@ -45,7 +45,7 @@ NTSTATUS net_rpc_lookup_name(struct net_context *c,
-
- ZERO_STRUCT(pol);
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
- &lsa_pipe);
- if (!NT_STATUS_IS_OK(status)) {
- d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
-@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
- return nt_status;
- }
-
-- nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
-+ nt_status = cli_rpc_pipe_open_noauth(cli_tmp, table,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("couldn't not initialize pipe\n"));
-@@ -571,7 +571,7 @@ static NTSTATUS net_scan_dc_noad(struct net_context *c,
- ZERO_STRUCTP(dc_info);
- ZERO_STRUCT(pol);
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
- &pipe_hnd);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
-@@ -634,7 +634,7 @@ NTSTATUS net_scan_dc(struct net_context *c,
-
- ZERO_STRUCTP(dc_info);
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup,
- &dssetup_pipe);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("net_scan_dc: failed to open dssetup pipe with %s, "
-diff --git a/source3/utils/netlookup.c b/source3/utils/netlookup.c
-index b66c34e..56d3bfe 100644
---- a/source3/utils/netlookup.c
-+++ b/source3/utils/netlookup.c
-@@ -122,7 +122,7 @@ static struct con_struct *create_cs(struct net_context *c,
- }
-
- nt_status = cli_rpc_pipe_open_noauth(cs->cli,
-- &ndr_table_lsarpc.syntax_id,
-+ &ndr_table_lsarpc,
- &cs->lsapipe);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
-diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
-index 23a1192..f092839 100644
---- a/source3/utils/smbcacls.c
-+++ b/source3/utils/smbcacls.c
-@@ -96,7 +96,7 @@ static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli,
- goto tcon_fail;
- }
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
- &p);
- if (!NT_STATUS_IS_OK(status)) {
- goto fail;
-@@ -146,7 +146,7 @@ static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli,
- goto tcon_fail;
- }
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
- &p);
- if (!NT_STATUS_IS_OK(status)) {
- goto fail;
-@@ -187,14 +187,13 @@ static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli,
- struct policy_handle handle;
- NTSTATUS status, result;
- TALLOC_CTX *frame = talloc_stackframe();
-- const struct ndr_syntax_id *lsarpc_syntax = &ndr_table_lsarpc.syntax_id;
-
- status = cli_tree_connect(cli, "IPC$", "?????", "", 0);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
-
-- status = cli_rpc_pipe_open_noauth(cli, lsarpc_syntax, &rpc_pipe);
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc, &rpc_pipe);
- if (!NT_STATUS_IS_OK(status)) {
- goto tdis;
- }
-diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
-index bf1f95c..2791b93 100644
---- a/source3/utils/smbcquotas.c
-+++ b/source3/utils/smbcquotas.c
-@@ -58,7 +58,7 @@ static bool cli_open_policy_hnd(void)
- NTSTATUS ret;
- cli_ipc = connect_one("IPC$");
- ret = cli_rpc_pipe_open_noauth(cli_ipc,
-- &ndr_table_lsarpc.syntax_id,
-+ &ndr_table_lsarpc,
- &global_pipe_hnd);
- if (!NT_STATUS_IS_OK(ret)) {
- return False;
-diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c
-index 40b1f09..5c07b12 100644
---- a/source3/utils/smbtree.c
-+++ b/source3/utils/smbtree.c
-@@ -177,7 +177,7 @@ static bool get_rpc_shares(struct cli_state *cli,
- return False;
- }
-
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
- &pipe_hnd);
-
- if (!NT_STATUS_IS_OK(status)) {
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index f17fc68..facef64 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -2078,7 +2078,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
- DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
-
- status = cli_rpc_pipe_open_noauth(domain->conn.cli,
-- &ndr_table_dssetup.syntax_id,
-+ &ndr_table_dssetup,
- &cli);
-
- if (!NT_STATUS_IS_OK(status)) {
-@@ -2129,7 +2129,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
-
- no_dssetup:
- status = cli_rpc_pipe_open_noauth(domain->conn.cli,
-- &ndr_table_lsarpc.syntax_id, &cli);
-+ &ndr_table_lsarpc, &cli);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
-@@ -2447,7 +2447,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- anonymous:
-
- /* Finally fall back to anonymous. */
-- status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
-+ status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
- &conn->samr_pipe);
-
- if (!NT_STATUS_IS_OK(status)) {
-@@ -2674,7 +2674,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- anonymous:
-
- result = cli_rpc_pipe_open_noauth(conn->cli,
-- &ndr_table_lsarpc.syntax_id,
-+ &ndr_table_lsarpc,
- &conn->lsa_pipe);
- if (!NT_STATUS_IS_OK(result)) {
- result = NT_STATUS_PIPE_NOT_AVAILABLE;
-@@ -2765,7 +2765,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
- TALLOC_FREE(conn->netlogon_pipe);
-
- result = cli_rpc_pipe_open_noauth(conn->cli,
-- &ndr_table_netlogon.syntax_id,
-+ &ndr_table_netlogon,
- &netlogon_pipe);
- if (!NT_STATUS_IS_OK(result)) {
- return result;
---
-1.9.3
-
-
-From fce35e003f655b3564ee4df5ebfe7f3e6ff6d188 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 24 May 2013 13:33:03 +0200
-Subject: [PATCH 027/249] s3-rpc_cli: pass down ndr_interface_table to
- cli_rpc_pipe_open_noauth_transport().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 9aa99c3cfb0ff7a290dd4df472a4ff30d0efcb76)
----
- source3/rpc_client/cli_pipe.c | 13 +++++++------
- source3/rpc_client/cli_pipe.h | 2 +-
- source3/rpcclient/rpcclient.c | 2 +-
- 3 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 1137abd..4523ab7 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2865,14 +2865,14 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
-
- NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
- enum dcerpc_transport_t transport,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult)
- {
- struct rpc_pipe_client *result;
- struct pipe_auth_data *auth;
- NTSTATUS status;
-
-- status = cli_rpc_pipe_open(cli, transport, interface, &result);
-+ status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-@@ -2921,7 +2921,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
- status = rpc_pipe_bind(result, auth);
- if (!NT_STATUS_IS_OK(status)) {
- int lvl = 0;
-- if (ndr_syntax_id_equal(interface,
-+ if (ndr_syntax_id_equal(&table->syntax_id,
- &ndr_table_dssetup.syntax_id)) {
- /* non AD domains just don't have this pipe, avoid
- * level 0 statement in that case - gd */
-@@ -2929,7 +2929,8 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
- }
- DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
- "%s failed with error %s\n",
-- get_pipe_name_from_syntax(talloc_tos(), interface),
-+ get_pipe_name_from_syntax(talloc_tos(),
-+ &table->syntax_id),
- nt_errstr(status) ));
- TALLOC_FREE(result);
- return status;
-@@ -2937,7 +2938,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
-
- DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
- "%s and bound anonymously.\n",
-- get_pipe_name_from_syntax(talloc_tos(), interface),
-+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
- result->desthost));
-
- *presult = result;
-@@ -2952,7 +2953,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
- struct rpc_pipe_client **presult)
- {
- return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
-- &table->syntax_id, presult);
-+ table, presult);
- }
-
- /****************************************************************************
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index 9aae61a..f37f8a9 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -82,7 +82,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
-
- NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
- enum dcerpc_transport_t transport,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult);
-
- NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index e3b35bb..c23ff2d 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -690,7 +690,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- case DCERPC_AUTH_TYPE_NONE:
- ntresult = cli_rpc_pipe_open_noauth_transport(
- cli, default_transport,
-- &cmd_entry->table->syntax_id,
-+ cmd_entry->table,
- &cmd_entry->rpc_pipe);
- break;
- case DCERPC_AUTH_TYPE_SPNEGO:
---
-1.9.3
-
-
-From 0d85042853b635486912688102253b2f358b5056 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 24 May 2013 13:38:01 +0200
-Subject: [PATCH 028/249] s3-rpc_cli: pass down ndr_interface_table to
- cli_rpc_pipe_open().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 34cc4b409558f229fba24f59e81ef9100a851d24)
----
- source3/rpc_client/cli_pipe.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 4523ab7..4dc7345 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2843,7 +2843,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
-
- static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
- enum dcerpc_transport_t transport,
-- const struct ndr_syntax_id *interface,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult)
- {
- switch (transport) {
-@@ -2851,9 +2851,9 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
- return rpc_pipe_open_tcp(NULL,
- smbXcli_conn_remote_name(cli->conn),
- smbXcli_conn_remote_sockaddr(cli->conn),
-- interface, presult);
-+ &table->syntax_id, presult);
- case NCACN_NP:
-- return rpc_pipe_open_np(cli, interface, presult);
-+ return rpc_pipe_open_np(cli, &table->syntax_id, presult);
- default:
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-@@ -2872,7 +2872,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
- struct pipe_auth_data *auth;
- NTSTATUS status;
-
-- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
-+ status = cli_rpc_pipe_open(cli, transport, table, &result);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-@@ -2977,7 +2977,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
-
- NTSTATUS status;
-
-- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
-+ status = cli_rpc_pipe_open(cli, transport, table, &result);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-@@ -3034,7 +3034,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- struct pipe_auth_data *auth;
- NTSTATUS status;
-
-- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
-+ status = cli_rpc_pipe_open(cli, transport, table, &result);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-@@ -3104,7 +3104,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
- return NT_STATUS_INVALID_PARAMETER;
- }
-
-- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
-+ status = cli_rpc_pipe_open(cli, transport, table, &result);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
---
-1.9.3
-
-
-From d5e312185a7adc8429f8caba29a9808ab7954a27 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 24 May 2013 13:40:45 +0200
-Subject: [PATCH 029/249] s3-rpc_cli: pass down ndr_interface_table to
- rpc_pipe_open_np().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 8cd3a060514ddcc178c938100edfb0b177c00c8c)
----
- source3/rpc_client/cli_pipe.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 4dc7345..0347d76 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2775,7 +2775,7 @@ static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_r
- ****************************************************************************/
-
- static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
-- const struct ndr_syntax_id *abstract_syntax,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult)
- {
- struct rpc_pipe_client *result;
-@@ -2793,7 +2793,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
- return NT_STATUS_NO_MEMORY;
- }
-
-- result->abstract_syntax = *abstract_syntax;
-+ result->abstract_syntax = table->syntax_id;
- result->transfer_syntax = ndr_transfer_syntax_ndr;
- result->desthost = talloc_strdup(result, smbXcli_conn_remote_name(cli->conn));
- result->srv_name_slash = talloc_asprintf_strupper_m(
-@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
- return NT_STATUS_NO_MEMORY;
- }
-
-- status = rpc_transport_np_init(result, cli, abstract_syntax,
-+ status = rpc_transport_np_init(result, cli, &table->syntax_id,
- &result->transport);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(result);
-@@ -2853,7 +2853,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
- smbXcli_conn_remote_sockaddr(cli->conn),
- &table->syntax_id, presult);
- case NCACN_NP:
-- return rpc_pipe_open_np(cli, &table->syntax_id, presult);
-+ return rpc_pipe_open_np(cli, table, presult);
- default:
- return NT_STATUS_NOT_IMPLEMENTED;
- }
---
-1.9.3
-
-
-From f1fa7838cb933fd0d390a56d823272f8528eb63c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 24 May 2013 13:44:00 +0200
-Subject: [PATCH 030/249] s3-rpc_cli: pass down ndr_interface_table to
- rpc_pipe_open_tcp().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 5c5cff0a722a0925ae75ea7aa11ede0d82d5b92d)
----
- source3/rpc_client/cli_pipe.c | 8 ++++----
- source3/rpc_client/cli_pipe.h | 2 +-
- source3/torture/rpc_open_tcp.c | 2 +-
- 3 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 0347d76..46adf69 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2663,19 +2663,19 @@ done:
- */
- NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
- const struct sockaddr_storage *addr,
-- const struct ndr_syntax_id *abstract_syntax,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult)
- {
- NTSTATUS status;
- uint16_t port = 0;
-
-- status = rpc_pipe_get_tcp_port(host, addr, abstract_syntax, &port);
-+ status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
-- abstract_syntax, presult);
-+ &table->syntax_id, presult);
- }
-
- /********************************************************************
-@@ -2851,7 +2851,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
- return rpc_pipe_open_tcp(NULL,
- smbXcli_conn_remote_name(cli->conn),
- smbXcli_conn_remote_sockaddr(cli->conn),
-- &table->syntax_id, presult);
-+ table, presult);
- case NCACN_NP:
- return rpc_pipe_open_np(cli, table, presult);
- default:
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index f37f8a9..6fcc587 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -67,7 +67,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
- NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
- const char *host,
- const struct sockaddr_storage *ss_addr,
-- const struct ndr_syntax_id *abstract_syntax,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult);
-
- NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
-diff --git a/source3/torture/rpc_open_tcp.c b/source3/torture/rpc_open_tcp.c
-index d29f4cf..cd27b5f 100644
---- a/source3/torture/rpc_open_tcp.c
-+++ b/source3/torture/rpc_open_tcp.c
-@@ -95,7 +95,7 @@ int main(int argc, const char **argv)
- }
-
- status = rpc_pipe_open_tcp(mem_ctx, argv[2], NULL,
-- &((*table)->syntax_id),
-+ *table,
- &rpc_pipe);
- if (!NT_STATUS_IS_OK(status)) {
- d_printf("ERROR calling rpc_pipe_open_tcp(): %s\n",
---
-1.9.3
-
-
-From 67c01c15af1bbb98916e75f7cad61edcc13c2e2f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 24 May 2013 13:46:07 +0200
-Subject: [PATCH 031/249] s3-rpc_cli: pass down ndr_interface_table to
- rpc_pipe_get_tcp_port().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 0ff8c2d508949f732716e24047694cecf38597df)
----
- source3/rpc_client/cli_pipe.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 46adf69..15e77db 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2518,7 +2518,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
- */
- static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
- const struct sockaddr_storage *addr,
-- const struct ndr_syntax_id *abstract_syntax,
-+ const struct ndr_interface_table *table,
- uint16_t *pport)
- {
- NTSTATUS status;
-@@ -2541,7 +2541,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
- goto done;
- }
-
-- if (ndr_syntax_id_equal(abstract_syntax,
-+ if (ndr_syntax_id_equal(&table->syntax_id,
- &ndr_table_epmapper.syntax_id)) {
- *pport = 135;
- return NT_STATUS_OK;
-@@ -2576,7 +2576,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
- }
-
- map_binding->transport = NCACN_IP_TCP;
-- map_binding->object = *abstract_syntax;
-+ map_binding->object = table->syntax_id;
- map_binding->host = host; /* needed? */
- map_binding->endpoint = "0"; /* correct? needed? */
-
-@@ -2612,7 +2612,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
- status = dcerpc_epm_Map(epm_handle,
- tmp_ctx,
- discard_const_p(struct GUID,
-- &(abstract_syntax->uuid)),
-+ &(table->syntax_id.uuid)),
- map_tower,
- entry_handle,
- max_towers,
-@@ -2669,7 +2669,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
- NTSTATUS status;
- uint16_t port = 0;
-
-- status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
-+ status = rpc_pipe_get_tcp_port(host, addr, table, &port);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
---
-1.9.3
-
-
-From a032ff8c89e479792947af4315ed6eb59a69f8f5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 24 May 2013 13:47:16 +0200
-Subject: [PATCH 032/249] s3-rpc_cli: pass down ndr_interface_table to
- rpc_pipe_open_tcp_port().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 7bdcfcb37c5b96ee6aa0cecffd89c6d17291fe62)
----
- source3/rpc_client/cli_pipe.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 15e77db..1b2955f 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2447,7 +2447,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
- static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
- const struct sockaddr_storage *ss_addr,
- uint16_t port,
-- const struct ndr_syntax_id *abstract_syntax,
-+ const struct ndr_interface_table *table,
- struct rpc_pipe_client **presult)
- {
- struct rpc_pipe_client *result;
-@@ -2460,7 +2460,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
- return NT_STATUS_NO_MEMORY;
- }
-
-- result->abstract_syntax = *abstract_syntax;
-+ result->abstract_syntax = table->syntax_id;
- result->transfer_syntax = ndr_transfer_syntax_ndr;
-
- result->desthost = talloc_strdup(result, host);
-@@ -2549,7 +2549,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
-
- /* open the connection to the endpoint mapper */
- status = rpc_pipe_open_tcp_port(tmp_ctx, host, addr, 135,
-- &ndr_table_epmapper.syntax_id,
-+ &ndr_table_epmapper,
- &epm_pipe);
-
- if (!NT_STATUS_IS_OK(status)) {
-@@ -2675,7 +2675,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
- }
-
- return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
-- &table->syntax_id, presult);
-+ table, presult);
- }
-
- /********************************************************************
---
-1.9.3
-
-
-From 0b4ae5ec146e35c364f01c033d6c22efb99b7314 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 24 May 2013 13:52:05 +0200
-Subject: [PATCH 033/249] s3-rpc_cli: pass down ndr_interface_table to
- rpc_transport_np_init().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit c41b6e5c5e7fcdbd98c1eb2bea08378b47d343d4)
----
- source3/rpc_client/cli_pipe.c | 2 +-
- source3/rpc_client/rpc_transport.h | 2 +-
- source3/rpc_client/rpc_transport_np.c | 4 ++--
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 1b2955f..1fa8d91 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
- return NT_STATUS_NO_MEMORY;
- }
-
-- status = rpc_transport_np_init(result, cli, &table->syntax_id,
-+ status = rpc_transport_np_init(result, cli, table,
- &result->transport);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(result);
-diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
-index bc115dd..2b4a323 100644
---- a/source3/rpc_client/rpc_transport.h
-+++ b/source3/rpc_client/rpc_transport.h
-@@ -89,7 +89,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
- TALLOC_CTX *mem_ctx,
- struct rpc_cli_transport **presult);
- NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
-- const struct ndr_syntax_id *abstract_syntax,
-+ const struct ndr_interface_table *table,
- struct rpc_cli_transport **presult);
-
- /* The following definitions come from rpc_client/rpc_transport_sock.c */
-diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
-index f0696ad..7bd1ca3 100644
---- a/source3/rpc_client/rpc_transport_np.c
-+++ b/source3/rpc_client/rpc_transport_np.c
-@@ -152,7 +152,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
- }
-
- NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
-- const struct ndr_syntax_id *abstract_syntax,
-+ const struct ndr_interface_table *table,
- struct rpc_cli_transport **presult)
- {
- TALLOC_CTX *frame = talloc_stackframe();
-@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
- goto fail;
- }
-
-- req = rpc_transport_np_init_send(frame, ev, cli, abstract_syntax);
-+ req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
- if (req == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto fail;
---
-1.9.3
-
-
-From 739d05d91f23c4c6e17078c84192f30911cbdfcd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 24 May 2013 13:56:53 +0200
-Subject: [PATCH 034/249] s3-rpc_cli: pass down ndr_interface_table to
- rpc_transport_np_init_send().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit b19e7e6638a5dd53e3c6e6701f78bf31184ed493)
----
- source3/rpc_client/rpc_transport.h | 2 +-
- source3/rpc_client/rpc_transport_np.c | 6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
-index 2b4a323..72e7609 100644
---- a/source3/rpc_client/rpc_transport.h
-+++ b/source3/rpc_client/rpc_transport.h
-@@ -84,7 +84,7 @@ struct cli_state;
- struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct cli_state *cli,
-- const struct ndr_syntax_id *abstract_syntax);
-+ const struct ndr_interface_table *table);
- NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
- TALLOC_CTX *mem_ctx,
- struct rpc_cli_transport **presult);
-diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
-index 7bd1ca3..c0f313e 100644
---- a/source3/rpc_client/rpc_transport_np.c
-+++ b/source3/rpc_client/rpc_transport_np.c
-@@ -40,7 +40,7 @@ static void rpc_transport_np_init_pipe_open(struct tevent_req *subreq);
- struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct cli_state *cli,
-- const struct ndr_syntax_id *abstract_syntax)
-+ const struct ndr_interface_table *table)
- {
- struct tevent_req *req;
- struct rpc_transport_np_init_state *state;
-@@ -55,7 +55,7 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
- state->ev = ev;
- state->cli = cli;
- state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
-- state->pipe_name = get_pipe_name_from_syntax(state, abstract_syntax);
-+ state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
- if (tevent_req_nomem(state->pipe_name, req)) {
- return tevent_req_post(req, ev);
- }
-@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
- goto fail;
- }
-
-- req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
-+ req = rpc_transport_np_init_send(frame, ev, cli, table);
- if (req == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto fail;
---
-1.9.3
-
-
-From c5529ee9045c44114ab1716b05d3408baa1b4e42 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 24 Sep 2008 11:04:42 +0200
-Subject: [PATCH 035/249] s3: libnet_join: add admin_domain.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit c11a79c5a054e862f61c97093fa2ce5e5040f111)
----
- source3/librpc/idl/libnet_join.idl | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
-index 4f28bb6..ac0a350 100644
---- a/source3/librpc/idl/libnet_join.idl
-+++ b/source3/librpc/idl/libnet_join.idl
-@@ -21,6 +21,7 @@ interface libnetjoin
- [in,ref] string *domain_name,
- [in] string account_ou,
- [in] string admin_account,
-+ [in] string admin_domain,
- [in,noprint] string admin_password,
- [in] string machine_password,
- [in] wkssvc_joinflags join_flags,
-@@ -51,6 +52,7 @@ interface libnetjoin
- [in] string domain_name,
- [in] string account_ou,
- [in] string admin_account,
-+ [in] string admin_domain,
- [in,noprint] string admin_password,
- [in] string machine_password,
- [in] wkssvc_joinflags unjoin_flags,
---
-1.9.3
-
-
-From a0d8f42ac44d279ae7bc599792cd1d564925dcbf Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 24 Sep 2008 11:05:37 +0200
-Subject: [PATCH 036/249] s3: libnet_join: use admin_domain in libnetjoin.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit cc0cbd4fdc6e07538d67cc41ca07bad1eaebf493)
----
- source3/libnet/libnet_join.c | 27 ++++++++++++++++++++++++++-
- 1 file changed, 26 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 324c8f3..2253079 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -701,6 +701,7 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
-
- static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
- const char *user,
-+ const char *domain,
- const char *pass,
- bool use_kerberos,
- struct cli_state **cli)
-@@ -720,7 +721,7 @@ static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
- NULL, 0,
- "IPC$", "IPC",
- user,
-- NULL,
-+ domain,
- pass,
- flags,
- SMB_SIGNING_DEFAULT);
-@@ -742,6 +743,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
-
- status = libnet_join_connect_dc_ipc(r->in.dc_name,
- r->in.admin_account,
-+ r->in.admin_domain,
- r->in.admin_password,
- r->in.use_kerberos,
- cli);
-@@ -1368,6 +1370,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
-
- status = libnet_join_connect_dc_ipc(r->in.dc_name,
- r->in.admin_account,
-+ r->in.admin_domain,
- r->in.admin_password,
- r->in.use_kerberos,
- &cli);
-@@ -1755,6 +1758,17 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
- return WERR_SETUP_DOMAIN_CONTROLLER;
- }
-
-+ if (!r->in.admin_domain) {
-+ char *admin_domain = NULL;
-+ char *admin_account = NULL;
-+ split_domain_user(mem_ctx,
-+ r->in.admin_account,
-+ &admin_domain,
-+ &admin_account);
-+ r->in.admin_domain = admin_domain;
-+ r->in.admin_account = admin_account;
-+ }
-+
- if (!secrets_init()) {
- libnet_join_set_error_string(mem_ctx, r,
- "Unable to open secrets database");
-@@ -2316,6 +2330,17 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
- return WERR_SETUP_DOMAIN_CONTROLLER;
- }
-
-+ if (!r->in.admin_domain) {
-+ char *admin_domain = NULL;
-+ char *admin_account = NULL;
-+ split_domain_user(mem_ctx,
-+ r->in.admin_account,
-+ &admin_domain,
-+ &admin_account);
-+ r->in.admin_domain = admin_domain;
-+ r->in.admin_account = admin_account;
-+ }
-+
- if (!secrets_init()) {
- libnet_unjoin_set_error_string(mem_ctx, r,
- "Unable to open secrets database");
---
-1.9.3
-
-
-From 46f8496292a12b7acdd045d126b61fa9d8afee74 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 6 Nov 2008 11:40:03 +0100
-Subject: [PATCH 037/249] s3-libnetjoin: add machine_name length check.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit c4d6d75cf48aed7b17728e283581366143fa4233)
----
- source3/libnet/libnet_join.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 2253079..b731d9b 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -1746,6 +1746,15 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
- return WERR_INVALID_PARAM;
- }
-
-+ if (strlen(r->in.machine_name) > 15) {
-+ libnet_join_set_error_string(mem_ctx, r,
-+ "Our netbios name can be at most 15 chars long, "
-+ "\"%s\" is %u chars long\n",
-+ r->in.machine_name,
-+ (unsigned int)strlen(r->in.machine_name));
-+ return WERR_INVALID_PARAM;
-+ }
-+
- if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
- &r->in.domain_name,
- &r->in.dc_name)) {
---
-1.9.3
-
-
-From a60cf7ddd4e2d41d92cdd35ab05f2d6a30b055c9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 6 Nov 2008 13:37:45 +0100
-Subject: [PATCH 038/249] s3-libnetjoin: move "net rpc oldjoin" to use
- libnetjoin.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit d398a12f7907866189c1b253ca6a40e5454f42a1)
----
- source3/utils/net_rpc.c | 182 ++++++++++++++++++++++--------------------------
- 1 file changed, 84 insertions(+), 98 deletions(-)
-
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index 69ff14d..720e9d2 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -37,6 +37,8 @@
- #include "secrets.h"
- #include "lib/netapi/netapi.h"
- #include "lib/netapi/netapi_net.h"
-+#include "librpc/gen_ndr/libnet_join.h"
-+#include "libnet/libnet_join.h"
- #include "rpc_client/init_lsa.h"
- #include "../libcli/security/security.h"
- #include "libsmb/libsmb.h"
-@@ -314,48 +316,46 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
- }
-
- /**
-- * Join a domain, the old way.
-+ * Join a domain, the old way. This function exists to allow
-+ * the message to be displayed when oldjoin was explicitly
-+ * requested, but not when it was implied by "net rpc join".
- *
- * This uses 'machinename' as the inital password, and changes it.
- *
- * The password should be created with 'server manager' or equiv first.
- *
-- * All parameters are provided by the run_rpc_command function, except for
-- * argc, argv which are passed through.
-- *
-- * @param domain_sid The domain sid acquired from the remote server.
-- * @param cli A cli_state connected to the server.
-- * @param mem_ctx Talloc context, destroyed on completion of the function.
- * @param argc Standard main() style argc.
- * @param argv Standard main() style argv. Initial components are already
- * stripped.
- *
-- * @return Normal NTSTATUS return.
-+ * @return A shell status integer (0 for success).
- **/
-
--static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
-- const struct dom_sid *domain_sid,
-- const char *domain_name,
-- struct cli_state *cli,
-- struct rpc_pipe_client *pipe_hnd,
-- TALLOC_CTX *mem_ctx,
-- int argc,
-- const char **argv)
-+static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
- {
-+ struct libnet_JoinCtx *r = NULL;
-+ TALLOC_CTX *mem_ctx;
-+ WERROR werr;
-+ const char *domain = lp_workgroup(); /* FIXME */
-+ bool modify_config = lp_config_backend_is_registry();
-+ enum netr_SchannelType sec_chan_type;
-+ char *pw = NULL;
-
-- fstring trust_passwd;
-- unsigned char orig_trust_passwd_hash[16];
-- NTSTATUS result;
-- enum netr_SchannelType sec_channel_type;
-+ if (c->display_usage) {
-+ d_printf("Usage:\n"
-+ "net rpc oldjoin\n"
-+ " Join a domain the old way\n");
-+ return 0;
-+ }
-
-- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
-- &pipe_hnd);
-- if (!NT_STATUS_IS_OK(result)) {
-- DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
-- "error was %s\n",
-- smbXcli_conn_remote_name(cli->conn),
-- nt_errstr(result) ));
-- return result;
-+ mem_ctx = talloc_init("net_rpc_oldjoin");
-+ if (!mem_ctx) {
-+ return -1;
-+ }
-+
-+ werr = libnet_init_JoinCtx(mem_ctx, &r);
-+ if (!W_ERROR_IS_OK(werr)) {
-+ goto fail;
- }
-
- /*
-@@ -363,92 +363,78 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
- a BDC, the server must agree that we are a BDC.
- */
- if (argc >= 0) {
-- sec_channel_type = get_sec_channel_type(argv[0]);
-+ sec_chan_type = get_sec_channel_type(argv[0]);
- } else {
-- sec_channel_type = get_sec_channel_type(NULL);
-+ sec_chan_type = get_sec_channel_type(NULL);
- }
-
-- fstrcpy(trust_passwd, lp_netbios_name());
-- if (!strlower_m(trust_passwd)) {
-- return NT_STATUS_UNSUCCESSFUL;
-+ if (!c->msg_ctx) {
-+ d_fprintf(stderr, _("Could not initialise message context. "
-+ "Try running as root\n"));
-+ werr = WERR_ACCESS_DENIED;
-+ goto fail;
- }
-
-- /*
-- * Machine names can be 15 characters, but the max length on
-- * a password is 14. --jerry
-- */
--
-- trust_passwd[14] = '\0';
--
-- E_md4hash(trust_passwd, orig_trust_passwd_hash);
--
-- result = trust_pw_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup,
-- lp_netbios_name(),
-- orig_trust_passwd_hash,
-- sec_channel_type);
--
-- if (NT_STATUS_IS_OK(result))
-- printf(_("Joined domain %s.\n"), c->opt_target_workgroup);
-+ pw = talloc_strndup(r, lp_netbios_name(), 14);
-+ if (pw == NULL) {
-+ werr = WERR_NOMEM;
-+ goto fail;
-+ }
-
-+ r->in.msg_ctx = c->msg_ctx;
-+ r->in.domain_name = domain;
-+ r->in.secure_channel_type = sec_chan_type;
-+ r->in.dc_name = c->opt_host;
-+ r->in.admin_account = "";
-+ r->in.admin_password = strlower_talloc(r, pw);
-+ if (r->in.admin_password == NULL) {
-+ werr = WERR_NOMEM;
-+ goto fail;
-+ }
-+ r->in.debug = true;
-+ r->in.modify_config = modify_config;
-+ r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
-+ WKSSVC_JOIN_FLAGS_JOIN_UNSECURE |
-+ WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED;
-
-- if (!secrets_store_domain_sid(c->opt_target_workgroup, domain_sid)) {
-- DEBUG(0, ("error storing domain sid for %s\n", c->opt_target_workgroup));
-- result = NT_STATUS_UNSUCCESSFUL;
-+ werr = libnet_Join(mem_ctx, r);
-+ if (!W_ERROR_IS_OK(werr)) {
-+ goto fail;
- }
-
-- return result;
--}
-+ /* Check the short name of the domain */
-
--/**
-- * Join a domain, the old way.
-- *
-- * @param argc Standard main() style argc.
-- * @param argv Standard main() style argv. Initial components are already
-- * stripped.
-- *
-- * @return A shell status integer (0 for success).
-- **/
-+ if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
-+ d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
-+ d_printf("domain name obtained from the server.\n");
-+ d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
-+ d_printf("You should set \"workgroup = %s\" in %s.\n",
-+ r->out.netbios_domain_name, get_dyn_CONFIGFILE());
-+ }
-
--static int net_rpc_perform_oldjoin(struct net_context *c, int argc, const char **argv)
--{
-- return run_rpc_command(c, NULL, &ndr_table_netlogon,
-- NET_FLAGS_NO_PIPE | NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
-- rpc_oldjoin_internals,
-- argc, argv);
--}
-+ d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
-
--/**
-- * Join a domain, the old way. This function exists to allow
-- * the message to be displayed when oldjoin was explicitly
-- * requested, but not when it was implied by "net rpc join".
-- *
-- * @param argc Standard main() style argc.
-- * @param argv Standard main() style argv. Initial components are already
-- * stripped.
-- *
-- * @return A shell status integer (0 for success).
-- **/
-+ if (r->out.dns_domain_name) {
-+ d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
-+ r->out.dns_domain_name);
-+ } else {
-+ d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
-+ r->out.netbios_domain_name);
-+ }
-
--static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
--{
-- int rc = -1;
-+ TALLOC_FREE(mem_ctx);
-
-- if (c->display_usage) {
-- d_printf( "%s\n"
-- "net rpc oldjoin\n"
-- " %s\n",
-- _("Usage:"),
-- _("Join a domain the old way"));
-- return 0;
-- }
-+ return 0;
-
-- rc = net_rpc_perform_oldjoin(c, argc, argv);
-+fail:
-+ /* issue an overall failure message at the end. */
-+ d_fprintf(stderr, _("Failed to join domain: %s\n"),
-+ r && r->out.error_string ? r->out.error_string :
-+ get_friendly_werror_msg(werr));
-
-- if (rc) {
-- d_fprintf(stderr, _("Failed to join domain\n"));
-- }
-+ TALLOC_FREE(mem_ctx);
-
-- return rc;
-+ return -1;
- }
-
- /**
-@@ -492,7 +478,7 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
- return -1;
- }
-
-- if ((net_rpc_perform_oldjoin(c, argc, argv) == 0))
-+ if ((net_rpc_oldjoin(c, argc, argv) == 0))
- return 0;
-
- return net_rpc_join_newstyle(c, argc, argv);
---
-1.9.3
-
-
-From 3185251186366984b5ec06322c75cfda71dccdbc Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 13 Jun 2013 19:12:27 +0200
-Subject: [PATCH 039/249] s3:libnet: let the caller truncate the pw in
- libnet_join_joindomain_rpc_unsecure()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 1242ab0cb3bf575b695b39313604af9d0a7f1b3a)
----
- source3/libnet/libnet_join.c | 15 +--------------
- 1 file changed, 1 insertion(+), 14 deletions(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index b731d9b..d8ec235 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -818,7 +818,6 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
- struct rpc_pipe_client *pipe_hnd = NULL;
- unsigned char orig_trust_passwd_hash[16];
- unsigned char new_trust_passwd_hash[16];
-- fstring trust_passwd;
- NTSTATUS status;
-
- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
-@@ -837,19 +836,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
- E_md4hash(r->in.machine_password, new_trust_passwd_hash);
-
- /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
-- fstrcpy(trust_passwd, r->in.admin_password);
-- if (!strlower_m(trust_passwd)) {
-- return NT_STATUS_INVALID_PARAMETER;
-- }
--
-- /*
-- * Machine names can be 15 characters, but the max length on
-- * a password is 14. --jerry
-- */
--
-- trust_passwd[14] = '\0';
--
-- E_md4hash(trust_passwd, orig_trust_passwd_hash);
-+ E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
-
- status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
- r->in.machine_name,
---
-1.9.3
-
-
-From e1e15a73a9a5215866f6471c5e583457c516b47e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 3 Feb 2009 20:10:05 +0100
-Subject: [PATCH 040/249] s3-net: use libnetjoin for "net rpc testjoin".
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 9cfa6251600ddea0e821f2bd3fd359c28eb1b7f9)
----
- source3/utils/net_proto.h | 2 +-
- source3/utils/net_rpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++
- source3/utils/net_rpc_join.c | 29 -------------------
- 3 files changed, 67 insertions(+), 30 deletions(-)
-
-diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
-index 03fb312..d791708 100644
---- a/source3/utils/net_proto.h
-+++ b/source3/utils/net_proto.h
-@@ -145,6 +145,7 @@ int run_rpc_command(struct net_context *c,
- int argc,
- const char **argv);
- int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
-+int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
- int net_rpc_join(struct net_context *c, int argc, const char **argv);
- NTSTATUS rpc_info_internals(struct net_context *c,
- const struct dom_sid *domain_sid,
-@@ -205,7 +206,6 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
- const char *server,
- const struct sockaddr_storage *server_ss);
- int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
--int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
-
- /* The following definitions come from utils/net_rpc_printer.c */
-
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index 720e9d2..592be44 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -438,6 +438,72 @@ fail:
- }
-
- /**
-+ * check that a join is OK
-+ *
-+ * @return A shell status integer (0 for success)
-+ *
-+ **/
-+int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
-+{
-+ NTSTATUS status;
-+ TALLOC_CTX *mem_ctx;
-+ const char *domain = c->opt_target_workgroup;
-+ const char *dc = c->opt_host;
-+
-+ if (c->display_usage) {
-+ d_printf("Usage\n"
-+ "net rpc testjoin\n"
-+ " Test if a join is OK\n");
-+ return 0;
-+ }
-+
-+ mem_ctx = talloc_init("net_rpc_testjoin");
-+ if (!mem_ctx) {
-+ return -1;
-+ }
-+
-+ if (!dc) {
-+ struct netr_DsRGetDCNameInfo *info;
-+
-+ if (!c->msg_ctx) {
-+ d_fprintf(stderr, _("Could not initialise message context. "
-+ "Try running as root\n"));
-+ talloc_destroy(mem_ctx);
-+ return -1;
-+ }
-+
-+ status = dsgetdcname(mem_ctx,
-+ c->msg_ctx,
-+ domain,
-+ NULL,
-+ NULL,
-+ DS_RETURN_DNS_NAME,
-+ &info);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ talloc_destroy(mem_ctx);
-+ return -1;
-+ }
-+
-+ dc = strip_hostname(info->dc_unc);
-+ }
-+
-+ /* Display success or failure */
-+ status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
-+ c->opt_kerberos);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
-+ domain, nt_errstr(status));
-+ talloc_destroy(mem_ctx);
-+ return -1;
-+ }
-+
-+ printf("Join to '%s' is OK\n",domain);
-+ talloc_destroy(mem_ctx);
-+
-+ return 0;
-+}
-+
-+/**
- * 'net rpc join' entrypoint.
- * @param argc Standard main() style argc.
- * @param argv Standard main() style argv. Initial components are already
-diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
-index aabbe54..ee39a5c 100644
---- a/source3/utils/net_rpc_join.c
-+++ b/source3/utils/net_rpc_join.c
-@@ -561,32 +561,3 @@ done:
-
- return retval;
- }
--
--/**
-- * check that a join is OK
-- *
-- * @return A shell status integer (0 for success)
-- *
-- **/
--int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
--{
-- NTSTATUS nt_status;
--
-- if (c->display_usage) {
-- d_printf(_("Usage\n"
-- "net rpc testjoin\n"
-- " Test if a join is OK\n"));
-- return 0;
-- }
--
-- /* Display success or failure */
-- nt_status = net_rpc_join_ok(c, c->opt_target_workgroup, NULL, NULL);
-- if (!NT_STATUS_IS_OK(nt_status)) {
-- fprintf(stderr, _("Join to domain '%s' is not valid: %s\n"),
-- c->opt_target_workgroup, nt_errstr(nt_status));
-- return -1;
-- }
--
-- printf(_("Join to '%s' is OK\n"), c->opt_target_workgroup);
-- return 0;
--}
---
-1.9.3
-
-
-From a0474baa59c0991c2b2d8e3f425c9a6845162f45 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 3 Feb 2009 20:21:05 +0100
-Subject: [PATCH 041/249] s3-net: use libnetjoin for "net rpc join" newstyle.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 3e4ded48bbeacdcd128f3c667cbdd12a3efca312)
----
- source3/utils/net_proto.h | 8 +---
- source3/utils/net_rpc.c | 106 ++++++++++++++++++++++++++++++++++++++++++++++
- source3/wscript_build | 2 +-
- 3 files changed, 108 insertions(+), 8 deletions(-)
-
-diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
-index d791708..1809ba9 100644
---- a/source3/utils/net_proto.h
-+++ b/source3/utils/net_proto.h
-@@ -146,6 +146,7 @@ int run_rpc_command(struct net_context *c,
- const char **argv);
- int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
- int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
-+int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
- int net_rpc_join(struct net_context *c, int argc, const char **argv);
- NTSTATUS rpc_info_internals(struct net_context *c,
- const struct dom_sid *domain_sid,
-@@ -200,13 +201,6 @@ int net_rpc(struct net_context *c, int argc, const char **argv);
-
- int net_rpc_audit(struct net_context *c, int argc, const char **argv);
-
--/* The following definitions come from utils/net_rpc_join.c */
--
--NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
-- const char *server,
-- const struct sockaddr_storage *server_ss);
--int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
--
- /* The following definitions come from utils/net_rpc_printer.c */
-
- NTSTATUS net_copy_fileattr(struct net_context *c,
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index 592be44..6358460 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -504,6 +504,112 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
- }
-
- /**
-+ * Join a domain using the administrator username and password
-+ *
-+ * @param argc Standard main() style argc
-+ * @param argc Standard main() style argv. Initial components are already
-+ * stripped. Currently not used.
-+ * @return A shell status integer (0 for success)
-+ *
-+ **/
-+
-+int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
-+{
-+ struct libnet_JoinCtx *r = NULL;
-+ TALLOC_CTX *mem_ctx;
-+ WERROR werr;
-+ const char *domain = lp_workgroup(); /* FIXME */
-+ bool modify_config = lp_config_backend_is_registry();
-+ enum netr_SchannelType sec_chan_type;
-+
-+ if (c->display_usage) {
-+ d_printf("Usage:\n"
-+ "net rpc join\n"
-+ " Join a domain the new way\n");
-+ return 0;
-+ }
-+
-+ mem_ctx = talloc_init("net_rpc_join_newstyle");
-+ if (!mem_ctx) {
-+ return -1;
-+ }
-+
-+ werr = libnet_init_JoinCtx(mem_ctx, &r);
-+ if (!W_ERROR_IS_OK(werr)) {
-+ goto fail;
-+ }
-+
-+ /*
-+ check what type of join - if the user want's to join as
-+ a BDC, the server must agree that we are a BDC.
-+ */
-+ if (argc >= 0) {
-+ sec_chan_type = get_sec_channel_type(argv[0]);
-+ } else {
-+ sec_chan_type = get_sec_channel_type(NULL);
-+ }
-+
-+ if (!c->msg_ctx) {
-+ d_fprintf(stderr, _("Could not initialise message context. "
-+ "Try running as root\n"));
-+ werr = WERR_ACCESS_DENIED;
-+ goto fail;
-+ }
-+
-+ r->in.msg_ctx = c->msg_ctx;
-+ r->in.domain_name = domain;
-+ r->in.secure_channel_type = sec_chan_type;
-+ r->in.dc_name = c->opt_host;
-+ r->in.admin_account = c->opt_user_name;
-+ r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
-+ r->in.debug = true;
-+ r->in.use_kerberos = c->opt_kerberos;
-+ r->in.modify_config = modify_config;
-+ r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
-+ WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
-+ WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
-+
-+ werr = libnet_Join(mem_ctx, r);
-+ if (!W_ERROR_IS_OK(werr)) {
-+ goto fail;
-+ }
-+
-+ /* Check the short name of the domain */
-+
-+ if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
-+ d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
-+ d_printf("domain name obtained from the server.\n");
-+ d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
-+ d_printf("You should set \"workgroup = %s\" in %s.\n",
-+ r->out.netbios_domain_name, get_dyn_CONFIGFILE());
-+ }
-+
-+ d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
-+
-+ if (r->out.dns_domain_name) {
-+ d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
-+ r->out.dns_domain_name);
-+ } else {
-+ d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
-+ r->out.netbios_domain_name);
-+ }
-+
-+ TALLOC_FREE(mem_ctx);
-+
-+ return 0;
-+
-+fail:
-+ /* issue an overall failure message at the end. */
-+ d_printf("Failed to join domain: %s\n",
-+ r && r->out.error_string ? r->out.error_string :
-+ get_friendly_werror_msg(werr));
-+
-+ TALLOC_FREE(mem_ctx);
-+
-+ return -1;
-+}
-+
-+/**
- * 'net rpc join' entrypoint.
- * @param argc Standard main() style argc.
- * @param argv Standard main() style argv. Initial components are already
-diff --git a/source3/wscript_build b/source3/wscript_build
-index 9461b05..0bf84e2 100755
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -507,7 +507,7 @@ LIBNET_SAMSYNC_SRC = '''libnet/libnet_samsync.c
-
- NET_SRC1 = '''utils/net.c utils/net_ads.c utils/net_help.c
- utils/net_rap.c utils/net_rpc.c utils/net_rpc_samsync.c
-- utils/net_rpc_join.c utils/net_time.c utils/net_lookup.c
-+ utils/net_time.c utils/net_lookup.c
- utils/net_cache.c utils/net_groupmap.c
- utils/net_idmap.c utils/net_idmap_check.c
- utils/interact.c
---
-1.9.3
-
-
-From b2aad96d2ffd5545c250cce605dfdb7f0852806c Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 15 Jul 2013 13:28:34 +0200
-Subject: [PATCH 042/249] s3-net: avoid confusing output in net_rpc_oldjoin()
- if NET_FLAGS_EXPECT_FALLBACK is passed
-
-"net rpc join" tries net_rpc_oldjoin() first and falls back to
-net_rpc_join_newstyle(). We should not print the join failed
-if just net_rpc_oldjoin() failed.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 05d9b4165af9e7f03d3fbeb64db4fc305fcec4df)
----
- source3/utils/net.h | 1 +
- source3/utils/net_proto.h | 1 -
- source3/utils/net_rpc.c | 15 +++++++++++++--
- 3 files changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/source3/utils/net.h b/source3/utils/net.h
-index 2056d89..e97734a 100644
---- a/source3/utils/net.h
-+++ b/source3/utils/net.h
-@@ -182,6 +182,7 @@ enum netdom_domain_t { ND_TYPE_NT4, ND_TYPE_AD };
- #define NET_FLAGS_SIGN 0x00000040 /* sign RPC connection */
- #define NET_FLAGS_SEAL 0x00000080 /* seal RPC connection */
- #define NET_FLAGS_TCP 0x00000100 /* use ncacn_ip_tcp */
-+#define NET_FLAGS_EXPECT_FALLBACK 0x00000200 /* the caller will fallback */
-
- /* net share operation modes */
- #define NET_MODE_SHARE_MIGRATE 1
-diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
-index 1809ba9..25e9db2 100644
---- a/source3/utils/net_proto.h
-+++ b/source3/utils/net_proto.h
-@@ -146,7 +146,6 @@ int run_rpc_command(struct net_context *c,
- const char **argv);
- int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
- int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
--int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
- int net_rpc_join(struct net_context *c, int argc, const char **argv);
- NTSTATUS rpc_info_internals(struct net_context *c,
- const struct dom_sid *domain_sid,
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index 6358460..dff8801 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -427,11 +427,16 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
- return 0;
-
- fail:
-+ if (c->opt_flags & NET_FLAGS_EXPECT_FALLBACK) {
-+ goto cleanup;
-+ }
-+
- /* issue an overall failure message at the end. */
- d_fprintf(stderr, _("Failed to join domain: %s\n"),
- r && r->out.error_string ? r->out.error_string :
- get_friendly_werror_msg(werr));
-
-+cleanup:
- TALLOC_FREE(mem_ctx);
-
- return -1;
-@@ -513,7 +518,7 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
- *
- **/
-
--int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
-+static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
- {
- struct libnet_JoinCtx *r = NULL;
- TALLOC_CTX *mem_ctx;
-@@ -623,6 +628,8 @@ fail:
-
- int net_rpc_join(struct net_context *c, int argc, const char **argv)
- {
-+ int ret;
-+
- if (c->display_usage) {
- d_printf("%s\n%s",
- _("Usage:"),
-@@ -650,8 +657,12 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
- return -1;
- }
-
-- if ((net_rpc_oldjoin(c, argc, argv) == 0))
-+ c->opt_flags |= NET_FLAGS_EXPECT_FALLBACK;
-+ ret = net_rpc_oldjoin(c, argc, argv);
-+ c->opt_flags &= ~NET_FLAGS_EXPECT_FALLBACK;
-+ if (ret == 0) {
- return 0;
-+ }
-
- return net_rpc_join_newstyle(c, argc, argv);
- }
---
-1.9.3
-
-
-From 8e8a2602d1c793f9a46e5219dea91a46e34d24ca Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 16 Jul 2013 10:07:30 +0200
-Subject: [PATCH 043/249] s4:librpc: fix netlogon connections against servers
- without AES support
-
-LogonGetCapabilities() only works on the credential chain if
-the server supports AES, so we need to work on a temporary copy
-until we know the server replied a valid return authenticator.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 34fa7946993506fde2c6b30e4a41bea27390a814)
----
- source4/librpc/rpc/dcerpc_schannel.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
-index 1480486..130ebeb 100644
---- a/source4/librpc/rpc/dcerpc_schannel.c
-+++ b/source4/librpc/rpc/dcerpc_schannel.c
-@@ -385,6 +385,7 @@ struct auth_schannel_state {
- struct loadparm_context *lp_ctx;
- uint8_t auth_level;
- struct netlogon_creds_CredentialState *creds_state;
-+ struct netlogon_creds_CredentialState save_creds_state;
- struct netr_Authenticator auth;
- struct netr_Authenticator return_auth;
- union netr_Capabilities capabilities;
-@@ -449,7 +450,8 @@ static void continue_bind_auth(struct composite_context *ctx)
- s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
- if (composite_nomem(s->creds_state, c)) return;
-
-- netlogon_creds_client_authenticator(s->creds_state, &s->auth);
-+ s->save_creds_state = *s->creds_state;
-+ netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
-
- s->c.in.server_name = talloc_asprintf(c,
- "\\\\%s",
-@@ -519,12 +521,14 @@ static void continue_get_capabilities(struct tevent_req *subreq)
- }
-
- /* verify credentials */
-- if (!netlogon_creds_client_check(s->creds_state,
-+ if (!netlogon_creds_client_check(&s->save_creds_state,
- &s->c.out.return_authenticator->cred)) {
- composite_error(c, NT_STATUS_UNSUCCESSFUL);
- return;
- }
-
-+ *s->creds_state = s->save_creds_state;
-+
- if (!NT_STATUS_IS_OK(s->c.out.result)) {
- composite_error(c, s->c.out.result);
- return;
---
-1.9.3
-
-
-From 300fb415d5a6a60702b0c8464e0e76cf0e11fdeb Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 22 Mar 2013 15:07:10 +0100
-Subject: [PATCH 044/249] s3:rpcclient: use talloc_stackframe() in do_cmd()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit d54c908ff5bef774f5cca038741558089ff6baeb)
----
- source3/rpcclient/rpcclient.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index c23ff2d..9bf296e 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -678,7 +678,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
-
- /* Create mem_ctx */
-
-- if (!(mem_ctx = talloc_init("do_cmd"))) {
-+ if (!(mem_ctx = talloc_stackframe())) {
- DEBUG(0, ("talloc_init() failed\n"));
- return NT_STATUS_NO_MEMORY;
- }
-@@ -745,12 +745,14 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- "auth type %u\n",
- cmd_entry->table->name,
- pipe_default_auth_type ));
-+ talloc_free(mem_ctx);
- return NT_STATUS_UNSUCCESSFUL;
- }
- if (!NT_STATUS_IS_OK(ntresult)) {
- DEBUG(0, ("Could not initialise %s. Error was %s\n",
- cmd_entry->table->name,
- nt_errstr(ntresult) ));
-+ talloc_free(mem_ctx);
- return ntresult;
- }
-
-@@ -765,6 +767,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- trust_password, &machine_account,
- &sec_channel_type))
- {
-+ talloc_free(mem_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
-@@ -780,6 +783,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- if (!NT_STATUS_IS_OK(ntresult)) {
- DEBUG(0, ("Could not initialise credentials for %s.\n",
- cmd_entry->table->name));
-+ talloc_free(mem_ctx);
- return ntresult;
- }
- }
-@@ -803,7 +807,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
-
- /* Cleanup */
-
-- talloc_destroy(mem_ctx);
-+ talloc_free(mem_ctx);
-
- return ntresult;
- }
---
-1.9.3
-
-
-From 95972ec54aafcf8a66e0164cd1fb478b6f4c58f6 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 24 Apr 2013 12:36:04 +0200
-Subject: [PATCH 045/249] libcli/auth: make
- netlogon_creds_crypt_samlogon_validation more robust
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 39fedd27182d9e1985418ea79b86aef69999dd57)
----
- libcli/auth/credentials.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
-index fb77ede..5c8b25b 100644
---- a/libcli/auth/credentials.c
-+++ b/libcli/auth/credentials.c
-@@ -493,8 +493,12 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
- bool encrypt)
- {
- static const char zeros[16];
--
- struct netr_SamBaseInfo *base = NULL;
-+
-+ if (validation == NULL) {
-+ return;
-+ }
-+
- switch (validation_level) {
- case 2:
- if (validation->sam2) {
---
-1.9.3
-
-
-From ac092a319c388cc2577bcbd87e16522ba37dc2d0 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 14 Jun 2013 09:47:50 +0200
-Subject: [PATCH 046/249] libcli/auth: fix shadowed declaration in
- netlogon_creds_crypt_samlogon_validation()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 291f6a1e031dc9db7d03b3ca924c4309b313cae5)
----
- libcli/auth/credentials.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
-index 5c8b25b..2e9c87e 100644
---- a/libcli/auth/credentials.c
-+++ b/libcli/auth/credentials.c
-@@ -490,7 +490,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
- static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
- uint16_t validation_level,
- union netr_Validation *validation,
-- bool encrypt)
-+ bool do_encrypt)
- {
- static const char zeros[16];
- struct netr_SamBaseInfo *base = NULL;
-@@ -531,7 +531,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
- /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
- if (memcmp(base->key.key, zeros,
- sizeof(base->key.key)) != 0) {
-- if (encrypt) {
-+ if (do_encrypt) {
- netlogon_creds_aes_encrypt(creds,
- base->key.key,
- sizeof(base->key.key));
-@@ -544,7 +544,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
-
- if (memcmp(base->LMSessKey.key, zeros,
- sizeof(base->LMSessKey.key)) != 0) {
-- if (encrypt) {
-+ if (do_encrypt) {
- netlogon_creds_aes_encrypt(creds,
- base->LMSessKey.key,
- sizeof(base->LMSessKey.key));
-@@ -574,7 +574,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
- /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
- if (memcmp(base->LMSessKey.key, zeros,
- sizeof(base->LMSessKey.key)) != 0) {
-- if (encrypt) {
-+ if (do_encrypt) {
- netlogon_creds_des_encrypt_LMKey(creds,
- &base->LMSessKey);
- } else {
---
-1.9.3
-
-
-From c535bfb9ead2175ae68b9d18a1692218a0fcf800 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 25 Apr 2013 17:01:00 +0200
-Subject: [PATCH 047/249] libcli/auth: add
- netlogon_creds_[de|en]crypt_samlogon_logon()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit c7319fce604d5f89a89094b6b18ef459a347aef8)
----
- libcli/auth/credentials.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++
- libcli/auth/proto.h | 6 +++
- 2 files changed, 124 insertions(+)
-
-diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
-index 2e9c87e..78a8d7a 100644
---- a/libcli/auth/credentials.c
-+++ b/libcli/auth/credentials.c
-@@ -601,6 +601,124 @@ void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_Credential
- validation, true);
- }
-
-+static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
-+ enum netr_LogonInfoClass level,
-+ union netr_LogonLevel *logon,
-+ bool encrypt)
-+{
-+ static const char zeros[16];
-+
-+ if (logon == NULL) {
-+ return;
-+ }
-+
-+ switch (level) {
-+ case NetlogonInteractiveInformation:
-+ case NetlogonInteractiveTransitiveInformation:
-+ case NetlogonServiceInformation:
-+ case NetlogonServiceTransitiveInformation:
-+ if (logon->password == NULL) {
-+ return;
-+ }
-+
-+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-+ uint8_t *h;
-+
-+ h = logon->password->lmpassword.hash;
-+ if (memcmp(h, zeros, 16) != 0) {
-+ if (encrypt) {
-+ netlogon_creds_aes_encrypt(creds, h, 16);
-+ } else {
-+ netlogon_creds_aes_decrypt(creds, h, 16);
-+ }
-+ }
-+
-+ h = logon->password->ntpassword.hash;
-+ if (memcmp(h, zeros, 16) != 0) {
-+ if (encrypt) {
-+ netlogon_creds_aes_encrypt(creds, h, 16);
-+ } else {
-+ netlogon_creds_aes_decrypt(creds, h, 16);
-+ }
-+ }
-+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-+ uint8_t *h;
-+
-+ h = logon->password->lmpassword.hash;
-+ if (memcmp(h, zeros, 16) != 0) {
-+ netlogon_creds_arcfour_crypt(creds, h, 16);
-+ }
-+
-+ h = logon->password->ntpassword.hash;
-+ if (memcmp(h, zeros, 16) != 0) {
-+ netlogon_creds_arcfour_crypt(creds, h, 16);
-+ }
-+ } else {
-+ struct samr_Password *p;
-+
-+ p = &logon->password->lmpassword;
-+ if (memcmp(p->hash, zeros, 16) != 0) {
-+ if (encrypt) {
-+ netlogon_creds_des_encrypt(creds, p);
-+ } else {
-+ netlogon_creds_des_decrypt(creds, p);
-+ }
-+ }
-+ p = &logon->password->ntpassword;
-+ if (memcmp(p->hash, zeros, 16) != 0) {
-+ if (encrypt) {
-+ netlogon_creds_des_encrypt(creds, p);
-+ } else {
-+ netlogon_creds_des_decrypt(creds, p);
-+ }
-+ }
-+ }
-+ break;
-+
-+ case NetlogonNetworkInformation:
-+ case NetlogonNetworkTransitiveInformation:
-+ break;
-+
-+ case NetlogonGenericInformation:
-+ if (logon->generic == NULL) {
-+ return;
-+ }
-+
-+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-+ if (encrypt) {
-+ netlogon_creds_aes_encrypt(creds,
-+ logon->generic->data,
-+ logon->generic->length);
-+ } else {
-+ netlogon_creds_aes_decrypt(creds,
-+ logon->generic->data,
-+ logon->generic->length);
-+ }
-+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-+ netlogon_creds_arcfour_crypt(creds,
-+ logon->generic->data,
-+ logon->generic->length);
-+ } else {
-+ /* Using DES to verify kerberos tickets makes no sense */
-+ }
-+ break;
-+ }
-+}
-+
-+void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
-+ enum netr_LogonInfoClass level,
-+ union netr_LogonLevel *logon)
-+{
-+ netlogon_creds_crypt_samlogon_logon(creds, level, logon, false);
-+}
-+
-+void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
-+ enum netr_LogonInfoClass level,
-+ union netr_LogonLevel *logon)
-+{
-+ netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
-+}
-+
- /*
- copy a netlogon_creds_CredentialState struct
- */
-diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
-index 6bc18d7..110e039 100644
---- a/libcli/auth/proto.h
-+++ b/libcli/auth/proto.h
-@@ -64,6 +64,12 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential
- void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
- uint16_t validation_level,
- union netr_Validation *validation);
-+void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
-+ enum netr_LogonInfoClass level,
-+ union netr_LogonLevel *logon);
-+void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
-+ enum netr_LogonInfoClass level,
-+ union netr_LogonLevel *logon);
-
- /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
-
---
-1.9.3
-
-
-From d4f36f187d7c87c8daae3f94cdba52225faa19b8 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 24 Apr 2013 12:53:27 +0200
-Subject: [PATCH 048/249] libcli/auth: add netlogon_creds_shallow_copy_logon()
-
-This can be used before netlogon_creds_encrypt_samlogon_logon()
-in order to keep the provided buffers unchanged.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 2ea749a1a43a6539b01d36dbe0402a99619444e1)
----
- libcli/auth/credentials.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++
- libcli/auth/proto.h | 3 ++
- 2 files changed, 76 insertions(+)
-
-diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
-index 78a8d7a..1f664d3 100644
---- a/libcli/auth/credentials.c
-+++ b/libcli/auth/credentials.c
-@@ -719,6 +719,79 @@ void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState
- netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
- }
-
-+union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
-+ enum netr_LogonInfoClass level,
-+ const union netr_LogonLevel *in)
-+{
-+ union netr_LogonLevel *out;
-+
-+ if (in == NULL) {
-+ return NULL;
-+ }
-+
-+ out = talloc(mem_ctx, union netr_LogonLevel);
-+ if (out == NULL) {
-+ return NULL;
-+ }
-+
-+ *out = *in;
-+
-+ switch (level) {
-+ case NetlogonInteractiveInformation:
-+ case NetlogonInteractiveTransitiveInformation:
-+ case NetlogonServiceInformation:
-+ case NetlogonServiceTransitiveInformation:
-+ if (in->password == NULL) {
-+ return out;
-+ }
-+
-+ out->password = talloc(out, struct netr_PasswordInfo);
-+ if (out->password == NULL) {
-+ talloc_free(out);
-+ return NULL;
-+ }
-+ *out->password = *in->password;
-+
-+ return out;
-+
-+ case NetlogonNetworkInformation:
-+ case NetlogonNetworkTransitiveInformation:
-+ break;
-+
-+ case NetlogonGenericInformation:
-+ if (in->generic == NULL) {
-+ return out;
-+ }
-+
-+ out->generic = talloc(out, struct netr_GenericInfo);
-+ if (out->generic == NULL) {
-+ talloc_free(out);
-+ return NULL;
-+ }
-+ *out->generic = *in->generic;
-+
-+ if (in->generic->data == NULL) {
-+ return out;
-+ }
-+
-+ if (in->generic->length == 0) {
-+ return out;
-+ }
-+
-+ out->generic->data = talloc_memdup(out->generic,
-+ in->generic->data,
-+ in->generic->length);
-+ if (out->generic->data == NULL) {
-+ talloc_free(out);
-+ return NULL;
-+ }
-+
-+ return out;
-+ }
-+
-+ return out;
-+}
-+
- /*
- copy a netlogon_creds_CredentialState struct
- */
-diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
-index 110e039..0c319d3 100644
---- a/libcli/auth/proto.h
-+++ b/libcli/auth/proto.h
-@@ -70,6 +70,9 @@ void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState
- void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
- enum netr_LogonInfoClass level,
- union netr_LogonLevel *logon);
-+union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
-+ enum netr_LogonInfoClass level,
-+ const union netr_LogonLevel *in);
-
- /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
-
---
-1.9.3
-
-
-From 8cf11ba846fc31ce26020aabcf463817b56580a7 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 24 Apr 2013 16:00:18 +0200
-Subject: [PATCH 049/249] s4:netlogon: make use of
- netlogon_creds_decrypt_samlogon_logon()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 9d548318da11247ffe8acf505cdb5299090c16f0)
----
- source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++---------------------
- 1 file changed, 6 insertions(+), 22 deletions(-)
-
-diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-index 70239a4..c41cd02 100644
---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
-+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-@@ -712,29 +712,15 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
- user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
- NT_STATUS_HAVE_NO_MEMORY(user_info);
-
-+ netlogon_creds_decrypt_samlogon_logon(creds,
-+ r->in.logon_level,
-+ r->in.logon);
-+
- switch (r->in.logon_level) {
- case NetlogonInteractiveInformation:
- case NetlogonServiceInformation:
- case NetlogonInteractiveTransitiveInformation:
- case NetlogonServiceTransitiveInformation:
-- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- netlogon_creds_aes_decrypt(creds,
-- r->in.logon->password->lmpassword.hash,
-- sizeof(r->in.logon->password->lmpassword.hash));
-- netlogon_creds_aes_decrypt(creds,
-- r->in.logon->password->ntpassword.hash,
-- sizeof(r->in.logon->password->ntpassword.hash));
-- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-- netlogon_creds_arcfour_crypt(creds,
-- r->in.logon->password->lmpassword.hash,
-- sizeof(r->in.logon->password->lmpassword.hash));
-- netlogon_creds_arcfour_crypt(creds,
-- r->in.logon->password->ntpassword.hash,
-- sizeof(r->in.logon->password->ntpassword.hash));
-- } else {
-- netlogon_creds_des_decrypt(creds, &r->in.logon->password->lmpassword);
-- netlogon_creds_des_decrypt(creds, &r->in.logon->password->ntpassword);
-- }
-
- /* TODO: we need to deny anonymous access here */
- nt_status = auth_context_create(mem_ctx,
-@@ -788,11 +774,9 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
- case NetlogonGenericInformation:
- {
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- netlogon_creds_aes_decrypt(creds,
-- r->in.logon->generic->data, r->in.logon->generic->length);
-+ /* OK */
- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-- netlogon_creds_arcfour_crypt(creds,
-- r->in.logon->generic->data, r->in.logon->generic->length);
-+ /* OK */
- } else {
- /* Using DES to verify kerberos tickets makes no sense */
- return NT_STATUS_INVALID_PARAMETER;
---
-1.9.3
-
-
-From 22bdc484af1b1a4ebd9451fd5cde4d3993dd6f0a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 24 Apr 2013 16:00:44 +0200
-Subject: [PATCH 050/249] s3:netlogon: make use of
- netlogon_creds_decrypt_samlogon_logon()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 7b3ddd1a0bb41fe84c115555113362044620e484)
----
- source3/rpc_server/netlogon/srv_netlog_nt.c | 45 ++++++++++++++---------------
- 1 file changed, 21 insertions(+), 24 deletions(-)
-
-diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
-index e5ca474..09857b6 100644
---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
-+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
-@@ -1467,6 +1467,15 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
- struct auth_context *auth_context = NULL;
- const char *fn;
-
-+#ifdef DEBUG_PASSWORD
-+ logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
-+ r->in.logon_level,
-+ r->in.logon);
-+ if (logon == NULL) {
-+ logon = r->in.logon;
-+ }
-+#endif
-+
- switch (p->opnum) {
- case NDR_NETR_LOGONSAMLOGON:
- fn = "_netr_LogonSamLogon";
-@@ -1547,6 +1556,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
-
- status = NT_STATUS_OK;
-
-+ netlogon_creds_decrypt_samlogon_logon(creds,
-+ r->in.logon_level,
-+ logon);
-+
- switch (r->in.logon_level) {
- case NetlogonNetworkInformation:
- case NetlogonNetworkTransitiveInformation:
-@@ -1592,32 +1605,16 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
- uint8_t chal[8];
-
- #ifdef DEBUG_PASSWORD
-- DEBUG(100,("lm owf password:"));
-- dump_data(100, logon->password->lmpassword.hash, 16);
--
-- DEBUG(100,("nt owf password:"));
-- dump_data(100, logon->password->ntpassword.hash, 16);
--#endif
-- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- netlogon_creds_aes_decrypt(creds,
-- logon->password->lmpassword.hash,
-- 16);
-- netlogon_creds_aes_decrypt(creds,
-- logon->password->ntpassword.hash,
-- 16);
-- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-- netlogon_creds_arcfour_crypt(creds,
-- logon->password->lmpassword.hash,
-- 16);
-- netlogon_creds_arcfour_crypt(creds,
-- logon->password->ntpassword.hash,
-- 16);
-- } else {
-- netlogon_creds_des_decrypt(creds, &logon->password->lmpassword);
-- netlogon_creds_des_decrypt(creds, &logon->password->ntpassword);
-+ if (logon != r->in.logon) {
-+ DEBUG(100,("lm owf password:"));
-+ dump_data(100,
-+ r->in.logon->password->lmpassword.hash, 16);
-+
-+ DEBUG(100,("nt owf password:"));
-+ dump_data(100,
-+ r->in.logon->password->ntpassword.hash, 16);
- }
-
--#ifdef DEBUG_PASSWORD
- DEBUG(100,("decrypt of lm owf password:"));
- dump_data(100, logon->password->lmpassword.hash, 16);
-
---
-1.9.3
-
-
-From b25c7249bdca17d4b4720a2e8f8ba329c4105e94 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 25 Apr 2013 18:27:57 +0200
-Subject: [PATCH 051/249] s3:rpc_client: make rpccli_schannel_bind_data()
- static
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 6ce645e03c279cbb2ed8a94f033b8e0601b61ef4)
----
- source3/rpc_client/cli_pipe.c | 9 +++++----
- source3/rpc_client/cli_pipe.h | 6 ------
- 2 files changed, 5 insertions(+), 10 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 1fa8d91..66fa2d2 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2401,10 +2401,11 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
- return status;
- }
-
--NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
-- enum dcerpc_AuthLevel auth_level,
-- struct netlogon_creds_CredentialState *creds,
-- struct pipe_auth_data **presult)
-+static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
-+ const char *domain,
-+ enum dcerpc_AuthLevel auth_level,
-+ struct netlogon_creds_CredentialState *creds,
-+ struct pipe_auth_data **presult)
- {
- struct schannel_state *schannel_auth;
- struct pipe_auth_data *result;
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index 6fcc587..8eb6040 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -58,12 +58,6 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
- NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
- struct pipe_auth_data **presult);
-
--NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
-- const char *domain,
-- enum dcerpc_AuthLevel auth_level,
-- struct netlogon_creds_CredentialState *creds,
-- struct pipe_auth_data **presult);
--
- NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
- const char *host,
- const struct sockaddr_storage *ss_addr,
---
-1.9.3
-
-
-From 9f56e42ba78ce4e1248f06a0cecfc97789aea260 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 25 Apr 2013 18:29:31 +0200
-Subject: [PATCH 052/249] s3:rpc_client: use the correct context for
- netlogon_creds_copy() in rpccli_schannel_bind_data()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 8a302fc353de8d373a0ec8544da4da6f305ec923)
----
- source3/rpc_client/cli_pipe.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 66fa2d2..afe8030 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2431,7 +2431,10 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
-
- schannel_auth->state = SCHANNEL_STATE_START;
- schannel_auth->initiator = true;
-- schannel_auth->creds = netlogon_creds_copy(result, creds);
-+ schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
-+ if (schannel_auth->creds == NULL) {
-+ goto fail;
-+ }
-
- result->auth_ctx = schannel_auth;
- *presult = result;
---
-1.9.3
-
-
-From 08d78b16f0adf1d223f29d613a498878230522be Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 25 Apr 2013 19:43:58 +0200
-Subject: [PATCH 053/249] s3:rpc_client: rename same variables in
- cli_rpc_pipe_open_schannel_with_key()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 94be8d63cd21fbb9e31bf7a92af82e19c596f94f)
----
- source3/rpc_client/cli_pipe.c | 30 +++++++++++++++---------------
- 1 file changed, 15 insertions(+), 15 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index afe8030..ec804e7 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -3032,32 +3032,32 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- enum dcerpc_AuthLevel auth_level,
- const char *domain,
- struct netlogon_creds_CredentialState **pdc,
-- struct rpc_pipe_client **presult)
-+ struct rpc_pipe_client **_rpccli)
- {
-- struct rpc_pipe_client *result;
-- struct pipe_auth_data *auth;
-+ struct rpc_pipe_client *rpccli;
-+ struct pipe_auth_data *rpcauth;
- NTSTATUS status;
-
-- status = cli_rpc_pipe_open(cli, transport, table, &result);
-+ status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
-- status = rpccli_schannel_bind_data(result, domain, auth_level,
-- *pdc, &auth);
-+ status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
-+ *pdc, &rpcauth);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
- nt_errstr(status)));
-- TALLOC_FREE(result);
-+ TALLOC_FREE(rpccli);
- return status;
- }
-
-- status = rpc_pipe_bind(result, auth);
-+ status = rpc_pipe_bind(rpccli, rpcauth);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
- "cli_rpc_pipe_bind failed with error %s\n",
- nt_errstr(status) ));
-- TALLOC_FREE(result);
-+ TALLOC_FREE(rpccli);
- return status;
- }
-
-@@ -3065,10 +3065,10 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- * The credentials on a new netlogon pipe are the ones we are passed
- * in - copy them over
- */
-- if (result->dc == NULL) {
-- result->dc = netlogon_creds_copy(result, *pdc);
-- if (result->dc == NULL) {
-- TALLOC_FREE(result);
-+ if (rpccli->dc == NULL) {
-+ rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
-+ if (rpccli->dc == NULL) {
-+ TALLOC_FREE(rpccli);
- return NT_STATUS_NO_MEMORY;
- }
- }
-@@ -3076,9 +3076,9 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
- "for domain %s and bound using schannel.\n",
- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
-- result->desthost, domain));
-+ rpccli->desthost, domain));
-
-- *presult = result;
-+ *_rpccli = rpccli;
- return NT_STATUS_OK;
- }
-
---
-1.9.3
-
-
-From 33991d3ea286fc5da1458ca64aa4fc004547ae04 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 5 Aug 2013 20:26:54 +0200
-Subject: [PATCH 054/249] s3:libsmb: remove unused cli_state->is_guestlogin
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 11e0be0e72cfc4bc65ba2b0ffd10cbae3ad69b2d)
----
- source3/include/client.h | 1 -
- source3/libsmb/cliconnect.c | 5 -----
- 2 files changed, 6 deletions(-)
-
-diff --git a/source3/include/client.h b/source3/include/client.h
-index 3f92d6d..59fb104 100644
---- a/source3/include/client.h
-+++ b/source3/include/client.h
-@@ -72,7 +72,6 @@ struct cli_state {
- int timeout; /* in milliseconds. */
- int initialised;
- int win95;
-- bool is_guestlogin;
- /* What the server offered. */
- uint32_t server_posix_capabilities;
- /* What the client requested. */
-diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
-index 13e7704..81bc028 100644
---- a/source3/libsmb/cliconnect.c
-+++ b/source3/libsmb/cliconnect.c
-@@ -240,7 +240,6 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq)
- p = bytes;
-
- cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
-- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
-
- status = smb_bytes_talloc_string(cli,
- inhdr,
-@@ -448,7 +447,6 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq)
- p = bytes;
-
- cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
-- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
-
- status = smb_bytes_talloc_string(cli,
- inhdr,
-@@ -613,7 +611,6 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq)
- p = bytes;
-
- cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
-- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
-
- status = smb_bytes_talloc_string(cli,
- inhdr,
-@@ -930,7 +927,6 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq)
- p = bytes;
-
- cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
-- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
-
- status = smb_bytes_talloc_string(cli,
- inhdr,
-@@ -1180,7 +1176,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
- state->inbuf = in;
- inhdr = in + NBT_HDR_SIZE;
- cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
-- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
-
- blob_length = SVAL(vwv+3, 0);
- if (blob_length > num_bytes) {
---
-1.9.3
-
-
-From 937a0f2fc020e12c21c10597a889275614603add Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 15 Jun 2013 09:41:52 +0200
-Subject: [PATCH 055/249] s3:auth_domain: try to use NETLOGON_NEG_SUPPORTS_AES
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit d82ab70579ff2bcb69f997068482b198f321d1ef)
----
- source3/auth/auth_domain.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
-index 54ee5a1..06078e2 100644
---- a/source3/auth/auth_domain.c
-+++ b/source3/auth/auth_domain.c
-@@ -133,7 +133,8 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
-
- if (!lp_client_schannel()) {
- /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-+ NETLOGON_NEG_SUPPORTS_AES;
- enum netr_SchannelType sec_chan_type = 0;
- unsigned char machine_pwd[16];
- const char *account_name;
---
-1.9.3
-
-
-From 981a88bb20cef572e5573ee2f18115a6e395fbf9 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 15 Jun 2013 09:41:52 +0200
-Subject: [PATCH 056/249] s3:libnet_join: try to use NETLOGON_NEG_SUPPORTS_AES
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit beba32619a91977543f882432fd08acc9de78fd3)
----
- source3/libnet/libnet_join.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index d8ec235..c1eccda 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -1194,7 +1194,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
- const char *dc_name,
- const bool use_kerberos)
- {
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-+ NETLOGON_NEG_SUPPORTS_AES;
- struct cli_state *cli = NULL;
- struct rpc_pipe_client *pipe_hnd = NULL;
- struct rpc_pipe_client *netlogon_pipe = NULL;
---
-1.9.3
-
-
-From 846a35f004850695ca7c9d4597cd8729bb7c99e3 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 15 Jun 2013 09:41:52 +0200
-Subject: [PATCH 057/249] s3:rpc_client: try to use NETLOGON_NEG_SUPPORTS_AES
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 04600634b3e761d7c56f699fd4ba80b4cd2926a1)
----
- source3/rpc_client/cli_netlogon.c | 3 ++-
- source3/rpc_client/cli_pipe_schannel.c | 6 ++++--
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index 3d6a3e1..5e8a2fc 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -610,7 +610,8 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
- struct dcerpc_binding_handle *b = cli->binding_handle;
-
- if (!cli->dc) {
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-+ NETLOGON_NEG_SUPPORTS_AES;
- result = rpccli_netlogon_setup_creds(cli,
- cli->desthost, /* server name */
- lp_workgroup(), /* domain */
-diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
-index bc672ef..de745c0 100644
---- a/source3/rpc_client/cli_pipe_schannel.c
-+++ b/source3/rpc_client/cli_pipe_schannel.c
-@@ -136,7 +136,8 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
- const char *password,
- struct rpc_pipe_client **presult)
- {
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-+ NETLOGON_NEG_SUPPORTS_AES;
- struct rpc_pipe_client *netlogon_pipe = NULL;
- struct rpc_pipe_client *result = NULL;
- NTSTATUS status;
-@@ -175,7 +176,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
- const char *domain,
- struct rpc_pipe_client **presult)
- {
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-+ NETLOGON_NEG_SUPPORTS_AES;
- struct rpc_pipe_client *netlogon_pipe = NULL;
- struct rpc_pipe_client *result = NULL;
- NTSTATUS status;
---
-1.9.3
-
-
-From a56391bc8cbe1fa9142d0a20f4bf977538f27e67 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 15 Jun 2013 09:41:52 +0200
-Subject: [PATCH 058/249] s3:rpcclient: try to use NETLOGON_NEG_SUPPORTS_AES
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit e77a64f505fc43628e487e832033d0cd8ec4de8e)
----
- source3/rpcclient/cmd_netlogon.c | 3 ++-
- source3/rpcclient/rpcclient.c | 3 ++-
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
-index 01d6da4..d92434b 100644
---- a/source3/rpcclient/cmd_netlogon.c
-+++ b/source3/rpcclient/cmd_netlogon.c
-@@ -1120,7 +1120,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- NTSTATUS result;
- const char *server_name = cli->desthost;
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-+ NETLOGON_NEG_SUPPORTS_AES;
- struct netr_Authenticator clnt_creds, srv_cred;
- struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
- unsigned char trust_passwd_hash[16];
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index 9bf296e..cb7b70f 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -758,7 +758,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
-
- if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
- &ndr_table_netlogon.syntax_id)) {
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-+ NETLOGON_NEG_SUPPORTS_AES;
- enum netr_SchannelType sec_channel_type;
- uchar trust_password[16];
- const char *machine_account;
---
-1.9.3
-
-
-From 06c4ff36efc63ef014c449602dc314ca4e7016bd Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 25 Apr 2013 19:57:09 +0200
-Subject: [PATCH 059/249] s3:rpc_client: fix/add AES downgrade detection to
- rpc_pipe_bind_step_two_done()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 90e28c1825b2c48714d7b34fdb57d3878116d07e)
----
- source3/rpc_client/cli_pipe.c | 19 +++++++------------
- 1 file changed, 7 insertions(+), 12 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index ec804e7..c354a6f 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1828,8 +1828,7 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
- status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
- TALLOC_FREE(subreq);
- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-- if (state->cli->dc && state->cli->dc->negotiate_flags &
-- NETLOGON_NEG_SUPPORTS_AES) {
-+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- DEBUG(5, ("AES is not supported and the error was %s\n",
- nt_errstr(status)));
- tevent_req_nterror(req,
-@@ -1880,9 +1879,6 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
- return;
- }
-
-- TALLOC_FREE(state->cli->dc);
-- state->cli->dc = talloc_steal(state->cli, state->creds);
--
- if (!NT_STATUS_IS_OK(state->r.out.result)) {
- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
- nt_errstr(state->r.out.result)));
-@@ -1890,18 +1886,17 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
- return;
- }
-
-- if (state->creds->negotiate_flags !=
-- state->r.out.capabilities->server_capabilities) {
-- DEBUG(0, ("The client capabilities don't match the server "
-- "capabilities: local[0x%08X] remote[0x%08X]\n",
-- state->creds->negotiate_flags,
-- state->capabilities.server_capabilities));
-+ if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
-+ DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
-+ "but AES was not negotiated - downgrade detected",
-+ state->cli->desthost));
- tevent_req_nterror(req,
- NT_STATUS_INVALID_NETWORK_RESPONSE);
- return;
- }
-
-- /* TODO: Add downgrade dectection. */
-+ TALLOC_FREE(state->cli->dc);
-+ state->cli->dc = talloc_move(state->cli, &state->creds);
-
- tevent_req_done(req);
- return;
---
-1.9.3
-
-
-From e6416b9fe5019c3ce1aa8ecf42d73125a049338f Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 25 Apr 2013 19:45:52 +0200
-Subject: [PATCH 060/249] s3:rpc_client: use netlogon_creds_copy before
- rpc_pipe_bind
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit e9c8e3fb92143525f846523e446e2213e5b55d9d)
----
- source3/rpc_client/cli_pipe.c | 24 ++++++++++++------------
- 1 file changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index c354a6f..eb172db 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -3047,6 +3047,18 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- return status;
- }
-
-+ /*
-+ * The credentials on a new netlogon pipe are the ones we are passed
-+ * in - copy them over
-+ *
-+ * This may get overwritten... in rpc_pipe_bind()...
-+ */
-+ rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
-+ if (rpccli->dc == NULL) {
-+ TALLOC_FREE(rpccli);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
- status = rpc_pipe_bind(rpccli, rpcauth);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
-@@ -3056,18 +3068,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- return status;
- }
-
-- /*
-- * The credentials on a new netlogon pipe are the ones we are passed
-- * in - copy them over
-- */
-- if (rpccli->dc == NULL) {
-- rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
-- if (rpccli->dc == NULL) {
-- TALLOC_FREE(rpccli);
-- return NT_STATUS_NO_MEMORY;
-- }
-- }
--
- DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
- "for domain %s and bound using schannel.\n",
- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
---
-1.9.3
-
-
-From 1836ea96ed7dd055278fd6cac3f69a06ea979ea2 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 25 Apr 2013 19:34:13 +0200
-Subject: [PATCH 061/249] s3:rpc_client: add netr_LogonGetCapabilities to
- cli_rpc_pipe_open_schannel_with_key()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit eecb5bafba5b362d4fdf33d6a2a32e4ee56f30a4)
----
- source3/rpc_client/cli_pipe.c | 101 ++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 101 insertions(+)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index eb172db..314eb92 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -3032,6 +3032,11 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- struct rpc_pipe_client *rpccli;
- struct pipe_auth_data *rpcauth;
- NTSTATUS status;
-+ NTSTATUS result;
-+ struct netlogon_creds_CredentialState save_creds;
-+ struct netr_Authenticator auth;
-+ struct netr_Authenticator return_auth;
-+ union netr_Capabilities capabilities;
-
- status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
- if (!NT_STATUS_IS_OK(status)) {
-@@ -3068,6 +3073,102 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- return status;
- }
-
-+ if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
-+ goto done;
-+ }
-+
-+ save_creds = *rpccli->dc;
-+ ZERO_STRUCT(return_auth);
-+ ZERO_STRUCT(capabilities);
-+
-+ netlogon_creds_client_authenticator(&save_creds, &auth);
-+
-+ status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
-+ talloc_tos(),
-+ rpccli->srv_name_slash,
-+ save_creds.computer_name,
-+ &auth, &return_auth,
-+ 1, &capabilities,
-+ &result);
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-+ if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-+ DEBUG(5, ("AES was negotiated and the error was %s - "
-+ "downgrade detected\n",
-+ nt_errstr(status)));
-+ TALLOC_FREE(rpccli);
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+
-+ /* This is probably an old Samba Version */
-+ DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
-+ nt_errstr(status)));
-+ goto done;
-+ }
-+
-+ if (!NT_STATUS_IS_OK(status)) {
-+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
-+ nt_errstr(status)));
-+ TALLOC_FREE(rpccli);
-+ return status;
-+ }
-+
-+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
-+ if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-+ /* This means AES isn't supported. */
-+ DEBUG(5, ("AES was negotiated and the result was %s - "
-+ "downgrade detected\n",
-+ nt_errstr(result)));
-+ TALLOC_FREE(rpccli);
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+
-+ /* This is probably an old Windows version */
-+ DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
-+ nt_errstr(result)));
-+ goto done;
-+ }
-+
-+ /*
-+ * We need to check the credential state here, cause win2k3 and earlier
-+ * returns NT_STATUS_NOT_IMPLEMENTED
-+ */
-+ if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
-+ /*
-+ * Server replied with bad credential. Fail.
-+ */
-+ DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
-+ "replied with bad credential\n",
-+ rpccli->desthost));
-+ TALLOC_FREE(rpccli);
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ *rpccli->dc = save_creds;
-+
-+ if (!NT_STATUS_IS_OK(result)) {
-+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
-+ nt_errstr(result)));
-+ TALLOC_FREE(rpccli);
-+ return result;
-+ }
-+
-+ if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
-+ /* This means AES isn't supported. */
-+ DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
-+ "was OK - downgrade detected\n"));
-+ TALLOC_FREE(rpccli);
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+
-+ if (save_creds.negotiate_flags != capabilities.server_capabilities) {
-+ DEBUG(0, ("The client capabilities don't match the server "
-+ "capabilities: local[0x%08X] remote[0x%08X]\n",
-+ save_creds.negotiate_flags,
-+ capabilities.server_capabilities));
-+ TALLOC_FREE(rpccli);
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+
-+done:
- DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
- "for domain %s and bound using schannel.\n",
- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
---
-1.9.3
-
-
-From 675be19880c2ac4bca14d69592ce39bb66a34dec Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 25 Apr 2013 18:30:36 +0200
-Subject: [PATCH 062/249] s3:rpc_client: remove netr_LogonGetCapabilities check
- from rpc_pipe_bind*
-
-It's done in the caller now.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 3302356226cca474f0afab9a129220241c16663f)
----
- source3/rpc_client/cli_pipe.c | 150 +-----------------------------------------
- 1 file changed, 1 insertion(+), 149 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 314eb92..cba055a 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1568,15 +1568,9 @@ struct rpc_pipe_bind_state {
- DATA_BLOB rpc_out;
- bool auth3;
- uint32_t rpc_call_id;
-- struct netr_Authenticator auth;
-- struct netr_Authenticator return_auth;
-- struct netlogon_creds_CredentialState *creds;
-- union netr_Capabilities capabilities;
-- struct netr_LogonGetCapabilities r;
- };
-
- static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
--static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req);
- static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
- struct rpc_pipe_bind_state *state,
- DATA_BLOB *credentials);
-@@ -1679,14 +1673,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
-
- case DCERPC_AUTH_TYPE_NONE:
- case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
-+ case DCERPC_AUTH_TYPE_SCHANNEL:
- /* Bind complete. */
- tevent_req_done(req);
- return;
-
-- case DCERPC_AUTH_TYPE_SCHANNEL:
-- rpc_pipe_bind_step_two_trigger(req);
-- return;
--
- case DCERPC_AUTH_TYPE_NTLMSSP:
- case DCERPC_AUTH_TYPE_SPNEGO:
- case DCERPC_AUTH_TYPE_KRB5:
-@@ -1763,145 +1754,6 @@ err_out:
- tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
- }
-
--static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq);
--
--static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req)
--{
-- struct rpc_pipe_bind_state *state =
-- tevent_req_data(req,
-- struct rpc_pipe_bind_state);
-- struct dcerpc_binding_handle *b = state->cli->binding_handle;
-- struct schannel_state *schannel_auth =
-- talloc_get_type_abort(state->cli->auth->auth_ctx,
-- struct schannel_state);
-- struct tevent_req *subreq;
--
-- if (schannel_auth == NULL ||
-- !ndr_syntax_id_equal(&state->cli->abstract_syntax,
-- &ndr_table_netlogon.syntax_id)) {
-- tevent_req_done(req);
-- return;
-- }
--
-- ZERO_STRUCT(state->return_auth);
--
-- state->creds = netlogon_creds_copy(state, schannel_auth->creds);
-- if (state->creds == NULL) {
-- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
-- return;
-- }
--
-- netlogon_creds_client_authenticator(state->creds, &state->auth);
--
-- state->r.in.server_name = state->cli->srv_name_slash;
-- state->r.in.computer_name = state->creds->computer_name;
-- state->r.in.credential = &state->auth;
-- state->r.in.query_level = 1;
-- state->r.in.return_authenticator = &state->return_auth;
--
-- state->r.out.capabilities = &state->capabilities;
-- state->r.out.return_authenticator = &state->return_auth;
--
-- subreq = dcerpc_netr_LogonGetCapabilities_r_send(talloc_tos(),
-- state->ev,
-- b,
-- &state->r);
-- if (subreq == NULL) {
-- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
-- return;
-- }
--
-- tevent_req_set_callback(subreq, rpc_pipe_bind_step_two_done, req);
-- return;
--}
--
--static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
--{
-- struct tevent_req *req =
-- tevent_req_callback_data(subreq,
-- struct tevent_req);
-- struct rpc_pipe_bind_state *state =
-- tevent_req_data(req,
-- struct rpc_pipe_bind_state);
-- NTSTATUS status;
--
-- status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
-- TALLOC_FREE(subreq);
-- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- DEBUG(5, ("AES is not supported and the error was %s\n",
-- nt_errstr(status)));
-- tevent_req_nterror(req,
-- NT_STATUS_INVALID_NETWORK_RESPONSE);
-- return;
-- }
--
-- /* This is probably NT */
-- DEBUG(5, ("We are checking against an NT - %s\n",
-- nt_errstr(status)));
-- tevent_req_done(req);
-- return;
-- } else if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
-- nt_errstr(status)));
-- tevent_req_nterror(req, status);
-- return;
-- }
--
-- if (NT_STATUS_EQUAL(state->r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
-- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- /* This means AES isn't supported. */
-- DEBUG(5, ("AES is not supported and the error was %s\n",
-- nt_errstr(state->r.out.result)));
-- tevent_req_nterror(req,
-- NT_STATUS_INVALID_NETWORK_RESPONSE);
-- return;
-- }
--
-- /* This is probably an old Samba version */
-- DEBUG(5, ("We are checking against an old Samba version - %s\n",
-- nt_errstr(state->r.out.result)));
-- tevent_req_done(req);
-- return;
-- }
--
-- /* We need to check the credential state here, cause win2k3 and earlier
-- * returns NT_STATUS_NOT_IMPLEMENTED */
-- if (!netlogon_creds_client_check(state->creds,
-- &state->r.out.return_authenticator->cred)) {
-- /*
-- * Server replied with bad credential. Fail.
-- */
-- DEBUG(0,("rpc_pipe_bind_step_two_done: server %s "
-- "replied with bad credential\n",
-- state->cli->desthost));
-- tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
-- return;
-- }
--
-- if (!NT_STATUS_IS_OK(state->r.out.result)) {
-- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
-- nt_errstr(state->r.out.result)));
-- tevent_req_nterror(req, state->r.out.result);
-- return;
-- }
--
-- if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
-- DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
-- "but AES was not negotiated - downgrade detected",
-- state->cli->desthost));
-- tevent_req_nterror(req,
-- NT_STATUS_INVALID_NETWORK_RESPONSE);
-- return;
-- }
--
-- TALLOC_FREE(state->cli->dc);
-- state->cli->dc = talloc_move(state->cli, &state->creds);
--
-- tevent_req_done(req);
-- return;
--}
--
- static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
- struct rpc_pipe_bind_state *state,
- DATA_BLOB *auth_token)
---
-1.9.3
-
-
-From f9b4e38b8458ec905b5f78e402f21f23c4a967e1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 25 Apr 2013 19:33:28 +0200
-Subject: [PATCH 063/249] s3:rpc_client: remove unused
- cli_rpc_pipe_open_ntlmssp_auth_schannel()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 04938cbeecc777f7b799a11f1ca0461b351d968a)
----
- source3/rpc_client/cli_pipe.h | 9 ----
- source3/rpc_client/cli_pipe_schannel.c | 80 ----------------------------------
- 2 files changed, 89 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index 8eb6040..ab99373 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -109,15 +109,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- struct netlogon_creds_CredentialState **pdc,
- struct rpc_pipe_client **presult);
-
--NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
-- const struct ndr_interface_table *table,
-- enum dcerpc_transport_t transport,
-- enum dcerpc_AuthLevel auth_level,
-- const char *domain,
-- const char *username,
-- const char *password,
-- struct rpc_pipe_client **presult);
--
- NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
- const struct ndr_interface_table *table,
- enum dcerpc_transport_t transport,
-diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
-index de745c0..aaae44b 100644
---- a/source3/rpc_client/cli_pipe_schannel.c
-+++ b/source3/rpc_client/cli_pipe_schannel.c
-@@ -86,86 +86,6 @@ static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon
-
- /****************************************************************************
- Open a named pipe to an SMB server and bind using schannel (bind type 68).
-- Fetch the session key ourselves using a temporary netlogon pipe. This
-- version uses an ntlmssp auth bound netlogon pipe to get the key.
-- ****************************************************************************/
--
--static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
-- const char *domain,
-- const char *username,
-- const char *password,
-- uint32 *pneg_flags,
-- struct rpc_pipe_client **presult)
--{
-- struct rpc_pipe_client *netlogon_pipe = NULL;
-- NTSTATUS status;
--
-- status = cli_rpc_pipe_open_spnego(
-- cli, &ndr_table_netlogon, NCACN_NP,
-- GENSEC_OID_NTLMSSP,
-- DCERPC_AUTH_LEVEL_PRIVACY,
-- smbXcli_conn_remote_name(cli->conn),
-- domain, username, password, &netlogon_pipe);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
-- status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
-- pneg_flags);
-- if (!NT_STATUS_IS_OK(status)) {
-- TALLOC_FREE(netlogon_pipe);
-- return status;
-- }
--
-- *presult = netlogon_pipe;
-- return NT_STATUS_OK;
--}
--
--/****************************************************************************
-- Open a named pipe to an SMB server and bind using schannel (bind type 68).
-- Fetch the session key ourselves using a temporary netlogon pipe. This version
-- uses an ntlmssp bind to get the session key.
-- ****************************************************************************/
--
--NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
-- const struct ndr_interface_table *table,
-- enum dcerpc_transport_t transport,
-- enum dcerpc_AuthLevel auth_level,
-- const char *domain,
-- const char *username,
-- const char *password,
-- struct rpc_pipe_client **presult)
--{
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-- NETLOGON_NEG_SUPPORTS_AES;
-- struct rpc_pipe_client *netlogon_pipe = NULL;
-- struct rpc_pipe_client *result = NULL;
-- NTSTATUS status;
--
-- status = get_schannel_session_key_auth_ntlmssp(
-- cli, domain, username, password, &neg_flags, &netlogon_pipe);
-- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
-- "key from server %s for domain %s.\n",
-- smbXcli_conn_remote_name(cli->conn), domain ));
-- return status;
-- }
--
-- status = cli_rpc_pipe_open_schannel_with_key(
-- cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
-- &result);
--
-- /* Now we've bound using the session key we can close the netlog pipe. */
-- TALLOC_FREE(netlogon_pipe);
--
-- if (NT_STATUS_IS_OK(status)) {
-- *presult = result;
-- }
-- return status;
--}
--
--/****************************************************************************
-- Open a named pipe to an SMB server and bind using schannel (bind type 68).
- Fetch the session key ourselves using a temporary netlogon pipe.
- ****************************************************************************/
-
---
-1.9.3
-
-
-From 35d07a4d7ca15e4cf22f7cc96d6958c9856dc0a0 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 3 Aug 2013 11:26:13 +0200
-Subject: [PATCH 064/249] auth/gensec: first check GENSEC_FEATURE_SESSION_KEY
- before returning NOT_IMPLEMENTED
-
-Preferr NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key().
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 45c74c8084d2db14fef6a79cd98068be2ab73f30)
----
- auth/gensec/gensec.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
-index ea62861..9a8f0ef 100644
---- a/auth/gensec/gensec.c
-+++ b/auth/gensec/gensec.c
-@@ -155,13 +155,14 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *session_key)
- {
-- if (!gensec_security->ops->session_key) {
-- return NT_STATUS_NOT_IMPLEMENTED;
-- }
- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
- return NT_STATUS_NO_USER_SESSION_KEY;
- }
-
-+ if (!gensec_security->ops->session_key) {
-+ return NT_STATUS_NOT_IMPLEMENTED;
-+ }
-+
- return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
- }
-
---
-1.9.3
-
-
-From 6eda030bd26347cef3fb670b0876956c97c00bfa Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 3 Aug 2013 11:43:58 +0200
-Subject: [PATCH 065/249] auth/gensec: add gensec_security_by_auth_type()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 59b09564a7edac8dc241269587146342244ce58b)
----
- auth/gensec/gensec.h | 3 +++
- auth/gensec/gensec_start.c | 26 ++++++++++++++++++++++++++
- 2 files changed, 29 insertions(+)
-
-diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
-index 396a16d..c080861 100644
---- a/auth/gensec/gensec.h
-+++ b/auth/gensec/gensec.h
-@@ -268,6 +268,9 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security
- const char *oid_string);
- const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
- const char *sasl_name);
-+const struct gensec_security_ops *gensec_security_by_auth_type(
-+ struct gensec_security *gensec_security,
-+ uint32_t auth_type);
- struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx);
- const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
-diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
-index e46f0ee..c2cfa1c 100644
---- a/auth/gensec/gensec_start.c
-+++ b/auth/gensec/gensec_start.c
-@@ -246,6 +246,32 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
- return NULL;
- }
-
-+_PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
-+ struct gensec_security *gensec_security,
-+ uint32_t auth_type)
-+{
-+ int i;
-+ struct gensec_security_ops **backends;
-+ const struct gensec_security_ops *backend;
-+ TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
-+ if (!mem_ctx) {
-+ return NULL;
-+ }
-+ backends = gensec_security_mechs(gensec_security, mem_ctx);
-+ for (i=0; backends && backends[i]; i++) {
-+ if (!gensec_security_ops_enabled(backends[i], gensec_security))
-+ continue;
-+ if (backends[i]->auth_type == auth_type) {
-+ backend = backends[i];
-+ talloc_free(mem_ctx);
-+ return backend;
-+ }
-+ }
-+ talloc_free(mem_ctx);
-+
-+ return NULL;
-+}
-+
- static const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
- const char *name)
- {
---
-1.9.3
-
-
-From f4e1506ed3a032d38605207f592cbc4ece93a414 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 24 Apr 2013 12:33:28 +0200
-Subject: [PATCH 066/249] libcli/auth: maintain the sequence number for the
- NETLOGON SSP as 64bit
-
-See [MS-NPRC] 3.3.4.2 The Netlogon Signature Token.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 9f2e81ae02549369db49c05edf7071612a03a8b8)
----
- libcli/auth/schannel.h | 2 +-
- libcli/auth/schannel_sign.c | 17 +++++++++++++----
- source3/librpc/rpc/dcerpc_helpers.c | 4 ++--
- 3 files changed, 16 insertions(+), 7 deletions(-)
-
-diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
-index bfccd95..271b5bb 100644
---- a/libcli/auth/schannel.h
-+++ b/libcli/auth/schannel.h
-@@ -30,7 +30,7 @@ enum schannel_position {
-
- struct schannel_state {
- enum schannel_position state;
-- uint32_t seq_num;
-+ uint64_t seq_num;
- bool initiator;
- struct netlogon_creds_CredentialState *creds;
- };
-diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
-index 1871da2..6e5d454 100644
---- a/libcli/auth/schannel_sign.c
-+++ b/libcli/auth/schannel_sign.c
-@@ -24,6 +24,17 @@
- #include "../libcli/auth/schannel.h"
- #include "../lib/crypto/crypto.h"
-
-+#define SETUP_SEQNUM(state, buf, initiator) do { \
-+ uint8_t *_buf = buf; \
-+ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
-+ uint32_t _seq_num_high = (state)->seq_num >> 32; \
-+ if (initiator) { \
-+ _seq_num_high |= 0x80000000; \
-+ } \
-+ RSIVAL(_buf, 0, _seq_num_low); \
-+ RSIVAL(_buf, 4, _seq_num_high); \
-+} while(0)
-+
- static void netsec_offset_and_sizes(struct schannel_state *state,
- bool do_seal,
- uint32_t *_min_sig_size,
-@@ -255,8 +266,7 @@ NTSTATUS netsec_incoming_packet(struct schannel_state *state,
- confounder = NULL;
- }
-
-- RSIVAL(seq_num, 0, state->seq_num);
-- SIVAL(seq_num, 4, state->initiator?0:0x80);
-+ SETUP_SEQNUM(state, seq_num, !state->initiator);
-
- if (do_unseal) {
- netsec_do_seal(state, seq_num,
-@@ -325,8 +335,7 @@ NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
- &checksum_length,
- &confounder_ofs);
-
-- RSIVAL(seq_num, 0, state->seq_num);
-- SIVAL(seq_num, 4, state->initiator?0x80:0);
-+ SETUP_SEQNUM(state, seq_num, state->initiator);
-
- if (do_seal) {
- confounder = _confounder;
-diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
-index a55e419..0095990 100644
---- a/source3/librpc/rpc/dcerpc_helpers.c
-+++ b/source3/librpc/rpc/dcerpc_helpers.c
-@@ -462,8 +462,8 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
- return NT_STATUS_INVALID_PARAMETER;
- }
-
-- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
-- sas->seq_num));
-+ DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
-+ (unsigned long long)sas->seq_num));
-
- switch (auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
---
-1.9.3
-
-
-From f99afc1924dbb267e696bbdf26db606a8c77f093 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Aug 2013 12:53:42 +0200
-Subject: [PATCH 067/249] libcli/auth: add netsec_create_state()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 33215398f32c76f4b8ada7b547c6d0741cb2ac16)
----
- libcli/auth/schannel_proto.h | 3 +++
- libcli/auth/schannel_sign.c | 23 +++++++++++++++++++++++
- 2 files changed, 26 insertions(+)
-
-diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
-index 0414218..da76559 100644
---- a/libcli/auth/schannel_proto.h
-+++ b/libcli/auth/schannel_proto.h
-@@ -28,6 +28,9 @@ struct schannel_state;
- struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx);
-
-+struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_CredentialState *creds,
-+ bool initiator);
- NTSTATUS netsec_incoming_packet(struct schannel_state *state,
- bool do_unseal,
- uint8_t *data, size_t length,
-diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
-index 6e5d454..518a6a9 100644
---- a/libcli/auth/schannel_sign.c
-+++ b/libcli/auth/schannel_sign.c
-@@ -35,6 +35,29 @@
- RSIVAL(_buf, 4, _seq_num_high); \
- } while(0)
-
-+struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_CredentialState *creds,
-+ bool initiator)
-+{
-+ struct schannel_state *state;
-+
-+ state = talloc(mem_ctx, struct schannel_state);
-+ if (state == NULL) {
-+ return NULL;
-+ }
-+
-+ state->state = SCHANNEL_STATE_UPDATE_1;
-+ state->initiator = initiator;
-+ state->seq_num = 0;
-+ state->creds = netlogon_creds_copy(state, creds);
-+ if (state->creds == NULL) {
-+ talloc_free(state);
-+ return NULL;
-+ }
-+
-+ return state;
-+}
-+
- static void netsec_offset_and_sizes(struct schannel_state *state,
- bool do_seal,
- uint32_t *_min_sig_size,
---
-1.9.3
-
-
-From f13417a00173fcde96417773a1a551caced24c8b Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Aug 2013 13:28:11 +0200
-Subject: [PATCH 068/249] s3:cli_pipe: make use of netsec_create_state()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit e96142fc439efb7c90719f9c387778c4218ae637)
----
- source3/rpc_client/cli_pipe.c | 9 +--------
- 1 file changed, 1 insertion(+), 8 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index cba055a..9e979b0 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2271,18 +2271,11 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
- goto fail;
- }
-
-- schannel_auth = talloc_zero(result, struct schannel_state);
-+ schannel_auth = netsec_create_state(result, creds, true /* initiator */);
- if (schannel_auth == NULL) {
- goto fail;
- }
-
-- schannel_auth->state = SCHANNEL_STATE_START;
-- schannel_auth->initiator = true;
-- schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
-- if (schannel_auth->creds == NULL) {
-- goto fail;
-- }
--
- result->auth_ctx = schannel_auth;
- *presult = result;
- return NT_STATUS_OK;
---
-1.9.3
-
-
-From becf68bc072fdfab4489326d148775ebdbe27fda Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Aug 2013 13:28:59 +0200
-Subject: [PATCH 069/249] s3:cli_pipe: pass down creds->computer_name to
- NL_AUTH_MESSAGE
-
-We need to use the same computer_name value as in the netr_Authenticate3()
-request.
-
-We abuse cli->auth->user_name to pass the value down.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 838cb539621ef19cac6badb4b10678dcc3a6f68a)
----
- source3/rpc_client/cli_pipe.c | 13 ++++++-------
- 1 file changed, 6 insertions(+), 7 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 9e979b0..1de71fb 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1027,13 +1027,12 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
- NTSTATUS status;
- struct NL_AUTH_MESSAGE r;
-
-- /* Use lp_workgroup() if domain not specified */
-+ if (!cli->auth->user_name || !cli->auth->user_name[0]) {
-+ return NT_STATUS_INVALID_PARAMETER_MIX;
-+ }
-
- if (!cli->auth->domain || !cli->auth->domain[0]) {
-- cli->auth->domain = talloc_strdup(cli, lp_workgroup());
-- if (cli->auth->domain == NULL) {
-- return NT_STATUS_NO_MEMORY;
-- }
-+ return NT_STATUS_INVALID_PARAMETER_MIX;
- }
-
- /*
-@@ -1044,7 +1043,7 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
- r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
- r.oem_netbios_domain.a = cli->auth->domain;
-- r.oem_netbios_computer.a = lp_netbios_name();
-+ r.oem_netbios_computer.a = cli->auth->user_name;
-
- status = dcerpc_push_schannel_bind(cli, &r, auth_token);
- if (!NT_STATUS_IS_OK(status)) {
-@@ -2265,7 +2264,7 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
- result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
- result->auth_level = auth_level;
-
-- result->user_name = talloc_strdup(result, "");
-+ result->user_name = talloc_strdup(result, creds->computer_name);
- result->domain = talloc_strdup(result, domain);
- if ((result->user_name == NULL) || (result->domain == NULL)) {
- goto fail;
---
-1.9.3
-
-
-From b447ab32047f33d306ee891d1d3fe2ae5a8c56f1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 3 Aug 2013 08:50:54 +0200
-Subject: [PATCH 070/249] s3:cli_pipe.c: return NO_USER_SESSION_KEY in
- cli_get_session_key() for schannel
-
-SCHANNEL connections don't have a user session key,
-they're like anonymous connections.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit af4dc306846a30a5a1201306cc2cbf4d494e16e7)
----
- source3/rpc_client/cli_pipe.c | 7 -------
- 1 file changed, 7 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 1de71fb..470469f 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -3091,7 +3091,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
- {
- NTSTATUS status;
- struct pipe_auth_data *a;
-- struct schannel_state *schannel_auth;
- struct gensec_security *gensec_security;
- DATA_BLOB sk = data_blob_null;
- bool make_dup = false;
-@@ -3107,12 +3106,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
- }
-
- switch (cli->auth->auth_type) {
-- case DCERPC_AUTH_TYPE_SCHANNEL:
-- schannel_auth = talloc_get_type_abort(a->auth_ctx,
-- struct schannel_state);
-- sk = data_blob_const(schannel_auth->creds->session_key, 16);
-- make_dup = true;
-- break;
- case DCERPC_AUTH_TYPE_SPNEGO:
- case DCERPC_AUTH_TYPE_NTLMSSP:
- case DCERPC_AUTH_TYPE_KRB5:
---
-1.9.3
-
-
-From abebeb10c26f6fa7e61c56553ce1e52b5d45937a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Aug 2013 13:33:37 +0200
-Subject: [PATCH 071/249] s3:rpc_server: make use of netsec_create_state()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit a964309bf7631f4f6953e0d6556f8ed8e5300dcc)
----
- source3/rpc_server/srv_pipe.c | 12 ++++--------
- 1 file changed, 4 insertions(+), 8 deletions(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 7daff04..9043a14 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -462,8 +462,8 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
- */
-
- become_root();
-- status = schannel_get_creds_state(p, lp_ctx,
-- neg.oem_netbios_computer.a, &creds);
-+ status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
-+ neg.oem_netbios_computer.a, &creds);
- unbecome_root();
-
- talloc_unlink(p, lp_ctx);
-@@ -472,16 +472,12 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
- return False;
- }
-
-- schannel_auth = talloc_zero(p, struct schannel_state);
-+ schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
-+ TALLOC_FREE(creds);
- if (!schannel_auth) {
-- TALLOC_FREE(creds);
- return False;
- }
-
-- schannel_auth->state = SCHANNEL_STATE_START;
-- schannel_auth->initiator = false;
-- schannel_auth->creds = creds;
--
- /*
- * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
- * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
---
-1.9.3
-
-
-From b567c4ef93de5c098d724c15b614f5f233903812 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Aug 2013 13:36:30 +0200
-Subject: [PATCH 072/249] s3:dcerpc_helpers: remove unused DEBUG message of
- schannel_state->seq_num.
-
-This is a layer violation and not needed anymore as we know
-how the seqnum handling works now.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit a36ccdc83edb7437dd00601c459421286fd79db4)
----
- source3/librpc/rpc/dcerpc_helpers.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
-index 0095990..97999d7 100644
---- a/source3/librpc/rpc/dcerpc_helpers.c
-+++ b/source3/librpc/rpc/dcerpc_helpers.c
-@@ -462,9 +462,6 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
- return NT_STATUS_INVALID_PARAMETER;
- }
-
-- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
-- (unsigned long long)sas->seq_num));
--
- switch (auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- status = netsec_outgoing_packet(sas,
---
-1.9.3
-
-
-From e044773b51b76b3582669ee7e3a388d6471e2f2e Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Aug 2013 10:08:54 +0200
-Subject: [PATCH 073/249] s4:libnet: avoid usage of dcerpc_schannel_creds()
-
-We use cli_credentials_get_netlogon_creds() which returns the same value.
-
-dcerpc_schannel_creds() is a layer violation.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit c0144273af8f0956a05d102113c40cec77069f7a)
----
- source4/libnet/libnet_samsync.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/source4/libnet/libnet_samsync.c b/source4/libnet/libnet_samsync.c
-index 9629b9f..206d81e 100644
---- a/source4/libnet/libnet_samsync.c
-+++ b/source4/libnet/libnet_samsync.c
-@@ -25,7 +25,6 @@
- #include "libcli/auth/libcli_auth.h"
- #include "../libcli/samsync/samsync.h"
- #include "auth/gensec/gensec.h"
--#include "auth/gensec/schannel.h"
- #include "auth/credentials/credentials.h"
- #include "libcli/auth/schannel.h"
- #include "librpc/gen_ndr/ndr_netlogon.h"
-@@ -183,9 +182,9 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx
-
- /* get NETLOGON credentials */
-
-- nt_status = dcerpc_schannel_creds(p->conn->security_state.generic_state, samsync_ctx, &creds);
-- if (!NT_STATUS_IS_OK(nt_status)) {
-- r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from DCERPC/GENSEC layer");
-+ creds = cli_credentials_get_netlogon_creds(machine_account);
-+ if (creds == NULL) {
-+ r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from credentials");
- talloc_free(samsync_ctx);
- return nt_status;
- }
---
-1.9.3
-
-
-From 322dc86454fc4e60de641ef02da2c2744c347001 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Aug 2013 10:08:54 +0200
-Subject: [PATCH 074/249] s4:torture: avoid usage of dcerpc_schannel_creds()
-
-We use cli_credentials_get_netlogon_creds() which returns the same value.
-
-dcerpc_schannel_creds() is a layer violation.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 2ea3a24dced0814100e352bbbca124011be73602)
----
- source4/torture/rpc/samlogon.c | 5 ++---
- source4/torture/rpc/samr.c | 6 +++---
- source4/torture/rpc/samsync.c | 11 ++++-------
- source4/torture/rpc/schannel.c | 6 ++----
- 4 files changed, 11 insertions(+), 17 deletions(-)
-
-diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
-index 4861038..886ff39 100644
---- a/source4/torture/rpc/samlogon.c
-+++ b/source4/torture/rpc/samlogon.c
-@@ -29,7 +29,6 @@
- #include "lib/cmdline/popt_common.h"
- #include "torture/rpc/torture_rpc.h"
- #include "auth/gensec/gensec.h"
--#include "auth/gensec/schannel.h"
- #include "libcli/auth/libcli_auth.h"
- #include "param/param.h"
-
-@@ -1764,8 +1763,8 @@ bool torture_rpc_samlogon(struct torture_context *torture)
- torture_assert_ntstatus_ok_goto(torture, status, ret, failed,
- talloc_asprintf(torture, "RPC pipe connect as domain member failed: %s\n", nt_errstr(status)));
-
-- status = dcerpc_schannel_creds(p->conn->security_state.generic_state, mem_ctx, &creds);
-- if (!NT_STATUS_IS_OK(status)) {
-+ creds = cli_credentials_get_netlogon_creds(machine_credentials);
-+ if (creds == NULL) {
- ret = false;
- goto failed;
- }
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index cdfa2b8..d4d64f9 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -37,7 +37,6 @@
- #include "torture/rpc/torture_rpc.h"
- #include "param/param.h"
- #include "auth/gensec/gensec.h"
--#include "auth/gensec/schannel.h"
- #include "auth/gensec/gensec_proto.h"
- #include "../libcli/auth/schannel.h"
-
-@@ -2959,6 +2958,7 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_binding_handle *b,
-
- static bool test_SamLogon(struct torture_context *tctx,
- struct dcerpc_pipe *p,
-+ struct cli_credentials *machine_credentials,
- struct cli_credentials *test_credentials,
- NTSTATUS expected_result,
- bool interactive)
-@@ -2978,7 +2978,7 @@ static bool test_SamLogon(struct torture_context *tctx,
- struct netr_Authenticator a;
- struct dcerpc_binding_handle *b = p->binding_handle;
-
-- torture_assert_ntstatus_ok(tctx, dcerpc_schannel_creds(p->conn->security_state.generic_state, tctx, &creds), "");
-+ torture_assert(tctx, (creds = cli_credentials_get_netlogon_creds(machine_credentials)), "");
-
- if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
- flags |= CLI_CRED_LANMAN_AUTH;
-@@ -3105,7 +3105,7 @@ static bool test_SamLogon_with_creds(struct torture_context *tctx,
- torture_comment(tctx, "Testing samlogon (%s) as %s password: %s\n",
- interactive ? "interactive" : "network", acct_name, password);
-
-- if (!test_SamLogon(tctx, p, test_credentials,
-+ if (!test_SamLogon(tctx, p, machine_creds, test_credentials,
- expected_samlogon_result, interactive)) {
- torture_warning(tctx, "new password did not work\n");
- ret = false;
-diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
-index 81027d0..15cab73 100644
---- a/source4/torture/rpc/samsync.c
-+++ b/source4/torture/rpc/samsync.c
-@@ -27,7 +27,6 @@
- #include "system/time.h"
- #include "torture/rpc/torture_rpc.h"
- #include "auth/gensec/gensec.h"
--#include "auth/gensec/schannel.h"
- #include "libcli/auth/libcli_auth.h"
- #include "libcli/samsync/samsync.h"
- #include "libcli/security/security.h"
-@@ -1720,9 +1719,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
- }
- samsync_state->b = samsync_state->p->binding_handle;
-
-- status = dcerpc_schannel_creds(samsync_state->p->conn->security_state.generic_state,
-- samsync_state, &samsync_state->creds);
-- if (!NT_STATUS_IS_OK(status)) {
-+ samsync_state->creds = cli_credentials_get_netlogon_creds(credentials);
-+ if (samsync_state->creds == NULL) {
- ret = false;
- }
-
-@@ -1758,9 +1756,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
- goto failed;
- }
-
-- status = dcerpc_schannel_creds(samsync_state->p_netlogon_wksta->conn->security_state.generic_state,
-- samsync_state, &samsync_state->creds_netlogon_wksta);
-- if (!NT_STATUS_IS_OK(status)) {
-+ samsync_state->creds_netlogon_wksta = cli_credentials_get_netlogon_creds(credentials_wksta);
-+ if (samsync_state->creds_netlogon_wksta == NULL) {
- torture_comment(torture, "Failed to obtail schanel creds!\n");
- ret = false;
- }
-diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
-index 8203749..0098dcf 100644
---- a/source4/torture/rpc/schannel.c
-+++ b/source4/torture/rpc/schannel.c
-@@ -26,14 +26,12 @@
- #include "auth/credentials/credentials.h"
- #include "torture/rpc/torture_rpc.h"
- #include "lib/cmdline/popt_common.h"
--#include "auth/gensec/schannel.h"
- #include "../libcli/auth/schannel.h"
- #include "libcli/auth/libcli_auth.h"
- #include "libcli/security/security.h"
- #include "system/filesys.h"
- #include "param/param.h"
- #include "librpc/rpc/dcerpc_proto.h"
--#include "auth/gensec/gensec.h"
- #include "libcli/composite/composite.h"
- #include "lib/events/events.h"
-
-@@ -413,8 +411,8 @@ static bool test_schannel(struct torture_context *tctx,
-
- torture_assert_ntstatus_ok(tctx, status, "bind auth");
-
-- status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
-- torture_assert_ntstatus_ok(tctx, status, "schannel creds");
-+ creds = cli_credentials_get_netlogon_creds(credentials);
-+ torture_assert(tctx, (creds != NULL), "schannel creds");
-
- /* checks the capabilities */
- torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
---
-1.9.3
-
-
-From fa1c5bc2cdff9decd361c919567c502ef0c09385 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Aug 2013 12:31:41 +0200
-Subject: [PATCH 075/249] s4:gensec/schannel: remove unused
- dcerpc_schannel_creds()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 4cad5dcb6d5e49cc9bb1aa4ca454f369e00e8c6f)
----
- source4/auth/gensec/schannel.c | 23 -----------------------
- source4/auth/gensec/schannel.h | 26 --------------------------
- 2 files changed, 49 deletions(-)
- delete mode 100644 source4/auth/gensec/schannel.h
-
-diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
-index e7c545f..10d2565 100644
---- a/source4/auth/gensec/schannel.c
-+++ b/source4/auth/gensec/schannel.c
-@@ -29,7 +29,6 @@
- #include "../libcli/auth/schannel.h"
- #include "librpc/rpc/dcerpc.h"
- #include "param/param.h"
--#include "auth/gensec/schannel.h"
- #include "auth/gensec/gensec_toplevel_proto.h"
-
- _PUBLIC_ NTSTATUS gensec_schannel_init(void);
-@@ -204,28 +203,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
- }
-
- /**
-- * Return the struct netlogon_creds_CredentialState.
-- *
-- * Make sure not to call this unless gensec is using schannel...
-- */
--
--/* TODO: make this non-public */
--
--_PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
-- TALLOC_CTX *mem_ctx,
-- struct netlogon_creds_CredentialState **creds)
--{
-- struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
--
-- *creds = talloc_reference(mem_ctx, state->creds);
-- if (!*creds) {
-- return NT_STATUS_NO_MEMORY;
-- }
-- return NT_STATUS_OK;
--}
--
--
--/**
- * Returns anonymous credentials for schannel, matching Win2k3.
- *
- */
-diff --git a/source4/auth/gensec/schannel.h b/source4/auth/gensec/schannel.h
-deleted file mode 100644
-index 88a32a7..0000000
---- a/source4/auth/gensec/schannel.h
-+++ /dev/null
-@@ -1,26 +0,0 @@
--/*
-- Unix SMB/CIFS implementation.
--
-- dcerpc schannel operations
--
-- Copyright (C) Andrew Tridgell 2004
-- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 3 of the License, or
-- (at your option) any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program. If not, see <http://www.gnu.org/licenses/>.
--*/
--
--struct netlogon_creds_CredentialState;
--NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
-- TALLOC_CTX *mem_ctx,
-- struct netlogon_creds_CredentialState **creds);
---
-1.9.3
-
-
-From eeb52af669e963ac856fc77be6a47f7ed33d8580 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Aug 2013 13:04:07 +0200
-Subject: [PATCH 076/249] s4:gensec/schannel: simplify the code by using
- netsec_create_state()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 49f347eb11bd12a3f25b0fcb8ba36d4a36594868)
----
- source4/auth/gensec/schannel.c | 98 +++++++++++++-----------------------------
- 1 file changed, 30 insertions(+), 68 deletions(-)
-
-diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
-index 10d2565..3896a41 100644
---- a/source4/auth/gensec/schannel.c
-+++ b/source4/auth/gensec/schannel.c
-@@ -35,12 +35,11 @@ _PUBLIC_ NTSTATUS gensec_schannel_init(void);
-
- static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
- {
-- struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
-- uint32_t sig_size;
--
-- sig_size = netsec_outgoing_sig_size(state);
-+ struct schannel_state *state =
-+ talloc_get_type_abort(gensec_security->private_data,
-+ struct schannel_state);
-
-- return sig_size;
-+ return netsec_outgoing_sig_size(state);
- }
-
- static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
-@@ -54,7 +53,9 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
- struct tevent_context *ev,
- const DATA_BLOB in, DATA_BLOB *out)
- {
-- struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
-+ struct schannel_state *state =
-+ talloc_get_type(gensec_security->private_data,
-+ struct schannel_state);
- NTSTATUS status;
- enum ndr_err_code ndr_err;
- struct NL_AUTH_MESSAGE bind_schannel;
-@@ -67,24 +68,22 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
-
- switch (gensec_security->gensec_role) {
- case GENSEC_CLIENT:
-- if (state->state != SCHANNEL_STATE_START) {
-+ if (state != NULL) {
- /* we could parse the bind ack, but we don't know what it is yet */
- return NT_STATUS_OK;
- }
-
-- state->creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
-- if (state->creds == NULL) {
-+ creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
-+ if (creds == NULL) {
- return NT_STATUS_INVALID_PARAMETER_MIX;
- }
-- /*
-- * We need to create a reference here or we don't get
-- * updates performed on the credentials if we create a
-- * copy.
-- */
-- state->creds = talloc_reference(state, state->creds);
-- if (state->creds == NULL) {
-+
-+ state = netsec_create_state(gensec_security,
-+ creds, true /* initiator */);
-+ if (state == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-+ gensec_security->private_data = state;
-
- bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
- #if 0
-@@ -117,12 +116,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
- return status;
- }
-
-- state->state = SCHANNEL_STATE_UPDATE_1;
--
- return NT_STATUS_MORE_PROCESSING_REQUIRED;
- case GENSEC_SERVER:
-
-- if (state->state != SCHANNEL_STATE_START) {
-+ if (state != NULL) {
- /* no third leg on this protocol */
- return NT_STATUS_INVALID_PARAMETER;
- }
-@@ -177,7 +174,12 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
- return status;
- }
-
-- state->creds = talloc_steal(state, creds);
-+ state = netsec_create_state(gensec_security,
-+ creds, false /* not initiator */);
-+ if (state == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ gensec_security->private_data = state;
-
- bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
- bind_schannel_ack.Flags = 0;
-@@ -195,8 +197,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
- return status;
- }
-
-- state->state = SCHANNEL_STATE_UPDATE_1;
--
- return NT_STATUS_OK;
- }
- return NT_STATUS_INVALID_PARAMETER;
-@@ -214,54 +214,16 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
- return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
- }
-
--static NTSTATUS schannel_start(struct gensec_security *gensec_security)
--{
-- struct schannel_state *state;
--
-- state = talloc_zero(gensec_security, struct schannel_state);
-- if (!state) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- state->state = SCHANNEL_STATE_START;
-- gensec_security->private_data = state;
--
-- return NT_STATUS_OK;
--}
--
- static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
- {
-- NTSTATUS status;
-- struct schannel_state *state;
--
-- status = schannel_start(gensec_security);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
-- state = (struct schannel_state *)gensec_security->private_data;
-- state->initiator = false;
--
- return NT_STATUS_OK;
- }
-
- static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
- {
-- NTSTATUS status;
-- struct schannel_state *state;
--
-- status = schannel_start(gensec_security);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
-- state = (struct schannel_state *)gensec_security->private_data;
-- state->initiator = true;
--
- return NT_STATUS_OK;
- }
-
--
- static bool schannel_have_feature(struct gensec_security *gensec_security,
- uint32_t feature)
- {
-@@ -287,8 +249,8 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
- const DATA_BLOB *sig)
- {
- struct schannel_state *state =
-- talloc_get_type(gensec_security->private_data,
-- struct schannel_state);
-+ talloc_get_type_abort(gensec_security->private_data,
-+ struct schannel_state);
-
- return netsec_incoming_packet(state, true,
- discard_const_p(uint8_t, data),
-@@ -304,8 +266,8 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
- const DATA_BLOB *sig)
- {
- struct schannel_state *state =
-- talloc_get_type(gensec_security->private_data,
-- struct schannel_state);
-+ talloc_get_type_abort(gensec_security->private_data,
-+ struct schannel_state);
-
- return netsec_incoming_packet(state, false,
- discard_const_p(uint8_t, data),
-@@ -321,8 +283,8 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
- DATA_BLOB *sig)
- {
- struct schannel_state *state =
-- talloc_get_type(gensec_security->private_data,
-- struct schannel_state);
-+ talloc_get_type_abort(gensec_security->private_data,
-+ struct schannel_state);
-
- return netsec_outgoing_packet(state, mem_ctx, true,
- data, length, sig);
-@@ -338,8 +300,8 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
- DATA_BLOB *sig)
- {
- struct schannel_state *state =
-- talloc_get_type(gensec_security->private_data,
-- struct schannel_state);
-+ talloc_get_type_abort(gensec_security->private_data,
-+ struct schannel_state);
-
- return netsec_outgoing_packet(state, mem_ctx, false,
- discard_const_p(uint8_t, data),
---
-1.9.3
-
-
-From 685f00cfd7be11f4c62441e17d6416b9a668bb47 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Aug 2013 13:25:20 +0200
-Subject: [PATCH 077/249] s4:gensec/schannel: use the correct computer_name
- from netlogon_creds_CredentialState
-
-We need to use the same computer_name we used in the netr_Authenticate3
-request.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit b5104768225ae0308aa3f22f8d9bca389ef3cb3a)
----
- source4/auth/gensec/schannel.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
-index 3896a41..91f166b 100644
---- a/source4/auth/gensec/schannel.c
-+++ b/source4/auth/gensec/schannel.c
-@@ -94,17 +94,17 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
- NL_FLAG_UTF8_DNS_DOMAIN_NAME |
- NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
-- bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
-+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
- bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
- /* w2k3 refuses us if we use the full DNS workstation?
- why? perhaps because we don't fill in the dNSHostName
- attribute in the machine account? */
-- bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
-+ bind_schannel.utf8_netbios_computer = creds->computer_name;
- #else
- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
-- bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
-+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
- #endif
-
- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
---
-1.9.3
-
-
-From bd54e89fc5eb4d6afed3ef770dabf14a6ac6b060 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 3 Aug 2013 11:21:32 +0200
-Subject: [PATCH 078/249] s4:gensec/schannel: GENSEC_FEATURE_ASYNC_REPLIES is
- not supported
-
-There's a sequence number attached to the connection,
-which needs to be incremented with each message...
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit a07049a839729e29ca888bae353cd37fd6238486)
----
- source4/auth/gensec/schannel.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
-index 91f166b..7fc0c7c 100644
---- a/source4/auth/gensec/schannel.c
-+++ b/source4/auth/gensec/schannel.c
-@@ -234,9 +234,6 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
- if (feature & GENSEC_FEATURE_DCE_STYLE) {
- return true;
- }
-- if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
-- return true;
-- }
- return false;
- }
-
---
-1.9.3
-
-
-From afcf626800e8aaf94878d62d1fd7318b2ffe21c1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 3 Aug 2013 11:27:55 +0200
-Subject: [PATCH 079/249] s4:gensec/schannel: there's no point in having
- schannel_session_key()
-
-gensec_session_key() will return NT_STATUS_NO_USER_SESSION_KEY
-before calling schannel_session_key(), as we don't provide
-GENSEC_FEATURE_SESSION_KEY.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 9b9ab1ae6963b3819dc2b095cbe9e1432f3459b7)
----
- source4/auth/gensec/schannel.c | 8 --------
- 1 file changed, 8 deletions(-)
-
-diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
-index 7fc0c7c..ebf6469 100644
---- a/source4/auth/gensec/schannel.c
-+++ b/source4/auth/gensec/schannel.c
-@@ -42,13 +42,6 @@ static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t
- return netsec_outgoing_sig_size(state);
- }
-
--static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
-- TALLOC_CTX *mem_ctx,
-- DATA_BLOB *session_key)
--{
-- return NT_STATUS_NOT_IMPLEMENTED;
--}
--
- static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
- const DATA_BLOB in, DATA_BLOB *out)
-@@ -315,7 +308,6 @@ static const struct gensec_security_ops gensec_schannel_security_ops = {
- .sign_packet = schannel_sign_packet,
- .check_packet = schannel_check_packet,
- .unseal_packet = schannel_unseal_packet,
-- .session_key = schannel_session_key,
- .session_info = schannel_session_info,
- .sig_size = schannel_sig_size,
- .have_feature = schannel_have_feature,
---
-1.9.3
-
-
-From 56599b7019eabe3656bdba676214c74191ad068f Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 3 Aug 2013 11:32:31 +0200
-Subject: [PATCH 080/249] s4:gensec/schannel: only require
- librpc/gen_ndr/dcerpc.h
-
-We just need DCERPC_AUTH_TYPE_SCHANNEL
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit e90e1b5c76db4cf589adf8856eb32e5f0d955734)
----
- source4/auth/gensec/schannel.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
-index ebf6469..e67432c 100644
---- a/source4/auth/gensec/schannel.c
-+++ b/source4/auth/gensec/schannel.c
-@@ -27,7 +27,7 @@
- #include "auth/gensec/gensec.h"
- #include "auth/gensec/gensec_proto.h"
- #include "../libcli/auth/schannel.h"
--#include "librpc/rpc/dcerpc.h"
-+#include "librpc/gen_ndr/dcerpc.h"
- #include "param/param.h"
- #include "auth/gensec/gensec_toplevel_proto.h"
-
---
-1.9.3
-
-
-From baa82a6ef22c1761c7206323e90781d008a7888b Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Aug 2013 13:37:54 +0200
-Subject: [PATCH 081/249] libcli/auth/schannel: make struct schannel_state
- private
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 4c978b68d9a87001f625c10421e7d4cc140b4554)
----
- libcli/auth/schannel.h | 13 -------------
- libcli/auth/schannel_sign.c | 12 ++++++++++++
- 2 files changed, 12 insertions(+), 13 deletions(-)
-
-diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
-index 271b5bb..c53d68e 100644
---- a/libcli/auth/schannel.h
-+++ b/libcli/auth/schannel.h
-@@ -22,17 +22,4 @@
-
- #include "libcli/auth/libcli_auth.h"
- #include "libcli/auth/schannel_state.h"
--
--enum schannel_position {
-- SCHANNEL_STATE_START = 0,
-- SCHANNEL_STATE_UPDATE_1
--};
--
--struct schannel_state {
-- enum schannel_position state;
-- uint64_t seq_num;
-- bool initiator;
-- struct netlogon_creds_CredentialState *creds;
--};
--
- #include "libcli/auth/schannel_proto.h"
-diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
-index 518a6a9..88a6e1e 100644
---- a/libcli/auth/schannel_sign.c
-+++ b/libcli/auth/schannel_sign.c
-@@ -24,6 +24,18 @@
- #include "../libcli/auth/schannel.h"
- #include "../lib/crypto/crypto.h"
-
-+enum schannel_position {
-+ SCHANNEL_STATE_START = 0,
-+ SCHANNEL_STATE_UPDATE_1
-+};
-+
-+struct schannel_state {
-+ enum schannel_position state;
-+ uint64_t seq_num;
-+ bool initiator;
-+ struct netlogon_creds_CredentialState *creds;
-+};
-+
- #define SETUP_SEQNUM(state, buf, initiator) do { \
- uint8_t *_buf = buf; \
- uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
---
-1.9.3
-
-
-From 29806ef23a9826688ace1dc52cd7af554cf83294 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Aug 2013 15:42:21 +0200
-Subject: [PATCH 082/249] libcli/auth/schannel: remove unused schannel_position
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 57bcbb9c50f0a0252110a1e04a2883b511cd9165)
----
- libcli/auth/schannel_sign.c | 7 -------
- 1 file changed, 7 deletions(-)
-
-diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
-index 88a6e1e..9502cba 100644
---- a/libcli/auth/schannel_sign.c
-+++ b/libcli/auth/schannel_sign.c
-@@ -24,13 +24,7 @@
- #include "../libcli/auth/schannel.h"
- #include "../lib/crypto/crypto.h"
-
--enum schannel_position {
-- SCHANNEL_STATE_START = 0,
-- SCHANNEL_STATE_UPDATE_1
--};
--
- struct schannel_state {
-- enum schannel_position state;
- uint64_t seq_num;
- bool initiator;
- struct netlogon_creds_CredentialState *creds;
-@@ -58,7 +52,6 @@ struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
- return NULL;
- }
-
-- state->state = SCHANNEL_STATE_UPDATE_1;
- state->initiator = initiator;
- state->seq_num = 0;
- state->creds = netlogon_creds_copy(state, creds);
---
-1.9.3
-
-
-From a6ad9118c250446ea9571f5ce9895b11ab8537ed Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 5 Aug 2013 07:12:01 +0200
-Subject: [PATCH 083/249] auth/gensec: introduce gensec_internal.h
-
-We should treat most gensec related structures private.
-
-It's a long way, but this is a start.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 71c63e85e7a09acb57f6b75284358f2b3b29eeed)
----
- auth/gensec/gensec.c | 1 +
- auth/gensec/gensec.h | 100 ++-------------------------
- auth/gensec/gensec_internal.h | 127 +++++++++++++++++++++++++++++++++++
- auth/gensec/gensec_start.c | 1 +
- auth/gensec/gensec_util.c | 1 +
- auth/gensec/spnego.c | 1 +
- auth/ntlmssp/gensec_ntlmssp.c | 1 +
- auth/ntlmssp/gensec_ntlmssp_server.c | 1 +
- auth/ntlmssp/ntlmssp.c | 1 +
- auth/ntlmssp/ntlmssp_client.c | 1 +
- auth/ntlmssp/ntlmssp_server.c | 1 +
- source3/libads/authdata.c | 1 +
- source3/librpc/crypto/gse.c | 1 +
- source3/libsmb/ntlmssp_wrap.c | 1 +
- source3/utils/ntlm_auth.c | 1 +
- source4/auth/gensec/cyrus_sasl.c | 1 +
- source4/auth/gensec/gensec_gssapi.c | 1 +
- source4/auth/gensec/gensec_krb5.c | 1 +
- source4/auth/gensec/pygensec.c | 1 +
- source4/auth/gensec/schannel.c | 1 +
- source4/ldap_server/ldap_backend.c | 1 +
- source4/libcli/ldap/ldap_bind.c | 1 +
- source4/torture/auth/ntlmssp.c | 1 +
- source4/utils/ntlm_auth.c | 1 +
- 24 files changed, 153 insertions(+), 96 deletions(-)
- create mode 100644 auth/gensec/gensec_internal.h
-
-diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
-index 9a8f0ef..d364a34 100644
---- a/auth/gensec/gensec.c
-+++ b/auth/gensec/gensec.c
-@@ -26,6 +26,7 @@
- #include "lib/tsocket/tsocket.h"
- #include "lib/util/tevent_ntstatus.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "librpc/rpc/dcerpc.h"
-
- /*
-diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
-index c080861..5d39d81 100644
---- a/auth/gensec/gensec.h
-+++ b/auth/gensec/gensec.h
-@@ -76,6 +76,7 @@ struct gensec_settings;
- struct tevent_context;
- struct tevent_req;
- struct smb_krb5_context;
-+struct tsocket_address;
-
- struct gensec_settings {
- struct loadparm_context *lp_ctx;
-@@ -93,106 +94,13 @@ struct gensec_settings {
- const char *server_netbios_name;
- };
-
--struct gensec_security_ops {
-- const char *name;
-- const char *sasl_name;
-- uint8_t auth_type; /* 0 if not offered on DCE-RPC */
-- const char **oid; /* NULL if not offered by SPNEGO */
-- NTSTATUS (*client_start)(struct gensec_security *gensec_security);
-- NTSTATUS (*server_start)(struct gensec_security *gensec_security);
-- /**
-- Determine if a packet has the right 'magic' for this mechanism
-- */
-- NTSTATUS (*magic)(struct gensec_security *gensec_security,
-- const DATA_BLOB *first_packet);
-- NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
-- struct tevent_context *ev,
-- const DATA_BLOB in, DATA_BLOB *out);
-- NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
-- uint8_t *data, size_t length,
-- const uint8_t *whole_pdu, size_t pdu_length,
-- DATA_BLOB *sig);
-- NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
-- const uint8_t *data, size_t length,
-- const uint8_t *whole_pdu, size_t pdu_length,
-- DATA_BLOB *sig);
-- size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
-- size_t (*max_input_size)(struct gensec_security *gensec_security);
-- size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
-- NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
-- const uint8_t *data, size_t length,
-- const uint8_t *whole_pdu, size_t pdu_length,
-- const DATA_BLOB *sig);
-- NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
-- uint8_t *data, size_t length,
-- const uint8_t *whole_pdu, size_t pdu_length,
-- const DATA_BLOB *sig);
-- NTSTATUS (*wrap)(struct gensec_security *gensec_security,
-- TALLOC_CTX *mem_ctx,
-- const DATA_BLOB *in,
-- DATA_BLOB *out);
-- NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
-- TALLOC_CTX *mem_ctx,
-- const DATA_BLOB *in,
-- DATA_BLOB *out);
-- NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
-- TALLOC_CTX *mem_ctx,
-- const DATA_BLOB *in,
-- DATA_BLOB *out,
-- size_t *len_processed);
-- NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
-- TALLOC_CTX *mem_ctx,
-- const DATA_BLOB *in,
-- DATA_BLOB *out,
-- size_t *len_processed);
-- NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
-- DATA_BLOB blob, size_t *size);
-- NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
-- DATA_BLOB *session_key);
-- NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
-- struct auth_session_info **session_info);
-- void (*want_feature)(struct gensec_security *gensec_security,
-- uint32_t feature);
-- bool (*have_feature)(struct gensec_security *gensec_security,
-- uint32_t feature);
-- NTTIME (*expire_time)(struct gensec_security *gensec_security);
-- bool enabled;
-- bool kerberos;
-- enum gensec_priority priority;
--};
--
--struct gensec_security_ops_wrapper {
-- const struct gensec_security_ops *op;
-- const char *oid;
--};
-+struct gensec_security_ops;
-+struct gensec_security_ops_wrapper;
-
- #define GENSEC_INTERFACE_VERSION 0
-
--struct gensec_security {
-- const struct gensec_security_ops *ops;
-- void *private_data;
-- struct cli_credentials *credentials;
-- struct gensec_target target;
-- enum gensec_role gensec_role;
-- bool subcontext;
-- uint32_t want_features;
-- uint32_t max_update_size;
-- uint8_t dcerpc_auth_level;
-- struct tsocket_address *local_addr, *remote_addr;
-- struct gensec_settings *settings;
--
-- /* When we are a server, this may be filled in to provide an
-- * NTLM authentication backend, and user lookup (such as if no
-- * PAC is found) */
-- struct auth4_context *auth_context;
--};
--
- /* this structure is used by backends to determine the size of some critical types */
--struct gensec_critical_sizes {
-- int interface_version;
-- int sizeof_gensec_security_ops;
-- int sizeof_gensec_security;
--};
-+struct gensec_critical_sizes;
- const struct gensec_critical_sizes *gensec_interface_version(void);
-
- /* Socket wrapper */
-diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
-new file mode 100644
-index 0000000..41b6f0d
---- /dev/null
-+++ b/auth/gensec/gensec_internal.h
-@@ -0,0 +1,127 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+
-+ Generic Authentication Interface
-+
-+ Copyright (C) Andrew Tridgell 2003
-+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#ifndef __GENSEC_INTERNAL_H__
-+#define __GENSEC_INTERNAL_H__
-+
-+struct gensec_security;
-+
-+struct gensec_security_ops {
-+ const char *name;
-+ const char *sasl_name;
-+ uint8_t auth_type; /* 0 if not offered on DCE-RPC */
-+ const char **oid; /* NULL if not offered by SPNEGO */
-+ NTSTATUS (*client_start)(struct gensec_security *gensec_security);
-+ NTSTATUS (*server_start)(struct gensec_security *gensec_security);
-+ /**
-+ Determine if a packet has the right 'magic' for this mechanism
-+ */
-+ NTSTATUS (*magic)(struct gensec_security *gensec_security,
-+ const DATA_BLOB *first_packet);
-+ NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
-+ struct tevent_context *ev,
-+ const DATA_BLOB in, DATA_BLOB *out);
-+ NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
-+ uint8_t *data, size_t length,
-+ const uint8_t *whole_pdu, size_t pdu_length,
-+ DATA_BLOB *sig);
-+ NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
-+ const uint8_t *data, size_t length,
-+ const uint8_t *whole_pdu, size_t pdu_length,
-+ DATA_BLOB *sig);
-+ size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
-+ size_t (*max_input_size)(struct gensec_security *gensec_security);
-+ size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
-+ NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
-+ const uint8_t *data, size_t length,
-+ const uint8_t *whole_pdu, size_t pdu_length,
-+ const DATA_BLOB *sig);
-+ NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
-+ uint8_t *data, size_t length,
-+ const uint8_t *whole_pdu, size_t pdu_length,
-+ const DATA_BLOB *sig);
-+ NTSTATUS (*wrap)(struct gensec_security *gensec_security,
-+ TALLOC_CTX *mem_ctx,
-+ const DATA_BLOB *in,
-+ DATA_BLOB *out);
-+ NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
-+ TALLOC_CTX *mem_ctx,
-+ const DATA_BLOB *in,
-+ DATA_BLOB *out);
-+ NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
-+ TALLOC_CTX *mem_ctx,
-+ const DATA_BLOB *in,
-+ DATA_BLOB *out,
-+ size_t *len_processed);
-+ NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
-+ TALLOC_CTX *mem_ctx,
-+ const DATA_BLOB *in,
-+ DATA_BLOB *out,
-+ size_t *len_processed);
-+ NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
-+ DATA_BLOB blob, size_t *size);
-+ NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
-+ DATA_BLOB *session_key);
-+ NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
-+ struct auth_session_info **session_info);
-+ void (*want_feature)(struct gensec_security *gensec_security,
-+ uint32_t feature);
-+ bool (*have_feature)(struct gensec_security *gensec_security,
-+ uint32_t feature);
-+ NTTIME (*expire_time)(struct gensec_security *gensec_security);
-+ bool enabled;
-+ bool kerberos;
-+ enum gensec_priority priority;
-+};
-+
-+struct gensec_security_ops_wrapper {
-+ const struct gensec_security_ops *op;
-+ const char *oid;
-+};
-+
-+struct gensec_security {
-+ const struct gensec_security_ops *ops;
-+ void *private_data;
-+ struct cli_credentials *credentials;
-+ struct gensec_target target;
-+ enum gensec_role gensec_role;
-+ bool subcontext;
-+ uint32_t want_features;
-+ uint32_t max_update_size;
-+ uint8_t dcerpc_auth_level;
-+ struct tsocket_address *local_addr, *remote_addr;
-+ struct gensec_settings *settings;
-+
-+ /* When we are a server, this may be filled in to provide an
-+ * NTLM authentication backend, and user lookup (such as if no
-+ * PAC is found) */
-+ struct auth4_context *auth_context;
-+};
-+
-+/* this structure is used by backends to determine the size of some critical types */
-+struct gensec_critical_sizes {
-+ int interface_version;
-+ int sizeof_gensec_security_ops;
-+ int sizeof_gensec_security;
-+};
-+
-+#endif /* __GENSEC_H__ */
-diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
-index c2cfa1c..34029f5 100644
---- a/auth/gensec/gensec_start.c
-+++ b/auth/gensec/gensec_start.c
-@@ -27,6 +27,7 @@
- #include "librpc/rpc/dcerpc.h"
- #include "auth/credentials/credentials.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "lib/param/param.h"
- #include "lib/util/tsort.h"
- #include "lib/util/samba_modules.h"
-diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
-index 64952b1..568128a 100644
---- a/auth/gensec/gensec_util.c
-+++ b/auth/gensec/gensec_util.c
-@@ -22,6 +22,7 @@
-
- #include "includes.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "auth/common_auth.h"
- #include "../lib/util/asn1.h"
-
-diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
-index da1fc0e..38a45f8 100644
---- a/auth/gensec/spnego.c
-+++ b/auth/gensec/spnego.c
-@@ -27,6 +27,7 @@
- #include "librpc/gen_ndr/ndr_dcerpc.h"
- #include "auth/credentials/credentials.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "param/param.h"
- #include "lib/util/asn1.h"
-
-diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
-index 9e1d8a8..654c0e3 100644
---- a/auth/ntlmssp/gensec_ntlmssp.c
-+++ b/auth/ntlmssp/gensec_ntlmssp.c
-@@ -22,6 +22,7 @@
- #include "includes.h"
- #include "auth/ntlmssp/ntlmssp.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "auth/ntlmssp/ntlmssp_private.h"
-
- NTSTATUS gensec_ntlmssp_magic(struct gensec_security *gensec_security,
-diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
-index f4dfab3..69c56fb 100644
---- a/auth/ntlmssp/gensec_ntlmssp_server.c
-+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
-@@ -31,6 +31,7 @@
- #include "../libcli/auth/libcli_auth.h"
- #include "../lib/crypto/crypto.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "auth/common_auth.h"
- #include "param/param.h"
-
-diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
-index 1a2d662..916b376 100644
---- a/auth/ntlmssp/ntlmssp.c
-+++ b/auth/ntlmssp/ntlmssp.c
-@@ -29,6 +29,7 @@ struct auth_session_info;
- #include "../libcli/auth/libcli_auth.h"
- #include "librpc/gen_ndr/ndr_dcerpc.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
-
- /**
- * Callbacks for NTLMSSP - for both client and server operating modes
-diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
-index fc66a8d..f99257d 100644
---- a/auth/ntlmssp/ntlmssp_client.c
-+++ b/auth/ntlmssp/ntlmssp_client.c
-@@ -29,6 +29,7 @@ struct auth_session_info;
- #include "../libcli/auth/libcli_auth.h"
- #include "auth/credentials/credentials.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "param/param.h"
- #include "auth/ntlmssp/ntlmssp_private.h"
- #include "../librpc/gen_ndr/ndr_ntlmssp.h"
-diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
-index 57179e1..2f3f0bb 100644
---- a/auth/ntlmssp/ntlmssp_server.c
-+++ b/auth/ntlmssp/ntlmssp_server.c
-@@ -28,6 +28,7 @@
- #include "../libcli/auth/libcli_auth.h"
- #include "../lib/crypto/crypto.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "auth/common_auth.h"
-
- /**
-diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
-index 2c667a6..582917d 100644
---- a/source3/libads/authdata.c
-+++ b/source3/libads/authdata.c
-@@ -30,6 +30,7 @@
- #include "lib/param/param.h"
- #include "librpc/crypto/gse.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
- #include "../libcli/auth/spnego.h"
-
- #ifdef HAVE_KRB5
-diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
-index 11a5457..8db3cdd 100644
---- a/source3/librpc/crypto/gse.c
-+++ b/source3/librpc/crypto/gse.c
-@@ -26,6 +26,7 @@
- #include "libads/kerberos_proto.h"
- #include "auth/common_auth.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "auth/credentials/credentials.h"
- #include "../librpc/gen_ndr/dcerpc.h"
-
-diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c
-index 9ce4b12..46f68ae 100644
---- a/source3/libsmb/ntlmssp_wrap.c
-+++ b/source3/libsmb/ntlmssp_wrap.c
-@@ -23,6 +23,7 @@
- #include "auth/ntlmssp/ntlmssp_private.h"
- #include "auth_generic.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "auth/credentials/credentials.h"
- #include "librpc/rpc/dcerpc.h"
- #include "lib/param/param.h"
-diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
-index a5e0cd2..5fcb60e 100644
---- a/source3/utils/ntlm_auth.c
-+++ b/source3/utils/ntlm_auth.c
-@@ -32,6 +32,7 @@
- #include "../libcli/auth/spnego.h"
- #include "auth/ntlmssp/ntlmssp.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "auth/credentials/credentials.h"
- #include "librpc/crypto/gse.h"
- #include "smb_krb5.h"
-diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
-index 2e733bf..08dccd6 100644
---- a/source4/auth/gensec/cyrus_sasl.c
-+++ b/source4/auth/gensec/cyrus_sasl.c
-@@ -23,6 +23,7 @@
- #include "lib/tsocket/tsocket.h"
- #include "auth/credentials/credentials.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "auth/gensec/gensec_proto.h"
- #include "auth/gensec/gensec_toplevel_proto.h"
- #include <sasl/sasl.h>
-diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
-index 4fc544f..63a53bf 100644
---- a/source4/auth/gensec/gensec_gssapi.c
-+++ b/source4/auth/gensec/gensec_gssapi.c
-@@ -34,6 +34,7 @@
- #include "auth/credentials/credentials.h"
- #include "auth/credentials/credentials_krb5.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "auth/gensec/gensec_proto.h"
- #include "auth/gensec/gensec_toplevel_proto.h"
- #include "param/param.h"
-diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
-index fbec64c..ecc3331 100644
---- a/source4/auth/gensec/gensec_krb5.c
-+++ b/source4/auth/gensec/gensec_krb5.c
-@@ -34,6 +34,7 @@
- #include "auth/credentials/credentials_krb5.h"
- #include "auth/kerberos/kerberos_credentials.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "auth/gensec/gensec_proto.h"
- #include "auth/gensec/gensec_toplevel_proto.h"
- #include "param/param.h"
-diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c
-index 02e5ae2..fd6daff 100644
---- a/source4/auth/gensec/pygensec.c
-+++ b/source4/auth/gensec/pygensec.c
-@@ -20,6 +20,7 @@
- #include "includes.h"
- #include "param/pyparam.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
- #include "auth/credentials/pycredentials.h"
- #include "libcli/util/pyerrors.h"
- #include "python/modules.h"
-diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
-index e67432c..eb2e100 100644
---- a/source4/auth/gensec/schannel.c
-+++ b/source4/auth/gensec/schannel.c
-@@ -25,6 +25,7 @@
- #include "auth/auth.h"
- #include "auth/credentials/credentials.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "auth/gensec/gensec_proto.h"
- #include "../libcli/auth/schannel.h"
- #include "librpc/gen_ndr/dcerpc.h"
-diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
-index 4a195e5..f0da82c 100644
---- a/source4/ldap_server/ldap_backend.c
-+++ b/source4/ldap_server/ldap_backend.c
-@@ -23,6 +23,7 @@
- #include "../lib/util/dlinklist.h"
- #include "auth/credentials/credentials.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
- #include "param/param.h"
- #include "smbd/service_stream.h"
- #include "dsdb/samdb/samdb.h"
-diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
-index b355e18..f0a498b 100644
---- a/source4/libcli/ldap/ldap_bind.c
-+++ b/source4/libcli/ldap/ldap_bind.c
-@@ -27,6 +27,7 @@
- #include "libcli/ldap/ldap_client.h"
- #include "lib/tls/tls.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
- #include "auth/gensec/gensec_socket.h"
- #include "auth/credentials/credentials.h"
- #include "lib/stream/packet.h"
-diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c
-index bdaa65b..45e5889 100644
---- a/source4/torture/auth/ntlmssp.c
-+++ b/source4/torture/auth/ntlmssp.c
-@@ -19,6 +19,7 @@
-
- #include "includes.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
- #include "auth/ntlmssp/ntlmssp.h"
- #include "auth/ntlmssp/ntlmssp_private.h"
- #include "lib/cmdline/popt_common.h"
-diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
-index 136e238..1e2feb0 100644
---- a/source4/utils/ntlm_auth.c
-+++ b/source4/utils/ntlm_auth.c
-@@ -27,6 +27,7 @@
- #include <ldb.h>
- #include "auth/credentials/credentials.h"
- #include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
- #include "auth/auth.h"
- #include "librpc/gen_ndr/ndr_netlogon.h"
- #include "auth/auth_sam.h"
---
-1.9.3
-
-
-From fabdf9f539385d97bc4bf2550e7fd4de2d1b5d01 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 5 Aug 2013 10:37:26 +0200
-Subject: [PATCH 084/249] auth/gensec: avoid talloc_reference in
- gensec_use_kerberos_mechs()
-
-We now always copy.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 3e3534f882651880093381f5a7846c0938df6501)
----
- auth/gensec/gensec_start.c | 38 ++++++++++++++++++++------------------
- 1 file changed, 20 insertions(+), 18 deletions(-)
-
-diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
-index 34029f5..096ad36 100644
---- a/auth/gensec/gensec_start.c
-+++ b/auth/gensec/gensec_start.c
-@@ -80,13 +80,6 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
- use_kerberos = cli_credentials_get_kerberos_state(creds);
- }
-
-- if (use_kerberos == CRED_AUTO_USE_KERBEROS) {
-- if (!talloc_reference(mem_ctx, old_gensec_list)) {
-- return NULL;
-- }
-- return old_gensec_list;
-- }
--
- for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
- /* noop */
- }
-@@ -99,35 +92,44 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
- j = 0;
- for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
- int oid_idx;
-- bool found_spnego = false;
-+ bool keep = false;
-+
- for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
- if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
-- new_gensec_list[j] = old_gensec_list[i];
-- j++;
-- found_spnego = true;
-+ keep = true;
- break;
- }
- }
-- if (found_spnego) {
-- continue;
-- }
-+
- switch (use_kerberos) {
-+ case CRED_AUTO_USE_KERBEROS:
-+ keep = true;
-+ break;
-+
- case CRED_DONT_USE_KERBEROS:
- if (old_gensec_list[i]->kerberos == false) {
-- new_gensec_list[j] = old_gensec_list[i];
-- j++;
-+ keep = true;
- }
-+
- break;
-+
- case CRED_MUST_USE_KERBEROS:
- if (old_gensec_list[i]->kerberos == true) {
-- new_gensec_list[j] = old_gensec_list[i];
-- j++;
-+ keep = true;
- }
-+
- break;
- default:
- /* Can't happen or invalid parameter */
- return NULL;
- }
-+
-+ if (!keep) {
-+ continue;
-+ }
-+
-+ new_gensec_list[j] = old_gensec_list[i];
-+ j++;
- }
- new_gensec_list[j] = NULL;
-
---
-1.9.3
-
-
-From b71ed3dd183d64beda108d0881c03978ef4b3892 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 5 Aug 2013 10:39:16 +0200
-Subject: [PATCH 085/249] auth/gensec: avoid talloc_reference in
- gensec_security_mechs()
-
-We now always copy.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 6a7a44db5999af7262478eb1c186d784d6075beb)
----
- auth/gensec/gensec_start.c | 27 +++++++++------------------
- 1 file changed, 9 insertions(+), 18 deletions(-)
-
-diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
-index 096ad36..00e2759 100644
---- a/auth/gensec/gensec_start.c
-+++ b/auth/gensec/gensec_start.c
-@@ -140,28 +140,19 @@ _PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
- struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx)
- {
-- struct gensec_security_ops **backends;
-- if (!gensec_security) {
-- backends = gensec_security_all();
-- if (!talloc_reference(mem_ctx, backends)) {
-- return NULL;
-- }
-- return backends;
-- } else {
-- struct cli_credentials *creds = gensec_get_credentials(gensec_security);
-+ struct cli_credentials *creds = NULL;
-+ struct gensec_security_ops **backends = gensec_security_all();
-+
-+ if (gensec_security != NULL) {
-+ creds = gensec_get_credentials(gensec_security);
-+
- if (gensec_security->settings->backends) {
- backends = gensec_security->settings->backends;
-- } else {
-- backends = gensec_security_all();
- }
-- if (!creds) {
-- if (!talloc_reference(mem_ctx, backends)) {
-- return NULL;
-- }
-- return backends;
-- }
-- return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
- }
-+
-+ return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
-+
- }
-
- static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
---
-1.9.3
-
-
-From fe6a14d48b0eb3dfcfc6d7f0b68e8f28b7ad9796 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 5 Aug 2013 16:12:13 +0200
-Subject: [PATCH 086/249] auth/gensec: make it possible to implement async
- backends
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit e81550c8117166d0fbf69ba1d3957cb950c42961)
----
- auth/gensec/gensec.c | 202 ++++++++++++++++++++++++++++++++----------
- auth/gensec/gensec_internal.h | 7 ++
- 2 files changed, 160 insertions(+), 49 deletions(-)
-
-diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
-index d364a34..abcbcb9 100644
---- a/auth/gensec/gensec.c
-+++ b/auth/gensec/gensec.c
-@@ -218,61 +218,92 @@ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_
- const DATA_BLOB in, DATA_BLOB *out)
- {
- NTSTATUS status;
-+ const struct gensec_security_ops *ops = gensec_security->ops;
-+ TALLOC_CTX *frame = NULL;
-+ struct tevent_req *subreq = NULL;
-+ bool ok;
-
-- status = gensec_security->ops->update(gensec_security, out_mem_ctx,
-- ev, in, out);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
-+ if (ops->update_send == NULL) {
-
-- /*
-- * Because callers using the
-- * gensec_start_mech_by_auth_type() never call
-- * gensec_want_feature(), it isn't sensible for them
-- * to have to call gensec_have_feature() manually, and
-- * these are not points of negotiation, but are
-- * asserted by the client
-- */
-- switch (gensec_security->dcerpc_auth_level) {
-- case DCERPC_AUTH_LEVEL_INTEGRITY:
-- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-- DEBUG(0,("Did not manage to negotiate mandetory feature "
-- "SIGN for dcerpc auth_level %u\n",
-- gensec_security->dcerpc_auth_level));
-- return NT_STATUS_ACCESS_DENIED;
-- }
-- break;
-- case DCERPC_AUTH_LEVEL_PRIVACY:
-- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-- DEBUG(0,("Did not manage to negotiate mandetory feature "
-- "SIGN for dcerpc auth_level %u\n",
-- gensec_security->dcerpc_auth_level));
-- return NT_STATUS_ACCESS_DENIED;
-+ status = ops->update(gensec_security, out_mem_ctx,
-+ ev, in, out);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
- }
-- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-- DEBUG(0,("Did not manage to negotiate mandetory feature "
-- "SEAL for dcerpc auth_level %u\n",
-- gensec_security->dcerpc_auth_level));
-- return NT_STATUS_ACCESS_DENIED;
-+
-+ /*
-+ * Because callers using the
-+ * gensec_start_mech_by_auth_type() never call
-+ * gensec_want_feature(), it isn't sensible for them
-+ * to have to call gensec_have_feature() manually, and
-+ * these are not points of negotiation, but are
-+ * asserted by the client
-+ */
-+ switch (gensec_security->dcerpc_auth_level) {
-+ case DCERPC_AUTH_LEVEL_INTEGRITY:
-+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-+ DEBUG(0,("Did not manage to negotiate mandetory feature "
-+ "SIGN for dcerpc auth_level %u\n",
-+ gensec_security->dcerpc_auth_level));
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+ break;
-+ case DCERPC_AUTH_LEVEL_PRIVACY:
-+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-+ DEBUG(0,("Did not manage to negotiate mandetory feature "
-+ "SIGN for dcerpc auth_level %u\n",
-+ gensec_security->dcerpc_auth_level));
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-+ DEBUG(0,("Did not manage to negotiate mandetory feature "
-+ "SEAL for dcerpc auth_level %u\n",
-+ gensec_security->dcerpc_auth_level));
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+ break;
-+ default:
-+ break;
- }
-- break;
-- default:
-- break;
-+
-+ return NT_STATUS_OK;
- }
-
-- return NT_STATUS_OK;
-+ frame = talloc_stackframe();
-+
-+ subreq = ops->update_send(frame, ev, gensec_security, in);
-+ if (subreq == NULL) {
-+ goto fail;
-+ }
-+ ok = tevent_req_poll_ntstatus(subreq, ev, &status);
-+ if (!ok) {
-+ goto fail;
-+ }
-+ status = ops->update_recv(subreq, out_mem_ctx, out);
-+ fail:
-+ TALLOC_FREE(frame);
-+ return status;
- }
-
- struct gensec_update_state {
-- struct tevent_immediate *im;
-+ const struct gensec_security_ops *ops;
-+ struct tevent_req *subreq;
- struct gensec_security *gensec_security;
-- DATA_BLOB in;
- DATA_BLOB out;
-+
-+ /*
-+ * only for sync backends, we should remove this
-+ * once all backends are async.
-+ */
-+ struct tevent_immediate *im;
-+ DATA_BLOB in;
- };
-
- static void gensec_update_async_trigger(struct tevent_context *ctx,
- struct tevent_immediate *im,
- void *private_data);
-+static void gensec_update_subreq_done(struct tevent_req *subreq);
-+
- /**
- * Next state function for the GENSEC state machine async version
- *
-@@ -298,17 +329,31 @@ _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
- return NULL;
- }
-
-- state->gensec_security = gensec_security;
-- state->in = in;
-- state->out = data_blob(NULL, 0);
-- state->im = tevent_create_immediate(state);
-- if (tevent_req_nomem(state->im, req)) {
-+ state->ops = gensec_security->ops;
-+ state->gensec_security = gensec_security;
-+
-+ if (state->ops->update_send == NULL) {
-+ state->in = in;
-+ state->im = tevent_create_immediate(state);
-+ if (tevent_req_nomem(state->im, req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ tevent_schedule_immediate(state->im, ev,
-+ gensec_update_async_trigger,
-+ req);
-+
-+ return req;
-+ }
-+
-+ state->subreq = state->ops->update_send(state, ev, gensec_security, in);
-+ if (tevent_req_nomem(state->subreq, req)) {
- return tevent_req_post(req, ev);
- }
-
-- tevent_schedule_immediate(state->im, ev,
-- gensec_update_async_trigger,
-- req);
-+ tevent_req_set_callback(state->subreq,
-+ gensec_update_subreq_done,
-+ req);
-
- return req;
- }
-@@ -323,12 +368,71 @@ static void gensec_update_async_trigger(struct tevent_context *ctx,
- tevent_req_data(req, struct gensec_update_state);
- NTSTATUS status;
-
-- status = gensec_update(state->gensec_security, state, ctx,
-- state->in, &state->out);
-+ status = state->ops->update(state->gensec_security, state, ctx,
-+ state->in, &state->out);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+
-+ tevent_req_done(req);
-+}
-+
-+static void gensec_update_subreq_done(struct tevent_req *subreq)
-+{
-+ struct tevent_req *req =
-+ tevent_req_callback_data(subreq,
-+ struct tevent_req);
-+ struct gensec_update_state *state =
-+ tevent_req_data(req,
-+ struct gensec_update_state);
-+ NTSTATUS status;
-+
-+ state->subreq = NULL;
-+
-+ status = state->ops->update_recv(subreq, state, &state->out);
-+ TALLOC_FREE(subreq);
- if (tevent_req_nterror(req, status)) {
- return;
- }
-
-+ /*
-+ * Because callers using the
-+ * gensec_start_mech_by_authtype() never call
-+ * gensec_want_feature(), it isn't sensible for them
-+ * to have to call gensec_have_feature() manually, and
-+ * these are not points of negotiation, but are
-+ * asserted by the client
-+ */
-+ switch (state->gensec_security->dcerpc_auth_level) {
-+ case DCERPC_AUTH_LEVEL_INTEGRITY:
-+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
-+ DEBUG(0,("Did not manage to negotiate mandetory feature "
-+ "SIGN for dcerpc auth_level %u\n",
-+ state->gensec_security->dcerpc_auth_level));
-+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
-+ return;
-+ }
-+ break;
-+ case DCERPC_AUTH_LEVEL_PRIVACY:
-+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
-+ DEBUG(0,("Did not manage to negotiate mandetory feature "
-+ "SIGN for dcerpc auth_level %u\n",
-+ state->gensec_security->dcerpc_auth_level));
-+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
-+ return;
-+ }
-+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SEAL)) {
-+ DEBUG(0,("Did not manage to negotiate mandetory feature "
-+ "SEAL for dcerpc auth_level %u\n",
-+ state->gensec_security->dcerpc_auth_level));
-+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
-+ return;
-+ }
-+ break;
-+ default:
-+ break;
-+ }
-+
- tevent_req_done(req);
- }
-
-diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
-index 41b6f0d..c04164a 100644
---- a/auth/gensec/gensec_internal.h
-+++ b/auth/gensec/gensec_internal.h
-@@ -40,6 +40,13 @@ struct gensec_security_ops {
- NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
- const DATA_BLOB in, DATA_BLOB *out);
-+ struct tevent_req *(*update_send)(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct gensec_security *gensec_security,
-+ const DATA_BLOB in);
-+ NTSTATUS (*update_recv)(struct tevent_req *req,
-+ TALLOC_CTX *out_mem_ctx,
-+ DATA_BLOB *out);
- NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
- uint8_t *data, size_t length,
- const uint8_t *whole_pdu, size_t pdu_length,
---
-1.9.3
-
-
-From aa559f2fc6f228fba268adafa92392dff8152747 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 5 Aug 2013 11:10:55 +0200
-Subject: [PATCH 087/249] auth/gensec: use 'const char * const *' for function
- parameters
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit c81b6f7448d7f945635784de645bea4f7f2e230f)
----
- auth/gensec/gensec.h | 2 +-
- auth/gensec/gensec_start.c | 2 +-
- auth/gensec/spnego.c | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
-index 5d39d81..d0bc451 100644
---- a/auth/gensec/gensec.h
-+++ b/auth/gensec/gensec.h
-@@ -184,7 +184,7 @@ struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gense
- const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
- struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
-- const char **oid_strings,
-+ const char * const *oid_strings,
- const char *skip);
- const char **gensec_security_oids(struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
-diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
-index 00e2759..2874c13 100644
---- a/auth/gensec/gensec_start.c
-+++ b/auth/gensec/gensec_start.c
-@@ -373,7 +373,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
- _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
- struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
-- const char **oid_strings,
-+ const char * const *oid_strings,
- const char *skip)
- {
- struct gensec_security_ops_wrapper *backends_out;
-diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
-index 38a45f8..0eb6da1 100644
---- a/auth/gensec/spnego.c
-+++ b/auth/gensec/spnego.c
-@@ -417,7 +417,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
- struct spnego_state *spnego_state,
- TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
-- const char **mechType,
-+ const char * const *mechType,
- const DATA_BLOB unwrapped_in, DATA_BLOB *unwrapped_out)
- {
- int i;
---
-1.9.3
-
-
-From a2e14962e1eeebaac2fb4539794a454b0f486869 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 5 Aug 2013 11:20:21 +0200
-Subject: [PATCH 088/249] auth/gensec: treat struct gensec_security_ops as
- const if possible.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 966faef9c61d2ec02d75fc3ccc82a61524fb77e4)
----
- auth/gensec/gensec.h | 14 +++++-----
- auth/gensec/gensec_start.c | 52 ++++++++++++++++++++------------------
- auth/gensec/spnego.c | 8 +++---
- source3/auth/auth_generic.c | 15 ++++++-----
- source3/libads/authdata.c | 11 ++++----
- source3/libsmb/auth_generic.c | 15 ++++++-----
- source3/utils/ntlm_auth.c | 22 ++++++++--------
- source4/ldap_server/ldap_backend.c | 4 +--
- 8 files changed, 75 insertions(+), 66 deletions(-)
-
-diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
-index d0bc451..ac1fadf 100644
---- a/auth/gensec/gensec.h
-+++ b/auth/gensec/gensec.h
-@@ -85,7 +85,7 @@ struct gensec_settings {
- /* this allows callers to specify a specific set of ops that
- * should be used, rather than those loaded by the plugin
- * mechanism */
-- struct gensec_security_ops **backends;
-+ const struct gensec_security_ops * const *backends;
-
- /* To fill in our own name in the NTLMSSP server */
- const char *server_dns_domain;
-@@ -179,7 +179,7 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec
- const struct gensec_security_ops *gensec_security_by_auth_type(
- struct gensec_security *gensec_security,
- uint32_t auth_type);
--struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
-+const struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx);
- const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
- struct gensec_security *gensec_security,
-@@ -243,11 +243,11 @@ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
- const DATA_BLOB *in,
- DATA_BLOB *out);
-
--struct gensec_security_ops **gensec_security_all(void);
--bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security);
--struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
-- struct gensec_security_ops **old_gensec_list,
-- struct cli_credentials *creds);
-+const struct gensec_security_ops * const *gensec_security_all(void);
-+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security);
-+const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
-+ const struct gensec_security_ops * const *old_gensec_list,
-+ struct cli_credentials *creds);
-
- NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
- const char *sasl_name);
-diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
-index 2874c13..3ae64d5 100644
---- a/auth/gensec/gensec_start.c
-+++ b/auth/gensec/gensec_start.c
-@@ -33,17 +33,17 @@
- #include "lib/util/samba_modules.h"
-
- /* the list of currently registered GENSEC backends */
--static struct gensec_security_ops **generic_security_ops;
-+static const struct gensec_security_ops **generic_security_ops;
- static int gensec_num_backends;
-
- /* Return all the registered mechs. Don't modify the return pointer,
-- * but you may talloc_reference it if convient */
--_PUBLIC_ struct gensec_security_ops **gensec_security_all(void)
-+ * but you may talloc_referen it if convient */
-+_PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void)
- {
- return generic_security_ops;
- }
-
--bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
-+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
- {
- return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
- }
-@@ -68,11 +68,11 @@ bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_
- * more compplex.
- */
-
--_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
-- struct gensec_security_ops **old_gensec_list,
-- struct cli_credentials *creds)
-+_PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
-+ const struct gensec_security_ops * const *old_gensec_list,
-+ struct cli_credentials *creds)
- {
-- struct gensec_security_ops **new_gensec_list;
-+ const struct gensec_security_ops **new_gensec_list;
- int i, j, num_mechs_in;
- enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
-
-@@ -84,7 +84,9 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
- /* noop */
- }
-
-- new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1);
-+ new_gensec_list = talloc_array(mem_ctx,
-+ const struct gensec_security_ops *,
-+ num_mechs_in + 1);
- if (!new_gensec_list) {
- return NULL;
- }
-@@ -136,12 +138,12 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
- return new_gensec_list;
- }
-
--_PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
-+_PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
- struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx)
- {
- struct cli_credentials *creds = NULL;
-- struct gensec_security_ops **backends = gensec_security_all();
-+ const struct gensec_security_ops * const *backends = gensec_security_all();
-
- if (gensec_security != NULL) {
- creds = gensec_get_credentials(gensec_security);
-@@ -159,7 +161,7 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
- uint8_t auth_type)
- {
- int i;
-- struct gensec_security_ops **backends;
-+ const struct gensec_security_ops **backends;
- const struct gensec_security_ops *backend;
- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
- if (!mem_ctx) {
-@@ -185,7 +187,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
- const char *oid_string)
- {
- int i, j;
-- struct gensec_security_ops **backends;
-+ const struct gensec_security_ops **backends;
- const struct gensec_security_ops *backend;
- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
- if (!mem_ctx) {
-@@ -218,7 +220,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
- const char *sasl_name)
- {
- int i;
-- struct gensec_security_ops **backends;
-+ const struct gensec_security_ops **backends;
- const struct gensec_security_ops *backend;
- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
- if (!mem_ctx) {
-@@ -245,7 +247,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
- uint32_t auth_type)
- {
- int i;
-- struct gensec_security_ops **backends;
-+ const struct gensec_security_ops **backends;
- const struct gensec_security_ops *backend;
- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
- if (!mem_ctx) {
-@@ -270,7 +272,7 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s
- const char *name)
- {
- int i;
-- struct gensec_security_ops **backends;
-+ const struct gensec_security_ops **backends;
- const struct gensec_security_ops *backend;
- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
- if (!mem_ctx) {
-@@ -306,7 +308,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
- const char **sasl_names)
- {
- const struct gensec_security_ops **backends_out;
-- struct gensec_security_ops **backends;
-+ const struct gensec_security_ops **backends;
- int i, k, sasl_idx;
- int num_backends_out = 0;
-
-@@ -377,7 +379,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
- const char *skip)
- {
- struct gensec_security_ops_wrapper *backends_out;
-- struct gensec_security_ops **backends;
-+ const struct gensec_security_ops **backends;
- int i, j, k, oid_idx;
- int num_backends_out = 0;
-
-@@ -451,7 +453,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
- static const char **gensec_security_oids_from_ops(
- struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
-- struct gensec_security_ops **ops,
-+ const struct gensec_security_ops * const *ops,
- const char *skip)
- {
- int i;
-@@ -542,8 +544,10 @@ _PUBLIC_ const char **gensec_security_oids(struct gensec_security *gensec_securi
- TALLOC_CTX *mem_ctx,
- const char *skip)
- {
-- struct gensec_security_ops **ops
-- = gensec_security_mechs(gensec_security, mem_ctx);
-+ const struct gensec_security_ops **ops;
-+
-+ ops = gensec_security_mechs(gensec_security, mem_ctx);
-+
- return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
- }
-
-@@ -876,13 +880,13 @@ _PUBLIC_ NTSTATUS gensec_register(const struct gensec_security_ops *ops)
-
- generic_security_ops = talloc_realloc(talloc_autofree_context(),
- generic_security_ops,
-- struct gensec_security_ops *,
-+ const struct gensec_security_ops *,
- gensec_num_backends+2);
- if (!generic_security_ops) {
- return NT_STATUS_NO_MEMORY;
- }
-
-- generic_security_ops[gensec_num_backends] = discard_const_p(struct gensec_security_ops, ops);
-+ generic_security_ops[gensec_num_backends] = ops;
- gensec_num_backends++;
- generic_security_ops[gensec_num_backends] = NULL;
-
-@@ -908,7 +912,7 @@ _PUBLIC_ const struct gensec_critical_sizes *gensec_interface_version(void)
- return &critical_sizes;
- }
-
--static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ops **gs2) {
-+static int sort_gensec(const struct gensec_security_ops **gs1, const struct gensec_security_ops **gs2) {
- return (*gs2)->priority - (*gs1)->priority;
- }
-
-diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
-index 0eb6da1..d90a50c 100644
---- a/auth/gensec/spnego.c
-+++ b/auth/gensec/spnego.c
-@@ -352,9 +352,11 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
- const DATA_BLOB in, DATA_BLOB *out)
- {
- int i,j;
-- struct gensec_security_ops **all_ops
-- = gensec_security_mechs(gensec_security, out_mem_ctx);
-- for (i=0; all_ops[i]; i++) {
-+ const struct gensec_security_ops **all_ops;
-+
-+ all_ops = gensec_security_mechs(gensec_security, out_mem_ctx);
-+
-+ for (i=0; all_ops && all_ops[i]; i++) {
- bool is_spnego;
- NTSTATUS nt_status;
-
-diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
-index a2ba4e3..e15c87e 100644
---- a/source3/auth/auth_generic.c
-+++ b/source3/auth/auth_generic.c
-@@ -203,6 +203,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
- return nt_status;
- }
- } else {
-+ const struct gensec_security_ops **backends = NULL;
- struct gensec_settings *gensec_settings;
- struct loadparm_context *lp_ctx;
- size_t idx = 0;
-@@ -259,24 +260,24 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- gensec_settings->backends = talloc_zero_array(gensec_settings,
-- struct gensec_security_ops *, 4);
-- if (gensec_settings->backends == NULL) {
-+ backends = talloc_zero_array(gensec_settings,
-+ const struct gensec_security_ops *, 4);
-+ if (backends == NULL) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-+ gensec_settings->backends = backends;
-
- gensec_init();
-
- /* These need to be in priority order, krb5 before NTLMSSP */
- #if defined(HAVE_KRB5)
-- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
-+ backends[idx++] = &gensec_gse_krb5_security_ops;
- #endif
-
-- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
-+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
-
-- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
-- GENSEC_OID_SPNEGO);
-+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
-
- /*
- * This is anonymous for now, because we just use it
-diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
-index 582917d..801e551 100644
---- a/source3/libads/authdata.c
-+++ b/source3/libads/authdata.c
-@@ -111,7 +111,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- const char *cc = "MEMORY:kerberos_return_pac";
- struct auth_session_info *session_info;
- struct gensec_security *gensec_server_context;
--
-+ const struct gensec_security_ops **backends;
- struct gensec_settings *gensec_settings;
- size_t idx = 0;
- struct auth4_context *auth_context;
-@@ -230,16 +230,17 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- goto out;
- }
-
-- gensec_settings->backends = talloc_zero_array(gensec_settings,
-- struct gensec_security_ops *, 2);
-- if (gensec_settings->backends == NULL) {
-+ backends = talloc_zero_array(gensec_settings,
-+ const struct gensec_security_ops *, 2);
-+ if (backends == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto out;
- }
-+ gensec_settings->backends = backends;
-
- gensec_init();
-
-- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
-+ backends[idx++] = &gensec_gse_krb5_security_ops;
-
- status = gensec_server_start(tmp_ctx, gensec_settings,
- auth_context, &gensec_server_context);
-diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
-index ba0a0ce..e30c1b7 100644
---- a/source3/libsmb/auth_generic.c
-+++ b/source3/libsmb/auth_generic.c
-@@ -54,6 +54,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
- NTSTATUS nt_status;
- size_t idx = 0;
- struct gensec_settings *gensec_settings;
-+ const struct gensec_security_ops **backends = NULL;
- struct loadparm_context *lp_ctx;
-
- ans = talloc_zero(mem_ctx, struct auth_generic_state);
-@@ -76,24 +77,24 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
- return NT_STATUS_NO_MEMORY;
- }
-
-- gensec_settings->backends = talloc_zero_array(gensec_settings,
-- struct gensec_security_ops *, 4);
-- if (gensec_settings->backends == NULL) {
-+ backends = talloc_zero_array(gensec_settings,
-+ const struct gensec_security_ops *, 4);
-+ if (backends == NULL) {
- TALLOC_FREE(ans);
- return NT_STATUS_NO_MEMORY;
- }
-+ gensec_settings->backends = backends;
-
- gensec_init();
-
- /* These need to be in priority order, krb5 before NTLMSSP */
- #if defined(HAVE_KRB5)
-- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
-+ backends[idx++] = &gensec_gse_krb5_security_ops;
- #endif
-
-- gensec_settings->backends[idx++] = &gensec_ntlmssp3_client_ops;
-+ backends[idx++] = &gensec_ntlmssp3_client_ops;
-
-- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
-- GENSEC_OID_SPNEGO);
-+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
-
- nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
-
-diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
-index 5fcb60e..25e717c 100644
---- a/source3/utils/ntlm_auth.c
-+++ b/source3/utils/ntlm_auth.c
-@@ -1035,7 +1035,7 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
- NTSTATUS nt_status;
-
- TALLOC_CTX *tmp_ctx;
--
-+ const struct gensec_security_ops **backends;
- struct gensec_settings *gensec_settings;
- size_t idx = 0;
- struct cli_credentials *server_credentials;
-@@ -1079,26 +1079,26 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
- gensec_settings->server_dns_name = strlower_talloc(gensec_settings,
- get_mydnsfullname());
-
-- gensec_settings->backends = talloc_zero_array(gensec_settings,
-- struct gensec_security_ops *, 4);
-+ backends = talloc_zero_array(gensec_settings,
-+ const struct gensec_security_ops *, 4);
-
-- if (gensec_settings->backends == NULL) {
-+ if (backends == NULL) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
--
-+ gensec_settings->backends = backends;
-+
- gensec_init();
-
- /* These need to be in priority order, krb5 before NTLMSSP */
- #if defined(HAVE_KRB5)
-- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
-+ backends[idx++] = &gensec_gse_krb5_security_ops;
- #endif
--
-- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
-
-- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
-- GENSEC_OID_SPNEGO);
--
-+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
-+
-+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
-+
- /*
- * This is anonymous for now, because we just use it
- * to set the kerberos state at the moment
-diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
-index f0da82c..3432594 100644
---- a/source4/ldap_server/ldap_backend.c
-+++ b/source4/ldap_server/ldap_backend.c
-@@ -192,8 +192,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
-
- if (conn->server_credentials) {
- char **sasl_mechs = NULL;
-- struct gensec_security_ops **backends = gensec_security_all();
-- struct gensec_security_ops **ops
-+ const struct gensec_security_ops * const *backends = gensec_security_all();
-+ const struct gensec_security_ops **ops
- = gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
- unsigned int i, j = 0;
- for (i = 0; ops && ops[i]; i++) {
---
-1.9.3
-
-
-From 6a58d4f4cb60bf25c1493ef0aedd5978abc06969 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 5 Aug 2013 10:43:38 +0200
-Subject: [PATCH 089/249] libcli/auth: avoid possible mem leak in
- read_negTokenInit()
-
-Also add error checks.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit f1e60142e12deb560e3c62441fd9ff2acd086b60)
----
- libcli/auth/spnego_parse.c | 19 +++++++++++++++----
- 1 file changed, 15 insertions(+), 4 deletions(-)
-
-diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
-index 3bf7aea..2c73613 100644
---- a/libcli/auth/spnego_parse.c
-+++ b/libcli/auth/spnego_parse.c
-@@ -46,13 +46,24 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
- asn1_start_tag(asn1, ASN1_CONTEXT(0));
- asn1_start_tag(asn1, ASN1_SEQUENCE(0));
-
-- token->mechTypes = talloc(NULL, const char *);
-+ token->mechTypes = talloc(mem_ctx, const char *);
-+ if (token->mechTypes == NULL) {
-+ asn1->has_error = true;
-+ return false;
-+ }
- for (i = 0; !asn1->has_error &&
- 0 < asn1_tag_remaining(asn1); i++) {
- char *oid;
-- token->mechTypes = talloc_realloc(NULL,
-- token->mechTypes,
-- const char *, i+2);
-+ const char **p;
-+ p = talloc_realloc(mem_ctx,
-+ token->mechTypes,
-+ const char *, i+2);
-+ if (p == NULL) {
-+ TALLOC_FREE(token->mechTypes);
-+ asn1->has_error = true;
-+ return false;
-+ }
-+ token->mechTypes = p;
- asn1_read_OID(asn1, token->mechTypes, &oid);
- token->mechTypes[i] = oid;
- }
---
-1.9.3
-
-
-From 8835471a993521e49aa48ef55f324874e1933108 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 5 Aug 2013 10:46:47 +0200
-Subject: [PATCH 090/249] libcli/auth: add more const to
- spnego_negTokenInit->mechTypes
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Sat Aug 10 11:11:54 CEST 2013 on sn-devel-104
-(cherry picked from commit 9177a0d1c1c92c45ef92fbda55fc6dd8aeb76b6c)
----
- libcli/auth/spnego.h | 2 +-
- libcli/auth/spnego_parse.c | 27 ++++++++++++++++-----------
- libcli/auth/spnego_proto.h | 2 +-
- source3/utils/ntlm_auth.c | 2 +-
- 4 files changed, 19 insertions(+), 14 deletions(-)
-
-diff --git a/libcli/auth/spnego.h b/libcli/auth/spnego.h
-index 9a93f2e..539b903 100644
---- a/libcli/auth/spnego.h
-+++ b/libcli/auth/spnego.h
-@@ -49,7 +49,7 @@ enum spnego_negResult {
- };
-
- struct spnego_negTokenInit {
-- const char **mechTypes;
-+ const char * const *mechTypes;
- DATA_BLOB reqFlags;
- uint8_t reqFlagsPadding;
- DATA_BLOB mechToken;
-diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
-index 2c73613..b1ca07d 100644
---- a/libcli/auth/spnego_parse.c
-+++ b/libcli/auth/spnego_parse.c
-@@ -42,12 +42,14 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
-
- switch (context) {
- /* Read mechTypes */
-- case ASN1_CONTEXT(0):
-+ case ASN1_CONTEXT(0): {
-+ const char **mechTypes;
-+
- asn1_start_tag(asn1, ASN1_CONTEXT(0));
- asn1_start_tag(asn1, ASN1_SEQUENCE(0));
-
-- token->mechTypes = talloc(mem_ctx, const char *);
-- if (token->mechTypes == NULL) {
-+ mechTypes = talloc(mem_ctx, const char *);
-+ if (mechTypes == NULL) {
- asn1->has_error = true;
- return false;
- }
-@@ -56,22 +58,25 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
- char *oid;
- const char **p;
- p = talloc_realloc(mem_ctx,
-- token->mechTypes,
-+ mechTypes,
- const char *, i+2);
- if (p == NULL) {
-- TALLOC_FREE(token->mechTypes);
-+ talloc_free(mechTypes);
- asn1->has_error = true;
- return false;
- }
-- token->mechTypes = p;
-- asn1_read_OID(asn1, token->mechTypes, &oid);
-- token->mechTypes[i] = oid;
-+ mechTypes = p;
-+
-+ asn1_read_OID(asn1, mechTypes, &oid);
-+ mechTypes[i] = oid;
- }
-- token->mechTypes[i] = NULL;
-+ mechTypes[i] = NULL;
-+ token->mechTypes = mechTypes;
-
- asn1_end_tag(asn1);
- asn1_end_tag(asn1);
- break;
-+ }
- /* Read reqFlags */
- case ASN1_CONTEXT(1):
- asn1_start_tag(asn1, ASN1_CONTEXT(1));
-@@ -366,7 +371,7 @@ bool spnego_free_data(struct spnego_data *spnego)
- switch(spnego->type) {
- case SPNEGO_NEG_TOKEN_INIT:
- if (spnego->negTokenInit.mechTypes) {
-- talloc_free(spnego->negTokenInit.mechTypes);
-+ talloc_free(discard_const(spnego->negTokenInit.mechTypes));
- }
- data_blob_free(&spnego->negTokenInit.reqFlags);
- data_blob_free(&spnego->negTokenInit.mechToken);
-@@ -390,7 +395,7 @@ out:
- }
-
- bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
-- const char **mech_types,
-+ const char * const *mech_types,
- DATA_BLOB *blob)
- {
- struct asn1_data *asn1 = asn1_init(mem_ctx);
-diff --git a/libcli/auth/spnego_proto.h b/libcli/auth/spnego_proto.h
-index 5fd5e59..c0fa934 100644
---- a/libcli/auth/spnego_proto.h
-+++ b/libcli/auth/spnego_proto.h
-@@ -24,5 +24,5 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
- ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_data *spnego);
- bool spnego_free_data(struct spnego_data *spnego);
- bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
-- const char **mech_types,
-+ const char * const *mech_types,
- DATA_BLOB *blob);
-diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
-index 25e717c..1df615c 100644
---- a/source3/utils/ntlm_auth.c
-+++ b/source3/utils/ntlm_auth.c
-@@ -2058,7 +2058,7 @@ static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper
-
- /* The server offers a list of mechanisms */
-
-- const char **mechType = (const char **)spnego.negTokenInit.mechTypes;
-+ const char *const *mechType = spnego.negTokenInit.mechTypes;
-
- while (*mechType != NULL) {
-
---
-1.9.3
-
-
-From c06bb0c3d2c032f8b4848c75baa1fd900650866a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 9 Aug 2013 10:15:05 +0200
-Subject: [PATCH 091/249] auth/credentials: make sure
- cli_credentials_get_nt_hash() always returns a talloc object
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- auth/credentials/credentials.c | 19 ++++++++++++++-----
- auth/credentials/credentials.h | 4 ++--
- 2 files changed, 16 insertions(+), 7 deletions(-)
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index be497bc..57a7c0b 100644
---- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -471,8 +471,8 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
- * @param cred credentials context
- * @retval If set, the cleartext password, otherwise NULL
- */
--_PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
-- TALLOC_CTX *mem_ctx)
-+_PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
-+ TALLOC_CTX *mem_ctx)
- {
- const char *password = cli_credentials_get_password(cred);
-
-@@ -481,13 +481,22 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred
- if (!nt_hash) {
- return NULL;
- }
--
-+
- E_md4hash(password, nt_hash->hash);
-
- return nt_hash;
-- } else {
-- return cred->nt_hash;
-+ } else if (cred->nt_hash != NULL) {
-+ struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
-+ if (!nt_hash) {
-+ return NULL;
-+ }
-+
-+ *nt_hash = *cred->nt_hash;
-+
-+ return nt_hash;
- }
-+
-+ return NULL;
- }
-
- /**
-diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
-index cb09dc3..766a513 100644
---- a/auth/credentials/credentials.h
-+++ b/auth/credentials/credentials.h
-@@ -141,8 +141,8 @@ bool cli_credentials_set_password(struct cli_credentials *cred,
- enum credentials_obtained obtained);
- struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
- void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
--const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
-- TALLOC_CTX *mem_ctx);
-+struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
-+ TALLOC_CTX *mem_ctx);
- bool cli_credentials_set_realm(struct cli_credentials *cred,
- const char *val,
- enum credentials_obtained obtained);
---
-1.9.3
-
-
-From 8a3ed9f72ef9f9de32da4d454b866d64eb24ee17 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@symas.com>
-Date: Tue, 17 Sep 2013 13:09:50 -0700
-Subject: [PATCH 092/249] Add SASL/EXTERNAL gensec module
-
-Signed-off-by: Howard Chu <hyc@symas.com>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
-(cherry picked from commit 6bf59b03d72b94b71e53fc2404c11e0d237e41b2)
----
- auth/gensec/external.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++
- auth/gensec/gensec.h | 3 +-
- auth/gensec/wscript_build | 7 ++++
- 3 files changed, 91 insertions(+), 1 deletion(-)
- create mode 100644 auth/gensec/external.c
-
-diff --git a/auth/gensec/external.c b/auth/gensec/external.c
-new file mode 100644
-index 0000000..a26e435
---- /dev/null
-+++ b/auth/gensec/external.c
-@@ -0,0 +1,82 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+
-+ SASL/EXTERNAL authentication.
-+
-+ Copyright (C) Howard Chu <hyc@symas.com> 2013
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#include "includes.h"
-+#include "auth/credentials/credentials.h"
-+#include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
-+#include "auth/gensec/gensec_proto.h"
-+#include "auth/gensec/gensec_toplevel_proto.h"
-+
-+/* SASL/EXTERNAL is essentially a no-op; it is only usable when the transport
-+ * layer is already mutually authenticated.
-+ */
-+
-+NTSTATUS gensec_external_init(void);
-+
-+static NTSTATUS gensec_external_start(struct gensec_security *gensec_security)
-+{
-+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN)
-+ return NT_STATUS_INVALID_PARAMETER;
-+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL)
-+ return NT_STATUS_INVALID_PARAMETER;
-+
-+ return NT_STATUS_OK;
-+}
-+
-+static NTSTATUS gensec_external_update(struct gensec_security *gensec_security,
-+ TALLOC_CTX *out_mem_ctx,
-+ struct tevent_context *ev,
-+ const DATA_BLOB in, DATA_BLOB *out)
-+{
-+ *out = data_blob_talloc(out_mem_ctx, "", 0);
-+ return NT_STATUS_OK;
-+}
-+
-+/* We have no features */
-+static bool gensec_external_have_feature(struct gensec_security *gensec_security,
-+ uint32_t feature)
-+{
-+ return false;
-+}
-+
-+static const struct gensec_security_ops gensec_external_ops = {
-+ .name = "sasl-EXTERNAL",
-+ .sasl_name = "EXTERNAL",
-+ .client_start = gensec_external_start,
-+ .update = gensec_external_update,
-+ .have_feature = gensec_external_have_feature,
-+ .enabled = true,
-+ .priority = GENSEC_EXTERNAL
-+};
-+
-+
-+NTSTATUS gensec_external_init(void)
-+{
-+ NTSTATUS ret;
-+
-+ ret = gensec_register(&gensec_external_ops);
-+ if (!NT_STATUS_IS_OK(ret)) {
-+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
-+ gensec_external_ops.name));
-+ }
-+ return ret;
-+}
-diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
-index ac1fadf..6974f87 100644
---- a/auth/gensec/gensec.h
-+++ b/auth/gensec/gensec.h
-@@ -41,7 +41,8 @@ enum gensec_priority {
- GENSEC_SCHANNEL = 60,
- GENSEC_NTLMSSP = 50,
- GENSEC_SASL = 20,
-- GENSEC_OTHER = 0
-+ GENSEC_OTHER = 10,
-+ GENSEC_EXTERNAL = 0
- };
-
- struct gensec_security;
-diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
-index fcd74a3..71222f7 100755
---- a/auth/gensec/wscript_build
-+++ b/auth/gensec/wscript_build
-@@ -16,3 +16,10 @@ bld.SAMBA_MODULE('gensec_spnego',
- init_function='gensec_spnego_init',
- deps='asn1util samba-credentials SPNEGO_PARSE'
- )
-+
-+bld.SAMBA_MODULE('gensec_external',
-+ source='external.c',
-+ autoproto='external_proto.h',
-+ subsystem='gensec',
-+ init_function='gensec_external_init'
-+ )
---
-1.9.3
-
-
-From 75d9566940069ebeb367191ec6a6641bf7d45a83 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 18 Sep 2013 17:24:10 +0200
-Subject: [PATCH 093/249] gensec: move schannel module to toplevel.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 4d2ec9e37ee9dcf7b521806a1c0aabdffe524d47)
----
- auth/gensec/schannel.c | 330 ++++++++++++++++++++++++++++++++++++++
- auth/gensec/wscript_build | 8 +
- source4/auth/gensec/schannel.c | 330 --------------------------------------
- source4/auth/gensec/wscript_build | 10 --
- 4 files changed, 338 insertions(+), 340 deletions(-)
- create mode 100644 auth/gensec/schannel.c
- delete mode 100644 source4/auth/gensec/schannel.c
-
-diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
-new file mode 100644
-index 0000000..eb2e100
---- /dev/null
-+++ b/auth/gensec/schannel.c
-@@ -0,0 +1,330 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+
-+ dcerpc schannel operations
-+
-+ Copyright (C) Andrew Tridgell 2004
-+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#include "includes.h"
-+#include "librpc/gen_ndr/ndr_schannel.h"
-+#include "auth/auth.h"
-+#include "auth/credentials/credentials.h"
-+#include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
-+#include "auth/gensec/gensec_proto.h"
-+#include "../libcli/auth/schannel.h"
-+#include "librpc/gen_ndr/dcerpc.h"
-+#include "param/param.h"
-+#include "auth/gensec/gensec_toplevel_proto.h"
-+
-+_PUBLIC_ NTSTATUS gensec_schannel_init(void);
-+
-+static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
-+{
-+ struct schannel_state *state =
-+ talloc_get_type_abort(gensec_security->private_data,
-+ struct schannel_state);
-+
-+ return netsec_outgoing_sig_size(state);
-+}
-+
-+static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
-+ struct tevent_context *ev,
-+ const DATA_BLOB in, DATA_BLOB *out)
-+{
-+ struct schannel_state *state =
-+ talloc_get_type(gensec_security->private_data,
-+ struct schannel_state);
-+ NTSTATUS status;
-+ enum ndr_err_code ndr_err;
-+ struct NL_AUTH_MESSAGE bind_schannel;
-+ struct NL_AUTH_MESSAGE bind_schannel_ack;
-+ struct netlogon_creds_CredentialState *creds;
-+ const char *workstation;
-+ const char *domain;
-+
-+ *out = data_blob(NULL, 0);
-+
-+ switch (gensec_security->gensec_role) {
-+ case GENSEC_CLIENT:
-+ if (state != NULL) {
-+ /* we could parse the bind ack, but we don't know what it is yet */
-+ return NT_STATUS_OK;
-+ }
-+
-+ creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
-+ if (creds == NULL) {
-+ return NT_STATUS_INVALID_PARAMETER_MIX;
-+ }
-+
-+ state = netsec_create_state(gensec_security,
-+ creds, true /* initiator */);
-+ if (state == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ gensec_security->private_data = state;
-+
-+ bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
-+#if 0
-+ /* to support this we'd need to have access to the full domain name */
-+ /* 0x17, 23 */
-+ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
-+ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
-+ NL_FLAG_UTF8_DNS_DOMAIN_NAME |
-+ NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
-+ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
-+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
-+ bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
-+ /* w2k3 refuses us if we use the full DNS workstation?
-+ why? perhaps because we don't fill in the dNSHostName
-+ attribute in the machine account? */
-+ bind_schannel.utf8_netbios_computer = creds->computer_name;
-+#else
-+ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
-+ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
-+ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
-+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
-+#endif
-+
-+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
-+ (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ status = ndr_map_error2ntstatus(ndr_err);
-+ DEBUG(3, ("Could not create schannel bind: %s\n",
-+ nt_errstr(status)));
-+ return status;
-+ }
-+
-+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
-+ case GENSEC_SERVER:
-+
-+ if (state != NULL) {
-+ /* no third leg on this protocol */
-+ return NT_STATUS_INVALID_PARAMETER;
-+ }
-+
-+ /* parse the schannel startup blob */
-+ ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
-+ (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ status = ndr_map_error2ntstatus(ndr_err);
-+ DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
-+ nt_errstr(status)));
-+ return status;
-+ }
-+
-+ if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
-+ domain = bind_schannel.oem_netbios_domain.a;
-+ if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
-+ DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
-+ domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
-+ return NT_STATUS_LOGON_FAILURE;
-+ }
-+ } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
-+ domain = bind_schannel.utf8_dns_domain.u;
-+ if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
-+ DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
-+ domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
-+ return NT_STATUS_LOGON_FAILURE;
-+ }
-+ } else {
-+ DEBUG(3, ("Request for schannel to without domain\n"));
-+ return NT_STATUS_LOGON_FAILURE;
-+ }
-+
-+ if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
-+ workstation = bind_schannel.oem_netbios_computer.a;
-+ } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
-+ workstation = bind_schannel.utf8_netbios_computer.u;
-+ } else {
-+ DEBUG(3, ("Request for schannel to without netbios workstation\n"));
-+ return NT_STATUS_LOGON_FAILURE;
-+ }
-+
-+ status = schannel_get_creds_state(out_mem_ctx,
-+ gensec_security->settings->lp_ctx,
-+ workstation, &creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
-+ workstation, nt_errstr(status)));
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
-+ return NT_STATUS_LOGON_FAILURE;
-+ }
-+ return status;
-+ }
-+
-+ state = netsec_create_state(gensec_security,
-+ creds, false /* not initiator */);
-+ if (state == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ gensec_security->private_data = state;
-+
-+ bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
-+ bind_schannel_ack.Flags = 0;
-+ bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
-+ * this does not have
-+ * any meaning here
-+ * - gd */
-+
-+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
-+ (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ status = ndr_map_error2ntstatus(ndr_err);
-+ DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
-+ workstation, nt_errstr(status)));
-+ return status;
-+ }
-+
-+ return NT_STATUS_OK;
-+ }
-+ return NT_STATUS_INVALID_PARAMETER;
-+}
-+
-+/**
-+ * Returns anonymous credentials for schannel, matching Win2k3.
-+ *
-+ */
-+
-+static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
-+ TALLOC_CTX *mem_ctx,
-+ struct auth_session_info **_session_info)
-+{
-+ return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
-+}
-+
-+static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
-+{
-+ return NT_STATUS_OK;
-+}
-+
-+static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
-+{
-+ return NT_STATUS_OK;
-+}
-+
-+static bool schannel_have_feature(struct gensec_security *gensec_security,
-+ uint32_t feature)
-+{
-+ if (feature & (GENSEC_FEATURE_SIGN |
-+ GENSEC_FEATURE_SEAL)) {
-+ return true;
-+ }
-+ if (feature & GENSEC_FEATURE_DCE_STYLE) {
-+ return true;
-+ }
-+ return false;
-+}
-+
-+/*
-+ unseal a packet
-+*/
-+static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
-+ uint8_t *data, size_t length,
-+ const uint8_t *whole_pdu, size_t pdu_length,
-+ const DATA_BLOB *sig)
-+{
-+ struct schannel_state *state =
-+ talloc_get_type_abort(gensec_security->private_data,
-+ struct schannel_state);
-+
-+ return netsec_incoming_packet(state, true,
-+ discard_const_p(uint8_t, data),
-+ length, sig);
-+}
-+
-+/*
-+ check the signature on a packet
-+*/
-+static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
-+ const uint8_t *data, size_t length,
-+ const uint8_t *whole_pdu, size_t pdu_length,
-+ const DATA_BLOB *sig)
-+{
-+ struct schannel_state *state =
-+ talloc_get_type_abort(gensec_security->private_data,
-+ struct schannel_state);
-+
-+ return netsec_incoming_packet(state, false,
-+ discard_const_p(uint8_t, data),
-+ length, sig);
-+}
-+/*
-+ seal a packet
-+*/
-+static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
-+ TALLOC_CTX *mem_ctx,
-+ uint8_t *data, size_t length,
-+ const uint8_t *whole_pdu, size_t pdu_length,
-+ DATA_BLOB *sig)
-+{
-+ struct schannel_state *state =
-+ talloc_get_type_abort(gensec_security->private_data,
-+ struct schannel_state);
-+
-+ return netsec_outgoing_packet(state, mem_ctx, true,
-+ data, length, sig);
-+}
-+
-+/*
-+ sign a packet
-+*/
-+static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
-+ TALLOC_CTX *mem_ctx,
-+ const uint8_t *data, size_t length,
-+ const uint8_t *whole_pdu, size_t pdu_length,
-+ DATA_BLOB *sig)
-+{
-+ struct schannel_state *state =
-+ talloc_get_type_abort(gensec_security->private_data,
-+ struct schannel_state);
-+
-+ return netsec_outgoing_packet(state, mem_ctx, false,
-+ discard_const_p(uint8_t, data),
-+ length, sig);
-+}
-+
-+static const struct gensec_security_ops gensec_schannel_security_ops = {
-+ .name = "schannel",
-+ .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
-+ .client_start = schannel_client_start,
-+ .server_start = schannel_server_start,
-+ .update = schannel_update,
-+ .seal_packet = schannel_seal_packet,
-+ .sign_packet = schannel_sign_packet,
-+ .check_packet = schannel_check_packet,
-+ .unseal_packet = schannel_unseal_packet,
-+ .session_info = schannel_session_info,
-+ .sig_size = schannel_sig_size,
-+ .have_feature = schannel_have_feature,
-+ .enabled = true,
-+ .priority = GENSEC_SCHANNEL
-+};
-+
-+_PUBLIC_ NTSTATUS gensec_schannel_init(void)
-+{
-+ NTSTATUS ret;
-+ ret = gensec_register(&gensec_schannel_security_ops);
-+ if (!NT_STATUS_IS_OK(ret)) {
-+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
-+ gensec_schannel_security_ops.name));
-+ return ret;
-+ }
-+
-+ return ret;
-+}
-diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
-index 71222f7..7329eec 100755
---- a/auth/gensec/wscript_build
-+++ b/auth/gensec/wscript_build
-@@ -17,6 +17,14 @@ bld.SAMBA_MODULE('gensec_spnego',
- deps='asn1util samba-credentials SPNEGO_PARSE'
- )
-
-+bld.SAMBA_MODULE('gensec_schannel',
-+ source='schannel.c',
-+ autoproto='schannel_proto.h',
-+ subsystem='gensec',
-+ init_function='gensec_schannel_init',
-+ deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials auth_session'
-+ )
-+
- bld.SAMBA_MODULE('gensec_external',
- source='external.c',
- autoproto='external_proto.h',
-diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
-deleted file mode 100644
-index eb2e100..0000000
---- a/source4/auth/gensec/schannel.c
-+++ /dev/null
-@@ -1,330 +0,0 @@
--/*
-- Unix SMB/CIFS implementation.
--
-- dcerpc schannel operations
--
-- Copyright (C) Andrew Tridgell 2004
-- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 3 of the License, or
-- (at your option) any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program. If not, see <http://www.gnu.org/licenses/>.
--*/
--
--#include "includes.h"
--#include "librpc/gen_ndr/ndr_schannel.h"
--#include "auth/auth.h"
--#include "auth/credentials/credentials.h"
--#include "auth/gensec/gensec.h"
--#include "auth/gensec/gensec_internal.h"
--#include "auth/gensec/gensec_proto.h"
--#include "../libcli/auth/schannel.h"
--#include "librpc/gen_ndr/dcerpc.h"
--#include "param/param.h"
--#include "auth/gensec/gensec_toplevel_proto.h"
--
--_PUBLIC_ NTSTATUS gensec_schannel_init(void);
--
--static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
--{
-- struct schannel_state *state =
-- talloc_get_type_abort(gensec_security->private_data,
-- struct schannel_state);
--
-- return netsec_outgoing_sig_size(state);
--}
--
--static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
-- struct tevent_context *ev,
-- const DATA_BLOB in, DATA_BLOB *out)
--{
-- struct schannel_state *state =
-- talloc_get_type(gensec_security->private_data,
-- struct schannel_state);
-- NTSTATUS status;
-- enum ndr_err_code ndr_err;
-- struct NL_AUTH_MESSAGE bind_schannel;
-- struct NL_AUTH_MESSAGE bind_schannel_ack;
-- struct netlogon_creds_CredentialState *creds;
-- const char *workstation;
-- const char *domain;
--
-- *out = data_blob(NULL, 0);
--
-- switch (gensec_security->gensec_role) {
-- case GENSEC_CLIENT:
-- if (state != NULL) {
-- /* we could parse the bind ack, but we don't know what it is yet */
-- return NT_STATUS_OK;
-- }
--
-- creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
-- if (creds == NULL) {
-- return NT_STATUS_INVALID_PARAMETER_MIX;
-- }
--
-- state = netsec_create_state(gensec_security,
-- creds, true /* initiator */);
-- if (state == NULL) {
-- return NT_STATUS_NO_MEMORY;
-- }
-- gensec_security->private_data = state;
--
-- bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
--#if 0
-- /* to support this we'd need to have access to the full domain name */
-- /* 0x17, 23 */
-- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
-- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
-- NL_FLAG_UTF8_DNS_DOMAIN_NAME |
-- NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
-- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
-- bind_schannel.oem_netbios_computer.a = creds->computer_name;
-- bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
-- /* w2k3 refuses us if we use the full DNS workstation?
-- why? perhaps because we don't fill in the dNSHostName
-- attribute in the machine account? */
-- bind_schannel.utf8_netbios_computer = creds->computer_name;
--#else
-- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
-- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
-- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
-- bind_schannel.oem_netbios_computer.a = creds->computer_name;
--#endif
--
-- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
-- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
-- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- status = ndr_map_error2ntstatus(ndr_err);
-- DEBUG(3, ("Could not create schannel bind: %s\n",
-- nt_errstr(status)));
-- return status;
-- }
--
-- return NT_STATUS_MORE_PROCESSING_REQUIRED;
-- case GENSEC_SERVER:
--
-- if (state != NULL) {
-- /* no third leg on this protocol */
-- return NT_STATUS_INVALID_PARAMETER;
-- }
--
-- /* parse the schannel startup blob */
-- ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
-- (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
-- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- status = ndr_map_error2ntstatus(ndr_err);
-- DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
-- nt_errstr(status)));
-- return status;
-- }
--
-- if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
-- domain = bind_schannel.oem_netbios_domain.a;
-- if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
-- DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
-- domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
-- return NT_STATUS_LOGON_FAILURE;
-- }
-- } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
-- domain = bind_schannel.utf8_dns_domain.u;
-- if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
-- DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
-- domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
-- return NT_STATUS_LOGON_FAILURE;
-- }
-- } else {
-- DEBUG(3, ("Request for schannel to without domain\n"));
-- return NT_STATUS_LOGON_FAILURE;
-- }
--
-- if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
-- workstation = bind_schannel.oem_netbios_computer.a;
-- } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
-- workstation = bind_schannel.utf8_netbios_computer.u;
-- } else {
-- DEBUG(3, ("Request for schannel to without netbios workstation\n"));
-- return NT_STATUS_LOGON_FAILURE;
-- }
--
-- status = schannel_get_creds_state(out_mem_ctx,
-- gensec_security->settings->lp_ctx,
-- workstation, &creds);
-- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
-- workstation, nt_errstr(status)));
-- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
-- return NT_STATUS_LOGON_FAILURE;
-- }
-- return status;
-- }
--
-- state = netsec_create_state(gensec_security,
-- creds, false /* not initiator */);
-- if (state == NULL) {
-- return NT_STATUS_NO_MEMORY;
-- }
-- gensec_security->private_data = state;
--
-- bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
-- bind_schannel_ack.Flags = 0;
-- bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
-- * this does not have
-- * any meaning here
-- * - gd */
--
-- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
-- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
-- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- status = ndr_map_error2ntstatus(ndr_err);
-- DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
-- workstation, nt_errstr(status)));
-- return status;
-- }
--
-- return NT_STATUS_OK;
-- }
-- return NT_STATUS_INVALID_PARAMETER;
--}
--
--/**
-- * Returns anonymous credentials for schannel, matching Win2k3.
-- *
-- */
--
--static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
-- TALLOC_CTX *mem_ctx,
-- struct auth_session_info **_session_info)
--{
-- return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
--}
--
--static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
--{
-- return NT_STATUS_OK;
--}
--
--static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
--{
-- return NT_STATUS_OK;
--}
--
--static bool schannel_have_feature(struct gensec_security *gensec_security,
-- uint32_t feature)
--{
-- if (feature & (GENSEC_FEATURE_SIGN |
-- GENSEC_FEATURE_SEAL)) {
-- return true;
-- }
-- if (feature & GENSEC_FEATURE_DCE_STYLE) {
-- return true;
-- }
-- return false;
--}
--
--/*
-- unseal a packet
--*/
--static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
-- uint8_t *data, size_t length,
-- const uint8_t *whole_pdu, size_t pdu_length,
-- const DATA_BLOB *sig)
--{
-- struct schannel_state *state =
-- talloc_get_type_abort(gensec_security->private_data,
-- struct schannel_state);
--
-- return netsec_incoming_packet(state, true,
-- discard_const_p(uint8_t, data),
-- length, sig);
--}
--
--/*
-- check the signature on a packet
--*/
--static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
-- const uint8_t *data, size_t length,
-- const uint8_t *whole_pdu, size_t pdu_length,
-- const DATA_BLOB *sig)
--{
-- struct schannel_state *state =
-- talloc_get_type_abort(gensec_security->private_data,
-- struct schannel_state);
--
-- return netsec_incoming_packet(state, false,
-- discard_const_p(uint8_t, data),
-- length, sig);
--}
--/*
-- seal a packet
--*/
--static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
-- TALLOC_CTX *mem_ctx,
-- uint8_t *data, size_t length,
-- const uint8_t *whole_pdu, size_t pdu_length,
-- DATA_BLOB *sig)
--{
-- struct schannel_state *state =
-- talloc_get_type_abort(gensec_security->private_data,
-- struct schannel_state);
--
-- return netsec_outgoing_packet(state, mem_ctx, true,
-- data, length, sig);
--}
--
--/*
-- sign a packet
--*/
--static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
-- TALLOC_CTX *mem_ctx,
-- const uint8_t *data, size_t length,
-- const uint8_t *whole_pdu, size_t pdu_length,
-- DATA_BLOB *sig)
--{
-- struct schannel_state *state =
-- talloc_get_type_abort(gensec_security->private_data,
-- struct schannel_state);
--
-- return netsec_outgoing_packet(state, mem_ctx, false,
-- discard_const_p(uint8_t, data),
-- length, sig);
--}
--
--static const struct gensec_security_ops gensec_schannel_security_ops = {
-- .name = "schannel",
-- .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
-- .client_start = schannel_client_start,
-- .server_start = schannel_server_start,
-- .update = schannel_update,
-- .seal_packet = schannel_seal_packet,
-- .sign_packet = schannel_sign_packet,
-- .check_packet = schannel_check_packet,
-- .unseal_packet = schannel_unseal_packet,
-- .session_info = schannel_session_info,
-- .sig_size = schannel_sig_size,
-- .have_feature = schannel_have_feature,
-- .enabled = true,
-- .priority = GENSEC_SCHANNEL
--};
--
--_PUBLIC_ NTSTATUS gensec_schannel_init(void)
--{
-- NTSTATUS ret;
-- ret = gensec_register(&gensec_schannel_security_ops);
-- if (!NT_STATUS_IS_OK(ret)) {
-- DEBUG(0,("Failed to register '%s' gensec backend!\n",
-- gensec_schannel_security_ops.name));
-- return ret;
-- }
--
-- return ret;
--}
-diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
-index 04fccc5..a3eff97 100755
---- a/source4/auth/gensec/wscript_build
-+++ b/source4/auth/gensec/wscript_build
-@@ -32,16 +32,6 @@ bld.SAMBA_MODULE('cyrus_sasl',
- )
-
-
--bld.SAMBA_MODULE('gensec_schannel',
-- source='schannel.c',
-- subsystem='gensec',
-- deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials ndr auth_session',
-- internal_module=True,
-- autoproto='schannel_proto.h',
-- init_function='gensec_schannel_init'
-- )
--
--
- bld.SAMBA_PYTHON('pygensec',
- source='pygensec.c',
- deps='gensec pytalloc-util pyparam_util',
---
-1.9.3
-
-
-From c4829848f45db27d6c145b35a20bea2f33bcb4d7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 18 Sep 2013 17:24:49 +0200
-Subject: [PATCH 094/249] gensec: remove duplicate
- gensec_security_by_authtype() call.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We should use the equivalent gensec_security_by_auth_type() call which is
-exposed in the public header.
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit d433ad077f354de4fc1d5a155d991f417ae9967c)
----
- auth/gensec/gensec_start.c | 29 ++---------------------------
- 1 file changed, 2 insertions(+), 27 deletions(-)
-
-diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
-index 3ae64d5..906ef67 100644
---- a/auth/gensec/gensec_start.c
-+++ b/auth/gensec/gensec_start.c
-@@ -157,31 +157,6 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
-
- }
-
--static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
-- uint8_t auth_type)
--{
-- int i;
-- const struct gensec_security_ops **backends;
-- const struct gensec_security_ops *backend;
-- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
-- if (!mem_ctx) {
-- return NULL;
-- }
-- backends = gensec_security_mechs(gensec_security, mem_ctx);
-- for (i=0; backends && backends[i]; i++) {
-- if (!gensec_security_ops_enabled(backends[i], gensec_security))
-- continue;
-- if (backends[i]->auth_type == auth_type) {
-- backend = backends[i];
-- talloc_free(mem_ctx);
-- return backend;
-- }
-- }
-- talloc_free(mem_ctx);
--
-- return NULL;
--}
--
- _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
- struct gensec_security *gensec_security,
- const char *oid_string)
-@@ -719,7 +694,7 @@ NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
- _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
- uint8_t auth_type, uint8_t auth_level)
- {
-- gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type);
-+ gensec_security->ops = gensec_security_by_auth_type(gensec_security, auth_type);
- if (!gensec_security->ops) {
- DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
- return NT_STATUS_INVALID_PARAMETER;
-@@ -746,7 +721,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
- _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
- {
- const struct gensec_security_ops *ops;
-- ops = gensec_security_by_authtype(gensec_security, authtype);
-+ ops = gensec_security_by_auth_type(gensec_security, authtype);
- if (ops) {
- return ops->name;
- }
---
-1.9.3
-
-
-From 8c54d2ee4861a35def7cce29b900a68112356f6b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 18 Sep 2013 17:25:55 +0200
-Subject: [PATCH 095/249] gensec: check for NULL gensec_security in
- gensec_security_by_auth_type().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We have equivalent checks in other gensec_security_by_X calls already.
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 4f979525e4137c536118a9c2b2b4ef798c270e27)
----
- auth/gensec/gensec_start.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
-index 906ef67..476134a 100644
---- a/auth/gensec/gensec_start.c
-+++ b/auth/gensec/gensec_start.c
-@@ -230,8 +230,10 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
- }
- backends = gensec_security_mechs(gensec_security, mem_ctx);
- for (i=0; backends && backends[i]; i++) {
-- if (!gensec_security_ops_enabled(backends[i], gensec_security))
-- continue;
-+ if (gensec_security != NULL &&
-+ !gensec_security_ops_enabled(backends[i], gensec_security)) {
-+ continue;
-+ }
- if (backends[i]->auth_type == auth_type) {
- backend = backends[i];
- talloc_free(mem_ctx);
---
-1.9.3
-
-
-From 5b941811c7ebd51bf2c8d421517fd92b3065ba47 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 18 Sep 2013 17:27:28 +0200
-Subject: [PATCH 096/249] s3-auth: also load schannel module from
- auth_generic_client_prepare().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 8fce75aa58ec70547ad218bde154e141f2d17303)
----
- source3/libsmb/auth_generic.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
-index e30c1b7..3130dec 100644
---- a/source3/libsmb/auth_generic.c
-+++ b/source3/libsmb/auth_generic.c
-@@ -78,7 +78,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
- }
-
- backends = talloc_zero_array(gensec_settings,
-- const struct gensec_security_ops *, 4);
-+ const struct gensec_security_ops *, 5);
- if (backends == NULL) {
- TALLOC_FREE(ans);
- return NT_STATUS_NO_MEMORY;
-@@ -95,6 +95,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
- backends[idx++] = &gensec_ntlmssp3_client_ops;
-
- backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
-+ backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
-
- nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
-
---
-1.9.3
-
-
-From 28b5f156bcc03b88f8c0f3e52cd051a0b069334e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 18 Sep 2013 17:44:10 +0200
-Subject: [PATCH 097/249] s3-rpc_cli: allow to pass down a netlogon
- CredentialState struct to gensec.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 7b570b4128f9af212048ce56abd841a1f6fdc259)
----
- source3/rpc_client/cli_pipe.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 470469f..2acbad6 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2178,6 +2178,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
- const char *username,
- const char *password,
- enum credentials_use_kerberos use_kerberos,
-+ struct netlogon_creds_CredentialState *creds,
- struct pipe_auth_data **presult)
- {
- struct auth_generic_state *auth_generic_ctx;
-@@ -2231,6 +2232,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
- }
-
- cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
-+ cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds);
-
- status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
- if (!NT_STATUS_IS_OK(status)) {
-@@ -2830,6 +2832,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
- server, target_service,
- domain, username, password,
- CRED_AUTO_USE_KERBEROS,
-+ NULL,
- &auth);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
-@@ -3057,7 +3060,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
- DCERPC_AUTH_TYPE_SPNEGO, auth_level,
- server, target_service,
- domain, username, password,
-- use_kerberos,
-+ use_kerberos, NULL,
- &auth);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
---
-1.9.3
-
-
-From 4775b3fd2905e54b2c824d901fd8a99fb8caae04 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 18 Sep 2013 18:23:40 +0200
-Subject: [PATCH 098/249] s3-auth: register schannel gensec module in
- auth_generic_prepare() as well.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 090671aca5234f47f390054de771198e3c177060)
----
- source3/auth/auth_generic.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
-index e15c87e..e07d3b7 100644
---- a/source3/auth/auth_generic.c
-+++ b/source3/auth/auth_generic.c
-@@ -32,6 +32,7 @@
- #include "librpc/crypto/gse.h"
- #include "auth/credentials/credentials.h"
- #include "lib/param/loadparm.h"
-+#include "librpc/gen_ndr/dcerpc.h"
-
- static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
- TALLOC_CTX *mem_ctx,
-@@ -261,7 +262,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
- }
-
- backends = talloc_zero_array(gensec_settings,
-- const struct gensec_security_ops *, 4);
-+ const struct gensec_security_ops *, 5);
- if (backends == NULL) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
-@@ -279,6 +280,8 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
-
- backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
-
-+ backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
-+
- /*
- * This is anonymous for now, because we just use it
- * to set the kerberos state at the moment
---
-1.9.3
-
-
-From 080c2ac3cbd28318bc6c682dff0aea17fad07a2c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 18 Sep 2013 18:33:14 +0200
-Subject: [PATCH 099/249] s3-rpc_cli: use gensec for schannel bind.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 89d0b89b5d58ceef13bc10036d396b10f8a102ae)
----
- source3/rpc_client/cli_pipe.c | 22 +++++++++++++---------
- 1 file changed, 13 insertions(+), 9 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 2acbad6..8a642e2 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1120,12 +1120,6 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
-
- switch (auth->auth_type) {
- case DCERPC_AUTH_TYPE_SCHANNEL:
-- ret = create_schannel_auth_rpc_bind_req(cli, &auth_token);
-- if (!NT_STATUS_IS_OK(ret)) {
-- return ret;
-- }
-- break;
--
- case DCERPC_AUTH_TYPE_NTLMSSP:
- case DCERPC_AUTH_TYPE_KRB5:
- case DCERPC_AUTH_TYPE_SPNEGO:
-@@ -2884,16 +2878,26 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- struct netr_Authenticator auth;
- struct netr_Authenticator return_auth;
- union netr_Capabilities capabilities;
-+ const char *target_service = table->authservices->names[0];
-
- status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
-- status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
-- *pdc, &rpcauth);
-+ status = rpccli_generic_bind_data(rpccli,
-+ DCERPC_AUTH_TYPE_SCHANNEL,
-+ auth_level,
-+ NULL,
-+ target_service,
-+ domain,
-+ (*pdc)->computer_name,
-+ NULL,
-+ CRED_AUTO_USE_KERBEROS,
-+ *pdc,
-+ &rpcauth);
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
-+ DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
- nt_errstr(status)));
- TALLOC_FREE(rpccli);
- return status;
---
-1.9.3
-
-
-From 40ffd89f975e06821379fbd240187f5e268da5fe Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 18 Sep 2013 18:34:58 +0200
-Subject: [PATCH 100/249] s3-rpc_srv: use gensec for schannel bind.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit a32a83ba9d6c7b5bbe9077973e5402ba65c068e7)
----
- source3/rpc_server/srv_pipe.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 9043a14..fd7a90a 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -808,10 +808,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- break;
-
- case DCERPC_AUTH_TYPE_SCHANNEL:
-- if (!pipe_schannel_auth_bind(p, pkt,
-- &auth_info, &auth_resp)) {
-+ if (!pipe_auth_generic_bind(p, pkt,
-+ &auth_info, &auth_resp)) {
-+ goto err_exit;
-+ }
-+ if (!session_info_set_session_key(p->session_info, generic_session_key())) {
-+ DEBUG(0, ("session_info_set_session_key failed\n"));
- goto err_exit;
- }
-+ p->pipe_bound = true;
- break;
-
- case DCERPC_AUTH_TYPE_SPNEGO:
---
-1.9.3
-
-
-From 285de020b6e284ad5074492d62740ba8a370826a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 18 Sep 2013 18:36:19 +0200
-Subject: [PATCH 101/249] s3-rpc: use gensec for schannel footer processing.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 5a628490e46f428432cd9b32c2b4b3a34a3736ae)
----
- source3/librpc/rpc/dcerpc_helpers.c | 35 +++--------------------------------
- 1 file changed, 3 insertions(+), 32 deletions(-)
-
-diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
-index 97999d7..b9e05cb 100644
---- a/source3/librpc/rpc/dcerpc_helpers.c
-+++ b/source3/librpc/rpc/dcerpc_helpers.c
-@@ -273,7 +273,6 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
- size_t max_len;
- size_t mod_len;
- struct gensec_security *gensec_security;
-- struct schannel_state *schannel_auth;
-
- /* no auth token cases first */
- switch (auth->auth_level) {
-@@ -307,16 +306,11 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
- case DCERPC_AUTH_TYPE_SPNEGO:
- case DCERPC_AUTH_TYPE_NTLMSSP:
- case DCERPC_AUTH_TYPE_KRB5:
-+ case DCERPC_AUTH_TYPE_SCHANNEL:
- gensec_security = talloc_get_type_abort(auth->auth_ctx,
- struct gensec_security);
- *auth_len = gensec_sig_size(gensec_security, max_len);
- break;
--
-- case DCERPC_AUTH_TYPE_SCHANNEL:
-- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
-- struct schannel_state);
-- *auth_len = netsec_outgoing_sig_size(schannel_auth);
-- break;
- default:
- return NT_STATUS_INVALID_PARAMETER;
- }
-@@ -548,7 +542,6 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
- NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
- size_t pad_len, DATA_BLOB *rpc_out)
- {
-- struct schannel_state *schannel_auth;
- struct gensec_security *gensec_security;
- char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
- DATA_BLOB auth_info;
-@@ -600,19 +593,13 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
- case DCERPC_AUTH_TYPE_SPNEGO:
- case DCERPC_AUTH_TYPE_KRB5:
- case DCERPC_AUTH_TYPE_NTLMSSP:
-+ case DCERPC_AUTH_TYPE_SCHANNEL:
- gensec_security = talloc_get_type_abort(auth->auth_ctx,
- struct gensec_security);
- status = add_generic_auth_footer(gensec_security,
- auth->auth_level,
- rpc_out);
- break;
-- case DCERPC_AUTH_TYPE_SCHANNEL:
-- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
-- struct schannel_state);
-- status = add_schannel_auth_footer(schannel_auth,
-- auth->auth_level,
-- rpc_out);
-- break;
- default:
- status = NT_STATUS_INVALID_PARAMETER;
- break;
-@@ -640,7 +627,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- DATA_BLOB *raw_pkt,
- size_t *pad_len)
- {
-- struct schannel_state *schannel_auth;
- struct gensec_security *gensec_security;
- NTSTATUS status;
- struct dcerpc_auth auth_info;
-@@ -710,6 +696,7 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- case DCERPC_AUTH_TYPE_SPNEGO:
- case DCERPC_AUTH_TYPE_KRB5:
- case DCERPC_AUTH_TYPE_NTLMSSP:
-+ case DCERPC_AUTH_TYPE_SCHANNEL:
-
- DEBUG(10, ("GENSEC auth\n"));
-
-@@ -723,22 +710,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- return status;
- }
- break;
--
-- case DCERPC_AUTH_TYPE_SCHANNEL:
--
-- DEBUG(10, ("SCHANNEL auth\n"));
--
-- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
-- struct schannel_state);
-- status = get_schannel_auth_footer(pkt, schannel_auth,
-- auth->auth_level,
-- &data, &full_pkt,
-- &auth_info.credentials);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
-- break;
--
- default:
- DEBUG(0, ("process_request_pdu: "
- "unknown auth type %u set.\n",
---
-1.9.3
-
-
-From cfa396d153cedb9b10356540a479ff299c480cae Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 19 Sep 2013 11:03:31 +0200
-Subject: [PATCH 102/249] s3-rpc_cli: remove unused schannel calls from
- dcerpc_helpers.c
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 639f60b1513a8c877d307ed86b7748250821fb3f)
----
- source3/librpc/rpc/dcerpc.h | 3 -
- source3/librpc/rpc/dcerpc_helpers.c | 124 ------------------------------------
- 2 files changed, 127 deletions(-)
-
-diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
-index b3ae3b4..38d59cd 100644
---- a/source3/librpc/rpc/dcerpc.h
-+++ b/source3/librpc/rpc/dcerpc.h
-@@ -60,9 +60,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
- const DATA_BLOB *blob,
- struct ncacn_packet *r,
- bool bigendian);
--NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
-- struct NL_AUTH_MESSAGE *r,
-- DATA_BLOB *blob);
- NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
- enum dcerpc_AuthType auth_type,
- enum dcerpc_AuthLevel auth_level,
-diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
-index b9e05cb..2400bfd 100644
---- a/source3/librpc/rpc/dcerpc_helpers.c
-+++ b/source3/librpc/rpc/dcerpc_helpers.c
-@@ -21,9 +21,6 @@
- #include "includes.h"
- #include "librpc/rpc/dcerpc.h"
- #include "librpc/gen_ndr/ndr_dcerpc.h"
--#include "librpc/gen_ndr/ndr_schannel.h"
--#include "../libcli/auth/schannel.h"
--#include "../libcli/auth/spnego.h"
- #include "librpc/crypto/gse.h"
- #include "auth/gensec/gensec.h"
-
-@@ -135,34 +132,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
- }
-
- /**
--* @brief NDR Encodes a NL_AUTH_MESSAGE
--*
--* @param mem_ctx The memory context the blob will be allocated on
--* @param r The NL_AUTH_MESSAGE to encode
--* @param blob [out] The encoded blob if successful
--*
--* @return a NTSTATUS error code
--*/
--NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
-- struct NL_AUTH_MESSAGE *r,
-- DATA_BLOB *blob)
--{
-- enum ndr_err_code ndr_err;
--
-- ndr_err = ndr_push_struct_blob(blob, mem_ctx, r,
-- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
-- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- return ndr_map_error2ntstatus(ndr_err);
-- }
--
-- if (DEBUGLEVEL >= 10) {
-- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, r);
-- }
--
-- return NT_STATUS_OK;
--}
--
--/**
- * @brief NDR Encodes a dcerpc_auth structure
- *
- * @param mem_ctx The memory context the blob will be allocated on
-@@ -437,99 +406,6 @@ static NTSTATUS get_generic_auth_footer(struct gensec_security *gensec_security,
- }
- }
-
--/*******************************************************************
-- Create and add the schannel sign/seal auth data.
-- ********************************************************************/
--
--static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
-- enum dcerpc_AuthLevel auth_level,
-- DATA_BLOB *rpc_out)
--{
-- uint8_t *data_p = rpc_out->data + DCERPC_RESPONSE_LENGTH;
-- size_t data_and_pad_len = rpc_out->length
-- - DCERPC_RESPONSE_LENGTH
-- - DCERPC_AUTH_TRAILER_LENGTH;
-- DATA_BLOB auth_blob;
-- NTSTATUS status;
--
-- if (!sas) {
-- return NT_STATUS_INVALID_PARAMETER;
-- }
--
-- switch (auth_level) {
-- case DCERPC_AUTH_LEVEL_PRIVACY:
-- status = netsec_outgoing_packet(sas,
-- rpc_out->data,
-- true,
-- data_p,
-- data_and_pad_len,
-- &auth_blob);
-- break;
-- case DCERPC_AUTH_LEVEL_INTEGRITY:
-- status = netsec_outgoing_packet(sas,
-- rpc_out->data,
-- false,
-- data_p,
-- data_and_pad_len,
-- &auth_blob);
-- break;
-- default:
-- status = NT_STATUS_INTERNAL_ERROR;
-- break;
-- }
--
-- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
-- nt_errstr(status)));
-- return status;
-- }
--
-- if (DEBUGLEVEL >= 10) {
-- dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_blob);
-- }
--
-- /* Finally attach the blob. */
-- if (!data_blob_append(NULL, rpc_out,
-- auth_blob.data, auth_blob.length)) {
-- return NT_STATUS_NO_MEMORY;
-- }
-- data_blob_free(&auth_blob);
--
-- return NT_STATUS_OK;
--}
--
--/*******************************************************************
-- Check/unseal the Schannel auth data. (Unseal in place).
-- ********************************************************************/
--
--static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
-- struct schannel_state *auth_state,
-- enum dcerpc_AuthLevel auth_level,
-- DATA_BLOB *data, DATA_BLOB *full_pkt,
-- DATA_BLOB *auth_token)
--{
-- switch (auth_level) {
-- case DCERPC_AUTH_LEVEL_PRIVACY:
-- /* Data portion is encrypted. */
-- return netsec_incoming_packet(auth_state,
-- true,
-- data->data,
-- data->length,
-- auth_token);
--
-- case DCERPC_AUTH_LEVEL_INTEGRITY:
-- /* Data is signed. */
-- return netsec_incoming_packet(auth_state,
-- false,
-- data->data,
-- data->length,
-- auth_token);
--
-- default:
-- return NT_STATUS_INVALID_PARAMETER;
-- }
--}
--
- /**
- * @brief Append an auth footer according to what is the current mechanism
- *
---
-1.9.3
-
-
-From 3c10a3501c04e1f5f9bd2bb1418b95b4b17248a8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 19 Sep 2013 11:04:19 +0200
-Subject: [PATCH 103/249] s3-rpc_cli: remove unused schannel calls from
- cli_pipe.c
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 45949d721892a0e8a6b1a76e221c6b3bfd6a872f)
----
- source3/rpc_client/cli_pipe.c | 76 -------------------------------------------
- 1 file changed, 76 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 8a642e2..b73f2f2 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -22,11 +22,8 @@
- #include "includes.h"
- #include "../lib/util/tevent_ntstatus.h"
- #include "librpc/gen_ndr/ndr_epmapper_c.h"
--#include "../librpc/gen_ndr/ndr_schannel.h"
- #include "../librpc/gen_ndr/ndr_dssetup.h"
- #include "../libcli/auth/schannel.h"
--#include "../libcli/auth/spnego.h"
--#include "../auth/ntlmssp/ntlmssp.h"
- #include "auth_generic.h"
- #include "librpc/gen_ndr/ndr_dcerpc.h"
- #include "librpc/gen_ndr/ndr_netlogon_c.h"
-@@ -1018,42 +1015,6 @@ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
- }
-
- /*******************************************************************
-- Creates schannel auth bind.
-- ********************************************************************/
--
--static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
-- DATA_BLOB *auth_token)
--{
-- NTSTATUS status;
-- struct NL_AUTH_MESSAGE r;
--
-- if (!cli->auth->user_name || !cli->auth->user_name[0]) {
-- return NT_STATUS_INVALID_PARAMETER_MIX;
-- }
--
-- if (!cli->auth->domain || !cli->auth->domain[0]) {
-- return NT_STATUS_INVALID_PARAMETER_MIX;
-- }
--
-- /*
-- * Now marshall the data into the auth parse_struct.
-- */
--
-- r.MessageType = NL_NEGOTIATE_REQUEST;
-- r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
-- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
-- r.oem_netbios_domain.a = cli->auth->domain;
-- r.oem_netbios_computer.a = cli->auth->user_name;
--
-- status = dcerpc_push_schannel_bind(cli, &r, auth_token);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
-- return NT_STATUS_OK;
--}
--
--/*******************************************************************
- Creates the internals of a DCE/RPC bind request or alter context PDU.
- ********************************************************************/
-
-@@ -2243,43 +2204,6 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
- return status;
- }
-
--static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
-- const char *domain,
-- enum dcerpc_AuthLevel auth_level,
-- struct netlogon_creds_CredentialState *creds,
-- struct pipe_auth_data **presult)
--{
-- struct schannel_state *schannel_auth;
-- struct pipe_auth_data *result;
--
-- result = talloc(mem_ctx, struct pipe_auth_data);
-- if (result == NULL) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
-- result->auth_level = auth_level;
--
-- result->user_name = talloc_strdup(result, creds->computer_name);
-- result->domain = talloc_strdup(result, domain);
-- if ((result->user_name == NULL) || (result->domain == NULL)) {
-- goto fail;
-- }
--
-- schannel_auth = netsec_create_state(result, creds, true /* initiator */);
-- if (schannel_auth == NULL) {
-- goto fail;
-- }
--
-- result->auth_ctx = schannel_auth;
-- *presult = result;
-- return NT_STATUS_OK;
--
-- fail:
-- TALLOC_FREE(result);
-- return NT_STATUS_NO_MEMORY;
--}
--
- /**
- * Create an rpc pipe client struct, connecting to a tcp port.
- */
---
-1.9.3
-
-
-From e4b33d6311e051501815199bd6c6dbba33f1bc55 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 19 Sep 2013 11:05:21 +0200
-Subject: [PATCH 104/249] s3-rpc_srv: remove unused schannel calls from
- srv_pipe.c
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Thu Sep 19 12:59:04 CEST 2013 on sn-devel-104
-(cherry picked from commit 6965f918c04328535c55a0ef9b7fe6392fba193a)
----
- source3/rpc_server/srv_pipe.c | 116 ------------------------------------------
- 1 file changed, 116 deletions(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index fd7a90a..06752a8 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -30,11 +30,8 @@
- #include "includes.h"
- #include "system/filesys.h"
- #include "srv_pipe_internal.h"
--#include "../librpc/gen_ndr/ndr_schannel.h"
- #include "../librpc/gen_ndr/dcerpc.h"
- #include "../librpc/rpc/rpc_common.h"
--#include "../libcli/auth/schannel.h"
--#include "../libcli/auth/spnego.h"
- #include "dcesrv_auth_generic.h"
- #include "rpc_server.h"
- #include "rpc_dce.h"
-@@ -415,119 +412,6 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
- }
-
- /*******************************************************************
-- Handle an schannel bind auth.
--*******************************************************************/
--
--static bool pipe_schannel_auth_bind(struct pipes_struct *p,
-- TALLOC_CTX *mem_ctx,
-- struct dcerpc_auth *auth_info,
-- DATA_BLOB *response)
--{
-- struct NL_AUTH_MESSAGE neg;
-- struct NL_AUTH_MESSAGE reply;
-- bool ret;
-- NTSTATUS status;
-- struct netlogon_creds_CredentialState *creds;
-- enum ndr_err_code ndr_err;
-- struct schannel_state *schannel_auth;
-- struct loadparm_context *lp_ctx;
--
-- ndr_err = ndr_pull_struct_blob(
-- &auth_info->credentials, mem_ctx, &neg,
-- (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
-- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
-- return false;
-- }
--
-- if (DEBUGLEVEL >= 10) {
-- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
-- }
--
-- if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
-- DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
-- return false;
-- }
--
-- lp_ctx = loadparm_init_s3(p, loadparm_s3_helpers());
-- if (!lp_ctx) {
-- DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
-- return false;
-- }
--
-- /*
-- * The neg.oem_netbios_computer.a key here must match the remote computer name
-- * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
-- * operations that use credentials.
-- */
--
-- become_root();
-- status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
-- neg.oem_netbios_computer.a, &creds);
-- unbecome_root();
--
-- talloc_unlink(p, lp_ctx);
-- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
-- return False;
-- }
--
-- schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
-- TALLOC_FREE(creds);
-- if (!schannel_auth) {
-- return False;
-- }
--
-- /*
-- * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
-- * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
-- * struct of the person who opened the pipe. I need to test this further. JRA.
-- *
-- * VL. As we are mapping this to guest set the generic key
-- * "SystemLibraryDTC" key here. It's a bit difficult to test against
-- * W2k3, as it does not allow schannel binds against SAMR and LSA
-- * anymore.
-- */
--
-- ret = session_info_set_session_key(p->session_info, generic_session_key());
--
-- if (!ret) {
-- DEBUG(0, ("session_info_set_session_key failed\n"));
-- return false;
-- }
--
-- /*** SCHANNEL verifier ***/
--
-- reply.MessageType = NL_NEGOTIATE_RESPONSE;
-- reply.Flags = 0;
-- reply.Buffer.dummy = 5; /* ??? actually I don't think
-- * this has any meaning
-- * here - gd */
--
-- ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
-- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
-- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
-- return false;
-- }
--
-- if (DEBUGLEVEL >= 10) {
-- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
-- }
--
-- DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
-- neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
--
-- /* We're finished with this bind - no more packets. */
-- p->auth.auth_ctx = schannel_auth;
-- p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
--
-- p->pipe_bound = True;
--
-- return True;
--}
--
--/*******************************************************************
- Handle an NTLMSSP bind auth.
- *******************************************************************/
-
---
-1.9.3
-
-
-From 68fbdf567cb7d0bc3550b826204c0708a771a4dc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 12 Aug 2013 17:22:15 +0200
-Subject: [PATCH 105/249] librpc/ndr: call ndr_table_list() from all ndr_X
- functions.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 88c1dbf722889a2d7379cdcbac1ce9b140a42356)
----
- librpc/ndr/ndr_table.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
-index 7ca0417..01d9094 100644
---- a/librpc/ndr/ndr_table.c
-+++ b/librpc/ndr/ndr_table.c
-@@ -73,7 +73,7 @@ const char *ndr_interface_name(const struct GUID *uuid, uint32_t if_version)
- int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
- {
- const struct ndr_interface_list *l;
-- for (l=ndr_interfaces;l;l=l->next){
-+ for (l=ndr_table_list();l;l=l->next){
- if (GUID_equal(&l->table->syntax_id.uuid, uuid) &&
- l->table->syntax_id.if_version == if_version) {
- return l->table->num_calls;
-@@ -89,7 +89,7 @@ int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
- const struct ndr_interface_table *ndr_table_by_name(const char *name)
- {
- const struct ndr_interface_list *l;
-- for (l=ndr_interfaces;l;l=l->next) {
-+ for (l=ndr_table_list();l;l=l->next) {
- if (strcasecmp(l->table->name, name) == 0) {
- return l->table;
- }
-@@ -103,7 +103,7 @@ const struct ndr_interface_table *ndr_table_by_name(const char *name)
- const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
- {
- const struct ndr_interface_list *l;
-- for (l=ndr_interfaces;l;l=l->next) {
-+ for (l=ndr_table_list();l;l=l->next) {
- if (GUID_equal(&l->table->syntax_id.uuid, uuid)) {
- return l->table;
- }
---
-1.9.3
-
-
-From c936c80f7e567bab6fc749fb35e60176fca020af Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 8 Aug 2013 17:34:56 +0200
-Subject: [PATCH 106/249] librpc/ndr: make sure ndr_table_list() always calls
- ndr_init_table() first.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 21200b12dc14673f9a610c5798635b6052370dbe)
----
- librpc/ndr/ndr_table.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
-index 01d9094..f73b9fc 100644
---- a/librpc/ndr/ndr_table.c
-+++ b/librpc/ndr/ndr_table.c
-@@ -116,6 +116,7 @@ const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
- */
- const struct ndr_interface_list *ndr_table_list(void)
- {
-+ ndr_table_init();
- return ndr_interfaces;
- }
-
---
-1.9.3
-
-
-From 2ced3243b3589b673967452a6401d665dd514525 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 8 Aug 2013 17:40:22 +0200
-Subject: [PATCH 107/249] s3-rpc: use table->name directly in DEBUG contexts.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit a94e278883c58b35d383753e86135ff6a1d14ec7)
----
- source3/lib/netapi/cm.c | 2 +-
- source3/rpc_client/cli_pipe.c | 7 +++----
- 2 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
-index 1cfdccf..bb5d6b2 100644
---- a/source3/lib/netapi/cm.c
-+++ b/source3/lib/netapi/cm.c
-@@ -254,7 +254,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
- status = pipe_cm_open(ctx, ipc, table, &result);
- if (!NT_STATUS_IS_OK(status)) {
- libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
-- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
-+ table->name,
- get_friendly_nt_error_msg(status));
- return WERR_DEST_NOT_FOUND;
- }
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index b73f2f2..64e7f1c 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2692,8 +2692,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
- }
- DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
- "%s failed with error %s\n",
-- get_pipe_name_from_syntax(talloc_tos(),
-- &table->syntax_id),
-+ table->name,
- nt_errstr(status) ));
- TALLOC_FREE(result);
- return status;
-@@ -2701,7 +2700,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
-
- DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
- "%s and bound anonymously.\n",
-- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
-+ table->name,
- result->desthost));
-
- *presult = result;
-@@ -2946,7 +2945,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- done:
- DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
- "for domain %s and bound using schannel.\n",
-- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
-+ table->name,
- rpccli->desthost, domain));
-
- *_rpccli = rpccli;
---
-1.9.3
-
-
-From cd864f1a3748c219df78600fc826a6e1d81fa07d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 18 Sep 2013 10:58:16 +0200
-Subject: [PATCH 108/249] s3-rpc: use ndr_interface_name() instead of
- get_pipe_name_from_syntax() in DEBUG.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 3135533710b2a1b64aaf6b10d30b86f3c004657d)
----
- source3/rpc_server/rpc_handles.c | 15 +++++++++------
- source3/rpc_server/srv_pipe.c | 22 ++++++++++++++--------
- source3/rpc_server/srv_pipe_hnd.c | 16 +++++++++++-----
- source3/wscript_build | 3 ++-
- 4 files changed, 36 insertions(+), 20 deletions(-)
-
-diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
-index 70c3919..409299a 100644
---- a/source3/rpc_server/rpc_handles.c
-+++ b/source3/rpc_server/rpc_handles.c
-@@ -27,6 +27,7 @@
- #include "rpc_server/rpc_pipes.h"
- #include "../libcli/security/security.h"
- #include "lib/tsocket/tsocket.h"
-+#include "librpc/ndr/ndr_table.h"
-
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_RPC_SRV
-@@ -218,7 +219,8 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
-
- DEBUG(10,("init_pipe_handle_list: created handle list for "
- "pipe %s\n",
-- get_pipe_name_from_syntax(talloc_tos(), syntax)));
-+ ndr_interface_name(&syntax->uuid,
-+ syntax->if_version)));
- }
-
- /*
-@@ -235,7 +237,7 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
-
- DEBUG(10,("init_pipe_handle_list: pipe_handles ref count = %lu for "
- "pipe %s\n", (unsigned long)p->pipe_handles->pipe_ref_count,
-- get_pipe_name_from_syntax(talloc_tos(), syntax)));
-+ ndr_interface_name(&syntax->uuid, syntax->if_version)));
-
- return True;
- }
-@@ -412,8 +414,8 @@ void close_policy_by_pipe(struct pipes_struct *p)
- TALLOC_FREE(p->pipe_handles);
-
- DEBUG(10,("Deleted handle list for RPC connection %s\n",
-- get_pipe_name_from_syntax(talloc_tos(),
-- &p->contexts->syntax)));
-+ ndr_interface_name(&p->contexts->syntax.uuid,
-+ p->contexts->syntax.if_version)));
- }
- }
-
-@@ -456,8 +458,9 @@ void *_policy_handle_create(struct pipes_struct *p, struct policy_handle *hnd,
- if (p->pipe_handles->count > MAX_OPEN_POLS) {
- DEBUG(0, ("ERROR: Too many handles (%d) for RPC connection %s\n",
- (int) p->pipe_handles->count,
-- get_pipe_name_from_syntax(talloc_tos(),
-- &p->contexts->syntax)));
-+ ndr_interface_name(&p->contexts->syntax.uuid,
-+ p->contexts->syntax.if_version)));
-+
- *pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
- return NULL;
- }
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 06752a8..19dbc37 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -41,6 +41,7 @@
- #include "rpc_server/srv_pipe.h"
- #include "rpc_server/rpc_contexts.h"
- #include "lib/param/param.h"
-+#include "librpc/ndr/ndr_table.h"
-
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_RPC_SRV
-@@ -336,7 +337,8 @@ static bool check_bind_req(struct pipes_struct *p,
- bool ok;
-
- DEBUG(3,("check_bind_req for %s\n",
-- get_pipe_name_from_syntax(talloc_tos(), abstract)));
-+ ndr_interface_name(&abstract->uuid,
-+ abstract->if_version)));
-
- /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
- if (rpc_srv_pipe_exists_by_id(abstract) &&
-@@ -580,7 +582,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- if (NT_STATUS_IS_ERR(status)) {
- DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
- "%s in bind request.\n",
-- get_pipe_name_from_syntax(talloc_tos(), &id)));
-+ ndr_interface_name(&id.uuid,
-+ id.if_version)));
-
- return setup_bind_nak(p, pkt);
- }
-@@ -595,8 +598,10 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- } else {
- DEBUG(0, ("module %s doesn't provide functions for "
- "pipe %s!\n",
-- get_pipe_name_from_syntax(talloc_tos(), &id),
-- get_pipe_name_from_syntax(talloc_tos(), &id)));
-+ ndr_interface_name(&id.uuid,
-+ id.if_version),
-+ ndr_interface_name(&id.uuid,
-+ id.if_version)));
- return setup_bind_nak(p, pkt);
- }
- }
-@@ -1206,7 +1211,8 @@ static bool api_pipe_request(struct pipes_struct *p,
- TALLOC_CTX *frame = talloc_stackframe();
-
- DEBUG(5, ("Requested %s rpc service\n",
-- get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
-+ ndr_interface_name(&pipe_fns->syntax.uuid,
-+ pipe_fns->syntax.if_version)));
-
- ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
- &pipe_fns->syntax);
-@@ -1237,7 +1243,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
-
- /* interpret the command */
- DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
-- get_pipe_name_from_syntax(talloc_tos(), syntax),
-+ ndr_interface_name(&syntax->uuid, syntax->if_version),
- pkt->u.request.opnum));
-
- if (DEBUGLEVEL >= 50) {
-@@ -1276,7 +1282,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
- /* do the actual command */
- if(!api_rpc_cmds[fn_num].fn(p)) {
- DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
-- get_pipe_name_from_syntax(talloc_tos(), syntax),
-+ ndr_interface_name(&syntax->uuid, syntax->if_version),
- api_rpc_cmds[fn_num].name));
- data_blob_free(&p->out_data.rdata);
- return False;
-@@ -1299,7 +1305,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
- }
-
- DEBUG(5,("api_rpcTNP: called %s successfully\n",
-- get_pipe_name_from_syntax(talloc_tos(), syntax)));
-+ ndr_interface_name(&syntax->uuid, syntax->if_version)));
-
- /* Check for buffer underflow in rpc parsing */
- if ((DEBUGLEVEL >= 10) &&
-diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
-index 3f8ff44..fcbfa77 100644
---- a/source3/rpc_server/srv_pipe_hnd.c
-+++ b/source3/rpc_server/srv_pipe_hnd.c
-@@ -30,6 +30,7 @@
- #include "rpc_server/rpc_config.h"
- #include "../lib/tsocket/tsocket.h"
- #include "../lib/util/tevent_ntstatus.h"
-+#include "librpc/ndr/ndr_table.h"
-
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_RPC_SRV
-@@ -281,7 +282,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
- }
-
- DEBUG(6,(" name: %s len: %u\n",
-- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
-+ ndr_interface_name(&p->contexts->syntax.uuid,
-+ p->contexts->syntax.if_version),
- (unsigned int)n));
-
- /*
-@@ -299,7 +301,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
- DEBUG(5,("read_from_pipe: too large read (%u) requested on "
- "pipe %s. We can only service %d sized reads.\n",
- (unsigned int)n,
-- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
-+ ndr_interface_name(&p->contexts->syntax.uuid,
-+ p->contexts->syntax.if_version),
- RPC_MAX_PDU_FRAG_LEN ));
- n = RPC_MAX_PDU_FRAG_LEN;
- }
-@@ -320,7 +323,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
-
- DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, "
- "current_pdu_sent = %u returning %d bytes.\n",
-- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
-+ ndr_interface_name(&p->contexts->syntax.uuid,
-+ p->contexts->syntax.if_version),
- (unsigned int)p->out_data.frag.length,
- (unsigned int)p->out_data.current_pdu_sent,
- (int)data_returned));
-@@ -341,7 +345,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
-
- DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length "
- "= %u, p->out_data.rdata.length = %u.\n",
-- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
-+ ndr_interface_name(&p->contexts->syntax.uuid,
-+ p->contexts->syntax.if_version),
- (int)p->fault_state,
- (unsigned int)p->out_data.data_sent_length,
- (unsigned int)p->out_data.rdata.length));
-@@ -363,7 +368,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
-
- if(!create_next_pdu(p)) {
- DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n",
-- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax)));
-+ ndr_interface_name(&p->contexts->syntax.uuid,
-+ p->contexts->syntax.if_version)));
- return -1;
- }
-
-diff --git a/source3/wscript_build b/source3/wscript_build
-index 0bf84e2..bb2e928 100755
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -672,7 +672,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
- deps='''ndr ndr-standard
- RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
- LIBTSOCKET gse dcerpc-binding
-- libsmb''',
-+ libsmb
-+ ndr-table''',
- vars=locals(),
- private_library=True)
-
---
-1.9.3
-
-
-From 6e6ba9bb34ac4e1d55056ef82e4bad8ab2d65b0d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 8 Aug 2013 17:33:29 +0200
-Subject: [PATCH 109/249] librpc: add dcerpc_default_transport_endpoint()
- function.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 40ee3d8a5f7439b90f1ebf5e40535fad51038fe6)
----
- librpc/rpc/dcerpc_util.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++
- librpc/rpc/rpc_common.h | 3 +++
- 2 files changed, 58 insertions(+)
-
-diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
-index 0b9cca3..4046f32 100644
---- a/librpc/rpc/dcerpc_util.c
-+++ b/librpc/rpc/dcerpc_util.c
-@@ -332,3 +332,58 @@ NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
- tevent_req_received(req);
- return NT_STATUS_OK;
- }
-+
-+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
-+ enum dcerpc_transport_t transport,
-+ const struct ndr_interface_table *table)
-+{
-+ NTSTATUS status;
-+ const char *p = NULL;
-+ const char *endpoint = NULL;
-+ int i;
-+ struct dcerpc_binding *default_binding = NULL;
-+ TALLOC_CTX *frame = talloc_stackframe();
-+
-+ /* Find one of the default pipes for this interface */
-+
-+ for (i = 0; i < table->endpoints->count; i++) {
-+
-+ status = dcerpc_parse_binding(frame, table->endpoints->names[i],
-+ &default_binding);
-+ if (NT_STATUS_IS_OK(status)) {
-+ if (transport == NCA_UNKNOWN &&
-+ default_binding->endpoint != NULL) {
-+ p = default_binding->endpoint;
-+ break;
-+ }
-+ if (default_binding->transport == transport &&
-+ default_binding->endpoint != NULL) {
-+ p = default_binding->endpoint;
-+ break;
-+ }
-+ }
-+ }
-+
-+ if (i == table->endpoints->count || p == NULL) {
-+ goto done;
-+ }
-+
-+ /*
-+ * extract the pipe name without \\pipe from for example
-+ * ncacn_np:[\\pipe\\epmapper]
-+ */
-+ if (default_binding->transport == NCACN_NP) {
-+ if (strncasecmp(p, "\\pipe\\", 6) == 0) {
-+ p += 6;
-+ }
-+ if (strncmp(p, "\\", 1) == 0) {
-+ p += 1;
-+ }
-+ }
-+
-+ endpoint = talloc_strdup(mem_ctx, p);
-+
-+ done:
-+ talloc_free(frame);
-+ return endpoint;
-+}
-diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
-index e2b3755..d2816f5 100644
---- a/librpc/rpc/rpc_common.h
-+++ b/librpc/rpc/rpc_common.h
-@@ -143,6 +143,9 @@ void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v);
- uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob);
- void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v);
- uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob);
-+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
-+ enum dcerpc_transport_t transport,
-+ const struct ndr_interface_table *table);
-
- /**
- * @brief Pull a dcerpc_auth structure, taking account of any auth
---
-1.9.3
-
-
-From a71f6912117ef5054cba4346f8bfd555d70d7837 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 18 Sep 2013 10:59:14 +0200
-Subject: [PATCH 110/249] s3-rpc: use dcerpc_default_transport_endpoint
- function.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit b73e2d927b2221cb3fde8776789c8ca085cf2b8f)
----
- source3/rpc_client/rpc_transport_np.c | 4 +++-
- source3/rpc_server/rpc_ncacn_np.c | 12 ++++++++++--
- source3/rpc_server/srv_pipe.c | 28 +++++++++++++++++++++-------
- 3 files changed, 34 insertions(+), 10 deletions(-)
-
-diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
-index c0f313e..91943f4 100644
---- a/source3/rpc_client/rpc_transport_np.c
-+++ b/source3/rpc_client/rpc_transport_np.c
-@@ -22,6 +22,7 @@
- #include "rpc_client/rpc_transport.h"
- #include "libsmb/cli_np_tstream.h"
- #include "client.h"
-+#include "librpc/ndr/ndr_table.h"
-
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_RPC_CLI
-@@ -55,7 +56,8 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
- state->ev = ev;
- state->cli = cli;
- state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
-- state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
-+ state->pipe_name = dcerpc_default_transport_endpoint(state, NCACN_NP,
-+ table);
- if (tevent_req_nomem(state->pipe_name, req)) {
- return tevent_req_post(req, ev);
- }
-diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
-index 7389b3e..46b77fd 100644
---- a/source3/rpc_server/rpc_ncacn_np.c
-+++ b/source3/rpc_server/rpc_ncacn_np.c
-@@ -36,6 +36,7 @@
- #include "../lib/util/tevent_ntstatus.h"
- #include "rpc_contexts.h"
- #include "rpc_server/rpc_config.h"
-+#include "librpc/ndr/ndr_table.h"
-
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_RPC_SRV
-@@ -54,8 +55,15 @@ struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
- struct pipe_rpc_fns *context_fns;
- const char *pipe_name;
- int ret;
-+ const struct ndr_interface_table *table;
-
-- pipe_name = get_pipe_name_from_syntax(talloc_tos(), syntax);
-+ table = ndr_table_by_uuid(&syntax->uuid);
-+ if (table == NULL) {
-+ DEBUG(0,("unknown interface\n"));
-+ return NULL;
-+ }
-+
-+ pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
-
- DEBUG(4,("Create pipe requested %s\n", pipe_name));
-
-@@ -783,7 +791,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
-+ pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
- if (pipe_name == NULL) {
- status = NT_STATUS_INVALID_PARAMETER;
- goto done;
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 19dbc37..5f834fb 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -552,6 +552,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- struct dcerpc_ack_ctx bind_ack_ctx;
- DATA_BLOB auth_resp = data_blob_null;
- DATA_BLOB auth_blob = data_blob_null;
-+ const struct ndr_interface_table *table;
-
- /* No rebinds on a bound pipe - use alter context. */
- if (p->pipe_bound) {
-@@ -569,15 +570,21 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- * that this is a pipe name we support.
- */
- id = pkt->u.bind.ctx_list[0].abstract_syntax;
-+
-+ table = ndr_table_by_uuid(&id.uuid);
-+ if (table == NULL) {
-+ DEBUG(0,("unknown interface\n"));
-+ return false;
-+ }
-+
- if (rpc_srv_pipe_exists_by_id(&id)) {
- DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
- rpc_srv_get_pipe_cli_name(&id),
- rpc_srv_get_pipe_srv_name(&id)));
- } else {
- status = smb_probe_module(
-- "rpc", get_pipe_name_from_syntax(
-- talloc_tos(),
-- &id));
-+ "rpc", dcerpc_default_transport_endpoint(pkt,
-+ NCACN_NP, table));
-
- if (NT_STATUS_IS_ERR(status)) {
- DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
-@@ -589,8 +596,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- }
-
- if (rpc_srv_get_pipe_interface_by_cli_name(
-- get_pipe_name_from_syntax(talloc_tos(),
-- &id),
-+ dcerpc_default_transport_endpoint(pkt,
-+ NCACN_NP, table),
- &id)) {
- DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
- rpc_srv_get_pipe_cli_name(&id),
-@@ -1240,16 +1247,23 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
- {
- int fn_num;
- uint32_t offset1;
-+ const struct ndr_interface_table *table;
-
- /* interpret the command */
- DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
- ndr_interface_name(&syntax->uuid, syntax->if_version),
- pkt->u.request.opnum));
-
-+ table = ndr_table_by_uuid(&syntax->uuid);
-+ if (table == NULL) {
-+ DEBUG(0,("unknown interface\n"));
-+ return false;
-+ }
-+
- if (DEBUGLEVEL >= 50) {
- fstring name;
- slprintf(name, sizeof(name)-1, "in_%s",
-- get_pipe_name_from_syntax(talloc_tos(), syntax));
-+ dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
- dump_pdu_region(name, pkt->u.request.opnum,
- &p->in_data.data, 0,
- p->in_data.data.length);
-@@ -1298,7 +1312,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
- if (DEBUGLEVEL >= 50) {
- fstring name;
- slprintf(name, sizeof(name)-1, "out_%s",
-- get_pipe_name_from_syntax(talloc_tos(), syntax));
-+ dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
- dump_pdu_region(name, pkt->u.request.opnum,
- &p->out_data.rdata, offset1,
- p->out_data.rdata.length);
---
-1.9.3
-
-
-From 8bb6f177b210159ea6317b20e2cc12732b4d273a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 7 Aug 2013 17:43:08 +0200
-Subject: [PATCH 111/249] s3-rpc: remove unused source3/librpc/rpc/rpc_common.c
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Fri Sep 20 14:57:06 CEST 2013 on sn-devel-104
-(cherry picked from commit 807628ecac445999e75ec9ea1abdc5f2fde356d6)
----
- source3/librpc/rpc/dcerpc.h | 8 --
- source3/librpc/rpc/rpc_common.c | 209 ----------------------------------------
- source3/wscript_build | 1 -
- 3 files changed, 218 deletions(-)
- delete mode 100644 source3/librpc/rpc/rpc_common.c
-
-diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
-index 38d59cd..b18b7ba 100644
---- a/source3/librpc/rpc/dcerpc.h
-+++ b/source3/librpc/rpc/dcerpc.h
-@@ -85,12 +85,4 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- DATA_BLOB *raw_pkt,
- size_t *pad_len);
-
--/* The following definitions come from librpc/rpc/rpc_common.c */
--
--bool smb_register_ndr_interface(const struct ndr_interface_table *interface);
--const struct ndr_interface_table *get_iface_from_syntax(
-- const struct ndr_syntax_id *syntax);
--const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
-- const struct ndr_syntax_id *syntax);
--
- #endif /* __S3_DCERPC_H__ */
-diff --git a/source3/librpc/rpc/rpc_common.c b/source3/librpc/rpc/rpc_common.c
-deleted file mode 100644
-index 1219b2d..0000000
---- a/source3/librpc/rpc/rpc_common.c
-+++ /dev/null
-@@ -1,209 +0,0 @@
--/*
-- * Unix SMB/CIFS implementation.
-- * RPC Pipe client / server routines
-- * Largely rewritten by Jeremy Allison 2005.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 3 of the License, or
-- * (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, see <http://www.gnu.org/licenses/>.
-- */
--
--#include "includes.h"
--#include "librpc/rpc/dcerpc.h"
--#include "../librpc/gen_ndr/ndr_lsa.h"
--#include "../librpc/gen_ndr/ndr_dssetup.h"
--#include "../librpc/gen_ndr/ndr_samr.h"
--#include "../librpc/gen_ndr/ndr_netlogon.h"
--#include "../librpc/gen_ndr/ndr_srvsvc.h"
--#include "../librpc/gen_ndr/ndr_wkssvc.h"
--#include "../librpc/gen_ndr/ndr_winreg.h"
--#include "../librpc/gen_ndr/ndr_spoolss.h"
--#include "../librpc/gen_ndr/ndr_dfs.h"
--#include "../librpc/gen_ndr/ndr_echo.h"
--#include "../librpc/gen_ndr/ndr_initshutdown.h"
--#include "../librpc/gen_ndr/ndr_svcctl.h"
--#include "../librpc/gen_ndr/ndr_eventlog.h"
--#include "../librpc/gen_ndr/ndr_ntsvcs.h"
--#include "../librpc/gen_ndr/ndr_epmapper.h"
--#include "../librpc/gen_ndr/ndr_drsuapi.h"
--#include "../librpc/gen_ndr/ndr_fsrvp.h"
--
--static const char *get_pipe_name_from_iface(
-- TALLOC_CTX *mem_ctx, const struct ndr_interface_table *interface)
--{
-- int i;
-- const struct ndr_interface_string_array *ep = interface->endpoints;
-- char *p;
--
-- for (i=0; i<ep->count; i++) {
-- if (strncmp(ep->names[i], "ncacn_np:[\\pipe\\", 16) == 0) {
-- break;
-- }
-- }
-- if (i == ep->count) {
-- return NULL;
-- }
--
-- /*
-- * extract the pipe name without \\pipe from for example
-- * ncacn_np:[\\pipe\\epmapper]
-- */
-- p = strchr(ep->names[i]+15, ']');
-- if (p == NULL) {
-- return "PIPE";
-- }
-- return talloc_strndup(mem_ctx, ep->names[i]+15, p - ep->names[i] - 15);
--}
--
--static const struct ndr_interface_table **interfaces;
--
--bool smb_register_ndr_interface(const struct ndr_interface_table *interface)
--{
-- int num_interfaces = talloc_array_length(interfaces);
-- const struct ndr_interface_table **tmp;
-- int i;
--
-- for (i=0; i<num_interfaces; i++) {
-- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id,
-- &interface->syntax_id)) {
-- return true;
-- }
-- }
--
-- tmp = talloc_realloc(NULL, interfaces,
-- const struct ndr_interface_table *,
-- num_interfaces + 1);
-- if (tmp == NULL) {
-- DEBUG(1, ("smb_register_ndr_interface: talloc failed\n"));
-- return false;
-- }
-- interfaces = tmp;
-- interfaces[num_interfaces] = interface;
-- return true;
--}
--
--static bool initialize_interfaces(void)
--{
-- if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_samr)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_wkssvc)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_winreg)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_rpcecho)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_svcctl)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_eventlog)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
-- return false;
-- }
-- if (!smb_register_ndr_interface(&ndr_table_FileServerVssAgent)) {
-- return false;
-- }
-- return true;
--}
--
--const struct ndr_interface_table *get_iface_from_syntax(
-- const struct ndr_syntax_id *syntax)
--{
-- int num_interfaces;
-- int i;
--
-- if (interfaces == NULL) {
-- if (!initialize_interfaces()) {
-- return NULL;
-- }
-- }
-- num_interfaces = talloc_array_length(interfaces);
--
-- for (i=0; i<num_interfaces; i++) {
-- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id, syntax)) {
-- return interfaces[i];
-- }
-- }
--
-- return NULL;
--}
--
--/****************************************************************************
-- Return the pipe name from the interface.
-- ****************************************************************************/
--
--const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
-- const struct ndr_syntax_id *syntax)
--{
-- const struct ndr_interface_table *interface;
-- char *guid_str;
-- const char *result;
--
-- interface = get_iface_from_syntax(syntax);
-- if (interface != NULL) {
-- result = get_pipe_name_from_iface(mem_ctx, interface);
-- if (result != NULL) {
-- return result;
-- }
-- }
--
-- /*
-- * Here we should ask \\epmapper, but for now our code is only
-- * interested in the known pipes mentioned in pipe_names[]
-- */
--
-- guid_str = GUID_string(talloc_tos(), &syntax->uuid);
-- if (guid_str == NULL) {
-- return NULL;
-- }
-- result = talloc_asprintf(mem_ctx, "Interface %s.%d", guid_str,
-- (int)syntax->if_version);
-- TALLOC_FREE(guid_str);
--
-- if (result == NULL) {
-- return "PIPE";
-- }
-- return result;
--}
--
-diff --git a/source3/wscript_build b/source3/wscript_build
-index bb2e928..8126cf6 100755
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -141,7 +141,6 @@ LIBSMB_SRC = '''libsmb/clientgen.c libsmb/cliconnect.c libsmb/clifile.c
-
- LIBMSRPC_SRC = '''
- rpc_client/cli_pipe.c
-- librpc/rpc/rpc_common.c
- rpc_client/rpc_transport_np.c
- rpc_client/rpc_transport_sock.c
- rpc_client/rpc_transport_tstream.c
---
-1.9.3
-
-
-From 2b2d978bd97299371a1fd7798d69ab377a76d389 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Wed, 14 Aug 2013 09:27:59 +0000
-Subject: [PATCH 112/249] winbind3: Fix an invalid free
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This fixes a warning I've never seen before :-)
-
-../source3/winbindd/winbindd_cm.c:781:59: warning: attempt to free a non-heap object ‘machine_krb5_principal’ [-Wfree-nonheap-object]
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Wed Aug 14 14:04:16 CEST 2013 on sn-devel-104
-(cherry picked from commit 5f75814586f2d6f7c2dc8fd9342cb045c1f7e68c)
----
- source3/winbindd/winbindd_cm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index facef64..d868826 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -840,7 +840,7 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
- }
-
- if (!strupper_m(*machine_krb5_principal)) {
-- SAFE_FREE(machine_krb5_principal);
-+ SAFE_FREE(*machine_krb5_principal);
- return NT_STATUS_INVALID_PARAMETER;
- }
- }
---
-1.9.3
-
-
-From 1b88903c4f5931397e22874b3751dd05a03a2dea Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Fri, 11 Oct 2013 13:34:13 +1300
-Subject: [PATCH 113/249] s3-winbindd: Remove undocumented winbindd:socket dir
- parameter
-
-This uses the documeted "winbindd socket directory" parameter instead.
-
-This came about due to the merge of the two smb.conf tables in s3 and
-s4 for the Samba 4.0 release. The s4 code used a real parameter,
-which caused this to be documented, whereas no automatic procedure
-existed to notice the parametric option and the need to document that.
-The fact that this was not used consistently in both codebases is one
-of the many areas of technical debt we still need to pay off here.
-
-Andrew Bartlett
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit e512491552d9ed0dc1005a23ffc8f77ba237f863)
----
- selftest/target/Samba3.pm | 2 +-
- source3/include/proto.h | 1 +
- source3/param/loadparm.c | 1 +
- source3/winbindd/winbindd.c | 9 ++-------
- source3/winbindd/winbindd_proto.h | 1 -
- 5 files changed, 5 insertions(+), 9 deletions(-)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index ba01154..d8f0c27 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -972,7 +972,7 @@ sub provision($$$$$$)
- printing = bsd
- printcap name = /dev/null
-
-- winbindd:socket dir = $wbsockdir
-+ winbindd socket directory = $wbsockdir
- nmbd:socket dir = $nmbdsockdir
- idmap config * : range = 100000-200000
- winbind enum users = yes
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index cbad7ac..53cd59d 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1069,6 +1069,7 @@ char *lp_wins_hook(TALLOC_CTX *ctx);
- const char *lp_template_homedir(void);
- const char *lp_template_shell(void);
- const char *lp_winbind_separator(void);
-+const char *lp_winbindd_socket_directory(void);
- bool lp_winbind_enum_users(void);
- bool lp_winbind_enum_groups(void);
- bool lp_winbind_use_default_domain(void);
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 4b31023..b2804ae 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -961,6 +961,7 @@ static void init_globals(bool reinit_globals)
- string_set(&Globals.szTemplateShell, "/bin/false");
- string_set(&Globals.szTemplateHomedir, "/home/%D/%U");
- string_set(&Globals.szWinbindSeparator, "\\");
-+ string_set(&Globals.szWinbinddSocketDirectory, dyn_WINBINDD_SOCKET_DIR);
-
- string_set(&Globals.szCupsServer, "");
- string_set(&Globals.szIPrintServer, "");
-diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
-index f101e52..69a17bf 100644
---- a/source3/winbindd/winbindd.c
-+++ b/source3/winbindd/winbindd.c
-@@ -189,7 +189,7 @@ static void terminate(bool is_parent)
- char *path = NULL;
-
- if (asprintf(&path, "%s/%s",
-- get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME) > 0) {
-+ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME) > 0) {
- unlink(path);
- SAFE_FREE(path);
- }
-@@ -1067,11 +1067,6 @@ static void winbindd_listen_fde_handler(struct tevent_context *ev,
- * Winbindd socket accessor functions
- */
-
--const char *get_winbind_pipe_dir(void)
--{
-- return lp_parm_const_string(-1, "winbindd", "socket dir", get_dyn_WINBINDD_SOCKET_DIR());
--}
--
- char *get_winbind_priv_pipe_dir(void)
- {
- return state_path(WINBINDD_PRIV_SOCKET_SUBDIR);
-@@ -1092,7 +1087,7 @@ static bool winbindd_setup_listeners(void)
-
- pub_state->privileged = false;
- pub_state->fd = create_pipe_sock(
-- get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
-+ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME, 0755);
- if (pub_state->fd == -1) {
- goto failed;
- }
-diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
-index 3df7d7c..cfc19d0 100644
---- a/source3/winbindd/winbindd_proto.h
-+++ b/source3/winbindd/winbindd_proto.h
-@@ -34,7 +34,6 @@ bool winbindd_setup_stdin_handler(bool parent, bool foreground);
- bool winbindd_setup_sig_hup_handler(const char *lfile);
- bool winbindd_use_idmap_cache(void);
- bool winbindd_use_cache(void);
--const char *get_winbind_pipe_dir(void);
- char *get_winbind_priv_pipe_dir(void);
- struct tevent_context *winbind_event_context(void);
- int main(int argc, char **argv, char **envp);
---
-1.9.3
-
-
-From d0ae2d10385dea4b8fae3d8932d40f546ff8905b Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Mon, 14 Oct 2013 15:33:20 +1300
-Subject: [PATCH 114/249] lib/param: lp_magicchar takes a const struct
- share_params *p so should be FN_LOCAL_PARM_CHAR
-
-This was found when trying to autogenerate prototypes for lp_ functions again.
-
-Andrew Bartlett
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- lib/param/loadparm.c | 2 +-
- lib/param/param_functions.c | 2 +-
- source3/param/loadparm.c | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
-index 455c5e6..4497dbf 100644
---- a/lib/param/loadparm.c
-+++ b/lib/param/loadparm.c
-@@ -314,7 +314,7 @@ static struct loadparm_context *global_loadparm_context;
-
- #define FN_LOCAL_PARM_INTEGER(fn_name, val) FN_LOCAL_INTEGER(fn_name, val)
-
--#define FN_LOCAL_CHAR(fn_name,val) \
-+#define FN_LOCAL_PARM_CHAR(fn_name,val) \
- _PUBLIC_ char lpcfg_ ## fn_name(struct loadparm_service *service, \
- struct loadparm_service *sDefault) { \
- return((service != NULL)? service->val : sDefault->val); \
-diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
-index d9d5df6..60f9c07 100644
---- a/lib/param/param_functions.c
-+++ b/lib/param/param_functions.c
-@@ -147,7 +147,7 @@ FN_LOCAL_INTEGER(aio_write_size, iAioWriteSize)
- FN_LOCAL_INTEGER(map_readonly, iMap_readonly)
- FN_LOCAL_INTEGER(directory_name_cache_size, iDirectoryNameCacheSize)
- FN_LOCAL_INTEGER(smb_encrypt, ismb_encrypt)
--FN_LOCAL_CHAR(magicchar, magic_char)
-+FN_LOCAL_PARM_CHAR(magicchar, magic_char)
- FN_LOCAL_STRING(cups_options, szCupsOptions)
- FN_LOCAL_PARM_BOOL(change_notify, bChangeNotify)
- FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index b2804ae..40f3242 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -1116,7 +1116,7 @@ char *lp_ ## fn_name(TALLOC_CTX *ctx,int i) {return(lp_string((ctx), (LP_SNUM_OK
- bool lp_ ## fn_name(const struct share_params *p) {return(bool)(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
- #define FN_LOCAL_PARM_INTEGER(fn_name,val) \
- int lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
--#define FN_LOCAL_CHAR(fn_name,val) \
-+#define FN_LOCAL_PARM_CHAR(fn_name,val) \
- char lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
-
-
---
-1.9.3
-
-
-From bf5cb3b6c6e2d3171b70fff5deb9a7767d6609a8 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Mon, 14 Oct 2013 13:47:27 +1300
-Subject: [PATCH 115/249] build: Move loadparm-related build rules to
- source3/param/wscript_build
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/param/wscript_build | 32 ++++++++++++++++++++++++++++++++
- source3/wscript_build | 36 ++----------------------------------
- 2 files changed, 34 insertions(+), 34 deletions(-)
- create mode 100644 source3/param/wscript_build
-
-diff --git a/source3/param/wscript_build b/source3/param/wscript_build
-new file mode 100644
-index 0000000..278d5f5
---- /dev/null
-+++ b/source3/param/wscript_build
-@@ -0,0 +1,32 @@
-+#!/usr/bin/env python
-+
-+bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
-+ source='util.c',
-+ deps='talloc')
-+
-+bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
-+ source='loadparm_ctx.c',
-+ deps='''talloc s3_param_h param''')
-+
-+bld.SAMBA_GENERATOR('s3_param_global_h',
-+ source= '../../script/mkparamdefs.pl loadparm.c ../../lib/param/param_functions.c',
-+ target='param_global.h',
-+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
-+
-+bld.SAMBA3_PYTHON('pys3param',
-+ source='pyparam.c',
-+ deps='param',
-+ public_deps='samba-hostconfig pytalloc-util talloc',
-+ realname='samba/samba3/param.so')
-+
-+bld.SAMBA3_SUBSYSTEM('param_service',
-+ source='service.c',
-+ deps = 'USER_UTIL param PRINTING')
-+
-+bld.SAMBA3_BINARY('test_lp_load',
-+ source='test_lp_load.c',
-+ deps='''
-+ talloc
-+ param
-+ popt_samba3''',
-+ install=False)
-diff --git a/source3/wscript_build b/source3/wscript_build
-index 8126cf6..13d15c3 100755
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -751,33 +751,9 @@ bld.SAMBA3_SUBSYSTEM('SERVER_MUTEX',
- source=SERVER_MUTEX_SRC,
- deps='talloc')
-
--bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
-- source=PARAM_UTIL_SRC,
-- deps='talloc')
--
--bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
-- source='param/loadparm_ctx.c',
-- deps='''talloc s3_param_h param''',
-- vars=locals())
--
--bld.SAMBA_GENERATOR('param/param_global_h',
-- source= '../script/mkparamdefs.pl param/loadparm.c ../lib/param/param_functions.c',
-- target='param/param_global.h',
-- rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
--
- bld.SAMBA3_SUBSYSTEM('param',
- source=PARAM_WITHOUT_REG_SRC,
-- deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h param/param_global_h cups''')
--
--bld.SAMBA3_PYTHON('pys3param',
-- source='param/pyparam.c',
-- deps='param',
-- public_deps='samba-hostconfig pytalloc-util talloc',
-- realname='samba/samba3/param.so')
--
--bld.SAMBA3_SUBSYSTEM('param_service',
-- source='param/service.c',
-- deps = 'USER_UTIL param PRINTING')
-+ deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h s3_param_global_h cups''')
-
- bld.SAMBA3_SUBSYSTEM('REGFIO',
- source=REGFIO_SRC,
-@@ -1566,15 +1542,6 @@ bld.SAMBA3_BINARY('rpc_open_tcp',
- install=False,
- vars=locals())
-
--bld.SAMBA3_BINARY('test_lp_load',
-- source=TEST_LP_LOAD_SRC,
-- deps='''
-- talloc
-- param
-- popt_samba3''',
-- install=False,
-- vars=locals())
--
- bld.SAMBA3_BINARY('dbwrap_tool',
- source=DBWRAP_TOOL_SRC,
- deps='''
-@@ -1638,6 +1605,7 @@ bld.RECURSE('librpc/idl')
- bld.RECURSE('libsmb')
- bld.RECURSE('modules')
- bld.RECURSE('pam_smbpass')
-+bld.RECURSE('param')
- bld.RECURSE('passdb')
- bld.RECURSE('rpc_server')
- bld.RECURSE('script')
---
-1.9.3
-
-
-From 281cb415404f7044a4bdbc93a21b2f755cbc74ee Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Mon, 14 Oct 2013 15:34:40 +1300
-Subject: [PATCH 116/249] lib/param: Do not attempt to access the s3 function
- for allocated and subbed string parameters
-
-This allows us not to generate array entries for these, which in turn allows
-us to avoid initialising them. The issue is that we do not have the
-% macro sub context nor a talloc context handy (yet).
-
-Andrew Bartlett
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- lib/param/loadparm.c | 21 ++++++++++-----------
- 1 file changed, 10 insertions(+), 11 deletions(-)
-
-diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
-index 4497dbf..23b45e2 100644
---- a/lib/param/loadparm.c
-+++ b/lib/param/loadparm.c
-@@ -232,7 +232,16 @@ static struct loadparm_context *global_loadparm_context;
- #define lpcfg_default_service global_loadparm_context->sDefault
- #define lpcfg_global_service(i) global_loadparm_context->services[i]
-
--#define FN_GLOBAL_STRING(fn_name,var_name) \
-+#define FN_GLOBAL_STRING(fn_name,var_name) \
-+ _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
-+ if (lp_ctx == NULL) return NULL; \
-+ if (lp_ctx->s3_fns) { \
-+ smb_panic( __location__ ": " #fn_name " not implemented because it is an allocated and substiuted string"); \
-+ } \
-+ return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
-+}
-+
-+#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
- _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
- if (lp_ctx == NULL) return NULL; \
- if (lp_ctx->s3_fns) { \
-@@ -242,16 +251,6 @@ static struct loadparm_context *global_loadparm_context;
- return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
- }
-
--#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
-- _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
-- if (lp_ctx == NULL) return NULL; \
-- if (lp_ctx->s3_fns) { \
-- SMB_ASSERT(lp_ctx->s3_fns->fn_name); \
-- return lp_ctx->s3_fns->fn_name(); \
-- } \
-- return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
-- }
--
- #define FN_GLOBAL_LIST(fn_name,var_name) \
- _PUBLIC_ const char **lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
- if (lp_ctx == NULL) return NULL; \
---
-1.9.3
-
-
-From e610d185d26910e6cb96ddf8507c31c5f1503271 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Mon, 14 Oct 2013 15:36:18 +1300
-Subject: [PATCH 117/249] param: Skip generating hooks for local and string
- parameters
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- script/mks3param.pl | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/script/mks3param.pl b/script/mks3param.pl
-index 4222ca5..799958c 100644
---- a/script/mks3param.pl
-+++ b/script/mks3param.pl
-@@ -108,7 +108,14 @@ sub handle_loadparm($$)
- {
- my ($file,$line) = @_;
-
-- if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
-+ # Local parameters don't need the ->s3_fns because the struct
-+ # loadparm_service is shared and lpcfg_service() checks the ->s3_fns
-+ # hook
-+ #
-+ # STRING isn't handled as we do not yet have a way to pass in a memory context nor
-+ # do we have a good way of dealing with the % macros yet.
-+
-+ if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
- my $scope = $1;
- my $type = $2;
- my $name = $3;
---
-1.9.3
-
-
-From 970290dc75404ab366617210edfca718fe21864b Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Mon, 14 Oct 2013 15:39:10 +1300
-Subject: [PATCH 118/249] s3/param: Autogenerate parameters prototypes again
- after proto.h was frozen
-
-This autogenerates the parameters so that we can keep everything in sync easier,
-particularly when adding new parameters. This will also make it easier to move
-to a fully autogenerated system in the future, as it reduces special cases.
-
-Andrew Bartlett
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- script/mks3param_proto.pl | 199 ++++++++++++++++++++++++++++++++++++++++++++
- source3/include/proto.h | 2 +
- source3/param/wscript_build | 5 ++
- 3 files changed, 206 insertions(+)
- create mode 100644 script/mks3param_proto.pl
-
-diff --git a/script/mks3param_proto.pl b/script/mks3param_proto.pl
-new file mode 100644
-index 0000000..446e343
---- /dev/null
-+++ b/script/mks3param_proto.pl
-@@ -0,0 +1,199 @@
-+#!/usr/bin/perl
-+# Generate loadparm interfaces tables for Samba3/Samba4 integration
-+# by Andrew Bartlett
-+# based on mkproto.pl Written by Jelmer Vernooij
-+# based on the original mkproto.sh by Andrew Tridgell
-+
-+use strict;
-+
-+# don't use warnings module as it is not portable enough
-+# use warnings;
-+
-+use Getopt::Long;
-+use File::Basename;
-+use File::Path;
-+
-+#####################################################################
-+# read a file into a string
-+
-+my $file = undef;
-+my $public_define = undef;
-+my $_public = "";
-+my $_private = "";
-+my $public_data = \$_public;
-+my $builddir = ".";
-+my $srcdir = ".";
-+
-+sub public($)
-+{
-+ my ($d) = @_;
-+ $$public_data .= $d;
-+}
-+
-+sub usage()
-+{
-+ print "Usage: mks3param.pl [options] [c files]\n";
-+ print "OPTIONS:\n";
-+ print " --srcdir=path Read files relative to this directory\n";
-+ print " --builddir=path Write file relative to this directory\n";
-+ print " --help Print this help message\n\n";
-+ exit 0;
-+}
-+
-+GetOptions(
-+ 'file=s' => sub { my ($f,$v) = @_; $file = $v; },
-+ 'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
-+ 'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
-+ 'help' => \&usage
-+) or exit(1);
-+
-+sub normalize_define($$)
-+{
-+ my ($define, $file) = @_;
-+
-+ if (not defined($define) and defined($file)) {
-+ $define = "__" . uc($file) . "__";
-+ $define =~ tr{./}{__};
-+ $define =~ tr{\-}{_};
-+ } elsif (not defined($define)) {
-+ $define = '_S3_PARAM_PROTO_H_';
-+ }
-+
-+ return $define;
-+}
-+
-+$public_define = normalize_define($public_define, $file);
-+
-+sub file_load($)
-+{
-+ my($filename) = @_;
-+ local(*INPUTFILE);
-+ open(INPUTFILE, $filename) or return undef;
-+ my($saved_delim) = $/;
-+ undef $/;
-+ my($data) = <INPUTFILE>;
-+ close(INPUTFILE);
-+ $/ = $saved_delim;
-+ return $data;
-+}
-+
-+sub print_header($$)
-+{
-+ my ($file, $header_name) = @_;
-+ $file->("#ifndef $header_name\n");
-+ $file->("#define $header_name\n\n");
-+ $file->("/* This file was automatically generated by mks3param_proto.pl. DO NOT EDIT */\n\n");
-+}
-+
-+sub print_footer($$)
-+{
-+ my ($file, $header_name) = @_;
-+ $file->("\n#endif /* $header_name */\n\n");
-+}
-+
-+sub handle_loadparm($$)
-+{
-+ my ($file,$line) = @_;
-+
-+ my $scope;
-+ my $type;
-+ my $name;
-+ my $var;
-+ my $param;
-+
-+ if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
-+ $scope = $1;
-+ $type = $2;
-+ $name = $3;
-+ $var = $4;
-+ $param = "int";
-+ } elsif ($line =~ /^FN_(GLOBAL|LOCAL)_PARM_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
-+ $scope = $1;
-+ $type = $2;
-+ $name = $3;
-+ $var = $4;
-+ $param = "const struct share_params *p";
-+ } else {
-+ return;
-+ }
-+
-+ my %tmap = (
-+ "BOOL" => "bool ",
-+ "CONST_STRING" => "const char *",
-+ "STRING" => "char *",
-+ "INTEGER" => "int ",
-+ "CHAR" => "char ",
-+ "LIST" => "const char **",
-+ );
-+
-+ my %smap = (
-+ "GLOBAL" => "void",
-+ "LOCAL" => "$param"
-+ );
-+
-+ if (($type eq "STRING") and ($scope eq "GLOBAL")) {
-+ $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx);\n");
-+ } elsif (($type eq "STRING") and ($scope eq "LOCAL")) {
-+ $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx, $smap{$scope});\n");
-+ } else {
-+ $file->("$tmap{$type}lp_$name($smap{$scope});\n");
-+ }
-+}
-+
-+sub process_file($$)
-+{
-+ my ($file, $filename) = @_;
-+
-+ $filename =~ s/\.o$/\.c/g;
-+
-+ if ($filename =~ /^\//) {
-+ open(FH, "<$filename") or die("Failed to open $filename");
-+ } elsif (!open(FH, "< $builddir/$filename")) {
-+ open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
-+ }
-+
-+ my $comment = undef;
-+ my $incomment = 0;
-+ while (my $line = <FH>) {
-+ if ($line =~ /^\/\*\*/) {
-+ $comment = "";
-+ $incomment = 1;
-+ }
-+
-+ if ($incomment) {
-+ $comment .= $line;
-+ if ($line =~ /\*\//) {
-+ $incomment = 0;
-+ }
-+ }
-+
-+ # these are ordered for maximum speed
-+ next if ($line =~ /^\s/);
-+
-+ next unless ($line =~ /\(/);
-+
-+ next if ($line =~ /^\/|[;]/);
-+
-+ if ($line =~ /^FN_/) {
-+ handle_loadparm($file, $line);
-+ }
-+ next;
-+ }
-+
-+ close(FH);
-+}
-+
-+
-+print_header(\&public, $public_define);
-+
-+process_file(\&public, $_) foreach (@ARGV);
-+print_footer(\&public, $public_define);
-+
-+if (not defined($file)) {
-+ print STDOUT $$public_data;
-+}
-+
-+mkpath(dirname($file), 0, 0755);
-+open(PUBLIC, ">$file") or die("Can't open `$file': $!");
-+print PUBLIC "$$public_data";
-+close(PUBLIC);
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 53cd59d..614baa4 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -993,6 +993,8 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
-
- /* The following definitions come from param/loadparm.c */
-
-+#include "source3/param/param_proto.h"
-+
- const char **lp_smb_ports(void);
- const char *lp_dos_charset(void);
- const char *lp_unix_charset(void);
-diff --git a/source3/param/wscript_build b/source3/param/wscript_build
-index 278d5f5..643c27e 100644
---- a/source3/param/wscript_build
-+++ b/source3/param/wscript_build
-@@ -13,6 +13,11 @@ bld.SAMBA_GENERATOR('s3_param_global_h',
- target='param_global.h',
- rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
-
-+bld.SAMBA_GENERATOR('s3_param_proto_h',
-+ source= '../../script/mks3param_proto.pl loadparm.c ../../lib/param/param_functions.c',
-+ target='param_proto.h',
-+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
-+
- bld.SAMBA3_PYTHON('pys3param',
- source='pyparam.c',
- deps='param',
---
-1.9.3
-
-
-From 4f87a4ca65b386e90cca479aabdf9051de2c67e3 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Mon, 14 Oct 2013 15:46:43 +1300
-Subject: [PATCH 119/249] param: Autogenerate s3 lp_ctx glue table
-
-This allows us to use more lpcfg_ functions without adding them
-manually.
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- lib/param/wscript_build | 1 +
- script/mks3param_ctx_table.pl | 139 ++++++++++++++++++++++++++++++++++++++++++
- source3/param/loadparm_ctx.c | 64 +------------------
- source3/param/wscript_build | 5 ++
- 4 files changed, 146 insertions(+), 63 deletions(-)
- create mode 100644 script/mks3param_ctx_table.pl
-
-diff --git a/lib/param/wscript_build b/lib/param/wscript_build
-index 10e05a3..0e1a2e0 100644
---- a/lib/param/wscript_build
-+++ b/lib/param/wscript_build
-@@ -11,6 +11,7 @@ bld.SAMBA_GENERATOR('s3_param_h',
- target='s3_param.h',
- rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
-
-+
- bld.SAMBA_GENERATOR('param_global_h',
- source= '../../script/mkparamdefs.pl loadparm.c param_functions.c',
- target='param_global.h',
-diff --git a/script/mks3param_ctx_table.pl b/script/mks3param_ctx_table.pl
-new file mode 100644
-index 0000000..cfd6e02
---- /dev/null
-+++ b/script/mks3param_ctx_table.pl
-@@ -0,0 +1,139 @@
-+#!/usr/bin/perl
-+# Generate loadparm interfaces tables for Samba3/Samba4 integration
-+# by Andrew Bartlett
-+# based on mkproto.pl Written by Jelmer Vernooij
-+# based on the original mkproto.sh by Andrew Tridgell
-+
-+use strict;
-+
-+# don't use warnings module as it is not portable enough
-+# use warnings;
-+
-+use Getopt::Long;
-+use File::Basename;
-+use File::Path;
-+
-+#####################################################################
-+# read a file into a string
-+
-+my $file = undef;
-+my $public_define = undef;
-+my $_public = "";
-+my $_private = "";
-+my $public_data = \$_public;
-+my $builddir = ".";
-+my $srcdir = ".";
-+
-+sub public($)
-+{
-+ my ($d) = @_;
-+ $$public_data .= $d;
-+}
-+
-+sub usage()
-+{
-+ print "Usage: mks3param.pl [options] [c files]\n";
-+ print "OPTIONS:\n";
-+ print " --srcdir=path Read files relative to this directory\n";
-+ print " --builddir=path Write file relative to this directory\n";
-+ print " --help Print this help message\n\n";
-+ exit 0;
-+}
-+
-+GetOptions(
-+ 'file=s' => sub { my ($f,$v) = @_; $file = $v; },
-+ 'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
-+ 'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
-+ 'help' => \&usage
-+) or exit(1);
-+
-+sub file_load($)
-+{
-+ my($filename) = @_;
-+ local(*INPUTFILE);
-+ open(INPUTFILE, $filename) or return undef;
-+ my($saved_delim) = $/;
-+ undef $/;
-+ my($data) = <INPUTFILE>;
-+ close(INPUTFILE);
-+ $/ = $saved_delim;
-+ return $data;
-+}
-+
-+sub print_header($)
-+{
-+ my ($file) = @_;
-+ $file->("/* This file was automatically generated by mks3param_ctx.pl. DO NOT EDIT */\n\n");
-+ $file->("static const struct loadparm_s3_helpers s3_fns = \n");
-+ $file->("{\n");
-+ $file->("\t.get_parametric = lp_parm_const_string_service,\n");
-+ $file->("\t.get_parm_struct = lp_get_parameter,\n");
-+ $file->("\t.get_parm_ptr = lp_parm_ptr,\n");
-+ $file->("\t.get_service = lp_service_for_s4_ctx,\n");
-+ $file->("\t.get_servicebynum = lp_servicebynum_for_s4_ctx,\n");
-+ $file->("\t.get_default_loadparm_service = lp_default_loadparm_service,\n");
-+ $file->("\t.get_numservices = lp_numservices,\n");
-+ $file->("\t.load = lp_load_for_s4_ctx,\n");
-+ $file->("\t.set_cmdline = lp_set_cmdline,\n");
-+ $file->("\t.dump = lp_dump,\n");
-+}
-+
-+sub print_footer($)
-+{
-+ my ($file) = @_;
-+ $file->("};");
-+}
-+
-+sub handle_loadparm($$)
-+{
-+ my ($file,$line) = @_;
-+
-+ # STRING isn't handled here, as we still don't know what to do with the substituted vars */
-+ # LOCAL also isn't handled here
-+ if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
-+ my $scope = $1;
-+ my $type = $2;
-+ my $name = $3;
-+
-+ $file->(".$name = lp_$name,\n");
-+ }
-+}
-+
-+sub process_file($$)
-+{
-+ my ($file, $filename) = @_;
-+
-+ $filename =~ s/\.o$/\.c/g;
-+
-+ if ($filename =~ /^\//) {
-+ open(FH, "<$filename") or die("Failed to open $filename");
-+ } elsif (!open(FH, "< $builddir/$filename")) {
-+ open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
-+ }
-+
-+ my $comment = undef;
-+ my $incomment = 0;
-+ while (my $line = <FH>) {
-+ if ($line =~ /^FN_/) {
-+ handle_loadparm($file, $line);
-+ }
-+ next;
-+ }
-+
-+ close(FH);
-+}
-+
-+
-+print_header(\&public);
-+
-+process_file(\&public, $_) foreach (@ARGV);
-+print_footer(\&public);
-+
-+if (not defined($file)) {
-+ print STDOUT $$public_data;
-+}
-+
-+mkpath(dirname($file), 0, 0755);
-+open(PUBLIC, ">$file") or die("Can't open `$file': $!");
-+print PUBLIC "$$public_data";
-+close(PUBLIC);
-diff --git a/source3/param/loadparm_ctx.c b/source3/param/loadparm_ctx.c
-index 63ead53..5cbc920 100644
---- a/source3/param/loadparm_ctx.c
-+++ b/source3/param/loadparm_ctx.c
-@@ -56,69 +56,7 @@ static bool lp_load_for_s4_ctx(const char *filename)
- return status;
- }
-
--/* These are in the order that they appear in the s4 loadparm file.
-- * All of the s4 loadparm functions should be here eventually, once
-- * they are implemented in the s3 loadparm, have the same format (enum
-- * values in particular) and defaults. */
--static const struct loadparm_s3_helpers s3_fns =
--{
-- .get_parametric = lp_parm_const_string_service,
-- .get_parm_struct = lp_get_parameter,
-- .get_parm_ptr = lp_parm_ptr,
-- .get_service = lp_service_for_s4_ctx,
-- .get_servicebynum = lp_servicebynum_for_s4_ctx,
-- .get_default_loadparm_service = lp_default_loadparm_service,
-- .get_numservices = lp_numservices,
-- .load = lp_load_for_s4_ctx,
-- .set_cmdline = lp_set_cmdline,
-- .dump = lp_dump,
--
-- ._server_role = lp__server_role,
-- ._security = lp__security,
-- ._domain_master = lp__domain_master,
-- ._domain_logons = lp__domain_logons,
--
-- .winbind_separator = lp_winbind_separator,
-- .template_homedir = lp_template_homedir,
-- .template_shell = lp_template_shell,
--
-- .dos_charset = lp_dos_charset,
-- .unix_charset = lp_unix_charset,
--
-- .realm = lp_realm,
-- .dnsdomain = lp_dnsdomain,
-- .socket_options = lp_socket_options,
-- .workgroup = lp_workgroup,
--
-- .netbios_name = lp_netbios_name,
-- .netbios_scope = lp_netbios_scope,
-- .netbios_aliases = lp_netbios_aliases,
--
-- .lanman_auth = lp_lanman_auth,
-- .ntlm_auth = lp_ntlm_auth,
--
-- .client_plaintext_auth = lp_client_plaintext_auth,
-- .client_lanman_auth = lp_client_lanman_auth,
-- .client_ntlmv2_auth = lp_client_ntlmv2_auth,
-- .client_use_spnego_principal = lp_client_use_spnego_principal,
--
-- .private_dir = lp_private_dir,
-- .ncalrpc_dir = lp_ncalrpc_dir,
-- .lockdir = lp_lockdir,
--
-- .passdb_backend = lp_passdb_backend,
--
-- .host_msdfs = lp_host_msdfs,
-- .unix_extensions = lp_unix_extensions,
-- .use_spnego = lp_use_spnego,
-- .use_mmap = lp_use_mmap,
-- .use_ntdb = lp_use_ntdb,
--
-- .srv_minprotocol = lp_srv_minprotocol,
-- .srv_maxprotocol = lp_srv_maxprotocol,
--
-- .passwordserver = lp_passwordserver
--};
-+#include "loadparm_ctx_table.c"
-
- const struct loadparm_s3_helpers *loadparm_s3_helpers(void)
- {
-diff --git a/source3/param/wscript_build b/source3/param/wscript_build
-index 643c27e..673cb4d 100644
---- a/source3/param/wscript_build
-+++ b/source3/param/wscript_build
-@@ -18,6 +18,11 @@ bld.SAMBA_GENERATOR('s3_param_proto_h',
- target='param_proto.h',
- rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
-
-+bld.SAMBA_GENERATOR('s3_loadparm_ctx_table_c',
-+ source= ' ../../script/mks3param_ctx_table.pl ../../lib/param/loadparm.c ../../lib/param/param_functions.c',
-+ target='loadparm_ctx_table.c',
-+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
-+
- bld.SAMBA3_PYTHON('pys3param',
- source='pyparam.c',
- deps='param',
---
-1.9.3
-
-
-From 0046f49e1c690cf5b119859650f06559697fd103 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Mon, 14 Oct 2013 15:49:25 +1300
-Subject: [PATCH 120/249] proto: Remove manually written lp_ prototypes
-
-This also ensures we remove prototypes from parameters we remove or
-rename, and easily see how many special cases we have left.
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/include/proto.h | 361 +-----------------------------------------------
- 1 file changed, 1 insertion(+), 360 deletions(-)
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 614baa4..5e068d2 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -995,379 +995,20 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
-
- #include "source3/param/param_proto.h"
-
--const char **lp_smb_ports(void);
--const char *lp_dos_charset(void);
--const char *lp_unix_charset(void);
--char *lp_logfile(TALLOC_CTX *ctx);
--char *lp_configfile(TALLOC_CTX *ctx);
--const char *lp_smb_passwd_file(void);
--const char *lp_private_dir(void);
--char *lp_serverstring(TALLOC_CTX *ctx);
--int lp_printcap_cache_time(void);
--char *lp_addport_cmd(TALLOC_CTX *ctx);
--char *lp_enumports_cmd(TALLOC_CTX *ctx);
--char *lp_addprinter_cmd(TALLOC_CTX *ctx);
--char *lp_deleteprinter_cmd(TALLOC_CTX *ctx);
--char *lp_os2_driver_map(TALLOC_CTX *ctx);
--const char *lp_lockdir(void);
- const char *lp_statedir(void);
- const char *lp_cachedir(void);
--const char *lp_piddir(void);
--char *lp_mangling_method(TALLOC_CTX *ctx);
--int lp_mangle_prefix(void);
--const char *lp_utmpdir(void);
--const char *lp_wtmpdir(void);
--bool lp_utmp(void);
--char *lp_rootdir(TALLOC_CTX *ctx);
--char *lp_defaultservice(TALLOC_CTX *ctx);
--char *lp_msg_command(TALLOC_CTX *ctx);
--char *lp_get_quota_command(TALLOC_CTX *ctx);
--char *lp_set_quota_command(TALLOC_CTX *ctx);
--char *lp_auto_services(TALLOC_CTX *ctx);
--char *lp_passwd_program(TALLOC_CTX *ctx);
--char *lp_passwd_chat(TALLOC_CTX *ctx);
--const char *lp_passwordserver(void);
--const char **lp_name_resolve_order(void);
--const char *lp_netbios_scope(void);
--const char *lp_netbios_name(void);
--const char *lp_workgroup(void);
--const char *lp_realm(void);
--const char *lp_dnsdomain(void);
--const char *lp_afs_username_map(void);
--int lp_afs_token_lifetime(void);
--char *lp_log_nt_token_command(TALLOC_CTX *ctx);
--char *lp_username_map(TALLOC_CTX *ctx);
--const char *lp_logon_script(void);
--const char *lp_logon_path(void);
--const char *lp_logon_drive(void);
--const char *lp_logon_home(void);
--char *lp_remote_announce(TALLOC_CTX *ctx);
--char *lp_remote_browse_sync(TALLOC_CTX *ctx);
--bool lp_nmbd_bind_explicit_broadcast(void);
--const char **lp_wins_server_list(void);
--const char **lp_interfaces(void);
--const char *lp_nbt_client_socket_address(void);
--char *lp_nis_home_map_name(TALLOC_CTX *ctx);
--const char **lp_netbios_aliases(void);
--const char *lp_passdb_backend(void);
--const char **lp_preload_modules(void);
--char *lp_panic_action(TALLOC_CTX *ctx);
--char *lp_adduser_script(TALLOC_CTX *ctx);
--char *lp_renameuser_script(TALLOC_CTX *ctx);
--char *lp_deluser_script(TALLOC_CTX *ctx);
--const char *lp_guestaccount(void);
--char *lp_addgroup_script(TALLOC_CTX *ctx);
--char *lp_delgroup_script(TALLOC_CTX *ctx);
--char *lp_addusertogroup_script(TALLOC_CTX *ctx);
--char *lp_deluserfromgroup_script(TALLOC_CTX *ctx);
--char *lp_setprimarygroup_script(TALLOC_CTX *ctx);
--char *lp_addmachine_script(TALLOC_CTX *ctx);
--char *lp_shutdown_script(TALLOC_CTX *ctx);
--char *lp_abort_shutdown_script(TALLOC_CTX *ctx);
--char *lp_username_map_script(TALLOC_CTX *ctx);
--int lp_username_map_cache_time(void);
--char *lp_check_password_script(TALLOC_CTX *ctx);
--char *lp_wins_hook(TALLOC_CTX *ctx);
--const char *lp_template_homedir(void);
--const char *lp_template_shell(void);
--const char *lp_winbind_separator(void);
--const char *lp_winbindd_socket_directory(void);
--bool lp_winbind_enum_users(void);
--bool lp_winbind_enum_groups(void);
--bool lp_winbind_use_default_domain(void);
--bool lp_winbind_trusted_domains_only(void);
--bool lp_winbind_nested_groups(void);
--int lp_winbind_expand_groups(void);
--bool lp_winbind_refresh_tickets(void);
--bool lp_winbind_offline_logon(void);
--bool lp_winbind_normalize_names(void);
--bool lp_winbind_rpc_only(void);
--bool lp_create_krb5_conf(void);
- int lp_winbind_max_domain_connections(void);
--int lp_idmap_cache_time(void);
--int lp_idmap_negative_cache_time(void);
- bool lp_idmap_range(const char *domain_name, uint32_t *low, uint32_t *high);
- bool lp_idmap_default_range(uint32_t *low, uint32_t *high);
- const char *lp_idmap_backend(const char *domain_name);
- const char *lp_idmap_default_backend (void);
--int lp_keepalive(void);
--bool lp_passdb_expand_explicit(void);
--char *lp_ldap_suffix(TALLOC_CTX *ctx);
--char *lp_ldap_admin_dn(TALLOC_CTX *ctx);
--int lp_ldap_ssl(void);
--bool lp_ldap_ssl_ads(void);
--int lp_ldap_deref(void);
--int lp_ldap_follow_referral(void);
--int lp_ldap_passwd_sync(void);
--bool lp_ldap_delete_dn(void);
--int lp_ldap_replication_sleep(void);
--int lp_ldap_timeout(void);
--int lp_ldap_connection_timeout(void);
--int lp_ldap_page_size(void);
--int lp_ldap_debug_level(void);
--int lp_ldap_debug_threshold(void);
--char *lp_add_share_cmd(TALLOC_CTX *ctx);
--char *lp_change_share_cmd(TALLOC_CTX *ctx);
--char *lp_delete_share_cmd(TALLOC_CTX *ctx);
--char *lp_usershare_path(TALLOC_CTX *ctx);
--const char **lp_usershare_prefix_allow_list(void);
--const char **lp_usershare_prefix_deny_list(void);
--const char **lp_eventlog_list(void);
--bool lp_registry_shares(void);
--bool lp_usershare_allow_guests(void);
--bool lp_usershare_owner_only(void);
--bool lp_disable_netbios(void);
--bool lp_reset_on_zero_vc(void);
--bool lp_log_writeable_files_on_exit(void);
--bool lp_ms_add_printer_wizard(void);
--bool lp_wins_dns_proxy(void);
--bool lp_we_are_a_wins_server(void);
--bool lp_wins_proxy(void);
--bool lp_local_master(void);
--const char **lp_init_logon_delayed_hosts(void);
--int lp_init_logon_delay(void);
--bool lp_load_printers(void);
- bool lp_readraw(void);
--bool lp_large_readwrite(void);
- bool lp_writeraw(void);
--bool lp_null_passwords(void);
--bool lp_obey_pam_restrictions(void);
--bool lp_encrypted_passwords(void);
--int lp_client_schannel(void);
--int lp_server_schannel(void);
--bool lp_syslog_only(void);
--bool lp_timestamp_logs(void);
--bool lp_debug_prefix_timestamp(void);
--bool lp_debug_hires_timestamp(void);
--bool lp_debug_pid(void);
--bool lp_debug_uid(void);
--bool lp_debug_class(void);
--bool lp_enable_core_files(void);
--bool lp_browse_list(void);
--bool lp_nis_home_map(void);
--bool lp_bind_interfaces_only(void);
--bool lp_pam_password_change(void);
--bool lp_unix_password_sync(void);
--bool lp_passwd_chat_debug(void);
--int lp_passwd_chat_timeout(void);
--bool lp_nt_pipe_support(void);
--bool lp_nt_status_support(void);
--bool lp_stat_cache(void);
--int lp_max_stat_cache_size(void);
--bool lp_allow_trusted_domains(void);
--bool lp_map_untrusted_to_domain(void);
--int lp_restrict_anonymous(void);
--bool lp_lanman_auth(void);
--bool lp_ntlm_auth(void);
--bool lp_client_plaintext_auth(void);
--bool lp_client_lanman_auth(void);
--bool lp_client_ntlmv2_auth(void);
--bool lp_host_msdfs(void);
--bool lp_enhanced_browsing(void);
--bool lp_use_mmap(void);
--bool lp_use_ntdb(void);
--bool lp_unix_extensions(void);
--bool lp_unicode(void);
--bool lp_use_spnego(void);
--bool lp_client_use_spnego(void);
--bool lp_client_use_spnego_principal(void);
--bool lp_hostname_lookups(void);
--bool lp_change_notify(const struct share_params *p );
--bool lp_kernel_change_notify(const struct share_params *p );
--const char * lp_dedicated_keytab_file(void);
--int lp_kerberos_method(void);
--bool lp_defer_sharing_violations(void);
--bool lp_enable_privileges(void);
--bool lp_enable_asu_support(void);
--int lp_os_level(void);
--int lp_max_ttl(void);
--int lp_max_wins_ttl(void);
--int lp_min_wins_ttl(void);
--int lp_max_log_size(void);
--int lp_max_open_files(void);
--int lp_open_files_db_hash_size(void);
--int lp_max_xmit(void);
--int lp_maxmux(void);
--int lp_passwordlevel(void);
--int lp_usernamelevel(void);
--int lp_deadtime(void);
--bool lp_getwd_cache(void);
--int lp_srv_maxprotocol(void);
--int lp_srv_minprotocol(void);
--int lp_cli_maxprotocol(void);
--int lp_cli_minprotocol(void);
- int lp_security(void);
--int lp__server_role(void);
--int lp__security(void);
--int lp__domain_master(void);
--bool lp__domain_logons(void);
--const char **lp_auth_methods(void);
--bool lp_paranoid_server_security(void);
--int lp_maxdisksize(void);
--int lp_lpqcachetime(void);
--int lp_max_smbd_processes(void);
--bool lp__disable_spoolss(void);
--int lp_syslog(void);
--int lp_lm_announce(void);
--int lp_lm_interval(void);
--int lp_machine_password_timeout(void);
--int lp_map_to_guest(void);
--int lp_oplock_break_wait_time(void);
--int lp_lock_spin_time(void);
--int lp_usershare_max_shares(void);
--const char *lp_socket_options(void);
--int lp_config_backend(void);
--int lp_smb2_max_read(void);
--int lp_smb2_max_write(void);
--int lp_smb2_max_trans(void);
- int lp_smb2_max_credits(void);
--char *lp_preexec(TALLOC_CTX *ctx, int );
--char *lp_postexec(TALLOC_CTX *ctx, int );
--char *lp_rootpreexec(TALLOC_CTX *ctx, int );
--char *lp_rootpostexec(TALLOC_CTX *ctx, int );
--char *lp_servicename(TALLOC_CTX *ctx, int );
--const char *lp_const_servicename(int );
--char *lp_pathname(TALLOC_CTX *ctx, int );
--char *lp_dontdescend(TALLOC_CTX *ctx, int );
--char *lp_username(TALLOC_CTX *ctx, int );
--const char **lp_invalid_users(int );
--const char **lp_valid_users(int );
--const char **lp_admin_users(int );
--const char **lp_svcctl_list(void);
--char *lp_cups_options(TALLOC_CTX *ctx, int );
--char *lp_cups_server(TALLOC_CTX *ctx);
- int lp_cups_encrypt(void);
--char *lp_iprint_server(TALLOC_CTX *ctx);
--int lp_cups_connection_timeout(void);
--const char *lp_ctdbd_socket(void);
--const char *_lp_ctdbd_socket(void);
--const char **lp_cluster_addresses(void);
--bool lp_clustering(void);
--int lp_ctdb_timeout(void);
--int lp_ctdb_locktime_warn_threshold(void);
--char *lp_printcommand(TALLOC_CTX *ctx, int );
--char *lp_lpqcommand(TALLOC_CTX *ctx, int );
--char *lp_lprmcommand(TALLOC_CTX *ctx, int );
--char *lp_lppausecommand(TALLOC_CTX *ctx, int );
--char *lp_lpresumecommand(TALLOC_CTX *ctx, int );
--char *lp_queuepausecommand(TALLOC_CTX *ctx, int );
--char *lp_queueresumecommand(TALLOC_CTX *ctx, int );
--const char *lp_printjob_username(int );
--const char **lp_hostsallow(int );
--const char **lp_hostsdeny(int );
--char *lp_magicscript(TALLOC_CTX *ctx, int );
--char *lp_magicoutput(TALLOC_CTX *ctx, int );
--char *lp_comment(TALLOC_CTX *ctx, int );
--char *lp_force_user(TALLOC_CTX *ctx, int );
--char *lp_force_group(TALLOC_CTX *ctx, int );
--const char **lp_readlist(int );
--const char **lp_writelist(int );
--char *lp_fstype(TALLOC_CTX *ctx, int );
--const char **lp_vfs_objects(int );
--char *lp_msdfs_proxy(TALLOC_CTX *ctx, int );
--char *lp_veto_files(TALLOC_CTX *ctx, int );
--char *lp_hide_files(TALLOC_CTX *ctx, int );
--char *lp_veto_oplocks(TALLOC_CTX *ctx, int );
--bool lp_msdfs_root(int );
--char *lp_aio_write_behind(TALLOC_CTX *ctx, int );
--char *lp_dfree_command(TALLOC_CTX *ctx, int );
--bool lp_autoloaded(int );
--bool lp_preexec_close(int );
--bool lp_rootpreexec_close(int );
--int lp_casesensitive(int );
--bool lp_preservecase(int );
--bool lp_shortpreservecase(int );
--bool lp_hide_dot_files(int );
--bool lp_hide_special_files(int );
--bool lp_hideunreadable(int );
--bool lp_hideunwriteable_files(int );
--bool lp_browseable(int );
--bool lp_access_based_share_enum(int );
--bool lp_readonly(int );
--bool lp_guest_ok(int );
--bool lp_guest_only(int );
--bool lp_administrative_share(int );
--bool lp_print_ok(int );
--bool lp_print_notify_backchannel(int );
--bool lp_map_hidden(int );
--bool lp_map_archive(int );
--bool lp_store_dos_attributes(int );
--bool lp_dmapi_support(int );
--bool lp_locking(const struct share_params *p );
--int lp_strict_locking(const struct share_params *p );
--bool lp_posix_locking(const struct share_params *p );
--bool lp_oplocks(int );
--bool lp_kernel_oplocks(int );
--bool lp_level2_oplocks(int );
--bool lp_kernel_share_modes(int);
--bool lp_onlyuser(int );
--bool lp_manglednames(const struct share_params *p );
--bool lp_allow_insecure_widelinks(void);
- bool lp_widelinks(int );
--bool lp_symlinks(int );
--bool lp_syncalways(int );
--bool lp_strict_allocate(int );
--bool lp_strict_sync(int );
--bool lp_map_system(int );
--bool lp_delete_readonly(int );
--bool lp_fake_oplocks(int );
--bool lp_recursive_veto_delete(int );
--bool lp_dos_filemode(int );
--bool lp_dos_filetimes(int );
--bool lp_dos_filetime_resolution(int );
--bool lp_fake_dir_create_times(int);
--bool lp_async_smb_echo_handler(void);
--bool lp_multicast_dns_register(void);
--bool lp_blocking_locks(int );
--bool lp_inherit_perms(int );
--bool lp_inherit_acls(int );
--bool lp_inherit_owner(int );
--bool lp_use_client_driver(int );
--bool lp_default_devmode(int );
--bool lp_force_printername(int );
--bool lp_nt_acl_support(int );
--bool lp_force_unknown_acl_user(int );
--bool lp_ea_support(int );
--bool lp__use_sendfile(int );
--bool lp_profile_acls(int );
--bool lp_map_acl_inherit(int );
--bool lp_afs_share(int );
--bool lp_acl_check_permissions(int );
--bool lp_acl_group_control(int );
--bool lp_acl_map_full_control(int );
--bool lp_acl_allow_execute_always(int);
--bool lp_durable_handles(int);
--int lp_create_mask(int );
--int lp_force_create_mode(int );
--int lp_dir_mask(int );
--int lp_force_dir_mode(int );
--int lp_max_connections(int );
--int lp_defaultcase(int );
--int lp_minprintspace(int );
--int lp_printing(int );
--int lp_max_reported_jobs(int );
--int lp_oplock_contention_limit(int );
--int lp_csc_policy(int );
--int lp_write_cache_size(int );
--int lp_block_size(int );
--int lp_dfree_cache_time(int );
--int lp_allocation_roundup_size(int );
--int lp_aio_read_size(int );
--int lp_aio_write_size(int );
--int lp_map_readonly(int );
--int lp_directory_name_cache_size(int );
--int lp_smb_encrypt(int );
--char lp_magicchar(const struct share_params *p );
--int lp_winbind_cache_time(void);
--int lp_winbind_reconnect_delay(void);
--int lp_winbind_request_timeout(void);
--int lp_winbind_max_clients(void);
--const char **lp_winbind_nss_info(void);
--int lp_algorithmic_rid_base(void);
--int lp_name_cache_timeout(void);
--int lp_client_signing(void);
--int lp_server_signing(void);
--int lp_client_ldap_sasl_wrapping(void);
-+
- char *lp_parm_talloc_string(TALLOC_CTX *ctx, int snum, const char *type, const char *option, const char *def);
- const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def);
- struct loadparm_service;
---
-1.9.3
-
-
-From 5d2278756b5a7372106cbdf9b8d66fb8a0cf5033 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Wed, 16 Oct 2013 14:45:31 +1300
-Subject: [PATCH 121/249] lib/param: Add documentation on how loadparm works
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
----
- lib/param/README | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 69 insertions(+)
-
-diff --git a/lib/param/README b/lib/param/README
-index 403a217..b567d71 100644
---- a/lib/param/README
-+++ b/lib/param/README
-@@ -1,4 +1,73 @@
-+libsamba-hostconfig
-+-------------------
-+
- This directory contains "libsamba-hostconfig".
-
- The libsamba-hostconfig library provides access to all host-wide configuration
- such as the configured shares, default parameter values and host secret keys.
-+
-+
-+Adding a parameter
-+------------------
-+
-+To add or change an smb.conf option, you only have to modify
-+lib/param/param_table.c and lib/param/param_functions.c. The rest is
-+generated for you.
-+
-+
-+Using smb.conf parameters in the code
-+-------------------------------------
-+
-+Call the lpcfg_*() function. To get the lp_ctx, have the caller pass
-+it to you. To get a lp_ctx for the source3/param loadparm system, use:
-+
-+struct loadparm_context *lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers());
-+
-+Remember to talloc_unlink(tmp_ctx, lp_ctx) the result when you are done!
-+
-+To get a lp_ctx for the lib/param loadparm system, typically the
-+pointer is already set up by popt at startup, and is passed down from
-+cmdline_lp_ctx.
-+
-+In pure source3/ code, you may use lp_*() functions, but are
-+encouraged to use the lpcfg_*() functions so that code can be made
-+common.
-+
-+
-+How does loadparm_init_s3() work?
-+---------------------------------
-+
-+loadparm_s3_helpers() returns a initialised table of function
-+pointers, pointing at all global lp_*() functions, except for those
-+that return substituted strings (% macros). The lpcfg_*() function
-+then calls this plugged in function, allowing the one function and
-+pattern to use either loadparm system.
-+
-+
-+There is a lot of generated code, here, what generates what?
-+------------------------------------------------------------
-+
-+The regular format of the CPP macros in param_functions.c is used to
-+generate up the prototypes (mkproto.pl, mks3param_proto.pl), the service
-+and globals table (mkparamdefs.pl), the glue table (mmks3param.pl) and
-+the initilisation of the glue table (mks3param_ctx_table.pl).
-+
-+I have tried combining some of these, but it just makes the scripts more
-+complex.
-+
-+The CPP macros are defined in and expand in lib/param/loadparm.c and
-+source3/param/loadparm.c to read the values from the generated
-+stuctures. They are CPP #included into these files so that the same
-+macro has two definitions, depending on the system it is loading into.
-+
-+
-+Why was this done, rather than a 'proper' fix, or just using one system or the other?
-+-------------------------------------------------------------------------------------
-+
-+This was done to allow merging from both ends - merging more parts of
-+the loadparm handling, and merging code that needs to read the
-+smb.conf, without having to do it all at once. Ideally
-+param_functions.c would be generated from param_table.c or (even
-+better) our XML manpage source, and the CPP macros would instead be
-+generated expanded as generated C files, but this is a task nobody has
-+taken on yet.
---
-1.9.3
-
-
-From 7734a867500f5b7415f818077229f74486101c51 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 12 Aug 2013 08:19:08 +0200
-Subject: [PATCH 122/249] librpc/rpc: add dcerpc_binding_handle_auth_info()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- librpc/rpc/binding_handle.c | 25 +++++++++++++++++++++++++
- librpc/rpc/rpc_common.h | 8 ++++++++
- 2 files changed, 33 insertions(+)
-
-diff --git a/librpc/rpc/binding_handle.c b/librpc/rpc/binding_handle.c
-index 9354bbd..714baa7 100644
---- a/librpc/rpc/binding_handle.c
-+++ b/librpc/rpc/binding_handle.c
-@@ -98,6 +98,31 @@ uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
- return h->ops->set_timeout(h, timeout);
- }
-
-+void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
-+ enum dcerpc_AuthType *auth_type,
-+ enum dcerpc_AuthLevel *auth_level)
-+{
-+ enum dcerpc_AuthType _auth_type;
-+ enum dcerpc_AuthLevel _auth_level;
-+
-+ if (auth_type == NULL) {
-+ auth_type = &_auth_type;
-+ }
-+
-+ if (auth_level == NULL) {
-+ auth_level = &_auth_level;
-+ }
-+
-+ *auth_type = DCERPC_AUTH_TYPE_NONE;
-+ *auth_level = DCERPC_AUTH_LEVEL_NONE;
-+
-+ if (h->ops->auth_info == NULL) {
-+ return;
-+ }
-+
-+ h->ops->auth_info(h, auth_type, auth_level);
-+}
-+
- struct dcerpc_binding_handle_raw_call_state {
- const struct dcerpc_binding_handle_ops *ops;
- uint8_t *out_data;
-diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
-index d2816f5..978229e 100644
---- a/librpc/rpc/rpc_common.h
-+++ b/librpc/rpc/rpc_common.h
-@@ -189,6 +189,10 @@ struct dcerpc_binding_handle_ops {
- uint32_t (*set_timeout)(struct dcerpc_binding_handle *h,
- uint32_t timeout);
-
-+ void (*auth_info)(struct dcerpc_binding_handle *h,
-+ enum dcerpc_AuthType *auth_type,
-+ enum dcerpc_AuthLevel *auth_level);
-+
- struct tevent_req *(*raw_call_send)(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct dcerpc_binding_handle *h,
-@@ -259,6 +263,10 @@ bool dcerpc_binding_handle_is_connected(struct dcerpc_binding_handle *h);
- uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
- uint32_t timeout);
-
-+void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
-+ enum dcerpc_AuthType *auth_type,
-+ enum dcerpc_AuthLevel *auth_level);
-+
- struct tevent_req *dcerpc_binding_handle_raw_call_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct dcerpc_binding_handle *h,
---
-1.9.3
-
-
-From 04a9531474630c62c3f717e251d9f1469013f5ae Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 12 Aug 2013 08:19:35 +0200
-Subject: [PATCH 123/249] s3:rpc_client: implement
- dcerpc_binding_handle_auth_info()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_client/cli_pipe.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 64e7f1c..a343997 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1867,6 +1867,25 @@ static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
- return rpccli_set_timeout(hs->rpc_cli, timeout);
- }
-
-+static void rpccli_bh_auth_info(struct dcerpc_binding_handle *h,
-+ enum dcerpc_AuthType *auth_type,
-+ enum dcerpc_AuthLevel *auth_level)
-+{
-+ struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
-+ struct rpccli_bh_state);
-+
-+ if (hs->rpc_cli == NULL) {
-+ return;
-+ }
-+
-+ if (hs->rpc_cli->auth == NULL) {
-+ return;
-+ }
-+
-+ *auth_type = hs->rpc_cli->auth->auth_type;
-+ *auth_level = hs->rpc_cli->auth->auth_level;
-+}
-+
- struct rpccli_bh_raw_call_state {
- DATA_BLOB in_data;
- DATA_BLOB out_data;
-@@ -2046,6 +2065,7 @@ static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
- .name = "rpccli",
- .is_connected = rpccli_bh_is_connected,
- .set_timeout = rpccli_bh_set_timeout,
-+ .auth_info = rpccli_bh_auth_info,
- .raw_call_send = rpccli_bh_raw_call_send,
- .raw_call_recv = rpccli_bh_raw_call_recv,
- .disconnect_send = rpccli_bh_disconnect_send,
---
-1.9.3
-
-
-From 1db891bac30bb6c3bb0a022c5d1529a9f001237d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 12 Aug 2013 08:19:57 +0200
-Subject: [PATCH 124/249] s4:librpc: implement
- dcerpc_binding_handle_auth_info()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source4/librpc/rpc/dcerpc.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
-index 2826160..56b821e 100644
---- a/source4/librpc/rpc/dcerpc.c
-+++ b/source4/librpc/rpc/dcerpc.c
-@@ -200,6 +200,29 @@ static uint32_t dcerpc_bh_set_timeout(struct dcerpc_binding_handle *h,
- return old;
- }
-
-+static void dcerpc_bh_auth_info(struct dcerpc_binding_handle *h,
-+ enum dcerpc_AuthType *auth_type,
-+ enum dcerpc_AuthLevel *auth_level)
-+{
-+ struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
-+ struct dcerpc_bh_state);
-+
-+ if (hs->p == NULL) {
-+ return;
-+ }
-+
-+ if (hs->p->conn == NULL) {
-+ return;
-+ }
-+
-+ if (hs->p->conn->security_state.auth_info == NULL) {
-+ return;
-+ }
-+
-+ *auth_type = hs->p->conn->security_state.auth_info->auth_type;
-+ *auth_level = hs->p->conn->security_state.auth_info->auth_level;
-+}
-+
- struct dcerpc_bh_raw_call_state {
- struct tevent_context *ev;
- struct dcerpc_binding_handle *h;
-@@ -552,6 +575,7 @@ static const struct dcerpc_binding_handle_ops dcerpc_bh_ops = {
- .name = "dcerpc",
- .is_connected = dcerpc_bh_is_connected,
- .set_timeout = dcerpc_bh_set_timeout,
-+ .auth_info = dcerpc_bh_auth_info,
- .raw_call_send = dcerpc_bh_raw_call_send,
- .raw_call_recv = dcerpc_bh_raw_call_recv,
- .disconnect_send = dcerpc_bh_disconnect_send,
---
-1.9.3
-
-
-From 76304ed57d561eb89dceb3881236a78209dd592c Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 17 Sep 2013 04:25:39 +0200
-Subject: [PATCH 125/249] s3:winbindd: don't hide the error in cm_connect_lsa()
-
-We should not overwrite the error with NT_STATUS_PIPE_NOT_AVAILABLE.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/winbindd/winbindd_cm.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index d868826..c4f59d3 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -2677,7 +2677,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- &ndr_table_lsarpc,
- &conn->lsa_pipe);
- if (!NT_STATUS_IS_OK(result)) {
-- result = NT_STATUS_PIPE_NOT_AVAILABLE;
- goto done;
- }
-
---
-1.9.3
-
-
-From 9948366e88b1d11127317008c79a2f7182a34d65 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 2 Sep 2013 09:24:42 +0200
-Subject: [PATCH 126/249] s3:include: add forward declaration for struct
- messaging_context; in g_lock.h
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/include/g_lock.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/include/g_lock.h b/source3/include/g_lock.h
-index 004c452..f513349 100644
---- a/source3/include/g_lock.h
-+++ b/source3/include/g_lock.h
-@@ -23,6 +23,7 @@
- #include "dbwrap/dbwrap.h"
-
- struct g_lock_ctx;
-+struct messaging_context;
-
- enum g_lock_type {
- G_LOCK_READ = 0,
---
-1.9.3
-
-
-From 4c30267e3c26cb065b908ff396ca21937fc870c4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 2 Sep 2013 19:29:05 +0200
-Subject: [PATCH 127/249] s3:include: fix messaging_send_buf() protype in
- messages.h
-
-The function already used 'uint8_t' instead of 'uint8'.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/include/messages.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/include/messages.h b/source3/include/messages.h
-index 09c39cc..50b2a84 100644
---- a/source3/include/messages.h
-+++ b/source3/include/messages.h
-@@ -139,7 +139,7 @@ NTSTATUS messaging_send(struct messaging_context *msg_ctx,
-
- NTSTATUS messaging_send_buf(struct messaging_context *msg_ctx,
- struct server_id server, uint32_t msg_type,
-- const uint8 *buf, size_t len);
-+ const uint8_t *buf, size_t len);
- void messaging_dispatch_rec(struct messaging_context *msg_ctx,
- struct messaging_rec *rec);
-
---
-1.9.3
-
-
-From ff45e4d1ca6cff9b2f329d18e98ebd4883639ed9 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 27 Aug 2013 12:09:51 +0200
-Subject: [PATCH 128/249] s3:auth_domain: remove dead code in
- check_trustdomain_security()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/auth/auth_domain.c | 22 ----------------------
- 1 file changed, 22 deletions(-)
-
-diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
-index 06078e2..9f88c4a 100644
---- a/source3/auth/auth_domain.c
-+++ b/source3/auth/auth_domain.c
-@@ -378,8 +378,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
- struct auth_serversupplied_info **server_info)
- {
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
-- unsigned char trust_md4_password[16];
-- char *trust_password;
- fstring dc_name;
- struct sockaddr_storage dc_ss;
-
-@@ -408,26 +406,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
- if ( !is_trusted_domain( user_info->mapped.domain_name ) )
- return NT_STATUS_NOT_IMPLEMENTED;
-
-- /*
-- * Get the trusted account password for the trusted domain
-- * No need to become_root() as secrets_init() is done at startup.
-- */
--
-- if (!pdb_get_trusteddom_pw(user_info->mapped.domain_name, &trust_password,
-- NULL, NULL)) {
-- DEBUG(0, ("check_trustdomain_security: could not fetch trust "
-- "account password for domain %s\n",
-- user_info->mapped.domain_name));
-- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-- }
--
--#ifdef DEBUG_PASSWORD
-- DEBUG(100, ("Trust password for domain %s is %s\n", user_info->mapped.domain_name,
-- trust_password));
--#endif
-- E_md4hash(trust_password, trust_md4_password);
-- SAFE_FREE(trust_password);
--
- /* use get_dc_name() for consistency even through we know that it will be
- a netbios name */
-
---
-1.9.3
-
-
-From d9160b0834f74508b711eeec0354aa43d5a1b215 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 2 Sep 2013 20:18:39 +0200
-Subject: [PATCH 129/249] s3:libsmb: remove unused
- change_trust_account_password()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/include/proto.h | 1 -
- source3/libsmb/trusts_util.c | 72 --------------------------------------------
- 2 files changed, 73 deletions(-)
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 5e068d2..a40d3c1 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -989,7 +989,6 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
- NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
- const char *domain) ;
--NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine);
-
- /* The following definitions come from param/loadparm.c */
-
-diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
-index 6156ba0..8a0e53d 100644
---- a/source3/libsmb/trusts_util.c
-+++ b/source3/libsmb/trusts_util.c
-@@ -135,75 +135,3 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
- sec_channel_type);
- }
-
--NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine)
--{
-- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
-- struct sockaddr_storage pdc_ss;
-- fstring dc_name;
-- struct cli_state *cli = NULL;
-- struct rpc_pipe_client *netlogon_pipe = NULL;
--
-- DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
-- domain));
--
-- if (remote_machine == NULL || !strcmp(remote_machine, "*")) {
-- /* Use the PDC *only* for this */
--
-- if ( !get_pdc_ip(domain, &pdc_ss) ) {
-- DEBUG(0,("Can't get IP for PDC for domain %s\n", domain));
-- goto failed;
-- }
--
-- if ( !name_status_find( domain, 0x1b, 0x20, &pdc_ss, dc_name) )
-- goto failed;
-- } else {
-- /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
-- fstrcpy( dc_name, remote_machine );
-- }
--
-- /* if this next call fails, then give up. We can't do
-- password changes on BDC's --jerry */
--
-- if (!NT_STATUS_IS_OK(cli_full_connection(&cli, lp_netbios_name(), dc_name,
-- NULL, 0,
-- "IPC$", "IPC",
-- "", "",
-- "", 0, SMB_SIGNING_DEFAULT))) {
-- DEBUG(0,("modify_trust_password: Connection to %s failed!\n", dc_name));
-- nt_status = NT_STATUS_UNSUCCESSFUL;
-- goto failed;
-- }
--
-- /*
-- * Ok - we have an anonymous connection to the IPC$ share.
-- * Now start the NT Domain stuff :-).
-- */
--
-- /* Shouldn't we open this with schannel ? JRA. */
--
-- nt_status = cli_rpc_pipe_open_noauth(
-- cli, &ndr_table_netlogon, &netlogon_pipe);
-- if (!NT_STATUS_IS_OK(nt_status)) {
-- DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
-- dc_name, nt_errstr(nt_status)));
-- cli_shutdown(cli);
-- cli = NULL;
-- goto failed;
-- }
--
-- nt_status = trust_pw_find_change_and_store_it(
-- netlogon_pipe, netlogon_pipe, domain);
--
-- cli_shutdown(cli);
-- cli = NULL;
--
--failed:
-- if (!NT_STATUS_IS_OK(nt_status)) {
-- DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n",
-- current_timestring(talloc_tos(), False), domain));
-- }
-- else
-- DEBUG(5,("change_trust_account_password: sucess!\n"));
--
-- return nt_status;
--}
---
-1.9.3
-
-
-From c6b50a3d8c382f19a8ae16428d557928438be464 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 2 Sep 2013 20:19:28 +0200
-Subject: [PATCH 130/249] s3:libsmb: inline trust_pw_change_and_store_it() into
- trust_pw_find_change_and_store_it()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/include/proto.h | 5 -----
- source3/libsmb/trusts_util.c | 50 +++++++++++++-------------------------------
- 2 files changed, 15 insertions(+), 40 deletions(-)
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index a40d3c1..216a377 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -981,11 +981,6 @@ void update_trustdom_cache( void );
-
- /* The following definitions come from libsmb/trusts_util.c */
-
--NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
-- const char *domain,
-- const char *account_name,
-- unsigned char orig_trust_passwd_hash[16],
-- enum netr_SchannelType sec_channel_type);
- NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
- const char *domain) ;
-diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
-index 8a0e53d..428e0c1 100644
---- a/source3/libsmb/trusts_util.c
-+++ b/source3/libsmb/trusts_util.c
-@@ -29,20 +29,27 @@
-
- /*********************************************************
- Change the domain password on the PDC.
-- Store the password ourselves, but use the supplied password
-- Caller must have already setup the connection to the NETLOGON pipe
-+ Do most of the legwork ourselfs. Caller must have
-+ already setup the connection to the NETLOGON pipe
- **********************************************************/
-
--NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
-- const char *domain,
-- const char *account_name,
-- unsigned char orig_trust_passwd_hash[16],
-- enum netr_SchannelType sec_channel_type)
-+NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
-+ TALLOC_CTX *mem_ctx,
-+ const char *domain)
- {
-+ unsigned char old_trust_passwd_hash[16];
- unsigned char new_trust_passwd_hash[16];
-+ enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
-+ const char *account_name;
- char *new_trust_passwd;
- NTSTATUS nt_status;
-
-+ if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
-+ &sec_channel_type)) {
-+ DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
-+ return NT_STATUS_UNSUCCESSFUL;
-+ }
-+
- switch (sec_channel_type) {
- case SEC_CHAN_WKSTA:
- case SEC_CHAN_DOMAIN:
-@@ -64,7 +71,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
-
- nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
- account_name,
-- orig_trust_passwd_hash,
-+ old_trust_passwd_hash,
- new_trust_passwd,
- new_trust_passwd_hash,
- sec_channel_type);
-@@ -108,30 +115,3 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
-
- return nt_status;
- }
--
--/*********************************************************
-- Change the domain password on the PDC.
-- Do most of the legwork ourselfs. Caller must have
-- already setup the connection to the NETLOGON pipe
--**********************************************************/
--
--NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
-- TALLOC_CTX *mem_ctx,
-- const char *domain)
--{
-- unsigned char old_trust_passwd_hash[16];
-- enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
-- const char *account_name;
--
-- if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
-- &sec_channel_type)) {
-- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
-- return NT_STATUS_UNSUCCESSFUL;
-- }
--
-- return trust_pw_change_and_store_it(cli, mem_ctx, domain,
-- account_name,
-- old_trust_passwd_hash,
-- sec_channel_type);
--}
--
---
-1.9.3
-
-
-From fdac5d6b0ed96f262830a3a923b9d2a42d7fd98d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 20 Sep 2013 04:14:00 +0200
-Subject: [PATCH 131/249] s4:librpc: make dcerpc_schannel_key_send/recv static
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source4/librpc/rpc/dcerpc_schannel.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
-index 130ebeb..cd62508 100644
---- a/source4/librpc/rpc/dcerpc_schannel.c
-+++ b/source4/librpc/rpc/dcerpc_schannel.c
-@@ -306,7 +306,7 @@ static void continue_srv_auth2(struct tevent_req *subreq)
- Initiate establishing a schannel key using netlogon challenge
- on a secondary pipe
- */
--struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
-+static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
- struct dcerpc_pipe *p,
- struct cli_credentials *credentials,
- struct loadparm_context *lp_ctx)
-@@ -369,7 +369,7 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
- /*
- Receive result of schannel key request
- */
--NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
-+static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
- {
- NTSTATUS status = composite_wait(c);
-
---
-1.9.3
-
-
-From de42a3f8b1a69a5abd5fb1a95e1c5f80ee68430e Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 20 Sep 2013 04:16:00 +0200
-Subject: [PATCH 132/249] s4:librpc: let dcerpc_schannel_key_recv() return
- netlogon_creds_CredentialState
-
-cli_credentials_set_netlogon_creds() should only be used directly before
-a DCERPC bind in order to pass the session information to the
-gensec layer.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source4/librpc/rpc/dcerpc_schannel.c | 24 +++++++++++++++---------
- 1 file changed, 15 insertions(+), 9 deletions(-)
-
-diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
-index cd62508..c4bedfa 100644
---- a/source4/librpc/rpc/dcerpc_schannel.c
-+++ b/source4/librpc/rpc/dcerpc_schannel.c
-@@ -296,9 +296,6 @@ static void continue_srv_auth2(struct tevent_req *subreq)
- return;
- }
-
-- /* setup current netlogon credentials */
-- cli_credentials_set_netlogon_creds(s->credentials, s->creds);
--
- composite_done(c);
- }
-
-@@ -369,10 +366,19 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
- /*
- Receive result of schannel key request
- */
--static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
-+static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_CredentialState **creds)
- {
- NTSTATUS status = composite_wait(c);
--
-+
-+ if (NT_STATUS_IS_OK(status)) {
-+ struct schannel_key_state *s =
-+ talloc_get_type_abort(c->private_data,
-+ struct schannel_key_state);
-+ *creds = talloc_move(mem_ctx, &s->creds);
-+ }
-+
- talloc_free(c);
- return status;
- }
-@@ -410,13 +416,15 @@ static void continue_schannel_key(struct composite_context *ctx)
- NTSTATUS status;
-
- /* receive schannel key */
-- status = c->status = dcerpc_schannel_key_recv(ctx);
-+ status = c->status = dcerpc_schannel_key_recv(ctx, s, &s->creds_state);
- if (!composite_is_ok(c)) {
- DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
- return;
- }
-
- /* send bind auth request with received creds */
-+ cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
-+
- auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
- lpcfg_gensec_settings(c, s->lp_ctx),
- DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
-@@ -447,9 +455,6 @@ static void continue_bind_auth(struct composite_context *ctx)
- &ndr_table_netlogon.syntax_id)) {
- ZERO_STRUCT(s->return_auth);
-
-- s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
-- if (composite_nomem(s->creds_state, c)) return;
--
- s->save_creds_state = *s->creds_state;
- netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
-
-@@ -528,6 +533,7 @@ static void continue_get_capabilities(struct tevent_req *subreq)
- }
-
- *s->creds_state = s->save_creds_state;
-+ cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
-
- if (!NT_STATUS_IS_OK(s->c.out.result)) {
- composite_error(c, s->c.out.result);
---
-1.9.3
-
-
-From f6a6e4e91b676461dc8b6dd5abca4120d9bf920a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 20 Sep 2013 04:33:07 +0200
-Subject: [PATCH 133/249] auth:credentials: avoid talloc_reference in
- cli_credentials_set_netlogon_creds()
-
-Typically cli_credentials_set_netlogon_creds() should be used directly
-before the DCERPC bind. And cli_credentials_get_netlogon_creds()
-should be only used by the gensec layer, which only needs a copy.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- auth/credentials/credentials.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index 57a7c0b..9ce38d0 100644
---- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -814,7 +814,11 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
- _PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
- struct netlogon_creds_CredentialState *netlogon_creds)
- {
-- cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
-+ TALLOC_FREE(cred->netlogon_creds);
-+ if (netlogon_creds == NULL) {
-+ return;
-+ }
-+ cred->netlogon_creds = netlogon_creds_copy(cred, netlogon_creds);
- }
-
- /**
---
-1.9.3
-
-
-From 14b9bb276a798ad71776ebcb698afeeb44aa173a Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Sat, 9 Nov 2013 19:14:15 +0100
-Subject: [PATCH 134/249] libsmb: Fix CID 1127343 Dead default in switch
-
-We have checked sec_channel_type a few lines above already
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Ira Cooper <ira@samba.org>
-(cherry picked from commit 1cae867f72b79995a02eed96265fe9f69ce945da)
----
- source3/libsmb/trusts_util.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
-index 428e0c1..52fb481 100644
---- a/source3/libsmb/trusts_util.c
-+++ b/source3/libsmb/trusts_util.c
-@@ -108,8 +108,6 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
- }
- break;
- }
-- default:
-- break;
- }
- }
-
---
-1.9.3
-
-
-From efb32bbe25d534f69aca03e0945220cb5049c366 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 29 Nov 2013 09:46:01 +0100
-Subject: [PATCH 135/249] s3:rpc_server: use make_session_info_guest() directly
-
-This removes the useless static auth_anonymous_session_info() wrapper.
-
-auth_anonymous_session_info() is also a public function in source4.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit ae6720117ae5fb3c922486ce46e2b0d51e020301)
----
- source3/rpc_server/rpc_server.c | 22 ++++++----------------
- 1 file changed, 6 insertions(+), 16 deletions(-)
-
-diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
-index de54ddc..c3a7f28 100644
---- a/source3/rpc_server/rpc_server.c
-+++ b/source3/rpc_server/rpc_server.c
-@@ -37,19 +37,6 @@
- #define SERVER_TCP_LOW_PORT 1024
- #define SERVER_TCP_HIGH_PORT 1300
-
--static NTSTATUS auth_anonymous_session_info(TALLOC_CTX *mem_ctx,
-- struct auth_session_info **session_info)
--{
-- NTSTATUS status;
--
-- status = make_session_info_guest(mem_ctx, session_info);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
-- return NT_STATUS_OK;
--}
--
- /* Creates a pipes_struct and initializes it with the information
- * sent from the client */
- static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
-@@ -1067,11 +1054,14 @@ void dcerpc_ncacn_accept(struct tevent_context *ev_ctx,
- }
-
- if (ncacn_conn->session_info == NULL) {
-- status = auth_anonymous_session_info(ncacn_conn,
-- &ncacn_conn->session_info);
-+ /*
-+ * TODO: use auth_anonymous_session_info() here?
-+ */
-+ status = make_session_info_guest(ncacn_conn,
-+ &ncacn_conn->session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(2, ("Failed to create "
-- "auth_anonymous_session_info - %s\n",
-+ "make_session_info_guest - %s\n",
- nt_errstr(status)));
- talloc_free(ncacn_conn);
- return;
---
-1.9.3
-
-
-From 215d591403e63b785308ff5d6b2e3c87ad9ee408 Mon Sep 17 00:00:00 2001
-From: Garming Sam <garming@catalyst.net.nz>
-Date: Fri, 29 Nov 2013 16:51:08 +1300
-Subject: [PATCH 136/249] selftest: add new rpc client test
-
-Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
-
-Signed-off-by: Garming Sam <garming@catalyst.net.nz>
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 0e46205ff83d137ca486868e4376b258b6dfa1a2)
----
- source3/script/tests/test_rpcclient_samlogon.sh | 27 +++++++++++++++++++++++++
- source3/selftest/tests.py | 2 ++
- 2 files changed, 29 insertions(+)
- create mode 100755 source3/script/tests/test_rpcclient_samlogon.sh
-
-diff --git a/source3/script/tests/test_rpcclient_samlogon.sh b/source3/script/tests/test_rpcclient_samlogon.sh
-new file mode 100755
-index 0000000..01af7f8
---- /dev/null
-+++ b/source3/script/tests/test_rpcclient_samlogon.sh
-@@ -0,0 +1,27 @@
-+#!/bin/sh
-+
-+if [ $# -lt 3 ]; then
-+cat <<EOF
-+Usage: test_rpcclient_samlogon.sh USERNAME PASSWORD binding <rpcclient commands>
-+EOF
-+exit 1;
-+fi
-+
-+USERNAME="$1"
-+PASSWORD="$2"
-+shift 2
-+ADDARGS="$*"
-+
-+rpcclient_samlogon()
-+{
-+ $VALGRIND $BINDIR/rpcclient -U% -c "samlogon $USERNAME $PASSWORD;samlogon $USERNAME $PASSWORD" $@
-+}
-+
-+
-+incdir=`dirname $0`/../../../testprogs/blackbox
-+. $incdir/subunit.sh
-+testit "rpcclient dsenumdomtrusts" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "dsenumdomtrusts" || failed=`expr $failed + 1`
-+testit "rpcclient getdcsitecoverage" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "getdcsitecoverage" || failed=`expr $failed + 1`
-+testit "rpcclient samlogon" rpcclient_samlogon $ADDARGS || failed=`expr $failed +1`
-+
-+testok $0 $failed
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index 85d67d6..f9cc3d1 100755
---- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -394,6 +394,8 @@ for s in signseal_options:
- plantestsuite("samba3.blackbox.rpcclient krb5 ncacn_np with [%s%s%s] " % (a, s, e), "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient.sh"),
- "$PREFIX/ktest/krb5_ccache-3", binding_string, "-k", configuration])
-
-+plantestsuite("samba3.blackbox.rpcclient_samlogon", "s3member:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"),
-+ "$DC_USERNAME", "$DC_PASSWORD", "ncacn_np:$DC_SERVER", configuration])
-
- options_list = ["", "-e"]
- for options in options_list:
---
-1.9.3
-
-
-From 05251d449931c29a0bb0c0b8ad194253dc5b66cb Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 29 Nov 2013 08:45:38 +0100
-Subject: [PATCH 137/249] s3:rpcclient: close the connection if setting up the
- netlogon secure channel fails
-
-This is based on a patch from Garming Sam <garming@catalyst.net.nz>.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 2fae806550f3355298541a344b217bf810bf92e4)
----
- source3/rpcclient/rpcclient.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index cb7b70f..0cbec20 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -768,6 +768,10 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- trust_password, &machine_account,
- &sec_channel_type))
- {
-+ DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
-+ get_cmdline_auth_info_domain(auth_info),
-+ cmd_entry->table->name));
-+ TALLOC_FREE(cmd_entry->rpc_pipe);
- talloc_free(mem_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-@@ -784,6 +788,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- if (!NT_STATUS_IS_OK(ntresult)) {
- DEBUG(0, ("Could not initialise credentials for %s.\n",
- cmd_entry->table->name));
-+ TALLOC_FREE(cmd_entry->rpc_pipe);
- talloc_free(mem_ctx);
- return ntresult;
- }
---
-1.9.3
-
-
-From 8d3336b9a61a185a4194313fec338321fed6b151 Mon Sep 17 00:00:00 2001
-From: Garming Sam <garming@catalyst.net.nz>
-Date: Mon, 2 Dec 2013 13:20:39 +1300
-Subject: [PATCH 138/249] selftest: add new credential change test
-
-Signed-off-by: Garming Sam <garming@catalyst.net.nz>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 48820b95285f7dffd827143ba56f432f3e283a6f)
----
- source3/script/tests/test_net_cred_change.sh | 16 ++++++++++++++++
- source3/selftest/tests.py | 3 +++
- 2 files changed, 19 insertions(+)
- create mode 100755 source3/script/tests/test_net_cred_change.sh
-
-diff --git a/source3/script/tests/test_net_cred_change.sh b/source3/script/tests/test_net_cred_change.sh
-new file mode 100755
-index 0000000..9013d07
---- /dev/null
-+++ b/source3/script/tests/test_net_cred_change.sh
-@@ -0,0 +1,16 @@
-+#!/bin/sh
-+
-+if [ $# -lt 1 ]; then
-+cat <<EOF
-+Usage: test_net_cred_change.sh CONFIGURATION
-+EOF
-+exit 1;
-+fi
-+
-+incdir=`dirname $0`/../../../testprogs/blackbox
-+. $incdir/subunit.sh
-+testit "first change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
-+testit "first join" $VALGRIND $BINDIR/net rpc testjoin $@ || failed =`expr $failed + 1`
-+testit "second change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
-+
-+testok $0 $failed
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index f9cc3d1..aac1bbb 100755
---- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -165,6 +165,9 @@ for env in ["s3dc", "member", "s3member"]:
-
- plantestsuite("samba3.ntlm_auth.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_s3.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', configuration])
-
-+for env in ["member", "s3member"]:
-+ plantestsuite("samba3.blackbox.net_cred_change.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_net_cred_change.sh"), configuration])
-+
- env = "s3member"
- t = "--krb5auth=$DOMAIN\\\\$DC_USERNAME%$DC_PASSWORD"
- plantestsuite("samba3.wbinfo_s3.(%s:local).%s" % (env, t), "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_wbinfo_s3.sh"), t])
---
-1.9.3
-
-
-From 4b97cece12602437f3a2c9a395f5ed62cc00c0c4 Mon Sep 17 00:00:00 2001
-From: Garming Sam <garming@catalyst.net.nz>
-Date: Mon, 23 Dec 2013 17:12:39 +1300
-Subject: [PATCH 139/249] selftest: add rodc and other env tests for wbinfo
-
-Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
-Signed-off-by: Garming Sam <garming@catalyst.net.nz>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Mon Dec 23 17:17:39 CET 2013 on sn-devel-104
-(cherry picked from commit 819e1f561df5074ae21db77c6558b34f4b0e1351)
----
- source4/selftest/tests.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
-index e738d1d9..c3a33c7 100755
---- a/source4/selftest/tests.py
-+++ b/source4/selftest/tests.py
-@@ -309,8 +309,8 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
- plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
- plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
- plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
--plantestsuite("samba4.blackbox.wbinfo(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "dc"])
--plantestsuite("samba4.blackbox.wbinfo(s4member:local)", "s4member:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', "s4member"])
-+for env in ["dc", "s4member", "rodc", "promoted_dc"]:
-+ plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
- plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
- plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
- plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
---
-1.9.3
-
-
-From 689deff949e8ce9b6aa900e7b0c714d5a025d516 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 17 Dec 2013 19:35:37 +0100
-Subject: [PATCH 140/249] libcli/auth: set the return_authenticator->timestamp
- = 0
-
-This is what windows returns, the value is ignored by the client anyway.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 202bcf9096e53d94b294936d6144ae77f1536b72)
----
- libcli/auth/credentials.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
-index 1f664d3..197db86 100644
---- a/libcli/auth/credentials.c
-+++ b/libcli/auth/credentials.c
-@@ -479,7 +479,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
- netlogon_creds_step(creds);
- if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
- return_authenticator->cred = creds->server;
-- return_authenticator->timestamp = creds->sequence;
-+ return_authenticator->timestamp = 0;
- return NT_STATUS_OK;
- } else {
- ZERO_STRUCTP(return_authenticator);
---
-1.9.3
-
-
-From fe8a979787c9528bb3b403272be3dc6a313bbebd Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 17 Dec 2013 19:40:15 +0100
-Subject: [PATCH 141/249] libcli/auth: remove bogus comment regarding replay
- attacks
-
-creds->sequence (timestamp) is the value that is used to increment the internal
-state, it's not a real sequence number. The sequence comes
-from adding all timestamps of the whole session.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 636daac3b7b08ccb8845dab060157918d296ef67)
----
- libcli/auth/credentials.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
-index 197db86..afb4a04 100644
---- a/libcli/auth/credentials.c
-+++ b/libcli/auth/credentials.c
-@@ -473,8 +473,6 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
- return NT_STATUS_ACCESS_DENIED;
- }
-
-- /* TODO: this may allow the a replay attack on a non-signed
-- connection. Should we check that this is increasing? */
- creds->sequence = received_authenticator->timestamp;
- netlogon_creds_step(creds);
- if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
---
-1.9.3
-
-
-From 1f6a52bb1f756be05e28dc9e16725ac73b005d00 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 17 Dec 2013 19:55:12 +0100
-Subject: [PATCH 142/249] libcli/auth: try to use the current timestamp
- creds->sequence
-
-If the last usage of netlogon_creds_client_authenticator()
-is in the past try to use the current timestamp and increment
-more than just 2.
-
-If we use netlogon_creds_client_authenticator() a lot within a
-second, we increment keep incrementing by 2.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Tue Dec 24 13:18:18 CET 2013 on sn-devel-104
-(cherry picked from commit e6afeae69537f55ed187b28b60ad29b9e237ec6e)
----
- libcli/auth/credentials.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
-index afb4a04..f52538a 100644
---- a/libcli/auth/credentials.c
-+++ b/libcli/auth/credentials.c
-@@ -344,7 +344,29 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA
- void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
- struct netr_Authenticator *next)
- {
-+ uint32_t t32n = (uint32_t)time(NULL);
-+
-+ /*
-+ * we always increment and ignore an overflow here
-+ */
- creds->sequence += 2;
-+
-+ if (t32n > creds->sequence) {
-+ /*
-+ * we may increment more
-+ */
-+ creds->sequence = t32n;
-+ } else {
-+ uint32_t d = creds->sequence - t32n;
-+
-+ if (d >= INT32_MAX) {
-+ /*
-+ * got an overflow of time_t vs. uint32_t
-+ */
-+ creds->sequence = t32n;
-+ }
-+ }
-+
- netlogon_creds_step(creds);
-
- next->cred = creds->client;
---
-1.9.3
-
-
-From 1cc32f5bf176a6daba93603a5b9aa4fc4fe42479 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 3 Jan 2014 12:56:38 +0100
-Subject: [PATCH 143/249] s4:selftest: run wbinfo tests at the end...
-
-This avoids flakey crashes in the promoted_dc environment.
-
-See the examples below, we had up to 50% of the daily build failing...
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-https://git.samba.org/autobuild.flakey/2013-12-23-1942/samba.stdout
-
- [1586/1594 in 1h39m20s] samba4.drs.fsmo.python(promoted_dc)
- Testing for schema role transfer from localdc.samba.example.com to PROMOTEDVDC.samba.example.com
- FSMO transfer of 'schema' role successful
- Testing for schema role transfer from PROMOTEDVDC.samba.example.com to localdc.samba.example.com
- ERROR: Failed to initiate transfer of 'schema' role: LDAP error 52 LDAP_UNAVAILABLE - <Failed FSMO transfer: WERR_DS_DRA_INTERNAL_ERROR> <>
- UNEXPECTED(failure): samba4.drs.fsmo.python(promoted_dc).fsmo.DrsFsmoTestCase.test_SchemaMasterTransfer(promoted_dc)
- REASON: _StringException: _StringException: Content-Type: text/x-traceback;charset=utf8,language=python
- traceback
- 380
-
-https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stdout
-
- [1583/1594 in 1h36m4s] samba.tests.blackbox.samba_tool_drs
- ERROR: Testsuite[samba.tests.blackbox.samba_tool_drs]
- REASON: unable to set up environment promoted_dc - exiting
-
-https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stderr
-
- Unable to convert 1.2.840.86419.1.5.9939 to an attid, and can_change_pfm=false!
- Unable to convert governsID on CN=test-class30318,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com to DRS object - WERR_NOT_FOUND
- ../source4/rpc_server/drsuapi/getncchanges.c:1646: DsGetNCChanges 2nd replication on different DN CN=Configuration,DC=samba,DC=example,DC=com CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com (last_dn CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com)
- ===============================================================
- INTERNAL ERROR: Signal 11 in pid 884274 (4.2.0pre1-DEVELOPERBUILD)
- Please read the Trouble-Shooting section of the Samba HOWTO
- ===============================================================
- smb_panic(): calling panic action [/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274]
- [Thread debugging using libthread_db enabled]
- 0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
- stat_loc=0x7fff67c7709c, options=<value optimized out>)
- at ../sysdeps/unix/sysv/linux/waitpid.c:32
- 32 ../sysdeps/unix/sysv/linux/waitpid.c: No such file or directory.
- in ../sysdeps/unix/sysv/linux/waitpid.c
- #0 0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
- stat_loc=0x7fff67c7709c, options=<value optimized out>)
- at ../sysdeps/unix/sysv/linux/waitpid.c:32
- oldtype = <value optimized out>
- result = <value optimized out>
- #1 0x00002af6b5baeb39 in do_system (line=<value optimized out>)
- at ../sysdeps/posix/system.c:149
- __result = -512
- _buffer = {__routine = 0x2af6b5baee90 <cancel_handler>,
- __arg = 0x7fff67c77098, __canceltype = 0, __prev = 0x0}
- _avail = 1
- status = <value optimized out>
- save = <value optimized out>
- pid = 886733
- sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1},
- sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0,
- sa_restorer = 0x2af6b5b730f0}
- omask = {__val = {7808, 4294967295, 140734934511616, 1, 2195512, 0,
- 0, 0, 47239032274944, 47239027992529, 140733193388033, 0, 0,
- 47239099003120, 140734934511792, 47239558787328}}
- #2 0x00002af6b311821f in smb_panic_default (
- why=0x2af6b312a875 "internal error") at ../lib/util/fault.c:134
- result = 32767
- pidstr = "884274\000\000\001\375\376\320\366*\000\000\260\377\377\377"
- cmdstring = "/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274\000\307g\377\177\000\000\001\000\000\000\000\000\000\000\320\301#", '\000' <repeats 30 times>"\240, \017\263\366*\000\000\321\247{\261\366*\000\000\001\000\000\000\005", '\000' <repeats 11 times>"\260, \016\v\321\366*\000\000X\351\017\263\366*\000\000\260q\307g\377\177\000\000\000\361\036\321\366*\000\000\020r\307g\377\177\000\000\240\301z\326\366*\000\000\000Z\304\320\366*\000"
- __FUNCTION__ = "smb_panic_default"
- #3 0x00002af6b31183b5 in smb_panic (why=0x2af6b312a875 "internal error")
- at ../lib/util/fault.c:162
- No locals.
- #4 0x00002af6b311809f in fault_report (sig=11) at ../lib/util/fault.c:77
- counter = 1
- __FUNCTION__ = "fault_report"
- #5 0x00002af6b31180b4 in sig_fault (sig=11) at ../lib/util/fault.c:88
- No locals.
- #6 <signal handler called>
- No symbol table info available.
- #7 0x00002af6cabef930 in replmd_check_urgent_objectclass (
- objectclass_el=0x0, situation=REPL_URGENT_ON_UPDATE)
- at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:205
- i = 2
- j = 0
- #8 0x00002af6cabf29b6 in replmd_update_rpmd (module=0x2af6b17f2c20,
- schema=0x2af6d05e5570, req=0x2af6d05e8ad0, rename_attrs=0x0,
- msg=0x2af6d11ef100, seq_num=0x2af6d0c315b8, t=1387895162,
- is_urgent=0x7fff67c778bf, rodc=0x7fff67c778be)
- at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1432
- omd_value = 0x7fff67c77810
- ndr_err = 3508465920
- omd = {version = 1741125552, reserved = 32767, ctr = {ctr1 = {
- count = 3008684740, reserved = 10998, array = 0x7fff67c777b0}}}
- i = 10998
- now = 130323687620000000
- our_invocation_id = 0x2af6d1796390
- ret = 0
- attrs = 0x7fff67c77750
- attrs1 = {0x2af6cabff775 "replPropertyMetaData", 0x2af6cabffc8b "*",
- 0x0}
- attrs2 = {0x2af6cabff76a "uSNChanged", 0x2af6cabffa98 "objectClass",
- 0x2af6cabffc8d "instanceType", 0x0}
- res = 0x2af6d10b0eb0
- ldb = 0x2af6b17f2470
- objectclass_el = 0x0
- situation = REPL_URGENT_ON_UPDATE
- rmd_is_provided = false
- __FUNCTION__ = "replmd_update_rpmd"
- #9 0x00002af6cabf5a06 in replmd_modify (module=0x2af6b17f2c20,
- req=0x2af6d05e8ad0)
- at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:2455
- msds_intid_struct = 0x2af6d05e8ad0
- ldb = 0x2af6b17f2470
- ac = 0x2af6d0c31580
- down_req = 0x2af6d0e6a100
- msg = 0x2af6d11ef100
- t = 1387895162
- ret = 1741125936
- is_urgent = false
- rodc = false
- functional_level = 3
- guid_blob = 0x0
- sd_propagation_control = 0x0
- #10 0x00002af6bf69f94d in dsdb_module_modify (module=0x2af6b17f2c20,
- message=0x2af6d1183fe0, dsdb_flags=4194304, parent=0x2af6ce6ea980)
- at ../source4/dsdb/samdb/ldb_modules/util.c:460
- ops = 0x2af6cae06b40
- mod_req = 0x2af6d05e8ad0
- ret = 0
- ldb = 0x2af6b17f2470
- tmp_ctx = 0x2af6d0ed62f0
- res = 0x2af6d0e6a100
- __FUNCTION__ = "dsdb_module_modify"
- #11 0x00002af6cabf7ebc in replmd_delete_internals (module=0x2af6b17f2c20,
- req=0x2af6ce6ea980, re_delete=true)
- at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3309
- ret = 0
- retb = true
- disallow_move_on_delete = false
- old_dn = 0x2af6d6a2a010
- new_dn = 0x2af6d0794a90
- rdn_name = 0x2af6d0885c10 "CN"
- rdn_value = 0x2af6d10d7368
- new_rdn_value = 0x2af6d0c45a00
- guid = {time_low = 48, time_mid = 0, time_hi_and_version = 0,
- clock_seq = "\200\251", node = "n\316\366*\000"}
- ldb = 0x2af6b17f2470
- schema = 0x2af6d05e5570
- msg = 0x2af6d1183fe0
- old_msg = 0x2af6d1902800
- el = 0x2af6d0874900
- tmp_ctx = 0x2af6d0b77560
- res = 0x2af6d0d57980
- parent_res = 0x30
- preserved_attrs = {0x2af6cac00fe1 "nTSecurityDescriptor",
- 0x2af6cac055c3 "attributeID", 0x2af6cac055cf "attributeSyntax",
- 0x2af6cac055df "dNReferenceUpdate", 0x2af6cac055f1 "dNSHostName",
- 0x2af6cac055fd "flatName", 0x2af6cac05606 "governsID",
- 0x2af6cac05610 "groupType", 0x2af6cabffc8d "instanceType",
- 0x2af6cac0561a "lDAPDisplayName",
- 0x2af6cac0562a "legacyExchangeDN", 0x2af6cabfe94d "isDeleted",
- 0x2af6cabfe957 "isRecycled", 0x2af6cac020f8 "lastKnownParent",
- 0x2af6cac021e8 "msDS-LastKnownRDN",
- 0x2af6cac0563b "mS-DS-CreatorSID", 0x2af6cac0564c "mSMQOwnerID",
- 0x2af6cac05658 "nCName", 0x2af6cabffa98 "objectClass",
- 0x2af6cac0565f "distinguishedName", 0x2af6cabff5b5 "objectGUID",
- 0x2af6cac05671 "objectSid", 0x2af6cac0567b "oMSyntax",
- 0x2af6cac05684 "proxiedObjectName", 0x2af6cac014d8 "name",
- 0x2af6cabff775 "replPropertyMetaData",
- 0x2af6cac05696 "sAMAccountName",
- 0x2af6cac056a5 "securityIdentifier", 0x2af6cac056b8 "sIDHistory",
- 0x2af6cac056c3 "subClassOf", 0x2af6cac01ba8 "systemFlags",
- 0x2af6cac056ce "trustPartner", 0x2af6cac056db "trustDirection",
- 0x2af6cac056ea "trustType", 0x2af6cac056f4 "trustAttributes",
- 0x2af6cabfe9b8 "userAccountControl", 0x2af6cabff76a "uSNChanged",
- 0x2af6cabff75f "uSNCreated", 0x2af6cabff747 "whenCreated",
- 0x2af6cabff753 "whenChanged", 0x0}
- i = 12
- el_count = 1
- deletion_state = OBJECT_TOMBSTONE
- next_deletion_state = OBJECT_TOMBSTONE
- __FUNCTION__ = "replmd_delete_internals"
- #12 0x00002af6cabfbbe3 in replmd_replicated_apply_isDeleted (
- ar=0x2af6d74c0b40)
- at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4718
- del_req = 0x2af6ce6ea980
- res = 0x2af6d0cdebf0
- tmp_ctx = 0x2af6d0949230
- deleted_objects_dn = 0x2af6d1a49f00
- msg = 0x2af6d0a39620
- ret = 0
- #13 0x00002af6cabf0766 in replmd_op_callback (req=0x2af6d05a21e0,
- ares=0x2af6d0d715c0)
- at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:526
- ret = 10998
- ac = 0x2af6d74c0b40
- replmd_private = 0x2af6b188c7c0
- modified_partition = 0x2af6d141b670
- partition_ctrl = 0x2af6d1905f40
- partition = 0x2af6ce6bdbe0
- controls = 0x0
- __FUNCTION__ = "replmd_op_callback"
- #14 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
- ctrls=0x2af6d1629aa0, response=0x0, error=0)
- at ../lib/ldb/common/ldb_modules.c:832
- ares = 0x2af6d0d715c0
- #15 0x00002af6cabf896b in replmd_op_possible_conflict_callback (
- req=0x2af6d05a21e0, ares=0x2af6b1883eb0,
- callback=0x2af6cabf0334 <replmd_op_callback>)
- at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3606
- conflict_dn = 0x2af6cac03470
- ar = 0x2af6d74c0b40
- res = 0x2af6b354f89b
- attrs = {0x2af6cabff775 "replPropertyMetaData",
- 0x2af6cabff5b5 "objectGUID", 0x0}
- ret = -682882240
- omd_value = 0x7fff67c77e20
- omd = {version = 1741127104, reserved = 32767, ctr = {ctr1 = {
- count = 0, reserved = 0, array = 0x28}}}
- rmd = 0x2af6d74c0ae0
- ndr_err = 10998
- rename_incoming_record = false
- rodc = false
- rmd_name = 0x7fff67c77e10
- omd_name = 0x2af6d74c0b40
- msg = 0x2af6b1883e50
- __FUNCTION__ = "replmd_op_possible_conflict_callback"
- #16 0x00002af6cabf93fb in replmd_op_add_callback (req=0x2af6d05a21e0,
- ares=0x2af6b1883eb0)
- at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3802
- ar = 0x2af6d74c0b40
- #17 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
- ctrls=0x2af6d1629aa0, response=0x0, error=0)
- at ../lib/ldb/common/ldb_modules.c:832
- ares = 0x2af6b1883eb0
- #18 0x00002af6ca3c8b6a in partition_req_callback (req=0x2af6d087a1e0,
- ares=0x2af6d05a1fa0) at ../source4/dsdb/samdb/ldb_modules/partition.c:213
- ac = 0x2af6d0949370
- module = 0x2af6cd27bf12
- nreq = 0x2af6d05b67b0
- ret = 0
- partition_ctrl = 0x2af6d0d71740
- #19 0x00002af6cd2752ab in ltdb_request_done (ctx=0x2af6d1cd7ed0, error=0)
- at ../lib/ldb/ldb_tdb/ldb_tdb.c:1280
- ldb = 0x2af6b17f2470
- req = 0x2af6d087a1e0
- ares = 0x2af6d05a1fa0
- #20 0x00002af6cd275597 in ltdb_callback (ev=0x2af6b17ef8c0,
- te=0x2af6d17f75d0, t=..., private_data=0x2af6d1cd7ed0)
- at ../lib/ldb/ldb_tdb/ldb_tdb.c:1390
- ctx = 0x2af6d1cd7ed0
- ret = 0
- #21 0x00002af6b3343259 in tevent_common_loop_timer_delay (ev=0x2af6b17ef8c0)
- at ../lib/tevent/tevent_timed.c:341
- current_time = {tv_sec = 0, tv_usec = 0}
- te = 0x2af6d17f75d0
- #22 0x00002af6b334558a in epoll_event_loop_once (ev=0x2af6b17ef8c0,
- location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
- at ../lib/tevent/tevent_epoll.c:912
- epoll_ev = 0x2af6b17efb00
- tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
- panic_triggered = false
- #23 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
- location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
- at ../lib/tevent/tevent_standard.c:112
- glue_ptr = 0x2af6b17ef9b0
- glue = 0x2af6b17ef9b0
- ret = 10998
- #24 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
- location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
- at ../lib/tevent/tevent.c:530
- ret = 0
- nesting_stack_ptr = 0x0
- #25 0x00002af6b1e154c4 in ldb_wait (handle=0x2af6d67624c0, type=LDB_WAIT_ALL)
- at ../lib/ldb/common/ldb.c:621
- ev = 0x2af6b17ef8c0
- ret = 0
- #26 0x00002af6b1e1786b in ldb_extended (ldb=0x2af6b17f2470,
- oid=0x2af6b4c4f9ce "1.3.6.1.4.1.7165.4.4.1", data=0x2af6d0e2bc60,
- _res=0x7fff67c78240) at ../lib/ldb/common/ldb.c:1506
- req = 0x2af6d0c45a00
- ret = 0
- res = 0x2af6d69238f0
- #27 0x00002af6b4c4a0d6 in dsdb_replicated_objects_commit (ldb=0x2af6b17f2470,
- working_schema=0x0, objects=0x2af6d0e2bc60, notify_uSN=0x2af6d14a65f0)
- at ../source4/dsdb/repl/replicated_objects.c:773
- werr = {w = 0}
- ext_res = 0x0
- cur_schema = 0x0
- new_schema = 0x0
- ret = 0
- seq_num1 = 5554
- seq_num2 = 47239626746464
- used_global_schema = false
- tmp_ctx = 0x2af6d03c5860
- __FUNCTION__ = "dsdb_replicated_objects_commit"
- #28 0x00002af6c1c6babb in dreplsrv_op_pull_source_apply_changes_trigger (
- req=0x2af6d17daed0, r=0x2af6d17db0d0, ctr_level=6, ctr1=0x0,
- ctr6=0x2af6d1b02bb0) at ../source4/dsdb/repl/drepl_out_helpers.c:717
- state = 0x2af6d17db050
- rf1 = {blobsize = 274, consecutive_sync_failures = 0,
- last_success = 130323684670000000,
- last_attempt = 130323687610000000, result_last_attempt = {w = 0},
- other_info = 0x2af6d0949910, other_info_length = 66,
- replica_flags = 112, schedule = '\021' <repeats 84 times>,
- reserved = 0, highwatermark = {tmp_highest_usn = 12398,
- reserved_usn = 0, highest_usn = 12398}, source_dsa_obj_guid = {
- time_low = 984092159, time_mid = 850,
- time_hi_and_version = 18870, clock_seq = "\251X",
- node = "UF\324\223\205\241"}, source_dsa_invocation_id = {
- time_low = 1460694408, time_mid = 52035,
- time_hi_and_version = 18738, clock_seq = "\204}",
- node = "\264\365\276\372\256\303"}, transport_guid = {
- time_low = 0, time_mid = 0, time_hi_and_version = 0,
- clock_seq = "\000", node = "\000\000\000\000\000"}}
- service = 0x2af6d0ff6b00
- partition = 0x2af6d0b6f220
- drsuapi = 0x2af6d1c8d480
- schema = 0x2af6d05e5570
- working_schema = 0x0
- mapping_ctr = 0x2af6d1b02c10
- object_count = 50
- first_object = 0x2af6d0571800
- linked_attributes_count = 0
- linked_attributes = 0x2af6d5212140
- uptodateness_vector = 0x2af6d1a741c0
- objects = 0x2af6d0e2bc60
- more_data = false
- status = {w = 0}
- nt_status = {v = 3006553120}
- dsdb_repl_flags = 0
- __FUNCTION__ = "dreplsrv_op_pull_source_apply_changes_trigger"
- #29 0x00002af6c1c6b3e7 in dreplsrv_op_pull_source_get_changes_done (
- subreq=0x0) at ../source4/dsdb/repl/drepl_out_helpers.c:599
- req = 0x2af6d17daed0
- state = 0x2af6d17db050
- status = {v = 0}
- r = 0x2af6d17db0d0
- ctr_level = 6
- ctr1 = 0x0
- ctr6 = 0x2af6d1b02bb0
- extended_ret = DRSUAPI_EXOP_ERR_NONE
- #30 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d1a73f70,
- location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
- at ../lib/tevent/tevent_req.c:102
- No locals.
- #31 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d1a73f70,
- state=TEVENT_REQ_DONE,
- location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
- at ../lib/tevent/tevent_req.c:117
- No locals.
- #32 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d1a73f70,
- location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
- at ../lib/tevent/tevent_req.c:123
- No locals.
- #33 0x00002af6c1c708df in dcerpc_drsuapi_DsGetNCChanges_r_done (
- subreq=0x2af6d122f4c0) at default/librpc/gen_ndr/ndr_drsuapi_c.c:712
- req = 0x2af6d1a73f70
- status = {v = 0}
- #34 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d122f4c0,
- location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
- at ../lib/tevent/tevent_req.c:102
- No locals.
- #35 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d122f4c0,
- state=TEVENT_REQ_DONE,
- location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
- at ../lib/tevent/tevent_req.c:117
- No locals.
- #36 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d122f4c0,
- location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
- at ../lib/tevent/tevent_req.c:123
- No locals.
- #37 0x00002af6b5757ede in dcerpc_binding_handle_call_done (subreq=0x0)
- at ../librpc/rpc/binding_handle.c:517
- req = 0x2af6d122f4c0
- state = 0x2af6d122f640
- h = 0x2af6d0959d10
- error = {v = 0}
- out_flags = 0
- ndr_err = NDR_ERR_SUCCESS
- #38 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d522f7a0,
- location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
- at ../lib/tevent/tevent_req.c:102
- No locals.
- #39 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d522f7a0,
- state=TEVENT_REQ_DONE,
- location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
- at ../lib/tevent/tevent_req.c:117
- No locals.
- #40 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d522f7a0,
- location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
- at ../lib/tevent/tevent_req.c:123
- No locals.
- #41 0x00002af6b5757398 in dcerpc_binding_handle_raw_call_done (subreq=0x0)
- at ../librpc/rpc/binding_handle.c:188
- req = 0x2af6d522f7a0
- state = 0x2af6d522f920
- error = {v = 0}
- #42 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d0712430,
- location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
- at ../lib/tevent/tevent_req.c:102
- No locals.
- #43 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d0712430,
- state=TEVENT_REQ_DONE,
- location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
- at ../lib/tevent/tevent_req.c:117
- No locals.
- #44 0x00002af6b333e472 in tevent_req_trigger (ev=0x2af6b17ef8c0,
- im=0x2af6d0712500, private_data=0x2af6d0712430)
- at ../lib/tevent/tevent_req.c:174
- req = 0x2af6d0712430
- #45 0x00002af6b333d6d4 in tevent_common_loop_immediate (ev=0x2af6b17ef8c0)
- at ../lib/tevent/tevent_immediate.c:135
- im = 0x2af6d0712500
- handler = 0x2af6b333e423 <tevent_req_trigger>
- private_data = 0x2af6d0712430
- #46 0x00002af6b3345570 in epoll_event_loop_once (ev=0x2af6b17ef8c0,
- location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
- at ../lib/tevent/tevent_epoll.c:907
- epoll_ev = 0x2af6b17efb00
- tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
- panic_triggered = false
- #47 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
- location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
- at ../lib/tevent/tevent_standard.c:112
- glue_ptr = 0x2af6b17ef9b0
- glue = 0x2af6b17ef9b0
- ret = 10998
- #48 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
- location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
- at ../lib/tevent/tevent.c:530
- ret = 0
- nesting_stack_ptr = 0x0
- #49 0x00002af6b333ca11 in tevent_common_loop_wait (ev=0x2af6b17ef8c0,
- location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
- at ../lib/tevent/tevent.c:634
- ret = 0
- #50 0x00002af6b3342405 in std_event_loop_wait (ev=0x2af6b17ef8c0,
- location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
- at ../lib/tevent/tevent_standard.c:138
- glue_ptr = 0x2af6b17ef9b0
- glue = 0x2af6b17ef9b0
- ret = 10998
- #51 0x00002af6b333cadc in _tevent_loop_wait (ev=0x2af6b17ef8c0,
- location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
- at ../lib/tevent/tevent.c:653
- No locals.
- #52 0x00002af6b15a37bc in binary_smbd_main (
- binary_name=0x2af6b15a737b "samba", argc=6, argv=0x7fff67c78de8)
- at ../source4/smbd/server.c:503
- opt_daemon = false
- opt_interactive = true
- opt = -1
- pc = 0x2af6b17d5040
- static_init = {0x2af6b2ac7d8c <server_service_auth_init>,
- 0x2af6b2aca9e7 <server_service_echo_init>, 0}
- shared_init = 0x2af6b18143b0
- event_ctx = 0x2af6b17ef8c0
- stdin_event_flags = 1
- status = {v = 0}
- model = 0x2af6b17d5b90 "single"
- max_runtime = 7500
-
-Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
-Autobuild-Date(master): Mon Jan 6 01:16:13 CET 2014 on sn-devel-104
-(cherry picked from commit 056008df62cb66090b3e30cb09c0edacfbdb5720)
----
- source4/selftest/tests.py | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
-index c3a33c7..9567a8e 100755
---- a/source4/selftest/tests.py
-+++ b/source4/selftest/tests.py
-@@ -309,8 +309,6 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
- plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
- plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
- plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
--for env in ["dc", "s4member", "rodc", "promoted_dc"]:
-- plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
- plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
- plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
- plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
-@@ -502,6 +500,10 @@ for env in ['vampire_dc', 'promoted_dc']:
- extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
-
- plantestsuite("samba4.blackbox.samba_tool_demote(%s)" % env, env, [os.path.join(samba4srcdir, "utils/tests/test_demote.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$DOMAIN', '$DC_SERVER', '$PREFIX/%s' % env, smbclient4])
-+
-+for env in ["dc", "s4member", "rodc", "promoted_dc"]:
-+ plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
-+
- # TODO: Verifying the databases really should be a part of the
- # environment teardown.
- # check the databases are all OK. PLEASE LEAVE THIS AS THE LAST TEST
---
-1.9.3
-
-
-From 3e44e7485dbfea37cb84034c4d13c96059bd9687 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 3 Jan 2014 08:35:27 +0100
-Subject: [PATCH 144/249] s4:librpc: always try to negotiate
- DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
-
-If the gensec backend supports it there's no reason not sign the header.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 7db1dc13b0149441a2beebca65b75f6e11af13a3)
----
- librpc/rpc/binding.c | 1 -
- librpc/rpc/rpc_common.h | 5 ++++-
- source4/librpc/rpc/dcerpc.c | 12 ++----------
- source4/librpc/rpc/dcerpc_auth.c | 14 ++++++++++----
- 4 files changed, 16 insertions(+), 16 deletions(-)
-
-diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c
-index 49651e8..52122cf 100644
---- a/librpc/rpc/binding.c
-+++ b/librpc/rpc/binding.c
-@@ -88,7 +88,6 @@ static const struct {
- {"padcheck", DCERPC_DEBUG_PAD_CHECK},
- {"bigendian", DCERPC_PUSH_BIGENDIAN},
- {"smb2", DCERPC_SMB2},
-- {"hdrsign", DCERPC_HEADER_SIGNING},
- {"ndr64", DCERPC_NDR64},
- {"localaddress", DCERPC_LOCALADDRESS}
- };
-diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
-index 978229e..93d3bb4 100644
---- a/librpc/rpc/rpc_common.h
-+++ b/librpc/rpc/rpc_common.h
-@@ -98,7 +98,7 @@ struct dcerpc_binding {
- /* this triggers the DCERPC_PFC_FLAG_CONC_MPX flag in the bind request */
- #define DCERPC_CONCURRENT_MULTIPLEX (1<<19)
-
--/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
-+/* this indicates DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag was negotiated */
- #define DCERPC_HEADER_SIGNING (1<<20)
-
- /* use NDR64 transport */
-@@ -113,6 +113,9 @@ struct dcerpc_binding {
- /* use aes schannel with hmac-sh256 session key */
- #define DCERPC_SCHANNEL_AES (1<<24)
-
-+/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
-+#define DCERPC_PROPOSE_HEADER_SIGNING (1<<25)
-+
- /* The following definitions come from ../librpc/rpc/dcerpc_error.c */
-
- const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
-diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
-index 56b821e..2f6c8dd 100644
---- a/source4/librpc/rpc/dcerpc.c
-+++ b/source4/librpc/rpc/dcerpc.c
-@@ -1162,7 +1162,7 @@ struct tevent_req *dcerpc_bind_send(TALLOC_CTX *mem_ctx,
- pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
- }
-
-- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
-+ if (p->conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) {
- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
- }
-
-@@ -1304,7 +1304,7 @@ static void dcerpc_bind_recv_handler(struct rpc_request *subreq,
- conn->flags |= DCERPC_CONCURRENT_MULTIPLEX;
- }
-
-- if ((state->p->binding->flags & DCERPC_HEADER_SIGNING) &&
-+ if ((conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) &&
- (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
- conn->flags |= DCERPC_HEADER_SIGNING;
- }
-@@ -1352,10 +1352,6 @@ NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
- pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
- }
-
-- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
-- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
-- }
--
- /* construct the NDR form of the packet */
- status = ncacn_push_auth(&blob, mem_ctx,
- &pkt,
-@@ -2046,10 +2042,6 @@ struct tevent_req *dcerpc_alter_context_send(TALLOC_CTX *mem_ctx,
- pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
- }
-
-- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
-- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
-- }
--
- pkt.u.alter.max_xmit_frag = 5840;
- pkt.u.alter.max_recv_frag = 5840;
- pkt.u.alter.assoc_group_id = p->binding->assoc_group_id;
-diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
-index d5e5620..9a5d04d 100644
---- a/source4/librpc/rpc/dcerpc_auth.c
-+++ b/source4/librpc/rpc/dcerpc_auth.c
-@@ -173,10 +173,6 @@ static void bind_auth_next_step(struct composite_context *c)
-
- if (!composite_is_ok(c)) return;
-
-- if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
-- gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
-- }
--
- if (state->credentials.length == 0) {
- composite_done(c);
- return;
-@@ -234,6 +230,12 @@ static void bind_auth_recv_bindreply(struct tevent_req *subreq)
- TALLOC_FREE(subreq);
- if (!composite_is_ok(c)) return;
-
-+ if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
-+ struct dcecli_security *sec = &state->pipe->conn->security_state;
-+
-+ gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
-+ }
-+
- if (!state->more_processing) {
- /* The first gensec_update has not requested a second run, so
- * we're done here. */
-@@ -395,6 +397,10 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
-
- sec->auth_info->credentials = state->credentials;
-
-+ if (gensec_have_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
-+ state->pipe->conn->flags |= DCERPC_PROPOSE_HEADER_SIGNING;
-+ }
-+
- /* The first request always is a dcerpc_bind. The subsequent ones
- * depend on gensec results */
- subreq = dcerpc_bind_send(state, p->conn->event_ctx, p,
---
-1.9.3
-
-
-From 6bdc135a63647fbbc31c7b2e673396231541641d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 3 Jan 2014 08:39:12 +0100
-Subject: [PATCH 145/249] s4:rpc_server: support
- DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN by default
-
-If the gensec backend supports it there's no reason to disable it.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 661fe3cf890b91f8750872b0f5a09da536f76ae2)
----
- source4/rpc_server/dcerpc_server.c | 6 ------
- source4/rpc_server/dcesrv_auth.c | 37 ++++++++++++++++++++++++++++++++-----
- 2 files changed, 32 insertions(+), 11 deletions(-)
-
-diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
-index ad53685..3b35703 100644
---- a/source4/rpc_server/dcerpc_server.c
-+++ b/source4/rpc_server/dcerpc_server.c
-@@ -610,12 +610,6 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
- call->conn->cli_max_recv_frag = MIN(0x2000, call->pkt.u.bind.max_recv_frag);
- }
-
-- if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) &&
-- lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", false)) {
-- call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
-- extra_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
-- }
--
- /* handle any authentication that is being requested */
- if (!dcesrv_auth_bind(call)) {
- talloc_free(call->context);
-diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
-index c891cc6..152715b 100644
---- a/source4/rpc_server/dcesrv_auth.c
-+++ b/source4/rpc_server/dcesrv_auth.c
-@@ -92,10 +92,6 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
- return false;
- }
-
-- if (call->conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
-- gensec_want_feature(auth->gensec_security, GENSEC_FEATURE_SIGN_PKT_HEADER);
-- }
--
- return true;
- }
-
-@@ -107,11 +103,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
- {
- struct dcesrv_connection *dce_conn = call->conn;
- NTSTATUS status;
-+ bool want_header_signing = false;
-
- if (!call->conn->auth_state.gensec_security) {
- return NT_STATUS_OK;
- }
-
-+ if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
-+ want_header_signing = true;
-+ }
-+
-+ if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
-+ want_header_signing = false;
-+ }
-+
- status = gensec_update(dce_conn->auth_state.gensec_security,
- call, call->event_ctx,
- dce_conn->auth_state.auth_info->credentials,
-@@ -126,9 +131,17 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
- return status;
- }
-
-- if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
-+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
-+ GENSEC_FEATURE_SIGN_PKT_HEADER))
-+ {
-+ want_header_signing = false;
-+ }
-+
-+ if (want_header_signing) {
- gensec_want_feature(dce_conn->auth_state.gensec_security,
- GENSEC_FEATURE_SIGN_PKT_HEADER);
-+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
-+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
- }
-
- /* Now that we are authenticated, go back to the generic session key... */
-@@ -137,6 +150,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
- } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- dce_conn->auth_state.auth_info->auth_pad_length = 0;
- dce_conn->auth_state.auth_info->auth_reserved = 0;
-+
-+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
-+ GENSEC_FEATURE_SIGN_PKT_HEADER))
-+ {
-+ want_header_signing = false;
-+ }
-+
-+ if (want_header_signing) {
-+ gensec_want_feature(dce_conn->auth_state.gensec_security,
-+ GENSEC_FEATURE_SIGN_PKT_HEADER);
-+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
-+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
-+ }
-+
- return NT_STATUS_OK;
- } else {
- DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
---
-1.9.3
-
-
-From 868676160bb3bcfb4145a5c4b47fbb513c0bfac4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 31 Dec 2013 09:53:55 +0100
-Subject: [PATCH 146/249] auth/ntlmssp: GENSEC_FEATURE_SIGN_PKT_HEADER is
- always supported
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 64fc015a85f9b5ed74f3dabe05dbdff185093278)
----
- auth/ntlmssp/gensec_ntlmssp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
-index 654c0e3..5672589 100644
---- a/auth/ntlmssp/gensec_ntlmssp.c
-+++ b/auth/ntlmssp/gensec_ntlmssp.c
-@@ -102,6 +102,10 @@ bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
- return true;
- }
- }
-+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
-+ return true;
-+ }
-+
- return false;
- }
-
---
-1.9.3
-
-
-From e486316c74d3781413e66e451b51737fc194bdc2 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 31 Dec 2013 09:54:54 +0100
-Subject: [PATCH 147/249] s4:auth/gensec_gssapi: handle
- GENSEC_FEATURE_SIGN_PKT_HEADER in have_feature()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 14f6c41754960d73f46aca1bade2266b7e934d03)
----
- source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
-index 63a53bf..ffdefcf 100644
---- a/source4/auth/gensec/gensec_gssapi.c
-+++ b/source4/auth/gensec/gensec_gssapi.c
-@@ -1275,6 +1275,18 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
- if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
- return true;
- }
-+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
-+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
-+ /* TODO: implement this using gss_wrap_iov() */
-+ return false;
-+ }
-+
-+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
-+ return true;
-+ }
-+
-+ return false;
-+ }
- return false;
- }
-
---
-1.9.3
-
-
-From fa8d0a7726240f8fc6648424d9724bcd65949bfd Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 3 Jan 2014 15:30:46 +0100
-Subject: [PATCH 148/249] s4:gensec_gssapi: make sure
- gensec_gssapi_[un]seal_packet() rejects header signing
-
-If header signing is requested we should error out instead of
-silently ignoring it, our peer would hopefully reject it,
-but we should also do that.
-
-TODO: we should implement header signing using gss_wrap_iov().
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 54b5b3067f5b7a0eb6dd9f1326c903f9fe4a5592)
----
- source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
-index ffdefcf..b8f007d 100644
---- a/source4/auth/gensec/gensec_gssapi.c
-+++ b/source4/auth/gensec/gensec_gssapi.c
-@@ -1028,6 +1028,12 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
- int conf_state;
- ssize_t sig_length;
-
-+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
-+ DEBUG(1, ("gensec_gssapi_seal_packet: "
-+ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+
- input_token.length = length;
- input_token.value = data;
-
-@@ -1082,6 +1088,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
-
- dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
-
-+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
-+ DEBUG(1, ("gensec_gssapi_unseal_packet: "
-+ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+
- in = data_blob_talloc(gensec_security, NULL, sig->length + length);
-
- memcpy(in.data, sig->data, sig->length);
---
-1.9.3
-
-
-From 2b1f62e3d99047e2981dcdd32c6820346917dc04 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 31 Dec 2013 09:42:36 +0100
-Subject: [PATCH 149/249] auth/gensec: move libcli/auth/schannel_sign.c into
- schannel.c
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 616cd009955b1722e6749019e2c1cac8bbb94e52)
----
- auth/gensec/schannel.c | 380 ++++++++++++++++++++++++++++++++++++++++
- libcli/auth/schannel_proto.h | 14 --
- libcli/auth/schannel_sign.c | 404 -------------------------------------------
- libcli/auth/wscript_build | 2 +-
- 4 files changed, 381 insertions(+), 419 deletions(-)
- delete mode 100644 libcli/auth/schannel_sign.c
-
-diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
-index eb2e100..c60ab4f 100644
---- a/auth/gensec/schannel.c
-+++ b/auth/gensec/schannel.c
-@@ -31,6 +31,386 @@
- #include "librpc/gen_ndr/dcerpc.h"
- #include "param/param.h"
- #include "auth/gensec/gensec_toplevel_proto.h"
-+#include "lib/crypto/crypto.h"
-+
-+struct schannel_state {
-+ uint64_t seq_num;
-+ bool initiator;
-+ struct netlogon_creds_CredentialState *creds;
-+};
-+
-+#define SETUP_SEQNUM(state, buf, initiator) do { \
-+ uint8_t *_buf = buf; \
-+ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
-+ uint32_t _seq_num_high = (state)->seq_num >> 32; \
-+ if (initiator) { \
-+ _seq_num_high |= 0x80000000; \
-+ } \
-+ RSIVAL(_buf, 0, _seq_num_low); \
-+ RSIVAL(_buf, 4, _seq_num_high); \
-+} while(0)
-+
-+static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_CredentialState *creds,
-+ bool initiator)
-+{
-+ struct schannel_state *state;
-+
-+ state = talloc(mem_ctx, struct schannel_state);
-+ if (state == NULL) {
-+ return NULL;
-+ }
-+
-+ state->initiator = initiator;
-+ state->seq_num = 0;
-+ state->creds = netlogon_creds_copy(state, creds);
-+ if (state->creds == NULL) {
-+ talloc_free(state);
-+ return NULL;
-+ }
-+
-+ return state;
-+}
-+
-+static void netsec_offset_and_sizes(struct schannel_state *state,
-+ bool do_seal,
-+ uint32_t *_min_sig_size,
-+ uint32_t *_used_sig_size,
-+ uint32_t *_checksum_length,
-+ uint32_t *_confounder_ofs)
-+{
-+ uint32_t min_sig_size;
-+ uint32_t used_sig_size;
-+ uint32_t checksum_length;
-+ uint32_t confounder_ofs;
-+
-+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-+ min_sig_size = 48;
-+ used_sig_size = 56;
-+ /*
-+ * Note: windows has a bug here and uses the old values...
-+ *
-+ * checksum_length = 32;
-+ * confounder_ofs = 48;
-+ */
-+ checksum_length = 8;
-+ confounder_ofs = 24;
-+ } else {
-+ min_sig_size = 24;
-+ used_sig_size = 32;
-+ checksum_length = 8;
-+ confounder_ofs = 24;
-+ }
-+
-+ if (do_seal) {
-+ min_sig_size += 8;
-+ }
-+
-+ if (_min_sig_size) {
-+ *_min_sig_size = min_sig_size;
-+ }
-+
-+ if (_used_sig_size) {
-+ *_used_sig_size = used_sig_size;
-+ }
-+
-+ if (_checksum_length) {
-+ *_checksum_length = checksum_length;
-+ }
-+
-+ if (_confounder_ofs) {
-+ *_confounder_ofs = confounder_ofs;
-+ }
-+}
-+
-+/*******************************************************************
-+ Encode or Decode the sequence number (which is symmetric)
-+ ********************************************************************/
-+static void netsec_do_seq_num(struct schannel_state *state,
-+ const uint8_t *checksum,
-+ uint32_t checksum_length,
-+ uint8_t seq_num[8])
-+{
-+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-+ AES_KEY key;
-+ uint8_t iv[AES_BLOCK_SIZE];
-+
-+ AES_set_encrypt_key(state->creds->session_key, 128, &key);
-+ ZERO_STRUCT(iv);
-+ memcpy(iv+0, checksum, 8);
-+ memcpy(iv+8, checksum, 8);
-+
-+ aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
-+ } else {
-+ static const uint8_t zeros[4];
-+ uint8_t sequence_key[16];
-+ uint8_t digest1[16];
-+
-+ hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
-+ hmac_md5(digest1, checksum, checksum_length, sequence_key);
-+ arcfour_crypt(seq_num, sequence_key, 8);
-+ }
-+
-+ state->seq_num++;
-+}
-+
-+static void netsec_do_seal(struct schannel_state *state,
-+ const uint8_t seq_num[8],
-+ uint8_t confounder[8],
-+ uint8_t *data, uint32_t length,
-+ bool forward)
-+{
-+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-+ AES_KEY key;
-+ uint8_t iv[AES_BLOCK_SIZE];
-+ uint8_t sess_kf0[16];
-+ int i;
-+
-+ for (i = 0; i < 16; i++) {
-+ sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
-+ }
-+
-+ AES_set_encrypt_key(sess_kf0, 128, &key);
-+ ZERO_STRUCT(iv);
-+ memcpy(iv+0, seq_num, 8);
-+ memcpy(iv+8, seq_num, 8);
-+
-+ if (forward) {
-+ aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
-+ aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
-+ } else {
-+ aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
-+ aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
-+ }
-+ } else {
-+ uint8_t sealing_key[16];
-+ static const uint8_t zeros[4];
-+ uint8_t digest2[16];
-+ uint8_t sess_kf0[16];
-+ int i;
-+
-+ for (i = 0; i < 16; i++) {
-+ sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
-+ }
-+
-+ hmac_md5(sess_kf0, zeros, 4, digest2);
-+ hmac_md5(digest2, seq_num, 8, sealing_key);
-+
-+ arcfour_crypt(confounder, sealing_key, 8);
-+ arcfour_crypt(data, sealing_key, length);
-+ }
-+}
-+
-+/*******************************************************************
-+ Create a digest over the entire packet (including the data), and
-+ MD5 it with the session key.
-+ ********************************************************************/
-+static void netsec_do_sign(struct schannel_state *state,
-+ const uint8_t *confounder,
-+ const uint8_t *data, size_t length,
-+ uint8_t header[8],
-+ uint8_t *checksum)
-+{
-+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-+ struct HMACSHA256Context ctx;
-+
-+ hmac_sha256_init(state->creds->session_key,
-+ sizeof(state->creds->session_key),
-+ &ctx);
-+
-+ if (confounder) {
-+ SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
-+ SSVAL(header, 2, NL_SEAL_AES128);
-+ SSVAL(header, 4, 0xFFFF);
-+ SSVAL(header, 6, 0x0000);
-+
-+ hmac_sha256_update(header, 8, &ctx);
-+ hmac_sha256_update(confounder, 8, &ctx);
-+ } else {
-+ SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
-+ SSVAL(header, 2, NL_SEAL_NONE);
-+ SSVAL(header, 4, 0xFFFF);
-+ SSVAL(header, 6, 0x0000);
-+
-+ hmac_sha256_update(header, 8, &ctx);
-+ }
-+
-+ hmac_sha256_update(data, length, &ctx);
-+
-+ hmac_sha256_final(checksum, &ctx);
-+ } else {
-+ uint8_t packet_digest[16];
-+ static const uint8_t zeros[4];
-+ MD5_CTX ctx;
-+
-+ MD5Init(&ctx);
-+ MD5Update(&ctx, zeros, 4);
-+ if (confounder) {
-+ SSVAL(header, 0, NL_SIGN_HMAC_MD5);
-+ SSVAL(header, 2, NL_SEAL_RC4);
-+ SSVAL(header, 4, 0xFFFF);
-+ SSVAL(header, 6, 0x0000);
-+
-+ MD5Update(&ctx, header, 8);
-+ MD5Update(&ctx, confounder, 8);
-+ } else {
-+ SSVAL(header, 0, NL_SIGN_HMAC_MD5);
-+ SSVAL(header, 2, NL_SEAL_NONE);
-+ SSVAL(header, 4, 0xFFFF);
-+ SSVAL(header, 6, 0x0000);
-+
-+ MD5Update(&ctx, header, 8);
-+ }
-+ MD5Update(&ctx, data, length);
-+ MD5Final(packet_digest, &ctx);
-+
-+ hmac_md5(state->creds->session_key,
-+ packet_digest, sizeof(packet_digest),
-+ checksum);
-+ }
-+}
-+
-+static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
-+ bool do_unseal,
-+ uint8_t *data, size_t length,
-+ const DATA_BLOB *sig)
-+{
-+ uint32_t min_sig_size = 0;
-+ uint8_t header[8];
-+ uint8_t checksum[32];
-+ uint32_t checksum_length = sizeof(checksum_length);
-+ uint8_t _confounder[8];
-+ uint8_t *confounder = NULL;
-+ uint32_t confounder_ofs = 0;
-+ uint8_t seq_num[8];
-+ int ret;
-+
-+ netsec_offset_and_sizes(state,
-+ do_unseal,
-+ &min_sig_size,
-+ NULL,
-+ &checksum_length,
-+ &confounder_ofs);
-+
-+ if (sig->length < min_sig_size) {
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+
-+ if (do_unseal) {
-+ confounder = _confounder;
-+ memcpy(confounder, sig->data+confounder_ofs, 8);
-+ } else {
-+ confounder = NULL;
-+ }
-+
-+ SETUP_SEQNUM(state, seq_num, !state->initiator);
-+
-+ if (do_unseal) {
-+ netsec_do_seal(state, seq_num,
-+ confounder,
-+ data, length,
-+ false);
-+ }
-+
-+ netsec_do_sign(state, confounder,
-+ data, length,
-+ header, checksum);
-+
-+ ret = memcmp(checksum, sig->data+16, checksum_length);
-+ if (ret != 0) {
-+ dump_data_pw("calc digest:", checksum, checksum_length);
-+ dump_data_pw("wire digest:", sig->data+16, checksum_length);
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+
-+ netsec_do_seq_num(state, checksum, checksum_length, seq_num);
-+
-+ ret = memcmp(seq_num, sig->data+8, 8);
-+ if (ret != 0) {
-+ dump_data_pw("calc seq num:", seq_num, 8);
-+ dump_data_pw("wire seq num:", sig->data+8, 8);
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+
-+ return NT_STATUS_OK;
-+}
-+
-+static uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
-+{
-+ uint32_t sig_size = 0;
-+
-+ netsec_offset_and_sizes(state,
-+ true,
-+ NULL,
-+ &sig_size,
-+ NULL,
-+ NULL);
-+
-+ return sig_size;
-+}
-+
-+static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
-+ TALLOC_CTX *mem_ctx,
-+ bool do_seal,
-+ uint8_t *data, size_t length,
-+ DATA_BLOB *sig)
-+{
-+ uint32_t min_sig_size = 0;
-+ uint32_t used_sig_size = 0;
-+ uint8_t header[8];
-+ uint8_t checksum[32];
-+ uint32_t checksum_length = sizeof(checksum_length);
-+ uint8_t _confounder[8];
-+ uint8_t *confounder = NULL;
-+ uint32_t confounder_ofs = 0;
-+ uint8_t seq_num[8];
-+
-+ netsec_offset_and_sizes(state,
-+ do_seal,
-+ &min_sig_size,
-+ &used_sig_size,
-+ &checksum_length,
-+ &confounder_ofs);
-+
-+ SETUP_SEQNUM(state, seq_num, state->initiator);
-+
-+ if (do_seal) {
-+ confounder = _confounder;
-+ generate_random_buffer(confounder, 8);
-+ } else {
-+ confounder = NULL;
-+ }
-+
-+ netsec_do_sign(state, confounder,
-+ data, length,
-+ header, checksum);
-+
-+ if (do_seal) {
-+ netsec_do_seal(state, seq_num,
-+ confounder,
-+ data, length,
-+ true);
-+ }
-+
-+ netsec_do_seq_num(state, checksum, checksum_length, seq_num);
-+
-+ (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
-+
-+ memcpy(sig->data, header, 8);
-+ memcpy(sig->data+8, seq_num, 8);
-+ memcpy(sig->data+16, checksum, checksum_length);
-+
-+ if (confounder) {
-+ memcpy(sig->data+confounder_ofs, confounder, 8);
-+ }
-+
-+ dump_data_pw("signature:", sig->data+ 0, 8);
-+ dump_data_pw("seq_num :", sig->data+ 8, 8);
-+ dump_data_pw("digest :", sig->data+16, checksum_length);
-+ dump_data_pw("confound :", sig->data+confounder_ofs, 8);
-+
-+ return NT_STATUS_OK;
-+}
-
- _PUBLIC_ NTSTATUS gensec_schannel_init(void);
-
-diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
-index da76559..bce37c8 100644
---- a/libcli/auth/schannel_proto.h
-+++ b/libcli/auth/schannel_proto.h
-@@ -28,18 +28,4 @@ struct schannel_state;
- struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx);
-
--struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
-- struct netlogon_creds_CredentialState *creds,
-- bool initiator);
--NTSTATUS netsec_incoming_packet(struct schannel_state *state,
-- bool do_unseal,
-- uint8_t *data, size_t length,
-- const DATA_BLOB *sig);
--uint32_t netsec_outgoing_sig_size(struct schannel_state *state);
--NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
-- TALLOC_CTX *mem_ctx,
-- bool do_seal,
-- uint8_t *data, size_t length,
-- DATA_BLOB *sig);
--
- #endif
-diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
-deleted file mode 100644
-index 9502cba..0000000
---- a/libcli/auth/schannel_sign.c
-+++ /dev/null
-@@ -1,404 +0,0 @@
--/*
-- Unix SMB/CIFS implementation.
--
-- schannel library code
--
-- Copyright (C) Andrew Tridgell 2004
-- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 3 of the License, or
-- (at your option) any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program. If not, see <http://www.gnu.org/licenses/>.
--*/
--
--#include "includes.h"
--#include "../libcli/auth/schannel.h"
--#include "../lib/crypto/crypto.h"
--
--struct schannel_state {
-- uint64_t seq_num;
-- bool initiator;
-- struct netlogon_creds_CredentialState *creds;
--};
--
--#define SETUP_SEQNUM(state, buf, initiator) do { \
-- uint8_t *_buf = buf; \
-- uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
-- uint32_t _seq_num_high = (state)->seq_num >> 32; \
-- if (initiator) { \
-- _seq_num_high |= 0x80000000; \
-- } \
-- RSIVAL(_buf, 0, _seq_num_low); \
-- RSIVAL(_buf, 4, _seq_num_high); \
--} while(0)
--
--struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
-- struct netlogon_creds_CredentialState *creds,
-- bool initiator)
--{
-- struct schannel_state *state;
--
-- state = talloc(mem_ctx, struct schannel_state);
-- if (state == NULL) {
-- return NULL;
-- }
--
-- state->initiator = initiator;
-- state->seq_num = 0;
-- state->creds = netlogon_creds_copy(state, creds);
-- if (state->creds == NULL) {
-- talloc_free(state);
-- return NULL;
-- }
--
-- return state;
--}
--
--static void netsec_offset_and_sizes(struct schannel_state *state,
-- bool do_seal,
-- uint32_t *_min_sig_size,
-- uint32_t *_used_sig_size,
-- uint32_t *_checksum_length,
-- uint32_t *_confounder_ofs)
--{
-- uint32_t min_sig_size;
-- uint32_t used_sig_size;
-- uint32_t checksum_length;
-- uint32_t confounder_ofs;
--
-- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- min_sig_size = 48;
-- used_sig_size = 56;
-- /*
-- * Note: windows has a bug here and uses the old values...
-- *
-- * checksum_length = 32;
-- * confounder_ofs = 48;
-- */
-- checksum_length = 8;
-- confounder_ofs = 24;
-- } else {
-- min_sig_size = 24;
-- used_sig_size = 32;
-- checksum_length = 8;
-- confounder_ofs = 24;
-- }
--
-- if (do_seal) {
-- min_sig_size += 8;
-- }
--
-- if (_min_sig_size) {
-- *_min_sig_size = min_sig_size;
-- }
--
-- if (_used_sig_size) {
-- *_used_sig_size = used_sig_size;
-- }
--
-- if (_checksum_length) {
-- *_checksum_length = checksum_length;
-- }
--
-- if (_confounder_ofs) {
-- *_confounder_ofs = confounder_ofs;
-- }
--}
--
--/*******************************************************************
-- Encode or Decode the sequence number (which is symmetric)
-- ********************************************************************/
--static void netsec_do_seq_num(struct schannel_state *state,
-- const uint8_t *checksum,
-- uint32_t checksum_length,
-- uint8_t seq_num[8])
--{
-- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- AES_KEY key;
-- uint8_t iv[AES_BLOCK_SIZE];
--
-- AES_set_encrypt_key(state->creds->session_key, 128, &key);
-- ZERO_STRUCT(iv);
-- memcpy(iv+0, checksum, 8);
-- memcpy(iv+8, checksum, 8);
--
-- aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
-- } else {
-- static const uint8_t zeros[4];
-- uint8_t sequence_key[16];
-- uint8_t digest1[16];
--
-- hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
-- hmac_md5(digest1, checksum, checksum_length, sequence_key);
-- arcfour_crypt(seq_num, sequence_key, 8);
-- }
--
-- state->seq_num++;
--}
--
--static void netsec_do_seal(struct schannel_state *state,
-- const uint8_t seq_num[8],
-- uint8_t confounder[8],
-- uint8_t *data, uint32_t length,
-- bool forward)
--{
-- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- AES_KEY key;
-- uint8_t iv[AES_BLOCK_SIZE];
-- uint8_t sess_kf0[16];
-- int i;
--
-- for (i = 0; i < 16; i++) {
-- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
-- }
--
-- AES_set_encrypt_key(sess_kf0, 128, &key);
-- ZERO_STRUCT(iv);
-- memcpy(iv+0, seq_num, 8);
-- memcpy(iv+8, seq_num, 8);
--
-- if (forward) {
-- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
-- aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
-- } else {
-- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
-- aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
-- }
-- } else {
-- uint8_t sealing_key[16];
-- static const uint8_t zeros[4];
-- uint8_t digest2[16];
-- uint8_t sess_kf0[16];
-- int i;
--
-- for (i = 0; i < 16; i++) {
-- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
-- }
--
-- hmac_md5(sess_kf0, zeros, 4, digest2);
-- hmac_md5(digest2, seq_num, 8, sealing_key);
--
-- arcfour_crypt(confounder, sealing_key, 8);
-- arcfour_crypt(data, sealing_key, length);
-- }
--}
--
--/*******************************************************************
-- Create a digest over the entire packet (including the data), and
-- MD5 it with the session key.
-- ********************************************************************/
--static void netsec_do_sign(struct schannel_state *state,
-- const uint8_t *confounder,
-- const uint8_t *data, size_t length,
-- uint8_t header[8],
-- uint8_t *checksum)
--{
-- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- struct HMACSHA256Context ctx;
--
-- hmac_sha256_init(state->creds->session_key,
-- sizeof(state->creds->session_key),
-- &ctx);
--
-- if (confounder) {
-- SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
-- SSVAL(header, 2, NL_SEAL_AES128);
-- SSVAL(header, 4, 0xFFFF);
-- SSVAL(header, 6, 0x0000);
--
-- hmac_sha256_update(header, 8, &ctx);
-- hmac_sha256_update(confounder, 8, &ctx);
-- } else {
-- SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
-- SSVAL(header, 2, NL_SEAL_NONE);
-- SSVAL(header, 4, 0xFFFF);
-- SSVAL(header, 6, 0x0000);
--
-- hmac_sha256_update(header, 8, &ctx);
-- }
--
-- hmac_sha256_update(data, length, &ctx);
--
-- hmac_sha256_final(checksum, &ctx);
-- } else {
-- uint8_t packet_digest[16];
-- static const uint8_t zeros[4];
-- MD5_CTX ctx;
--
-- MD5Init(&ctx);
-- MD5Update(&ctx, zeros, 4);
-- if (confounder) {
-- SSVAL(header, 0, NL_SIGN_HMAC_MD5);
-- SSVAL(header, 2, NL_SEAL_RC4);
-- SSVAL(header, 4, 0xFFFF);
-- SSVAL(header, 6, 0x0000);
--
-- MD5Update(&ctx, header, 8);
-- MD5Update(&ctx, confounder, 8);
-- } else {
-- SSVAL(header, 0, NL_SIGN_HMAC_MD5);
-- SSVAL(header, 2, NL_SEAL_NONE);
-- SSVAL(header, 4, 0xFFFF);
-- SSVAL(header, 6, 0x0000);
--
-- MD5Update(&ctx, header, 8);
-- }
-- MD5Update(&ctx, data, length);
-- MD5Final(packet_digest, &ctx);
--
-- hmac_md5(state->creds->session_key,
-- packet_digest, sizeof(packet_digest),
-- checksum);
-- }
--}
--
--NTSTATUS netsec_incoming_packet(struct schannel_state *state,
-- bool do_unseal,
-- uint8_t *data, size_t length,
-- const DATA_BLOB *sig)
--{
-- uint32_t min_sig_size = 0;
-- uint8_t header[8];
-- uint8_t checksum[32];
-- uint32_t checksum_length = sizeof(checksum_length);
-- uint8_t _confounder[8];
-- uint8_t *confounder = NULL;
-- uint32_t confounder_ofs = 0;
-- uint8_t seq_num[8];
-- int ret;
--
-- netsec_offset_and_sizes(state,
-- do_unseal,
-- &min_sig_size,
-- NULL,
-- &checksum_length,
-- &confounder_ofs);
--
-- if (sig->length < min_sig_size) {
-- return NT_STATUS_ACCESS_DENIED;
-- }
--
-- if (do_unseal) {
-- confounder = _confounder;
-- memcpy(confounder, sig->data+confounder_ofs, 8);
-- } else {
-- confounder = NULL;
-- }
--
-- SETUP_SEQNUM(state, seq_num, !state->initiator);
--
-- if (do_unseal) {
-- netsec_do_seal(state, seq_num,
-- confounder,
-- data, length,
-- false);
-- }
--
-- netsec_do_sign(state, confounder,
-- data, length,
-- header, checksum);
--
-- ret = memcmp(checksum, sig->data+16, checksum_length);
-- if (ret != 0) {
-- dump_data_pw("calc digest:", checksum, checksum_length);
-- dump_data_pw("wire digest:", sig->data+16, checksum_length);
-- return NT_STATUS_ACCESS_DENIED;
-- }
--
-- netsec_do_seq_num(state, checksum, checksum_length, seq_num);
--
-- ret = memcmp(seq_num, sig->data+8, 8);
-- if (ret != 0) {
-- dump_data_pw("calc seq num:", seq_num, 8);
-- dump_data_pw("wire seq num:", sig->data+8, 8);
-- return NT_STATUS_ACCESS_DENIED;
-- }
--
-- return NT_STATUS_OK;
--}
--
--uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
--{
-- uint32_t sig_size = 0;
--
-- netsec_offset_and_sizes(state,
-- true,
-- NULL,
-- &sig_size,
-- NULL,
-- NULL);
--
-- return sig_size;
--}
--
--NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
-- TALLOC_CTX *mem_ctx,
-- bool do_seal,
-- uint8_t *data, size_t length,
-- DATA_BLOB *sig)
--{
-- uint32_t min_sig_size = 0;
-- uint32_t used_sig_size = 0;
-- uint8_t header[8];
-- uint8_t checksum[32];
-- uint32_t checksum_length = sizeof(checksum_length);
-- uint8_t _confounder[8];
-- uint8_t *confounder = NULL;
-- uint32_t confounder_ofs = 0;
-- uint8_t seq_num[8];
--
-- netsec_offset_and_sizes(state,
-- do_seal,
-- &min_sig_size,
-- &used_sig_size,
-- &checksum_length,
-- &confounder_ofs);
--
-- SETUP_SEQNUM(state, seq_num, state->initiator);
--
-- if (do_seal) {
-- confounder = _confounder;
-- generate_random_buffer(confounder, 8);
-- } else {
-- confounder = NULL;
-- }
--
-- netsec_do_sign(state, confounder,
-- data, length,
-- header, checksum);
--
-- if (do_seal) {
-- netsec_do_seal(state, seq_num,
-- confounder,
-- data, length,
-- true);
-- }
--
-- netsec_do_seq_num(state, checksum, checksum_length, seq_num);
--
-- (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
--
-- memcpy(sig->data, header, 8);
-- memcpy(sig->data+8, seq_num, 8);
-- memcpy(sig->data+16, checksum, checksum_length);
--
-- if (confounder) {
-- memcpy(sig->data+confounder_ofs, confounder, 8);
-- }
--
-- dump_data_pw("signature:", sig->data+ 0, 8);
-- dump_data_pw("seq_num :", sig->data+ 8, 8);
-- dump_data_pw("digest :", sig->data+16, checksum_length);
-- dump_data_pw("confound :", sig->data+confounder_ofs, 8);
--
-- return NT_STATUS_OK;
--}
-diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
-index df23058..ca2be2d 100755
---- a/libcli/auth/wscript_build
-+++ b/libcli/auth/wscript_build
-@@ -24,7 +24,7 @@ bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
-
-
- bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
-- source='schannel_state_tdb.c schannel_sign.c',
-+ source='schannel_state_tdb.c',
- deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
- )
-
---
-1.9.3
-
-
-From 307627065568a259eb9e94953b872bf723477be6 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 31 Dec 2013 10:11:18 +0100
-Subject: [PATCH 150/249] auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER
- in schannel.c
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 03006d0e4471465f071517097145806fbe46fdba)
----
- auth/gensec/schannel.c | 56 +++++++++++++++++++++++++++++++++++++++++---------
- 1 file changed, 46 insertions(+), 10 deletions(-)
-
-diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
-index c60ab4f..3d30e83 100644
---- a/auth/gensec/schannel.c
-+++ b/auth/gensec/schannel.c
-@@ -34,6 +34,7 @@
- #include "lib/crypto/crypto.h"
-
- struct schannel_state {
-+ struct gensec_security *gensec;
- uint64_t seq_num;
- bool initiator;
- struct netlogon_creds_CredentialState *creds;
-@@ -50,17 +51,19 @@ struct schannel_state {
- RSIVAL(_buf, 4, _seq_num_high); \
- } while(0)
-
--static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
-+static struct schannel_state *netsec_create_state(
-+ struct gensec_security *gensec,
- struct netlogon_creds_CredentialState *creds,
- bool initiator)
- {
- struct schannel_state *state;
-
-- state = talloc(mem_ctx, struct schannel_state);
-+ state = talloc(gensec, struct schannel_state);
- if (state == NULL) {
- return NULL;
- }
-
-+ state->gensec = gensec;
- state->initiator = initiator;
- state->seq_num = 0;
- state->creds = netlogon_creds_copy(state, creds);
-@@ -69,6 +72,8 @@ static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
- return NULL;
- }
-
-+ gensec->private_data = state;
-+
- return state;
- }
-
-@@ -273,6 +278,7 @@ static void netsec_do_sign(struct schannel_state *state,
- static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
- bool do_unseal,
- uint8_t *data, size_t length,
-+ const uint8_t *whole_pdu, size_t pdu_length,
- const DATA_BLOB *sig)
- {
- uint32_t min_sig_size = 0;
-@@ -284,6 +290,8 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
- uint32_t confounder_ofs = 0;
- uint8_t seq_num[8];
- int ret;
-+ const uint8_t *sign_data = NULL;
-+ size_t sign_length = 0;
-
- netsec_offset_and_sizes(state,
- do_unseal,
-@@ -312,8 +320,16 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
- false);
- }
-
-+ if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
-+ sign_data = whole_pdu;
-+ sign_length = pdu_length;
-+ } else {
-+ sign_data = data;
-+ sign_length = length;
-+ }
-+
- netsec_do_sign(state, confounder,
-- data, length,
-+ sign_data, sign_length,
- header, checksum);
-
- ret = memcmp(checksum, sig->data+16, checksum_length);
-@@ -353,6 +369,7 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
- TALLOC_CTX *mem_ctx,
- bool do_seal,
- uint8_t *data, size_t length,
-+ const uint8_t *whole_pdu, size_t pdu_length,
- DATA_BLOB *sig)
- {
- uint32_t min_sig_size = 0;
-@@ -364,6 +381,8 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
- uint8_t *confounder = NULL;
- uint32_t confounder_ofs = 0;
- uint8_t seq_num[8];
-+ const uint8_t *sign_data = NULL;
-+ size_t sign_length = 0;
-
- netsec_offset_and_sizes(state,
- do_seal,
-@@ -381,8 +400,16 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
- confounder = NULL;
- }
-
-+ if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
-+ sign_data = whole_pdu;
-+ sign_length = pdu_length;
-+ } else {
-+ sign_data = data;
-+ sign_length = length;
-+ }
-+
- netsec_do_sign(state, confounder,
-- data, length,
-+ sign_data, sign_length,
- header, checksum);
-
- if (do_seal) {
-@@ -457,7 +484,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
- if (state == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-- gensec_security->private_data = state;
-
- bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
- #if 0
-@@ -553,7 +579,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
- if (state == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-- gensec_security->private_data = state;
-
- bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
- bind_schannel_ack.Flags = 0;
-@@ -608,6 +633,9 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
- if (feature & GENSEC_FEATURE_DCE_STYLE) {
- return true;
- }
-+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
-+ return true;
-+ }
- return false;
- }
-
-@@ -625,7 +653,9 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
-
- return netsec_incoming_packet(state, true,
- discard_const_p(uint8_t, data),
-- length, sig);
-+ length,
-+ whole_pdu, pdu_length,
-+ sig);
- }
-
- /*
-@@ -642,7 +672,9 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
-
- return netsec_incoming_packet(state, false,
- discard_const_p(uint8_t, data),
-- length, sig);
-+ length,
-+ whole_pdu, pdu_length,
-+ sig);
- }
- /*
- seal a packet
-@@ -658,7 +690,9 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
- struct schannel_state);
-
- return netsec_outgoing_packet(state, mem_ctx, true,
-- data, length, sig);
-+ data, length,
-+ whole_pdu, pdu_length,
-+ sig);
- }
-
- /*
-@@ -676,7 +710,9 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
-
- return netsec_outgoing_packet(state, mem_ctx, false,
- discard_const_p(uint8_t, data),
-- length, sig);
-+ length,
-+ whole_pdu, pdu_length,
-+ sig);
- }
-
- static const struct gensec_security_ops gensec_schannel_security_ops = {
---
-1.9.3
-
-
-From 5b457559dfaeaf8f3d9227a93e5b75e0e7464c23 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 5 Jan 2014 06:16:03 +0100
-Subject: [PATCH 151/249] s3:rpc_client: talloc_zero pipe_auth_data
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 5b39a351a8ceb3bec04236ceb4b2fe10651958a9)
----
- source3/rpc_client/cli_pipe.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index a343997..7d1e347 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2101,7 +2101,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
- {
- struct pipe_auth_data *result;
-
-- result = talloc(mem_ctx, struct pipe_auth_data);
-+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
- if (result == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-@@ -2125,7 +2125,7 @@ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
- {
- struct pipe_auth_data *result;
-
-- result = talloc(mem_ctx, struct pipe_auth_data);
-+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
- if (result == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-@@ -2160,7 +2160,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
- struct pipe_auth_data *result;
- NTSTATUS status;
-
-- result = talloc(mem_ctx, struct pipe_auth_data);
-+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
- if (result == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
---
-1.9.3
-
-
-From dd35874efea280b91ccaadf14a9a18e8a9017ea4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 5 Jan 2014 06:31:44 +0100
-Subject: [PATCH 152/249] s3:rpc_client: make rpc_api_pipe_req_send/recv static
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 946e29dbc148d40fadbee81d4d530a36c0f2f1e6)
----
- source3/rpc_client/cli_pipe.c | 4 ++--
- source3/rpc_client/cli_pipe.h | 10 ----------
- 2 files changed, 2 insertions(+), 12 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 7d1e347..3d12454 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1153,7 +1153,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq);
- static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
- bool *is_last_frag);
-
--struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
-+static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct rpc_pipe_client *cli,
- uint8_t op_num,
-@@ -1366,7 +1366,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
- tevent_req_done(req);
- }
-
--NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
-+static NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
- DATA_BLOB *reply_pdu)
- {
- struct rpc_api_pipe_req_state *state = tevent_req_data(
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index ab99373..826f9bf 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -27,16 +27,6 @@
-
- /* The following definitions come from rpc_client/cli_pipe.c */
-
--struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
-- struct tevent_context *ev,
-- struct rpc_pipe_client *cli,
-- uint8_t op_num,
-- DATA_BLOB *req_data);
--
--NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req,
-- TALLOC_CTX *mem_ctx,
-- DATA_BLOB *reply_pdu);
--
- struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct rpc_pipe_client *cli,
---
-1.9.3
-
-
-From 9ea586bbac52bf17e6a1147420bfc9648e697706 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 5 Jan 2014 07:56:20 +0100
-Subject: [PATCH 153/249] s3:rpc_client: add some const to
- rpc_api_pipe_req_send()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 4d3376e919b5c33f272b3a584d8172729a7468e0)
----
- source3/rpc_client/cli_pipe.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 3d12454..6b7fee2 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1142,7 +1142,7 @@ struct rpc_api_pipe_req_state {
- struct rpc_pipe_client *cli;
- uint8_t op_num;
- uint32_t call_id;
-- DATA_BLOB *req_data;
-+ const DATA_BLOB *req_data;
- uint32_t req_data_sent;
- DATA_BLOB rpc_out;
- DATA_BLOB reply_pdu;
-@@ -1157,7 +1157,7 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct rpc_pipe_client *cli,
- uint8_t op_num,
-- DATA_BLOB *req_data)
-+ const DATA_BLOB *req_data)
- {
- struct tevent_req *req, *subreq;
- struct rpc_api_pipe_req_state *state;
---
-1.9.3
-
-
-From cc6303171f06ae26bce9d54013a63a6296563dd7 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 5 Jan 2014 08:26:15 +0100
-Subject: [PATCH 154/249] s3:rpc_client: handle DCERPC_AUTH_TYPE_SCHANNEL as
- any other gensec backend
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit f7bf7e705e704d2f1702e42a8e400baff9521066)
----
- source3/rpc_client/cli_pipe.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 6b7fee2..b142774 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1627,11 +1627,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
-
- case DCERPC_AUTH_TYPE_NONE:
- case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
-- case DCERPC_AUTH_TYPE_SCHANNEL:
- /* Bind complete. */
- tevent_req_done(req);
- return;
-
-+ case DCERPC_AUTH_TYPE_SCHANNEL:
- case DCERPC_AUTH_TYPE_NTLMSSP:
- case DCERPC_AUTH_TYPE_SPNEGO:
- case DCERPC_AUTH_TYPE_KRB5:
-@@ -1666,11 +1666,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
-
- case DCERPC_AUTH_TYPE_NONE:
- case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
-- case DCERPC_AUTH_TYPE_SCHANNEL:
- /* Bind complete. */
- tevent_req_done(req);
- return;
-
-+ case DCERPC_AUTH_TYPE_SCHANNEL:
- case DCERPC_AUTH_TYPE_NTLMSSP:
- case DCERPC_AUTH_TYPE_KRB5:
- case DCERPC_AUTH_TYPE_SPNEGO:
---
-1.9.3
-
-
-From 044ca24f9d8a3bf57d6981c89e6dcc5e4477059d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 3 Jan 2014 22:41:33 +0100
-Subject: [PATCH 155/249] s3:rpc_client: implement
- DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 61bdbc23cd09a594a63f49ff8626934c85a8e51a)
----
- source3/librpc/rpc/dcerpc.h | 4 +++-
- source3/rpc_client/cli_pipe.c | 44 +++++++++++++++++++++++++++++++++++++------
- 2 files changed, 41 insertions(+), 7 deletions(-)
-
-diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
-index b18b7ba..aaf8d68 100644
---- a/source3/librpc/rpc/dcerpc.h
-+++ b/source3/librpc/rpc/dcerpc.h
-@@ -39,7 +39,9 @@ struct NL_AUTH_MESSAGE;
- struct pipe_auth_data {
- enum dcerpc_AuthType auth_type;
- enum dcerpc_AuthLevel auth_level;
--
-+ bool client_hdr_signing;
-+ bool hdr_signing;
-+
- void *auth_ctx;
-
- /* Only the client code uses these 3 for now */
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index b142774..1cab580 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1002,16 +1002,31 @@ static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
-
- static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
-- DATA_BLOB *auth_token)
-+ DATA_BLOB *auth_token,
-+ bool *client_hdr_signing)
- {
- struct gensec_security *gensec_security;
- DATA_BLOB null_blob = data_blob_null;
-+ NTSTATUS status;
-
- gensec_security = talloc_get_type_abort(cli->auth->auth_ctx,
- struct gensec_security);
-
- DEBUG(5, ("create_generic_auth_rpc_bind_req: generate first token\n"));
-- return gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
-+ status = gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
-+
-+ if (!NT_STATUS_IS_OK(status) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
-+ {
-+ return status;
-+ }
-+
-+ if (client_hdr_signing != NULL) {
-+ *client_hdr_signing = gensec_have_feature(gensec_security,
-+ GENSEC_FEATURE_SIGN_PKT_HEADER);
-+ }
-+
-+ return status;
- }
-
- /*******************************************************************
-@@ -1024,17 +1039,23 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
- const struct ndr_syntax_id *abstract,
- const struct ndr_syntax_id *transfer,
- const DATA_BLOB *auth_info,
-+ bool client_hdr_signing,
- DATA_BLOB *blob)
- {
- uint16 auth_len = auth_info->length;
- NTSTATUS status;
- union dcerpc_payload u;
- struct dcerpc_ctx_list ctx_list;
-+ uint8_t pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
-
- if (auth_len) {
- auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
- }
-
-+ if (client_hdr_signing) {
-+ pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
-+ }
-+
- ctx_list.context_id = 0;
- ctx_list.num_transfer_syntaxes = 1;
- ctx_list.abstract_syntax = *abstract;
-@@ -1048,9 +1069,7 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
- u.bind.auth_info = *auth_info;
-
- status = dcerpc_push_ncacn_packet(mem_ctx,
-- ptype,
-- DCERPC_PFC_FLAG_FIRST |
-- DCERPC_PFC_FLAG_LAST,
-+ ptype, pfc_flags,
- auth_len,
- rpc_call_id,
- &u,
-@@ -1084,7 +1103,9 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
- case DCERPC_AUTH_TYPE_NTLMSSP:
- case DCERPC_AUTH_TYPE_KRB5:
- case DCERPC_AUTH_TYPE_SPNEGO:
-- ret = create_generic_auth_rpc_bind_req(cli, mem_ctx, &auth_token);
-+ ret = create_generic_auth_rpc_bind_req(cli, mem_ctx,
-+ &auth_token,
-+ &auth->client_hdr_signing);
-
- if (!NT_STATUS_IS_OK(ret) &&
- !NT_STATUS_EQUAL(ret, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-@@ -1126,6 +1147,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
- abstract,
- transfer,
- &auth_info,
-+ auth->client_hdr_signing,
- rpc_out);
- return ret;
- }
-@@ -1507,6 +1529,7 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
- abstract,
- transfer,
- &auth_info,
-+ false, /* client_hdr_signing */
- rpc_out);
- data_blob_free(&auth_info);
- return status;
-@@ -1676,6 +1699,15 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
- case DCERPC_AUTH_TYPE_SPNEGO:
- gensec_security = talloc_get_type_abort(pauth->auth_ctx,
- struct gensec_security);
-+
-+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
-+ if (pauth->client_hdr_signing) {
-+ pauth->hdr_signing = true;
-+ gensec_want_feature(gensec_security,
-+ GENSEC_FEATURE_SIGN_PKT_HEADER);
-+ }
-+ }
-+
- status = gensec_update(gensec_security, state, NULL,
- auth.credentials, &auth_token);
- if (NT_STATUS_EQUAL(status,
---
-1.9.3
-
-
-From 472b11d1b0fdbb1ca61e64979e4b5fd7dc1756a5 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 3 Jan 2014 22:56:03 +0100
-Subject: [PATCH 156/249] s3:rpc_server: add support for
- DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
-
-If the backend supports it there's no reason to avoid it.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 523d616268af5f94e11c863f9acdebabace80608)
----
- source3/rpc_server/srv_pipe.c | 25 ++++++++++++++++++++++---
- 1 file changed, 22 insertions(+), 3 deletions(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 5f834fb..f572819 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -42,6 +42,7 @@
- #include "rpc_server/rpc_contexts.h"
- #include "lib/param/param.h"
- #include "librpc/ndr/ndr_table.h"
-+#include "auth/gensec/gensec.h"
-
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_RPC_SRV
-@@ -418,10 +419,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
- *******************************************************************/
-
- static bool pipe_auth_generic_bind(struct pipes_struct *p,
-- TALLOC_CTX *mem_ctx,
-+ struct ncacn_packet *pkt,
- struct dcerpc_auth *auth_info,
- DATA_BLOB *response)
- {
-+ TALLOC_CTX *mem_ctx = pkt;
- struct gensec_security *gensec_security = NULL;
- NTSTATUS status;
-
-@@ -444,6 +446,17 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
- p->auth.auth_ctx = gensec_security;
- p->auth.auth_type = auth_info->auth_type;
-
-+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
-+ p->auth.client_hdr_signing = true;
-+ p->auth.hdr_signing = gensec_have_feature(gensec_security,
-+ GENSEC_FEATURE_SIGN_PKT_HEADER);
-+ }
-+
-+ if (p->auth.hdr_signing) {
-+ gensec_want_feature(gensec_security,
-+ GENSEC_FEATURE_SIGN_PKT_HEADER);
-+ }
-+
- return true;
- }
-
-@@ -548,6 +561,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
- NTSTATUS status;
- struct ndr_syntax_id id;
-+ uint8_t pfc_flags = 0;
- union dcerpc_payload u;
- struct dcerpc_ack_ctx bind_ack_ctx;
- DATA_BLOB auth_resp = data_blob_null;
-@@ -792,10 +806,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- * header and are never sending more than one PDU here.
- */
-
-+ pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
-+
-+ if (p->auth.hdr_signing) {
-+ pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
-+ }
-+
- status = dcerpc_push_ncacn_packet(p->mem_ctx,
- DCERPC_PKT_BIND_ACK,
-- DCERPC_PFC_FLAG_FIRST |
-- DCERPC_PFC_FLAG_LAST,
-+ pfc_flags,
- auth_resp.length,
- pkt->call_id,
- &u,
---
-1.9.3
-
-
-From 4e6bea89ffcca074e0320b98e65485f348a469a5 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 3 Jan 2014 09:25:23 +0100
-Subject: [PATCH 157/249] librpc/ndr: add
- LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
-
-This lets ndr_pull_subcontext_end() make sure that all
-subcontext bytes are consumed otherwise it returns NDR_ERR_UNREAD_BYTES.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit b62308ed994e9734dfd934d230531010d9e7cefa)
----
- librpc/idl/idl_types.h | 2 ++
- librpc/ndr/libndr.h | 6 ++++++
- librpc/ndr/ndr.c | 20 ++++++++++++++++++++
- 3 files changed, 28 insertions(+)
-
-diff --git a/librpc/idl/idl_types.h b/librpc/idl/idl_types.h
-index c50efac..838c219 100644
---- a/librpc/idl/idl_types.h
-+++ b/librpc/idl/idl_types.h
-@@ -53,3 +53,5 @@
-
- #define NDR_RELATIVE_REVERSE LIBNDR_FLAG_RELATIVE_REVERSE
- #define NDR_NO_RELATIVE_REVERSE LIBNDR_FLAG_NO_RELATIVE_REVERSE
-+
-+#define NDR_SUBCONTEXT_NO_UNREAD_BYTES LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
-diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h
-index a950519..8070c3c 100644
---- a/librpc/ndr/libndr.h
-+++ b/librpc/ndr/libndr.h
-@@ -123,6 +123,12 @@ struct ndr_print {
- #define LIBNDR_FLAG_STR_RAW8 (1<<13)
- #define LIBNDR_STRING_FLAGS (0x7FFC)
-
-+/*
-+ * This lets ndr_pull_subcontext_end() return
-+ * NDR_ERR_UNREAD_BYTES.
-+ */
-+#define LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES (1<<17)
-+
- /* set if relative pointers should *not* be marshalled in reverse order */
- #define LIBNDR_FLAG_NO_RELATIVE_REVERSE (1<<18)
-
-diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
-index e86cf2f..15a7f12 100644
---- a/librpc/ndr/ndr.c
-+++ b/librpc/ndr/ndr.c
-@@ -638,6 +638,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
- ssize_t size_is)
- {
- uint32_t advance;
-+ uint32_t highest_ofs;
-+
- if (size_is >= 0) {
- advance = size_is;
- } else if (header_size > 0) {
-@@ -645,6 +647,24 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
- } else {
- advance = subndr->offset;
- }
-+
-+ if (subndr->offset > ndr->relative_highest_offset) {
-+ highest_ofs = subndr->offset;
-+ } else {
-+ highest_ofs = subndr->relative_highest_offset;
-+ }
-+ if (!(subndr->flags & LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES)) {
-+ /*
-+ * avoid an error unless SUBCONTEXT_NO_UNREAD_BYTES is specified
-+ */
-+ highest_ofs = advance;
-+ }
-+ if (highest_ofs < advance) {
-+ return ndr_pull_error(subndr, NDR_ERR_UNREAD_BYTES,
-+ "not all bytes consumed ofs[%u] advance[%u]",
-+ highest_ofs, advance);
-+ }
-+
- NDR_CHECK(ndr_pull_advance(ndr, advance));
- return NDR_ERR_SUCCESS;
- }
---
-1.9.3
-
-
-From 5960d93d9cddca327ad8d24a41c64421ac6bb561 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 3 Jan 2014 15:06:23 +0100
-Subject: [PATCH 158/249] dcerpc.idl: add documentation references
-
-To [C706 - DCE 1.1: Remote Procedure Call] and [MS-RPCE].
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 66c39420e29e7c257d9cdc5d04c061472bbefd19)
----
- librpc/idl/dcerpc.idl | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
-index 86f22a4..23cac89 100644
---- a/librpc/idl/dcerpc.idl
-+++ b/librpc/idl/dcerpc.idl
-@@ -5,8 +5,17 @@
- but given that pidl can handle it nicely it simplifies things a lot
- to do it this way
-
-- see http://www.opengroup.org/onlinepubs/9629399/chap12.htm for packet
-- layouts
-+ See [C706 - DCE 1.1: Remote Procedure Call] for the OpenGroup
-+ DCERPC specification:
-+ http://pubs.opengroup.org/onlinepubs/9629399/toc.htm
-+
-+ See C706 - Chapter 12: RPC PDU Encodings for packet layouts:
-+ http://www.opengroup.org/onlinepubs/9629399/chap12.htm
-+
-+ See also [MS-RPCE] for the Microsoft
-+ "Remote Procedure Call Protocol Extensions".
-+ http://msdn.microsoft.com/en-us/library/cc243560.aspx
-+
- */
- import "misc.idl";
-
---
-1.9.3
-
-
-From 812cb7e6010b39fb752cf85026fd8d8a5dccbb39 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 2 Jan 2014 11:18:38 +0100
-Subject: [PATCH 159/249] dcerpc.idl: add dcerpc_sec_verification_trailer
-
-See [MS-RPCE] 2.2.2.13 Verification Trailer for details.
-
-Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>
-
-Signed-off-by: Gregor Beck <gbeck@sernet.de>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit c0dc2fb7e1dadcef35a132040448cb27ff1d5bfa)
----
- librpc/idl/dcerpc.idl | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
- librpc/ndr/ndr_dcerpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
- librpc/wscript_build | 2 +-
- 3 files changed, 134 insertions(+), 1 deletion(-)
- create mode 100644 librpc/ndr/ndr_dcerpc.c
-
-diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
-index 23cac89..8e9be0e 100644
---- a/librpc/idl/dcerpc.idl
-+++ b/librpc/idl/dcerpc.idl
-@@ -19,6 +19,8 @@
- */
- import "misc.idl";
-
-+cpp_quote("extern const uint8_t DCERPC_SEC_VT_MAGIC[8];")
-+
- interface dcerpc
- {
- typedef struct {
-@@ -514,4 +516,69 @@ interface dcerpc
- uint8 serial_low;
- [switch_is(ptype)] dcerpc_payload u;
- } ncadg_packet;
-+
-+ typedef [bitmap16bit] bitmap {
-+ DCERPC_SEC_VT_COMMAND_ENUM = 0x3FFF,
-+ DCERPC_SEC_VT_COMMAND_END = 0x4000,
-+ DCERPC_SEC_VT_MUST_PROCESS = 0x8000
-+ } dcerpc_sec_vt_command;
-+
-+ typedef [enum16bit] enum {
-+ DCERPC_SEC_VT_COMMAND_BITMASK1 = 0x0001,
-+ DCERPC_SEC_VT_COMMAND_PCONTEXT = 0x0002,
-+ DCERPC_SEC_VT_COMMAND_HEADER2 = 0x0003
-+ } dcerpc_sec_vt_command_enum;
-+
-+ typedef [bitmap32bit] bitmap {
-+ DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING = 0x00000001
-+ } dcerpc_sec_vt_bitmask1;
-+
-+ typedef struct {
-+ ndr_syntax_id abstract_syntax;
-+ ndr_syntax_id transfer_syntax;
-+ } dcerpc_sec_vt_pcontext;
-+
-+ typedef struct {
-+ dcerpc_pkt_type ptype; /* Packet type */
-+ [value(0)] uint8 reserved1;
-+ [value(0)] uint16 reserved2;
-+ uint8 drep[4]; /* NDR data representation */
-+ uint32 call_id; /* Call identifier */
-+ uint16 context_id;
-+ uint16 opnum;
-+ } dcerpc_sec_vt_header2;
-+
-+ typedef [switch_type(dcerpc_sec_vt_command_enum),nodiscriminant] union {
-+ [case(DCERPC_SEC_VT_COMMAND_BITMASK1)] dcerpc_sec_vt_bitmask1 bitmask1;
-+ [case(DCERPC_SEC_VT_COMMAND_PCONTEXT)] dcerpc_sec_vt_pcontext pcontext;
-+ [case(DCERPC_SEC_VT_COMMAND_HEADER2)] dcerpc_sec_vt_header2 header2;
-+ [default,flag(NDR_REMAINING)] DATA_BLOB _unknown;
-+ } dcerpc_sec_vt_union;
-+
-+ typedef struct {
-+ dcerpc_sec_vt_command command;
-+ [switch_is(command & DCERPC_SEC_VT_COMMAND_ENUM)]
-+ [subcontext(2),flag(NDR_SUBCONTEXT_NO_UNREAD_BYTES)]
-+ dcerpc_sec_vt_union u;
-+ } dcerpc_sec_vt;
-+
-+ typedef [public,nopush,nopull] struct {
-+ uint16 count;
-+ } dcerpc_sec_vt_count;
-+
-+ /*
-+ * We assume that the whole verification trailer fits into
-+ * the last 1024 bytes after the stub data.
-+ *
-+ * There're currently only 3 commands defined and each should
-+ * only be used once.
-+ */
-+ const uint16 DCERPC_SEC_VT_MAX_SIZE = 1024;
-+
-+ typedef [public,flag(NDR_PAHEX)] struct {
-+ [flag(NDR_ALIGN4)] DATA_BLOB _pad;
-+ [value(DCERPC_SEC_VT_MAGIC)] uint8 magic[8];
-+ dcerpc_sec_vt_count count;
-+ dcerpc_sec_vt commands[count.count];
-+ } dcerpc_sec_verification_trailer;
- }
-diff --git a/librpc/ndr/ndr_dcerpc.c b/librpc/ndr/ndr_dcerpc.c
-new file mode 100644
-index 0000000..88a7f38
---- /dev/null
-+++ b/librpc/ndr/ndr_dcerpc.c
-@@ -0,0 +1,66 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+
-+ Manually parsed structures found in the DCERPC protocol
-+
-+ Copyright (C) Stefan Metzmacher 2014
-+ Copyright (C) Gregor Beck 2014
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#include "includes.h"
-+#include "bin/default/librpc/gen_ndr/ndr_dcerpc.h"
-+
-+#include "librpc/gen_ndr/ndr_misc.h"
-+
-+const uint8_t DCERPC_SEC_VT_MAGIC[] = {0x8a,0xe3,0x13,0x71,0x02,0xf4,0x36,0x71};
-+
-+_PUBLIC_ enum ndr_err_code ndr_push_dcerpc_sec_vt_count(struct ndr_push *ndr, int ndr_flags, const struct dcerpc_sec_vt_count *r)
-+{
-+ NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
-+ /* nothing */
-+ return NDR_ERR_SUCCESS;
-+}
-+
-+_PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_sec_vt_count(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_sec_vt_count *r)
-+{
-+ uint32_t _saved_ofs = ndr->offset;
-+
-+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-+
-+ if (!(ndr_flags & NDR_SCALARS)) {
-+ return NDR_ERR_SUCCESS;
-+ }
-+
-+ r->count = 0;
-+
-+ while (true) {
-+ uint16_t command;
-+ uint16_t length;
-+
-+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &command));
-+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &length));
-+ NDR_CHECK(ndr_pull_advance(ndr, length));
-+
-+ r->count += 1;
-+
-+ if (command & DCERPC_SEC_VT_COMMAND_END) {
-+ break;
-+ }
-+ }
-+
-+ ndr->offset = _saved_ofs;
-+ return NDR_ERR_SUCCESS;
-+}
-diff --git a/librpc/wscript_build b/librpc/wscript_build
-index 2017a29..a5cf687 100644
---- a/librpc/wscript_build
-+++ b/librpc/wscript_build
-@@ -301,7 +301,7 @@ bld.SAMBA_SUBSYSTEM('NDR_FSRVP',
- )
-
- bld.SAMBA_SUBSYSTEM('NDR_DCERPC',
-- source='gen_ndr/ndr_dcerpc.c',
-+ source='gen_ndr/ndr_dcerpc.c ndr/ndr_dcerpc.c',
- public_deps='ndr',
- public_headers='gen_ndr/ndr_dcerpc.h gen_ndr/dcerpc.h',
- header_path= [ ('*gen_ndr*', 'gen_ndr') ],
---
-1.9.3
-
-
-From 3480b809bd9426ce6b976b9965a54de32d246a66 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 5 Jan 2014 07:57:51 +0100
-Subject: [PATCH 160/249] s3:rpc_client: fill alloc_hint with the remaining
- data not the total data.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit f0532fe0cd69aeb161088ca990d376f119102e61)
----
- source3/rpc_client/cli_pipe.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 1cab580..5edd897 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1277,7 +1277,7 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
-
- ZERO_STRUCT(u.request);
-
-- u.request.alloc_hint = state->req_data->length;
-+ u.request.alloc_hint = data_left;
- u.request.context_id = 0;
- u.request.opnum = state->op_num;
-
---
-1.9.3
-
-
-From bd675cd6e4848bee8798dacf1768556de48f3112 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 5 Jan 2014 08:12:45 +0100
-Subject: [PATCH 161/249] s3:rpc_client: send a dcerpc_sec_verification_trailer
- if needed
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Tue Jan 7 02:24:42 CET 2014 on sn-devel-104
-(cherry picked from commit 6ab9164c74e0ad57bdde8abb568953026b644e27)
----
- source3/librpc/rpc/dcerpc.h | 1 +
- source3/rpc_client/cli_pipe.c | 202 ++++++++++++++++++++++++++++++++++++++--
- source3/rpc_client/rpc_client.h | 1 +
- 3 files changed, 194 insertions(+), 10 deletions(-)
-
-diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
-index aaf8d68..9d0f861 100644
---- a/source3/librpc/rpc/dcerpc.h
-+++ b/source3/librpc/rpc/dcerpc.h
-@@ -41,6 +41,7 @@ struct pipe_auth_data {
- enum dcerpc_AuthLevel auth_level;
- bool client_hdr_signing;
- bool hdr_signing;
-+ bool verified_bitmask1;
-
- void *auth_ctx;
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 5edd897..a45023f 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1166,12 +1166,17 @@ struct rpc_api_pipe_req_state {
- uint32_t call_id;
- const DATA_BLOB *req_data;
- uint32_t req_data_sent;
-+ DATA_BLOB req_trailer;
-+ uint32_t req_trailer_sent;
-+ bool verify_bitmask1;
-+ bool verify_pcontext;
- DATA_BLOB rpc_out;
- DATA_BLOB reply_pdu;
- };
-
- static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
- static void rpc_api_pipe_req_done(struct tevent_req *subreq);
-+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state);
- static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
- bool *is_last_frag);
-
-@@ -1207,6 +1212,11 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
- goto post_status;
- }
-
-+ status = prepare_verification_trailer(state);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ goto post_status;
-+ }
-+
- status = prepare_next_frag(state, &is_last_frag);
- if (!NT_STATUS_IS_OK(status)) {
- goto post_status;
-@@ -1241,25 +1251,164 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
- return NULL;
- }
-
-+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state)
-+{
-+ struct pipe_auth_data *a = state->cli->auth;
-+ struct dcerpc_sec_verification_trailer *t;
-+ struct dcerpc_sec_vt *c = NULL;
-+ struct ndr_push *ndr = NULL;
-+ enum ndr_err_code ndr_err;
-+ size_t align = 0;
-+ size_t pad = 0;
-+
-+ if (a == NULL) {
-+ return NT_STATUS_OK;
-+ }
-+
-+ if (a->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
-+ return NT_STATUS_OK;
-+ }
-+
-+ t = talloc_zero(state, struct dcerpc_sec_verification_trailer);
-+ if (t == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ if (!a->verified_bitmask1) {
-+ t->commands = talloc_realloc(t, t->commands,
-+ struct dcerpc_sec_vt,
-+ t->count.count + 1);
-+ if (t->commands == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ c = &t->commands[t->count.count++];
-+ ZERO_STRUCTP(c);
-+
-+ c->command = DCERPC_SEC_VT_COMMAND_BITMASK1;
-+ if (a->client_hdr_signing) {
-+ c->u.bitmask1 = DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING;
-+ }
-+ state->verify_bitmask1 = true;
-+ }
-+
-+ if (!state->cli->verified_pcontext) {
-+ t->commands = talloc_realloc(t, t->commands,
-+ struct dcerpc_sec_vt,
-+ t->count.count + 1);
-+ if (t->commands == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ c = &t->commands[t->count.count++];
-+ ZERO_STRUCTP(c);
-+
-+ c->command = DCERPC_SEC_VT_COMMAND_PCONTEXT;
-+ c->u.pcontext.abstract_syntax = state->cli->abstract_syntax;
-+ c->u.pcontext.transfer_syntax = state->cli->transfer_syntax;
-+
-+ state->verify_pcontext = true;
-+ }
-+
-+ if (!a->hdr_signing) {
-+ t->commands = talloc_realloc(t, t->commands,
-+ struct dcerpc_sec_vt,
-+ t->count.count + 1);
-+ if (t->commands == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ c = &t->commands[t->count.count++];
-+ ZERO_STRUCTP(c);
-+
-+ c->command = DCERPC_SEC_VT_COMMAND_HEADER2;
-+ c->u.header2.ptype = DCERPC_PKT_REQUEST;
-+ c->u.header2.drep[0] = DCERPC_DREP_LE;
-+ c->u.header2.drep[1] = 0;
-+ c->u.header2.drep[2] = 0;
-+ c->u.header2.drep[3] = 0;
-+ c->u.header2.call_id = state->call_id;
-+ c->u.header2.context_id = 0;
-+ c->u.header2.opnum = state->op_num;
-+ }
-+
-+ if (t->count.count == 0) {
-+ TALLOC_FREE(t);
-+ return NT_STATUS_OK;
-+ }
-+
-+ c = &t->commands[t->count.count - 1];
-+ c->command |= DCERPC_SEC_VT_COMMAND_END;
-+
-+ if (DEBUGLEVEL >= 10) {
-+ NDR_PRINT_DEBUG(dcerpc_sec_verification_trailer, t);
-+ }
-+
-+ ndr = ndr_push_init_ctx(state);
-+ if (ndr == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ ndr_err = ndr_push_dcerpc_sec_verification_trailer(ndr,
-+ NDR_SCALARS | NDR_BUFFERS,
-+ t);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ return ndr_map_error2ntstatus(ndr_err);
-+ }
-+ state->req_trailer = ndr_push_blob(ndr);
-+
-+ align = state->req_data->length & 0x3;
-+ if (align > 0) {
-+ pad = 4 - align;
-+ }
-+ if (pad > 0) {
-+ bool ok;
-+ uint8_t *p;
-+ const uint8_t zeros[4] = { 0, };
-+
-+ ok = data_blob_append(ndr, &state->req_trailer, zeros, pad);
-+ if (!ok) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ /* move the padding to the start */
-+ p = state->req_trailer.data;
-+ memmove(p + pad, p, state->req_trailer.length - pad);
-+ memset(p, 0, pad);
-+ }
-+
-+ return NT_STATUS_OK;
-+}
-+
- static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
- bool *is_last_frag)
- {
-- size_t data_sent_thistime;
- size_t auth_len;
- size_t frag_len;
- uint8_t flags = 0;
- size_t pad_len;
- size_t data_left;
-+ size_t data_thistime;
-+ size_t trailer_left;
-+ size_t trailer_thistime = 0;
-+ size_t total_left;
-+ size_t total_thistime;
- NTSTATUS status;
-+ bool ok;
- union dcerpc_payload u;
-
- data_left = state->req_data->length - state->req_data_sent;
-+ trailer_left = state->req_trailer.length - state->req_trailer_sent;
-+ total_left = data_left + trailer_left;
-+ if ((total_left < data_left) || (total_left < trailer_left)) {
-+ /*
-+ * overflow
-+ */
-+ return NT_STATUS_INVALID_PARAMETER_MIX;
-+ }
-
- status = dcerpc_guess_sizes(state->cli->auth,
-- DCERPC_REQUEST_LENGTH, data_left,
-+ DCERPC_REQUEST_LENGTH, total_left,
- state->cli->max_xmit_frag,
- CLIENT_NDR_PADDING_SIZE,
-- &data_sent_thistime,
-+ &total_thistime,
- &frag_len, &auth_len, &pad_len);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
-@@ -1269,15 +1418,20 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
- flags = DCERPC_PFC_FLAG_FIRST;
- }
-
-- if (data_sent_thistime == data_left) {
-+ if (total_thistime == total_left) {
- flags |= DCERPC_PFC_FLAG_LAST;
- }
-
-+ data_thistime = MIN(total_thistime, data_left);
-+ if (data_thistime < total_thistime) {
-+ trailer_thistime = total_thistime - data_thistime;
-+ }
-+
- data_blob_free(&state->rpc_out);
-
- ZERO_STRUCT(u.request);
-
-- u.request.alloc_hint = data_left;
-+ u.request.alloc_hint = total_left;
- u.request.context_id = 0;
- u.request.opnum = state->op_num;
-
-@@ -1297,11 +1451,26 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
- * at this stage */
- dcerpc_set_frag_length(&state->rpc_out, frag_len);
-
-- /* Copy in the data. */
-- if (!data_blob_append(NULL, &state->rpc_out,
-+ if (data_thistime > 0) {
-+ /* Copy in the data. */
-+ ok = data_blob_append(NULL, &state->rpc_out,
- state->req_data->data + state->req_data_sent,
-- data_sent_thistime)) {
-- return NT_STATUS_NO_MEMORY;
-+ data_thistime);
-+ if (!ok) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ state->req_data_sent += data_thistime;
-+ }
-+
-+ if (trailer_thistime > 0) {
-+ /* Copy in the verification trailer. */
-+ ok = data_blob_append(NULL, &state->rpc_out,
-+ state->req_trailer.data + state->req_trailer_sent,
-+ trailer_thistime);
-+ if (!ok) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ state->req_trailer_sent += trailer_thistime;
- }
-
- switch (state->cli->auth->auth_level) {
-@@ -1321,7 +1490,6 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
- return NT_STATUS_INVALID_PARAMETER;
- }
-
-- state->req_data_sent += data_sent_thistime;
- *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
-
- return status;
-@@ -1385,6 +1553,20 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
- tevent_req_nterror(req, status);
- return;
- }
-+
-+ if (state->cli->auth == NULL) {
-+ tevent_req_done(req);
-+ return;
-+ }
-+
-+ if (state->verify_bitmask1) {
-+ state->cli->auth->verified_bitmask1 = true;
-+ }
-+
-+ if (state->verify_pcontext) {
-+ state->cli->verified_pcontext = true;
-+ }
-+
- tevent_req_done(req);
- }
-
-diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
-index 6561b28..8024f01 100644
---- a/source3/rpc_client/rpc_client.h
-+++ b/source3/rpc_client/rpc_client.h
-@@ -39,6 +39,7 @@ struct rpc_pipe_client {
-
- struct ndr_syntax_id abstract_syntax;
- struct ndr_syntax_id transfer_syntax;
-+ bool verified_pcontext;
-
- char *desthost;
- char *srv_name_slash;
---
-1.9.3
-
-
-From 3df8f8c1dda254a85e4fa02b74d23a4802bc595c Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 18 Apr 2013 19:16:42 +0200
-Subject: [PATCH 162/249] libcli/auth: add netlogon_creds_cli* infrastructure
-
-This provides an abstraction to hide netlogon_creds_CredentialState,
-which is stored in a node local tdb.
-
-Where the global state (netlogon_creds_CredentialState) between client and
-server was only kept in memory (on the client side), we now use
-the abstracted netlogon_creds_cli_context.
-
-We now use a node specific computer name in order to establish
-individual netlogon sessions per node.
-
-If the caller wants to use some netlogon calls with credential chain
-(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
-to get the current netlogon_creds_CredentialState in a g_lock'ed
-fashion, a talloc_free() will release the lock.
-
-The locking is needed as there might be more than one process
-(multiple winbindd child, cmdline tools) which want to talk
-to a specific domain controller. The usage of netlogon_creds_CredentialState
-needs to be serialized as it uses sequence numbers.
-
-LogonSamLogonEx doesn't use the credential chain, but for some operations
-it needs the global session in order to de/encrypt individual fields.
-It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
-functions, which just make sure the session hasn't changed between
-get and validate.
-
-This is prepares the proper fix for a large number of bugs:
-https://bugzilla.samba.org/show_bug.cgi?id=6563
-https://bugzilla.samba.org/show_bug.cgi?id=7944
-https://bugzilla.samba.org/show_bug.cgi?id=7945
-https://bugzilla.samba.org/show_bug.cgi?id=7568
-https://bugzilla.samba.org/show_bug.cgi?id=8599
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 6e6d9f9f12284ed06a21cc02080e436b7326065f)
----
- libcli/auth/netlogon_creds_cli.c | 2596 ++++++++++++++++++++++++++++++++++++++
- libcli/auth/netlogon_creds_cli.h | 138 ++
- libcli/auth/wscript_build | 4 +
- 3 files changed, 2738 insertions(+)
- create mode 100644 libcli/auth/netlogon_creds_cli.c
- create mode 100644 libcli/auth/netlogon_creds_cli.h
-
-diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
-new file mode 100644
-index 0000000..75d6b2c
---- /dev/null
-+++ b/libcli/auth/netlogon_creds_cli.c
-@@ -0,0 +1,2596 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+
-+ module to store/fetch session keys for the schannel client
-+
-+ Copyright (C) Stefan Metzmacher 2013
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#include "includes.h"
-+#include "system/filesys.h"
-+#include <tevent.h>
-+#include "lib/util/tevent_ntstatus.h"
-+#include "lib/dbwrap/dbwrap.h"
-+#include "lib/dbwrap/dbwrap_rbt.h"
-+#include "lib/util/util_tdb.h"
-+#include "libcli/security/security.h"
-+#include "../lib/param/param.h"
-+#include "../libcli/auth/schannel.h"
-+#include "../librpc/gen_ndr/ndr_schannel.h"
-+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
-+#include "../librpc/gen_ndr/server_id.h"
-+#include "netlogon_creds_cli.h"
-+#include "source3/include/messages.h"
-+#include "source3/include/g_lock.h"
-+
-+struct netlogon_creds_cli_locked_state;
-+
-+struct netlogon_creds_cli_context {
-+ struct {
-+ const char *computer;
-+ const char *account;
-+ uint32_t proposed_flags;
-+ uint32_t required_flags;
-+ enum netr_SchannelType type;
-+ enum dcerpc_AuthLevel auth_level;
-+ } client;
-+
-+ struct {
-+ const char *computer;
-+ const char *netbios_domain;
-+ uint32_t cached_flags;
-+ bool try_validation6;
-+ bool try_logon_ex;
-+ bool try_logon_with;
-+ } server;
-+
-+ struct {
-+ const char *key_name;
-+ TDB_DATA key_data;
-+ struct db_context *ctx;
-+ struct g_lock_ctx *g_ctx;
-+ struct netlogon_creds_cli_locked_state *locked_state;
-+ } db;
-+};
-+
-+struct netlogon_creds_cli_locked_state {
-+ struct netlogon_creds_cli_context *context;
-+ bool is_glocked;
-+ struct netlogon_creds_CredentialState *creds;
-+};
-+
-+static int netlogon_creds_cli_locked_state_destructor(
-+ struct netlogon_creds_cli_locked_state *state)
-+{
-+ struct netlogon_creds_cli_context *context = state->context;
-+
-+ if (context == NULL) {
-+ return 0;
-+ }
-+
-+ if (context->db.locked_state == state) {
-+ context->db.locked_state = NULL;
-+ }
-+
-+ if (state->is_glocked) {
-+ g_lock_unlock(context->db.g_ctx,
-+ context->db.key_name);
-+ }
-+
-+ return 0;
-+}
-+
-+static NTSTATUS netlogon_creds_cli_context_common(
-+ const char *client_computer,
-+ const char *client_account,
-+ enum netr_SchannelType type,
-+ enum dcerpc_AuthLevel auth_level,
-+ uint32_t proposed_flags,
-+ uint32_t required_flags,
-+ const char *server_computer,
-+ const char *server_netbios_domain,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_cli_context **_context)
-+{
-+ struct netlogon_creds_cli_context *context = NULL;
-+
-+ *_context = NULL;
-+
-+ context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
-+ if (context == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ context->client.computer = talloc_strdup(context, client_computer);
-+ if (context->client.computer == NULL) {
-+ talloc_free(context);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ context->client.account = talloc_strdup(context, client_account);
-+ if (context->client.account == NULL) {
-+ talloc_free(context);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ context->client.proposed_flags = proposed_flags;
-+ context->client.required_flags = required_flags;
-+ context->client.type = type;
-+ context->client.auth_level = auth_level;
-+
-+ context->server.computer = talloc_strdup(context, server_computer);
-+ if (context->server.computer == NULL) {
-+ talloc_free(context);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
-+ if (context->server.netbios_domain == NULL) {
-+ talloc_free(context);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
-+ client_computer,
-+ client_account,
-+ server_computer,
-+ server_netbios_domain);
-+ if (context->db.key_name == NULL) {
-+ talloc_free(context);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ context->db.key_data = string_term_tdb_data(context->db.key_name);
-+
-+ *_context = context;
-+ return NT_STATUS_OK;
-+}
-+
-+static struct db_context *netlogon_creds_cli_global_db;
-+
-+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
-+{
-+ char *fname;
-+ struct db_context *global_db;
-+
-+ if (netlogon_creds_cli_global_db != NULL) {
-+ return NT_STATUS_OK;
-+ }
-+
-+ fname = lpcfg_private_db_path(talloc_autofree_context(), lp_ctx, "netlogon_creds_cli");
-+ if (fname == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ global_db = dbwrap_local_open(talloc_autofree_context(), lp_ctx,
-+ fname, 0,
-+ TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
-+ O_RDWR|O_CREAT,
-+ 0600, DBWRAP_LOCK_ORDER_2);
-+ if (global_db == NULL) {
-+ DEBUG(0,("netlogon_creds_cli_open_global_db: Failed to open %s - %s\n",
-+ fname, strerror(errno)));
-+ talloc_free(fname);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ TALLOC_FREE(fname);
-+
-+ netlogon_creds_cli_global_db = global_db;
-+ return NT_STATUS_OK;
-+}
-+
-+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
-+ struct messaging_context *msg_ctx,
-+ const char *client_account,
-+ enum netr_SchannelType type,
-+ const char *server_computer,
-+ const char *server_netbios_domain,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_cli_context **_context)
-+{
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ NTSTATUS status;
-+ struct netlogon_creds_cli_context *context = NULL;
-+ const char *client_computer;
-+ uint32_t proposed_flags;
-+ uint32_t required_flags = 0;
-+ bool reject_md5_servers = false;
-+ bool require_strong_key = false;
-+ int require_sign_or_seal = true;
-+ bool seal_secure_channel = true;
-+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
-+ bool neutralize_nt4_emulation = false;
-+ struct server_id self = {
-+ .vnn = NONCLUSTER_VNN,
-+ .unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
-+ };
-+
-+ if (msg_ctx != NULL) {
-+ self = messaging_server_id(msg_ctx);
-+ }
-+
-+ *_context = NULL;
-+
-+ if (self.vnn != NONCLUSTER_VNN) {
-+ client_computer = talloc_asprintf(frame,
-+ "%s_cluster_vnn_%u",
-+ lpcfg_netbios_name(lp_ctx),
-+ (unsigned)self.vnn);
-+ if (client_computer == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ } else {
-+ client_computer = lpcfg_netbios_name(lp_ctx);
-+ }
-+
-+ /*
-+ * allow overwrite per domain
-+ * reject md5 servers:<netbios_domain>
-+ */
-+ //TODO: add lpcfp_reject_md5_servers()
-+ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
-+ "__default__",
-+ "reject md5 servers",
-+ reject_md5_servers);
-+ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
-+ "reject md5 servers",
-+ server_netbios_domain,
-+ reject_md5_servers);
-+
-+ /*
-+ * allow overwrite per domain
-+ * require strong key:<netbios_domain>
-+ */
-+ //TODO: add lpcfp_require_strong_key()
-+ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
-+ "__default__",
-+ "require strong key",
-+ require_strong_key);
-+ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
-+ "require strong key",
-+ server_netbios_domain,
-+ require_strong_key);
-+
-+ /*
-+ * allow overwrite per domain
-+ * client schannel:<netbios_domain>
-+ */
-+ require_sign_or_seal = lpcfg_client_schannel(lp_ctx);
-+ require_sign_or_seal = lpcfg_parm_int(lp_ctx, NULL,
-+ "client schannel",
-+ server_netbios_domain,
-+ require_sign_or_seal);
-+
-+ /*
-+ * allow overwrite per domain
-+ * winbind sealed pipes:<netbios_domain>
-+ */
-+ seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
-+ seal_secure_channel = lpcfg_parm_bool(lp_ctx, NULL,
-+ "winbind sealed pipes",
-+ server_netbios_domain,
-+ seal_secure_channel);
-+
-+ /*
-+ * allow overwrite per domain
-+ * neutralize nt4 emulation:<netbios_domain>
-+ */
-+ //TODO: add lpcfp_neutralize_nt4_emulation()
-+ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
-+ "__default__",
-+ "neutralize nt4 emulation",
-+ neutralize_nt4_emulation);
-+ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
-+ "neutralize nt4 emulation",
-+ server_netbios_domain,
-+ neutralize_nt4_emulation);
-+
-+ proposed_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-+ proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
-+
-+ switch (type) {
-+ case SEC_CHAN_WKSTA:
-+ if (lpcfg_security(lp_ctx) == SEC_ADS) {
-+ /*
-+ * AD domains should be secure
-+ */
-+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
-+ require_sign_or_seal = true;
-+ require_strong_key = true;
-+ }
-+ break;
-+
-+ case SEC_CHAN_DOMAIN:
-+ break;
-+
-+ case SEC_CHAN_DNS_DOMAIN:
-+ /*
-+ * AD domains should be secure
-+ */
-+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
-+ require_sign_or_seal = true;
-+ require_strong_key = true;
-+ neutralize_nt4_emulation = true;
-+ break;
-+
-+ case SEC_CHAN_BDC:
-+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
-+ require_sign_or_seal = true;
-+ require_strong_key = true;
-+ break;
-+
-+ case SEC_CHAN_RODC:
-+ required_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
-+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
-+ require_sign_or_seal = true;
-+ require_strong_key = true;
-+ neutralize_nt4_emulation = true;
-+ break;
-+
-+ default:
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_INVALID_PARAMETER;
-+ }
-+
-+ if (neutralize_nt4_emulation) {
-+ proposed_flags |= NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
-+ }
-+
-+ if (require_sign_or_seal == false) {
-+ proposed_flags &= ~NETLOGON_NEG_AUTHENTICATED_RPC;
-+ } else {
-+ required_flags |= NETLOGON_NEG_ARCFOUR;
-+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
-+ }
-+
-+ if (reject_md5_servers) {
-+ required_flags |= NETLOGON_NEG_ARCFOUR;
-+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
-+ required_flags |= NETLOGON_NEG_SUPPORTS_AES;
-+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
-+ }
-+
-+ if (require_strong_key) {
-+ required_flags |= NETLOGON_NEG_ARCFOUR;
-+ required_flags |= NETLOGON_NEG_STRONG_KEYS;
-+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
-+ }
-+
-+ proposed_flags |= required_flags;
-+
-+ if (seal_secure_channel) {
-+ auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
-+ } else {
-+ auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
-+ }
-+
-+ status = netlogon_creds_cli_context_common(client_computer,
-+ client_account,
-+ type,
-+ auth_level,
-+ proposed_flags,
-+ required_flags,
-+ server_computer,
-+ server_netbios_domain,
-+ mem_ctx,
-+ &context);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+
-+ if (msg_ctx != NULL) {
-+ context->db.g_ctx = g_lock_ctx_init(context, msg_ctx);
-+ if (context->db.g_ctx == NULL) {
-+ TALLOC_FREE(context);
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ }
-+
-+ if (netlogon_creds_cli_global_db != NULL) {
-+ context->db.ctx = netlogon_creds_cli_global_db;
-+ *_context = context;
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_OK;
-+ }
-+
-+ status = netlogon_creds_cli_open_global_db(lp_ctx);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(context);
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ context->db.ctx = netlogon_creds_cli_global_db;
-+ *_context = context;
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_OK;
-+}
-+
-+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
-+ const char *client_account,
-+ enum netr_SchannelType type,
-+ uint32_t proposed_flags,
-+ uint32_t required_flags,
-+ enum dcerpc_AuthLevel auth_level,
-+ const char *server_computer,
-+ const char *server_netbios_domain,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_cli_context **_context)
-+{
-+ NTSTATUS status;
-+ struct netlogon_creds_cli_context *context = NULL;
-+
-+ *_context = NULL;
-+
-+ status = netlogon_creds_cli_context_common(client_computer,
-+ client_account,
-+ type,
-+ auth_level,
-+ proposed_flags,
-+ required_flags,
-+ server_computer,
-+ server_netbios_domain,
-+ mem_ctx,
-+ &context);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ context->db.ctx = db_open_rbt(context);
-+ if (context->db.ctx == NULL) {
-+ talloc_free(context);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ *_context = context;
-+ return NT_STATUS_OK;
-+}
-+
-+NTSTATUS netlogon_creds_cli_context_copy(
-+ const struct netlogon_creds_cli_context *src,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_cli_context **_dst)
-+{
-+ struct netlogon_creds_cli_context *dst;
-+
-+ dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
-+ if (dst == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ *dst = *src;
-+
-+ dst->client.computer = talloc_strdup(dst, src->client.computer);
-+ if (dst->client.computer == NULL) {
-+ TALLOC_FREE(dst);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ dst->client.account = talloc_strdup(dst, src->client.account);
-+ if (dst->client.account == NULL) {
-+ TALLOC_FREE(dst);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ dst->server.computer = talloc_strdup(dst, src->server.computer);
-+ if (dst->server.computer == NULL) {
-+ TALLOC_FREE(dst);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
-+ if (dst->server.netbios_domain == NULL) {
-+ TALLOC_FREE(dst);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ dst->db.key_name = talloc_strdup(dst, src->db.key_name);
-+ if (dst->db.key_name == NULL) {
-+ TALLOC_FREE(dst);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ dst->db.key_data = string_term_tdb_data(dst->db.key_name);
-+
-+ *_dst = dst;
-+ return NT_STATUS_OK;
-+}
-+
-+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
-+ struct netlogon_creds_cli_context *context)
-+{
-+ return context->client.auth_level;
-+}
-+
-+struct netlogon_creds_cli_fetch_state {
-+ TALLOC_CTX *mem_ctx;
-+ struct netlogon_creds_CredentialState *creds;
-+ uint32_t required_flags;
-+ NTSTATUS status;
-+};
-+
-+static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
-+ void *private_data)
-+{
-+ struct netlogon_creds_cli_fetch_state *state =
-+ (struct netlogon_creds_cli_fetch_state *)private_data;
-+ enum ndr_err_code ndr_err;
-+ DATA_BLOB blob;
-+ uint32_t tmp_flags;
-+
-+ state->creds = talloc_zero(state->mem_ctx,
-+ struct netlogon_creds_CredentialState);
-+ if (state->creds == NULL) {
-+ state->status = NT_STATUS_NO_MEMORY;
-+ return;
-+ }
-+
-+ blob.data = data.dptr;
-+ blob.length = data.dsize;
-+
-+ ndr_err = ndr_pull_struct_blob(&blob, state->creds, state->creds,
-+ (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ TALLOC_FREE(state->creds);
-+ state->status = ndr_map_error2ntstatus(ndr_err);
-+ return;
-+ }
-+
-+ tmp_flags = state->creds->negotiate_flags;
-+ tmp_flags &= state->required_flags;
-+ if (tmp_flags != state->required_flags) {
-+ TALLOC_FREE(state->creds);
-+ state->status = NT_STATUS_DOWNGRADE_DETECTED;
-+ return;
-+ }
-+
-+ state->status = NT_STATUS_OK;
-+}
-+
-+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_CredentialState **_creds)
-+{
-+ NTSTATUS status;
-+ struct netlogon_creds_cli_fetch_state fstate = {
-+ .mem_ctx = mem_ctx,
-+ .status = NT_STATUS_INTERNAL_ERROR,
-+ .required_flags = context->client.required_flags,
-+ };
-+ static const struct netr_Credential zero_creds;
-+
-+ *_creds = NULL;
-+
-+ status = dbwrap_parse_record(context->db.ctx,
-+ context->db.key_data,
-+ netlogon_creds_cli_fetch_parser,
-+ &fstate);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+ status = fstate.status;
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ /*
-+ * mark it as invalid for step operations.
-+ */
-+ fstate.creds->sequence = 0;
-+ fstate.creds->seed = zero_creds;
-+ fstate.creds->client = zero_creds;
-+ fstate.creds->server = zero_creds;
-+
-+ if (context->server.cached_flags == fstate.creds->negotiate_flags) {
-+ *_creds = fstate.creds;
-+ return NT_STATUS_OK;
-+ }
-+
-+ /*
-+ * It is really important to try SamLogonEx here,
-+ * because multiple processes can talk to the same
-+ * domain controller, without using the credential
-+ * chain.
-+ *
-+ * With a normal SamLogon call, we must keep the
-+ * credentials chain updated and intact between all
-+ * users of the machine account (which would imply
-+ * cross-node communication for every NTLM logon).
-+ *
-+ * The credentials chain is not per NETLOGON pipe
-+ * connection, but globally on the server/client pair
-+ * by computer name, while the client is free to use
-+ * any computer name. We include the cluster node number
-+ * in our computer name in order to avoid cross node
-+ * coordination of the credential chain.
-+ *
-+ * It's also important to use NetlogonValidationSamInfo4 (6),
-+ * because it relies on the rpc transport encryption
-+ * and avoids using the global netlogon schannel
-+ * session key to en/decrypt secret information
-+ * like the user_session_key for network logons.
-+ *
-+ * [MS-APDS] 3.1.5.2 NTLM Network Logon
-+ * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
-+ * NETLOGON_NEG_AUTHENTICATED_RPC set together
-+ * are the indication that the server supports
-+ * NetlogonValidationSamInfo4 (6). And it must only
-+ * be used if "SealSecureChannel" is used.
-+ *
-+ * The "SealSecureChannel" AUTH_TYPE_SCHANNEL/AUTH_LEVEL_PRIVACY
-+ * check is done in netlogon_creds_cli_LogonSamLogon*().
-+ */
-+ context->server.cached_flags = fstate.creds->negotiate_flags;
-+ context->server.try_validation6 = true;
-+ context->server.try_logon_ex = true;
-+ context->server.try_logon_with = true;
-+
-+ if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-+ context->server.try_validation6 = false;
-+ context->server.try_logon_ex = false;
-+ }
-+ if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
-+ context->server.try_validation6 = false;
-+ }
-+
-+ *_creds = fstate.creds;
-+ return NT_STATUS_OK;
-+}
-+
-+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
-+ const struct netlogon_creds_CredentialState *creds1)
-+{
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct netlogon_creds_CredentialState *creds2;
-+ DATA_BLOB blob1;
-+ DATA_BLOB blob2;
-+ NTSTATUS status;
-+ enum ndr_err_code ndr_err;
-+ int cmp;
-+
-+ status = netlogon_creds_cli_get(context, frame, &creds2);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return false;
-+ }
-+
-+ ndr_err = ndr_push_struct_blob(&blob1, frame, creds1,
-+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ TALLOC_FREE(frame);
-+ return false;
-+ }
-+
-+ ndr_err = ndr_push_struct_blob(&blob2, frame, creds2,
-+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ TALLOC_FREE(frame);
-+ return false;
-+ }
-+
-+ if (blob1.length != blob2.length) {
-+ TALLOC_FREE(frame);
-+ return false;
-+ }
-+
-+ cmp = memcmp(blob1.data, blob2.data, blob1.length);
-+ if (cmp != 0) {
-+ TALLOC_FREE(frame);
-+ return false;
-+ }
-+
-+ TALLOC_FREE(frame);
-+ return true;
-+}
-+
-+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
-+ struct netlogon_creds_CredentialState **_creds)
-+{
-+ struct netlogon_creds_CredentialState *creds = *_creds;
-+ NTSTATUS status;
-+ enum ndr_err_code ndr_err;
-+ DATA_BLOB blob;
-+ TDB_DATA data;
-+
-+ *_creds = NULL;
-+
-+ if (context->db.locked_state == NULL) {
-+ /*
-+ * this was not the result of netlogon_creds_cli_lock*()
-+ */
-+ TALLOC_FREE(creds);
-+ return NT_STATUS_INVALID_PAGE_PROTECTION;
-+ }
-+
-+ if (context->db.locked_state->creds != creds) {
-+ /*
-+ * this was not the result of netlogon_creds_cli_lock*()
-+ */
-+ TALLOC_FREE(creds);
-+ return NT_STATUS_INVALID_PAGE_PROTECTION;
-+ }
-+
-+ ndr_err = ndr_push_struct_blob(&blob, creds, creds,
-+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ TALLOC_FREE(creds);
-+ status = ndr_map_error2ntstatus(ndr_err);
-+ return status;
-+ }
-+
-+ data.dptr = blob.data;
-+ data.dsize = blob.length;
-+
-+ status = dbwrap_store(context->db.ctx,
-+ context->db.key_data,
-+ data, TDB_REPLACE);
-+ TALLOC_FREE(creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ return NT_STATUS_OK;
-+}
-+
-+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
-+ struct netlogon_creds_CredentialState **_creds)
-+{
-+ struct netlogon_creds_CredentialState *creds = *_creds;
-+ NTSTATUS status;
-+
-+ *_creds = NULL;
-+
-+ if (context->db.locked_state == NULL) {
-+ /*
-+ * this was not the result of netlogon_creds_cli_lock*()
-+ */
-+ TALLOC_FREE(creds);
-+ return NT_STATUS_INVALID_PAGE_PROTECTION;
-+ }
-+
-+ if (context->db.locked_state->creds != creds) {
-+ /*
-+ * this was not the result of netlogon_creds_cli_lock*()
-+ */
-+ TALLOC_FREE(creds);
-+ return NT_STATUS_INVALID_PAGE_PROTECTION;
-+ }
-+
-+ status = dbwrap_delete(context->db.ctx,
-+ context->db.key_data);
-+ TALLOC_FREE(creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ return NT_STATUS_OK;
-+}
-+
-+struct netlogon_creds_cli_lock_state {
-+ struct netlogon_creds_cli_locked_state *locked_state;
-+ struct netlogon_creds_CredentialState *creds;
-+};
-+
-+static void netlogon_creds_cli_lock_done(struct tevent_req *subreq);
-+static void netlogon_creds_cli_lock_fetch(struct tevent_req *req);
-+
-+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct netlogon_creds_cli_context *context)
-+{
-+ struct tevent_req *req;
-+ struct netlogon_creds_cli_lock_state *state;
-+ struct netlogon_creds_cli_locked_state *locked_state;
-+ struct tevent_req *subreq;
-+
-+ req = tevent_req_create(mem_ctx, &state,
-+ struct netlogon_creds_cli_lock_state);
-+ if (req == NULL) {
-+ return NULL;
-+ }
-+
-+ if (context->db.locked_state != NULL) {
-+ tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
-+ if (tevent_req_nomem(locked_state, req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+ talloc_set_destructor(locked_state,
-+ netlogon_creds_cli_locked_state_destructor);
-+ locked_state->context = context;
-+
-+ context->db.locked_state = locked_state;
-+ state->locked_state = locked_state;
-+
-+ if (context->db.g_ctx == NULL) {
-+ netlogon_creds_cli_lock_fetch(req);
-+ if (!tevent_req_is_in_progress(req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ return req;
-+ }
-+
-+ subreq = g_lock_lock_send(state, ev,
-+ context->db.g_ctx,
-+ context->db.key_name,
-+ G_LOCK_WRITE);
-+ if (tevent_req_nomem(subreq, req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+ tevent_req_set_callback(subreq, netlogon_creds_cli_lock_done, req);
-+
-+ return req;
-+}
-+
-+static void netlogon_creds_cli_lock_done(struct tevent_req *subreq)
-+{
-+ struct tevent_req *req =
-+ tevent_req_callback_data(subreq,
-+ struct tevent_req);
-+ struct netlogon_creds_cli_lock_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_lock_state);
-+ NTSTATUS status;
-+
-+ status = g_lock_lock_recv(subreq);
-+ TALLOC_FREE(subreq);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+ state->locked_state->is_glocked = true;
-+
-+ netlogon_creds_cli_lock_fetch(req);
-+}
-+
-+static void netlogon_creds_cli_lock_fetch(struct tevent_req *req)
-+{
-+ struct netlogon_creds_cli_lock_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_lock_state);
-+ struct netlogon_creds_cli_context *context = state->locked_state->context;
-+ struct netlogon_creds_cli_fetch_state fstate = {
-+ .status = NT_STATUS_INTERNAL_ERROR,
-+ .required_flags = context->client.required_flags,
-+ };
-+ NTSTATUS status;
-+
-+ fstate.mem_ctx = state;
-+ status = dbwrap_parse_record(context->db.ctx,
-+ context->db.key_data,
-+ netlogon_creds_cli_fetch_parser,
-+ &fstate);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+ status = fstate.status;
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+
-+ if (context->server.cached_flags == fstate.creds->negotiate_flags) {
-+ state->creds = fstate.creds;
-+ tevent_req_done(req);
-+ return;
-+ }
-+
-+ context->server.cached_flags = fstate.creds->negotiate_flags;
-+ context->server.try_validation6 = true;
-+ context->server.try_logon_ex = true;
-+ context->server.try_logon_with = true;
-+
-+ if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-+ context->server.try_validation6 = false;
-+ context->server.try_logon_ex = false;
-+ }
-+ if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
-+ context->server.try_validation6 = false;
-+ }
-+
-+ state->creds = fstate.creds;
-+ tevent_req_done(req);
-+ return;
-+}
-+
-+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_CredentialState **creds)
-+{
-+ struct netlogon_creds_cli_lock_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_lock_state);
-+ NTSTATUS status;
-+
-+ if (tevent_req_is_nterror(req, &status)) {
-+ tevent_req_received(req);
-+ return status;
-+ }
-+
-+ talloc_steal(state->creds, state->locked_state);
-+ state->locked_state->creds = state->creds;
-+ *creds = talloc_move(mem_ctx, &state->creds);
-+ tevent_req_received(req);
-+ return NT_STATUS_OK;
-+}
-+
-+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_CredentialState **creds)
-+{
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct tevent_context *ev;
-+ struct tevent_req *req;
-+ NTSTATUS status = NT_STATUS_NO_MEMORY;
-+
-+ ev = samba_tevent_context_init(frame);
-+ if (ev == NULL) {
-+ goto fail;
-+ }
-+ req = netlogon_creds_cli_lock_send(frame, ev, context);
-+ if (req == NULL) {
-+ goto fail;
-+ }
-+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
-+ goto fail;
-+ }
-+ status = netlogon_creds_cli_lock_recv(req, mem_ctx, creds);
-+ fail:
-+ TALLOC_FREE(frame);
-+ return status;
-+}
-+
-+struct netlogon_creds_cli_auth_state {
-+ struct tevent_context *ev;
-+ struct netlogon_creds_cli_context *context;
-+ struct dcerpc_binding_handle *binding_handle;
-+ struct samr_Password current_nt_hash;
-+ struct samr_Password previous_nt_hash;
-+ struct samr_Password used_nt_hash;
-+ char *srv_name_slash;
-+ uint32_t current_flags;
-+ struct netr_Credential client_challenge;
-+ struct netr_Credential server_challenge;
-+ struct netlogon_creds_CredentialState *creds;
-+ struct netr_Credential client_credential;
-+ struct netr_Credential server_credential;
-+ uint32_t rid;
-+ bool try_auth3;
-+ bool try_auth2;
-+ bool require_auth2;
-+ bool try_previous_nt_hash;
-+ struct netlogon_creds_cli_locked_state *locked_state;
-+};
-+
-+static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq);
-+static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req);
-+
-+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b,
-+ struct samr_Password current_nt_hash,
-+ const struct samr_Password *previous_nt_hash)
-+{
-+ struct tevent_req *req;
-+ struct netlogon_creds_cli_auth_state *state;
-+ struct netlogon_creds_cli_locked_state *locked_state;
-+ NTSTATUS status;
-+
-+ req = tevent_req_create(mem_ctx, &state,
-+ struct netlogon_creds_cli_auth_state);
-+ if (req == NULL) {
-+ return NULL;
-+ }
-+
-+ state->ev = ev;
-+ state->context = context;
-+ state->binding_handle = b;
-+ state->current_nt_hash = current_nt_hash;
-+ if (previous_nt_hash != NULL) {
-+ state->previous_nt_hash = *previous_nt_hash;
-+ state->try_previous_nt_hash = true;
-+ }
-+
-+ if (context->db.locked_state != NULL) {
-+ tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
-+ if (tevent_req_nomem(locked_state, req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+ talloc_set_destructor(locked_state,
-+ netlogon_creds_cli_locked_state_destructor);
-+ locked_state->context = context;
-+
-+ context->db.locked_state = locked_state;
-+ state->locked_state = locked_state;
-+
-+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
-+ context->server.computer);
-+ if (tevent_req_nomem(state->srv_name_slash, req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ state->try_auth3 = true;
-+ state->try_auth2 = true;
-+
-+ if (context->client.required_flags != 0) {
-+ state->require_auth2 = true;
-+ }
-+
-+ state->used_nt_hash = state->current_nt_hash;
-+ state->current_flags = context->client.proposed_flags;
-+
-+ if (context->db.g_ctx != NULL) {
-+ struct tevent_req *subreq;
-+
-+ subreq = g_lock_lock_send(state, ev,
-+ context->db.g_ctx,
-+ context->db.key_name,
-+ G_LOCK_WRITE);
-+ if (tevent_req_nomem(subreq, req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+ tevent_req_set_callback(subreq,
-+ netlogon_creds_cli_auth_locked,
-+ req);
-+
-+ return req;
-+ }
-+
-+ status = dbwrap_delete(state->context->db.ctx,
-+ state->context->db.key_data);
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
-+ status = NT_STATUS_OK;
-+ }
-+ if (tevent_req_nterror(req, status)) {
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ netlogon_creds_cli_auth_challenge_start(req);
-+ if (!tevent_req_is_in_progress(req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ return req;
-+}
-+
-+static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq)
-+{
-+ struct tevent_req *req =
-+ tevent_req_callback_data(subreq,
-+ struct tevent_req);
-+ struct netlogon_creds_cli_auth_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_auth_state);
-+ NTSTATUS status;
-+
-+ status = g_lock_lock_recv(subreq);
-+ TALLOC_FREE(subreq);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+ state->locked_state->is_glocked = true;
-+
-+ status = dbwrap_delete(state->context->db.ctx,
-+ state->context->db.key_data);
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
-+ status = NT_STATUS_OK;
-+ }
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+
-+ netlogon_creds_cli_auth_challenge_start(req);
-+}
-+
-+static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq);
-+
-+static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
-+{
-+ struct netlogon_creds_cli_auth_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_auth_state);
-+ struct tevent_req *subreq;
-+
-+ TALLOC_FREE(state->creds);
-+
-+ generate_random_buffer(state->client_challenge.data,
-+ sizeof(state->client_challenge.data));
-+
-+ subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
-+ state->binding_handle,
-+ state->srv_name_slash,
-+ state->context->client.computer,
-+ &state->client_challenge,
-+ &state->server_challenge);
-+ if (tevent_req_nomem(subreq, req)) {
-+ return;
-+ }
-+ tevent_req_set_callback(subreq,
-+ netlogon_creds_cli_auth_challenge_done,
-+ req);
-+}
-+
-+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq);
-+
-+static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq)
-+{
-+ struct tevent_req *req =
-+ tevent_req_callback_data(subreq,
-+ struct tevent_req);
-+ struct netlogon_creds_cli_auth_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_auth_state);
-+ NTSTATUS status;
-+ NTSTATUS result;
-+
-+ status = dcerpc_netr_ServerReqChallenge_recv(subreq, state, &result);
-+ TALLOC_FREE(subreq);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+ if (tevent_req_nterror(req, result)) {
-+ return;
-+ }
-+
-+ if (!state->try_auth3 && !state->try_auth2) {
-+ state->current_flags = 0;
-+ }
-+
-+ /* Calculate the session key and client credentials */
-+
-+ state->creds = netlogon_creds_client_init(state,
-+ state->context->client.account,
-+ state->context->client.computer,
-+ state->context->client.type,
-+ &state->client_challenge,
-+ &state->server_challenge,
-+ &state->used_nt_hash,
-+ &state->client_credential,
-+ state->current_flags);
-+ if (tevent_req_nomem(state->creds, req)) {
-+ return;
-+ }
-+
-+ if (state->try_auth3) {
-+ subreq = dcerpc_netr_ServerAuthenticate3_send(state, state->ev,
-+ state->binding_handle,
-+ state->srv_name_slash,
-+ state->context->client.account,
-+ state->context->client.type,
-+ state->context->client.computer,
-+ &state->client_credential,
-+ &state->server_credential,
-+ &state->creds->negotiate_flags,
-+ &state->rid);
-+ if (tevent_req_nomem(subreq, req)) {
-+ return;
-+ }
-+ } else if (state->try_auth2) {
-+ state->rid = 0;
-+
-+ subreq = dcerpc_netr_ServerAuthenticate2_send(state, state->ev,
-+ state->binding_handle,
-+ state->srv_name_slash,
-+ state->context->client.account,
-+ state->context->client.type,
-+ state->context->client.computer,
-+ &state->client_credential,
-+ &state->server_credential,
-+ &state->creds->negotiate_flags);
-+ if (tevent_req_nomem(subreq, req)) {
-+ return;
-+ }
-+ } else {
-+ state->rid = 0;
-+
-+ subreq = dcerpc_netr_ServerAuthenticate_send(state, state->ev,
-+ state->binding_handle,
-+ state->srv_name_slash,
-+ state->context->client.account,
-+ state->context->client.type,
-+ state->context->client.computer,
-+ &state->client_credential,
-+ &state->server_credential);
-+ if (tevent_req_nomem(subreq, req)) {
-+ return;
-+ }
-+ }
-+ tevent_req_set_callback(subreq,
-+ netlogon_creds_cli_auth_srvauth_done,
-+ req);
-+}
-+
-+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
-+{
-+ struct tevent_req *req =
-+ tevent_req_callback_data(subreq,
-+ struct tevent_req);
-+ struct netlogon_creds_cli_auth_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_auth_state);
-+ NTSTATUS status;
-+ NTSTATUS result;
-+ bool ok;
-+ enum ndr_err_code ndr_err;
-+ DATA_BLOB blob;
-+ TDB_DATA data;
-+ uint32_t tmp_flags;
-+
-+ if (state->try_auth3) {
-+ status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state,
-+ &result);
-+ TALLOC_FREE(subreq);
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-+ state->try_auth3 = false;
-+ netlogon_creds_cli_auth_challenge_start(req);
-+ return;
-+ }
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+ } else if (state->try_auth2) {
-+ status = dcerpc_netr_ServerAuthenticate2_recv(subreq, state,
-+ &result);
-+ TALLOC_FREE(subreq);
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-+ state->try_auth2 = false;
-+ if (state->require_auth2) {
-+ status = NT_STATUS_DOWNGRADE_DETECTED;
-+ tevent_req_nterror(req, status);
-+ return;
-+ }
-+ netlogon_creds_cli_auth_challenge_start(req);
-+ return;
-+ }
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+ } else {
-+ status = dcerpc_netr_ServerAuthenticate_recv(subreq, state,
-+ &result);
-+ TALLOC_FREE(subreq);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+ }
-+
-+ if (!NT_STATUS_IS_OK(result) &&
-+ !NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED))
-+ {
-+ tevent_req_nterror(req, result);
-+ return;
-+ }
-+
-+ tmp_flags = state->creds->negotiate_flags;
-+ tmp_flags &= state->context->client.required_flags;
-+ if (tmp_flags != state->context->client.required_flags) {
-+ if (NT_STATUS_IS_OK(result)) {
-+ tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED);
-+ return;
-+ }
-+ tevent_req_nterror(req, result);
-+ return;
-+ }
-+
-+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
-+
-+ tmp_flags = state->context->client.proposed_flags;
-+ if ((state->current_flags == tmp_flags) &&
-+ (state->creds->negotiate_flags != tmp_flags))
-+ {
-+ /*
-+ * lets retry with the negotiated flags
-+ */
-+ state->current_flags = state->creds->negotiate_flags;
-+ netlogon_creds_cli_auth_challenge_start(req);
-+ return;
-+ }
-+
-+ if (!state->try_previous_nt_hash) {
-+ /*
-+ * we already retried, giving up...
-+ */
-+ tevent_req_nterror(req, result);
-+ return;
-+ }
-+
-+ /*
-+ * lets retry with the old nt hash.
-+ */
-+ state->try_previous_nt_hash = false;
-+ state->used_nt_hash = state->previous_nt_hash;
-+ state->current_flags = state->context->client.proposed_flags;
-+ netlogon_creds_cli_auth_challenge_start(req);
-+ return;
-+ }
-+
-+ ok = netlogon_creds_client_check(state->creds,
-+ &state->server_credential);
-+ if (!ok) {
-+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
-+ return;
-+ }
-+
-+ ndr_err = ndr_push_struct_blob(&blob, state, state->creds,
-+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ status = ndr_map_error2ntstatus(ndr_err);
-+ tevent_req_nterror(req, status);
-+ return;
-+ }
-+
-+ data.dptr = blob.data;
-+ data.dsize = blob.length;
-+
-+ status = dbwrap_store(state->context->db.ctx,
-+ state->context->db.key_data,
-+ data, TDB_REPLACE);
-+ TALLOC_FREE(state->locked_state);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+
-+ tevent_req_done(req);
-+}
-+
-+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req)
-+{
-+ NTSTATUS status;
-+
-+ if (tevent_req_is_nterror(req, &status)) {
-+ tevent_req_received(req);
-+ return status;
-+ }
-+
-+ tevent_req_received(req);
-+ return NT_STATUS_OK;
-+}
-+
-+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b,
-+ struct samr_Password current_nt_hash,
-+ const struct samr_Password *previous_nt_hash)
-+{
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct tevent_context *ev;
-+ struct tevent_req *req;
-+ NTSTATUS status = NT_STATUS_NO_MEMORY;
-+
-+ ev = samba_tevent_context_init(frame);
-+ if (ev == NULL) {
-+ goto fail;
-+ }
-+ req = netlogon_creds_cli_auth_send(frame, ev, context, b,
-+ current_nt_hash,
-+ previous_nt_hash);
-+ if (req == NULL) {
-+ goto fail;
-+ }
-+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
-+ goto fail;
-+ }
-+ status = netlogon_creds_cli_auth_recv(req);
-+ fail:
-+ TALLOC_FREE(frame);
-+ return status;
-+}
-+
-+struct netlogon_creds_cli_check_state {
-+ struct tevent_context *ev;
-+ struct netlogon_creds_cli_context *context;
-+ struct dcerpc_binding_handle *binding_handle;
-+
-+ char *srv_name_slash;
-+
-+ union netr_Capabilities caps;
-+
-+ struct netlogon_creds_CredentialState *creds;
-+ struct netlogon_creds_CredentialState tmp_creds;
-+ struct netr_Authenticator req_auth;
-+ struct netr_Authenticator rep_auth;
-+};
-+
-+static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
-+ NTSTATUS status);
-+static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
-+
-+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b)
-+{
-+ struct tevent_req *req;
-+ struct netlogon_creds_cli_check_state *state;
-+ struct tevent_req *subreq;
-+ enum dcerpc_AuthType auth_type;
-+ enum dcerpc_AuthLevel auth_level;
-+
-+ req = tevent_req_create(mem_ctx, &state,
-+ struct netlogon_creds_cli_check_state);
-+ if (req == NULL) {
-+ return NULL;
-+ }
-+
-+ state->ev = ev;
-+ state->context = context;
-+ state->binding_handle = b;
-+
-+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
-+ context->server.computer);
-+ if (tevent_req_nomem(state->srv_name_slash, req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ dcerpc_binding_handle_auth_info(state->binding_handle,
-+ &auth_type, &auth_level);
-+
-+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
-+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ switch (auth_level) {
-+ case DCERPC_AUTH_LEVEL_INTEGRITY:
-+ case DCERPC_AUTH_LEVEL_PRIVACY:
-+ break;
-+ default:
-+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
-+ state->context);
-+ if (tevent_req_nomem(subreq, req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ tevent_req_set_callback(subreq,
-+ netlogon_creds_cli_check_locked,
-+ req);
-+
-+ return req;
-+}
-+
-+static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
-+ NTSTATUS status)
-+{
-+ struct netlogon_creds_cli_check_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_check_state);
-+
-+ if (state->creds == NULL) {
-+ return;
-+ }
-+
-+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
-+ TALLOC_FREE(state->creds);
-+ return;
-+ }
-+
-+ netlogon_creds_cli_delete(state->context, &state->creds);
-+}
-+
-+static void netlogon_creds_cli_check_caps(struct tevent_req *subreq);
-+
-+static void netlogon_creds_cli_check_locked(struct tevent_req *subreq)
-+{
-+ struct tevent_req *req =
-+ tevent_req_callback_data(subreq,
-+ struct tevent_req);
-+ struct netlogon_creds_cli_check_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_check_state);
-+ NTSTATUS status;
-+
-+ status = netlogon_creds_cli_lock_recv(subreq, state,
-+ &state->creds);
-+ TALLOC_FREE(subreq);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+
-+ /*
-+ * we defer all callbacks in order to cleanup
-+ * the database record.
-+ */
-+ tevent_req_defer_callback(req, state->ev);
-+
-+ state->tmp_creds = *state->creds;
-+ netlogon_creds_client_authenticator(&state->tmp_creds,
-+ &state->req_auth);
-+ ZERO_STRUCT(state->rep_auth);
-+
-+ subreq = dcerpc_netr_LogonGetCapabilities_send(state, state->ev,
-+ state->binding_handle,
-+ state->srv_name_slash,
-+ state->context->client.computer,
-+ &state->req_auth,
-+ &state->rep_auth,
-+ 1,
-+ &state->caps);
-+ if (tevent_req_nomem(subreq, req)) {
-+ status = NT_STATUS_NO_MEMORY;
-+ netlogon_creds_cli_check_cleanup(req, status);
-+ return;
-+ }
-+ tevent_req_set_callback(subreq,
-+ netlogon_creds_cli_check_caps,
-+ req);
-+}
-+
-+static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
-+{
-+ struct tevent_req *req =
-+ tevent_req_callback_data(subreq,
-+ struct tevent_req);
-+ struct netlogon_creds_cli_check_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_check_state);
-+ NTSTATUS status;
-+ NTSTATUS result;
-+ bool ok;
-+
-+ status = dcerpc_netr_LogonGetCapabilities_recv(subreq, state,
-+ &result);
-+ TALLOC_FREE(subreq);
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-+ /*
-+ * Note that the negotiated flags are already checked
-+ * for our required flags after the ServerAuthenticate3/2 call.
-+ */
-+ uint32_t negotiated = state->tmp_creds.negotiate_flags;
-+
-+ if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
-+ /*
-+ * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
-+ * already, we expect this to work!
-+ */
-+ status = NT_STATUS_DOWNGRADE_DETECTED;
-+ tevent_req_nterror(req, status);
-+ netlogon_creds_cli_check_cleanup(req, status);
-+ return;
-+ }
-+
-+ if (negotiated & NETLOGON_NEG_STRONG_KEYS) {
-+ /*
-+ * If we have negotiated NETLOGON_NEG_STRONG_KEYS
-+ * we expect this to work at least as far as the
-+ * NOT_SUPPORTED error handled below!
-+ *
-+ * NT 4.0 and Old Samba servers are not
-+ * allowed without "require strong key = no"
-+ */
-+ status = NT_STATUS_DOWNGRADE_DETECTED;
-+ tevent_req_nterror(req, status);
-+ netlogon_creds_cli_check_cleanup(req, status);
-+ return;
-+ }
-+
-+ /*
-+ * If we not require NETLOGON_NEG_SUPPORTS_AES or
-+ * NETLOGON_NEG_STRONG_KEYS, it's ok to ignore
-+ * NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
-+ *
-+ * This is needed against NT 4.0 and old Samba servers.
-+ *
-+ * As we're using DCERPC_AUTH_TYPE_SCHANNEL with
-+ * DCERPC_AUTH_LEVEL_INTEGRITY or DCERPC_AUTH_LEVEL_PRIVACY
-+ * we should detect a faked NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
-+ * with the next request as the sequence number processing
-+ * gets out of sync.
-+ */
-+ netlogon_creds_cli_check_cleanup(req, result);
-+ tevent_req_done(req);
-+ return;
-+ }
-+ if (tevent_req_nterror(req, status)) {
-+ netlogon_creds_cli_check_cleanup(req, status);
-+ return;
-+ }
-+
-+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
-+ /*
-+ * Note that the negotiated flags are already checked
-+ * for our required flags after the ServerAuthenticate3/2 call.
-+ */
-+ uint32_t negotiated = state->tmp_creds.negotiate_flags;
-+
-+ if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
-+ /*
-+ * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
-+ * already, we expect this to work!
-+ */
-+ status = NT_STATUS_DOWNGRADE_DETECTED;
-+ tevent_req_nterror(req, status);
-+ netlogon_creds_cli_check_cleanup(req, status);
-+ return;
-+ }
-+
-+ /*
-+ * This is ok, the server does not support
-+ * NETLOGON_NEG_SUPPORTS_AES.
-+ *
-+ * netr_LogonGetCapabilities() was
-+ * netr_LogonDummyRoutine1() before
-+ * NETLOGON_NEG_SUPPORTS_AES was invented.
-+ */
-+ netlogon_creds_cli_check_cleanup(req, result);
-+ tevent_req_done(req);
-+ return;
-+ }
-+
-+ ok = netlogon_creds_client_check(&state->tmp_creds,
-+ &state->rep_auth.cred);
-+ if (!ok) {
-+ status = NT_STATUS_ACCESS_DENIED;
-+ tevent_req_nterror(req, status);
-+ netlogon_creds_cli_check_cleanup(req, status);
-+ return;
-+ }
-+
-+ if (tevent_req_nterror(req, result)) {
-+ netlogon_creds_cli_check_cleanup(req, result);
-+ return;
-+ }
-+
-+ if (state->caps.server_capabilities != state->tmp_creds.negotiate_flags) {
-+ status = NT_STATUS_DOWNGRADE_DETECTED;
-+ tevent_req_nterror(req, status);
-+ netlogon_creds_cli_check_cleanup(req, status);
-+ return;
-+ }
-+
-+ /*
-+ * This is the key check that makes this check secure. If we
-+ * get OK here (rather than NOT_SUPPORTED), then the server
-+ * did support AES. If the server only proposed STRONG_KEYS
-+ * and not AES, then it should have failed with
-+ * NOT_IMPLEMENTED. We always send AES as a client, so the
-+ * server should always have returned it.
-+ */
-+ if (!(state->caps.server_capabilities & NETLOGON_NEG_SUPPORTS_AES)) {
-+ status = NT_STATUS_DOWNGRADE_DETECTED;
-+ tevent_req_nterror(req, status);
-+ netlogon_creds_cli_check_cleanup(req, status);
-+ return;
-+ }
-+
-+ *state->creds = state->tmp_creds;
-+ status = netlogon_creds_cli_store(state->context,
-+ &state->creds);
-+ netlogon_creds_cli_check_cleanup(req, status);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+
-+ tevent_req_done(req);
-+}
-+
-+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req)
-+{
-+ NTSTATUS status;
-+
-+ if (tevent_req_is_nterror(req, &status)) {
-+ netlogon_creds_cli_check_cleanup(req, status);
-+ tevent_req_received(req);
-+ return status;
-+ }
-+
-+ tevent_req_received(req);
-+ return NT_STATUS_OK;
-+}
-+
-+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b)
-+{
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct tevent_context *ev;
-+ struct tevent_req *req;
-+ NTSTATUS status = NT_STATUS_NO_MEMORY;
-+
-+ ev = samba_tevent_context_init(frame);
-+ if (ev == NULL) {
-+ goto fail;
-+ }
-+ req = netlogon_creds_cli_check_send(frame, ev, context, b);
-+ if (req == NULL) {
-+ goto fail;
-+ }
-+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
-+ goto fail;
-+ }
-+ status = netlogon_creds_cli_check_recv(req);
-+ fail:
-+ TALLOC_FREE(frame);
-+ return status;
-+}
-+
-+struct netlogon_creds_cli_ServerPasswordSet_state {
-+ struct tevent_context *ev;
-+ struct netlogon_creds_cli_context *context;
-+ struct dcerpc_binding_handle *binding_handle;
-+ uint32_t old_timeout;
-+
-+ char *srv_name_slash;
-+ enum dcerpc_AuthType auth_type;
-+ enum dcerpc_AuthLevel auth_level;
-+
-+ struct samr_CryptPassword samr_crypt_password;
-+ struct netr_CryptPassword netr_crypt_password;
-+ struct samr_Password samr_password;
-+
-+ struct netlogon_creds_CredentialState *creds;
-+ struct netlogon_creds_CredentialState tmp_creds;
-+ struct netr_Authenticator req_auth;
-+ struct netr_Authenticator rep_auth;
-+};
-+
-+static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
-+ NTSTATUS status);
-+static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq);
-+
-+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b,
-+ const char *new_password,
-+ const uint32_t *new_version)
-+{
-+ struct tevent_req *req;
-+ struct netlogon_creds_cli_ServerPasswordSet_state *state;
-+ struct tevent_req *subreq;
-+ bool ok;
-+
-+ req = tevent_req_create(mem_ctx, &state,
-+ struct netlogon_creds_cli_ServerPasswordSet_state);
-+ if (req == NULL) {
-+ return NULL;
-+ }
-+
-+ state->ev = ev;
-+ state->context = context;
-+ state->binding_handle = b;
-+
-+ /*
-+ * netr_ServerPasswordSet
-+ */
-+ E_md4hash(new_password, state->samr_password.hash);
-+
-+ /*
-+ * netr_ServerPasswordSet2
-+ */
-+ ok = encode_pw_buffer(state->samr_crypt_password.data,
-+ new_password, STR_UNICODE);
-+ if (!ok) {
-+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ if (new_version != NULL) {
-+ struct NL_PASSWORD_VERSION version;
-+ uint32_t len = IVAL(state->samr_crypt_password.data, 512);
-+ uint32_t ofs = 512 - len;
-+ uint8_t *p;
-+
-+ if (ofs < 12) {
-+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-+ return tevent_req_post(req, ev);
-+ }
-+ ofs -= 12;
-+
-+ version.ReservedField = 0;
-+ version.PasswordVersionNumber = *new_version;
-+ version.PasswordVersionPresent =
-+ NETLOGON_PASSWORD_VERSION_NUMBER_PRESENT;
-+
-+ p = state->samr_crypt_password.data + ofs;
-+ SIVAL(p, 0, version.ReservedField);
-+ SIVAL(p, 4, version.PasswordVersionNumber);
-+ SIVAL(p, 8, version.PasswordVersionPresent);
-+ }
-+
-+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
-+ context->server.computer);
-+ if (tevent_req_nomem(state->srv_name_slash, req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ dcerpc_binding_handle_auth_info(state->binding_handle,
-+ &state->auth_type,
-+ &state->auth_level);
-+
-+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
-+ state->context);
-+ if (tevent_req_nomem(subreq, req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ tevent_req_set_callback(subreq,
-+ netlogon_creds_cli_ServerPasswordSet_locked,
-+ req);
-+
-+ return req;
-+}
-+
-+static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
-+ NTSTATUS status)
-+{
-+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_ServerPasswordSet_state);
-+
-+ if (state->creds == NULL) {
-+ return;
-+ }
-+
-+ dcerpc_binding_handle_set_timeout(state->binding_handle,
-+ state->old_timeout);
-+
-+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
-+ TALLOC_FREE(state->creds);
-+ return;
-+ }
-+
-+ netlogon_creds_cli_delete(state->context, &state->creds);
-+}
-+
-+static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq);
-+
-+static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq)
-+{
-+ struct tevent_req *req =
-+ tevent_req_callback_data(subreq,
-+ struct tevent_req);
-+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_ServerPasswordSet_state);
-+ NTSTATUS status;
-+
-+ status = netlogon_creds_cli_lock_recv(subreq, state,
-+ &state->creds);
-+ TALLOC_FREE(subreq);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+
-+ if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
-+ switch (state->auth_level) {
-+ case DCERPC_AUTH_LEVEL_INTEGRITY:
-+ case DCERPC_AUTH_LEVEL_PRIVACY:
-+ break;
-+ default:
-+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-+ return;
-+ }
-+ } else {
-+ uint32_t tmp = state->creds->negotiate_flags;
-+
-+ if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
-+ /*
-+ * if DCERPC_AUTH_TYPE_SCHANNEL is supported
-+ * it should be used, which means
-+ * we had a chance to verify no downgrade
-+ * happened.
-+ *
-+ * This relies on netlogon_creds_cli_check*
-+ * being called before, as first request after
-+ * the DCERPC bind.
-+ */
-+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
-+ return;
-+ }
-+ }
-+
-+ state->old_timeout = dcerpc_binding_handle_set_timeout(
-+ state->binding_handle, 600000);
-+
-+ /*
-+ * we defer all callbacks in order to cleanup
-+ * the database record.
-+ */
-+ tevent_req_defer_callback(req, state->ev);
-+
-+ state->tmp_creds = *state->creds;
-+ netlogon_creds_client_authenticator(&state->tmp_creds,
-+ &state->req_auth);
-+ ZERO_STRUCT(state->rep_auth);
-+
-+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
-+
-+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-+ netlogon_creds_aes_encrypt(&state->tmp_creds,
-+ state->samr_crypt_password.data,
-+ 516);
-+ } else {
-+ netlogon_creds_arcfour_crypt(&state->tmp_creds,
-+ state->samr_crypt_password.data,
-+ 516);
-+ }
-+
-+ memcpy(state->netr_crypt_password.data,
-+ state->samr_crypt_password.data, 512);
-+ state->netr_crypt_password.length =
-+ IVAL(state->samr_crypt_password.data, 512);
-+
-+ subreq = dcerpc_netr_ServerPasswordSet2_send(state, state->ev,
-+ state->binding_handle,
-+ state->srv_name_slash,
-+ state->tmp_creds.account_name,
-+ state->tmp_creds.secure_channel_type,
-+ state->tmp_creds.computer_name,
-+ &state->req_auth,
-+ &state->rep_auth,
-+ &state->netr_crypt_password);
-+ if (tevent_req_nomem(subreq, req)) {
-+ status = NT_STATUS_NO_MEMORY;
-+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
-+ return;
-+ }
-+ } else {
-+ netlogon_creds_des_encrypt(&state->tmp_creds,
-+ &state->samr_password);
-+
-+ subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev,
-+ state->binding_handle,
-+ state->srv_name_slash,
-+ state->tmp_creds.account_name,
-+ state->tmp_creds.secure_channel_type,
-+ state->tmp_creds.computer_name,
-+ &state->req_auth,
-+ &state->rep_auth,
-+ &state->samr_password);
-+ if (tevent_req_nomem(subreq, req)) {
-+ status = NT_STATUS_NO_MEMORY;
-+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
-+ return;
-+ }
-+ }
-+
-+ tevent_req_set_callback(subreq,
-+ netlogon_creds_cli_ServerPasswordSet_done,
-+ req);
-+}
-+
-+static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq)
-+{
-+ struct tevent_req *req =
-+ tevent_req_callback_data(subreq,
-+ struct tevent_req);
-+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_ServerPasswordSet_state);
-+ NTSTATUS status;
-+ NTSTATUS result;
-+ bool ok;
-+
-+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
-+ status = dcerpc_netr_ServerPasswordSet2_recv(subreq, state,
-+ &result);
-+ TALLOC_FREE(subreq);
-+ if (tevent_req_nterror(req, status)) {
-+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
-+ return;
-+ }
-+ } else {
-+ status = dcerpc_netr_ServerPasswordSet_recv(subreq, state,
-+ &result);
-+ TALLOC_FREE(subreq);
-+ if (tevent_req_nterror(req, status)) {
-+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
-+ return;
-+ }
-+ }
-+
-+ ok = netlogon_creds_client_check(&state->tmp_creds,
-+ &state->rep_auth.cred);
-+ if (!ok) {
-+ status = NT_STATUS_ACCESS_DENIED;
-+ tevent_req_nterror(req, status);
-+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
-+ return;
-+ }
-+
-+ if (tevent_req_nterror(req, result)) {
-+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, result);
-+ return;
-+ }
-+
-+ dcerpc_binding_handle_set_timeout(state->binding_handle,
-+ state->old_timeout);
-+
-+ *state->creds = state->tmp_creds;
-+ status = netlogon_creds_cli_store(state->context,
-+ &state->creds);
-+ if (tevent_req_nterror(req, status)) {
-+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
-+ return;
-+ }
-+
-+ tevent_req_done(req);
-+}
-+
-+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req)
-+{
-+ NTSTATUS status;
-+
-+ if (tevent_req_is_nterror(req, &status)) {
-+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
-+ tevent_req_received(req);
-+ return status;
-+ }
-+
-+ tevent_req_received(req);
-+ return NT_STATUS_OK;
-+}
-+
-+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
-+ struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b,
-+ const char *new_password,
-+ const uint32_t *new_version)
-+{
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct tevent_context *ev;
-+ struct tevent_req *req;
-+ NTSTATUS status = NT_STATUS_NO_MEMORY;
-+
-+ ev = samba_tevent_context_init(frame);
-+ if (ev == NULL) {
-+ goto fail;
-+ }
-+ req = netlogon_creds_cli_ServerPasswordSet_send(frame, ev, context, b,
-+ new_password,
-+ new_version);
-+ if (req == NULL) {
-+ goto fail;
-+ }
-+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
-+ goto fail;
-+ }
-+ status = netlogon_creds_cli_ServerPasswordSet_recv(req);
-+ fail:
-+ TALLOC_FREE(frame);
-+ return status;
-+}
-+
-+struct netlogon_creds_cli_LogonSamLogon_state {
-+ struct tevent_context *ev;
-+ struct netlogon_creds_cli_context *context;
-+ struct dcerpc_binding_handle *binding_handle;
-+
-+ char *srv_name_slash;
-+
-+ enum netr_LogonInfoClass logon_level;
-+ const union netr_LogonLevel *const_logon;
-+ union netr_LogonLevel *logon;
-+ uint32_t flags;
-+
-+ uint16_t validation_level;
-+ union netr_Validation *validation;
-+ uint8_t authoritative;
-+
-+ /*
-+ * do we need encryption at the application layer?
-+ */
-+ bool user_encrypt;
-+ bool try_logon_ex;
-+ bool try_validation6;
-+
-+ /*
-+ * the read only credentials before we started the operation
-+ */
-+ struct netlogon_creds_CredentialState *ro_creds;
-+
-+ struct netlogon_creds_CredentialState *lk_creds;
-+
-+ struct netlogon_creds_CredentialState tmp_creds;
-+ struct netr_Authenticator req_auth;
-+ struct netr_Authenticator rep_auth;
-+};
-+
-+static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req);
-+static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
-+ NTSTATUS status);
-+
-+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b,
-+ enum netr_LogonInfoClass logon_level,
-+ const union netr_LogonLevel *logon,
-+ uint32_t flags)
-+{
-+ struct tevent_req *req;
-+ struct netlogon_creds_cli_LogonSamLogon_state *state;
-+
-+ req = tevent_req_create(mem_ctx, &state,
-+ struct netlogon_creds_cli_LogonSamLogon_state);
-+ if (req == NULL) {
-+ return NULL;
-+ }
-+
-+ state->ev = ev;
-+ state->context = context;
-+ state->binding_handle = b;
-+
-+ state->logon_level = logon_level;
-+ state->const_logon = logon;
-+ state->flags = flags;
-+
-+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
-+ context->server.computer);
-+ if (tevent_req_nomem(state->srv_name_slash, req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ switch (logon_level) {
-+ case NetlogonInteractiveInformation:
-+ case NetlogonInteractiveTransitiveInformation:
-+ case NetlogonServiceInformation:
-+ case NetlogonServiceTransitiveInformation:
-+ case NetlogonGenericInformation:
-+ state->user_encrypt = true;
-+ break;
-+
-+ case NetlogonNetworkInformation:
-+ case NetlogonNetworkTransitiveInformation:
-+ break;
-+ }
-+
-+ state->validation = talloc_zero(state, union netr_Validation);
-+ if (tevent_req_nomem(state->validation, req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ netlogon_creds_cli_LogonSamLogon_start(req);
-+ if (!tevent_req_is_in_progress(req)) {
-+ return tevent_req_post(req, ev);
-+ }
-+
-+ /*
-+ * we defer all callbacks in order to cleanup
-+ * the database record.
-+ */
-+ tevent_req_defer_callback(req, state->ev);
-+ return req;
-+}
-+
-+static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
-+ NTSTATUS status)
-+{
-+ struct netlogon_creds_cli_LogonSamLogon_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_LogonSamLogon_state);
-+
-+ if (state->lk_creds == NULL) {
-+ return;
-+ }
-+
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-+ /*
-+ * This is a hack to recover from a bug in old
-+ * Samba servers, when LogonSamLogonEx() fails:
-+ *
-+ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
-+ *
-+ * All following request will get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
-+ *
-+ * A second bug generates NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE,
-+ * instead of NT_STATUS_ACCESS_DENIED or NT_STATUS_RPC_SEC_PKG_ERROR
-+ * If the sign/seal check fails.
-+ *
-+ * In that case we need to cleanup the netlogon session.
-+ *
-+ * It's the job of the caller to disconnect the current
-+ * connection, if netlogon_creds_cli_LogonSamLogon()
-+ * returns NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
-+ */
-+ if (!state->context->server.try_logon_with) {
-+ status = NT_STATUS_NETWORK_ACCESS_DENIED;
-+ }
-+ }
-+
-+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
-+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
-+ TALLOC_FREE(state->lk_creds);
-+ return;
-+ }
-+
-+ netlogon_creds_cli_delete(state->context, &state->lk_creds);
-+}
-+
-+static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq);
-+
-+static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req)
-+{
-+ struct netlogon_creds_cli_LogonSamLogon_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_LogonSamLogon_state);
-+ struct tevent_req *subreq;
-+ NTSTATUS status;
-+ enum dcerpc_AuthType auth_type;
-+ enum dcerpc_AuthLevel auth_level;
-+
-+ TALLOC_FREE(state->ro_creds);
-+ TALLOC_FREE(state->logon);
-+ ZERO_STRUCTP(state->validation);
-+
-+ dcerpc_binding_handle_auth_info(state->binding_handle,
-+ &auth_type, &auth_level);
-+
-+ state->try_logon_ex = state->context->server.try_logon_ex;
-+ state->try_validation6 = state->context->server.try_validation6;
-+
-+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
-+ state->try_logon_ex = false;
-+ }
-+
-+ if (auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
-+ state->try_validation6 = false;
-+ }
-+
-+ if (state->try_logon_ex) {
-+ if (state->try_validation6) {
-+ state->validation_level = 6;
-+ } else {
-+ state->validation_level = 3;
-+ state->user_encrypt = true;
-+ }
-+
-+ state->logon = netlogon_creds_shallow_copy_logon(state,
-+ state->logon_level,
-+ state->const_logon);
-+ if (tevent_req_nomem(state->logon, req)) {
-+ status = NT_STATUS_NO_MEMORY;
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+
-+ if (state->user_encrypt) {
-+ status = netlogon_creds_cli_get(state->context,
-+ state,
-+ &state->ro_creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ status = NT_STATUS_ACCESS_DENIED;
-+ tevent_req_nterror(req, status);
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+
-+ netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
-+ state->logon_level,
-+ state->logon);
-+ }
-+
-+ subreq = dcerpc_netr_LogonSamLogonEx_send(state, state->ev,
-+ state->binding_handle,
-+ state->srv_name_slash,
-+ state->context->client.computer,
-+ state->logon_level,
-+ state->logon,
-+ state->validation_level,
-+ state->validation,
-+ &state->authoritative,
-+ &state->flags);
-+ if (tevent_req_nomem(subreq, req)) {
-+ status = NT_STATUS_NO_MEMORY;
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+ tevent_req_set_callback(subreq,
-+ netlogon_creds_cli_LogonSamLogon_done,
-+ req);
-+ return;
-+ }
-+
-+ if (state->lk_creds == NULL) {
-+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
-+ state->context);
-+ if (tevent_req_nomem(subreq, req)) {
-+ status = NT_STATUS_NO_MEMORY;
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+ tevent_req_set_callback(subreq,
-+ netlogon_creds_cli_LogonSamLogon_done,
-+ req);
-+ return;
-+ }
-+
-+ state->tmp_creds = *state->lk_creds;
-+ netlogon_creds_client_authenticator(&state->tmp_creds,
-+ &state->req_auth);
-+ ZERO_STRUCT(state->rep_auth);
-+
-+ state->logon = netlogon_creds_shallow_copy_logon(state,
-+ state->logon_level,
-+ state->const_logon);
-+ if (tevent_req_nomem(state->logon, req)) {
-+ status = NT_STATUS_NO_MEMORY;
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+
-+ netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
-+ state->logon_level,
-+ state->logon);
-+
-+ state->validation_level = 3;
-+
-+ if (state->context->server.try_logon_with) {
-+ subreq = dcerpc_netr_LogonSamLogonWithFlags_send(state, state->ev,
-+ state->binding_handle,
-+ state->srv_name_slash,
-+ state->context->client.computer,
-+ &state->req_auth,
-+ &state->rep_auth,
-+ state->logon_level,
-+ state->logon,
-+ state->validation_level,
-+ state->validation,
-+ &state->authoritative,
-+ &state->flags);
-+ if (tevent_req_nomem(subreq, req)) {
-+ status = NT_STATUS_NO_MEMORY;
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+ } else {
-+ state->flags = 0;
-+
-+ subreq = dcerpc_netr_LogonSamLogon_send(state, state->ev,
-+ state->binding_handle,
-+ state->srv_name_slash,
-+ state->context->client.computer,
-+ &state->req_auth,
-+ &state->rep_auth,
-+ state->logon_level,
-+ state->logon,
-+ state->validation_level,
-+ state->validation,
-+ &state->authoritative);
-+ if (tevent_req_nomem(subreq, req)) {
-+ status = NT_STATUS_NO_MEMORY;
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+ }
-+
-+ tevent_req_set_callback(subreq,
-+ netlogon_creds_cli_LogonSamLogon_done,
-+ req);
-+}
-+
-+static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
-+{
-+ struct tevent_req *req =
-+ tevent_req_callback_data(subreq,
-+ struct tevent_req);
-+ struct netlogon_creds_cli_LogonSamLogon_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_LogonSamLogon_state);
-+ NTSTATUS status;
-+ NTSTATUS result;
-+ bool ok;
-+
-+ if (state->try_logon_ex) {
-+ status = dcerpc_netr_LogonSamLogonEx_recv(subreq,
-+ state->validation,
-+ &result);
-+ TALLOC_FREE(subreq);
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-+ state->context->server.try_validation6 = false;
-+ state->context->server.try_logon_ex = false;
-+ netlogon_creds_cli_LogonSamLogon_start(req);
-+ return;
-+ }
-+ if (tevent_req_nterror(req, status)) {
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+
-+ if ((state->validation_level == 6) &&
-+ (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
-+ NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
-+ NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)))
-+ {
-+ state->context->server.try_validation6 = false;
-+ netlogon_creds_cli_LogonSamLogon_start(req);
-+ return;
-+ }
-+
-+ if (tevent_req_nterror(req, result)) {
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
-+ return;
-+ }
-+
-+ if (state->ro_creds == NULL) {
-+ tevent_req_done(req);
-+ return;
-+ }
-+
-+ ok = netlogon_creds_cli_validate(state->context, state->ro_creds);
-+ if (!ok) {
-+ /*
-+ * We got a race, lets retry with on authenticator
-+ * protection.
-+ */
-+ TALLOC_FREE(state->ro_creds);
-+ state->try_logon_ex = false;
-+ netlogon_creds_cli_LogonSamLogon_start(req);
-+ return;
-+ }
-+
-+ netlogon_creds_decrypt_samlogon_validation(state->ro_creds,
-+ state->validation_level,
-+ state->validation);
-+
-+ tevent_req_done(req);
-+ return;
-+ }
-+
-+ if (state->lk_creds == NULL) {
-+ status = netlogon_creds_cli_lock_recv(subreq, state,
-+ &state->lk_creds);
-+ TALLOC_FREE(subreq);
-+ if (tevent_req_nterror(req, status)) {
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+
-+ netlogon_creds_cli_LogonSamLogon_start(req);
-+ return;
-+ }
-+
-+ if (state->context->server.try_logon_with) {
-+ status = dcerpc_netr_LogonSamLogonWithFlags_recv(subreq,
-+ state->validation,
-+ &result);
-+ TALLOC_FREE(subreq);
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-+ state->context->server.try_logon_with = false;
-+ netlogon_creds_cli_LogonSamLogon_start(req);
-+ return;
-+ }
-+ if (tevent_req_nterror(req, status)) {
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+ } else {
-+ status = dcerpc_netr_LogonSamLogon_recv(subreq,
-+ state->validation,
-+ &result);
-+ TALLOC_FREE(subreq);
-+ if (tevent_req_nterror(req, status)) {
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+ }
-+
-+ ok = netlogon_creds_client_check(&state->tmp_creds,
-+ &state->rep_auth.cred);
-+ if (!ok) {
-+ status = NT_STATUS_ACCESS_DENIED;
-+ tevent_req_nterror(req, status);
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+
-+ *state->lk_creds = state->tmp_creds;
-+ status = netlogon_creds_cli_store(state->context,
-+ &state->lk_creds);
-+ if (tevent_req_nterror(req, status)) {
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ return;
-+ }
-+
-+ if (tevent_req_nterror(req, result)) {
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
-+ return;
-+ }
-+
-+ netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds,
-+ state->validation_level,
-+ state->validation);
-+
-+ tevent_req_done(req);
-+}
-+
-+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
-+ TALLOC_CTX *mem_ctx,
-+ uint16_t *validation_level,
-+ union netr_Validation **validation,
-+ uint8_t *authoritative,
-+ uint32_t *flags)
-+{
-+ struct netlogon_creds_cli_LogonSamLogon_state *state =
-+ tevent_req_data(req,
-+ struct netlogon_creds_cli_LogonSamLogon_state);
-+ NTSTATUS status;
-+
-+ /* authoritative is also returned on error */
-+ *authoritative = state->authoritative;
-+
-+ if (tevent_req_is_nterror(req, &status)) {
-+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
-+ tevent_req_received(req);
-+ return status;
-+ }
-+
-+ *validation_level = state->validation_level;
-+ *validation = talloc_move(mem_ctx, &state->validation);
-+ *flags = state->flags;
-+
-+ tevent_req_received(req);
-+ return NT_STATUS_OK;
-+}
-+
-+NTSTATUS netlogon_creds_cli_LogonSamLogon(
-+ struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b,
-+ enum netr_LogonInfoClass logon_level,
-+ const union netr_LogonLevel *logon,
-+ TALLOC_CTX *mem_ctx,
-+ uint16_t *validation_level,
-+ union netr_Validation **validation,
-+ uint8_t *authoritative,
-+ uint32_t *flags)
-+{
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct tevent_context *ev;
-+ struct tevent_req *req;
-+ NTSTATUS status = NT_STATUS_NO_MEMORY;
-+
-+ ev = samba_tevent_context_init(frame);
-+ if (ev == NULL) {
-+ goto fail;
-+ }
-+ req = netlogon_creds_cli_LogonSamLogon_send(frame, ev, context, b,
-+ logon_level, logon,
-+ *flags);
-+ if (req == NULL) {
-+ goto fail;
-+ }
-+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
-+ goto fail;
-+ }
-+ status = netlogon_creds_cli_LogonSamLogon_recv(req, mem_ctx,
-+ validation_level,
-+ validation,
-+ authoritative,
-+ flags);
-+ fail:
-+ TALLOC_FREE(frame);
-+ return status;
-+}
-diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
-new file mode 100644
-index 0000000..f8f2bef
---- /dev/null
-+++ b/libcli/auth/netlogon_creds_cli.h
-@@ -0,0 +1,138 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+
-+ module to store/fetch session keys for the schannel client
-+
-+ Copyright (C) Stefan Metzmacher 2013
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#ifndef NETLOGON_CREDS_CLI_H
-+#define NETLOGON_CREDS_CLI_H
-+
-+#include "librpc/gen_ndr/dcerpc.h"
-+#include "librpc/gen_ndr/schannel.h"
-+
-+struct netlogon_creds_cli_context;
-+struct messaging_context;
-+struct dcerpc_binding_handle;
-+
-+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
-+
-+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
-+ struct messaging_context *msg_ctx,
-+ const char *client_account,
-+ enum netr_SchannelType type,
-+ const char *server_computer,
-+ const char *server_netbios_domain,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_cli_context **_context);
-+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
-+ const char *client_account,
-+ enum netr_SchannelType type,
-+ enum dcerpc_AuthLevel auth_level,
-+ uint32_t proposed_flags,
-+ uint32_t required_flags,
-+ const char *server_computer,
-+ const char *server_netbios_domain,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_cli_context **_context);
-+NTSTATUS netlogon_creds_cli_context_copy(
-+ const struct netlogon_creds_cli_context *src,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_cli_context **_dst);
-+
-+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
-+ struct netlogon_creds_cli_context *context);
-+
-+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_CredentialState **_creds);
-+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
-+ const struct netlogon_creds_CredentialState *creds1);
-+
-+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
-+ struct netlogon_creds_CredentialState **_creds);
-+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
-+ struct netlogon_creds_CredentialState **_creds);
-+
-+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct netlogon_creds_cli_context *context);
-+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_CredentialState **creds);
-+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_CredentialState **creds);
-+
-+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b,
-+ struct samr_Password current_nt_hash,
-+ const struct samr_Password *previous_nt_hash);
-+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req);
-+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b,
-+ struct samr_Password current_nt_hash,
-+ const struct samr_Password *previous_nt_hash);
-+
-+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b);
-+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req);
-+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b);
-+
-+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b,
-+ const char *new_password,
-+ const uint32_t *new_version);
-+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req);
-+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
-+ struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b,
-+ const char *new_password,
-+ const uint32_t *new_version);
-+
-+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b,
-+ enum netr_LogonInfoClass logon_level,
-+ const union netr_LogonLevel *logon,
-+ uint32_t flags);
-+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
-+ TALLOC_CTX *mem_ctx,
-+ uint16_t *validation_level,
-+ union netr_Validation **validation,
-+ uint8_t *authoritative,
-+ uint32_t *flags);
-+NTSTATUS netlogon_creds_cli_LogonSamLogon(
-+ struct netlogon_creds_cli_context *context,
-+ struct dcerpc_binding_handle *b,
-+ enum netr_LogonInfoClass logon_level,
-+ const union netr_LogonLevel *logon,
-+ TALLOC_CTX *mem_ctx,
-+ uint16_t *validation_level,
-+ union netr_Validation **validation,
-+ uint8_t *authoritative,
-+ uint32_t *flags);
-+
-+#endif /* NETLOGON_CREDS_CLI_H */
-diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
-index ca2be2d..51eb293 100755
---- a/libcli/auth/wscript_build
-+++ b/libcli/auth/wscript_build
-@@ -28,6 +28,10 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
- deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
- )
-
-+bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI',
-+ source='netlogon_creds_cli.c',
-+ deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON NDR_NETLOGON'
-+ )
-
- bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
- source='pam_errors.c',
---
-1.9.3
-
-
-From e4a4e18ea7f9a9742de16e477917da6ae11ac42e Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 13 Dec 2013 17:31:45 +0100
-Subject: [PATCH 163/249] libcli/auth: use unique key_name values in
- netlogon_creds_cli_context_common()
-
-Until all callers are fixed to pass the same 'server_computer'
-value, we try to calculate a server_netbios_name and use this
-as unique identifier for a specific domain controller.
-
-Otherwise winbind would use 'hostname.example.com'
-while 'net rpc testjoin' would use 'HOSTNAME',
-which leads to 2 records in netlogon_creds_cli.tdb
-for the same domain controller.
-
-Once all callers are fixed we can think about reverting this
-commit.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit dc96b1ddccfe8eb1a631355f9471ee0b620d682c)
----
- libcli/auth/netlogon_creds_cli.c | 58 +++++++++++++++++++++++++++++++++-------
- 1 file changed, 48 insertions(+), 10 deletions(-)
-
-diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
-index 75d6b2c..a872b31 100644
---- a/libcli/auth/netlogon_creds_cli.c
-+++ b/libcli/auth/netlogon_creds_cli.c
-@@ -106,23 +106,30 @@ static NTSTATUS netlogon_creds_cli_context_common(
- struct netlogon_creds_cli_context **_context)
- {
- struct netlogon_creds_cli_context *context = NULL;
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ char *_key_name = NULL;
-+ char *server_netbios_name = NULL;
-+ char *p = NULL;
-
- *_context = NULL;
-
- context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
- if (context == NULL) {
-+ TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
-
- context->client.computer = talloc_strdup(context, client_computer);
- if (context->client.computer == NULL) {
-- talloc_free(context);
-+ TALLOC_FREE(context);
-+ TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
-
- context->client.account = talloc_strdup(context, client_account);
- if (context->client.account == NULL) {
-- talloc_free(context);
-+ TALLOC_FREE(context);
-+ TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
-
-@@ -133,29 +140,60 @@ static NTSTATUS netlogon_creds_cli_context_common(
-
- context->server.computer = talloc_strdup(context, server_computer);
- if (context->server.computer == NULL) {
-- talloc_free(context);
-+ TALLOC_FREE(context);
-+ TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
-
- context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
- if (context->server.netbios_domain == NULL) {
-- talloc_free(context);
-+ TALLOC_FREE(context);
-+ TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
-
-- context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
-- client_computer,
-- client_account,
-- server_computer,
-- server_netbios_domain);
-+ /*
-+ * TODO:
-+ * Force the callers to provide a unique
-+ * value for server_computer and use this directly.
-+ *
-+ * For now we have to deal with
-+ * "HOSTNAME" vs. "hostname.example.com".
-+ */
-+ server_netbios_name = talloc_strdup(frame, server_computer);
-+ if (server_netbios_name == NULL) {
-+ TALLOC_FREE(context);
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ p = strchr(server_netbios_name, '.');
-+ if (p != NULL) {
-+ p[0] = '\0';
-+ }
-+
-+ _key_name = talloc_asprintf(frame, "CLI[%s/%s]/SRV[%s/%s]",
-+ client_computer,
-+ client_account,
-+ server_netbios_name,
-+ server_netbios_domain);
-+ if (_key_name == NULL) {
-+ TALLOC_FREE(context);
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ context->db.key_name = talloc_strdup_upper(context, _key_name);
- if (context->db.key_name == NULL) {
-- talloc_free(context);
-+ TALLOC_FREE(context);
-+ TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
-
- context->db.key_data = string_term_tdb_data(context->db.key_name);
-
- *_context = context;
-+ TALLOC_FREE(frame);
- return NT_STATUS_OK;
- }
-
---
-1.9.3
-
-
-From 29bc7cb7a1c0ef62c923ce859cdd07de2846c5f5 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 17 Oct 2013 19:01:28 +0200
-Subject: [PATCH 164/249] s3:param: set Globals.bWinbindSealedPipes = true
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 99d8653d83aa2e2e3a0ea097ab7cb65d62d76daf)
----
- source3/param/loadparm.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 40f3242..7d95256 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -834,6 +834,7 @@ static void init_globals(bool reinit_globals)
- Globals.security = SEC_USER;
- Globals.bEncryptPasswords = true;
- Globals.clientSchannel = Auto;
-+ Globals.bWinbindSealedPipes = true;
- Globals.serverSchannel = Auto;
- Globals.bReadRaw = true;
- Globals.bWriteRaw = true;
---
-1.9.3
-
-
-From 21b9d9847ba236d78156de07dd24032e64f2124d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 17 Oct 2013 18:39:56 +0200
-Subject: [PATCH 165/249] lib/param: add "neutralize nt4 emulation" option,
- defaulting to false
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit b39ca3a2aefdd43a55b9cdd8fa5136254b283927)
----
- .../smbdotconf/winbind/netutralizent4emulation.xml | 19 +++++++++++++++++++
- lib/param/param_functions.c | 1 +
- lib/param/param_table.c | 9 +++++++++
- 3 files changed, 29 insertions(+)
- create mode 100644 docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
-
-diff --git a/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
-new file mode 100644
-index 0000000..8294a90
---- /dev/null
-+++ b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
-@@ -0,0 +1,19 @@
-+<samba:parameter name="neutralize nt4 emulation"
-+ context="G"
-+ type="boolean"
-+ advanced="1" developer="1"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>This option controls whether winbindd sends
-+ the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass
-+ the NT4 emulation of a domain controller.</para>
-+
-+ <para>Typically you should not need set this.
-+ It can be useful for upgrades from NT4 to AD domains.</para>
-+
-+ <para>The behavior can be controlled per netbios domain
-+ by using 'neutralize nt4 emulation:NETBIOSDOMAIN = yes' as option.</para>
-+</description>
-+
-+<value type="default">no</value>
-+</samba:parameter>
-diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
-index 60f9c07..aef091b 100644
---- a/lib/param/param_functions.c
-+++ b/lib/param/param_functions.c
-@@ -192,6 +192,7 @@ FN_GLOBAL_BOOL(log_writeable_files_on_exit, bLogWriteableFilesOnExit)
- FN_GLOBAL_BOOL(map_untrusted_to_domain, bMapUntrustedToDomain)
- FN_GLOBAL_BOOL(ms_add_printer_wizard, bMsAddPrinterWizard)
- FN_GLOBAL_BOOL(multicast_dns_register, bMulticastDnsRegister)
-+FN_GLOBAL_BOOL(neutralize_nt4_emulation, bNeutralizeNT4Emulation)
- FN_GLOBAL_BOOL(nis_home_map, bNISHomeMap)
- FN_GLOBAL_BOOL(nmbd_bind_explicit_broadcast, bNmbdBindExplicitBroadcast)
- FN_GLOBAL_BOOL(ntlm_auth, bNTLMAuth)
-diff --git a/lib/param/param_table.c b/lib/param/param_table.c
-index 8e3f952..edf6829 100644
---- a/lib/param/param_table.c
-+++ b/lib/param/param_table.c
-@@ -4188,6 +4188,15 @@ static struct parm_struct parm_table[] = {
- .enum_list = NULL,
- .flags = FLAG_ADVANCED,
- },
-+ {
-+ .label = "neutralize nt4 emulation",
-+ .type = P_BOOL,
-+ .p_class = P_GLOBAL,
-+ .offset = GLOBAL_VAR(bNeutralizeNT4Emulation),
-+ .special = NULL,
-+ .enum_list = NULL,
-+ .flags = FLAG_ADVANCED,
-+ },
-
- {N_("DNS options"), P_SEP, P_SEPARATOR},
- {
---
-1.9.3
-
-
-From d1cfe2d0f3f72e8b7700eee01e47b0bb9d3b9ca3 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 17 Oct 2013 18:39:56 +0200
-Subject: [PATCH 166/249] lib/param: add "reject md5 servers" option,
- defaulting to false
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit de4f8f0825790452455a9d51e9d84d4d4a5c0d3b)
----
- docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 23 +++++++++++++++++++++++
- lib/param/param_functions.c | 1 +
- lib/param/param_table.c | 9 +++++++++
- 3 files changed, 33 insertions(+)
- create mode 100644 docs-xml/smbdotconf/winbind/rejectmd5servers.xml
-
-diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
-new file mode 100644
-index 0000000..18f8bcb
---- /dev/null
-+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
-@@ -0,0 +1,23 @@
-+<samba:parameter name="reject md5 servers"
-+ context="G"
-+ type="boolean"
-+ advanced="1"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>This option controls whether winbindd requires support
-+ for aes support for the netlogon secure channel.</para>
-+
-+ <para>The following flags will be required NETLOGON_NEG_ARCFOUR,
-+ NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
-+
-+ <para>You can set this to yes if all domain controllers support aes.
-+ This will prevent downgrade attacks.</para>
-+
-+ <para>The behavior can be controlled per netbios domain
-+ by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
-+
-+ <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
-+</description>
-+
-+<value type="default">no</value>
-+</samba:parameter>
-diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
-index aef091b..ecd7f8e 100644
---- a/lib/param/param_functions.c
-+++ b/lib/param/param_functions.c
-@@ -204,6 +204,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
- FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
- FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
- FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
-+FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
- FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
- FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
- FN_GLOBAL_BOOL(stat_cache, bStatCache)
-diff --git a/lib/param/param_table.c b/lib/param/param_table.c
-index edf6829..b53f850 100644
---- a/lib/param/param_table.c
-+++ b/lib/param/param_table.c
-@@ -4197,6 +4197,15 @@ static struct parm_struct parm_table[] = {
- .enum_list = NULL,
- .flags = FLAG_ADVANCED,
- },
-+ {
-+ .label = "reject md5 servers",
-+ .type = P_BOOL,
-+ .p_class = P_GLOBAL,
-+ .offset = GLOBAL_VAR(bRejectMD5Servers),
-+ .special = NULL,
-+ .enum_list = NULL,
-+ .flags = FLAG_ADVANCED,
-+ },
-
- {N_("DNS options"), P_SEP, P_SEPARATOR},
- {
---
-1.9.3
-
-
-From 2545090f09da279655510f87d02c631c74409eb1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 17 Oct 2013 18:39:56 +0200
-Subject: [PATCH 167/249] lib/param: add "require strong key" option,
- defaulting to true
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 6630c68cce8fbbd700e7d4cd92ec3ebb2a268f06)
----
- docs-xml/smbdotconf/winbind/requirestrongkey.xml | 27 ++++++++++++++++++++++++
- lib/param/loadparm.c | 1 +
- lib/param/param_functions.c | 1 +
- lib/param/param_table.c | 9 ++++++++
- 4 files changed, 38 insertions(+)
- create mode 100644 docs-xml/smbdotconf/winbind/requirestrongkey.xml
-
-diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
-new file mode 100644
-index 0000000..de749bb
---- /dev/null
-+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
-@@ -0,0 +1,27 @@
-+<samba:parameter name="require strong key"
-+ context="G"
-+ type="boolean"
-+ advanced="1"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>This option controls whether winbindd requires support
-+ for md5 strong key support for the netlogon secure channel.</para>
-+
-+ <para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
-+ NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
-+
-+ <para>You can set this to no if some domain controllers only support des.
-+ This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
-+
-+ <para>The behavior can be controlled per netbios domain
-+ by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
-+
-+ <para>Note for active directory domain this option is hardcoded to 'yes'</para>
-+
-+ <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
-+
-+ <para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
-+</description>
-+
-+<value type="default">yes</value>
-+</samba:parameter>
-diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
-index 23b45e2..a84a166 100644
---- a/lib/param/loadparm.c
-+++ b/lib/param/loadparm.c
-@@ -2183,6 +2183,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
-
- lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
- lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
-+ lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
- lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
- lpcfg_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
- lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
-diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
-index ecd7f8e..41b137f 100644
---- a/lib/param/param_functions.c
-+++ b/lib/param/param_functions.c
-@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
- FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
- FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
- FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
-+FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
- FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
- FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
- FN_GLOBAL_BOOL(stat_cache, bStatCache)
-diff --git a/lib/param/param_table.c b/lib/param/param_table.c
-index b53f850..36e8554 100644
---- a/lib/param/param_table.c
-+++ b/lib/param/param_table.c
-@@ -4206,6 +4206,15 @@ static struct parm_struct parm_table[] = {
- .enum_list = NULL,
- .flags = FLAG_ADVANCED,
- },
-+ {
-+ .label = "require strong key",
-+ .type = P_BOOL,
-+ .p_class = P_GLOBAL,
-+ .offset = GLOBAL_VAR(bRequireStrongKey),
-+ .special = NULL,
-+ .enum_list = NULL,
-+ .flags = FLAG_ADVANCED,
-+ },
-
- {N_("DNS options"), P_SEP, P_SEPARATOR},
- {
---
-1.9.3
-
-
-From 4e604cc566b2854045c5b794a846c1ab1ef4a35f Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 17 Oct 2013 19:01:47 +0200
-Subject: [PATCH 168/249] s3:param: set Globals.bRequireStrongKey = true
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit e7954bcc04ec6761b2ed6dad08b90c65efafa948)
----
- source3/param/loadparm.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 7d95256..ed46e53 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -835,6 +835,7 @@ static void init_globals(bool reinit_globals)
- Globals.bEncryptPasswords = true;
- Globals.clientSchannel = Auto;
- Globals.bWinbindSealedPipes = true;
-+ Globals.bRequireStrongKey = true;
- Globals.serverSchannel = Auto;
- Globals.bReadRaw = true;
- Globals.bWriteRaw = true;
---
-1.9.3
-
-
-From 382f69a0f3762947a3e8cc02e8e9817533073195 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 17 Oct 2013 18:48:15 +0200
-Subject: [PATCH 169/249] libcli/auth: make use of real options in
- netlogon_creds_cli_context_global()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit fa3af7c2e8f1bf292e190ba3d933b6e1d552595d)
----
- libcli/auth/netlogon_creds_cli.c | 18 +++---------------
- 1 file changed, 3 insertions(+), 15 deletions(-)
-
-diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
-index a872b31..6590b21 100644
---- a/libcli/auth/netlogon_creds_cli.c
-+++ b/libcli/auth/netlogon_creds_cli.c
-@@ -279,11 +279,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
- * allow overwrite per domain
- * reject md5 servers:<netbios_domain>
- */
-- //TODO: add lpcfp_reject_md5_servers()
-- reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
-- "__default__",
-- "reject md5 servers",
-- reject_md5_servers);
-+ reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
- reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
- "reject md5 servers",
- server_netbios_domain,
-@@ -293,11 +289,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
- * allow overwrite per domain
- * require strong key:<netbios_domain>
- */
-- //TODO: add lpcfp_require_strong_key()
-- require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
-- "__default__",
-- "require strong key",
-- require_strong_key);
-+ require_strong_key = lpcfg_require_strong_key(lp_ctx);
- require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
- "require strong key",
- server_netbios_domain,
-@@ -327,11 +319,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
- * allow overwrite per domain
- * neutralize nt4 emulation:<netbios_domain>
- */
-- //TODO: add lpcfp_neutralize_nt4_emulation()
-- neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
-- "__default__",
-- "neutralize nt4 emulation",
-- neutralize_nt4_emulation);
-+ neutralize_nt4_emulation = lpcfg_neutralize_nt4_emulation(lp_ctx);
- neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
- "neutralize nt4 emulation",
- server_netbios_domain,
---
-1.9.3
-
-
-From 79e8c0c97591ed8bc129561e44b0d94757fcc4e1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 23 Dec 2013 10:45:27 +0100
-Subject: [PATCH 170/249] docs-xml: explain the interaction between security =
- ads and other options.
-
-It implies 'require strong key = yes' and 'client schannel = yes'.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit f703a37a56e215827dbb2a7ec8da6738bf17f600)
----
- docs-xml/smbdotconf/security/security.xml | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
-index 406089f..2f5c3f7 100644
---- a/docs-xml/smbdotconf/security/security.xml
-+++ b/docs-xml/smbdotconf/security/security.xml
-@@ -99,7 +99,10 @@
-
- <para>Note that this mode does NOT make Samba operate as a Active Directory Domain
- Controller. </para>
--
-+
-+ <para>Note that this forces <smbconfoption name="require strong key">yes</smbconfoption>
-+ and <smbconfoption name="client schannel">yes</smbconfoption> for the primary domain.</para>
-+
- <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
- </description>
-
---
-1.9.3
-
-
-From 27ea332df51e3cd8ed9601633282b688e6f288a7 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 23 Dec 2013 10:46:57 +0100
-Subject: [PATCH 171/249] docs-xml: explain the interaction of 'client
- schannel' with 'require strong key = yes'
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 1d69fdddd5287757c2e67b0982d00241a6d75d26)
----
- docs-xml/smbdotconf/security/clientschannel.xml | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
-index e229182..ac4cc59 100644
---- a/docs-xml/smbdotconf/security/clientschannel.xml
-+++ b/docs-xml/smbdotconf/security/clientschannel.xml
-@@ -12,6 +12,11 @@
- enforce it, and <smbconfoption name="client schannel">yes</smbconfoption> denies access
- if the server is not able to speak netlogon schannel.
- </para>
-+
-+ <para>Note that for active directory domains this is hardcoded to
-+ <smbconfoption name="client schannel">yes</smbconfoption>.</para>
-+
-+ <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
- </description>
- <value type="default">auto</value>
- <value type="example">yes</value>
---
-1.9.3
-
-
-From 4853daeffb1916db3b92dc6ba9e5776652ec5f4e Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 17 Oct 2013 19:31:58 +0200
-Subject: [PATCH 172/249] s3:winbindd: make use of the "winbind sealed pipes"
- option for all connections
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 225982e1cb6276ed5c6a47c0e4827d75e8ab2fb1)
----
- source3/winbindd/winbindd.h | 3 +++
- source3/winbindd/winbindd_cm.c | 20 +++++++++++++++++---
- 2 files changed, 20 insertions(+), 3 deletions(-)
-
-diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
-index 72eb3ec..afde685 100644
---- a/source3/winbindd/winbindd.h
-+++ b/source3/winbindd/winbindd.h
-@@ -25,6 +25,7 @@
-
- #include "nsswitch/winbind_struct_protocol.h"
- #include "nsswitch/libwbclient/wbclient.h"
-+#include "librpc/gen_ndr/dcerpc.h"
- #include "librpc/gen_ndr/wbint.h"
-
- #include "talloc_dict.h"
-@@ -105,6 +106,8 @@ struct getpwent_user {
- struct winbindd_cm_conn {
- struct cli_state *cli;
-
-+ enum dcerpc_AuthLevel auth_level;
-+
- struct rpc_pipe_client *samr_pipe;
- struct policy_handle sam_connect_handle, sam_domain_handle;
-
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index c4f59d3..6c1244e 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -1722,6 +1722,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
- }
-
- if (NT_STATUS_IS_OK(result)) {
-+ bool seal_pipes = true;
-
- winbindd_set_locator_kdc_envs(domain);
-
-@@ -1741,6 +1742,17 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
- */
- store_current_dc_in_gencache(domain->name, domain->dcname,
- new_conn->cli);
-+
-+ seal_pipes = lp_winbind_sealed_pipes();
-+ seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
-+ domain->name,
-+ seal_pipes);
-+
-+ if (seal_pipes) {
-+ new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
-+ } else {
-+ new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
-+ }
- } else {
- /* Ensure we setup the retry handler. */
- set_domain_offline(domain);
-@@ -1813,6 +1825,8 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
- }
- }
-
-+ conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
-+
- if (conn->cli) {
- cli_shutdown(conn->cli);
- }
-@@ -2363,7 +2377,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- &ndr_table_samr,
- NCACN_NP,
- GENSEC_OID_NTLMSSP,
-- DCERPC_AUTH_LEVEL_PRIVACY,
-+ conn->auth_level,
- smbXcli_conn_remote_name(conn->cli->conn),
- domain_name,
- machine_account,
-@@ -2534,7 +2548,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
-
- if (conn->lsa_pipe_tcp &&
- conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
-- conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
-+ conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
- rpccli_is_connected(conn->lsa_pipe_tcp)) {
- goto done;
- }
-@@ -2602,7 +2616,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- result = cli_rpc_pipe_open_spnego
- (conn->cli, &ndr_table_lsarpc, NCACN_NP,
- GENSEC_OID_NTLMSSP,
-- DCERPC_AUTH_LEVEL_PRIVACY,
-+ conn->auth_level,
- smbXcli_conn_remote_name(conn->cli->conn),
- conn->cli->domain, conn->cli->user_name, conn->cli->password,
- &conn->lsa_pipe);
---
-1.9.3
-
-
-From c2116e6a1ee32ff36942091287e90b08d1ecf6d1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 14 Nov 2013 18:53:06 +0100
-Subject: [PATCH 173/249] docs-xml: update 'winbind sealed pipes' description
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 11aed7cd3dbd967593b34a206f0802fd0002bf27)
----
- docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-index 26f446e..63f5588 100644
---- a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-@@ -4,12 +4,12 @@
- advanced="1" developer="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
- <description>
-- <para>This option controls whether any requests made over the Samba 4 winbind
-+ <para>This option controls whether any requests from winbindd to domain controllers
- pipe will be sealed. Disabling sealing can be useful for debugging
- purposes.</para>
-
-- <para>Note that this option only applies to the Samba 4 winbind and not
-- to the standard winbind.</para>
-+ <para>The behavior can be controlled per netbios domain
-+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
- </description>
-
- <value type="default">yes</value>
---
-1.9.3
-
-
-From ea14b4a713a85a2d87cba6ad88127020e1d5e813 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 27 Jul 2013 11:30:13 +0200
-Subject: [PATCH 174/249] s3:rpc_client: make use of the new
- netlogon_creds_cli_context
-
-This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
-and lets the secure channel session state be stored in node local database.
-
-This is the proper fix for a large number of bugs:
-https://bugzilla.samba.org/show_bug.cgi?id=6563
-https://bugzilla.samba.org/show_bug.cgi?id=7944
-https://bugzilla.samba.org/show_bug.cgi?id=7945
-https://bugzilla.samba.org/show_bug.cgi?id=7568
-https://bugzilla.samba.org/show_bug.cgi?id=8599
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 38d4dba37406515181e4d6f1a1faffc18e652e27)
----
- source3/libnet/libnet_join.c | 3 +-
- source3/libnet/libnet_samsync.c | 19 +-
- source3/rpc_client/cli_netlogon.c | 436 ++++++++-------------------------
- source3/rpc_client/cli_pipe.c | 139 +++--------
- source3/rpc_client/cli_pipe.h | 2 +-
- source3/rpc_client/cli_pipe_schannel.c | 3 +-
- source3/rpc_client/rpc_client.h | 2 +-
- source3/rpcclient/cmd_netlogon.c | 57 ++++-
- source3/winbindd/winbindd.h | 9 -
- source3/winbindd/winbindd_cm.c | 36 +--
- source3/winbindd/winbindd_pam.c | 136 ++--------
- source3/wscript_build | 6 +-
- 12 files changed, 250 insertions(+), 598 deletions(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index c1eccda..5dc620f 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -1279,7 +1279,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
- status = cli_rpc_pipe_open_schannel_with_key(
- cli, &ndr_table_netlogon, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY,
-- netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
-+ netbios_domain_name,
-+ netlogon_pipe->netlogon_creds, &pipe_hnd);
-
- cli_shutdown(cli);
-
-diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
-index a103785..02d3fc6 100644
---- a/source3/libnet/libnet_samsync.c
-+++ b/source3/libnet/libnet_samsync.c
-@@ -30,6 +30,7 @@
- #include "../librpc/gen_ndr/ndr_netlogon_c.h"
- #include "../libcli/security/security.h"
- #include "messages.h"
-+#include "../libcli/auth/netlogon_creds_cli.h"
-
- /**
- * Fix up the delta, dealing with encryption issues so that the final
-@@ -213,8 +214,15 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
-
- do {
- struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
-+ struct netlogon_creds_CredentialState *creds = NULL;
-
-- netlogon_creds_client_authenticator(ctx->cli->dc, &credential);
-+ status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
-+ mem_ctx, &creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ netlogon_creds_client_authenticator(creds, &credential);
-
- if (ctx->single_object_replication &&
- !ctx->force_full_replication) {
-@@ -254,28 +262,33 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
- }
-
- if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(creds);
- return status;
- }
-
- /* Check returned credentials. */
-- if (!netlogon_creds_client_check(ctx->cli->dc,
-+ if (!netlogon_creds_client_check(creds,
- &return_authenticator.cred)) {
-+ TALLOC_FREE(creds);
- DEBUG(0,("credentials chain check failed\n"));
- return NT_STATUS_ACCESS_DENIED;
- }
-
- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
-+ TALLOC_FREE(creds);
- return result;
- }
-
- if (NT_STATUS_IS_ERR(result)) {
-+ TALLOC_FREE(creds);
- break;
- }
-
- samsync_fix_delta_array(mem_ctx,
-- ctx->cli->dc,
-+ creds,
- database_id,
- delta_enum_array);
-+ TALLOC_FREE(creds);
-
- /* Process results */
- callback_status = ctx->ops->process_objects(mem_ctx, database_id,
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index 5e8a2fc..fcd24d6 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -23,11 +23,13 @@
- #include "includes.h"
- #include "rpc_client/rpc_client.h"
- #include "../libcli/auth/libcli_auth.h"
-+#include "../libcli/auth/netlogon_creds_cli.h"
- #include "../librpc/gen_ndr/ndr_netlogon_c.h"
- #include "rpc_client/cli_netlogon.h"
- #include "rpc_client/init_netlogon.h"
- #include "rpc_client/util_netlogon.h"
- #include "../libcli/security/security.h"
-+#include "lib/param/param.h"
-
- /****************************************************************************
- Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
-@@ -44,113 +46,81 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
- enum netr_SchannelType sec_chan_type,
- uint32_t *neg_flags_inout)
- {
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct loadparm_context *lp_ctx;
- NTSTATUS status;
-- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-- struct netr_Credential clnt_chal_send;
-- struct netr_Credential srv_chal_recv;
- struct samr_Password password;
-- bool retried = false;
- fstring mach_acct;
-- uint32_t neg_flags = *neg_flags_inout;
- struct dcerpc_binding_handle *b = cli->binding_handle;
-+ struct netlogon_creds_CredentialState *creds = NULL;
-
- if (!ndr_syntax_id_equal(&cli->abstract_syntax,
- &ndr_table_netlogon.syntax_id)) {
-+ TALLOC_FREE(frame);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
-- TALLOC_FREE(cli->dc);
--
-- /* Store the machine account password we're going to use. */
-- memcpy(password.hash, machine_pwd, 16);
--
-- fstr_sprintf( mach_acct, "%s$", machine_account);
--
-- again:
-- /* Create the client challenge. */
-- generate_random_buffer(clnt_chal_send.data, 8);
--
-- /* Get the server challenge. */
-- status = dcerpc_netr_ServerReqChallenge(b, talloc_tos(),
-- cli->srv_name_slash,
-- clnt_name,
-- &clnt_chal_send,
-- &srv_chal_recv,
-- &result);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
-- if (!NT_STATUS_IS_OK(result)) {
-- return result;
-+ if (!strequal(lp_netbios_name(), clnt_name)) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_INVALID_PARAMETER;
- }
-
-- /* Calculate the session key and client credentials */
-+ TALLOC_FREE(cli->netlogon_creds);
-
-- cli->dc = netlogon_creds_client_init(cli,
-- mach_acct,
-- clnt_name,
-- sec_chan_type,
-- &clnt_chal_send,
-- &srv_chal_recv,
-- &password,
-- &clnt_chal_send,
-- neg_flags);
-+ fstr_sprintf( mach_acct, "%s$", machine_account);
-
-- if (!cli->dc) {
-+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
-+ if (lp_ctx == NULL) {
-+ TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
--
-- /*
-- * Send client auth-2 challenge and receive server repy.
-- */
--
-- status = dcerpc_netr_ServerAuthenticate2(b, talloc_tos(),
-- cli->srv_name_slash,
-- cli->dc->account_name,
-- sec_chan_type,
-- cli->dc->computer_name,
-- &clnt_chal_send, /* input. */
-- &srv_chal_recv, /* output. */
-- &neg_flags,
-- &result);
-+ status = netlogon_creds_cli_context_global(lp_ctx,
-+ NULL, /* msg_ctx */
-+ mach_acct,
-+ sec_chan_type,
-+ server_name,
-+ domain,
-+ cli, &cli->netlogon_creds);
-+ talloc_unlink(frame, lp_ctx);
- if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
- return status;
- }
-- /* we might be talking to NT4, so let's downgrade in that case and retry
-- * with the returned neg_flags - gd */
-
-- if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) {
-- retried = true;
-- TALLOC_FREE(cli->dc);
-- goto again;
-+ status = netlogon_creds_cli_get(cli->netlogon_creds,
-+ frame, &creds);
-+ if (NT_STATUS_IS_OK(status)) {
-+ DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
-+ "cached credential\n",
-+ cli->desthost));
-+ *neg_flags_inout = creds->negotiate_flags;
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_OK;
- }
-
-- if (!NT_STATUS_IS_OK(result)) {
-- return result;
-- }
--
-- /*
-- * Check the returned value using the initial
-- * server received challenge.
-- */
--
-- if (!netlogon_creds_client_check(cli->dc, &srv_chal_recv)) {
-- /*
-- * Server replied with bad credential. Fail.
-- */
-- DEBUG(0,("rpccli_netlogon_setup_creds: server %s "
-- "replied with bad credential\n",
-- cli->desthost ));
-- return NT_STATUS_ACCESS_DENIED;
-- }
-+ /* Store the machine account password we're going to use. */
-+ memcpy(password.hash, machine_pwd, 16);
-
- DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
- "chain established.\n",
- cli->desthost ));
-
-- cli->dc->negotiate_flags = neg_flags;
-- *neg_flags_inout = neg_flags;
-+ status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
-+ password, NULL);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+
-+ status = netlogon_creds_cli_get(cli->netlogon_creds,
-+ frame, &creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_INTERNAL_ERROR;
-+ }
-
-+ *neg_flags_inout = creds->negotiate_flags;
-+ TALLOC_FREE(frame);
- return NT_STATUS_OK;
- }
-
-@@ -163,20 +133,16 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
- const char *username,
- const char *password,
- const char *workstation,
-- uint16_t validation_level,
-+ uint16_t _ignored_validation_level,
- int logon_type)
- {
-- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- NTSTATUS status;
-- struct netr_Authenticator clnt_creds;
-- struct netr_Authenticator ret_creds;
- union netr_LogonLevel *logon;
-- union netr_Validation validation;
-- uint8_t authoritative;
-+ uint16_t validation_level = 0;
-+ union netr_Validation *validation = NULL;
-+ uint8_t authoritative = 0;
-+ uint32_t flags = 0;
- fstring clnt_name_slash;
-- struct dcerpc_binding_handle *b = cli->binding_handle;
--
-- ZERO_STRUCT(ret_creds);
-
- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
- if (!logon) {
-@@ -191,8 +157,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
-
- /* Initialise input parameters */
-
-- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
--
- switch (logon_type) {
- case NetlogonInteractiveInformation: {
-
-@@ -208,17 +172,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
-
- nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
-
-- if (cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- netlogon_creds_aes_encrypt(cli->dc, lmpassword.hash, 16);
-- netlogon_creds_aes_encrypt(cli->dc, ntpassword.hash, 16);
-- } else if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-- netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16);
-- netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16);
-- } else {
-- netlogon_creds_des_encrypt(cli->dc, &lmpassword);
-- netlogon_creds_des_encrypt(cli->dc, &ntpassword);
-- }
--
- password_info->identity_info.domain_name.string = domain;
- password_info->identity_info.parameter_control = logon_parameters;
- password_info->identity_info.logon_id_low = 0xdead;
-@@ -281,28 +234,20 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
- return NT_STATUS_INVALID_INFO_CLASS;
- }
-
-- status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
-- cli->srv_name_slash,
-- lp_netbios_name(),
-- &clnt_creds,
-- &ret_creds,
-- logon_type,
-- logon,
-- validation_level,
-- &validation,
-- &authoritative,
-- &result);
-+ status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
-+ cli->binding_handle,
-+ logon_type,
-+ logon,
-+ mem_ctx,
-+ &validation_level,
-+ &validation,
-+ &authoritative,
-+ &flags);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
-- /* Always check returned credentials */
-- if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
-- DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n"));
-- return NT_STATUS_ACCESS_DENIED;
-- }
--
-- return result;
-+ return NT_STATUS_OK;
- }
-
- static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
-@@ -366,29 +311,24 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
- const char *domain,
- const char *workstation,
- const uint8 chal[8],
-- uint16_t validation_level,
-+ uint16_t _ignored_validation_level,
- DATA_BLOB lm_response,
- DATA_BLOB nt_response,
- struct netr_SamInfo3 **info3)
- {
-- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- NTSTATUS status;
- const char *workstation_name_slash;
-- const char *server_name_slash;
-- struct netr_Authenticator clnt_creds;
-- struct netr_Authenticator ret_creds;
- union netr_LogonLevel *logon = NULL;
- struct netr_NetworkInfo *network_info;
-- uint8_t authoritative;
-- union netr_Validation validation;
-+ uint16_t validation_level = 0;
-+ union netr_Validation *validation = NULL;
-+ uint8_t authoritative = 0;
-+ uint32_t flags = 0;
- struct netr_ChallengeResponse lm;
- struct netr_ChallengeResponse nt;
-- struct dcerpc_binding_handle *b = cli->binding_handle;
-
- *info3 = NULL;
-
-- ZERO_STRUCT(ret_creds);
--
- ZERO_STRUCT(lm);
- ZERO_STRUCT(nt);
-
-@@ -402,21 +342,13 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
- return NT_STATUS_NO_MEMORY;
- }
-
-- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
--
-- if (server[0] != '\\' && server[1] != '\\') {
-- server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
-- } else {
-- server_name_slash = server;
-- }
--
- if (workstation[0] != '\\' && workstation[1] != '\\') {
- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
- } else {
- workstation_name_slash = workstation;
- }
-
-- if (!workstation_name_slash || !server_name_slash) {
-+ if (!workstation_name_slash) {
- DEBUG(0, ("talloc_asprintf failed!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-@@ -443,40 +375,27 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
-
- /* Marshall data and send request */
-
-- status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
-- server_name_slash,
-- lp_netbios_name(),
-- &clnt_creds,
-- &ret_creds,
-- NetlogonNetworkInformation,
-- logon,
-- validation_level,
-- &validation,
-- &authoritative,
-- &result);
-+ status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
-+ cli->binding_handle,
-+ NetlogonNetworkInformation,
-+ logon,
-+ mem_ctx,
-+ &validation_level,
-+ &validation,
-+ &authoritative,
-+ &flags);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
-- /* Always check returned credentials. */
-- if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
-- DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n"));
-- return NT_STATUS_ACCESS_DENIED;
-- }
--
-- if (!NT_STATUS_IS_OK(result)) {
-- return result;
-- }
--
-- netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
-- &validation);
--
-- result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
-- if (!NT_STATUS_IS_OK(result)) {
-- return result;
-+ status = map_validation_to_info3(mem_ctx,
-+ validation_level, validation,
-+ info3);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
- }
-
-- return result;
-+ return NT_STATUS_OK;
- }
-
- NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
-@@ -492,100 +411,18 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
- DATA_BLOB nt_response,
- struct netr_SamInfo3 **info3)
- {
-- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-- NTSTATUS status;
-- const char *workstation_name_slash;
-- const char *server_name_slash;
-- union netr_LogonLevel *logon = NULL;
-- struct netr_NetworkInfo *network_info;
-- uint8_t authoritative;
-- union netr_Validation validation;
-- struct netr_ChallengeResponse lm;
-- struct netr_ChallengeResponse nt;
-- uint32_t flags = 0;
-- struct dcerpc_binding_handle *b = cli->binding_handle;
--
-- *info3 = NULL;
--
-- ZERO_STRUCT(lm);
-- ZERO_STRUCT(nt);
--
-- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
-- if (!logon) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
-- if (!network_info) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- if (server[0] != '\\' && server[1] != '\\') {
-- server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
-- } else {
-- server_name_slash = server;
-- }
--
-- if (workstation[0] != '\\' && workstation[1] != '\\') {
-- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
-- } else {
-- workstation_name_slash = workstation;
-- }
--
-- if (!workstation_name_slash || !server_name_slash) {
-- DEBUG(0, ("talloc_asprintf failed!\n"));
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- /* Initialise input parameters */
--
-- lm.data = lm_response.data;
-- lm.length = lm_response.length;
-- nt.data = nt_response.data;
-- nt.length = nt_response.length;
--
-- network_info->identity_info.domain_name.string = domain;
-- network_info->identity_info.parameter_control = logon_parameters;
-- network_info->identity_info.logon_id_low = 0xdead;
-- network_info->identity_info.logon_id_high = 0xbeef;
-- network_info->identity_info.account_name.string = username;
-- network_info->identity_info.workstation.string = workstation_name_slash;
--
-- memcpy(network_info->challenge, chal, 8);
-- network_info->nt = nt;
-- network_info->lm = lm;
--
-- logon->network = network_info;
--
-- /* Marshall data and send request */
--
-- status = dcerpc_netr_LogonSamLogonEx(b, mem_ctx,
-- server_name_slash,
-- lp_netbios_name(),
-- NetlogonNetworkInformation,
-- logon,
-- validation_level,
-- &validation,
-- &authoritative,
-- &flags,
-- &result);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
-- if (!NT_STATUS_IS_OK(result)) {
-- return result;
-- }
--
-- netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
-- &validation);
--
-- result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
-- if (!NT_STATUS_IS_OK(result)) {
-- return result;
-- }
--
-- return result;
-+ return rpccli_netlogon_sam_network_logon(cli,
-+ mem_ctx,
-+ logon_parameters,
-+ server,
-+ username,
-+ domain,
-+ workstation,
-+ chal,
-+ validation_level,
-+ lm_response,
-+ nt_response,
-+ info3);
- }
-
- /*********************************************************
-@@ -605,11 +442,9 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
- const unsigned char new_trust_passwd_hash[16],
- enum netr_SchannelType sec_channel_type)
- {
-- NTSTATUS result, status;
-- struct netr_Authenticator clnt_creds, srv_cred;
-- struct dcerpc_binding_handle *b = cli->binding_handle;
-+ NTSTATUS result;
-
-- if (!cli->dc) {
-+ if (cli->netlogon_creds == NULL) {
- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
- NETLOGON_NEG_SUPPORTS_AES;
- result = rpccli_netlogon_setup_creds(cli,
-@@ -627,77 +462,16 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
- }
- }
-
-- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
--
-- if (cli->dc->negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
--
-- struct netr_CryptPassword new_password;
-- uint32_t old_timeout;
--
-- init_netr_CryptPassword(new_trust_pwd_cleartext,
-- cli->dc,
-- &new_password);
--
-- old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
--
-- status = dcerpc_netr_ServerPasswordSet2(b, mem_ctx,
-- cli->srv_name_slash,
-- cli->dc->account_name,
-- sec_channel_type,
-- cli->dc->computer_name,
-- &clnt_creds,
-- &srv_cred,
-- &new_password,
-- &result);
--
-- dcerpc_binding_handle_set_timeout(b, old_timeout);
--
-- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0,("dcerpc_netr_ServerPasswordSet2 failed: %s\n",
-- nt_errstr(status)));
-- return status;
-- }
-- } else {
--
-- struct samr_Password new_password;
-- uint32_t old_timeout;
--
-- memcpy(new_password.hash, new_trust_passwd_hash, sizeof(new_password.hash));
-- netlogon_creds_des_encrypt(cli->dc, &new_password);
--
-- old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
--
-- status = dcerpc_netr_ServerPasswordSet(b, mem_ctx,
-- cli->srv_name_slash,
-- cli->dc->account_name,
-- sec_channel_type,
-- cli->dc->computer_name,
-- &clnt_creds,
-- &srv_cred,
-- &new_password,
-- &result);
--
-- dcerpc_binding_handle_set_timeout(b, old_timeout);
--
-- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0,("dcerpc_netr_ServerPasswordSet failed: %s\n",
-- nt_errstr(status)));
-- return status;
-- }
-- }
--
-- /* Always check returned credentials. */
-- if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
-- DEBUG(0,("credentials chain check failed\n"));
-- return NT_STATUS_ACCESS_DENIED;
-- }
--
-+ result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
-+ cli->binding_handle,
-+ new_trust_pwd_cleartext,
-+ NULL); /* new_version */
- if (!NT_STATUS_IS_OK(result)) {
-- DEBUG(0,("dcerpc_netr_ServerPasswordSet{2} failed: %s\n",
-+ DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
- nt_errstr(result)));
- return result;
- }
-
-- return result;
-+ return NT_STATUS_OK;
- }
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index a45023f..fe1613d 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -24,6 +24,7 @@
- #include "librpc/gen_ndr/ndr_epmapper_c.h"
- #include "../librpc/gen_ndr/ndr_dssetup.h"
- #include "../libcli/auth/schannel.h"
-+#include "../libcli/auth/netlogon_creds_cli.h"
- #include "auth_generic.h"
- #include "librpc/gen_ndr/ndr_dcerpc.h"
- #include "librpc/gen_ndr/ndr_netlogon_c.h"
-@@ -3024,34 +3025,39 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- enum dcerpc_transport_t transport,
- enum dcerpc_AuthLevel auth_level,
- const char *domain,
-- struct netlogon_creds_CredentialState **pdc,
-+ struct netlogon_creds_cli_context *netlogon_creds,
- struct rpc_pipe_client **_rpccli)
- {
- struct rpc_pipe_client *rpccli;
- struct pipe_auth_data *rpcauth;
-+ struct netlogon_creds_CredentialState *creds = NULL;
- NTSTATUS status;
-- NTSTATUS result;
-- struct netlogon_creds_CredentialState save_creds;
-- struct netr_Authenticator auth;
-- struct netr_Authenticator return_auth;
-- union netr_Capabilities capabilities;
- const char *target_service = table->authservices->names[0];
-+ int rpc_pipe_bind_dbglvl = 0;
-
- status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
-+ status = netlogon_creds_cli_lock(netlogon_creds, rpccli, &creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ DEBUG(0, ("netlogon_creds_cli_get returned %s\n",
-+ nt_errstr(status)));
-+ TALLOC_FREE(rpccli);
-+ return status;
-+ }
-+
- status = rpccli_generic_bind_data(rpccli,
- DCERPC_AUTH_TYPE_SCHANNEL,
- auth_level,
- NULL,
- target_service,
- domain,
-- (*pdc)->computer_name,
-+ creds->computer_name,
- NULL,
- CRED_AUTO_USE_KERBEROS,
-- *pdc,
-+ creds,
- &rpcauth);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
-@@ -3060,120 +3066,43 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- return status;
- }
-
-- /*
-- * The credentials on a new netlogon pipe are the ones we are passed
-- * in - copy them over
-- *
-- * This may get overwritten... in rpc_pipe_bind()...
-- */
-- rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
-- if (rpccli->dc == NULL) {
-- TALLOC_FREE(rpccli);
-- return NT_STATUS_NO_MEMORY;
-- }
--
- status = rpc_pipe_bind(rpccli, rpcauth);
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
-+ rpc_pipe_bind_dbglvl = 1;
-+ netlogon_creds_cli_delete(netlogon_creds, &creds);
-+ }
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
-- "cli_rpc_pipe_bind failed with error %s\n",
-- nt_errstr(status) ));
-+ DEBUG(rpc_pipe_bind_dbglvl,
-+ ("cli_rpc_pipe_open_schannel_with_key: "
-+ "rpc_pipe_bind failed with error %s\n",
-+ nt_errstr(status)));
- TALLOC_FREE(rpccli);
- return status;
- }
-
-- if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
-- goto done;
-- }
--
-- save_creds = *rpccli->dc;
-- ZERO_STRUCT(return_auth);
-- ZERO_STRUCT(capabilities);
-+ TALLOC_FREE(creds);
-
-- netlogon_creds_client_authenticator(&save_creds, &auth);
--
-- status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
-- talloc_tos(),
-- rpccli->srv_name_slash,
-- save_creds.computer_name,
-- &auth, &return_auth,
-- 1, &capabilities,
-- &result);
-- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-- if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- DEBUG(5, ("AES was negotiated and the error was %s - "
-- "downgrade detected\n",
-- nt_errstr(status)));
-- TALLOC_FREE(rpccli);
-- return NT_STATUS_INVALID_NETWORK_RESPONSE;
-- }
--
-- /* This is probably an old Samba Version */
-- DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
-- nt_errstr(status)));
-+ if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
- goto done;
- }
-
-+ status = netlogon_creds_cli_check(netlogon_creds,
-+ rpccli->binding_handle);
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
-+ DEBUG(0, ("netlogon_creds_cli_check failed with %s\n",
- nt_errstr(status)));
- TALLOC_FREE(rpccli);
- return status;
- }
-
-- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
-- if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- /* This means AES isn't supported. */
-- DEBUG(5, ("AES was negotiated and the result was %s - "
-- "downgrade detected\n",
-- nt_errstr(result)));
-- TALLOC_FREE(rpccli);
-- return NT_STATUS_INVALID_NETWORK_RESPONSE;
-- }
--
-- /* This is probably an old Windows version */
-- DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
-- nt_errstr(result)));
-- goto done;
-- }
--
-- /*
-- * We need to check the credential state here, cause win2k3 and earlier
-- * returns NT_STATUS_NOT_IMPLEMENTED
-- */
-- if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
-- /*
-- * Server replied with bad credential. Fail.
-- */
-- DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
-- "replied with bad credential\n",
-- rpccli->desthost));
-- TALLOC_FREE(rpccli);
-- return NT_STATUS_INVALID_NETWORK_RESPONSE;
-- }
-- *rpccli->dc = save_creds;
--
-- if (!NT_STATUS_IS_OK(result)) {
-- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
-- nt_errstr(result)));
-- TALLOC_FREE(rpccli);
-- return result;
-- }
--
-- if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
-- /* This means AES isn't supported. */
-- DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
-- "was OK - downgrade detected\n"));
-- TALLOC_FREE(rpccli);
-- return NT_STATUS_INVALID_NETWORK_RESPONSE;
-- }
--
-- if (save_creds.negotiate_flags != capabilities.server_capabilities) {
-- DEBUG(0, ("The client capabilities don't match the server "
-- "capabilities: local[0x%08X] remote[0x%08X]\n",
-- save_creds.negotiate_flags,
-- capabilities.server_capabilities));
-+ status = netlogon_creds_cli_context_copy(netlogon_creds,
-+ rpccli,
-+ &rpccli->netlogon_creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
-+ nt_errstr(status)));
- TALLOC_FREE(rpccli);
-- return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ return status;
- }
-
- done:
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index 826f9bf..cf0c5c6 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -96,7 +96,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- enum dcerpc_transport_t transport,
- enum dcerpc_AuthLevel auth_level,
- const char *domain,
-- struct netlogon_creds_CredentialState **pdc,
-+ struct netlogon_creds_cli_context *netlogon_creds,
- struct rpc_pipe_client **presult);
-
- NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
-diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
-index aaae44b..e3d65c8 100644
---- a/source3/rpc_client/cli_pipe_schannel.c
-+++ b/source3/rpc_client/cli_pipe_schannel.c
-@@ -112,7 +112,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
- }
-
- status = cli_rpc_pipe_open_schannel_with_key(
-- cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
-+ cli, table, transport, auth_level, domain,
-+ netlogon_pipe->netlogon_creds,
- &result);
-
- /* Now we've bound using the session key we can close the netlog pipe. */
-diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
-index 8024f01..7c4cceb 100644
---- a/source3/rpc_client/rpc_client.h
-+++ b/source3/rpc_client/rpc_client.h
-@@ -50,7 +50,7 @@ struct rpc_pipe_client {
- struct pipe_auth_data *auth;
-
- /* The following is only non-null on a netlogon client pipe. */
-- struct netlogon_creds_CredentialState *dc;
-+ struct netlogon_creds_cli_context *netlogon_creds;
- };
-
- #endif /* _RPC_CLIENT_H */
-diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
-index d92434b..2e0b5e5 100644
---- a/source3/rpcclient/cmd_netlogon.c
-+++ b/source3/rpcclient/cmd_netlogon.c
-@@ -26,6 +26,7 @@
- #include "../librpc/gen_ndr/ndr_netlogon_c.h"
- #include "rpc_client/cli_netlogon.h"
- #include "secrets.h"
-+#include "../libcli/auth/netlogon_creds_cli.h"
-
- static WERROR cmd_netlogon_logon_ctrl2(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx, int argc,
-@@ -630,8 +631,15 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
-
- do {
- struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
-+ struct netlogon_creds_CredentialState *creds = NULL;
-
-- netlogon_creds_client_authenticator(cli->dc, &credential);
-+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
-+ mem_ctx, &creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ netlogon_creds_client_authenticator(creds, &credential);
-
- status = dcerpc_netr_DatabaseSync2(b, mem_ctx,
- logon_server,
-@@ -645,15 +653,18 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
- 0xffff,
- &result);
- if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(creds);
- return status;
- }
-
- /* Check returned credentials. */
-- if (!netlogon_creds_client_check(cli->dc,
-+ if (!netlogon_creds_client_check(creds,
- &return_authenticator.cred)) {
- DEBUG(0,("credentials chain check failed\n"));
-+ TALLOC_FREE(creds);
- return NT_STATUS_ACCESS_DENIED;
- }
-+ TALLOC_FREE(creds);
-
- if (NT_STATUS_IS_ERR(result)) {
- break;
-@@ -699,8 +710,15 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
-
- do {
- struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
-+ struct netlogon_creds_CredentialState *creds = NULL;
-+
-+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
-+ mem_ctx, &creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-
-- netlogon_creds_client_authenticator(cli->dc, &credential);
-+ netlogon_creds_client_authenticator(creds, &credential);
-
- status = dcerpc_netr_DatabaseDeltas(b, mem_ctx,
- logon_server,
-@@ -713,15 +731,18 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
- 0xffff,
- &result);
- if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(creds);
- return status;
- }
-
- /* Check returned credentials. */
-- if (!netlogon_creds_client_check(cli->dc,
-+ if (!netlogon_creds_client_check(creds,
- &return_authenticator.cred)) {
- DEBUG(0,("credentials chain check failed\n"));
-+ TALLOC_FREE(creds);
- return NT_STATUS_ACCESS_DENIED;
- }
-+ TALLOC_FREE(creds);
-
- if (NT_STATUS_IS_ERR(result)) {
- break;
-@@ -1129,6 +1150,7 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
- struct netr_ChangeLogEntry e;
- uint32_t rid = 500;
- struct dcerpc_binding_handle *b = cli->binding_handle;
-+ struct netlogon_creds_CredentialState *creds = NULL;
-
- if (argc > 2) {
- fprintf(stderr, "Usage: %s <user rid>\n", argv[0]);
-@@ -1158,7 +1180,13 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
- return status;
- }
-
-- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
-+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
-+ mem_ctx, &creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ netlogon_creds_client_authenticator(creds, &clnt_creds);
-
- ZERO_STRUCT(e);
-
-@@ -1176,13 +1204,16 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
- &delta_enum_array,
- &result);
- if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(creds);
- return status;
- }
-
-- if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
-+ if (!netlogon_creds_client_check(creds, &srv_cred.cred)) {
- DEBUG(0,("credentials chain check failed\n"));
-+ TALLOC_FREE(creds);
- return NT_STATUS_ACCESS_DENIED;
- }
-+ TALLOC_FREE(creds);
-
- return result;
- }
-@@ -1198,6 +1229,7 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
- union netr_Capabilities capabilities;
- uint32_t level = 1;
- struct dcerpc_binding_handle *b = cli->binding_handle;
-+ struct netlogon_creds_CredentialState *creds = NULL;
-
- if (argc > 2) {
- fprintf(stderr, "Usage: %s <level>\n", argv[0]);
-@@ -1210,7 +1242,13 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
-
- ZERO_STRUCT(return_authenticator);
-
-- netlogon_creds_client_authenticator(cli->dc, &credential);
-+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
-+ mem_ctx, &creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ netlogon_creds_client_authenticator(creds, &credential);
-
- status = dcerpc_netr_LogonGetCapabilities(b, mem_ctx,
- cli->desthost,
-@@ -1221,14 +1259,17 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
- &capabilities,
- &result);
- if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(creds);
- return status;
- }
-
-- if (!netlogon_creds_client_check(cli->dc,
-+ if (!netlogon_creds_client_check(creds,
- &return_authenticator.cred)) {
- DEBUG(0,("credentials chain check failed\n"));
-+ TALLOC_FREE(creds);
- return NT_STATUS_ACCESS_DENIED;
- }
-+ TALLOC_FREE(creds);
-
- printf("capabilities: 0x%08x\n", capabilities.server_capabilities);
-
-diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
-index afde685..b5fc010 100644
---- a/source3/winbindd/winbindd.h
-+++ b/source3/winbindd/winbindd.h
-@@ -165,16 +165,7 @@ struct winbindd_domain {
- time_t startup_time; /* When we set "startup" true. monotonic clock */
- bool startup; /* are we in the first 30 seconds after startup_time ? */
-
-- bool can_do_samlogon_ex; /* Due to the lack of finer control what type
-- * of DC we have, let us try to do a
-- * credential-chain less samlogon_ex call
-- * with AD and schannel. If this fails with
-- * DCERPC_FAULT_OP_RNG_ERROR, then set this
-- * to False. This variable is around so that
-- * we don't have to try _ex every time. */
--
- bool can_do_ncacn_ip_tcp;
-- bool can_do_validation6;
-
- /* Lookup methods for this domain (LDAP or RPC) */
- struct winbindd_methods *methods;
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index 6c1244e..e0d1d0c 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -2047,7 +2047,6 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
- domain->active_directory ? "" : "NOT "));
-
- domain->can_do_ncacn_ip_tcp = domain->active_directory;
-- domain->can_do_validation6 = domain->active_directory;
-
- domain->initialized = True;
-
-@@ -2248,7 +2247,6 @@ done:
- domain->name, domain->active_directory ? "" : "NOT "));
-
- domain->can_do_ncacn_ip_tcp = domain->active_directory;
-- domain->can_do_validation6 = domain->active_directory;
-
- TALLOC_FREE(cli);
-
-@@ -2289,7 +2287,7 @@ static void set_dc_type_and_flags( struct winbindd_domain *domain )
- ***********************************************************************/
-
- static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
-- struct netlogon_creds_CredentialState **ppdc)
-+ struct netlogon_creds_cli_context **ppdc)
- {
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- struct rpc_pipe_client *netlogon_pipe;
-@@ -2306,11 +2304,11 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
- /* Return a pointer to the struct netlogon_creds_CredentialState from the
- netlogon pipe. */
-
-- if (!domain->conn.netlogon_pipe->dc) {
-+ if (!domain->conn.netlogon_pipe->netlogon_creds) {
- return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
- }
-
-- *ppdc = domain->conn.netlogon_pipe->dc;
-+ *ppdc = domain->conn.netlogon_pipe->netlogon_creds;
- return NT_STATUS_OK;
- }
-
-@@ -2319,7 +2317,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- {
- struct winbindd_cm_conn *conn;
- NTSTATUS status, result;
-- struct netlogon_creds_CredentialState *p_creds;
-+ struct netlogon_creds_cli_context *p_creds;
- char *machine_password = NULL;
- char *machine_account = NULL;
- const char *domain_name = NULL;
-@@ -2431,7 +2429,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- status = cli_rpc_pipe_open_schannel_with_key
- (conn->cli, &ndr_table_samr, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY,
-- domain->name, &p_creds, &conn->samr_pipe);
-+ domain->name, p_creds, &conn->samr_pipe);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
-@@ -2534,7 +2532,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
- struct rpc_pipe_client **cli)
- {
- struct winbindd_cm_conn *conn;
-- struct netlogon_creds_CredentialState *creds;
-+ struct netlogon_creds_cli_context *creds;
- NTSTATUS status;
-
- DEBUG(10,("cm_connect_lsa_tcp\n"));
-@@ -2565,7 +2563,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
- NCACN_IP_TCP,
- DCERPC_AUTH_LEVEL_PRIVACY,
- domain->name,
-- &creds,
-+ creds,
- &conn->lsa_pipe_tcp);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
-@@ -2589,7 +2587,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- {
- struct winbindd_cm_conn *conn;
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-- struct netlogon_creds_CredentialState *p_creds;
-+ struct netlogon_creds_cli_context *p_creds;
-
- result = init_dc_connection_rpc(domain);
- if (!NT_STATUS_IS_OK(result))
-@@ -2662,7 +2660,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- result = cli_rpc_pipe_open_schannel_with_key
- (conn->cli, &ndr_table_lsarpc, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY,
-- domain->name, &p_creds, &conn->lsa_pipe);
-+ domain->name, p_creds, &conn->lsa_pipe);
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
-@@ -2826,10 +2824,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
- no_schannel:
- if ((lp_client_schannel() == False) ||
- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-- /*
-- * NetSamLogonEx only works for schannel
-- */
-- domain->can_do_samlogon_ex = False;
-
- /* We're done - just keep the existing connection to NETLOGON
- * open */
-@@ -2845,7 +2839,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
-
- result = cli_rpc_pipe_open_schannel_with_key(
- conn->cli, &ndr_table_netlogon, NCACN_NP,
-- DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
-+ DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
-+ netlogon_pipe->netlogon_creds,
- &conn->netlogon_pipe);
-
- /* We can now close the initial netlogon pipe. */
-@@ -2859,15 +2854,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
- return result;
- }
-
-- /*
-- * Always try netr_LogonSamLogonEx. We will fall back for NT4
-- * which gives DCERPC_FAULT_OP_RNG_ERROR (function not
-- * supported). We used to only try SamLogonEx for AD, but
-- * Samba DCs can also do it. And because we don't distinguish
-- * between Samba and NT4, always try it once.
-- */
-- domain->can_do_samlogon_ex = true;
--
- *cli = conn->netlogon_pipe;
- return NT_STATUS_OK;
- }
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index c356686..39483a5 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -1228,8 +1228,6 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
-
- do {
- struct rpc_pipe_client *netlogon_pipe;
-- const struct pipe_auth_data *auth;
-- uint32_t neg_flags = 0;
-
- ZERO_STRUCTP(info3);
- retry = false;
-@@ -1278,75 +1276,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
- }
- netr_attempts = 0;
-
-- auth = netlogon_pipe->auth;
-- if (netlogon_pipe->dc) {
-- neg_flags = netlogon_pipe->dc->negotiate_flags;
-- }
--
-- /* It is really important to try SamLogonEx here,
-- * because in a clustered environment, we want to use
-- * one machine account from multiple physical
-- * computers.
-- *
-- * With a normal SamLogon call, we must keep the
-- * credentials chain updated and intact between all
-- * users of the machine account (which would imply
-- * cross-node communication for every NTLM logon).
-- *
-- * (The credentials chain is not per NETLOGON pipe
-- * connection, but globally on the server/client pair
-- * by machine name).
-- *
-- * When using SamLogonEx, the credentials are not
-- * supplied, but the session key is implied by the
-- * wrapping SamLogon context.
-- *
-- * -- abartlet 21 April 2008
-- *
-- * It's also important to use NetlogonValidationSamInfo4 (6),
-- * because it relies on the rpc transport encryption
-- * and avoids using the global netlogon schannel
-- * session key to en/decrypt secret information
-- * like the user_session_key for network logons.
-- *
-- * [MS-APDS] 3.1.5.2 NTLM Network Logon
-- * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
-- * NETLOGON_NEG_AUTHENTICATED_RPC set together
-- * are the indication that the server supports
-- * NetlogonValidationSamInfo4 (6). And it must only
-- * be used if "SealSecureChannel" is used.
-- *
-- * -- metze 4 February 2011
-- */
--
-- if (auth == NULL) {
-- domain->can_do_validation6 = false;
-- } else if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
-- domain->can_do_validation6 = false;
-- } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
-- domain->can_do_validation6 = false;
-- } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
-- domain->can_do_validation6 = false;
-- } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-- domain->can_do_validation6 = false;
-- }
--
-- if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
-- result = rpccli_netlogon_sam_network_logon_ex(
-- netlogon_pipe,
-- mem_ctx,
-- logon_parameters,
-- server, /* server name */
-- username, /* user name */
-- domainname, /* target domain */
-- workstation, /* workstation */
-- chal,
-- 6,
-- lm_response,
-- nt_response,
-- info3);
-- } else {
-- result = rpccli_netlogon_sam_network_logon(
-+ result = rpccli_netlogon_sam_network_logon(
- netlogon_pipe,
- mem_ctx,
- logon_parameters,
-@@ -1355,48 +1285,10 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
- domainname, /* target domain */
- workstation, /* workstation */
- chal,
-- domain->can_do_validation6 ? 6 : 3,
-+ -1, /* ignored */
- lm_response,
- nt_response,
- info3);
-- }
--
-- if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
--
-- /*
-- * It's likely that the server also does not support
-- * validation level 6
-- */
-- domain->can_do_validation6 = false;
--
-- if (domain->can_do_samlogon_ex) {
-- DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
-- "retrying with NetSamLogon\n"));
-- domain->can_do_samlogon_ex = false;
-- retry = true;
-- continue;
-- }
--
--
-- /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
-- * (no Ex). This happens against old Samba
-- * DCs. Drop the connection.
-- */
-- invalidate_cm_connection(&domain->conn);
-- result = NT_STATUS_LOGON_FAILURE;
-- break;
-- }
--
-- if (domain->can_do_validation6 &&
-- (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
-- NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
-- NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
-- DEBUG(3,("Got a DC that can not do validation level 6, "
-- "retrying with level 3\n"));
-- domain->can_do_validation6 = false;
-- retry = true;
-- continue;
-- }
-
- /*
- * we increment this after the "feature negotiation"
-@@ -1428,6 +1320,30 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
- retry = true;
- }
-
-+ if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-+ /*
-+ * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
-+ * (no Ex). This happens against old Samba
-+ * DCs, if LogonSamLogonEx() fails with an error
-+ * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
-+ *
-+ * The server will log something like this:
-+ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
-+ *
-+ * This sets the whole connection into a fault_state mode
-+ * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
-+ *
-+ * This also happens to our retry with LogonSamLogonWithFlags()
-+ * and LogonSamLogon().
-+ *
-+ * In order to recover from this situation, we need to
-+ * drop the connection.
-+ */
-+ invalidate_cm_connection(&domain->conn);
-+ result = NT_STATUS_LOGON_FAILURE;
-+ break;
-+ }
-+
- } while ( (attempts < 2) && retry );
-
- if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
-diff --git a/source3/wscript_build b/source3/wscript_build
-index 13d15c3..0d3ba8e 100755
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -671,8 +671,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
- deps='''ndr ndr-standard
- RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
- LIBTSOCKET gse dcerpc-binding
-- libsmb
-- ndr-table''',
-+ libsmb ndr-table NETLOGON_CREDS_CLI
-+ ''',
- vars=locals(),
- private_library=True)
-
-@@ -1114,7 +1114,7 @@ bld.SAMBA3_LIBRARY('libcli_lsa3',
-
- bld.SAMBA3_LIBRARY('libcli_netlogon3',
- source=LIBCLI_NETLOGON_SRC,
-- deps='RPC_NDR_NETLOGON INIT_NETLOGON cliauth param',
-+ deps='msrpc3 RPC_NDR_NETLOGON INIT_NETLOGON cliauth param NETLOGON_CREDS_CLI',
- private_library=True)
-
- bld.SAMBA3_LIBRARY('cli_spoolss',
---
-1.9.3
-
-
-From 0b489bffb452e05d595abc2894532100162a4e8c Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 17 Oct 2013 17:03:00 +0200
-Subject: [PATCH 175/249] s3:rpc_client: use netlogon_creds_cli_auth_level() in
- cli_rpc_pipe_open_schannel_with_key()
-
-This means the auth level is now based on the "winbindd sealed pipes" option,
-defaulting to "yes" and DCERPC_AUTH_LEVEL_PRIVACY.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 5adfc5f9f737c003b84b0187fa17b9fc3784442e)
----
- source3/libnet/libnet_join.c | 1 -
- source3/rpc_client/cli_pipe.c | 4 +++-
- source3/rpc_client/cli_pipe.h | 1 -
- source3/rpc_client/cli_pipe_schannel.c | 2 +-
- source3/winbindd/winbindd_cm.c | 5 +----
- 5 files changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 5dc620f..b2805ee 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -1278,7 +1278,6 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
-
- status = cli_rpc_pipe_open_schannel_with_key(
- cli, &ndr_table_netlogon, NCACN_NP,
-- DCERPC_AUTH_LEVEL_PRIVACY,
- netbios_domain_name,
- netlogon_pipe->netlogon_creds, &pipe_hnd);
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index fe1613d..31cd7f5 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -3023,7 +3023,6 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
- NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- const struct ndr_interface_table *table,
- enum dcerpc_transport_t transport,
-- enum dcerpc_AuthLevel auth_level,
- const char *domain,
- struct netlogon_creds_cli_context *netlogon_creds,
- struct rpc_pipe_client **_rpccli)
-@@ -3031,6 +3030,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- struct rpc_pipe_client *rpccli;
- struct pipe_auth_data *rpcauth;
- struct netlogon_creds_CredentialState *creds = NULL;
-+ enum dcerpc_AuthLevel auth_level;
- NTSTATUS status;
- const char *target_service = table->authservices->names[0];
- int rpc_pipe_bind_dbglvl = 0;
-@@ -3048,6 +3048,8 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- return status;
- }
-
-+ auth_level = netlogon_creds_cli_auth_level(netlogon_creds);
-+
- status = rpccli_generic_bind_data(rpccli,
- DCERPC_AUTH_TYPE_SCHANNEL,
- auth_level,
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index cf0c5c6..c21c55d 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -94,7 +94,6 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
- NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- const struct ndr_interface_table *table,
- enum dcerpc_transport_t transport,
-- enum dcerpc_AuthLevel auth_level,
- const char *domain,
- struct netlogon_creds_cli_context *netlogon_creds,
- struct rpc_pipe_client **presult);
-diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
-index e3d65c8..8f9161f 100644
---- a/source3/rpc_client/cli_pipe_schannel.c
-+++ b/source3/rpc_client/cli_pipe_schannel.c
-@@ -112,7 +112,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
- }
-
- status = cli_rpc_pipe_open_schannel_with_key(
-- cli, table, transport, auth_level, domain,
-+ cli, table, transport, domain,
- netlogon_pipe->netlogon_creds,
- &result);
-
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index e0d1d0c..1546002 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -2428,7 +2428,6 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- }
- status = cli_rpc_pipe_open_schannel_with_key
- (conn->cli, &ndr_table_samr, NCACN_NP,
-- DCERPC_AUTH_LEVEL_PRIVACY,
- domain->name, p_creds, &conn->samr_pipe);
-
- if (!NT_STATUS_IS_OK(status)) {
-@@ -2561,7 +2560,6 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
- status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
- &ndr_table_lsarpc,
- NCACN_IP_TCP,
-- DCERPC_AUTH_LEVEL_PRIVACY,
- domain->name,
- creds,
- &conn->lsa_pipe_tcp);
-@@ -2659,7 +2657,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- }
- result = cli_rpc_pipe_open_schannel_with_key
- (conn->cli, &ndr_table_lsarpc, NCACN_NP,
-- DCERPC_AUTH_LEVEL_PRIVACY,
- domain->name, p_creds, &conn->lsa_pipe);
-
- if (!NT_STATUS_IS_OK(result)) {
-@@ -2839,7 +2836,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
-
- result = cli_rpc_pipe_open_schannel_with_key(
- conn->cli, &ndr_table_netlogon, NCACN_NP,
-- DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
-+ domain->name,
- netlogon_pipe->netlogon_creds,
- &conn->netlogon_pipe);
-
---
-1.9.3
-
-
-From 0f19f3b64e4f0b969eec4f2048df7c40be661e82 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 7 Aug 2013 11:27:25 +0200
-Subject: [PATCH 176/249] s3:rpc_client: add
- rpccli_{create,setup}_netlogon_creds()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 14ceb7b501fce6623be284cbcceb573fd2e10d3a)
----
- source3/rpc_client/cli_netlogon.c | 105 ++++++++++++++++++++++++++++++++++++++
- source3/rpc_client/cli_netlogon.h | 16 ++++++
- 2 files changed, 121 insertions(+)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index fcd24d6..89aec37 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -21,15 +21,19 @@
- */
-
- #include "includes.h"
-+#include "libsmb/libsmb.h"
- #include "rpc_client/rpc_client.h"
-+#include "rpc_client/cli_pipe.h"
- #include "../libcli/auth/libcli_auth.h"
- #include "../libcli/auth/netlogon_creds_cli.h"
- #include "../librpc/gen_ndr/ndr_netlogon_c.h"
-+#include "../librpc/gen_ndr/schannel.h"
- #include "rpc_client/cli_netlogon.h"
- #include "rpc_client/init_netlogon.h"
- #include "rpc_client/util_netlogon.h"
- #include "../libcli/security/security.h"
- #include "lib/param/param.h"
-+#include "libcli/smb/smbXcli_base.h"
-
- /****************************************************************************
- Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
-@@ -124,6 +128,107 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
- return NT_STATUS_OK;
- }
-
-+NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
-+ const char *server_netbios_domain,
-+ const char *client_account,
-+ enum netr_SchannelType sec_chan_type,
-+ struct messaging_context *msg_ctx,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_cli_context **netlogon_creds)
-+{
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct loadparm_context *lp_ctx;
-+ NTSTATUS status;
-+
-+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
-+ if (lp_ctx == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ status = netlogon_creds_cli_context_global(lp_ctx,
-+ msg_ctx,
-+ client_account,
-+ sec_chan_type,
-+ server_computer,
-+ server_netbios_domain,
-+ mem_ctx, netlogon_creds);
-+ TALLOC_FREE(frame);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ return NT_STATUS_OK;
-+}
-+
-+NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
-+ struct netlogon_creds_cli_context *netlogon_creds,
-+ bool force_reauth,
-+ struct samr_Password current_nt_hash,
-+ const struct samr_Password *previous_nt_hash)
-+{
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct rpc_pipe_client *netlogon_pipe = NULL;
-+ struct netlogon_creds_CredentialState *creds = NULL;
-+ NTSTATUS status;
-+
-+ status = netlogon_creds_cli_get(netlogon_creds,
-+ frame, &creds);
-+ if (NT_STATUS_IS_OK(status)) {
-+ const char *action = "using";
-+
-+ if (force_reauth) {
-+ action = "overwrite";
-+ }
-+
-+ DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
-+ __FUNCTION__, action,
-+ creds->account_name, creds->computer_name,
-+ smbXcli_conn_remote_name(cli->conn)));
-+ if (!force_reauth) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_OK;
-+ }
-+ TALLOC_FREE(creds);
-+ }
-+
-+ status = cli_rpc_pipe_open_noauth(cli,
-+ &ndr_table_netlogon,
-+ &netlogon_pipe);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
-+ __FUNCTION__,
-+ smbXcli_conn_remote_name(cli->conn),
-+ nt_errstr(status)));
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+ talloc_steal(frame, netlogon_pipe);
-+
-+ status = netlogon_creds_cli_auth(netlogon_creds,
-+ netlogon_pipe->binding_handle,
-+ current_nt_hash,
-+ previous_nt_hash);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+
-+ status = netlogon_creds_cli_get(netlogon_creds,
-+ frame, &creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_INTERNAL_ERROR;
-+ }
-+
-+ DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
-+ __FUNCTION__,
-+ creds->account_name, creds->computer_name,
-+ smbXcli_conn_remote_name(cli->conn)));
-+
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_OK;
-+}
-+
- /* Logon domain user */
-
- NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
-diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
-index ad59d5b..82e0923 100644
---- a/source3/rpc_client/cli_netlogon.h
-+++ b/source3/rpc_client/cli_netlogon.h
-@@ -23,6 +23,10 @@
- #ifndef _RPC_CLIENT_CLI_NETLOGON_H_
- #define _RPC_CLIENT_CLI_NETLOGON_H_
-
-+struct cli_state;
-+struct messaging_context;
-+struct netlogon_creds_cli_context;
-+
- /* The following definitions come from rpc_client/cli_netlogon.c */
-
- NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
-@@ -33,6 +37,18 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
- const unsigned char machine_pwd[16],
- enum netr_SchannelType sec_chan_type,
- uint32_t *neg_flags_inout);
-+NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
-+ const char *server_netbios_domain,
-+ const char *client_account,
-+ enum netr_SchannelType sec_chan_type,
-+ struct messaging_context *msg_ctx,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_cli_context **netlogon_creds);
-+NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
-+ struct netlogon_creds_cli_context *netlogon_creds,
-+ bool force_reauth,
-+ struct samr_Password current_nt_hash,
-+ const struct samr_Password *previous_nt_hash);
- NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
- uint32 logon_parameters,
---
-1.9.3
-
-
-From de0ed0882a458e52ef232e7d44234bf393311fc0 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 17 Dec 2013 20:05:56 +0100
-Subject: [PATCH 177/249] s3:rpc_client: add rpccli_pre_open_netlogon_creds()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 3c025af657899c9a2ff14f868c03ff72ab74cf8e)
----
- source3/rpc_client/cli_netlogon.c | 21 +++++++++++++++++++++
- source3/rpc_client/cli_netlogon.h | 1 +
- 2 files changed, 22 insertions(+)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index 89aec37..9342fc3 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -128,6 +128,27 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
- return NT_STATUS_OK;
- }
-
-+NTSTATUS rpccli_pre_open_netlogon_creds(void)
-+{
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct loadparm_context *lp_ctx;
-+ NTSTATUS status;
-+
-+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
-+ if (lp_ctx == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ status = netlogon_creds_cli_open_global_db(lp_ctx);
-+ TALLOC_FREE(frame);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ return NT_STATUS_OK;
-+}
-+
- NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
- const char *server_netbios_domain,
- const char *client_account,
-diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
-index 82e0923..3096c48 100644
---- a/source3/rpc_client/cli_netlogon.h
-+++ b/source3/rpc_client/cli_netlogon.h
-@@ -37,6 +37,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
- const unsigned char machine_pwd[16],
- enum netr_SchannelType sec_chan_type,
- uint32_t *neg_flags_inout);
-+NTSTATUS rpccli_pre_open_netlogon_creds(void);
- NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
- const char *server_netbios_domain,
- const char *client_account,
---
-1.9.3
-
-
-From f4f7df785d1641f1e21ad8374140715fd41be07a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 27 Aug 2013 14:07:43 +0200
-Subject: [PATCH 178/249] s3:rpc_client: remove unused
- rpccli_netlogon_sam_network_logon_ex()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit a07cc9a1c6ab8fee516e069a6f90bb48a7abf875)
----
- source3/rpc_client/cli_netlogon.c | 27 ---------------------------
- source3/rpc_client/cli_netlogon.h | 12 ------------
- 2 files changed, 39 deletions(-)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index 9342fc3..253d060 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -524,33 +524,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
- return NT_STATUS_OK;
- }
-
--NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
-- TALLOC_CTX *mem_ctx,
-- uint32 logon_parameters,
-- const char *server,
-- const char *username,
-- const char *domain,
-- const char *workstation,
-- const uint8 chal[8],
-- uint16_t validation_level,
-- DATA_BLOB lm_response,
-- DATA_BLOB nt_response,
-- struct netr_SamInfo3 **info3)
--{
-- return rpccli_netlogon_sam_network_logon(cli,
-- mem_ctx,
-- logon_parameters,
-- server,
-- username,
-- domain,
-- workstation,
-- chal,
-- validation_level,
-- lm_response,
-- nt_response,
-- info3);
--}
--
- /*********************************************************
- Change the domain password on the PDC.
-
-diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
-index 3096c48..f10e5c7 100644
---- a/source3/rpc_client/cli_netlogon.h
-+++ b/source3/rpc_client/cli_netlogon.h
-@@ -71,18 +71,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
- DATA_BLOB lm_response,
- DATA_BLOB nt_response,
- struct netr_SamInfo3 **info3);
--NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
-- TALLOC_CTX *mem_ctx,
-- uint32 logon_parameters,
-- const char *server,
-- const char *username,
-- const char *domain,
-- const char *workstation,
-- const uint8 chal[8],
-- uint16_t validation_level,
-- DATA_BLOB lm_response,
-- DATA_BLOB nt_response,
-- struct netr_SamInfo3 **info3);
- NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
- const char *account_name,
---
-1.9.3
-
-
-From b250859baf6c720e636c2435b0593af83acf6acc Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 27 Aug 2013 14:36:24 +0200
-Subject: [PATCH 179/249] s3:rpc_client: add rpccli_netlogon_network_logon()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 5196493c9e599b741417b119b48188ba0d646a37)
----
- source3/rpc_client/cli_netlogon.c | 103 ++++++++++++++++++++++++++++++++++++++
- source3/rpc_client/cli_netlogon.h | 14 ++++++
- 2 files changed, 117 insertions(+)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index 253d060..e335423 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -524,6 +524,109 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
- return NT_STATUS_OK;
- }
-
-+NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
-+ struct dcerpc_binding_handle *binding_handle,
-+ TALLOC_CTX *mem_ctx,
-+ uint32_t logon_parameters,
-+ const char *username,
-+ const char *domain,
-+ const char *workstation,
-+ const uint8 chal[8],
-+ DATA_BLOB lm_response,
-+ DATA_BLOB nt_response,
-+ uint8_t *authoritative,
-+ uint32_t *flags,
-+ struct netr_SamInfo3 **info3)
-+{
-+ NTSTATUS status;
-+ const char *workstation_name_slash;
-+ union netr_LogonLevel *logon = NULL;
-+ struct netr_NetworkInfo *network_info;
-+ uint16_t validation_level = 0;
-+ union netr_Validation *validation = NULL;
-+ uint8_t _authoritative = 0;
-+ uint32_t _flags = 0;
-+ struct netr_ChallengeResponse lm;
-+ struct netr_ChallengeResponse nt;
-+
-+ *info3 = NULL;
-+
-+ if (authoritative == NULL) {
-+ authoritative = &_authoritative;
-+ }
-+ if (flags == NULL) {
-+ flags = &_flags;
-+ }
-+
-+ ZERO_STRUCT(lm);
-+ ZERO_STRUCT(nt);
-+
-+ logon = talloc_zero(mem_ctx, union netr_LogonLevel);
-+ if (!logon) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
-+ if (!network_info) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ if (workstation[0] != '\\' && workstation[1] != '\\') {
-+ workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
-+ } else {
-+ workstation_name_slash = workstation;
-+ }
-+
-+ if (!workstation_name_slash) {
-+ DEBUG(0, ("talloc_asprintf failed!\n"));
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ /* Initialise input parameters */
-+
-+ lm.data = lm_response.data;
-+ lm.length = lm_response.length;
-+ nt.data = nt_response.data;
-+ nt.length = nt_response.length;
-+
-+ network_info->identity_info.domain_name.string = domain;
-+ network_info->identity_info.parameter_control = logon_parameters;
-+ network_info->identity_info.logon_id_low = 0xdead;
-+ network_info->identity_info.logon_id_high = 0xbeef;
-+ network_info->identity_info.account_name.string = username;
-+ network_info->identity_info.workstation.string = workstation_name_slash;
-+
-+ memcpy(network_info->challenge, chal, 8);
-+ network_info->nt = nt;
-+ network_info->lm = lm;
-+
-+ logon->network = network_info;
-+
-+ /* Marshall data and send request */
-+
-+ status = netlogon_creds_cli_LogonSamLogon(creds,
-+ binding_handle,
-+ NetlogonNetworkInformation,
-+ logon,
-+ mem_ctx,
-+ &validation_level,
-+ &validation,
-+ authoritative,
-+ flags);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ status = map_validation_to_info3(mem_ctx,
-+ validation_level, validation,
-+ info3);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ return NT_STATUS_OK;
-+}
-+
- /*********************************************************
- Change the domain password on the PDC.
-
-diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
-index f10e5c7..54ed7ae 100644
---- a/source3/rpc_client/cli_netlogon.h
-+++ b/source3/rpc_client/cli_netlogon.h
-@@ -26,6 +26,7 @@
- struct cli_state;
- struct messaging_context;
- struct netlogon_creds_cli_context;
-+struct dcerpc_binding_handle;
-
- /* The following definitions come from rpc_client/cli_netlogon.c */
-
-@@ -71,6 +72,19 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
- DATA_BLOB lm_response,
- DATA_BLOB nt_response,
- struct netr_SamInfo3 **info3);
-+NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
-+ struct dcerpc_binding_handle *binding_handle,
-+ TALLOC_CTX *mem_ctx,
-+ uint32_t logon_parameters,
-+ const char *username,
-+ const char *domain,
-+ const char *workstation,
-+ const uint8 chal[8],
-+ DATA_BLOB lm_response,
-+ DATA_BLOB nt_response,
-+ uint8_t *authoritative,
-+ uint32_t *flags,
-+ struct netr_SamInfo3 **info3);
- NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
- const char *account_name,
---
-1.9.3
-
-
-From 2488e78fdf3058bf3a48c2086afd0f3248a43417 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 27 Aug 2013 14:56:06 +0200
-Subject: [PATCH 180/249] s3:rpc_client: add rpccli_netlogon_password_logon()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit b7dc3fb20468aa67ea7ddc1cea21fbe458e74565)
----
- source3/rpc_client/cli_netlogon.c | 133 ++++++++++++++++++++++++++++++++++++++
- source3/rpc_client/cli_netlogon.h | 8 +++
- 2 files changed, 141 insertions(+)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index e335423..a9f8604 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -376,6 +376,139 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
- return NT_STATUS_OK;
- }
-
-+NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
-+ struct dcerpc_binding_handle *binding_handle,
-+ uint32_t logon_parameters,
-+ const char *domain,
-+ const char *username,
-+ const char *password,
-+ const char *workstation,
-+ enum netr_LogonInfoClass logon_type)
-+{
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ NTSTATUS status;
-+ union netr_LogonLevel *logon;
-+ uint16_t validation_level = 0;
-+ union netr_Validation *validation = NULL;
-+ uint8_t authoritative = 0;
-+ uint32_t flags = 0;
-+ char *workstation_slash = NULL;
-+
-+ logon = talloc_zero(frame, union netr_LogonLevel);
-+ if (logon == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ if (workstation == NULL) {
-+ workstation = lp_netbios_name();
-+ }
-+
-+ workstation_slash = talloc_asprintf(frame, "\\\\%s", workstation);
-+ if (workstation_slash == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ /* Initialise input parameters */
-+
-+ switch (logon_type) {
-+ case NetlogonInteractiveInformation: {
-+
-+ struct netr_PasswordInfo *password_info;
-+
-+ struct samr_Password lmpassword;
-+ struct samr_Password ntpassword;
-+
-+ password_info = talloc_zero(frame, struct netr_PasswordInfo);
-+ if (password_info == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
-+
-+ password_info->identity_info.domain_name.string = domain;
-+ password_info->identity_info.parameter_control = logon_parameters;
-+ password_info->identity_info.logon_id_low = 0xdead;
-+ password_info->identity_info.logon_id_high = 0xbeef;
-+ password_info->identity_info.account_name.string = username;
-+ password_info->identity_info.workstation.string = workstation_slash;
-+
-+ password_info->lmpassword = lmpassword;
-+ password_info->ntpassword = ntpassword;
-+
-+ logon->password = password_info;
-+
-+ break;
-+ }
-+ case NetlogonNetworkInformation: {
-+ struct netr_NetworkInfo *network_info;
-+ uint8 chal[8];
-+ unsigned char local_lm_response[24];
-+ unsigned char local_nt_response[24];
-+ struct netr_ChallengeResponse lm;
-+ struct netr_ChallengeResponse nt;
-+
-+ ZERO_STRUCT(lm);
-+ ZERO_STRUCT(nt);
-+
-+ network_info = talloc_zero(frame, struct netr_NetworkInfo);
-+ if (network_info == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ generate_random_buffer(chal, 8);
-+
-+ SMBencrypt(password, chal, local_lm_response);
-+ SMBNTencrypt(password, chal, local_nt_response);
-+
-+ lm.length = 24;
-+ lm.data = local_lm_response;
-+
-+ nt.length = 24;
-+ nt.data = local_nt_response;
-+
-+ network_info->identity_info.domain_name.string = domain;
-+ network_info->identity_info.parameter_control = logon_parameters;
-+ network_info->identity_info.logon_id_low = 0xdead;
-+ network_info->identity_info.logon_id_high = 0xbeef;
-+ network_info->identity_info.account_name.string = username;
-+ network_info->identity_info.workstation.string = workstation_slash;
-+
-+ memcpy(network_info->challenge, chal, 8);
-+ network_info->nt = nt;
-+ network_info->lm = lm;
-+
-+ logon->network = network_info;
-+
-+ break;
-+ }
-+ default:
-+ DEBUG(0, ("switch value %d not supported\n",
-+ logon_type));
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_INVALID_INFO_CLASS;
-+ }
-+
-+ status = netlogon_creds_cli_LogonSamLogon(creds,
-+ binding_handle,
-+ logon_type,
-+ logon,
-+ frame,
-+ &validation_level,
-+ &validation,
-+ &authoritative,
-+ &flags);
-+ TALLOC_FREE(frame);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ return NT_STATUS_OK;
-+}
-+
- static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
- uint16_t validation_level,
- union netr_Validation *validation,
-diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
-index 54ed7ae..d4c6670 100644
---- a/source3/rpc_client/cli_netlogon.h
-+++ b/source3/rpc_client/cli_netlogon.h
-@@ -60,6 +60,14 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
- const char *workstation,
- uint16_t validation_level,
- int logon_type);
-+NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
-+ struct dcerpc_binding_handle *binding_handle,
-+ uint32_t logon_parameters,
-+ const char *domain,
-+ const char *username,
-+ const char *password,
-+ const char *workstation,
-+ enum netr_LogonInfoClass logon_type);
- NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
- uint32 logon_parameters,
---
-1.9.3
-
-
-From 10c272f991643913358efd5fefb28fc1ce307c70 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 17 Dec 2013 20:06:14 +0100
-Subject: [PATCH 181/249] s3:winbindd: call rpccli_pre_open_netlogon_creds() in
- the parent
-
-This opens the CLEAR_IF_FIRST tdb in the long living parent.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 07126b6fb22cebce660d1d1a4f0f9fb905064aa0)
----
- source3/winbindd/winbindd.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
-index 69a17bf..a90c8fe 100644
---- a/source3/winbindd/winbindd.c
-+++ b/source3/winbindd/winbindd.c
-@@ -31,6 +31,7 @@
- #include "../librpc/gen_ndr/srv_lsa.h"
- #include "../librpc/gen_ndr/srv_samr.h"
- #include "secrets.h"
-+#include "rpc_client/cli_netlogon.h"
- #include "idmap.h"
- #include "lib/addrchange.h"
- #include "serverid.h"
-@@ -1538,6 +1539,13 @@ int main(int argc, char **argv, char **envp)
- return False;
- }
-
-+ status = rpccli_pre_open_netlogon_creds();
-+ if (!NT_STATUS_IS_OK(status)) {
-+ DEBUG(0, ("rpccli_pre_open_netlogon_creds() - %s\n",
-+ nt_errstr(status)));
-+ exit(1);
-+ }
-+
- /* Unblock all signals we are interested in as they may have been
- blocked by the parent process. */
-
---
-1.9.3
-
-
-From 4cb4ec2065f1f8b3598eb37ca24ce0f8fdf567aa Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 7 Aug 2013 11:32:44 +0200
-Subject: [PATCH 182/249] s3:winbindd: make use of
- rpccli_{create,setup}_netlogon_creds()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 22e4e2c1d1252e434cb928d4530c378a62a64138)
----
- source3/winbindd/winbindd.h | 3 +
- source3/winbindd/winbindd_cm.c | 125 ++++++++++++++++++++---------------
- source3/winbindd/winbindd_dual_srv.c | 1 +
- 3 files changed, 77 insertions(+), 52 deletions(-)
-
-diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
-index b5fc010..8f89e27 100644
---- a/source3/winbindd/winbindd.h
-+++ b/source3/winbindd/winbindd.h
-@@ -116,6 +116,9 @@ struct winbindd_cm_conn {
- struct policy_handle lsa_policy;
-
- struct rpc_pipe_client *netlogon_pipe;
-+ struct netlogon_creds_cli_context *netlogon_creds;
-+ uint32_t netlogon_flags;
-+ bool netlogon_force_reauth;
- };
-
- /* Async child */
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index 1546002..7b6cc96 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -79,6 +79,7 @@
- #include "auth/gensec/gensec.h"
- #include "../libcli/smb/smbXcli_base.h"
- #include "lib/param/loadparm.h"
-+#include "libcli/auth/netlogon_creds_cli.h"
-
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_WINBIND
-@@ -1826,6 +1827,9 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
- }
-
- conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
-+ conn->netlogon_force_reauth = false;
-+ conn->netlogon_flags = 0;
-+ TALLOC_FREE(conn->netlogon_creds);
-
- if (conn->cli) {
- cli_shutdown(conn->cli);
-@@ -2292,8 +2296,18 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- struct rpc_pipe_client *netlogon_pipe;
-
-- if (lp_client_schannel() == False) {
-- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-+ *ppdc = NULL;
-+
-+ if ((!IS_DC) && (!domain->primary)) {
-+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
-+ }
-+
-+ if (domain->conn.netlogon_creds != NULL) {
-+ if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
-+ }
-+ *ppdc = domain->conn.netlogon_creds;
-+ return NT_STATUS_OK;
- }
-
- result = cm_connect_netlogon(domain, &netlogon_pipe);
-@@ -2301,14 +2315,15 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
- return result;
- }
-
-- /* Return a pointer to the struct netlogon_creds_CredentialState from the
-- netlogon pipe. */
-+ if (domain->conn.netlogon_creds == NULL) {
-+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
-+ }
-
-- if (!domain->conn.netlogon_pipe->netlogon_creds) {
-- return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
-+ if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
- }
-
-- *ppdc = domain->conn.netlogon_pipe->netlogon_creds;
-+ *ppdc = domain->conn.netlogon_creds;
- return NT_STATUS_OK;
- }
-
-@@ -2747,14 +2762,16 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
- NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
- struct rpc_pipe_client **cli)
- {
-+ struct messaging_context *msg_ctx = winbind_messaging_context();
- struct winbindd_cm_conn *conn;
- NTSTATUS result;
--
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
-- uint8_t mach_pwd[16];
- enum netr_SchannelType sec_chan_type;
-+ const char *_account_name;
- const char *account_name;
-- struct rpc_pipe_client *netlogon_pipe = NULL;
-+ struct samr_Password current_nt_hash;
-+ struct samr_Password *previous_nt_hash = NULL;
-+ struct netlogon_creds_CredentialState *creds = NULL;
-+ bool ok;
-
- *cli = NULL;
-
-@@ -2771,60 +2788,68 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
- }
-
- TALLOC_FREE(conn->netlogon_pipe);
--
-- result = cli_rpc_pipe_open_noauth(conn->cli,
-- &ndr_table_netlogon,
-- &netlogon_pipe);
-- if (!NT_STATUS_IS_OK(result)) {
-- return result;
-- }
-+ conn->netlogon_flags = 0;
-+ TALLOC_FREE(conn->netlogon_creds);
-
- if ((!IS_DC) && (!domain->primary)) {
-- /* Clear the schannel request bit and drop down */
-- neg_flags &= ~NETLOGON_NEG_SCHANNEL;
- goto no_schannel;
- }
-
-- if (lp_client_schannel() != False) {
-- neg_flags |= NETLOGON_NEG_SCHANNEL;
-+ ok = get_trust_pw_hash(domain->name,
-+ current_nt_hash.hash,
-+ &_account_name,
-+ &sec_chan_type);
-+ if (!ok) {
-+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
-- if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
-- &sec_chan_type))
-- {
-- TALLOC_FREE(netlogon_pipe);
-- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-+ account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
-+ if (account_name == NULL) {
-+ return NT_STATUS_NO_MEMORY;
- }
-
-- result = rpccli_netlogon_setup_creds(
-- netlogon_pipe,
-- domain->dcname, /* server name. */
-- domain->name, /* domain name */
-- lp_netbios_name(), /* client name */
-- account_name, /* machine account */
-- mach_pwd, /* machine password */
-- sec_chan_type, /* from get_trust_pw */
-- &neg_flags);
-+ result = rpccli_create_netlogon_creds(domain->dcname,
-+ domain->name,
-+ account_name,
-+ sec_chan_type,
-+ msg_ctx,
-+ domain,
-+ &conn->netlogon_creds);
-+ if (!NT_STATUS_IS_OK(result)) {
-+ SAFE_FREE(previous_nt_hash);
-+ return result;
-+ }
-
-+ result = rpccli_setup_netlogon_creds(conn->cli,
-+ conn->netlogon_creds,
-+ conn->netlogon_force_reauth,
-+ current_nt_hash,
-+ previous_nt_hash);
-+ conn->netlogon_force_reauth = false;
-+ SAFE_FREE(previous_nt_hash);
- if (!NT_STATUS_IS_OK(result)) {
-- TALLOC_FREE(netlogon_pipe);
- return result;
- }
-
-- if ((lp_client_schannel() == True) &&
-- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-- DEBUG(3, ("Server did not offer schannel\n"));
-- TALLOC_FREE(netlogon_pipe);
-- return NT_STATUS_ACCESS_DENIED;
-+ result = netlogon_creds_cli_get(conn->netlogon_creds,
-+ talloc_tos(),
-+ &creds);
-+ if (!NT_STATUS_IS_OK(result)) {
-+ return result;
- }
-+ conn->netlogon_flags = creds->negotiate_flags;
-+ TALLOC_FREE(creds);
-
- no_schannel:
-- if ((lp_client_schannel() == False) ||
-- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-+ if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-+ result = cli_rpc_pipe_open_noauth(conn->cli,
-+ &ndr_table_netlogon,
-+ &conn->netlogon_pipe);
-+ if (!NT_STATUS_IS_OK(result)) {
-+ invalidate_cm_connection(conn);
-+ return result;
-+ }
-
-- /* We're done - just keep the existing connection to NETLOGON
-- * open */
-- conn->netlogon_pipe = netlogon_pipe;
- *cli = conn->netlogon_pipe;
- return NT_STATUS_OK;
- }
-@@ -2837,12 +2862,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
- result = cli_rpc_pipe_open_schannel_with_key(
- conn->cli, &ndr_table_netlogon, NCACN_NP,
- domain->name,
-- netlogon_pipe->netlogon_creds,
-+ conn->netlogon_creds,
- &conn->netlogon_pipe);
--
-- /* We can now close the initial netlogon pipe. */
-- TALLOC_FREE(netlogon_pipe);
--
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
- "was %s\n", nt_errstr(result)));
-diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
-index b873655..001591a 100644
---- a/source3/winbindd/winbindd_dual_srv.c
-+++ b/source3/winbindd/winbindd_dual_srv.c
-@@ -580,6 +580,7 @@ NTSTATUS _wbint_CheckMachineAccount(struct pipes_struct *p,
-
- again:
- invalidate_cm_connection(&domain->conn);
-+ domain->conn.netlogon_force_reauth = true;
-
- {
- struct rpc_pipe_client *netlogon_pipe;
---
-1.9.3
-
-
-From dc77edf0b74a88950f4de2472c05a73fcc629dc1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 27 Aug 2013 13:07:45 +0200
-Subject: [PATCH 183/249] s3:auth_domain: simplify
- connect_to_domain_password_server()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit d9d55f5406949187901476d673c7d6ff0fc165c2)
----
- source3/auth/auth_domain.c | 31 ++++++++++++-------------------
- 1 file changed, 12 insertions(+), 19 deletions(-)
-
-diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
-index 9f88c4a..ae27bf0 100644
---- a/source3/auth/auth_domain.c
-+++ b/source3/auth/auth_domain.c
-@@ -47,16 +47,17 @@ static struct named_mutex *mutex;
- *
- **/
-
--static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
-+static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
- const char *domain,
- const char *dc_name,
- const struct sockaddr_storage *dc_ss,
- struct rpc_pipe_client **pipe_ret)
- {
-- NTSTATUS result;
-+ NTSTATUS result;
-+ struct cli_state *cli = NULL;
- struct rpc_pipe_client *netlogon_pipe = NULL;
-
-- *cli = NULL;
-+ *cli_ret = NULL;
-
- *pipe_ret = NULL;
-
-@@ -80,7 +81,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
- }
-
- /* Attempt connection */
-- result = cli_full_connection(cli, lp_netbios_name(), dc_name, dc_ss, 0,
-+ result = cli_full_connection(&cli, lp_netbios_name(), dc_name, dc_ss, 0,
- "IPC$", "IPC", "", "", "", 0, SMB_SIGNING_DEFAULT);
-
- if (!NT_STATUS_IS_OK(result)) {
-@@ -89,11 +90,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
- result = NT_STATUS_NO_LOGON_SERVERS;
- }
-
-- if (*cli) {
-- cli_shutdown(*cli);
-- *cli = NULL;
-- }
--
- TALLOC_FREE(mutex);
- return result;
- }
-@@ -115,18 +111,17 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
- if (lp_client_schannel()) {
- /* We also setup the creds chain in the open_schannel call. */
- result = cli_rpc_pipe_open_schannel(
-- *cli, &ndr_table_netlogon, NCACN_NP,
-+ cli, &ndr_table_netlogon, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
- } else {
- result = cli_rpc_pipe_open_noauth(
-- *cli, &ndr_table_netlogon, &netlogon_pipe);
-+ cli, &ndr_table_netlogon, &netlogon_pipe);
- }
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
- machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
-- cli_shutdown(*cli);
-- *cli = NULL;
-+ cli_shutdown(cli);
- TALLOC_FREE(mutex);
- return result;
- }
-@@ -145,8 +140,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
- DEBUG(0, ("connect_to_domain_password_server: could not fetch "
- "trust account password for domain '%s'\n",
- domain));
-- cli_shutdown(*cli);
-- *cli = NULL;
-+ cli_shutdown(cli);
- TALLOC_FREE(mutex);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-@@ -161,8 +155,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
- &neg_flags);
-
- if (!NT_STATUS_IS_OK(result)) {
-- cli_shutdown(*cli);
-- *cli = NULL;
-+ cli_shutdown(cli);
- TALLOC_FREE(mutex);
- return result;
- }
-@@ -172,14 +165,14 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
- DEBUG(0, ("connect_to_domain_password_server: unable to open "
- "the domain client session to machine %s. Error "
- "was : %s.\n", dc_name, nt_errstr(result)));
-- cli_shutdown(*cli);
-- *cli = NULL;
-+ cli_shutdown(cli);
- TALLOC_FREE(mutex);
- return NT_STATUS_NO_LOGON_SERVERS;
- }
-
- /* We exit here with the mutex *locked*. JRA */
-
-+ *cli_ret = cli;
- *pipe_ret = netlogon_pipe;
-
- return NT_STATUS_OK;
---
-1.9.3
-
-
-From 8fc2ffafd545dbc4af4c1ebab5fb631da18cade4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 27 Aug 2013 15:01:10 +0200
-Subject: [PATCH 184/249] s3:auth_domain: make use of
- rpccli_{create,setup}_netlogon_creds()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 34e66780e573bebf4b971fb96e1ed8680c1488a9)
----
- source3/auth/auth_domain.c | 136 ++++++++++++++++++++++++++++-----------------
- 1 file changed, 85 insertions(+), 51 deletions(-)
-
-diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
-index ae27bf0..bf2671c 100644
---- a/source3/auth/auth_domain.c
-+++ b/source3/auth/auth_domain.c
-@@ -27,6 +27,7 @@
- #include "secrets.h"
- #include "passdb.h"
- #include "libsmb/libsmb.h"
-+#include "libcli/auth/netlogon_creds_cli.h"
-
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_AUTH
-@@ -53,9 +54,20 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
- const struct sockaddr_storage *dc_ss,
- struct rpc_pipe_client **pipe_ret)
- {
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct messaging_context *msg_ctx = server_messaging_context();
- NTSTATUS result;
- struct cli_state *cli = NULL;
- struct rpc_pipe_client *netlogon_pipe = NULL;
-+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
-+ struct netlogon_creds_CredentialState *creds = NULL;
-+ uint32_t netlogon_flags = 0;
-+ enum netr_SchannelType sec_chan_type = 0;
-+ const char *_account_name = NULL;
-+ const char *account_name = NULL;
-+ struct samr_Password current_nt_hash;
-+ struct samr_Password *previous_nt_hash = NULL;
-+ bool ok;
-
- *cli_ret = NULL;
-
-@@ -77,6 +89,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
-
- mutex = grab_named_mutex(NULL, dc_name, 10);
- if (mutex == NULL) {
-+ TALLOC_FREE(frame);
- return NT_STATUS_NO_LOGON_SERVERS;
- }
-
-@@ -91,6 +104,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
- }
-
- TALLOC_FREE(mutex);
-+ TALLOC_FREE(frame);
- return result;
- }
-
-@@ -98,67 +112,85 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
- * We now have an anonymous connection to IPC$ on the domain password server.
- */
-
-- /*
-- * Even if the connect succeeds we need to setup the netlogon
-- * pipe here. We do this as we may just have changed the domain
-- * account password on the PDC and yet we may be talking to
-- * a BDC that doesn't have this replicated yet. In this case
-- * a successful connect to a DC needs to take the netlogon connect
-- * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
-- */
-+ ok = get_trust_pw_hash(domain,
-+ current_nt_hash.hash,
-+ &_account_name,
-+ &sec_chan_type);
-+ if (!ok) {
-+ cli_shutdown(cli);
-+ TALLOC_FREE(mutex);
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-+ }
-
-- /* open the netlogon pipe. */
-- if (lp_client_schannel()) {
-- /* We also setup the creds chain in the open_schannel call. */
-- result = cli_rpc_pipe_open_schannel(
-- cli, &ndr_table_netlogon, NCACN_NP,
-- DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
-- } else {
-- result = cli_rpc_pipe_open_noauth(
-- cli, &ndr_table_netlogon, &netlogon_pipe);
-+ account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
-+ if (account_name == NULL) {
-+ cli_shutdown(cli);
-+ TALLOC_FREE(mutex);
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
- }
-
-+ result = rpccli_create_netlogon_creds(dc_name,
-+ domain,
-+ account_name,
-+ sec_chan_type,
-+ msg_ctx,
-+ talloc_tos(),
-+ &netlogon_creds);
- if (!NT_STATUS_IS_OK(result)) {
-- DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
--machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
- cli_shutdown(cli);
- TALLOC_FREE(mutex);
-+ TALLOC_FREE(frame);
-+ SAFE_FREE(previous_nt_hash);
- return result;
- }
-
-- if (!lp_client_schannel()) {
-- /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-- NETLOGON_NEG_SUPPORTS_AES;
-- enum netr_SchannelType sec_chan_type = 0;
-- unsigned char machine_pwd[16];
-- const char *account_name;
--
-- if (!get_trust_pw_hash(domain, machine_pwd, &account_name,
-- &sec_chan_type))
-- {
-- DEBUG(0, ("connect_to_domain_password_server: could not fetch "
-- "trust account password for domain '%s'\n",
-- domain));
-- cli_shutdown(cli);
-- TALLOC_FREE(mutex);
-- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-- }
-+ result = rpccli_setup_netlogon_creds(cli,
-+ netlogon_creds,
-+ false, /* force_reauth */
-+ current_nt_hash,
-+ previous_nt_hash);
-+ SAFE_FREE(previous_nt_hash);
-+ if (!NT_STATUS_IS_OK(result)) {
-+ cli_shutdown(cli);
-+ TALLOC_FREE(mutex);
-+ TALLOC_FREE(frame);
-+ return result;
-+ }
-
-- result = rpccli_netlogon_setup_creds(netlogon_pipe,
-- dc_name, /* server name */
-- domain, /* domain */
-- lp_netbios_name(), /* client name */
-- account_name, /* machine account name */
-- machine_pwd,
-- sec_chan_type,
-- &neg_flags);
--
-- if (!NT_STATUS_IS_OK(result)) {
-- cli_shutdown(cli);
-- TALLOC_FREE(mutex);
-- return result;
-- }
-+ result = netlogon_creds_cli_get(netlogon_creds,
-+ talloc_tos(),
-+ &creds);
-+ if (!NT_STATUS_IS_OK(result)) {
-+ cli_shutdown(cli);
-+ TALLOC_FREE(mutex);
-+ TALLOC_FREE(frame);
-+ return result;
-+ }
-+ netlogon_flags = creds->negotiate_flags;
-+ TALLOC_FREE(creds);
-+
-+ if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
-+ result = cli_rpc_pipe_open_schannel_with_key(
-+ cli, &ndr_table_netlogon, NCACN_NP,
-+ domain, netlogon_creds, &netlogon_pipe);
-+ } else {
-+ result = cli_rpc_pipe_open_noauth(cli,
-+ &ndr_table_netlogon,
-+ &netlogon_pipe);
-+ }
-+
-+ if (!NT_STATUS_IS_OK(result)) {
-+ DEBUG(0,("connect_to_domain_password_server: "
-+ "unable to open the domain client session to "
-+ "machine %s. Flags[0x%08X] Error was : %s.\n",
-+ dc_name, (unsigned)netlogon_flags,
-+ nt_errstr(result)));
-+ cli_shutdown(cli);
-+ TALLOC_FREE(mutex);
-+ TALLOC_FREE(frame);
-+ return result;
- }
-
- if(!netlogon_pipe) {
-@@ -167,6 +199,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
- "was : %s.\n", dc_name, nt_errstr(result)));
- cli_shutdown(cli);
- TALLOC_FREE(mutex);
-+ TALLOC_FREE(frame);
- return NT_STATUS_NO_LOGON_SERVERS;
- }
-
-@@ -175,6 +208,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
- *cli_ret = cli;
- *pipe_ret = netlogon_pipe;
-
-+ TALLOC_FREE(frame);
- return NT_STATUS_OK;
- }
-
---
-1.9.3
-
-
-From 5cc57e577bc7d144176ffe6f21ed24a95661a861 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 27 Aug 2013 15:02:26 +0200
-Subject: [PATCH 185/249] s3:auth_domain: make use of
- rpccli_netlogon_network_logon()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 531bbf3aff3fb08aaf112b21038f20544db60b69)
----
- source3/auth/auth_domain.c | 36 ++++++++++++++++++++++--------------
- 1 file changed, 22 insertions(+), 14 deletions(-)
-
-diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
-index bf2671c..937841c 100644
---- a/source3/auth/auth_domain.c
-+++ b/source3/auth/auth_domain.c
-@@ -52,7 +52,8 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
- const char *domain,
- const char *dc_name,
- const struct sockaddr_storage *dc_ss,
-- struct rpc_pipe_client **pipe_ret)
-+ struct rpc_pipe_client **pipe_ret,
-+ struct netlogon_creds_cli_context **creds_ret)
- {
- TALLOC_CTX *frame = talloc_stackframe();
- struct messaging_context *msg_ctx = server_messaging_context();
-@@ -72,6 +73,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
- *cli_ret = NULL;
-
- *pipe_ret = NULL;
-+ *creds_ret = NULL;
-
- /* TODO: Send a SAMLOGON request to determine whether this is a valid
- logonserver. We can avoid a 30-second timeout if the DC is down
-@@ -207,6 +209,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
-
- *cli_ret = cli;
- *pipe_ret = netlogon_pipe;
-+ *creds_ret = netlogon_creds;
-
- TALLOC_FREE(frame);
- return NT_STATUS_OK;
-@@ -230,8 +233,11 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
- struct netr_SamInfo3 *info3 = NULL;
- struct cli_state *cli = NULL;
- struct rpc_pipe_client *netlogon_pipe = NULL;
-+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
- NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS;
- int i;
-+ uint8_t authoritative = 0;
-+ uint32_t flags = 0;
-
- /*
- * At this point, smb_apasswd points to the lanman response to
-@@ -248,7 +254,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
- domain,
- dc_name,
- dc_ss,
-- &netlogon_pipe);
-+ &netlogon_pipe,
-+ &netlogon_creds);
- }
-
- if ( !NT_STATUS_IS_OK(nt_status) ) {
-@@ -268,18 +275,19 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
- * in the info3 structure.
- */
-
-- nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
-- mem_ctx,
-- user_info->logon_parameters, /* flags such as 'allow workstation logon' */
-- dc_name, /* server name */
-- user_info->client.account_name, /* user name logging on. */
-- user_info->client.domain_name, /* domain name */
-- user_info->workstation_name, /* workstation name */
-- chal, /* 8 byte challenge. */
-- 3, /* validation level */
-- user_info->password.response.lanman, /* lanman 24 byte response */
-- user_info->password.response.nt, /* nt 24 byte response */
-- &info3); /* info3 out */
-+ nt_status = rpccli_netlogon_network_logon(netlogon_creds,
-+ netlogon_pipe->binding_handle,
-+ mem_ctx,
-+ user_info->logon_parameters, /* flags such as 'allow workstation logon' */
-+ user_info->client.account_name, /* user name logging on. */
-+ user_info->client.domain_name, /* domain name */
-+ user_info->workstation_name, /* workstation name */
-+ chal, /* 8 byte challenge. */
-+ user_info->password.response.lanman, /* lanman 24 byte response */
-+ user_info->password.response.nt, /* nt 24 byte response */
-+ &authoritative,
-+ &flags,
-+ &info3); /* info3 out */
-
- /* Let go as soon as possible so we avoid any potential deadlocks
- with winbind lookup up users or groups. */
---
-1.9.3
-
-
-From 5da4eca4d30b3894426a4f7cb0512ae61c097cbc Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 2 Sep 2013 19:32:23 +0200
-Subject: [PATCH 186/249] s3:libnet_join: make use of
- rpccli_{create,setup}_netlogon_creds()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 963800539cea7487fc6258f8ac8f7cacc3426b83)
----
- source3/libnet/libnet_join.c | 110 +++++++++++++++++++++++++++++++------------
- source3/libnet/libnet_join.h | 5 +-
- source3/utils/net_rpc.c | 4 +-
- 3 files changed, 86 insertions(+), 33 deletions(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index b2805ee..6e653c3 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -40,6 +40,8 @@
- #include "libsmb/libsmb.h"
- #include "../libcli/smb/smbXcli_base.h"
- #include "lib/param/loadparm.h"
-+#include "libcli/auth/netlogon_creds_cli.h"
-+#include "auth/credentials/credentials.h"
-
- /****************************************************************
- ****************************************************************/
-@@ -1189,38 +1191,52 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
- /****************************************************************
- ****************************************************************/
-
--NTSTATUS libnet_join_ok(const char *netbios_domain_name,
-- const char *machine_name,
-+NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
-+ const char *netbios_domain_name,
- const char *dc_name,
- const bool use_kerberos)
- {
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-- NETLOGON_NEG_SUPPORTS_AES;
-+ TALLOC_CTX *frame = talloc_stackframe();
- struct cli_state *cli = NULL;
-- struct rpc_pipe_client *pipe_hnd = NULL;
- struct rpc_pipe_client *netlogon_pipe = NULL;
-+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
-+ struct netlogon_creds_CredentialState *creds = NULL;
-+ uint32_t netlogon_flags = 0;
-+ enum netr_SchannelType sec_chan_type = 0;
- NTSTATUS status;
- char *machine_password = NULL;
-- char *machine_account = NULL;
-+ const char *machine_name = NULL;
-+ const char *machine_account = NULL;
- int flags = 0;
-+ struct samr_Password current_nt_hash;
-+ struct samr_Password *previous_nt_hash = NULL;
-+ bool ok;
-
- if (!dc_name) {
-+ TALLOC_FREE(frame);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (!secrets_init()) {
-+ TALLOC_FREE(frame);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
-- machine_password = secrets_fetch_machine_password(netbios_domain_name,
-- NULL, NULL);
-- if (!machine_password) {
-- return NT_STATUS_NO_TRUST_LSA_SECRET;
-+ ok = get_trust_pw_clear(netbios_domain_name,
-+ &machine_password,
-+ &machine_name,
-+ &sec_chan_type);
-+ if (!ok) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
-- if (asprintf(&machine_account, "%s$", machine_name) == -1) {
-+ machine_account = talloc_asprintf(frame, "%s$", machine_name);
-+ if (machine_account == NULL) {
- SAFE_FREE(machine_password);
-- return NT_STATUS_NO_MEMORY;
-+ SAFE_FREE(previous_nt_hash);
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
- if (use_kerberos) {
-@@ -1232,12 +1248,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
- NULL, 0,
- "IPC$", "IPC",
- machine_account,
-- NULL,
-+ netbios_domain_name,
- machine_password,
- flags,
- SMB_SIGNING_DEFAULT);
-- free(machine_account);
-- free(machine_password);
-+
-+ E_md4hash(machine_password, current_nt_hash.hash);
-+ SAFE_FREE(machine_password);
-
- if (!NT_STATUS_IS_OK(status)) {
- status = cli_full_connection(&cli, NULL,
-@@ -1252,36 +1269,65 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
- }
-
- if (!NT_STATUS_IS_OK(status)) {
-+ SAFE_FREE(previous_nt_hash);
-+ TALLOC_FREE(frame);
- return status;
- }
-
-- status = get_schannel_session_key(cli, netbios_domain_name,
-- &neg_flags, &netlogon_pipe);
-+ status = rpccli_create_netlogon_creds(dc_name,
-+ netbios_domain_name,
-+ machine_account,
-+ sec_chan_type,
-+ msg_ctx,
-+ frame,
-+ &netlogon_creds);
- if (!NT_STATUS_IS_OK(status)) {
-- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
-- cli_shutdown(cli);
-- return NT_STATUS_OK;
-- }
-+ SAFE_FREE(previous_nt_hash);
-+ cli_shutdown(cli);
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-
-- DEBUG(0,("libnet_join_ok: failed to get schannel session "
-- "key from server %s for domain %s. Error was %s\n",
-- smbXcli_conn_remote_name(cli->conn),
-- netbios_domain_name, nt_errstr(status)));
-+ status = rpccli_setup_netlogon_creds(cli,
-+ netlogon_creds,
-+ true, /* force_reauth */
-+ current_nt_hash,
-+ previous_nt_hash);
-+ SAFE_FREE(previous_nt_hash);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ DEBUG(0,("connect_to_domain_password_server: "
-+ "unable to open the domain client session to "
-+ "machine %s. Flags[0x%08X] Error was : %s.\n",
-+ dc_name, (unsigned)netlogon_flags,
-+ nt_errstr(status)));
-+ cli_shutdown(cli);
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+
-+ status = netlogon_creds_cli_get(netlogon_creds,
-+ talloc_tos(),
-+ &creds);
-+ if (!NT_STATUS_IS_OK(status)) {
- cli_shutdown(cli);
-+ TALLOC_FREE(frame);
- return status;
- }
-+ netlogon_flags = creds->negotiate_flags;
-+ TALLOC_FREE(creds);
-
-- if (!lp_client_schannel()) {
-+ if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
- cli_shutdown(cli);
-+ TALLOC_FREE(frame);
- return NT_STATUS_OK;
- }
-
- status = cli_rpc_pipe_open_schannel_with_key(
- cli, &ndr_table_netlogon, NCACN_NP,
- netbios_domain_name,
-- netlogon_pipe->netlogon_creds, &pipe_hnd);
-+ netlogon_creds, &netlogon_pipe);
-
-- cli_shutdown(cli);
-+ TALLOC_FREE(netlogon_pipe);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("libnet_join_ok: failed to open schannel session "
-@@ -1289,9 +1335,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
- "Error was %s\n",
- smbXcli_conn_remote_name(cli->conn),
- netbios_domain_name, nt_errstr(status)));
-+ cli_shutdown(cli);
-+ TALLOC_FREE(frame);
- return status;
- }
-
-+ cli_shutdown(cli);
-+ TALLOC_FREE(frame);
- return NT_STATUS_OK;
- }
-
-@@ -1303,8 +1353,8 @@ static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
- {
- NTSTATUS status;
-
-- status = libnet_join_ok(r->out.netbios_domain_name,
-- r->in.machine_name,
-+ status = libnet_join_ok(r->in.msg_ctx,
-+ r->out.netbios_domain_name,
- r->in.dc_name,
- r->in.use_kerberos);
- if (!NT_STATUS_IS_OK(status)) {
-diff --git a/source3/libnet/libnet_join.h b/source3/libnet/libnet_join.h
-index 58c33b2..b7e2f0b 100644
---- a/source3/libnet/libnet_join.h
-+++ b/source3/libnet/libnet_join.h
-@@ -23,8 +23,9 @@
-
- /* The following definitions come from libnet/libnet_join.c */
-
--NTSTATUS libnet_join_ok(const char *netbios_domain_name,
-- const char *machine_name,
-+struct messaging_context;
-+NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
-+ const char *netbios_domain_name,
- const char *dc_name,
- const bool use_kerberos);
- WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index dff8801..9de74c0 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -493,7 +493,9 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
- }
-
- /* Display success or failure */
-- status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
-+ status = libnet_join_ok(c->msg_ctx,
-+ c->opt_workgroup,
-+ dc,
- c->opt_kerberos);
- if (!NT_STATUS_IS_OK(status)) {
- fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
---
-1.9.3
-
-
-From 0da8c0a71d08de50b614e5df69a61e00d0a9cd99 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 5 Sep 2013 20:57:02 +0200
-Subject: [PATCH 187/249] s3:libnet: use rpccli_{create,setup}_netlogon_creds()
- in libnet_join_joindomain_rpc_unsecure
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 3a89eee03a95d4b142bf0830f40debc75bfa2e26)
----
- source3/libnet/libnet_join.c | 66 ++++++++++++++++++++++++++++++++++----------
- 1 file changed, 51 insertions(+), 15 deletions(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 6e653c3..a87eb38 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -817,14 +817,17 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
- struct libnet_JoinCtx *r,
- struct cli_state *cli)
- {
-- struct rpc_pipe_client *pipe_hnd = NULL;
-- unsigned char orig_trust_passwd_hash[16];
-- unsigned char new_trust_passwd_hash[16];
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct rpc_pipe_client *netlogon_pipe = NULL;
-+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
-+ struct samr_Password current_nt_hash;
-+ const char *account_name = NULL;
- NTSTATUS status;
-
- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
-- &pipe_hnd);
-+ &netlogon_pipe);
- if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
- return status;
- }
-
-@@ -832,22 +835,55 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
- r->in.machine_password = generate_random_password(mem_ctx,
- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
-- NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
-+ if (r->in.machine_password == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
- }
-
-- E_md4hash(r->in.machine_password, new_trust_passwd_hash);
--
- /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
-- E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
-+ E_md4hash(r->in.admin_password, current_nt_hash.hash);
-
-- status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
-- r->in.machine_name,
-- orig_trust_passwd_hash,
-- r->in.machine_password,
-- new_trust_passwd_hash,
-- r->in.secure_channel_type);
-+ account_name = talloc_asprintf(frame, "%s$",
-+ r->in.machine_name);
-+ if (account_name == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-
-- return status;
-+ status = rpccli_create_netlogon_creds(netlogon_pipe->desthost,
-+ r->in.domain_name,
-+ account_name,
-+ r->in.secure_channel_type,
-+ r->in.msg_ctx,
-+ frame,
-+ &netlogon_creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+
-+ status = rpccli_setup_netlogon_creds(cli,
-+ netlogon_creds,
-+ true, /* force_reauth */
-+ current_nt_hash,
-+ NULL); /* previous_nt_hash */
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+
-+ status = netlogon_creds_cli_ServerPasswordSet(netlogon_creds,
-+ netlogon_pipe->binding_handle,
-+ r->in.machine_password,
-+ NULL); /* new_version */
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_OK;
- }
-
- /****************************************************************
---
-1.9.3
-
-
-From 9d192bc1d2dd06efada55792203aaed58b349ab9 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 11 Sep 2013 10:06:41 +0200
-Subject: [PATCH 188/249] s3:rpc_client: use
- rpccli_{create,setup}_netlogon_creds() in cli_rpc_pipe_open_schannel()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 94caf7e190563423914b653d0c2fc4a4abf1f899)
----
- source3/rpc_client/cli_pipe.h | 7 --
- source3/rpc_client/cli_pipe_schannel.c | 162 ++++++++++++++-------------------
- 2 files changed, 66 insertions(+), 103 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index c21c55d..2a76130 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -109,13 +109,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
- struct rpc_pipe_client *cli,
- DATA_BLOB *session_key);
-
--/* The following definitions come from rpc_client/cli_pipe_schannel.c */
--
--NTSTATUS get_schannel_session_key(struct cli_state *cli,
-- const char *domain,
-- uint32 *pneg_flags,
-- struct rpc_pipe_client **presult);
--
- #endif /* _CLI_PIPE_H */
-
- /* vim: set ts=8 sw=8 noet cindent ft=c.doxygen: */
-diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
-index 8f9161f..1fcf62e 100644
---- a/source3/rpc_client/cli_pipe_schannel.c
-+++ b/source3/rpc_client/cli_pipe_schannel.c
-@@ -23,67 +23,15 @@
- #include "../libcli/auth/schannel.h"
- #include "rpc_client/cli_netlogon.h"
- #include "rpc_client/cli_pipe.h"
--#include "librpc/gen_ndr/ndr_dcerpc.h"
- #include "librpc/rpc/dcerpc.h"
- #include "passdb.h"
- #include "libsmb/libsmb.h"
--#include "auth/gensec/gensec.h"
- #include "../libcli/smb/smbXcli_base.h"
-+#include "libcli/auth/netlogon_creds_cli.h"
-
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_RPC_CLI
-
--
--/****************************************************************************
-- Get a the schannel session key out of an already opened netlogon pipe.
-- ****************************************************************************/
--static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
-- struct cli_state *cli,
-- const char *domain,
-- uint32 *pneg_flags)
--{
-- enum netr_SchannelType sec_chan_type = 0;
-- unsigned char machine_pwd[16];
-- const char *machine_account;
-- NTSTATUS status;
--
-- /* Get the machine account credentials from secrets.tdb. */
-- if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
-- &sec_chan_type))
-- {
-- DEBUG(0, ("get_schannel_session_key: could not fetch "
-- "trust account password for domain '%s'\n",
-- domain));
-- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-- }
--
-- status = rpccli_netlogon_setup_creds(netlogon_pipe,
-- smbXcli_conn_remote_name(cli->conn), /* server name */
-- domain, /* domain */
-- lp_netbios_name(), /* client name */
-- machine_account, /* machine account name */
-- machine_pwd,
-- sec_chan_type,
-- pneg_flags);
--
-- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(3, ("get_schannel_session_key_common: "
-- "rpccli_netlogon_setup_creds failed with result %s "
-- "to server %s, domain %s, machine account %s.\n",
-- nt_errstr(status), smbXcli_conn_remote_name(cli->conn), domain,
-- machine_account ));
-- return status;
-- }
--
-- if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
-- DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
-- smbXcli_conn_remote_name(cli->conn)));
-- return NT_STATUS_INVALID_NETWORK_RESPONSE;
-- }
--
-- return NT_STATUS_OK;
--}
--
- /****************************************************************************
- Open a named pipe to an SMB server and bind using schannel (bind type 68).
- Fetch the session key ourselves using a temporary netlogon pipe.
-@@ -96,63 +44,85 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
- const char *domain,
- struct rpc_pipe_client **presult)
- {
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-- NETLOGON_NEG_SUPPORTS_AES;
-- struct rpc_pipe_client *netlogon_pipe = NULL;
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct messaging_context *msg_ctx = NULL;
-+ const char *dc_name = smbXcli_conn_remote_name(cli->conn);
- struct rpc_pipe_client *result = NULL;
- NTSTATUS status;
-+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
-+ struct netlogon_creds_CredentialState *creds = NULL;
-+ uint32_t netlogon_flags = 0;
-+ enum netr_SchannelType sec_chan_type = 0;
-+ const char *_account_name = NULL;
-+ const char *account_name = NULL;
-+ struct samr_Password current_nt_hash;
-+ struct samr_Password *previous_nt_hash = NULL;
-+ bool ok;
-+
-+ ok = get_trust_pw_hash(domain,
-+ current_nt_hash.hash,
-+ &_account_name,
-+ &sec_chan_type);
-+ if (!ok) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-+ }
-+
-+ account_name = talloc_asprintf(frame, "%s$", _account_name);
-+ if (account_name == NULL) {
-+ SAFE_FREE(previous_nt_hash);
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ status = rpccli_create_netlogon_creds(dc_name,
-+ domain,
-+ account_name,
-+ sec_chan_type,
-+ msg_ctx,
-+ frame,
-+ &netlogon_creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ SAFE_FREE(previous_nt_hash);
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-
-- status = get_schannel_session_key(cli, domain, &neg_flags,
-- &netlogon_pipe);
-+ status = rpccli_setup_netlogon_creds(cli,
-+ netlogon_creds,
-+ false, /* force_reauth */
-+ current_nt_hash,
-+ previous_nt_hash);
-+ SAFE_FREE(previous_nt_hash);
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
-- "key from server %s for domain %s.\n",
-- smbXcli_conn_remote_name(cli->conn), domain ));
-+ TALLOC_FREE(frame);
- return status;
- }
-
-+ status = netlogon_creds_cli_get(netlogon_creds,
-+ frame,
-+ &creds);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+ netlogon_flags = creds->negotiate_flags;
-+ TALLOC_FREE(creds);
-+
-+ if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_DOWNGRADE_DETECTED;
-+ }
-+
- status = cli_rpc_pipe_open_schannel_with_key(
- cli, table, transport, domain,
-- netlogon_pipe->netlogon_creds,
-+ netlogon_creds,
- &result);
-
-- /* Now we've bound using the session key we can close the netlog pipe. */
-- TALLOC_FREE(netlogon_pipe);
--
- if (NT_STATUS_IS_OK(status)) {
- *presult = result;
- }
-
-+ TALLOC_FREE(frame);
- return status;
- }
--
--/****************************************************************************
-- Open a netlogon pipe and get the schannel session key.
-- Now exposed to external callers.
-- ****************************************************************************/
--
--
--NTSTATUS get_schannel_session_key(struct cli_state *cli,
-- const char *domain,
-- uint32 *pneg_flags,
-- struct rpc_pipe_client **presult)
--{
-- struct rpc_pipe_client *netlogon_pipe = NULL;
-- NTSTATUS status;
--
-- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
-- &netlogon_pipe);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
-- status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
-- pneg_flags);
-- if (!NT_STATUS_IS_OK(status)) {
-- TALLOC_FREE(netlogon_pipe);
-- return status;
-- }
--
-- *presult = netlogon_pipe;
-- return NT_STATUS_OK;
--}
---
-1.9.3
-
-
-From 5fba6641f79a14c208c5947886c005a87b9f3256 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 18:24:44 +0200
-Subject: [PATCH 189/249] s3:rpcclient: add rpcclient_msg_ctx
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit a1c468e1d75d490f0e531feb08188ddc3f0d77b5)
----
- source3/rpcclient/rpcclient.c | 5 +++++
- source3/rpcclient/rpcclient.h | 2 ++
- 2 files changed, 7 insertions(+)
-
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index 0cbec20..39bf613 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -33,6 +33,7 @@
- #include "libsmb/libsmb.h"
- #include "auth/gensec/gensec.h"
- #include "../libcli/smb/smbXcli_base.h"
-+#include "messages.h"
-
- enum pipe_auth_type_spnego {
- PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
-@@ -48,6 +49,7 @@ static enum dcerpc_AuthLevel pipe_default_auth_level = DCERPC_AUTH_LEVEL_NONE;
- static unsigned int timeout = 0;
- static enum dcerpc_transport_t default_transport = NCACN_NP;
-
-+struct messaging_context *rpcclient_msg_ctx;
- struct user_auth_info *rpcclient_auth_info;
-
- /* List to hold groups of commands.
-@@ -985,6 +987,9 @@ out_free:
- /* We must load interfaces after we load the smb.conf */
- load_interfaces();
-
-+ rpcclient_msg_ctx = messaging_init(talloc_autofree_context(),
-+ samba_tevent_context_init(talloc_autofree_context()));
-+
- /*
- * Get password
- * from stdin if necessary
-diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
-index 762c54a..219da2a 100644
---- a/source3/rpcclient/rpcclient.h
-+++ b/source3/rpcclient/rpcclient.h
-@@ -41,4 +41,6 @@ struct cmd_set {
- const char *usage;
- };
-
-+extern struct messaging_context *rpcclient_msg_ctx;
-+
- #endif /* RPCCLIENT_H */
---
-1.9.3
-
-
-From c6e02d60ef12431cd1a5615fcf514548e86d6dc8 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 18:29:30 +0200
-Subject: [PATCH 190/249] s3:rpcclient: add rpcclient_netlogon_creds
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 1696b127c61fea76fce3d992632a822ed78de07c)
----
- source3/rpcclient/rpcclient.c | 3 +++
- source3/rpcclient/rpcclient.h | 1 +
- 2 files changed, 4 insertions(+)
-
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index 39bf613..a875ff5 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -51,6 +51,7 @@ static enum dcerpc_transport_t default_transport = NCACN_NP;
-
- struct messaging_context *rpcclient_msg_ctx;
- struct user_auth_info *rpcclient_auth_info;
-+struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
-
- /* List to hold groups of commands.
- *
-@@ -797,6 +798,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- }
- }
-
-+ rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
-+
- /* Run command */
-
- if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
-diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
-index 219da2a..9288249 100644
---- a/source3/rpcclient/rpcclient.h
-+++ b/source3/rpcclient/rpcclient.h
-@@ -42,5 +42,6 @@ struct cmd_set {
- };
-
- extern struct messaging_context *rpcclient_msg_ctx;
-+extern struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
-
- #endif /* RPCCLIENT_H */
---
-1.9.3
-
-
-From 849cb578d3aa38e7d6508353914d39501cd6b2c8 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 18:57:09 +0200
-Subject: [PATCH 191/249] s3:rpcclient: remove unused
- rpccli_netlogon_setup_creds() from cmd_netlogon_database_redo()
-
-rpccli_netlogon_setup_creds() is already called in the main do_cmd()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit fb13b002d599049f229d2014e1b94f82952b7150)
----
- source3/rpcclient/cmd_netlogon.c | 21 +--------------------
- 1 file changed, 1 insertion(+), 20 deletions(-)
-
-diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
-index 2e0b5e5..8a865a9 100644
---- a/source3/rpcclient/cmd_netlogon.c
-+++ b/source3/rpcclient/cmd_netlogon.c
-@@ -1141,12 +1141,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- NTSTATUS result;
- const char *server_name = cli->desthost;
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-- NETLOGON_NEG_SUPPORTS_AES;
- struct netr_Authenticator clnt_creds, srv_cred;
- struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
-- unsigned char trust_passwd_hash[16];
-- enum netr_SchannelType sec_channel_type = 0;
- struct netr_ChangeLogEntry e;
- uint32_t rid = 500;
- struct dcerpc_binding_handle *b = cli->binding_handle;
-@@ -1161,25 +1157,10 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
- sscanf(argv[1], "%d", &rid);
- }
-
-- if (!secrets_fetch_trust_account_password(lp_workgroup(),
-- trust_passwd_hash,
-- NULL, &sec_channel_type)) {
-+ if (cli->netlogon_creds == NULL) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
-- status = rpccli_netlogon_setup_creds(cli,
-- server_name, /* server name */
-- lp_workgroup(), /* domain */
-- lp_netbios_name(), /* client name */
-- lp_netbios_name(), /* machine account name */
-- trust_passwd_hash,
-- sec_channel_type,
-- &neg_flags);
--
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
- status = netlogon_creds_cli_lock(cli->netlogon_creds,
- mem_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
---
-1.9.3
-
-
-From df5ce2ceb4c41e2a952cd9f011626028f8d230ff Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 19:00:22 +0200
-Subject: [PATCH 192/249] s3:rpcclient: make use of rpcclient_netlogon_creds
- instead of cli->netlogon_creds
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 3bf77812e80b50f254af64e4935301719f78987e)
----
- source3/rpcclient/cmd_netlogon.c | 22 +++++++++++++++++-----
- 1 file changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
-index 8a865a9..59e1e4e 100644
---- a/source3/rpcclient/cmd_netlogon.c
-+++ b/source3/rpcclient/cmd_netlogon.c
-@@ -633,7 +633,11 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
- struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
- struct netlogon_creds_CredentialState *creds = NULL;
-
-- status = netlogon_creds_cli_lock(cli->netlogon_creds,
-+ if (rpcclient_netlogon_creds == NULL) {
-+ return NT_STATUS_UNSUCCESSFUL;
-+ }
-+
-+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
- mem_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
-@@ -712,7 +716,11 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
- struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
- struct netlogon_creds_CredentialState *creds = NULL;
-
-- status = netlogon_creds_cli_lock(cli->netlogon_creds,
-+ if (rpcclient_netlogon_creds == NULL) {
-+ return NT_STATUS_UNSUCCESSFUL;
-+ }
-+
-+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
- mem_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
-@@ -1157,11 +1165,11 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
- sscanf(argv[1], "%d", &rid);
- }
-
-- if (cli->netlogon_creds == NULL) {
-+ if (rpcclient_netlogon_creds == NULL) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
-- status = netlogon_creds_cli_lock(cli->netlogon_creds,
-+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
- mem_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
-@@ -1223,7 +1231,11 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
-
- ZERO_STRUCT(return_authenticator);
-
-- status = netlogon_creds_cli_lock(cli->netlogon_creds,
-+ if (rpcclient_netlogon_creds == NULL) {
-+ return NT_STATUS_UNSUCCESSFUL;
-+ }
-+
-+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
- mem_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
---
-1.9.3
-
-
-From 4e9d9abc0bae5ca08c3a91cc5d1b2bacffc6cbfc Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 19:59:11 +0200
-Subject: [PATCH 193/249] s3:net_rpc: add net_context->netlogon_creds
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit d1340c20b0900f54e2c73c4a363f45988b1ba097)
----
- source3/utils/net.h | 1 +
- source3/utils/net_rpc.c | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/source3/utils/net.h b/source3/utils/net.h
-index e97734a..ce19c57 100644
---- a/source3/utils/net.h
-+++ b/source3/utils/net.h
-@@ -90,6 +90,7 @@ struct net_context {
- bool smb_encrypt;
- struct libnetapi_ctx *netapi_ctx;
- struct messaging_context *msg_ctx;
-+ struct netlogon_creds_cli_context *netlogon_creds;
-
- bool display_usage;
- void *private_data;
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index 9de74c0..3bf3f30 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -201,6 +201,7 @@ int run_rpc_command(struct net_context *c,
- nt_errstr(nt_status) ));
- goto fail;
- }
-+ c->netlogon_creds = pipe_hnd->netlogon_creds;
- } else {
- if (conn_flags & NET_FLAGS_SEAL) {
- nt_status = cli_rpc_pipe_open_generic_auth(
---
-1.9.3
-
-
-From 7a4535c1e61de498230abd1f99bfe875ae59c2e0 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 15 Sep 2013 13:19:52 +0200
-Subject: [PATCH 194/249] s3:libsmb: add trust_pw_change()
-
-This protects the password change using a domain specific g_lock,
-so multiple parts 'net rpc', 'rpcclient', 'winbindd', 'wbinfo --change-secret'
-even on multiple cluster nodes doesn't race anymore.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 16c6e4992fa882207eeaff0a1c4d9fe217be48b7)
----
- source3/include/proto.h | 8 ++
- source3/libsmb/trusts_util.c | 179 +++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 187 insertions(+)
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 216a377..edda119 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -984,6 +984,14 @@ void update_trustdom_cache( void );
- NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
- const char *domain) ;
-+struct netlogon_creds_cli_context;
-+struct messaging_context;
-+struct dcerpc_binding_handle;
-+NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
-+ struct messaging_context *msg_ctx,
-+ struct dcerpc_binding_handle *b,
-+ const char *domain,
-+ bool force);
-
- /* The following definitions come from param/loadparm.c */
-
-diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
-index 52fb481..b1bc006 100644
---- a/source3/libsmb/trusts_util.c
-+++ b/source3/libsmb/trusts_util.c
-@@ -20,12 +20,15 @@
-
- #include "includes.h"
- #include "../libcli/auth/libcli_auth.h"
-+#include "../libcli/auth/netlogon_creds_cli.h"
- #include "rpc_client/cli_netlogon.h"
- #include "rpc_client/cli_pipe.h"
- #include "../librpc/gen_ndr/ndr_netlogon.h"
- #include "secrets.h"
- #include "passdb.h"
- #include "libsmb/libsmb.h"
-+#include "source3/include/messages.h"
-+#include "source3/include/g_lock.h"
-
- /*********************************************************
- Change the domain password on the PDC.
-@@ -113,3 +116,179 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
-
- return nt_status;
- }
-+
-+struct trust_pw_change_state {
-+ struct g_lock_ctx *g_ctx;
-+ char *g_lock_key;
-+};
-+
-+static int trust_pw_change_state_destructor(struct trust_pw_change_state *state)
-+{
-+ g_lock_unlock(state->g_ctx, state->g_lock_key);
-+ return 0;
-+}
-+
-+NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
-+ struct messaging_context *msg_ctx,
-+ struct dcerpc_binding_handle *b,
-+ const char *domain,
-+ bool force)
-+{
-+ TALLOC_CTX *frame = talloc_stackframe();
-+ struct trust_pw_change_state *state;
-+ struct samr_Password current_nt_hash;
-+ const struct samr_Password *previous_nt_hash = NULL;
-+ enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
-+ const char *account_name;
-+ char *new_trust_passwd;
-+ char *pwd;
-+ struct dom_sid sid;
-+ time_t pass_last_set_time;
-+ struct timeval g_timeout = { 0, };
-+ int timeout = 0;
-+ struct timeval tv = { 0, };
-+ NTSTATUS status;
-+
-+ state = talloc_zero(frame, struct trust_pw_change_state);
-+ if (state == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ state->g_ctx = g_lock_ctx_init(state, msg_ctx);
-+ if (state->g_ctx == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ state->g_lock_key = talloc_asprintf(state,
-+ "trust_password_change_%s",
-+ domain);
-+ if (state->g_lock_key == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ g_timeout = timeval_current_ofs(10, 0);
-+ status = g_lock_lock(state->g_ctx,
-+ state->g_lock_key,
-+ G_LOCK_WRITE, g_timeout);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ DEBUG(1, ("could not get g_lock on [%s]!\n",
-+ state->g_lock_key));
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+
-+ talloc_set_destructor(state, trust_pw_change_state_destructor);
-+
-+ if (!get_trust_pw_hash(domain, current_nt_hash.hash,
-+ &account_name,
-+ &sec_channel_type)) {
-+ DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
-+ }
-+
-+ switch (sec_channel_type) {
-+ case SEC_CHAN_WKSTA:
-+ pwd = secrets_fetch_machine_password(domain,
-+ &pass_last_set_time,
-+ NULL);
-+ if (pwd == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
-+ }
-+ break;
-+ case SEC_CHAN_DOMAIN:
-+ if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
-+ }
-+ break;
-+ default:
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NOT_SUPPORTED;
-+ }
-+
-+ timeout = lp_machine_password_timeout();
-+ if (timeout == 0) {
-+ if (!force) {
-+ DEBUG(10,("machine password never expires\n"));
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_OK;
-+ }
-+ }
-+
-+ tv.tv_sec = pass_last_set_time;
-+ DEBUG(10, ("password last changed %s\n",
-+ timeval_string(talloc_tos(), &tv, false)));
-+ tv.tv_sec += timeout;
-+ DEBUGADD(10, ("password valid until %s\n",
-+ timeval_string(talloc_tos(), &tv, false)));
-+
-+ if (!force && !timeval_expired(&tv)) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_OK;
-+ }
-+
-+ /* Create a random machine account password */
-+ new_trust_passwd = generate_random_password(frame,
-+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
-+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
-+ if (new_trust_passwd == NULL) {
-+ DEBUG(0, ("generate_random_password failed\n"));
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ status = netlogon_creds_cli_auth(context, b,
-+ current_nt_hash,
-+ previous_nt_hash);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+
-+ status = netlogon_creds_cli_ServerPasswordSet(context, b,
-+ new_trust_passwd, NULL);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+
-+ DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
-+ current_timestring(talloc_tos(), False)));
-+
-+ /*
-+ * Return the result of trying to write the new password
-+ * back into the trust account file.
-+ */
-+
-+ switch (sec_channel_type) {
-+
-+ case SEC_CHAN_WKSTA:
-+ if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
-+ }
-+ break;
-+
-+ case SEC_CHAN_DOMAIN:
-+ /*
-+ * we need to get the sid first for the
-+ * pdb_set_trusteddom_pw call
-+ */
-+ if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
-+ }
-+ break;
-+
-+ default:
-+ break;
-+ }
-+
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_OK;
-+}
---
-1.9.3
-
-
-From 09dae290b1d49a30eef5b93f5260dc44fb628437 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 18:33:51 +0200
-Subject: [PATCH 195/249] s3:rpcclient: make use of trust_pw_change()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit a9281e6570fcc5ff5abe3149615bed7029d1cf71)
----
- source3/rpcclient/cmd_netlogon.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
-index 59e1e4e..000d65c 100644
---- a/source3/rpcclient/cmd_netlogon.c
-+++ b/source3/rpcclient/cmd_netlogon.c
-@@ -829,11 +829,11 @@ static NTSTATUS cmd_netlogon_change_trust_pw(struct rpc_pipe_client *cli,
- return NT_STATUS_OK;
- }
-
-- /* Perform the sam logon */
--
-- result = trust_pw_find_change_and_store_it(cli, mem_ctx,
-- lp_workgroup());
--
-+ result = trust_pw_change(rpcclient_netlogon_creds,
-+ rpcclient_msg_ctx,
-+ cli->binding_handle,
-+ lp_workgroup(),
-+ true); /* force */
- if (!NT_STATUS_IS_OK(result))
- goto done;
-
---
-1.9.3
-
-
-From 3731b2163f6bb88922a9fa84e60fa48afbbbda9a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 18:34:48 +0200
-Subject: [PATCH 196/249] s3:net_rpc: make use of trust_pw_change()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit cfd139347c21f4f4ddd16026c2c8c221feabd6c5)
----
- source3/utils/net_rpc.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index 3bf3f30..ba49f3e 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -279,7 +279,11 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
- {
- NTSTATUS status;
-
-- status = trust_pw_find_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup);
-+ status = trust_pw_change(c->netlogon_creds,
-+ c->msg_ctx,
-+ pipe_hnd->binding_handle,
-+ c->opt_target_workgroup,
-+ true); /* force */
- if (!NT_STATUS_IS_OK(status)) {
- d_fprintf(stderr, _("Failed to change machine account password: %s\n"),
- nt_errstr(status));
---
-1.9.3
-
-
-From cd8fdfc923adcc5b6c700ec52d1bba4643079247 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 18:35:39 +0200
-Subject: [PATCH 197/249] s3:winbindd: use invalidate_cm_connection() to kill
- the netlogon connection
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit dbd49d90bbf175525557eaa983ad57ca5076d710)
----
- source3/winbindd/winbindd_dual.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
-index 64af571..b26cdca 100644
---- a/source3/winbindd/winbindd_dual.c
-+++ b/source3/winbindd/winbindd_dual.c
-@@ -1056,7 +1056,7 @@ static void machine_password_change_handler(struct tevent_context *ctx,
- "password was changed and we didn't know it. "
- "Killing connections to domain %s\n",
- child->domain->name));
-- TALLOC_FREE(child->domain->conn.netlogon_pipe);
-+ invalidate_cm_connection(&child->domain->conn);
- }
-
- if (!calculate_next_machine_pwd_change(child->domain->name,
---
-1.9.3
-
-
-From 6369757af75412746c0d9950971a77be72826b92 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 18:36:43 +0200
-Subject: [PATCH 198/249] s3:winbindd: make use of trust_pw_change() for
- periodic password changes
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 57741dd4ba5a9ed3abf7aad35a2a69fd66b49b4b)
----
- source3/winbindd/winbindd_dual.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
-index b26cdca..1d6a5ba 100644
---- a/source3/winbindd/winbindd_dual.c
-+++ b/source3/winbindd/winbindd_dual.c
-@@ -29,6 +29,7 @@
-
- #include "includes.h"
- #include "winbindd.h"
-+#include "rpc_client/rpc_client.h"
- #include "nsswitch/wb_reqtrans.h"
- #include "secrets.h"
- #include "../lib/util/select.h"
-@@ -999,10 +1000,10 @@ static void machine_password_change_handler(struct tevent_context *ctx,
- struct timeval now,
- void *private_data)
- {
-+ struct messaging_context *msg_ctx = winbind_messaging_context();
- struct winbindd_child *child =
- (struct winbindd_child *)private_data;
- struct rpc_pipe_client *netlogon_pipe = NULL;
-- TALLOC_CTX *frame;
- NTSTATUS result;
- struct timeval next_change;
-
-@@ -1039,15 +1040,14 @@ static void machine_password_change_handler(struct tevent_context *ctx,
- return;
- }
-
-- frame = talloc_stackframe();
--
-- result = trust_pw_find_change_and_store_it(netlogon_pipe,
-- frame,
-- child->domain->name);
-- TALLOC_FREE(frame);
-+ result = trust_pw_change(child->domain->conn.netlogon_creds,
-+ msg_ctx,
-+ netlogon_pipe->binding_handle,
-+ child->domain->name,
-+ false); /* force */
-
- DEBUG(10, ("machine_password_change_handler: "
-- "trust_pw_find_change_and_store_it returned %s\n",
-+ "trust_pw_change returned %s\n",
- nt_errstr(result)));
-
- if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
---
-1.9.3
-
-
-From 5fe11c760d853dff63ad9b3505f3d3721b7e14f6 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 18:37:34 +0200
-Subject: [PATCH 199/249] s3:winbindd: make use of trust_pw_change() in
- _wbint_ChangeMachineAccount()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 3c30e19c4a0e60e355b2f1d35edbb0a3b7688089)
----
- source3/winbindd/winbindd_dual_srv.c | 35 +++++++----------------------------
- 1 file changed, 7 insertions(+), 28 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
-index 001591a..f064467 100644
---- a/source3/winbindd/winbindd_dual_srv.c
-+++ b/source3/winbindd/winbindd_dual_srv.c
-@@ -622,48 +622,27 @@ again:
- NTSTATUS _wbint_ChangeMachineAccount(struct pipes_struct *p,
- struct wbint_ChangeMachineAccount *r)
- {
-+ struct messaging_context *msg_ctx = winbind_messaging_context();
- struct winbindd_domain *domain;
-- int num_retries = 0;
- NTSTATUS status;
- struct rpc_pipe_client *netlogon_pipe;
-- TALLOC_CTX *tmp_ctx;
-
--again:
- domain = wb_child_domain();
- if (domain == NULL) {
- return NT_STATUS_REQUEST_NOT_ACCEPTED;
- }
-
-- invalidate_cm_connection(&domain->conn);
--
-- {
-- status = cm_connect_netlogon(domain, &netlogon_pipe);
-- }
--
-- /* There is a race condition between fetching the trust account
-- password and the periodic machine password change. So it's
-- possible that the trust account password has been changed on us.
-- We are returned NT_STATUS_ACCESS_DENIED if this happens. */
--
--#define MAX_RETRIES 3
--
-- if ((num_retries < MAX_RETRIES)
-- && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
-- num_retries++;
-- goto again;
-- }
--
-+ status = cm_connect_netlogon(domain, &netlogon_pipe);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
- goto done;
- }
-
-- tmp_ctx = talloc_new(p->mem_ctx);
--
-- status = trust_pw_find_change_and_store_it(netlogon_pipe,
-- tmp_ctx,
-- domain->name);
-- talloc_destroy(tmp_ctx);
-+ status = trust_pw_change(domain->conn.netlogon_creds,
-+ msg_ctx,
-+ netlogon_pipe->binding_handle,
-+ domain->name,
-+ true); /* force */
-
- /* Pass back result code - zero for success, other values for
- specific failures. */
---
-1.9.3
-
-
-From 9956ea8b561da89fb79739dd8a8552116c7867f7 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 18:39:52 +0200
-Subject: [PATCH 200/249] s3:libsmb: remove unused
- trust_pw_find_change_and_store_it()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit a8ecebe3e840005c81df043cb07773972aaa2371)
----
- source3/include/proto.h | 3 --
- source3/libsmb/trusts_util.c | 81 --------------------------------------------
- 2 files changed, 84 deletions(-)
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index edda119..18348e5 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -981,9 +981,6 @@ void update_trustdom_cache( void );
-
- /* The following definitions come from libsmb/trusts_util.c */
-
--NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
-- TALLOC_CTX *mem_ctx,
-- const char *domain) ;
- struct netlogon_creds_cli_context;
- struct messaging_context;
- struct dcerpc_binding_handle;
-diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
-index b1bc006..b38aec6 100644
---- a/source3/libsmb/trusts_util.c
-+++ b/source3/libsmb/trusts_util.c
-@@ -36,87 +36,6 @@
- already setup the connection to the NETLOGON pipe
- **********************************************************/
-
--NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
-- TALLOC_CTX *mem_ctx,
-- const char *domain)
--{
-- unsigned char old_trust_passwd_hash[16];
-- unsigned char new_trust_passwd_hash[16];
-- enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
-- const char *account_name;
-- char *new_trust_passwd;
-- NTSTATUS nt_status;
--
-- if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
-- &sec_channel_type)) {
-- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
-- return NT_STATUS_UNSUCCESSFUL;
-- }
--
-- switch (sec_channel_type) {
-- case SEC_CHAN_WKSTA:
-- case SEC_CHAN_DOMAIN:
-- break;
-- default:
-- return NT_STATUS_NOT_SUPPORTED;
-- }
--
-- /* Create a random machine account password */
-- new_trust_passwd = generate_random_password(mem_ctx,
-- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
-- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
-- if (new_trust_passwd == NULL) {
-- DEBUG(0, ("generate_random_password failed\n"));
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- E_md4hash(new_trust_passwd, new_trust_passwd_hash);
--
-- nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
-- account_name,
-- old_trust_passwd_hash,
-- new_trust_passwd,
-- new_trust_passwd_hash,
-- sec_channel_type);
--
-- if (NT_STATUS_IS_OK(nt_status)) {
-- DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
-- current_timestring(talloc_tos(), False)));
-- /*
-- * Return the result of trying to write the new password
-- * back into the trust account file.
-- */
--
-- switch (sec_channel_type) {
--
-- case SEC_CHAN_WKSTA:
-- if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
-- nt_status = NT_STATUS_UNSUCCESSFUL;
-- }
-- break;
--
-- case SEC_CHAN_DOMAIN: {
-- char *pwd;
-- struct dom_sid sid;
-- time_t pass_last_set_time;
--
-- /* we need to get the sid first for the
-- * pdb_set_trusteddom_pw call */
--
-- if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
-- nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
-- }
-- if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
-- nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
-- }
-- break;
-- }
-- }
-- }
--
-- return nt_status;
--}
--
- struct trust_pw_change_state {
- struct g_lock_ctx *g_ctx;
- char *g_lock_key;
---
-1.9.3
-
-
-From f71cb73d7f034165802aad97e9be6f45ba32d519 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 19:19:39 +0200
-Subject: [PATCH 201/249] s3:libnet: pass in struct netlogon_creds_cli_context
- from the caller.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 77defb175e3ffd1b096485ac7de38ad161594b72)
----
- source3/libnet/libnet_samsync.c | 2 +-
- source3/libnet/libnet_samsync.h | 1 +
- source3/utils/net_rpc_samsync.c | 1 +
- 3 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
-index 02d3fc6..e7e1393 100644
---- a/source3/libnet/libnet_samsync.c
-+++ b/source3/libnet/libnet_samsync.c
-@@ -216,7 +216,7 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
- struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
- struct netlogon_creds_CredentialState *creds = NULL;
-
-- status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
-+ status = netlogon_creds_cli_lock(ctx->netlogon_creds,
- mem_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
-diff --git a/source3/libnet/libnet_samsync.h b/source3/libnet/libnet_samsync.h
-index efdbb37..e1d66ec 100644
---- a/source3/libnet/libnet_samsync.h
-+++ b/source3/libnet/libnet_samsync.h
-@@ -75,6 +75,7 @@ struct samsync_context {
- struct samsync_object *objects;
-
- struct rpc_pipe_client *cli;
-+ struct netlogon_creds_cli_context *netlogon_creds;
- struct messaging_context *msg_ctx;
-
- const struct samsync_ops *ops;
-diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
-index 772651f..6377ad4 100644
---- a/source3/utils/net_rpc_samsync.c
-+++ b/source3/utils/net_rpc_samsync.c
-@@ -129,6 +129,7 @@ NTSTATUS rpc_samdump_internals(struct net_context *c,
-
- ctx->mode = NET_SAMSYNC_MODE_DUMP;
- ctx->cli = pipe_hnd;
-+ ctx->netlogon_creds = c->netlogon_creds;
- ctx->ops = &libnet_samsync_display_ops;
- ctx->domain_name = domain_name;
-
---
-1.9.3
-
-
-From acb678ce415403e1442116b32eb8b8b32b677f4a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 20:51:25 +0200
-Subject: [PATCH 202/249] s3:rpcclient: make use of
- rpccli_{create,setup}_netlogon_creds()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 5107ca02a41673739a1fc4a1c2a0fbe8465f211a)
----
- source3/rpcclient/rpcclient.c | 59 ++++++++++++++++++++++++++++++-------------
- 1 file changed, 41 insertions(+), 18 deletions(-)
-
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index a875ff5..490f8df 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -676,6 +676,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- {
- NTSTATUS ntresult;
- WERROR wresult;
-+ bool ok;
-
- TALLOC_CTX *mem_ctx;
-
-@@ -759,17 +760,20 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- return ntresult;
- }
-
-- if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
-- &ndr_table_netlogon.syntax_id)) {
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-- NETLOGON_NEG_SUPPORTS_AES;
-- enum netr_SchannelType sec_channel_type;
-- uchar trust_password[16];
-- const char *machine_account;
-+ ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
-+ &ndr_table_netlogon.syntax_id);
-+ if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
-+ const char *dc_name = cmd_entry->rpc_pipe->desthost;
-+ const char *domain = get_cmdline_auth_info_domain(auth_info);
-+ enum netr_SchannelType sec_chan_type = 0;
-+ const char *_account_name = NULL;
-+ const char *account_name = NULL;
-+ struct samr_Password current_nt_hash;
-+ struct samr_Password *previous_nt_hash = NULL;
-
- if (!get_trust_pw_hash(get_cmdline_auth_info_domain(auth_info),
-- trust_password, &machine_account,
-- &sec_channel_type))
-+ current_nt_hash.hash, &_account_name,
-+ &sec_chan_type))
- {
- DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
- get_cmdline_auth_info_domain(auth_info),
-@@ -779,22 +783,41 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
-- ntresult = rpccli_netlogon_setup_creds(cmd_entry->rpc_pipe,
-- cmd_entry->rpc_pipe->desthost, /* server name */
-- get_cmdline_auth_info_domain(auth_info), /* domain */
-- lp_netbios_name(), /* client name */
-- machine_account, /* machine account name */
-- trust_password,
-- sec_channel_type,
-- &neg_flags);
-+ account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
-+ if (account_name == NULL) {
-+ SAFE_FREE(previous_nt_hash);
-+ TALLOC_FREE(mem_ctx);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ ntresult = rpccli_create_netlogon_creds(dc_name,
-+ domain,
-+ account_name,
-+ sec_chan_type,
-+ rpcclient_msg_ctx,
-+ talloc_autofree_context(),
-+ &rpcclient_netlogon_creds);
-+ if (!NT_STATUS_IS_OK(ntresult)) {
-+ SAFE_FREE(previous_nt_hash);
-+ TALLOC_FREE(mem_ctx);
-+ return ntresult;
-+ }
-
-+ ntresult = rpccli_setup_netlogon_creds(cli,
-+ rpcclient_netlogon_creds,
-+ false, /* force_reauth */
-+ current_nt_hash,
-+ previous_nt_hash);
-+ SAFE_FREE(previous_nt_hash);
- if (!NT_STATUS_IS_OK(ntresult)) {
- DEBUG(0, ("Could not initialise credentials for %s.\n",
- cmd_entry->table->name));
- TALLOC_FREE(cmd_entry->rpc_pipe);
-- talloc_free(mem_ctx);
-+ TALLOC_FREE(rpcclient_netlogon_creds);
-+ TALLOC_FREE(mem_ctx);
- return ntresult;
- }
-+ cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
- }
- }
-
---
-1.9.3
-
-
-From b04744971aa9cc696aa4a3c56dd46d58db8dda75 Mon Sep 17 00:00:00 2001
-From: Garming Sam <garming@catalyst.net.nz>
-Date: Fri, 29 Nov 2013 14:45:20 +1300
-Subject: [PATCH 203/249] s3:rpcclient: give errors and clean up correctly
- after failing to obtain secret
-
-Signed-off-by: Garming Sam <garming@catalyst.net.nz>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit a012e2fdd6733e871ddeb68874a2df8413ad91ed)
----
- source3/rpcclient/rpcclient.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index 490f8df..fd3ebdf 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -785,6 +785,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
-
- account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
- if (account_name == NULL) {
-+ DEBUG(0, ("Out of memory creating account name to connect to %s.\n",
-+ cmd_entry->table->name));
-+ TALLOC_FREE(cmd_entry->rpc_pipe);
- SAFE_FREE(previous_nt_hash);
- TALLOC_FREE(mem_ctx);
- return NT_STATUS_NO_MEMORY;
-@@ -798,6 +801,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- talloc_autofree_context(),
- &rpcclient_netlogon_creds);
- if (!NT_STATUS_IS_OK(ntresult)) {
-+ DEBUG(0, ("Could not initialise credentials for %s.\n",
-+ cmd_entry->table->name));
-+ TALLOC_FREE(cmd_entry->rpc_pipe);
- SAFE_FREE(previous_nt_hash);
- TALLOC_FREE(mem_ctx);
- return ntresult;
---
-1.9.3
-
-
-From 564e6df9361025ff7da6fa92d83491cfd9e60b2b Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 17 Sep 2013 00:46:09 +0200
-Subject: [PATCH 204/249] s3:rpcclient: remove optional auth_level parameter of
- the 'samlogon' cmd
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 4c99e49898151a514e334a07f38eed83fe608c05)
----
- source3/rpcclient/cmd_netlogon.c | 11 ++++-------
- 1 file changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
-index 000d65c..97b79cb 100644
---- a/source3/rpcclient/cmd_netlogon.c
-+++ b/source3/rpcclient/cmd_netlogon.c
-@@ -782,9 +782,9 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
-
- /* Check arguments */
-
-- if (argc < 3 || argc > 7) {
-+ if (argc < 3 || argc > 6) {
- fprintf(stderr, "Usage: samlogon <username> <password> [workstation]"
-- "[logon_type (1 or 2)] [auth level (2 or 3)] [logon_parameter]\n");
-+ "[logon_type (1 or 2)] [logon_parameter]\n");
- return NT_STATUS_OK;
- }
-
-@@ -797,11 +797,8 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
- if (argc >= 5)
- sscanf(argv[4], "%i", &logon_type);
-
-- if (argc >= 6)
-- validation_level = atoi(argv[5]);
--
-- if (argc == 7)
-- sscanf(argv[6], "%x", &logon_param);
-+ if (argc == 6)
-+ sscanf(argv[5], "%x", &logon_param);
-
- /* Perform the sam logon */
-
---
-1.9.3
-
-
-From a61d399c13c9f46e283f85f3d076b0607c2729f3 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 17 Sep 2013 00:48:31 +0200
-Subject: [PATCH 205/249] s3:rpcclient: make use of
- rpccli_netlogon_password_logon() in the 'samlogon' cmd
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit c6bb47f2f199cc13101dccf656ac36e9eb879201)
----
- source3/rpcclient/cmd_netlogon.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
-index 97b79cb..b637b3e 100644
---- a/source3/rpcclient/cmd_netlogon.c
-+++ b/source3/rpcclient/cmd_netlogon.c
-@@ -776,7 +776,6 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- int logon_type = NetlogonNetworkInformation;
- const char *username, *password;
-- uint16_t validation_level = 3;
- uint32 logon_param = 0;
- const char *workstation = NULL;
-
-@@ -802,8 +801,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
-
- /* Perform the sam logon */
-
-- result = rpccli_netlogon_sam_logon(cli, mem_ctx, logon_param, lp_workgroup(), username, password, workstation, validation_level, logon_type);
--
-+ result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
-+ cli->binding_handle,
-+ logon_param,
-+ lp_workgroup(),
-+ username,
-+ password,
-+ workstation,
-+ logon_type);
- if (!NT_STATUS_IS_OK(result))
- goto done;
-
---
-1.9.3
-
-
-From fbe0154a63d401acd47c5190be37b8d69d3d64ba Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 17 Sep 2013 00:56:15 +0200
-Subject: [PATCH 206/249] s3:winbindd: make use of
- rpccli_netlogon_network_logon()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit a34c837fdb59df1e66be9b5f23a07990e34fea1c)
----
- source3/winbindd/winbindd_pam.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index 39483a5..3f3ec70 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -1228,6 +1228,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
-
- do {
- struct rpc_pipe_client *netlogon_pipe;
-+ uint8_t authoritative = 0;
-+ uint32_t flags = 0;
-
- ZERO_STRUCTP(info3);
- retry = false;
-@@ -1276,19 +1278,19 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
- }
- netr_attempts = 0;
-
-- result = rpccli_netlogon_sam_network_logon(
-- netlogon_pipe,
-- mem_ctx,
-- logon_parameters,
-- server, /* server name */
-- username, /* user name */
-- domainname, /* target domain */
-- workstation, /* workstation */
-- chal,
-- -1, /* ignored */
-- lm_response,
-- nt_response,
-- info3);
-+ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
-+ netlogon_pipe->binding_handle,
-+ mem_ctx,
-+ logon_parameters,
-+ username,
-+ domainname,
-+ workstation,
-+ chal,
-+ lm_response,
-+ nt_response,
-+ &authoritative,
-+ &flags,
-+ info3);
-
- /*
- * we increment this after the "feature negotiation"
---
-1.9.3
-
-
-From cfcb681d6f80253b6f2db769f5c5be1ffb54cc0e Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 20:53:51 +0200
-Subject: [PATCH 207/249] s3:rpc_client: make cli_rpc_pipe_open_schannel() more
- flexible
-
-It expects a messaging_context now
-and returns a netlogon_creds_cli_context.
-
-This way we can finally avoid having a rpc_pipe_client->netlogon_creds.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 660150b12a637da7f9ebb820e687f27ac22fb93a)
----
- source3/rpc_client/cli_pipe.h | 5 ++++-
- source3/rpc_client/cli_pipe_schannel.c | 9 +++++++--
- source3/rpcclient/rpcclient.c | 13 +++++++------
- source3/utils/net_rpc.c | 6 +++---
- 4 files changed, 21 insertions(+), 12 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
-index 2a76130..b704d8a 100644
---- a/source3/rpc_client/cli_pipe.h
-+++ b/source3/rpc_client/cli_pipe.h
-@@ -99,11 +99,14 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- struct rpc_pipe_client **presult);
-
- NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
-+ struct messaging_context *msg_ctx,
- const struct ndr_interface_table *table,
- enum dcerpc_transport_t transport,
- enum dcerpc_AuthLevel auth_level,
- const char *domain,
-- struct rpc_pipe_client **presult);
-+ struct rpc_pipe_client **presult,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_cli_context **pcreds);
-
- NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
- struct rpc_pipe_client *cli,
-diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
-index 1fcf62e..a842333 100644
---- a/source3/rpc_client/cli_pipe_schannel.c
-+++ b/source3/rpc_client/cli_pipe_schannel.c
-@@ -38,14 +38,16 @@
- ****************************************************************************/
-
- NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
-+ struct messaging_context *msg_ctx,
- const struct ndr_interface_table *table,
- enum dcerpc_transport_t transport,
- enum dcerpc_AuthLevel auth_level,
- const char *domain,
-- struct rpc_pipe_client **presult)
-+ struct rpc_pipe_client **presult,
-+ TALLOC_CTX *mem_ctx,
-+ struct netlogon_creds_cli_context **pcreds)
- {
- TALLOC_CTX *frame = talloc_stackframe();
-- struct messaging_context *msg_ctx = NULL;
- const char *dc_name = smbXcli_conn_remote_name(cli->conn);
- struct rpc_pipe_client *result = NULL;
- NTSTATUS status;
-@@ -121,6 +123,9 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
-
- if (NT_STATUS_IS_OK(status)) {
- *presult = result;
-+ if (pcreds != NULL) {
-+ *pcreds = talloc_move(mem_ctx, &netlogon_creds);
-+ }
- }
-
- TALLOC_FREE(frame);
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index fd3ebdf..43343e8 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -737,12 +737,16 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- &cmd_entry->rpc_pipe);
- break;
- case DCERPC_AUTH_TYPE_SCHANNEL:
-+ TALLOC_FREE(rpcclient_netlogon_creds);
- ntresult = cli_rpc_pipe_open_schannel(
-- cli, cmd_entry->table,
-+ cli, rpcclient_msg_ctx,
-+ cmd_entry->table,
- default_transport,
- pipe_default_auth_level,
- get_cmdline_auth_info_domain(auth_info),
-- &cmd_entry->rpc_pipe);
-+ &cmd_entry->rpc_pipe,
-+ talloc_autofree_context(),
-+ &rpcclient_netlogon_creds);
- break;
- default:
- DEBUG(0, ("Could not initialise %s. Invalid "
-@@ -762,7 +766,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
-
- ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
- &ndr_table_netlogon.syntax_id);
-- if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
-+ if (rpcclient_netlogon_creds == NULL && ok) {
- const char *dc_name = cmd_entry->rpc_pipe->desthost;
- const char *domain = get_cmdline_auth_info_domain(auth_info);
- enum netr_SchannelType sec_chan_type = 0;
-@@ -823,12 +827,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
- TALLOC_FREE(mem_ctx);
- return ntresult;
- }
-- cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
- }
- }
-
-- rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
--
- /* Run command */
-
- if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index ba49f3e..d0f699a 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -192,16 +192,16 @@ int run_rpc_command(struct net_context *c,
- && (ndr_syntax_id_equal(&table->syntax_id,
- &ndr_table_netlogon.syntax_id))) {
- /* Always try and create an schannel netlogon pipe. */
-+ TALLOC_FREE(c->netlogon_creds);
- nt_status = cli_rpc_pipe_open_schannel(
-- cli, table, NCACN_NP,
-+ cli, c->msg_ctx, table, NCACN_NP,
- DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
-- &pipe_hnd);
-+ &pipe_hnd, c, &c->netlogon_creds);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("Could not initialise schannel netlogon pipe. Error was %s\n",
- nt_errstr(nt_status) ));
- goto fail;
- }
-- c->netlogon_creds = pipe_hnd->netlogon_creds;
- } else {
- if (conn_flags & NET_FLAGS_SEAL) {
- nt_status = cli_rpc_pipe_open_generic_auth(
---
-1.9.3
-
-
-From 603b40eeee3cf21de94f11471889d0443713ba4f Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 6 Sep 2013 13:54:30 +0200
-Subject: [PATCH 208/249] s3:rpc_client: remove unused
- rpccli_netlogon_set_trust_password()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 6d457ad9c156cf86d99e58dea21dba170defad1b)
----
- source3/rpc_client/cli_netlogon.c | 51 ---------------------------------------
- source3/rpc_client/cli_netlogon.h | 7 ------
- 2 files changed, 58 deletions(-)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index a9f8604..2f23d1b 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -759,54 +759,3 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
-
- return NT_STATUS_OK;
- }
--
--/*********************************************************
-- Change the domain password on the PDC.
--
-- Just changes the password betwen the two values specified.
--
-- Caller must have the cli connected to the netlogon pipe
-- already.
--**********************************************************/
--
--NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
-- TALLOC_CTX *mem_ctx,
-- const char *account_name,
-- const unsigned char orig_trust_passwd_hash[16],
-- const char *new_trust_pwd_cleartext,
-- const unsigned char new_trust_passwd_hash[16],
-- enum netr_SchannelType sec_channel_type)
--{
-- NTSTATUS result;
--
-- if (cli->netlogon_creds == NULL) {
-- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-- NETLOGON_NEG_SUPPORTS_AES;
-- result = rpccli_netlogon_setup_creds(cli,
-- cli->desthost, /* server name */
-- lp_workgroup(), /* domain */
-- lp_netbios_name(), /* client name */
-- account_name, /* machine account name */
-- orig_trust_passwd_hash,
-- sec_channel_type,
-- &neg_flags);
-- if (!NT_STATUS_IS_OK(result)) {
-- DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n",
-- nt_errstr(result)));
-- return result;
-- }
-- }
--
-- result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
-- cli->binding_handle,
-- new_trust_pwd_cleartext,
-- NULL); /* new_version */
-- if (!NT_STATUS_IS_OK(result)) {
-- DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
-- nt_errstr(result)));
-- return result;
-- }
--
-- return NT_STATUS_OK;
--}
--
-diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
-index d4c6670..8547db6 100644
---- a/source3/rpc_client/cli_netlogon.h
-+++ b/source3/rpc_client/cli_netlogon.h
-@@ -93,12 +93,5 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
- uint8_t *authoritative,
- uint32_t *flags,
- struct netr_SamInfo3 **info3);
--NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
-- TALLOC_CTX *mem_ctx,
-- const char *account_name,
-- const unsigned char orig_trust_passwd_hash[16],
-- const char *new_trust_pwd_cleartext,
-- const unsigned char new_trust_passwd_hash[16],
-- enum netr_SchannelType sec_channel_type);
-
- #endif /* _RPC_CLIENT_CLI_NETLOGON_H_ */
---
-1.9.3
-
-
-From c9dc23d434bc7015f400b1969a055b95faac6594 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 6 Sep 2013 13:06:53 +0200
-Subject: [PATCH 209/249] s3:rpc_client: remove unused
- rpccli_netlogon_setup_creds()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit a4faf57b47095bfc0f4370ac093c8c4cef17584f)
----
- source3/rpc_client/cli_netlogon.c | 92 ---------------------------------------
- source3/rpc_client/cli_netlogon.h | 8 ----
- 2 files changed, 100 deletions(-)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index 2f23d1b..687d0c2 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -35,98 +35,6 @@
- #include "lib/param/param.h"
- #include "libcli/smb/smbXcli_base.h"
-
--/****************************************************************************
-- Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
-- credentials chain. Stores the credentials in the struct dcinfo in the
-- netlogon pipe struct.
--****************************************************************************/
--
--NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
-- const char *server_name,
-- const char *domain,
-- const char *clnt_name,
-- const char *machine_account,
-- const unsigned char machine_pwd[16],
-- enum netr_SchannelType sec_chan_type,
-- uint32_t *neg_flags_inout)
--{
-- TALLOC_CTX *frame = talloc_stackframe();
-- struct loadparm_context *lp_ctx;
-- NTSTATUS status;
-- struct samr_Password password;
-- fstring mach_acct;
-- struct dcerpc_binding_handle *b = cli->binding_handle;
-- struct netlogon_creds_CredentialState *creds = NULL;
--
-- if (!ndr_syntax_id_equal(&cli->abstract_syntax,
-- &ndr_table_netlogon.syntax_id)) {
-- TALLOC_FREE(frame);
-- return NT_STATUS_INVALID_PARAMETER;
-- }
--
-- if (!strequal(lp_netbios_name(), clnt_name)) {
-- TALLOC_FREE(frame);
-- return NT_STATUS_INVALID_PARAMETER;
-- }
--
-- TALLOC_FREE(cli->netlogon_creds);
--
-- fstr_sprintf( mach_acct, "%s$", machine_account);
--
-- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
-- if (lp_ctx == NULL) {
-- TALLOC_FREE(frame);
-- return NT_STATUS_NO_MEMORY;
-- }
-- status = netlogon_creds_cli_context_global(lp_ctx,
-- NULL, /* msg_ctx */
-- mach_acct,
-- sec_chan_type,
-- server_name,
-- domain,
-- cli, &cli->netlogon_creds);
-- talloc_unlink(frame, lp_ctx);
-- if (!NT_STATUS_IS_OK(status)) {
-- TALLOC_FREE(frame);
-- return status;
-- }
--
-- status = netlogon_creds_cli_get(cli->netlogon_creds,
-- frame, &creds);
-- if (NT_STATUS_IS_OK(status)) {
-- DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
-- "cached credential\n",
-- cli->desthost));
-- *neg_flags_inout = creds->negotiate_flags;
-- TALLOC_FREE(frame);
-- return NT_STATUS_OK;
-- }
--
-- /* Store the machine account password we're going to use. */
-- memcpy(password.hash, machine_pwd, 16);
--
-- DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
-- "chain established.\n",
-- cli->desthost ));
--
-- status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
-- password, NULL);
-- if (!NT_STATUS_IS_OK(status)) {
-- TALLOC_FREE(frame);
-- return status;
-- }
--
-- status = netlogon_creds_cli_get(cli->netlogon_creds,
-- frame, &creds);
-- if (!NT_STATUS_IS_OK(status)) {
-- TALLOC_FREE(frame);
-- return NT_STATUS_INTERNAL_ERROR;
-- }
--
-- *neg_flags_inout = creds->negotiate_flags;
-- TALLOC_FREE(frame);
-- return NT_STATUS_OK;
--}
-
- NTSTATUS rpccli_pre_open_netlogon_creds(void)
- {
-diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
-index 8547db6..0de836a 100644
---- a/source3/rpc_client/cli_netlogon.h
-+++ b/source3/rpc_client/cli_netlogon.h
-@@ -30,14 +30,6 @@ struct dcerpc_binding_handle;
-
- /* The following definitions come from rpc_client/cli_netlogon.c */
-
--NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
-- const char *server_name,
-- const char *domain,
-- const char *clnt_name,
-- const char *machine_account,
-- const unsigned char machine_pwd[16],
-- enum netr_SchannelType sec_chan_type,
-- uint32_t *neg_flags_inout);
- NTSTATUS rpccli_pre_open_netlogon_creds(void);
- NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
- const char *server_netbios_domain,
---
-1.9.3
-
-
-From 2a072da1cc18acc7eb6d82769dc96b7e94ec57fe Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 19:23:18 +0200
-Subject: [PATCH 210/249] s3:rpc_client: remove unused
- rpccli_netlogon_sam_logon()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit e4fea80693b49e79a96acdac09d5ea292756635c)
----
- source3/rpc_client/cli_netlogon.c | 124 --------------------------------------
- source3/rpc_client/cli_netlogon.h | 9 ---
- 2 files changed, 133 deletions(-)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index 687d0c2..171337a 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -160,130 +160,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
-
- /* Logon domain user */
-
--NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
-- TALLOC_CTX *mem_ctx,
-- uint32 logon_parameters,
-- const char *domain,
-- const char *username,
-- const char *password,
-- const char *workstation,
-- uint16_t _ignored_validation_level,
-- int logon_type)
--{
-- NTSTATUS status;
-- union netr_LogonLevel *logon;
-- uint16_t validation_level = 0;
-- union netr_Validation *validation = NULL;
-- uint8_t authoritative = 0;
-- uint32_t flags = 0;
-- fstring clnt_name_slash;
--
-- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
-- if (!logon) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- if (workstation) {
-- fstr_sprintf( clnt_name_slash, "\\\\%s", workstation );
-- } else {
-- fstr_sprintf( clnt_name_slash, "\\\\%s", lp_netbios_name() );
-- }
--
-- /* Initialise input parameters */
--
-- switch (logon_type) {
-- case NetlogonInteractiveInformation: {
--
-- struct netr_PasswordInfo *password_info;
--
-- struct samr_Password lmpassword;
-- struct samr_Password ntpassword;
--
-- password_info = talloc_zero(mem_ctx, struct netr_PasswordInfo);
-- if (!password_info) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
--
-- password_info->identity_info.domain_name.string = domain;
-- password_info->identity_info.parameter_control = logon_parameters;
-- password_info->identity_info.logon_id_low = 0xdead;
-- password_info->identity_info.logon_id_high = 0xbeef;
-- password_info->identity_info.account_name.string = username;
-- password_info->identity_info.workstation.string = clnt_name_slash;
--
-- password_info->lmpassword = lmpassword;
-- password_info->ntpassword = ntpassword;
--
-- logon->password = password_info;
--
-- break;
-- }
-- case NetlogonNetworkInformation: {
-- struct netr_NetworkInfo *network_info;
-- uint8 chal[8];
-- unsigned char local_lm_response[24];
-- unsigned char local_nt_response[24];
-- struct netr_ChallengeResponse lm;
-- struct netr_ChallengeResponse nt;
--
-- ZERO_STRUCT(lm);
-- ZERO_STRUCT(nt);
--
-- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
-- if (!network_info) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- generate_random_buffer(chal, 8);
--
-- SMBencrypt(password, chal, local_lm_response);
-- SMBNTencrypt(password, chal, local_nt_response);
--
-- lm.length = 24;
-- lm.data = local_lm_response;
--
-- nt.length = 24;
-- nt.data = local_nt_response;
--
-- network_info->identity_info.domain_name.string = domain;
-- network_info->identity_info.parameter_control = logon_parameters;
-- network_info->identity_info.logon_id_low = 0xdead;
-- network_info->identity_info.logon_id_high = 0xbeef;
-- network_info->identity_info.account_name.string = username;
-- network_info->identity_info.workstation.string = clnt_name_slash;
--
-- memcpy(network_info->challenge, chal, 8);
-- network_info->nt = nt;
-- network_info->lm = lm;
--
-- logon->network = network_info;
--
-- break;
-- }
-- default:
-- DEBUG(0, ("switch value %d not supported\n",
-- logon_type));
-- return NT_STATUS_INVALID_INFO_CLASS;
-- }
--
-- status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
-- cli->binding_handle,
-- logon_type,
-- logon,
-- mem_ctx,
-- &validation_level,
-- &validation,
-- &authoritative,
-- &flags);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
-- return NT_STATUS_OK;
--}
--
- NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
- struct dcerpc_binding_handle *binding_handle,
- uint32_t logon_parameters,
-diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
-index 0de836a..eaa5b0c 100644
---- a/source3/rpc_client/cli_netlogon.h
-+++ b/source3/rpc_client/cli_netlogon.h
-@@ -43,15 +43,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
- bool force_reauth,
- struct samr_Password current_nt_hash,
- const struct samr_Password *previous_nt_hash);
--NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
-- TALLOC_CTX *mem_ctx,
-- uint32 logon_parameters,
-- const char *domain,
-- const char *username,
-- const char *password,
-- const char *workstation,
-- uint16_t validation_level,
-- int logon_type);
- NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
- struct dcerpc_binding_handle *binding_handle,
- uint32_t logon_parameters,
---
-1.9.3
-
-
-From 4092fca5daf42e1cd26af8069b09b97a7d01df9c Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 19:23:54 +0200
-Subject: [PATCH 211/249] s3:rpc_client: remove unused
- rpccli_netlogon_sam_network_logon()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 3f41b583840ffa2220f61eea61833bf3c6bd33db)
----
- source3/rpc_client/cli_netlogon.c | 94 ---------------------------------------
- source3/rpc_client/cli_netlogon.h | 12 -----
- 2 files changed, 106 deletions(-)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index 171337a..ca2d9bf 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -346,100 +346,6 @@ static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
- * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
- **/
-
--NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
-- TALLOC_CTX *mem_ctx,
-- uint32 logon_parameters,
-- const char *server,
-- const char *username,
-- const char *domain,
-- const char *workstation,
-- const uint8 chal[8],
-- uint16_t _ignored_validation_level,
-- DATA_BLOB lm_response,
-- DATA_BLOB nt_response,
-- struct netr_SamInfo3 **info3)
--{
-- NTSTATUS status;
-- const char *workstation_name_slash;
-- union netr_LogonLevel *logon = NULL;
-- struct netr_NetworkInfo *network_info;
-- uint16_t validation_level = 0;
-- union netr_Validation *validation = NULL;
-- uint8_t authoritative = 0;
-- uint32_t flags = 0;
-- struct netr_ChallengeResponse lm;
-- struct netr_ChallengeResponse nt;
--
-- *info3 = NULL;
--
-- ZERO_STRUCT(lm);
-- ZERO_STRUCT(nt);
--
-- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
-- if (!logon) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
-- if (!network_info) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- if (workstation[0] != '\\' && workstation[1] != '\\') {
-- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
-- } else {
-- workstation_name_slash = workstation;
-- }
--
-- if (!workstation_name_slash) {
-- DEBUG(0, ("talloc_asprintf failed!\n"));
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- /* Initialise input parameters */
--
-- lm.data = lm_response.data;
-- lm.length = lm_response.length;
-- nt.data = nt_response.data;
-- nt.length = nt_response.length;
--
-- network_info->identity_info.domain_name.string = domain;
-- network_info->identity_info.parameter_control = logon_parameters;
-- network_info->identity_info.logon_id_low = 0xdead;
-- network_info->identity_info.logon_id_high = 0xbeef;
-- network_info->identity_info.account_name.string = username;
-- network_info->identity_info.workstation.string = workstation_name_slash;
--
-- memcpy(network_info->challenge, chal, 8);
-- network_info->nt = nt;
-- network_info->lm = lm;
--
-- logon->network = network_info;
--
-- /* Marshall data and send request */
--
-- status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
-- cli->binding_handle,
-- NetlogonNetworkInformation,
-- logon,
-- mem_ctx,
-- &validation_level,
-- &validation,
-- &authoritative,
-- &flags);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
-- status = map_validation_to_info3(mem_ctx,
-- validation_level, validation,
-- info3);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
-- return NT_STATUS_OK;
--}
-
- NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
- struct dcerpc_binding_handle *binding_handle,
-diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
-index eaa5b0c..61fed4a 100644
---- a/source3/rpc_client/cli_netlogon.h
-+++ b/source3/rpc_client/cli_netlogon.h
-@@ -51,18 +51,6 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
- const char *password,
- const char *workstation,
- enum netr_LogonInfoClass logon_type);
--NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
-- TALLOC_CTX *mem_ctx,
-- uint32 logon_parameters,
-- const char *server,
-- const char *username,
-- const char *domain,
-- const char *workstation,
-- const uint8 chal[8],
-- uint16_t validation_level,
-- DATA_BLOB lm_response,
-- DATA_BLOB nt_response,
-- struct netr_SamInfo3 **info3);
- NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
- struct dcerpc_binding_handle *binding_handle,
- TALLOC_CTX *mem_ctx,
---
-1.9.3
-
-
-From bdfc02fd5830ed6e2f14aaf90456e572028ada6a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 16 Sep 2013 19:25:27 +0200
-Subject: [PATCH 212/249] s3:rpc_client: finally remove unused
- rpc_pipe_client->netlogon_creds
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit c0761c3eae34175d772476006caf5caad68bd8c6)
----
- source3/rpc_client/cli_pipe.c | 9 ---------
- source3/rpc_client/rpc_client.h | 3 ---
- 2 files changed, 12 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 31cd7f5..8613a21 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -3097,15 +3097,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
- return status;
- }
-
-- status = netlogon_creds_cli_context_copy(netlogon_creds,
-- rpccli,
-- &rpccli->netlogon_creds);
-- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
-- nt_errstr(status)));
-- TALLOC_FREE(rpccli);
-- return status;
-- }
-
- done:
- DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
-diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
-index 7c4cceb..7c5ff0e 100644
---- a/source3/rpc_client/rpc_client.h
-+++ b/source3/rpc_client/rpc_client.h
-@@ -48,9 +48,6 @@ struct rpc_pipe_client {
- uint16 max_recv_frag;
-
- struct pipe_auth_data *auth;
--
-- /* The following is only non-null on a netlogon client pipe. */
-- struct netlogon_creds_cli_context *netlogon_creds;
- };
-
- #endif /* _RPC_CLIENT_H */
---
-1.9.3
-
-
-From 710124dca6a97d9148d62bc9aa727568d5284e45 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 17 Oct 2013 19:17:12 +0200
-Subject: [PATCH 213/249] libcli/auth: remove unused
- netlogon_creds_cli_context_copy()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 3d45d4dc3c69557bf1d1fe6d4a880ad74a2a41f1)
----
- libcli/auth/netlogon_creds_cli.c | 47 ----------------------------------------
- libcli/auth/netlogon_creds_cli.h | 4 ----
- 2 files changed, 51 deletions(-)
-
-diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
-index 6590b21..1724064 100644
---- a/libcli/auth/netlogon_creds_cli.c
-+++ b/libcli/auth/netlogon_creds_cli.c
-@@ -488,53 +488,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
- return NT_STATUS_OK;
- }
-
--NTSTATUS netlogon_creds_cli_context_copy(
-- const struct netlogon_creds_cli_context *src,
-- TALLOC_CTX *mem_ctx,
-- struct netlogon_creds_cli_context **_dst)
--{
-- struct netlogon_creds_cli_context *dst;
--
-- dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
-- if (dst == NULL) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- *dst = *src;
--
-- dst->client.computer = talloc_strdup(dst, src->client.computer);
-- if (dst->client.computer == NULL) {
-- TALLOC_FREE(dst);
-- return NT_STATUS_NO_MEMORY;
-- }
-- dst->client.account = talloc_strdup(dst, src->client.account);
-- if (dst->client.account == NULL) {
-- TALLOC_FREE(dst);
-- return NT_STATUS_NO_MEMORY;
-- }
-- dst->server.computer = talloc_strdup(dst, src->server.computer);
-- if (dst->server.computer == NULL) {
-- TALLOC_FREE(dst);
-- return NT_STATUS_NO_MEMORY;
-- }
-- dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
-- if (dst->server.netbios_domain == NULL) {
-- TALLOC_FREE(dst);
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- dst->db.key_name = talloc_strdup(dst, src->db.key_name);
-- if (dst->db.key_name == NULL) {
-- TALLOC_FREE(dst);
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- dst->db.key_data = string_term_tdb_data(dst->db.key_name);
--
-- *_dst = dst;
-- return NT_STATUS_OK;
--}
--
- enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
- struct netlogon_creds_cli_context *context)
- {
-diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
-index f8f2bef..5bd8bd3 100644
---- a/libcli/auth/netlogon_creds_cli.h
-+++ b/libcli/auth/netlogon_creds_cli.h
-@@ -49,10 +49,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
- const char *server_netbios_domain,
- TALLOC_CTX *mem_ctx,
- struct netlogon_creds_cli_context **_context);
--NTSTATUS netlogon_creds_cli_context_copy(
-- const struct netlogon_creds_cli_context *src,
-- TALLOC_CTX *mem_ctx,
-- struct netlogon_creds_cli_context **_dst);
-
- enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
- struct netlogon_creds_cli_context *context);
---
-1.9.3
-
-
-From aa3a65e9770bb81e73b30e71b49855b18d012e68 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 6 Dec 2013 11:38:21 +0100
-Subject: [PATCH 214/249] lib/param: add "allow nt4 crypto" option, defaulting
- to false
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 87bdc88328568359e51af6615b378ba8dc67f647)
----
- docs-xml/smbdotconf/logon/allownt4crypto.xml | 26 ++++++++++++++++++++++++++
- lib/param/param_functions.c | 1 +
- lib/param/param_table.c | 9 +++++++++
- 3 files changed, 36 insertions(+)
- create mode 100644 docs-xml/smbdotconf/logon/allownt4crypto.xml
-
-diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
-new file mode 100644
-index 0000000..4d417c7
---- /dev/null
-+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
-@@ -0,0 +1,26 @@
-+<samba:parameter name="allow nt4 crypto"
-+ context="G"
-+ type="boolean"
-+ advanced="1"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>This option controls whether the netlogon server (currently
-+ only in 'active directory domain controller' mode), will
-+ reject clients which does not support NETLOGON_NEG_STRONG_KEYS
-+ nor NETLOGON_NEG_SUPPORTS_AES.</para>
-+
-+ <para>This option was added with Samba 4.2.0. It may lock out clients
-+ which worked fine with Samba versions up to 4.1.x. as the effective default
-+ was "yes" there, while it is "no" now.</para>
-+
-+ <para>If you have clients without RequireStrongKey = 1 in the registry,
-+ you may need to set "allow nt4 crypto = yes", until you have fixed all clients.
-+ </para>
-+
-+ <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
-+
-+ <para>This option yields precedence to the 'reject md5 clients' option.</para>
-+</description>
-+
-+<value type="default">no</value>
-+</samba:parameter>
-diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
-index 41b137f..bf931c6 100644
---- a/lib/param/param_functions.c
-+++ b/lib/param/param_functions.c
-@@ -154,6 +154,7 @@ FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
- FN_LOCAL_BOOL(durable_handles, bDurableHandles)
-
- FN_GLOBAL_BOOL(allow_insecure_widelinks, bAllowInsecureWidelinks)
-+FN_GLOBAL_BOOL(allow_nt4_crypto, bAllowNT4Crypto)
- FN_GLOBAL_BOOL(allow_trusted_domains, bAllowTrustedDomains)
- FN_GLOBAL_BOOL(async_smb_echo_handler, bAsyncSMBEchoHandler)
- FN_GLOBAL_BOOL(bind_interfaces_only, bBindInterfacesOnly)
-diff --git a/lib/param/param_table.c b/lib/param/param_table.c
-index 36e8554..5ef78de 100644
---- a/lib/param/param_table.c
-+++ b/lib/param/param_table.c
-@@ -4324,6 +4324,15 @@ static struct parm_struct parm_table[] = {
- .special = NULL,
- .enum_list = NULL
- },
-+ {
-+ .label = "allow nt4 crypto",
-+ .type = P_BOOL,
-+ .p_class = P_GLOBAL,
-+ .offset = GLOBAL_VAR(bAllowNT4Crypto),
-+ .special = NULL,
-+ .enum_list = NULL,
-+ .flags = FLAG_ADVANCED,
-+ },
-
- {N_("TLS options"), P_SEP, P_SEPARATOR},
-
---
-1.9.3
-
-
-From 51323c0574963065e2edf9346f310f08ce2b59e8 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 6 Dec 2013 11:39:15 +0100
-Subject: [PATCH 215/249] lib/param: add "reject md5 client" option, defaulting
- to false
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 807bcb4981fb20a9b97e69f01c3545ea7e85666e)
----
- docs-xml/smbdotconf/logon/rejectmd5clients.xml | 18 ++++++++++++++++++
- lib/param/param_functions.c | 1 +
- lib/param/param_table.c | 9 +++++++++
- 3 files changed, 28 insertions(+)
- create mode 100644 docs-xml/smbdotconf/logon/rejectmd5clients.xml
-
-diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
-new file mode 100644
-index 0000000..04a5b4d
---- /dev/null
-+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
-@@ -0,0 +1,18 @@
-+<samba:parameter name="reject md5 clients"
-+ context="G"
-+ type="boolean"
-+ advanced="1"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>This option controls whether the netlogon server (currently
-+ only in 'active directory domain controller' mode), will
-+ reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
-+
-+ <para>You can set this to yes if all domain members support aes.
-+ This will prevent downgrade attacks.</para>
-+
-+ <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
-+</description>
-+
-+<value type="default">no</value>
-+</samba:parameter>
-diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
-index bf931c6..99f0b7f 100644
---- a/lib/param/param_functions.c
-+++ b/lib/param/param_functions.c
-@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
- FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
- FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
- FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
-+FN_GLOBAL_BOOL(reject_md5_clients, bRejectMD5Clients)
- FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
- FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
- FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
-diff --git a/lib/param/param_table.c b/lib/param/param_table.c
-index 5ef78de..4850324 100644
---- a/lib/param/param_table.c
-+++ b/lib/param/param_table.c
-@@ -4333,6 +4333,15 @@ static struct parm_struct parm_table[] = {
- .enum_list = NULL,
- .flags = FLAG_ADVANCED,
- },
-+ {
-+ .label = "reject md5 clients",
-+ .type = P_BOOL,
-+ .p_class = P_GLOBAL,
-+ .offset = GLOBAL_VAR(bRejectMD5Clients),
-+ .special = NULL,
-+ .enum_list = NULL,
-+ .flags = FLAG_ADVANCED,
-+ },
-
- {N_("TLS options"), P_SEP, P_SEPARATOR},
-
---
-1.9.3
-
-
-From 4f3cd17f89ddedaf6e34bc17b220f6ae6993d0c0 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 6 Dec 2013 13:41:43 +0100
-Subject: [PATCH 216/249] selftest/Samba4: use "allow nt4 crypto = yes" for
- testing
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 0d4806f9f056c3e37f5aed1ef19e2924aa8f4151)
----
- selftest/target/Samba4.pm | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
-index ac2fdd9..ee6a365 100644
---- a/selftest/target/Samba4.pm
-+++ b/selftest/target/Samba4.pm
-@@ -776,6 +776,7 @@ sub provision($$$$$$$$$)
- server max protocol = SMB2
- host msdfs = $msdfs
- lanman auth = yes
-+ allow nt4 crypto = yes
-
- $extra_smbconf_options
-
---
-1.9.3
-
-
-From 32f88ae5a3d254c6e1b94ea2aaa45febf475af9e Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 23 Dec 2013 10:12:24 +0100
-Subject: [PATCH 217/249] s4:netlogon: correctly calculate the negotiate_flags
-
-We need to bit-wise AND the client and server flags.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 3b77b804cdc9e7621f026ef9bc8e7059f471348e)
----
- source4/rpc_server/netlogon/dcerpc_netlogon.c | 59 +++++++++++++--------------
- 1 file changed, 28 insertions(+), 31 deletions(-)
-
-diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-index c41cd02..b001cb5 100644
---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
-+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-@@ -120,6 +120,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
-
- const char *trust_dom_attrs[] = {"flatname", NULL};
- const char *account_name;
-+ uint32_t server_flags = 0;
- uint32_t negotiate_flags = 0;
-
- ZERO_STRUCTP(r->out.return_credentials);
-@@ -176,37 +177,33 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
- memcache_delete(global_challenge_table,
- SINGLETON_CACHE, challenge_key);
-
-- negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
-- NETLOGON_NEG_PERSISTENT_SAMREPL |
-- NETLOGON_NEG_ARCFOUR |
-- NETLOGON_NEG_PROMOTION_COUNT |
-- NETLOGON_NEG_CHANGELOG_BDC |
-- NETLOGON_NEG_FULL_SYNC_REPL |
-- NETLOGON_NEG_MULTIPLE_SIDS |
-- NETLOGON_NEG_REDO |
-- NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
-- NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
-- NETLOGON_NEG_GENERIC_PASSTHROUGH |
-- NETLOGON_NEG_CONCURRENT_RPC |
-- NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
-- NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
-- NETLOGON_NEG_TRANSITIVE_TRUSTS |
-- NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
-- NETLOGON_NEG_PASSWORD_SET2 |
-- NETLOGON_NEG_GETDOMAININFO |
-- NETLOGON_NEG_CROSS_FOREST_TRUSTS |
-- NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
-- NETLOGON_NEG_RODC_PASSTHROUGH |
-- NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
-- NETLOGON_NEG_AUTHENTICATED_RPC;
--
-- if (*r->in.negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
-- negotiate_flags |= NETLOGON_NEG_STRONG_KEYS;
-- }
--
-- if (*r->in.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-- negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
-- }
-+ server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
-+ NETLOGON_NEG_PERSISTENT_SAMREPL |
-+ NETLOGON_NEG_ARCFOUR |
-+ NETLOGON_NEG_PROMOTION_COUNT |
-+ NETLOGON_NEG_CHANGELOG_BDC |
-+ NETLOGON_NEG_FULL_SYNC_REPL |
-+ NETLOGON_NEG_MULTIPLE_SIDS |
-+ NETLOGON_NEG_REDO |
-+ NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
-+ NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
-+ NETLOGON_NEG_GENERIC_PASSTHROUGH |
-+ NETLOGON_NEG_CONCURRENT_RPC |
-+ NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
-+ NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
-+ NETLOGON_NEG_STRONG_KEYS |
-+ NETLOGON_NEG_TRANSITIVE_TRUSTS |
-+ NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
-+ NETLOGON_NEG_PASSWORD_SET2 |
-+ NETLOGON_NEG_GETDOMAININFO |
-+ NETLOGON_NEG_CROSS_FOREST_TRUSTS |
-+ NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
-+ NETLOGON_NEG_RODC_PASSTHROUGH |
-+ NETLOGON_NEG_SUPPORTS_AES |
-+ NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
-+ NETLOGON_NEG_AUTHENTICATED_RPC;
-+
-+ negotiate_flags = *r->in.negotiate_flags & server_flags;
-
- /*
- * According to Microsoft (see bugid #6099)
---
-1.9.3
-
-
-From ce8c9b651d9da88a13a8cd0fe02e5f3e2f1f6b51 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 23 Dec 2013 10:10:17 +0100
-Subject: [PATCH 218/249] s4:netlogon: don't generate a debug message for
- SEC_CHAN_NULL.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 2e36fbc77dc43f31ec78cdbef23b94bd00d6f565)
----
- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-index b001cb5..45a7262 100644
---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
-+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-@@ -220,6 +220,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
- case SEC_CHAN_BDC:
- case SEC_CHAN_RODC:
- break;
-+ case SEC_CHAN_NULL:
-+ return NT_STATUS_INVALID_PARAMETER;
- default:
- DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
- r->in.secure_channel_type));
---
-1.9.3
-
-
-From b4d5ace784d207f8562a4c93b55de415a81cec42 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 6 Dec 2013 12:08:50 +0100
-Subject: [PATCH 219/249] s4:netlogon: implement "allow nt4 crypto" and "reject
- md5 clients" features.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Tue Jan 7 16:53:31 CET 2014 on sn-devel-104
-(cherry picked from commit 7d2abf520df1ff46d79dfd8ff579c230f2bc3c2a)
----
- source4/rpc_server/netlogon/dcerpc_netlogon.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-index 45a7262..6b57cda 100644
---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
-+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-@@ -122,6 +122,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
- const char *account_name;
- uint32_t server_flags = 0;
- uint32_t negotiate_flags = 0;
-+ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
-+ bool reject_des_client = !allow_nt4_crypto;
-+ bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
-
- ZERO_STRUCTP(r->out.return_credentials);
- *r->out.rid = 0;
-@@ -205,6 +208,23 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
-
- negotiate_flags = *r->in.negotiate_flags & server_flags;
-
-+ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
-+ reject_des_client = false;
-+ }
-+
-+ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-+ reject_des_client = false;
-+ reject_md5_client = false;
-+ }
-+
-+ if (reject_des_client || reject_md5_client) {
-+ /*
-+ * Here we match Windows 2012 and return no flags.
-+ */
-+ *r->out.negotiate_flags = 0;
-+ return NT_STATUS_DOWNGRADE_DETECTED;
-+ }
-+
- /*
- * According to Microsoft (see bugid #6099)
- * Windows 7 looks at the negotiate_flags
---
-1.9.3
-
-
-From ff28e17cdcbe8e1ec4a275d80b3e749da4920c6d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 8 Jan 2014 12:04:22 +0100
-Subject: [PATCH 220/249] libcli/auth: fix usage of an uninitialized variable
- in netlogon_creds_cli_check_caps()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If status is RPC_PROCNUM_OUT_OF_RANGE, result might be uninitialized.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 0e62f3279525ea864590f713f334f4dc5f5d3a32)
----
- libcli/auth/netlogon_creds_cli.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
-index 1724064..51b30a1 100644
---- a/libcli/auth/netlogon_creds_cli.c
-+++ b/libcli/auth/netlogon_creds_cli.c
-@@ -1390,7 +1390,7 @@ struct netlogon_creds_cli_check_state {
- };
-
- static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
-- NTSTATUS status);
-+ NTSTATUS status);
- static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
-
- struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
-@@ -1582,7 +1582,7 @@ static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
- * with the next request as the sequence number processing
- * gets out of sync.
- */
-- netlogon_creds_cli_check_cleanup(req, result);
-+ netlogon_creds_cli_check_cleanup(req, status);
- tevent_req_done(req);
- return;
- }
---
-1.9.3
-
-
-From d4902881482eeecf5a219342b3862ac0fbb7b7a9 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 17 Jan 2014 14:00:27 +0100
-Subject: [PATCH 221/249] libcli/auth: add netlogon_creds_cli_set_global_db()
-
-This can be used to inject a db_context from dbwrap_ctdb.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit ece3ba10a16138a75b207a0cf9fe299759253d99)
----
- libcli/auth/netlogon_creds_cli.c | 10 ++++++++++
- libcli/auth/netlogon_creds_cli.h | 2 ++
- 2 files changed, 12 insertions(+)
-
-diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
-index 51b30a1..37bdf74 100644
---- a/libcli/auth/netlogon_creds_cli.c
-+++ b/libcli/auth/netlogon_creds_cli.c
-@@ -199,6 +199,16 @@ static NTSTATUS netlogon_creds_cli_context_common(
-
- static struct db_context *netlogon_creds_cli_global_db;
-
-+NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db)
-+{
-+ if (netlogon_creds_cli_global_db != NULL) {
-+ return NT_STATUS_INVALID_PARAMETER_MIX;
-+ }
-+
-+ netlogon_creds_cli_global_db = talloc_move(talloc_autofree_context(), db);
-+ return NT_STATUS_OK;
-+}
-+
- NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
- {
- char *fname;
-diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
-index 5bd8bd3..90d0182 100644
---- a/libcli/auth/netlogon_creds_cli.h
-+++ b/libcli/auth/netlogon_creds_cli.h
-@@ -28,7 +28,9 @@
- struct netlogon_creds_cli_context;
- struct messaging_context;
- struct dcerpc_binding_handle;
-+struct db_context;
-
-+NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db);
- NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
-
- NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
---
-1.9.3
-
-
-From 80407a74da35cac64bef252698a2477787f0997d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 17 Jan 2014 14:07:37 +0100
-Subject: [PATCH 222/249] s3:rpc_client: use db_open() to open
- "netlogon_creds_cli.tdb"
-
-This uses dbwrap_ctdb if running in a cluster.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 8cf4eff201aa9e1ba8127311bcfc2a357fb4ef03)
----
- source3/rpc_client/cli_netlogon.c | 38 ++++++++++++++++++++++++++++++++++++--
- 1 file changed, 36 insertions(+), 2 deletions(-)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index ca2d9bf..b7b490f 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -21,6 +21,7 @@
- */
-
- #include "includes.h"
-+#include "system/filesys.h"
- #include "libsmb/libsmb.h"
- #include "rpc_client/rpc_client.h"
- #include "rpc_client/cli_pipe.h"
-@@ -34,26 +35,53 @@
- #include "../libcli/security/security.h"
- #include "lib/param/param.h"
- #include "libcli/smb/smbXcli_base.h"
-+#include "dbwrap/dbwrap.h"
-+#include "dbwrap/dbwrap_open.h"
-+#include "util_tdb.h"
-
-
- NTSTATUS rpccli_pre_open_netlogon_creds(void)
- {
-- TALLOC_CTX *frame = talloc_stackframe();
-+ static bool already_open = false;
-+ TALLOC_CTX *frame;
- struct loadparm_context *lp_ctx;
-+ char *fname;
-+ struct db_context *global_db;
- NTSTATUS status;
-
-+ if (already_open) {
-+ return NT_STATUS_OK;
-+ }
-+
-+ frame = talloc_stackframe();
-+
- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
- if (lp_ctx == NULL) {
- TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
-
-- status = netlogon_creds_cli_open_global_db(lp_ctx);
-+ fname = lpcfg_private_db_path(frame, lp_ctx, "netlogon_creds_cli");
-+ if (fname == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ global_db = db_open(talloc_autofree_context(), fname,
-+ 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
-+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
-+ if (global_db == NULL) {
-+ TALLOC_FREE(frame);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ status = netlogon_creds_cli_set_global_db(&global_db);
- TALLOC_FREE(frame);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
-+ already_open = true;
- return NT_STATUS_OK;
- }
-
-@@ -69,6 +97,12 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
- struct loadparm_context *lp_ctx;
- NTSTATUS status;
-
-+ status = rpccli_pre_open_netlogon_creds();
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return status;
-+ }
-+
- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
- if (lp_ctx == NULL) {
- TALLOC_FREE(frame);
---
-1.9.3
-
-
-From 2ed3041405f5808031f2d5fd0e42f48246d22b7b Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 17 Jan 2014 14:08:59 +0100
-Subject: [PATCH 223/249] libcli/auth: don't alter the computer_name in cluster
- mode.
-
-This breaks NTLMv2 authentication.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 387ed2e15df085274f72cebda341040a1e767a4b)
----
- libcli/auth/netlogon_creds_cli.c | 22 +++-------------------
- 1 file changed, 3 insertions(+), 19 deletions(-)
-
-diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
-index 37bdf74..88893ad 100644
---- a/libcli/auth/netlogon_creds_cli.c
-+++ b/libcli/auth/netlogon_creds_cli.c
-@@ -261,28 +261,12 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
- bool seal_secure_channel = true;
- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
- bool neutralize_nt4_emulation = false;
-- struct server_id self = {
-- .vnn = NONCLUSTER_VNN,
-- .unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
-- };
--
-- if (msg_ctx != NULL) {
-- self = messaging_server_id(msg_ctx);
-- }
-
- *_context = NULL;
-
-- if (self.vnn != NONCLUSTER_VNN) {
-- client_computer = talloc_asprintf(frame,
-- "%s_cluster_vnn_%u",
-- lpcfg_netbios_name(lp_ctx),
-- (unsigned)self.vnn);
-- if (client_computer == NULL) {
-- TALLOC_FREE(frame);
-- return NT_STATUS_NO_MEMORY;
-- }
-- } else {
-- client_computer = lpcfg_netbios_name(lp_ctx);
-+ client_computer = lpcfg_netbios_name(lp_ctx);
-+ if (strlen(client_computer) > 15) {
-+ return NT_STATUS_INVALID_PARAMETER_MIX;
- }
-
- /*
---
-1.9.3
-
-
-From 8257c3a5d6e8319578d224e544242da81b043a54 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 10 Jan 2014 13:13:40 +0100
-Subject: [PATCH 224/249] libcli/auth: reject computer_name longer than 15
- chars
-
-This matches Windows, it seems they use a fixed size field to store
-netlogon_creds_CredentialState.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit b8fdeb8ca7ce362058bb86a4e58b34fb6340867e)
----
- libcli/auth/schannel_state_tdb.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
-index 8f9c1f0..b91e242 100644
---- a/libcli/auth/schannel_state_tdb.c
-+++ b/libcli/auth/schannel_state_tdb.c
-@@ -78,6 +78,14 @@ NTSTATUS schannel_store_session_key_tdb(struct db_context *db_sc,
- char *name_upper;
- NTSTATUS status;
-
-+ if (strlen(creds->computer_name) > 15) {
-+ /*
-+ * We may want to check for a completely
-+ * valid netbios name.
-+ */
-+ return STATUS_BUFFER_OVERFLOW;
-+ }
-+
- name_upper = strupper_talloc(mem_ctx, creds->computer_name);
- if (!name_upper) {
- return NT_STATUS_NO_MEMORY;
---
-1.9.3
-
-
-From d6af8ed76f728621a8ba7515cf1180d6654c8d83 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 11 Jan 2014 17:13:04 +0100
-Subject: [PATCH 225/249] s3:rpc_server/netlogon: return a zero
- return_authenticator on error
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit dcc2c8362df9af088613722ebd8a6261fb098a5c)
----
- source3/rpc_server/netlogon/srv_netlog_nt.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
-index 09857b6..7bb9dd6 100644
---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
-+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
-@@ -1020,6 +1020,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
- talloc_unlink(p->mem_ctx, lp_ctx);
-
- if (!NT_STATUS_IS_OK(status)) {
-+ ZERO_STRUCTP(r->out.return_credentials);
- goto out;
- }
-
---
-1.9.3
-
-
-From be06629b25f8340ac54a9e674e6a5da1eb01e733 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 11 Jan 2014 17:13:04 +0100
-Subject: [PATCH 226/249] s4:rpc_server/netlogon: return a zero
- return_authenticator and rid on error
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 25fb73f2821821630dde4cc263794e754ca03d68)
----
- source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-index 6b57cda..afa15d8 100644
---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
-+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-@@ -348,9 +348,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
- return NT_STATUS_INTERNAL_ERROR;
- }
-
-- *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
-- "objectSid", 0);
--
- mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "unicodePwd");
- if (mach_pwd == NULL) {
- return NT_STATUS_ACCESS_DENIED;
-@@ -383,8 +380,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
- nt_status = schannel_save_creds_state(mem_ctx,
- dce_call->conn->dce_ctx->lp_ctx,
- creds);
-+ if (!NT_STATUS_IS_OK(nt_status)) {
-+ ZERO_STRUCTP(r->out.return_credentials);
-+ return nt_status;
-+ }
-
-- return nt_status;
-+ *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
-+ "objectSid", 0);
-+
-+ return NT_STATUS_OK;
- }
-
- static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
---
-1.9.3
-
-
-From f5fe58d49fc66867db743393a92e1cd8e4cb293b Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Wed, 29 Jan 2014 16:58:37 +0100
-Subject: [PATCH 227/249] dbwrap_tool: remove the short form "-p" of
- "--persistent"
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 6dd1008c4e8b0b798d589959021c9b578db74ff4)
----
- source3/utils/dbwrap_tool.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
-index 79b40d2..406e89e 100644
---- a/source3/utils/dbwrap_tool.c
-+++ b/source3/utils/dbwrap_tool.c
-@@ -420,7 +420,7 @@ int main(int argc, const char **argv)
- struct poptOption popt_options[] = {
- POPT_AUTOHELP
- POPT_COMMON_SAMBA
-- { "persistent", 'p', POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
-+ { "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
- POPT_TABLEEND
- };
- int opt;
---
-1.9.3
-
-
-From 209b5ec86620f8caadcc714db0cbec4789db0377 Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Thu, 30 Jan 2014 10:33:00 +0100
-Subject: [PATCH 228/249] docs: remove short form "-p" of --persistent from
- dbwrap_tool manpage
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 6f748fef652bbea3c8dbbbfb96b95270e6f1dcfc)
----
- docs-xml/manpages/dbwrap_tool.1.xml | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
-index 074d819..94ae281 100644
---- a/docs-xml/manpages/dbwrap_tool.1.xml
-+++ b/docs-xml/manpages/dbwrap_tool.1.xml
-@@ -19,7 +19,7 @@
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>dbwrap_tool</command>
-- <arg choice="opt">-p|--persistent</arg>
-+ <arg choice="opt">--persistent</arg>
- <arg choice="opt">-d <debug level></arg>
- <arg choice="opt">-s <config file></arg>
- <arg choice="opt">-l <log file base></arg>
-@@ -70,7 +70,7 @@
-
- <variablelist>
- <varlistentry>
-- <term>-p|--persistent</term>
-+ <term>--persistent</term>
- <listitem><para>Open the database as a persistent database.
- If this option is not specified, the database is opened as
- non-persistent.
---
-1.9.3
-
-
-From f3b8b74ff6d74fe9a0047256074e21c3363b112f Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Thu, 30 Jan 2014 10:29:49 +0100
-Subject: [PATCH 229/249] dbwrap_tool: add option "--non-persistent" and force
- excatly one of "--[non-]persistent"
-
-We want to force users of dbwrap_tool to explicitly specify
-persistent or non-persistent. Otherwise, one could easily
-by accident wipe a whole database that is actually persistent
-but not currently opened by a samba process, just by openeing
-the DB with the default non-persistent mode...
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit c3f93271ef447f9f16cd3002307c630c5f149f5a)
----
- source3/utils/dbwrap_tool.c | 23 ++++++++++++++++++-----
- 1 file changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
-index 406e89e..ffca6b6 100644
---- a/source3/utils/dbwrap_tool.c
-+++ b/source3/utils/dbwrap_tool.c
-@@ -411,6 +411,7 @@ int main(int argc, const char **argv)
- enum dbwrap_type type;
- const char *valuestr = "0";
- int persistent = 0;
-+ int non_persistent = 0;
- int tdb_flags = TDB_DEFAULT;
-
- TALLOC_CTX *mem_ctx = talloc_stackframe();
-@@ -420,7 +421,13 @@ int main(int argc, const char **argv)
- struct poptOption popt_options[] = {
- POPT_AUTOHELP
- POPT_COMMON_SAMBA
-- { "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
-+ { "non-persistent", 0, POPT_ARG_NONE, &non_persistent, 0,
-+ "treat the database as non-persistent "
-+ "(CAVEAT: This mode might wipe your database!)",
-+ NULL },
-+ { "persistent", 0, POPT_ARG_NONE, &persistent, 0,
-+ "treat the database as persistent",
-+ NULL },
- POPT_TABLEEND
- };
- int opt;
-@@ -463,6 +470,16 @@ int main(int argc, const char **argv)
- goto done;
- }
-
-+ if ((persistent == 0 && non_persistent == 0) ||
-+ (persistent == 1 && non_persistent == 1))
-+ {
-+ d_fprintf(stderr, "ERROR: you must specify exactly one "
-+ "of --persistent and --non-persistent\n");
-+ goto done;
-+ } else if (non_persistent == 1) {
-+ tdb_flags |= TDB_CLEAR_IF_FIRST;
-+ }
-+
- dbname = extra_argv[0];
- opname = extra_argv[1];
-
-@@ -563,10 +580,6 @@ int main(int argc, const char **argv)
- goto done;
- }
-
-- if (persistent == 0) {
-- tdb_flags |= TDB_CLEAR_IF_FIRST;
-- }
--
- switch (op) {
- case OP_FETCH:
- case OP_STORE:
---
-1.9.3
-
-
-From 7209e84e02c722365bec4e2a473c24217cbeb22b Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Thu, 30 Jan 2014 10:36:46 +0100
-Subject: [PATCH 230/249] docs: document new --non-persistent option to
- dbwrap_tool
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 1e3b352f799038ec25437db53e051dadb9d97c95)
----
- docs-xml/manpages/dbwrap_tool.1.xml | 20 ++++++++++++++++++--
- 1 file changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
-index 94ae281..ff0e478 100644
---- a/docs-xml/manpages/dbwrap_tool.1.xml
-+++ b/docs-xml/manpages/dbwrap_tool.1.xml
-@@ -20,6 +20,7 @@
- <cmdsynopsis>
- <command>dbwrap_tool</command>
- <arg choice="opt">--persistent</arg>
-+ <arg choice="opt">--non-persistent</arg>
- <arg choice="opt">-d <debug level></arg>
- <arg choice="opt">-s <config file></arg>
- <arg choice="opt">-l <log file base></arg>
-@@ -72,8 +73,23 @@
- <varlistentry>
- <term>--persistent</term>
- <listitem><para>Open the database as a persistent database.
-- If this option is not specified, the database is opened as
-- non-persistent.
-+ </para>
-+ <para>
-+ Exactly one of --persistent and --non-persistent must be
-+ specified.
-+ </para></listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>--non-persistent</term>
-+ <listitem><para>Open the database as a non-persistent database.
-+ </para>
-+ <para>
-+ Caveat: opening a database as non-persistent when there
-+ is currently no other opener will wipe the database.
-+ </para>
-+ <para>
-+ Exactly one of --persistent and --non-persistent must be
-+ specified.
- </para></listitem>
- </varlistentry>
- &popt.common.samba.client;
---
-1.9.3
-
-
-From accf5a617055c161540384fdfe195ad9c43cd048 Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Thu, 30 Jan 2014 10:47:15 +0100
-Subject: [PATCH 231/249] docs: remove extra spaces in synopsis of dbwrap_tool
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit e93f052e37e736e5776fe7f7c7d246f9ecc4b4c8)
----
- docs-xml/manpages/dbwrap_tool.1.xml | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
-index ff0e478..68a88df 100644
---- a/docs-xml/manpages/dbwrap_tool.1.xml
-+++ b/docs-xml/manpages/dbwrap_tool.1.xml
-@@ -30,9 +30,7 @@
- <arg choice="req"><operation></arg>
- <arg choice="opt"><key>
- <arg choice="opt"><type>
-- <arg choice="opt"><value></arg>
-- </arg>
-- </arg>
-+ <arg choice="opt"><value></arg></arg></arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
---
-1.9.3
-
-
-From 0e193981caa2ad9458e758a46076664d2efdb70e Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Fri, 24 Jan 2014 00:09:50 +0100
-Subject: [PATCH 232/249] smbd:smb2: fix durable reconnect: set fsp->fnum from
- the smbXsrv_open->local_id
-
-Originally, fsp->fnum was left at the INVALID fnum value.
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 6b2d67a345e90306f0d35402d0f4e3067a014057)
----
- source3/smbd/durable.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/smbd/durable.c b/source3/smbd/durable.c
-index c3d0a6f..471c5b9 100644
---- a/source3/smbd/durable.c
-+++ b/source3/smbd/durable.c
-@@ -703,6 +703,7 @@ NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
- fsp->share_access = e->share_access;
- fsp->can_read = ((fsp->access_mask & (FILE_READ_DATA)) != 0);
- fsp->can_write = ((fsp->access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) != 0);
-+ fsp->fnum = op->local_id;
-
- /*
- * TODO:
---
-1.9.3
-
-
-From dbc1d6f8479cf84c714c4ed6b69df2a3673d0a46 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 24 Dec 2013 09:00:01 +0100
-Subject: [PATCH 233/249] s3:smbd: skip empty records in smbXsrv_open_cleanup()
-
-This should avoid scary ndr_pull errors, if there's
-a cleanup race.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Thu Jan 30 18:49:37 CET 2014 on sn-devel-104
-(cherry picked from commit 0b23345676c6f02d5bb1a327174d8456705ec0c7)
----
- source3/smbd/smbXsrv_open.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
-index 27dd50c..29c172c 100644
---- a/source3/smbd/smbXsrv_open.c
-+++ b/source3/smbd/smbXsrv_open.c
-@@ -1380,6 +1380,7 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
- struct smbXsrv_open_global0 *op = NULL;
- uint8_t key_buf[SMBXSRV_OPEN_GLOBAL_TDB_KEY_SIZE];
- TDB_DATA key;
-+ TDB_DATA val;
- struct db_record *rec;
- bool delete_open = false;
- uint32_t global_id = persistent_id & UINT32_MAX;
-@@ -1395,6 +1396,14 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
- goto done;
- }
-
-+ val = dbwrap_record_get_value(rec);
-+ if (val.dsize == 0) {
-+ DEBUG(10, ("smbXsrv_open_cleanup[global: 0x%08x] "
-+ "empty record in %s, skipping...\n",
-+ global_id, dbwrap_name(smbXsrv_open_global_db_ctx)));
-+ goto done;
-+ }
-+
- status = smbXsrv_open_global_parse_record(talloc_tos(), rec, &op);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("smbXsrv_open_cleanup[global: 0x%08x] "
---
-1.9.3
-
-
-From 838d9da4a7fe6c90ba7cae6563f0af5d8b6cf6d5 Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Mon, 27 Jan 2014 13:38:51 +0100
-Subject: [PATCH 234/249] dbwrap: add flags DBWRAP_FLAG_NONE
-
-This is in preparation of adding a dbwrap_flags argument to db_open
-and firends.
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 229dcfd3501e4743d5d9aea5c9f7a97d7612a499)
----
- lib/dbwrap/dbwrap.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
-index 8bf3286..4064ba2 100644
---- a/lib/dbwrap/dbwrap.h
-+++ b/lib/dbwrap/dbwrap.h
-@@ -32,6 +32,8 @@ enum dbwrap_lock_order {
- };
- #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
-
-+#define DBWRAP_FLAG_NONE 0x0000000000000000ULL
-+
- /* The following definitions come from lib/dbwrap.c */
-
- TDB_DATA dbwrap_record_get_key(const struct db_record *rec);
---
-1.9.3
-
-
-From 868d8e2fa389ab0c697e9a70a4373908aa7df80b Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Mon, 27 Jan 2014 14:49:12 +0100
-Subject: [PATCH 235/249] dbwrap: add a dbwrap_flags argument to db_open()
-
-This is in preparation to support handing flags to backends,
-in particular activating read only record support for ctdb
-databases. For a start, this does nothing but adding the
-parameter, and all databases use DBWRAP_FLAG_NONE.
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-(similar to commit cf0cb0add9ed47b8974272237fee0e1a4ba7bf68)
----
- source3/groupdb/mapping_tdb.c | 2 +-
- source3/lib/dbwrap/dbwrap_open.c | 3 ++-
- source3/lib/dbwrap/dbwrap_open.h | 3 ++-
- source3/lib/dbwrap/dbwrap_watch.c | 3 ++-
- source3/lib/g_lock.c | 3 ++-
- source3/lib/serverid.c | 3 ++-
- source3/lib/sharesec.c | 2 +-
- source3/locking/brlock.c | 2 +-
- source3/locking/share_mode_lock.c | 2 +-
- source3/modules/vfs_acl_tdb.c | 2 +-
- source3/modules/vfs_xattr_tdb.c | 2 +-
- source3/passdb/account_pol.c | 4 ++--
- source3/passdb/pdb_tdb.c | 6 +++---
- source3/passdb/secrets.c | 2 +-
- source3/printing/printer_list.c | 3 ++-
- source3/registry/reg_backend_db.c | 6 +++---
- source3/rpc_client/cli_netlogon.c | 3 ++-
- source3/smbd/notify_internal.c | 2 +-
- source3/smbd/smbXsrv_open.c | 3 ++-
- source3/smbd/smbXsrv_session.c | 3 ++-
- source3/smbd/smbXsrv_tcon.c | 3 ++-
- source3/smbd/smbXsrv_version.c | 3 ++-
- source3/torture/test_dbwrap_watch.c | 3 ++-
- source3/torture/test_idmap_tdb_common.c | 2 +-
- source3/torture/torture.c | 3 ++-
- source3/utils/dbwrap_tool.c | 2 +-
- source3/utils/dbwrap_torture.c | 2 +-
- source3/utils/net_idmap.c | 6 +++---
- source3/utils/net_idmap_check.c | 2 +-
- source3/utils/net_registry_check.c | 4 ++--
- source3/utils/status.c | 2 +-
- source3/winbindd/idmap_autorid.c | 2 +-
- source3/winbindd/idmap_tdb.c | 2 +-
- source3/winbindd/idmap_tdb2.c | 2 +-
- 34 files changed, 55 insertions(+), 42 deletions(-)
-
-diff --git a/source3/groupdb/mapping_tdb.c b/source3/groupdb/mapping_tdb.c
-index 088874f..0863187 100644
---- a/source3/groupdb/mapping_tdb.c
-+++ b/source3/groupdb/mapping_tdb.c
-@@ -54,7 +54,7 @@ static bool init_group_mapping(void)
-
- db = db_open(NULL, state_path("group_mapping.tdb"), 0,
- TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (db == NULL) {
- DEBUG(0, ("Failed to open group mapping database: %s\n",
- strerror(errno)));
-diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
-index 515b4bf..6c9280c 100644
---- a/source3/lib/dbwrap/dbwrap_open.c
-+++ b/source3/lib/dbwrap/dbwrap_open.c
-@@ -60,7 +60,8 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
- const char *name,
- int hash_size, int tdb_flags,
- int open_flags, mode_t mode,
-- enum dbwrap_lock_order lock_order)
-+ enum dbwrap_lock_order lock_order,
-+ uint64_t dbwrap_flags)
- {
- struct db_context *result = NULL;
- #ifdef CLUSTER_SUPPORT
-diff --git a/source3/lib/dbwrap/dbwrap_open.h b/source3/lib/dbwrap/dbwrap_open.h
-index 51c7dfd..d14794e 100644
---- a/source3/lib/dbwrap/dbwrap_open.h
-+++ b/source3/lib/dbwrap/dbwrap_open.h
-@@ -39,6 +39,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
- const char *name,
- int hash_size, int tdb_flags,
- int open_flags, mode_t mode,
-- enum dbwrap_lock_order lock_order);
-+ enum dbwrap_lock_order lock_order,
-+ uint64_t dbwrap_flags);
-
- #endif /* __DBWRAP_OPEN_H__ */
-diff --git a/source3/lib/dbwrap/dbwrap_watch.c b/source3/lib/dbwrap/dbwrap_watch.c
-index 7bdcd99..5f3d17d 100644
---- a/source3/lib/dbwrap/dbwrap_watch.c
-+++ b/source3/lib/dbwrap/dbwrap_watch.c
-@@ -34,7 +34,8 @@ static struct db_context *dbwrap_record_watchers_db(void)
- watchers_db = db_open(
- NULL, lock_path("dbwrap_watchers.tdb"), 0,
- TDB_CLEAR_IF_FIRST | TDB_INCOMPATIBLE_HASH,
-- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3);
-+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3,
-+ DBWRAP_FLAG_NONE);
- }
- return watchers_db;
- }
-diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
-index 8c7a6c2..6813f06 100644
---- a/source3/lib/g_lock.c
-+++ b/source3/lib/g_lock.c
-@@ -61,7 +61,8 @@ struct g_lock_ctx *g_lock_ctx_init(TALLOC_CTX *mem_ctx,
- result->db = db_open(result, lock_path("g_lock.tdb"), 0,
- TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
- O_RDWR|O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_2);
-+ DBWRAP_LOCK_ORDER_2,
-+ DBWRAP_FLAG_NONE);
- if (result->db == NULL) {
- DEBUG(1, ("g_lock_init: Could not open g_lock.tdb\n"));
- TALLOC_FREE(result);
-diff --git a/source3/lib/serverid.c b/source3/lib/serverid.c
-index cb49520..4259887 100644
---- a/source3/lib/serverid.c
-+++ b/source3/lib/serverid.c
-@@ -77,7 +77,8 @@ static struct db_context *serverid_db(void)
- }
- db = db_open(NULL, lock_path("serverid.tdb"), 0,
- TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
-- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2);
-+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2,
-+ DBWRAP_FLAG_NONE);
- return db;
- }
-
-diff --git a/source3/lib/sharesec.c b/source3/lib/sharesec.c
-index c7a8e51..095c851 100644
---- a/source3/lib/sharesec.c
-+++ b/source3/lib/sharesec.c
-@@ -149,7 +149,7 @@ bool share_info_db_init(void)
-
- share_db = db_open(NULL, state_path("share_info.tdb"), 0,
- TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (share_db == NULL) {
- DEBUG(0,("Failed to open share info database %s (%s)\n",
- state_path("share_info.tdb"), strerror(errno) ));
-diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
-index 5d683dd..d88aa2d 100644
---- a/source3/locking/brlock.c
-+++ b/source3/locking/brlock.c
-@@ -292,7 +292,7 @@ void brl_init(bool read_only)
- brlock_db = db_open(NULL, lock_path("brlock.tdb"),
- lp_open_files_db_hash_size(), tdb_flags,
- read_only?O_RDONLY:(O_RDWR|O_CREAT), 0644,
-- DBWRAP_LOCK_ORDER_2);
-+ DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
- if (!brlock_db) {
- DEBUG(0,("Failed to open byte range locking database %s\n",
- lock_path("brlock.tdb")));
-diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c
-index 4f049bd..22f8d9a 100644
---- a/source3/locking/share_mode_lock.c
-+++ b/source3/locking/share_mode_lock.c
-@@ -67,7 +67,7 @@ static bool locking_init_internal(bool read_only)
- lp_open_files_db_hash_size(),
- TDB_DEFAULT|TDB_VOLATILE|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
- read_only?O_RDONLY:O_RDWR|O_CREAT, 0644,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
-
- if (!lock_db) {
- DEBUG(0,("ERROR: Failed to initialise locking database\n"));
-diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
-index 80839e3..8ee4bd5 100644
---- a/source3/modules/vfs_acl_tdb.c
-+++ b/source3/modules/vfs_acl_tdb.c
-@@ -60,7 +60,7 @@ static bool acl_tdb_init(void)
-
- become_root();
- acl_db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- unbecome_root();
-
- if (acl_db == NULL) {
-diff --git a/source3/modules/vfs_xattr_tdb.c b/source3/modules/vfs_xattr_tdb.c
-index 43456cf..63a12fd 100644
---- a/source3/modules/vfs_xattr_tdb.c
-+++ b/source3/modules/vfs_xattr_tdb.c
-@@ -320,7 +320,7 @@ static bool xattr_tdb_init(int snum, TALLOC_CTX *mem_ctx, struct db_context **p_
-
- become_root();
- db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_2);
-+ DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
- unbecome_root();
-
- if (db == NULL) {
-diff --git a/source3/passdb/account_pol.c b/source3/passdb/account_pol.c
-index c94df29..09a2d20 100644
---- a/source3/passdb/account_pol.c
-+++ b/source3/passdb/account_pol.c
-@@ -220,13 +220,13 @@ bool init_account_policy(void)
- }
-
- db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT,
-- O_RDWR, 0600, DBWRAP_LOCK_ORDER_1);
-+ O_RDWR, 0600, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
-
- if (db == NULL) { /* the account policies files does not exist or open
- * failed, try to create a new one */
- db = db_open(NULL, state_path("account_policy.tdb"), 0,
- TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (db == NULL) {
- DEBUG(0,("Failed to open account policy database\n"));
- return False;
-diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
-index f256e6c..162083f 100644
---- a/source3/passdb/pdb_tdb.c
-+++ b/source3/passdb/pdb_tdb.c
-@@ -226,7 +226,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
-
- tmp_db = db_open(NULL, tmp_fname, 0,
- TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (tmp_db == NULL) {
- DEBUG(0, ("tdbsam_convert_backup: Failed to create backup TDB passwd "
- "[%s]\n", tmp_fname));
-@@ -293,7 +293,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
-
- orig_db = db_open(NULL, dbname, 0,
- TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (orig_db == NULL) {
- DEBUG(0, ("tdbsam_convert_backup: Failed to re-open "
- "converted passdb TDB [%s]\n", dbname));
-@@ -444,7 +444,7 @@ static bool tdbsam_open( const char *name )
- /* Try to open tdb passwd. Create a new one if necessary */
-
- db_sam = db_open(NULL, name, 0, TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (db_sam == NULL) {
- DEBUG(0, ("tdbsam_open: Failed to open/create TDB passwd "
- "[%s]\n", name));
-diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
-index 548b030..bff9a0d 100644
---- a/source3/passdb/secrets.c
-+++ b/source3/passdb/secrets.c
-@@ -79,7 +79,7 @@ bool secrets_init_path(const char *private_dir, bool use_ntdb)
-
- db_ctx = db_open(NULL, fname, 0,
- TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
-
- if (db_ctx == NULL) {
- DEBUG(0,("Failed to open %s\n", fname));
-diff --git a/source3/printing/printer_list.c b/source3/printing/printer_list.c
-index 815f89f..9a9fa0b 100644
---- a/source3/printing/printer_list.c
-+++ b/source3/printing/printer_list.c
-@@ -40,7 +40,8 @@ static struct db_context *get_printer_list_db(void)
- }
- db = db_open(NULL, PL_DB_NAME(), 0,
- TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
-- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1);
-+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1,
-+ DBWRAP_FLAG_NONE);
- return db;
- }
-
-diff --git a/source3/registry/reg_backend_db.c b/source3/registry/reg_backend_db.c
-index 3e561eb..fdaf576 100644
---- a/source3/registry/reg_backend_db.c
-+++ b/source3/registry/reg_backend_db.c
-@@ -732,11 +732,11 @@ WERROR regdb_init(void)
-
- regdb = db_open(NULL, state_path("registry.tdb"), 0,
- REG_TDB_FLAGS, O_RDWR, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (!regdb) {
- regdb = db_open(NULL, state_path("registry.tdb"), 0,
- REG_TDB_FLAGS, O_RDWR|O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (!regdb) {
- werr = ntstatus_to_werror(map_nt_error_from_unix(errno));
- DEBUG(1,("regdb_init: Failed to open registry %s (%s)\n",
-@@ -852,7 +852,7 @@ WERROR regdb_open( void )
-
- regdb = db_open(NULL, state_path("registry.tdb"), 0,
- REG_TDB_FLAGS, O_RDWR, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if ( !regdb ) {
- result = ntstatus_to_werror( map_nt_error_from_unix( errno ) );
- DEBUG(0,("regdb_open: Failed to open %s! (%s)\n",
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index b7b490f..9e3c1bd 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -69,7 +69,8 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
-
- global_db = db_open(talloc_autofree_context(), fname,
- 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
-- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
-+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
-+ DBWRAP_FLAG_NONE);
- if (global_db == NULL) {
- TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
-diff --git a/source3/smbd/notify_internal.c b/source3/smbd/notify_internal.c
-index 2dc8674..67d8774 100644
---- a/source3/smbd/notify_internal.c
-+++ b/source3/smbd/notify_internal.c
-@@ -145,7 +145,7 @@ struct notify_context *notify_init(TALLOC_CTX *mem_ctx,
- notify->db_index = db_open(
- notify, lock_path("notify_index.tdb"),
- 0, TDB_SEQNUM|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
-- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3);
-+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3, DBWRAP_FLAG_NONE);
- if (notify->db_index == NULL) {
- goto fail;
- }
-diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
-index 29c172c..830c7aa 100644
---- a/source3/smbd/smbXsrv_open.c
-+++ b/source3/smbd/smbXsrv_open.c
-@@ -64,7 +64,8 @@ NTSTATUS smbXsrv_open_global_init(void)
- TDB_CLEAR_IF_FIRST |
- TDB_INCOMPATIBLE_HASH,
- O_RDWR | O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1,
-+ DBWRAP_FLAG_NONE);
- if (db_ctx == NULL) {
- NTSTATUS status;
-
-diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c
-index 017880c..a1ba52d 100644
---- a/source3/smbd/smbXsrv_session.c
-+++ b/source3/smbd/smbXsrv_session.c
-@@ -75,7 +75,8 @@ NTSTATUS smbXsrv_session_global_init(void)
- TDB_CLEAR_IF_FIRST |
- TDB_INCOMPATIBLE_HASH,
- O_RDWR | O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1,
-+ DBWRAP_FLAG_NONE);
- if (db_ctx == NULL) {
- NTSTATUS status;
-
-diff --git a/source3/smbd/smbXsrv_tcon.c b/source3/smbd/smbXsrv_tcon.c
-index b6e2058..2cbd761 100644
---- a/source3/smbd/smbXsrv_tcon.c
-+++ b/source3/smbd/smbXsrv_tcon.c
-@@ -62,7 +62,8 @@ NTSTATUS smbXsrv_tcon_global_init(void)
- TDB_CLEAR_IF_FIRST |
- TDB_INCOMPATIBLE_HASH,
- O_RDWR | O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1,
-+ DBWRAP_FLAG_NONE);
- if (db_ctx == NULL) {
- NTSTATUS status;
-
-diff --git a/source3/smbd/smbXsrv_version.c b/source3/smbd/smbXsrv_version.c
-index 8ba5e1f..b24dae9 100644
---- a/source3/smbd/smbXsrv_version.c
-+++ b/source3/smbd/smbXsrv_version.c
-@@ -80,7 +80,8 @@ NTSTATUS smbXsrv_version_global_init(const struct server_id *server_id)
- TDB_CLEAR_IF_FIRST |
- TDB_INCOMPATIBLE_HASH,
- O_RDWR | O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1,
-+ DBWRAP_FLAG_NONE);
- if (db_ctx == NULL) {
- status = map_nt_error_from_unix_common(errno);
- DEBUG(0,("smbXsrv_version_global_init: "
-diff --git a/source3/torture/test_dbwrap_watch.c b/source3/torture/test_dbwrap_watch.c
-index 9c2a679..4e699fe 100644
---- a/source3/torture/test_dbwrap_watch.c
-+++ b/source3/torture/test_dbwrap_watch.c
-@@ -48,7 +48,8 @@ bool run_dbwrap_watch1(int dummy)
- goto fail;
- }
- db = db_open(msg, "test_watch.tdb", 0, TDB_DEFAULT,
-- O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1);
-+ O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1,
-+ DBWRAP_FLAG_NONE);
- if (db == NULL) {
- fprintf(stderr, "db_open failed: %s\n", strerror(errno));
- goto fail;
-diff --git a/source3/torture/test_idmap_tdb_common.c b/source3/torture/test_idmap_tdb_common.c
-index 6f5f3c5..f7262a2 100644
---- a/source3/torture/test_idmap_tdb_common.c
-+++ b/source3/torture/test_idmap_tdb_common.c
-@@ -86,7 +86,7 @@ static bool open_db(struct idmap_tdb_common_context *ctx)
-
- ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT,
- O_RDWR | O_CREAT, 0600,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
-
- if(!ctx->db) {
- DEBUG(0, ("Failed to open database: %s\n", strerror(errno)));
-diff --git a/source3/torture/torture.c b/source3/torture/torture.c
-index 2e66912..1dc3eaf 100644
---- a/source3/torture/torture.c
-+++ b/source3/torture/torture.c
-@@ -9011,7 +9011,8 @@ static bool run_local_dbtrans(int dummy)
- TDB_DATA value;
-
- db = db_open(talloc_tos(), "transtest.tdb", 0, TDB_DEFAULT,
-- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1);
-+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1,
-+ DBWRAP_FLAG_NONE);
- if (db == NULL) {
- printf("Could not open transtest.db\n");
- return false;
-diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
-index ffca6b6..b56e07a 100644
---- a/source3/utils/dbwrap_tool.c
-+++ b/source3/utils/dbwrap_tool.c
-@@ -588,7 +588,7 @@ int main(int argc, const char **argv)
- case OP_LISTKEYS:
- case OP_EXISTS:
- db = db_open(mem_ctx, dbname, 0, tdb_flags, O_RDWR | O_CREAT,
-- 0644, DBWRAP_LOCK_ORDER_1);
-+ 0644, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (db == NULL) {
- d_fprintf(stderr, "ERROR: could not open dbname\n");
- goto done;
-diff --git a/source3/utils/dbwrap_torture.c b/source3/utils/dbwrap_torture.c
-index 2741820..f748ac2 100644
---- a/source3/utils/dbwrap_torture.c
-+++ b/source3/utils/dbwrap_torture.c
-@@ -309,7 +309,7 @@ int main(int argc, const char *argv[])
- }
-
- db = db_open(mem_ctx, db_name, 0, tdb_flags, O_RDWR | O_CREAT, 0644,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
-
- if (db == NULL) {
- d_fprintf(stderr, "failed to open db '%s': %s\n", db_name,
-diff --git a/source3/utils/net_idmap.c b/source3/utils/net_idmap.c
-index fbeca3e..6fc07e7 100644
---- a/source3/utils/net_idmap.c
-+++ b/source3/utils/net_idmap.c
-@@ -210,7 +210,7 @@ static int net_idmap_dump(struct net_context *c, int argc, const char **argv)
- d_fprintf(stderr, _("dumping id mapping from %s\n"), dbfile);
-
- db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDONLY, 0,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (db == NULL) {
- d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
- dbfile, strerror(errno));
-@@ -336,7 +336,7 @@ static int net_idmap_restore(struct net_context *c, int argc, const char **argv)
- }
-
- db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (db == NULL) {
- d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
- dbfile, strerror(errno));
-@@ -546,7 +546,7 @@ static int net_idmap_delete(struct net_context *c, int argc, const char **argv)
- d_fprintf(stderr, _("deleting id mapping from %s\n"), dbfile);
-
- db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR, 0,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (db == NULL) {
- d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
- dbfile, strerror(errno));
-diff --git a/source3/utils/net_idmap_check.c b/source3/utils/net_idmap_check.c
-index e75c890..4b82871 100644
---- a/source3/utils/net_idmap_check.c
-+++ b/source3/utils/net_idmap_check.c
-@@ -790,7 +790,7 @@ static bool check_open_db(struct check_ctx* ctx, const char* name, int oflags)
- }
-
- ctx->db = db_open(ctx, name, 0, TDB_DEFAULT, oflags, 0,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (ctx->db == NULL) {
- d_fprintf(stderr,
- _("Could not open idmap db (%s) for writing: %s\n"),
-diff --git a/source3/utils/net_registry_check.c b/source3/utils/net_registry_check.c
-index 8cdb8fa..d57c2aa 100644
---- a/source3/utils/net_registry_check.c
-+++ b/source3/utils/net_registry_check.c
-@@ -338,7 +338,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
- }
-
- ctx->odb = db_open(ctx, ctx->opt.output, 0, TDB_DEFAULT, oflags, 0644,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (ctx->odb == NULL) {
- d_fprintf(stderr,
- _("Could not open db (%s) for writing: %s\n"),
-@@ -351,7 +351,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
-
- static bool check_ctx_open_input(struct check_ctx *ctx) {
- ctx->idb = db_open(ctx, ctx->fname, 0, TDB_DEFAULT, O_RDONLY, 0,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (ctx->idb == NULL) {
- d_fprintf(stderr,
- _("Could not open db (%s) for reading: %s\n"),
-diff --git a/source3/utils/status.c b/source3/utils/status.c
-index be7c52f..1ff0e36 100644
---- a/source3/utils/status.c
-+++ b/source3/utils/status.c
-@@ -508,7 +508,7 @@ static void print_notify_recs(const char *path,
- struct db_context *db;
- db = db_open(NULL, lock_path("locking.tdb"), 0,
- TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH, O_RDONLY, 0,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
-
- if (!db) {
- d_printf("%s not initialised\n",
-diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
-index 57d952e..0bd2938 100644
---- a/source3/winbindd/idmap_autorid.c
-+++ b/source3/winbindd/idmap_autorid.c
-@@ -728,7 +728,7 @@ static NTSTATUS idmap_autorid_db_init(void)
- /* Open idmap repository */
- autorid_db = db_open(NULL, state_path("autorid.tdb"), 0,
- TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
-
- if (!autorid_db) {
- DEBUG(0, ("Unable to open idmap_autorid database '%s'\n",
-diff --git a/source3/winbindd/idmap_tdb.c b/source3/winbindd/idmap_tdb.c
-index cc930ff..ebff347 100644
---- a/source3/winbindd/idmap_tdb.c
-+++ b/source3/winbindd/idmap_tdb.c
-@@ -321,7 +321,7 @@ static NTSTATUS idmap_tdb_open_db(struct idmap_domain *dom)
-
- /* Open idmap repository */
- db = db_open(mem_ctx, tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (!db) {
- DEBUG(0, ("Unable to open idmap database\n"));
- ret = NT_STATUS_UNSUCCESSFUL;
-diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
-index 4a9c2fe..942490d 100644
---- a/source3/winbindd/idmap_tdb2.c
-+++ b/source3/winbindd/idmap_tdb2.c
-@@ -114,7 +114,7 @@ static NTSTATUS idmap_tdb2_open_db(struct idmap_domain *dom)
-
- /* Open idmap repository */
- ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
-- DBWRAP_LOCK_ORDER_1);
-+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- TALLOC_FREE(db_path);
-
- if (ctx->db == NULL) {
---
-1.9.3
-
-
-From b904731a81df57b3d33fe0c35663bc47d061d744 Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Tue, 28 Jan 2014 12:53:24 +0100
-Subject: [PATCH 236/249] dbwrap: add a dbwrap_flags argument to db_open_ctdb()
-
-This is in preparation of directly supporting ctdb read only
-record copies when opening a ctdb database from samba.
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 6def1c3f6e145abcc81ea69505133bbe128eacac)
----
- source3/lib/dbwrap/dbwrap_ctdb.c | 6 ++++--
- source3/lib/dbwrap/dbwrap_ctdb.h | 3 ++-
- source3/lib/dbwrap/dbwrap_open.c | 2 +-
- source3/torture/test_dbwrap_ctdb.c | 2 +-
- 4 files changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
-index 5a473f9..af7a72f 100644
---- a/source3/lib/dbwrap/dbwrap_ctdb.c
-+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
-@@ -1498,7 +1498,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
- const char *name,
- int hash_size, int tdb_flags,
- int open_flags, mode_t mode,
-- enum dbwrap_lock_order lock_order)
-+ enum dbwrap_lock_order lock_order,
-+ uint64_t dbwrap_flags)
- {
- struct db_context *result;
- struct db_ctdb_ctx *db_ctdb;
-@@ -1624,7 +1625,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
- const char *name,
- int hash_size, int tdb_flags,
- int open_flags, mode_t mode,
-- enum dbwrap_lock_order lock_order)
-+ enum dbwrap_lock_order lock_order,
-+ uint64_t dbwrap_flags)
- {
- DEBUG(3, ("db_open_ctdb: no cluster support!\n"));
- errno = ENOSYS;
-diff --git a/source3/lib/dbwrap/dbwrap_ctdb.h b/source3/lib/dbwrap/dbwrap_ctdb.h
-index bfbe3bd..3196b91 100644
---- a/source3/lib/dbwrap/dbwrap_ctdb.h
-+++ b/source3/lib/dbwrap/dbwrap_ctdb.h
-@@ -31,6 +31,7 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
- const char *name,
- int hash_size, int tdb_flags,
- int open_flags, mode_t mode,
-- enum dbwrap_lock_order lock_order);
-+ enum dbwrap_lock_order lock_order,
-+ uint64_t dbwrap_flags);
-
- #endif /* __DBWRAP_CTDB_H__ */
-diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
-index 6c9280c..61324f7 100644
---- a/source3/lib/dbwrap/dbwrap_open.c
-+++ b/source3/lib/dbwrap/dbwrap_open.c
-@@ -104,7 +104,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
- if (lp_parm_bool(-1, "ctdb", partname, True)) {
- result = db_open_ctdb(mem_ctx, partname, hash_size,
- tdb_flags, open_flags, mode,
-- lock_order);
-+ lock_order, dbwrap_flags);
- if (result == NULL) {
- DEBUG(0,("failed to attach to ctdb %s\n",
- partname));
-diff --git a/source3/torture/test_dbwrap_ctdb.c b/source3/torture/test_dbwrap_ctdb.c
-index f7672ba..d7380b1 100644
---- a/source3/torture/test_dbwrap_ctdb.c
-+++ b/source3/torture/test_dbwrap_ctdb.c
-@@ -32,7 +32,7 @@ bool run_local_dbwrap_ctdb(int dummy)
- uint32_t val;
-
- db = db_open_ctdb(talloc_tos(), "torture.tdb", 0, TDB_DEFAULT,
-- O_RDWR, 0755, DBWRAP_LOCK_ORDER_1);
-+ O_RDWR, 0755, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
- if (db == NULL) {
- perror("db_open_ctdb failed");
- goto fail;
---
-1.9.3
-
-
-From 4f2d14112981d03000b533458e2e60a032d052de Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Tue, 28 Jan 2014 11:31:44 +0100
-Subject: [PATCH 237/249] dbwrap: add DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 56bd4040889dfe492ff820497b7a6d76624a6048)
----
- lib/dbwrap/dbwrap.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
-index 4064ba2..02b4405 100644
---- a/lib/dbwrap/dbwrap.h
-+++ b/lib/dbwrap/dbwrap.h
-@@ -33,6 +33,7 @@ enum dbwrap_lock_order {
- #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
-
- #define DBWRAP_FLAG_NONE 0x0000000000000000ULL
-+#define DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS 0x0000000000000001ULL
-
- /* The following definitions come from lib/dbwrap.c */
-
---
-1.9.3
-
-
-From a007f8f7f627c4347f48bd2446637aab137e0608 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 28 Jan 2014 21:24:22 +0100
-Subject: [PATCH 238/249] dbwrap_ctdb: implement
- DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
-
-For non-persistent databases we try to use CTDB_CONTROL_SET_DB_READONLY
-in order to make use of readonly records.
-
-Pair-Programmed-With: Michael Adam <obnox@samba.org>
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Michael Adam <obnox@samba.org>
-(cherry picked from commit a97b588b63f437d25c4344c76014326dbf0cbdb0)
----
- source3/lib/dbwrap/dbwrap_ctdb.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
-index af7a72f..3dc86d1 100644
---- a/source3/lib/dbwrap/dbwrap_ctdb.c
-+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
-@@ -1578,6 +1578,27 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
- return NULL;
- }
-
-+#ifdef HAVE_CTDB_WANT_READONLY_DECL
-+ if (!result->persistent &&
-+ (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS))
-+ {
-+ TDB_DATA indata;
-+
-+ indata = make_tdb_data((uint8_t *)&db_ctdb->db_id,
-+ sizeof(db_ctdb->db_id));
-+
-+ status = ctdbd_control_local(
-+ conn, CTDB_CONTROL_SET_DB_READONLY, 0, 0, indata,
-+ NULL, NULL, &cstatus);
-+ if (!NT_STATUS_IS_OK(status) || (cstatus != 0)) {
-+ DEBUG(1, ("CTDB_CONTROL_SET_DB_READONLY failed: "
-+ "%s, %d\n", nt_errstr(status), cstatus));
-+ TALLOC_FREE(result);
-+ return NULL;
-+ }
-+ }
-+#endif
-+
- lp_ctx = loadparm_init_s3(db_path, loadparm_s3_helpers());
-
- db_ctdb->wtdb = tdb_wrap_open(db_ctdb, db_path, hash_size, tdb_flags,
---
-1.9.3
-
-
-From d1ea222d46a594d45422eacccbd655d7e488792a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 28 Jan 2014 21:31:17 +0100
-Subject: [PATCH 239/249] dbwrap_open: add 'dbwrap_optimize_readonly:* = yes'
- option
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
-(cherry picked from commit a20c977c7a58a0c09d01bfa046c00fcd3f1462de)
----
- source3/lib/dbwrap/dbwrap_open.c | 25 +++++++++++++++++++++++++
- 1 file changed, 25 insertions(+)
-
-diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
-index 61324f7..7f3cddf 100644
---- a/source3/lib/dbwrap/dbwrap_open.c
-+++ b/source3/lib/dbwrap/dbwrap_open.c
-@@ -81,6 +81,31 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
- return NULL;
- }
-
-+ if (tdb_flags & TDB_CLEAR_IF_FIRST) {
-+ const char *base;
-+ bool try_readonly = false;
-+
-+ base = strrchr_m(name, '/');
-+ if (base != NULL) {
-+ base += 1;
-+ } else {
-+ base = name;
-+ }
-+
-+ if (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS) {
-+ try_readonly = true;
-+ }
-+
-+ try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", "*", try_readonly);
-+ try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", base, try_readonly);
-+
-+ if (try_readonly) {
-+ dbwrap_flags |= DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
-+ } else {
-+ dbwrap_flags &= ~DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
-+ }
-+ }
-+
- #ifdef CLUSTER_SUPPORT
- sockname = lp_ctdbd_socket();
-
---
-1.9.3
-
-
-From ce06399f9fab90623a2166d69f1bbfc46f124d73 Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Mon, 27 Jan 2014 16:21:14 +0100
-Subject: [PATCH 240/249] s3:rpc_client: optimize the netlogon_creds_cli.tdb
- for read-only access
-
-Usually a record in this DB will be written once and then read
-many times by winbindd processes on multiple nodes (when run in
-a cluster). In order not to introduce a big performance penalty
-with the increased correctness achieved by storing the netlogon
-creds, in a cluster setup, we should activate ctdb's read only
-record copies on this db.
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 020fab300d2f4f19301eff19ad810c71f77bbb78)
----
- source3/rpc_client/cli_netlogon.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index 9e3c1bd..746c7b6 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -70,7 +70,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
- global_db = db_open(talloc_autofree_context(), fname,
- 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
-- DBWRAP_FLAG_NONE);
-+ DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS);
- if (global_db == NULL) {
- TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
---
-1.9.3
-
-
-From e39b8c0e22e609db117285d47cdbd1d854fe8d02 Mon Sep 17 00:00:00 2001
-From: Ira Cooper <ira@samba.org>
-Date: Thu, 13 Feb 2014 14:45:23 -0500
-Subject: [PATCH 241/249] libcli: Overflow array index read possible, in auth
- code.
-
-Changed the if condtion to detect when we'd improperly overflow.
-
-Coverity-Id: 1167990
-Signed-off-by: Ira Cooper <ira@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Ira Cooper <ira@samba.org>
-Autobuild-Date(master): Mon Feb 24 11:56:38 CET 2014 on sn-devel-104
-
-(cherry picked from commit 8cd8aa6686c21e8c43a6d14c0ae1a21954d6e8cd)
----
- libcli/auth/netlogon_creds_cli.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
-index 88893ad..e3cf91c 100644
---- a/libcli/auth/netlogon_creds_cli.c
-+++ b/libcli/auth/netlogon_creds_cli.c
-@@ -1769,7 +1769,7 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
- uint32_t ofs = 512 - len;
- uint8_t *p;
-
-- if (ofs < 12) {
-+ if (len > 500) {
- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
- return tevent_req_post(req, ev);
- }
---
-1.9.3
-
-
-From 4e15aa86c44e906ca30cfa4589e4f45f23625953 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 15 Jul 2014 08:28:42 +0200
-Subject: [PATCH 242/249] s3-rpc_client: return info3 in
- rpccli_netlogon_password_logon().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/rpc_client/cli_netlogon.c | 103 +++++++++++++++++++++-----------------
- source3/rpc_client/cli_netlogon.h | 4 +-
- source3/rpcclient/cmd_netlogon.c | 5 +-
- 3 files changed, 64 insertions(+), 48 deletions(-)
-
-diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
-index 746c7b6..7063351 100644
---- a/source3/rpc_client/cli_netlogon.c
-+++ b/source3/rpc_client/cli_netlogon.c
-@@ -193,16 +193,65 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
- return NT_STATUS_OK;
- }
-
-+static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
-+ uint16_t validation_level,
-+ union netr_Validation *validation,
-+ struct netr_SamInfo3 **info3_p)
-+{
-+ struct netr_SamInfo3 *info3;
-+ NTSTATUS status;
-+
-+ if (validation == NULL) {
-+ return NT_STATUS_INVALID_PARAMETER;
-+ }
-+
-+ switch (validation_level) {
-+ case 3:
-+ if (validation->sam3 == NULL) {
-+ return NT_STATUS_INVALID_PARAMETER;
-+ }
-+
-+ info3 = talloc_move(mem_ctx, &validation->sam3);
-+ break;
-+ case 6:
-+ if (validation->sam6 == NULL) {
-+ return NT_STATUS_INVALID_PARAMETER;
-+ }
-+
-+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
-+ if (info3 == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(info3);
-+ return status;
-+ }
-+
-+ info3->sidcount = validation->sam6->sidcount;
-+ info3->sids = talloc_move(info3, &validation->sam6->sids);
-+ break;
-+ default:
-+ return NT_STATUS_BAD_VALIDATION_CLASS;
-+ }
-+
-+ *info3_p = info3;
-+
-+ return NT_STATUS_OK;
-+}
-+
- /* Logon domain user */
-
- NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
- struct dcerpc_binding_handle *binding_handle,
-+ TALLOC_CTX *mem_ctx,
- uint32_t logon_parameters,
- const char *domain,
- const char *username,
- const char *password,
- const char *workstation,
-- enum netr_LogonInfoClass logon_type)
-+ enum netr_LogonInfoClass logon_type,
-+ struct netr_SamInfo3 **info3)
- {
- TALLOC_CTX *frame = talloc_stackframe();
- NTSTATUS status;
-@@ -320,57 +369,19 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
- &validation,
- &authoritative,
- &flags);
-- TALLOC_FREE(frame);
- if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
- return status;
- }
-
-- return NT_STATUS_OK;
--}
--
--static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
-- uint16_t validation_level,
-- union netr_Validation *validation,
-- struct netr_SamInfo3 **info3_p)
--{
-- struct netr_SamInfo3 *info3;
-- NTSTATUS status;
--
-- if (validation == NULL) {
-- return NT_STATUS_INVALID_PARAMETER;
-- }
--
-- switch (validation_level) {
-- case 3:
-- if (validation->sam3 == NULL) {
-- return NT_STATUS_INVALID_PARAMETER;
-- }
--
-- info3 = talloc_move(mem_ctx, &validation->sam3);
-- break;
-- case 6:
-- if (validation->sam6 == NULL) {
-- return NT_STATUS_INVALID_PARAMETER;
-- }
--
-- info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
-- if (info3 == NULL) {
-- return NT_STATUS_NO_MEMORY;
-- }
-- status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
-- if (!NT_STATUS_IS_OK(status)) {
-- TALLOC_FREE(info3);
-- return status;
-- }
--
-- info3->sidcount = validation->sam6->sidcount;
-- info3->sids = talloc_move(info3, &validation->sam6->sids);
-- break;
-- default:
-- return NT_STATUS_BAD_VALIDATION_CLASS;
-+ status = map_validation_to_info3(mem_ctx,
-+ validation_level, validation,
-+ info3);
-+ TALLOC_FREE(frame);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
- }
-
-- *info3_p = info3;
-
- return NT_STATUS_OK;
- }
-diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
-index 61fed4a..fee0801 100644
---- a/source3/rpc_client/cli_netlogon.h
-+++ b/source3/rpc_client/cli_netlogon.h
-@@ -45,12 +45,14 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
- const struct samr_Password *previous_nt_hash);
- NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
- struct dcerpc_binding_handle *binding_handle,
-+ TALLOC_CTX *mem_ctx,
- uint32_t logon_parameters,
- const char *domain,
- const char *username,
- const char *password,
- const char *workstation,
-- enum netr_LogonInfoClass logon_type);
-+ enum netr_LogonInfoClass logon_type,
-+ struct netr_SamInfo3 **info3);
- NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
- struct dcerpc_binding_handle *binding_handle,
- TALLOC_CTX *mem_ctx,
-diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
-index b637b3e..2d1c351 100644
---- a/source3/rpcclient/cmd_netlogon.c
-+++ b/source3/rpcclient/cmd_netlogon.c
-@@ -778,6 +778,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
- const char *username, *password;
- uint32 logon_param = 0;
- const char *workstation = NULL;
-+ struct netr_SamInfo3 *info3 = NULL;
-
- /* Check arguments */
-
-@@ -803,12 +804,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
-
- result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
- cli->binding_handle,
-+ mem_ctx,
- logon_param,
- lp_workgroup(),
- username,
- password,
- workstation,
-- logon_type);
-+ logon_type,
-+ &info3);
- if (!NT_STATUS_IS_OK(result))
- goto done;
-
---
-1.9.3
-
-
-From 3459fada96951a57a787944aedc01caabe873c9d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 15 Jul 2014 08:29:55 +0200
-Subject: [PATCH 243/249] s3-winbindd: call interactive samlogon via
- rpccli_netlogon_password_logon.
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Conflicts:
- source3/winbindd/winbindd_pam.c
----
- source3/winbindd/winbindd_pam.c | 45 +++++++++++++++++++++++++++++------------
- 1 file changed, 32 insertions(+), 13 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index 3f3ec70..2a1b74a 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -1214,11 +1214,13 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
- uint32_t logon_parameters,
- const char *server,
- const char *username,
-+ const char *password,
- const char *domainname,
- const char *workstation,
- const uint8_t chal[8],
- DATA_BLOB lm_response,
- DATA_BLOB nt_response,
-+ bool interactive,
- struct netr_SamInfo3 **info3)
- {
- int attempts = 0;
-@@ -1278,19 +1280,32 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
- }
- netr_attempts = 0;
-
-- result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
-- netlogon_pipe->binding_handle,
-- mem_ctx,
-- logon_parameters,
-- username,
-- domainname,
-- workstation,
-- chal,
-- lm_response,
-- nt_response,
-- &authoritative,
-- &flags,
-- info3);
-+ if (interactive && username != NULL && password != NULL) {
-+ result = rpccli_netlogon_password_logon(domain->conn.netlogon_creds,
-+ netlogon_pipe->binding_handle,
-+ mem_ctx,
-+ logon_parameters,
-+ domainname,
-+ username,
-+ password,
-+ workstation,
-+ NetlogonInteractiveInformation,
-+ info3);
-+ } else {
-+ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
-+ netlogon_pipe->binding_handle,
-+ mem_ctx,
-+ logon_parameters,
-+ username,
-+ domainname,
-+ workstation,
-+ chal,
-+ lm_response,
-+ nt_response,
-+ &authoritative,
-+ &flags,
-+ info3);
-+ }
-
- /*
- * we increment this after the "feature negotiation"
-@@ -1433,11 +1448,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
- 0,
- domain->dcname,
- name_user,
-+ pass,
- name_domain,
- lp_netbios_name(),
- chal,
- lm_resp,
- nt_resp,
-+ true, /* interactive */
- &my_info3);
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
-@@ -1856,12 +1873,14 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
- state->request->data.auth_crap.logon_parameters,
- domain->dcname,
- name_user,
-+ NULL, /* password */
- name_domain,
- /* Bug #3248 - found by Stefan Burkei. */
- workstation, /* We carefully set this above so use it... */
- state->request->data.auth_crap.chal,
- lm_resp,
- nt_resp,
-+ false, /* interactive */
- &info3);
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
---
-1.9.3
-
-
-From ad27b750ea3766581e528a41c132bb57927cc64c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 7 Jul 2014 17:14:37 +0200
-Subject: [PATCH 244/249] s3-winbindd: add wcache_query_user_fullname().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This helper function is used to query the full name of a cached user object (for
-further gecos processing).
-
-Thanks to Matt Rogers <mrogers@redhat.com>.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
-
-Guenther
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/winbindd/winbindd_cache.c | 34 ++++++++++++++++++++++++++++++++++
- source3/winbindd/winbindd_proto.h | 4 ++++
- 2 files changed, 38 insertions(+)
-
-diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
-index 59ce515..d1e10e6c 100644
---- a/source3/winbindd/winbindd_cache.c
-+++ b/source3/winbindd/winbindd_cache.c
-@@ -2309,6 +2309,40 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
- return status;
- }
-
-+
-+/**
-+* @brief Query a fullname from the username cache (for further gecos processing)
-+*
-+* @param domain A pointer to the winbindd_domain struct.
-+* @param mem_ctx The talloc context.
-+* @param user_sid The user sid.
-+* @param full_name A pointer to the full_name string.
-+*
-+* @return NTSTATUS code
-+*/
-+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
-+ TALLOC_CTX *mem_ctx,
-+ const struct dom_sid *user_sid,
-+ const char **full_name)
-+{
-+ NTSTATUS status;
-+ struct wbint_userinfo info;
-+
-+ status = wcache_query_user(domain, mem_ctx, user_sid, &info);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ if (info.full_name != NULL) {
-+ *full_name = talloc_strdup(mem_ctx, info.full_name);
-+ if (*full_name == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ }
-+
-+ return NT_STATUS_OK;
-+}
-+
- /* Lookup user information from a rid */
- static NTSTATUS query_user(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
-diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
-index cfc19d0..cfb7812 100644
---- a/source3/winbindd/winbindd_proto.h
-+++ b/source3/winbindd/winbindd_proto.h
-@@ -105,6 +105,10 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- const struct dom_sid *user_sid,
- struct wbint_userinfo *info);
-+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
-+ TALLOC_CTX *mem_ctx,
-+ const struct dom_sid *user_sid,
-+ const char **full_name);
- NTSTATUS wcache_lookup_useraliases(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- uint32 num_sids, const struct dom_sid *sids,
---
-1.9.3
-
-
-From e89ca0b90887930a2f86dcaa4f6d3d05565f919c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 7 Jul 2014 17:16:32 +0200
-Subject: [PATCH 245/249] s3-winbindd: use wcache_query_user_fullname after
- inspecting samlogon cache.
-
-The reason for this followup query is that very often the samlogon cache only
-contains a info3 netlogon user structure that has been retrieved during a
-netlogon samlogon authentication using "network" logon level. With that logon
-level only a few info3 fields are filled in; the user's fullname is never filled
-in that case. This is problematic when the cache is used to fill in the user's
-gecos field (for NSS queries). When we have retrieved the user's fullname during
-other queries, reuse it from the other caches.
-
-Thanks to Matt Rogers <mrogers@redhat.com>.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
-
-Guenther
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/winbindd/winbindd_ads.c | 8 ++++++++
- source3/winbindd/winbindd_msrpc.c | 8 ++++++++
- source3/winbindd/winbindd_pam.c | 20 ++++++++++++++++++++
- 3 files changed, 36 insertions(+)
-
-diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
-index 4c26389..a20fba5 100644
---- a/source3/winbindd/winbindd_ads.c
-+++ b/source3/winbindd/winbindd_ads.c
-@@ -619,6 +619,14 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
-
- TALLOC_FREE(user);
-
-+ if (info->full_name == NULL) {
-+ /* this might fail so we dont check the return code */
-+ wcache_query_user_fullname(domain,
-+ mem_ctx,
-+ sid,
-+ &info->full_name);
-+ }
-+
- return NT_STATUS_OK;
- }
-
-diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
-index 426d64c..c097bf3 100644
---- a/source3/winbindd/winbindd_msrpc.c
-+++ b/source3/winbindd/winbindd_msrpc.c
-@@ -439,6 +439,14 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
- user_info->full_name = talloc_strdup(user_info,
- user->base.full_name.string);
-
-+ if (user_info->full_name == NULL) {
-+ /* this might fail so we dont check the return code */
-+ wcache_query_user_fullname(domain,
-+ mem_ctx,
-+ user_sid,
-+ &user_info->full_name);
-+ }
-+
- status = NT_STATUS_OK;
- goto done;
- }
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index 2a1b74a..bf71d97 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -1720,6 +1720,26 @@ process_result:
- sid_compose(&user_sid, info3->base.domain_sid,
- info3->base.rid);
-
-+ if (info3->base.full_name.string == NULL) {
-+ struct netr_SamInfo3 *cached_info3;
-+
-+ cached_info3 = netsamlogon_cache_get(state->mem_ctx,
-+ &user_sid);
-+ if (cached_info3 != NULL &&
-+ cached_info3->base.full_name.string != NULL) {
-+ info3->base.full_name.string =
-+ talloc_strdup(info3,
-+ cached_info3->base.full_name.string);
-+ } else {
-+
-+ /* this might fail so we dont check the return code */
-+ wcache_query_user_fullname(domain,
-+ info3,
-+ &user_sid,
-+ &info3->base.full_name.string);
-+ }
-+ }
-+
- wcache_invalidate_samlogon(find_domain_from_name(name_domain),
- &user_sid);
- netsamlogon_cache_store(name_user, info3);
---
-1.9.3
-
-
-From aa042d490b2cccb7b6cc394e024004321a6c156c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 9 Jul 2014 13:36:06 +0200
-Subject: [PATCH 246/249] samlogon_cache: use a talloc_stackframe inside
- netsamlogon_cache_store.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/libsmb/samlogon_cache.c | 13 ++++---------
- 1 file changed, 4 insertions(+), 9 deletions(-)
-
-diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
-index b04cf0a..f7457ae 100644
---- a/source3/libsmb/samlogon_cache.c
-+++ b/source3/libsmb/samlogon_cache.c
-@@ -125,7 +125,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
- bool result = false;
- struct dom_sid user_sid;
- time_t t = time(NULL);
-- TALLOC_CTX *mem_ctx;
-+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
- DATA_BLOB blob;
- enum ndr_err_code ndr_err;
- struct netsamlogoncache_entry r;
-@@ -149,11 +149,6 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
-
- /* Prepare data */
-
-- if (!(mem_ctx = talloc( NULL, int))) {
-- DEBUG(0,("netsamlogon_cache_store: talloc() failed!\n"));
-- return false;
-- }
--
- /* only Samba fills in the username, not sure why NT doesn't */
- /* so we fill it in since winbindd_getpwnam() makes use of it */
-
-@@ -168,11 +163,11 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
- NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
- }
-
-- ndr_err = ndr_push_struct_blob(&blob, mem_ctx, &r,
-+ ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r,
- (ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- DEBUG(0,("netsamlogon_cache_store: failed to push entry to cache\n"));
-- TALLOC_FREE(mem_ctx);
-+ TALLOC_FREE(tmp_ctx);
- return false;
- }
-
-@@ -183,7 +178,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
- result = true;
- }
-
-- TALLOC_FREE(mem_ctx);
-+ TALLOC_FREE(tmp_ctx);
-
- return result;
- }
---
-1.9.3
-
-
-From 8283d1acec0c0afd17197339a4986975d05abf29 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 3 Jul 2014 16:17:46 +0200
-Subject: [PATCH 247/249] samlogon_cache: avoid overwriting
- info3->base.full_name.string.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This field servers as a source for the gecos field. We should not overwrite it
-when a info3 struct from a samlogon network level gets saved in which case this
-field is always NULL.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Tue Jul 15 18:25:28 CEST 2014 on sn-devel-104
----
- source3/libsmb/samlogon_cache.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
-index f7457ae..0a157d4 100644
---- a/source3/libsmb/samlogon_cache.c
-+++ b/source3/libsmb/samlogon_cache.c
-@@ -149,6 +149,20 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
-
- /* Prepare data */
-
-+ if (info3->base.full_name.string == NULL) {
-+ struct netr_SamInfo3 *cached_info3;
-+ const char *full_name = NULL;
-+
-+ cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid);
-+ if (cached_info3 != NULL) {
-+ full_name = cached_info3->base.full_name.string;
-+ }
-+
-+ if (full_name != NULL) {
-+ info3->base.full_name.string = talloc_strdup(info3, full_name);
-+ }
-+ }
-+
- /* only Samba fills in the username, not sure why NT doesn't */
- /* so we fill it in since winbindd_getpwnam() makes use of it */
-
---
-1.9.3
-
-
-From fe9d7458001a952d1df23dcd584a1835df5d43d1 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 3 Jul 2014 16:19:42 +0200
-Subject: [PATCH 248/249] s3-winbind: Don't set the gecos field to NULL.
-
-The value is loaded from the cache anyway. So it will be set to NULL if
-it is not available.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
----
- source3/winbindd/nss_info_template.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/source3/winbindd/nss_info_template.c b/source3/winbindd/nss_info_template.c
-index 5fdfd9b..de93803 100644
---- a/source3/winbindd/nss_info_template.c
-+++ b/source3/winbindd/nss_info_template.c
-@@ -48,7 +48,6 @@ static NTSTATUS nss_template_get_info( struct nss_domain_entry *e,
- username */
- *homedir = talloc_strdup( ctx, lp_template_homedir() );
- *shell = talloc_strdup( ctx, lp_template_shell() );
-- *gecos = NULL;
-
- if ( !*homedir || !*shell ) {
- return NT_STATUS_NO_MEMORY;
---
-1.9.3
-
-
-From d2f3347a264bb7b8b0335404348990f52320b672 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 14 Jul 2014 18:22:26 +0200
-Subject: [PATCH 249/249] s3-winbindd: prefer "displayName" over "name" in ads
- user queries for the fullname.
-
-This makes use more consistent with security=domain as well where the gecos
-field is also filled using the displayName field.
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/winbindd/winbindd_ads.c | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
-index a20fba5..4b5b2fa 100644
---- a/source3/winbindd/winbindd_ads.c
-+++ b/source3/winbindd/winbindd_ads.c
-@@ -327,7 +327,10 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
- }
-
- info->acct_name = ads_pull_username(ads, mem_ctx, msg);
-- info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
-+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
-+ if (info->full_name == NULL) {
-+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
-+ }
- info->homedir = NULL;
- info->shell = NULL;
- info->primary_gid = (gid_t)-1;
-@@ -592,7 +595,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
- struct netr_SamInfo3 *user = NULL;
- gid_t gid = -1;
- int ret;
-- char *ads_name;
-+ char *full_name;
-
- DEBUG(3,("ads: query_user\n"));
-
-@@ -704,7 +707,10 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
- * nss_get_info_cached call. nss_get_info_cached might destroy
- * the ads struct, potentially invalidating the ldap message.
- */
-- ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
-+ full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
-+ if (full_name == NULL) {
-+ full_name = ads_pull_string(ads, mem_ctx, msg, "name");
-+ }
-
- ads_msgfree(ads, msg);
- msg = NULL;
-@@ -720,9 +726,9 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
- }
-
- if (info->full_name == NULL) {
-- info->full_name = ads_name;
-+ info->full_name = full_name;
- } else {
-- TALLOC_FREE(ads_name);
-+ TALLOC_FREE(full_name);
- }
-
- status = NT_STATUS_OK;
---
-1.9.3
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
deleted file mode 100644
index 7a7bdf5..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From f73c906237aa0c9d45900d69d31c9b39261f062a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 16 Sep 2014 18:02:30 +0200
-Subject: [PATCH 1/2] lib: Add daemon_status() to util library.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-(cherry picked from commit 9f5f5fa8ebf845c53b7a92557d7aec56ed820320)
----
- lib/util/become_daemon.c | 11 +++++++++++
- lib/util/samba_util.h | 6 ++++++
- 2 files changed, 17 insertions(+)
-
-diff --git a/lib/util/become_daemon.c b/lib/util/become_daemon.c
-index 35c8b32..688bedd 100644
---- a/lib/util/become_daemon.c
-+++ b/lib/util/become_daemon.c
-@@ -135,3 +135,14 @@ _PUBLIC_ void daemon_ready(const char *daemon)
- #endif
- DEBUG(0, ("STATUS=daemon '%s' finished starting up and ready to serve connections", daemon));
- }
-+
-+_PUBLIC_ void daemon_status(const char *name, const char *msg)
-+{
-+ if (name == NULL) {
-+ name = "Samba";
-+ }
-+#ifdef HAVE_SYSTEMD
-+ sd_notifyf(0, "\nSTATUS=%s: %s", name, msg);
-+#endif
-+ DEBUG(0, ("STATUS=daemon '%s' : %s", name, msg));
-+}
-diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
-index e3fe6a6..f4216d8 100644
---- a/lib/util/samba_util.h
-+++ b/lib/util/samba_util.h
-@@ -853,6 +853,12 @@ _PUBLIC_ void exit_daemon(const char *msg, int error);
- **/
- _PUBLIC_ void daemon_ready(const char *daemon);
-
-+/*
-+ * Report the daemon status. For example if it is not ready to serve connections
-+ * and is waiting for some event to happen.
-+ */
-+_PUBLIC_ void daemon_status(const char *name, const char *msg);
-+
- /**
- * @brief Get a password from the console.
- *
---
-2.1.0
-
-
-From 7fcd74039961fa0fb02934bc87ce41fd98234f1a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 16 Sep 2014 18:03:51 +0200
-Subject: [PATCH 2/2] nmbd: Send waiting status to systemd.
-
-This tells the Administrator what's going on and we should log that IPv6
-is not supported.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Wed Sep 17 13:16:43 CEST 2014 on sn-devel-104
-
-(cherry picked from commit 2df601bff0d949e66c79366b8248b9d950c0b430)
----
- source3/nmbd/nmbd_subnetdb.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/source3/nmbd/nmbd_subnetdb.c b/source3/nmbd/nmbd_subnetdb.c
-index 311a240..6c483af 100644
---- a/source3/nmbd/nmbd_subnetdb.c
-+++ b/source3/nmbd/nmbd_subnetdb.c
-@@ -247,8 +247,11 @@ bool create_subnets(void)
-
- /* Only count IPv4, non-loopback interfaces. */
- if (iface_count_v4_nl() == 0) {
-- DEBUG(0,("create_subnets: No local IPv4 non-loopback interfaces !\n"));
-- DEBUG(0,("create_subnets: Waiting for an interface to appear ...\n"));
-+ daemon_status("nmbd",
-+ "No local IPv4 non-loopback interfaces "
-+ "available, waiting for interface ...");
-+ DEBUG(0,("NOTE: NetBIOS name resolution is not supported for "
-+ "Internet Protocol Version 6 (IPv6).\n"));
- }
-
- /* We only count IPv4, non-loopback interfaces here. */
---
-2.1.0
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
deleted file mode 100644
index 3215f2c..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 23dfa2e35bec9c0f6c3d579e7dc2e1d0ce636aa2 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 19 Sep 2014 13:33:10 +0200
-Subject: [PATCH] nsswitch: Skip groups we were not able to map.
-
-If we have configured the idmap_ad backend it is possible that the user
-is in a group without a gid set. This will result in (uid_t)-1 as the
-gid. We return this invalid gid to NSS which is wrong.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10824
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: David Disseldorp <ddiss@samba.org>
-
-Autobuild-User(master): David Disseldorp <ddiss@samba.org>
-Autobuild-Date(master): Fri Sep 19 17:57:14 CEST 2014 on sn-devel-104
-
-(cherry picked from commit 7f59711f076e98ece099f6b38ff6da8c80fa6d5e)
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- nsswitch/winbind_nss_linux.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/nsswitch/winbind_nss_linux.c b/nsswitch/winbind_nss_linux.c
-index 8d66a74..70ede3e 100644
---- a/nsswitch/winbind_nss_linux.c
-+++ b/nsswitch/winbind_nss_linux.c
-@@ -1101,6 +1101,11 @@ _nss_winbind_initgroups_dyn(char *user, gid_t group, long int *start,
- continue;
- }
-
-+ /* Skip groups without a mapping */
-+ if (gid_list[i] == (uid_t)-1) {
-+ continue;
-+ }
-+
- /* Filled buffer ? If so, resize. */
-
- if (*start == *size) {
---
-2.1.0
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
deleted file mode 100644
index 394a640..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From dc6b86b93c8f059b0cc96c364ffad05c88b7d92e Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Fri, 22 Aug 2014 09:15:59 -0700
-Subject: [PATCH] s3-winbindd: Use correct realm for trusted domains in idmap child
-
-When authenticating users in a trusted domain, the idmap_ad module
-always connects to a local DC instead of one in the trusted domain.
-
-Fix this by passing the correct realm to connect to.
-
-Also Comment parameters passed to ads_cached_connection_connect
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit c203c722e7e22f9146f2ecf6f42452c0e82042e4)
----
- source3/winbindd/winbindd_ads.c | 11 +++++++++--
- 1 files changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
-index 4c26389..e47613e 100644
---- a/source3/winbindd/winbindd_ads.c
-+++ b/source3/winbindd/winbindd_ads.c
-@@ -187,8 +187,15 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
- }
- }
-
-- status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
-- password, realm, 0);
-+ status = ads_cached_connection_connect(
-+ adsp, /* Returns ads struct. */
-+ wb_dom->alt_name, /* realm to connect to. */
-+ dom_name, /* 'workgroup' name for ads_init */
-+ ldap_server, /* DNS name to connect to. */
-+ password, /* password for auth realm. */
-+ realm, /* realm used for krb5 ticket. */
-+ 0); /* renewable ticket time. */
-+
- SAFE_FREE(realm);
-
- return status;
---
-1.7.1
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
deleted file mode 100644
index a1b05b8..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 0aab8ae3c137e5900d22160555bcef57cd62ca21 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 17 Sep 2014 15:17:50 +0200
-Subject: [PATCH 2/2] libcli: Fix a segfault calling smbXcli_req_set_pending()
- on NULL.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10817
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Tue Sep 23 04:23:05 CEST 2014 on sn-devel-104
-
-(cherry picked from commit f92086f4a347dcc8fa948aa2614a2c12f1115e5a)
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- libcli/smb/smb1cli_echo.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/libcli/smb/smb1cli_echo.c b/libcli/smb/smb1cli_echo.c
-index 4fb7c60..10dff2d 100644
---- a/libcli/smb/smb1cli_echo.c
-+++ b/libcli/smb/smb1cli_echo.c
-@@ -96,7 +96,6 @@ static void smb1cli_echo_done(struct tevent_req *subreq)
- NULL, /* pbytes_offset */
- NULL, /* pinbuf */
- expected, ARRAY_SIZE(expected));
-- TALLOC_FREE(subreq);
- if (!NT_STATUS_IS_OK(status)) {
- tevent_req_nterror(req, status);
- return;
---
-2.1.0
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
deleted file mode 100644
index 35f4d8c..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-From 579901faf787d8d787c978324bdec87c349e3d9b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 23 Sep 2014 14:09:41 +0200
-Subject: [PATCH] s3-libads: Improve service principle guessing.
-
-If the name passed to the net command with the -S options is the long
-hostname of the domaincontroller and not the 15 char NetBIOS name we
-should construct a FQDN with the realm to get a Kerberos ticket.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10829
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 83c62bd3f5945bbe295cbfbd153736d4c709b3a6)
----
- source3/libads/sasl.c | 124 +++++++++++++++++++++++++++-----------------------
- 1 file changed, 66 insertions(+), 58 deletions(-)
-
-diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
-index 33f4e24..1450ff1 100644
---- a/source3/libads/sasl.c
-+++ b/source3/libads/sasl.c
-@@ -714,88 +714,96 @@ static void ads_free_service_principal(struct ads_service_principal *p)
- static ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
- char **returned_principal)
- {
-+ ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY);
- char *princ = NULL;
-+ TALLOC_CTX *frame;
-+ char *server = NULL;
-+ char *realm = NULL;
-+ int rc;
-
-- if (ads->server.realm && ads->server.ldap_server) {
-- char *server, *server_realm;
--
-- server = SMB_STRDUP(ads->server.ldap_server);
-- server_realm = SMB_STRDUP(ads->server.realm);
--
-- if (!server || !server_realm) {
-- SAFE_FREE(server);
-- SAFE_FREE(server_realm);
-- return ADS_ERROR(LDAP_NO_MEMORY);
-- }
-+ frame = talloc_stackframe();
-+ if (frame == NULL) {
-+ return ADS_ERROR(LDAP_NO_MEMORY);
-+ }
-
-- if (!strlower_m(server)) {
-- SAFE_FREE(server);
-- SAFE_FREE(server_realm);
-- return ADS_ERROR(LDAP_NO_MEMORY);
-+ if (ads->server.realm && ads->server.ldap_server) {
-+ server = strlower_talloc(frame, ads->server.ldap_server);
-+ if (server == NULL) {
-+ goto out;
- }
-
-- if (!strupper_m(server_realm)) {
-- SAFE_FREE(server);
-- SAFE_FREE(server_realm);
-- return ADS_ERROR(LDAP_NO_MEMORY);
-+ realm = strupper_talloc(frame, ads->server.realm);
-+ if (realm == NULL) {
-+ goto out;
- }
-
-- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
-- SAFE_FREE(server);
-- SAFE_FREE(server_realm);
-- return ADS_ERROR(LDAP_NO_MEMORY);
-- }
-+ /*
-+ * If we got a name which is bigger than a NetBIOS name,
-+ * but isn't a FQDN, create one.
-+ */
-+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
-+ char *dnsdomain;
-
-- SAFE_FREE(server);
-- SAFE_FREE(server_realm);
-+ dnsdomain = strlower_talloc(frame, ads->server.realm);
-+ if (dnsdomain == NULL) {
-+ goto out;
-+ }
-
-- if (!princ) {
-- return ADS_ERROR(LDAP_NO_MEMORY);
-+ server = talloc_asprintf(frame,
-+ "%s.%s",
-+ server, dnsdomain);
-+ if (server == NULL) {
-+ goto out;
-+ }
- }
- } else if (ads->config.realm && ads->config.ldap_server_name) {
-- char *server, *server_realm;
--
-- server = SMB_STRDUP(ads->config.ldap_server_name);
-- server_realm = SMB_STRDUP(ads->config.realm);
--
-- if (!server || !server_realm) {
-- SAFE_FREE(server);
-- SAFE_FREE(server_realm);
-- return ADS_ERROR(LDAP_NO_MEMORY);
-+ server = strlower_talloc(frame, ads->config.ldap_server_name);
-+ if (server == NULL) {
-+ goto out;
- }
-
-- if (!strlower_m(server)) {
-- SAFE_FREE(server);
-- SAFE_FREE(server_realm);
-- return ADS_ERROR(LDAP_NO_MEMORY);
-+ realm = strupper_talloc(frame, ads->config.realm);
-+ if (realm == NULL) {
-+ goto out;
- }
-
-- if (!strupper_m(server_realm)) {
-- SAFE_FREE(server);
-- SAFE_FREE(server_realm);
-- return ADS_ERROR(LDAP_NO_MEMORY);
-- }
-- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
-- SAFE_FREE(server);
-- SAFE_FREE(server_realm);
-- return ADS_ERROR(LDAP_NO_MEMORY);
-- }
-+ /*
-+ * If we got a name which is bigger than a NetBIOS name,
-+ * but isn't a FQDN, create one.
-+ */
-+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
-+ char *dnsdomain;
-
-- SAFE_FREE(server);
-- SAFE_FREE(server_realm);
-+ dnsdomain = strlower_talloc(frame, ads->server.realm);
-+ if (dnsdomain == NULL) {
-+ goto out;
-+ }
-
-- if (!princ) {
-- return ADS_ERROR(LDAP_NO_MEMORY);
-+ server = talloc_asprintf(frame,
-+ "%s.%s",
-+ server, dnsdomain);
-+ if (server == NULL) {
-+ goto out;
-+ }
- }
- }
-
-- if (!princ) {
-- return ADS_ERROR(LDAP_PARAM_ERROR);
-+ if (server == NULL || realm == NULL) {
-+ goto out;
-+ }
-+
-+ rc = asprintf(&princ, "ldap/%s@%s", server, realm);
-+ if (rc == -1 || princ == NULL) {
-+ status = ADS_ERROR(LDAP_PARAM_ERROR);
-+ goto out;
- }
-
- *returned_principal = princ;
-
-- return ADS_SUCCESS;
-+ status = ADS_SUCCESS;
-+out:
-+ TALLOC_FREE(frame);
-+ return status;
- }
-
- static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
---
-2.1.0
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
deleted file mode 100644
index 5d309f1..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
+++ /dev/null
@@ -1,329 +0,0 @@
-From 1925edc67e223d73d672af48c2ebd3e5865e01d9 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 24 Sep 2014 09:22:03 +0200
-Subject: [PATCH 1/4] s3-libads: Add a function to retrieve the SPNs of a
- computer account.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 4eaa4ccbdf279f1ff6d8218b36d92aeea0114cd8)
----
- source3/libads/ads_proto.h | 6 +++++
- source3/libads/ldap.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 66 insertions(+)
-
-diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
-index 17a84d1..6a22807 100644
---- a/source3/libads/ads_proto.h
-+++ b/source3/libads/ads_proto.h
-@@ -87,6 +87,12 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
- const char *name, const char **vals);
- uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
- uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
-+
-+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
-+ ADS_STRUCT *ads,
-+ const char *machine_name,
-+ char ***spn_array,
-+ size_t *num_spns);
- ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
- ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
- const char *my_fqdn, const char *spn);
-diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
-index fb99132..51a0883 100644
---- a/source3/libads/ldap.c
-+++ b/source3/libads/ldap.c
-@@ -1927,6 +1927,66 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
- }
-
- /**
-+ * @brief This gets the service principal names of an existing computer account.
-+ *
-+ * @param[in] mem_ctx The memory context to use to allocate the spn array.
-+ *
-+ * @param[in] ads The ADS context to use.
-+ *
-+ * @param[in] machine_name The NetBIOS name of the computer, which is used to
-+ * identify the computer account.
-+ *
-+ * @param[in] spn_array A pointer to store the array for SPNs.
-+ *
-+ * @param[in] num_spns The number of principals stored in the array.
-+ *
-+ * @return 0 on success, or a ADS error if a failure occured.
-+ */
-+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
-+ ADS_STRUCT *ads,
-+ const char *machine_name,
-+ char ***spn_array,
-+ size_t *num_spns)
-+{
-+ ADS_STATUS status;
-+ LDAPMessage *res = NULL;
-+ char *dn;
-+ int count;
-+
-+ status = ads_find_machine_acct(ads,
-+ &res,
-+ machine_name);
-+ if (!ADS_ERR_OK(status)) {
-+ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
-+ machine_name));
-+ return status;
-+ }
-+
-+ count = ads_count_replies(ads, res);
-+ if (count != 1) {
-+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
-+ goto done;
-+ }
-+
-+ dn = ads_get_dn(ads, mem_ctx, res);
-+ if (dn == NULL) {
-+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
-+ goto done;
-+ }
-+
-+ *spn_array = ads_pull_strings(ads,
-+ mem_ctx,
-+ res,
-+ "servicePrincipalName",
-+ num_spns);
-+
-+done:
-+ ads_msgfree(ads, res);
-+
-+ return status;
-+}
-+
-+/**
- * This adds a service principal name to an existing computer account
- * (found by hostname) in AD.
- * @param ads An initialized ADS_STRUCT
---
-2.1.0
-
-
-From ed3b6536e1027a26d7983942f62677aa2bc0e93c Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 24 Sep 2014 09:23:58 +0200
-Subject: [PATCH 2/4] s3-libads: Add function to search for an element in an
- array.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit e1ee4c8bc7018db7787dd9a0be6d3aa40a477ee2)
----
- source3/libads/ads_proto.h | 2 ++
- source3/libads/ldap.c | 31 +++++++++++++++++++++++++++++++
- 2 files changed, 33 insertions(+)
-
-diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
-index 6a22807..1e34247 100644
---- a/source3/libads/ads_proto.h
-+++ b/source3/libads/ads_proto.h
-@@ -88,6 +88,8 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
- uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
- uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
-
-+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el);
-+
- ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
- ADS_STRUCT *ads,
- const char *machine_name,
-diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
-index 51a0883..8d104c2 100644
---- a/source3/libads/ldap.c
-+++ b/source3/libads/ldap.c
-@@ -1927,6 +1927,37 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
- }
-
- /**
-+ * @brief Search for an element in a string array.
-+ *
-+ * @param[in] el_array The string array to search.
-+ *
-+ * @param[in] num_el The number of elements in the string array.
-+ *
-+ * @param[in] el The string to search.
-+ *
-+ * @return True if found, false if not.
-+ */
-+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
-+{
-+ size_t i;
-+
-+ if (el_array == NULL || num_el == 0 || el == NULL) {
-+ return false;
-+ }
-+
-+ for (i = 0; i < num_el && el_array[i] != NULL; i++) {
-+ int cmp;
-+
-+ cmp = strcasecmp_m(el_array[i], el);
-+ if (cmp == 0) {
-+ return true;
-+ }
-+ }
-+
-+ return false;
-+}
-+
-+/**
- * @brief This gets the service principal names of an existing computer account.
- *
- * @param[in] mem_ctx The memory context to use to allocate the spn array.
---
-2.1.0
-
-
-From 11700f1398d6197a99c686f1a43b45d6305ceae8 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 26 Sep 2014 03:09:08 +0200
-Subject: [PATCH 3/4] s3-libnet: Add libnet_join_get_machine_spns().
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 7e0b8fcce5572c88d50993a1dbd90f65638ba90f)
----
- source3/libnet/libnet_join.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 1418385..3611cc7 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -358,6 +358,26 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
- return status;
- }
-
-+static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
-+ struct libnet_JoinCtx *r,
-+ char ***spn_array,
-+ size_t *num_spns)
-+{
-+ ADS_STATUS status;
-+
-+ if (r->in.machine_name == NULL) {
-+ return ADS_ERROR_SYSTEM(EINVAL);
-+ }
-+
-+ status = ads_get_service_principal_names(mem_ctx,
-+ r->in.ads,
-+ r->in.machine_name,
-+ spn_array,
-+ num_spns);
-+
-+ return status;
-+}
-+
- /****************************************************************
- Set a machines dNSHostName and servicePrincipalName attributes
- ****************************************************************/
---
-2.1.0
-
-
-From 472256e27ad5cb5e7657efaece71744269ca8d16 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 26 Sep 2014 03:35:43 +0200
-Subject: [PATCH 4/4] s3-libnet: Make sure we do not overwrite precreated SPNs.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Fri Sep 26 08:22:45 CEST 2014 on sn-devel-104
-
-(cherry picked from commit 0aacbe78bb40d76b65087c2a197c92b0101e625e)
----
- source3/libnet/libnet_join.c | 39 ++++++++++++++++++++++++++++++++++++---
- 1 file changed, 36 insertions(+), 3 deletions(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 3611cc7..aa7b5cb 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -388,8 +388,10 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
- ADS_STATUS status;
- ADS_MODLIST mods;
- fstring my_fqdn;
-- const char *spn_array[3] = {NULL, NULL, NULL};
-+ const char **spn_array = NULL;
-+ size_t num_spns = 0;
- char *spn = NULL;
-+ bool ok;
-
- /* Find our DN */
-
-@@ -398,6 +400,14 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
- return status;
- }
-
-+ status = libnet_join_get_machine_spns(mem_ctx,
-+ r,
-+ discard_const_p(char **, &spn_array),
-+ &num_spns);
-+ if (!ADS_ERR_OK(status)) {
-+ DEBUG(5, ("Retrieving the servicePrincipalNames failed.\n"));
-+ }
-+
- /* Windows only creates HOST/shortname & HOST/fqdn. */
-
- spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
-@@ -407,7 +417,15 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
- if (!strupper_m(spn)) {
- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
- }
-- spn_array[0] = spn;
-+
-+ ok = ads_element_in_array(spn_array, num_spns, spn);
-+ if (!ok) {
-+ ok = add_string_to_array(spn_array, spn,
-+ &spn_array, (int *)&num_spns);
-+ if (!ok) {
-+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
-+ }
-+ }
-
- if (!name_to_fqdn(my_fqdn, r->in.machine_name)
- || (strchr(my_fqdn, '.') == NULL)) {
-@@ -424,8 +442,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
- if (!spn) {
- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
- }
-- spn_array[1] = spn;
-+
-+ ok = ads_element_in_array(spn_array, num_spns, spn);
-+ if (!ok) {
-+ ok = add_string_to_array(spn_array, spn,
-+ &spn_array, (int *)&num_spns);
-+ if (!ok) {
-+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
-+ }
-+ }
-+ }
-+
-+ /* make sure to NULL terminate the array */
-+ spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
-+ if (spn_array == NULL) {
-+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
- }
-+ spn_array[num_spns] = NULL;
-
- mods = ads_init_mods(mem_ctx);
- if (!mods) {
---
-2.1.0
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
deleted file mode 100644
index 2174e15..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From 3516236ec6eb42f29eda42542b109fa10217e68c Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 24 Sep 2014 10:51:33 +0200
-Subject: [PATCH] s3-libads: Add all machine account principals to the keytab.
-
-This adds all SPNs defined in the DC for the computer account to the
-keytab using 'net ads keytab create -P'.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=9985
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 5d58b92f8fcbc509f4fe2bd3617bcaeada1806b6)
----
- source3/libads/kerberos_keytab.c | 74 ++++++++++++++++++++++++++++------------
- 1 file changed, 52 insertions(+), 22 deletions(-)
-
-diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
-index 83df088..d13625b 100644
---- a/source3/libads/kerberos_keytab.c
-+++ b/source3/libads/kerberos_keytab.c
-@@ -507,20 +507,57 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
- krb5_kt_cursor cursor;
- krb5_keytab_entry kt_entry;
- krb5_kvno kvno;
-- int i, found = 0;
-+ size_t found = 0;
- char *sam_account_name, *upn;
- char **oldEntries = NULL, *princ_s[26];
-- TALLOC_CTX *tmpctx = NULL;
-+ TALLOC_CTX *frame;
- char *machine_name;
-+ char **spn_array;
-+ size_t num_spns;
-+ size_t i;
-+ ADS_STATUS status;
-
-- /* these are the main ones we need */
-- ret = ads_keytab_add_entry(ads, "host");
-- if (ret != 0) {
-- DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
-- "adding 'host' principal.\n"));
-- return ret;
-+ frame = talloc_stackframe();
-+ if (frame == NULL) {
-+ ret = -1;
-+ goto done;
-+ }
-+
-+ status = ads_get_service_principal_names(frame,
-+ ads,
-+ lp_netbios_name(),
-+ &spn_array,
-+ &num_spns);
-+ if (!ADS_ERR_OK(status)) {
-+ ret = -1;
-+ goto done;
- }
-
-+ for (i = 0; i < num_spns; i++) {
-+ char *srv_princ;
-+ char *p;
-+
-+ srv_princ = strlower_talloc(frame, spn_array[i]);
-+ if (srv_princ == NULL) {
-+ ret = -1;
-+ goto done;
-+ }
-+
-+ p = strchr_m(srv_princ, '/');
-+ if (p == NULL) {
-+ continue;
-+ }
-+ p[0] = '\0';
-+
-+ /* Add the SPNs found on the DC */
-+ ret = ads_keytab_add_entry(ads, srv_princ);
-+ if (ret != 0) {
-+ DEBUG(1, ("ads_keytab_add_entry failed while "
-+ "adding '%s' principal.\n",
-+ spn_array[i]));
-+ goto done;
-+ }
-+ }
-
- #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
- really needs them and we will fall back to verifying against
-@@ -543,24 +580,17 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
- if (ret) {
- DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
- error_message(ret)));
-- return ret;
-- }
--
-- tmpctx = talloc_init(__location__);
-- if (!tmpctx) {
-- DEBUG(0, (__location__ ": talloc_init() failed!\n"));
-- ret = -1;
- goto done;
- }
-
-- machine_name = talloc_strdup(tmpctx, lp_netbios_name());
-+ machine_name = talloc_strdup(frame, lp_netbios_name());
- if (!machine_name) {
- ret = -1;
- goto done;
- }
-
- /* now add the userPrincipalName and sAMAccountName entries */
-- sam_account_name = ads_get_samaccountname(ads, tmpctx, machine_name);
-+ sam_account_name = ads_get_samaccountname(ads, frame, machine_name);
- if (!sam_account_name) {
- DEBUG(0, (__location__ ": unable to determine machine "
- "account's name in AD!\n"));
-@@ -584,7 +614,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
- }
-
- /* remember that not every machine account will have a upn */
-- upn = ads_get_upn(ads, tmpctx, machine_name);
-+ upn = ads_get_upn(ads, frame, machine_name);
- if (upn) {
- ret = ads_keytab_add_entry(ads, upn);
- if (ret != 0) {
-@@ -596,7 +626,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
-
- /* Now loop through the keytab and update any other existing entries */
- kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
-- if (kvno == -1) {
-+ if (kvno == (krb5_kvno)-1) {
- DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
- "determine the system's kvno.\n"));
- goto done;
-@@ -629,12 +659,12 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
- * have a race condition where someone else could add entries after
- * we've counted them. Re-open asap to minimise the race. JRA.
- */
-- DEBUG(3, (__location__ ": Found %d entries in the keytab.\n", found));
-+ DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
- if (!found) {
- goto done;
- }
-
-- oldEntries = talloc_array(tmpctx, char *, found);
-+ oldEntries = talloc_array(frame, char *, found);
- if (!oldEntries) {
- DEBUG(1, (__location__ ": Failed to allocate space to store "
- "the old keytab entries (talloc failed?).\n"));
-@@ -708,7 +738,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
-
- done:
- TALLOC_FREE(oldEntries);
-- TALLOC_FREE(tmpctx);
-+ TALLOC_FREE(frame);
-
- {
- krb5_keytab_entry zero_kt_entry;
---
-2.1.0
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
deleted file mode 100644
index a939e70..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
+++ /dev/null
@@ -1,988 +0,0 @@
-From cbef7b5e10f4477d9f2e648ac6c654eef1165b82 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 24 Sep 2014 22:16:20 +0200
-Subject: [PATCH 1/4] s3-net: add "net ads enctypes {list,set,delete}".
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/utils/net_ads.c | 308 ++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 308 insertions(+)
-
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index 8b8e719..5f18bf4 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -2860,6 +2860,306 @@ int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
- return net_run_function(c, argc, argv, "net ads kerberos", func);
- }
-
-+static int net_ads_enctype_lookup_account(struct net_context *c,
-+ ADS_STRUCT *ads,
-+ const char *account,
-+ LDAPMessage **res,
-+ const char **enctype_str)
-+{
-+ const char *filter;
-+ const char *attrs[] = {
-+ "msDS-SupportedEncryptionTypes",
-+ NULL
-+ };
-+ int count;
-+ int ret = -1;
-+ ADS_STATUS status;
-+
-+ filter = talloc_asprintf(c, "(&(objectclass=user)(sAMAccountName=%s))",
-+ account);
-+ if (filter == NULL) {
-+ goto done;
-+ }
-+
-+ status = ads_search(ads, res, filter, attrs);
-+ if (!ADS_ERR_OK(status)) {
-+ d_printf(_("no account found with filter: %s\n"), filter);
-+ goto done;
-+ }
-+
-+ count = ads_count_replies(ads, *res);
-+ switch (count) {
-+ case 1:
-+ break;
-+ case 0:
-+ d_printf(_("no account found with filter: %s\n"), filter);
-+ goto done;
-+ default:
-+ d_printf(_("multiple accounts found with filter: %s\n"), filter);
-+ goto done;
-+ }
-+
-+ if (enctype_str) {
-+ *enctype_str = ads_pull_string(ads, c, *res,
-+ "msDS-SupportedEncryptionTypes");
-+ if (*enctype_str == NULL) {
-+ d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n"));
-+ goto done;
-+ }
-+ }
-+
-+ ret = 0;
-+ done:
-+ return ret;
-+}
-+
-+static void net_ads_enctype_dump_enctypes(const char *username,
-+ const char *enctype_str)
-+{
-+ int enctypes;
-+
-+ d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\":\n"), username);
-+
-+ enctypes = atoi(enctype_str);
-+
-+ printf("[%s] 0x%08x DES-CBC-CRC\n",
-+ enctypes & ENC_CRC32 ? "X" : " ",
-+ ENC_CRC32);
-+ printf("[%s] 0x%08x DES-CBC-MD5\n",
-+ enctypes & ENC_RSA_MD5 ? "X" : " ",
-+ ENC_RSA_MD5);
-+ printf("[%s] 0x%08x RC4-HMAC\n",
-+ enctypes & ENC_RC4_HMAC_MD5 ? "X" : " ",
-+ ENC_RC4_HMAC_MD5);
-+ printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n",
-+ enctypes & ENC_HMAC_SHA1_96_AES128 ? "X" : " ",
-+ ENC_HMAC_SHA1_96_AES128);
-+ printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n",
-+ enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ",
-+ ENC_HMAC_SHA1_96_AES256);
-+}
-+
-+static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
-+{
-+ int ret = -1;
-+ ADS_STATUS status;
-+ ADS_STRUCT *ads = NULL;
-+ LDAPMessage *res = NULL;
-+ const char *str = NULL;
-+
-+ if (c->display_usage || (argc < 1)) {
-+ d_printf( "%s\n"
-+ "net ads enctypes list\n"
-+ " %s\n",
-+ _("Usage:"),
-+ _("List supported enctypes"));
-+ return 0;
-+ }
-+
-+ status = ads_startup(c, false, &ads);
-+ if (!ADS_ERR_OK(status)) {
-+ printf("startup failed\n");
-+ return ret;
-+ }
-+
-+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
-+ if (ret) {
-+ goto done;
-+ }
-+
-+ net_ads_enctype_dump_enctypes(argv[0], str);
-+
-+ ret = 0;
-+ done:
-+ ads_msgfree(ads, res);
-+ ads_destroy(&ads);
-+
-+ return ret;
-+}
-+
-+static int net_ads_enctypes_set(struct net_context *c, int argc, const char **argv)
-+{
-+ int ret = -1;
-+ ADS_STATUS status;
-+ ADS_STRUCT *ads;
-+ LDAPMessage *res = NULL;
-+ const char *etype_list_str;
-+ const char *dn;
-+ ADS_MODLIST mods;
-+ uint32_t etype_list;
-+ const char *str;
-+
-+ if (c->display_usage || argc < 1) {
-+ d_printf( "%s\n"
-+ "net ads enctypes set <sAMAccountName> [enctypes]\n"
-+ " %s\n",
-+ _("Usage:"),
-+ _("Set supported enctypes"));
-+ return 0;
-+ }
-+
-+ status = ads_startup(c, false, &ads);
-+ if (!ADS_ERR_OK(status)) {
-+ printf("startup failed\n");
-+ return ret;
-+ }
-+
-+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
-+ if (ret) {
-+ goto done;
-+ }
-+
-+ dn = ads_get_dn(ads, c, res);
-+ if (dn == NULL) {
-+ goto done;
-+ }
-+
-+ etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
-+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-+ etype_list |= ENC_HMAC_SHA1_96_AES128;
-+#endif
-+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-+ etype_list |= ENC_HMAC_SHA1_96_AES256;
-+#endif
-+
-+ if (argv[1] != NULL) {
-+ sscanf(argv[1], "%i", &etype_list);
-+ }
-+
-+ etype_list_str = talloc_asprintf(c, "%d", etype_list);
-+ if (!etype_list_str) {
-+ goto done;
-+ }
-+
-+ mods = ads_init_mods(c);
-+ if (!mods) {
-+ goto done;
-+ }
-+
-+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes",
-+ etype_list_str);
-+ if (!ADS_ERR_OK(status)) {
-+ goto done;
-+ }
-+
-+ status = ads_gen_mod(ads, dn, mods);
-+ if (!ADS_ERR_OK(status)) {
-+ d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"),
-+ ads_errstr(status));
-+ goto done;
-+ }
-+
-+ ads_msgfree(ads, res);
-+
-+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
-+ if (ret) {
-+ goto done;
-+ }
-+
-+ net_ads_enctype_dump_enctypes(argv[0], str);
-+
-+ ret = 0;
-+ done:
-+ ads_msgfree(ads, res);
-+ ads_destroy(&ads);
-+
-+ return ret;
-+}
-+
-+static int net_ads_enctypes_delete(struct net_context *c, int argc, const char **argv)
-+{
-+ int ret = -1;
-+ ADS_STATUS status;
-+ ADS_STRUCT *ads;
-+ LDAPMessage *res = NULL;
-+ const char *dn;
-+ ADS_MODLIST mods;
-+
-+ if (c->display_usage || argc < 1) {
-+ d_printf( "%s\n"
-+ "net ads enctypes delete <sAMAccountName>\n"
-+ " %s\n",
-+ _("Usage:"),
-+ _("Delete supported enctypes"));
-+ return 0;
-+ }
-+
-+ status = ads_startup(c, false, &ads);
-+ if (!ADS_ERR_OK(status)) {
-+ printf("startup failed\n");
-+ return ret;
-+ }
-+
-+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
-+ if (ret) {
-+ goto done;
-+ }
-+
-+ dn = ads_get_dn(ads, c, res);
-+ if (dn == NULL) {
-+ goto done;
-+ }
-+
-+ mods = ads_init_mods(c);
-+ if (!mods) {
-+ goto done;
-+ }
-+
-+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes", NULL);
-+ if (!ADS_ERR_OK(status)) {
-+ goto done;
-+ }
-+
-+ status = ads_gen_mod(ads, dn, mods);
-+ if (!ADS_ERR_OK(status)) {
-+ d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"),
-+ ads_errstr(status));
-+ goto done;
-+ }
-+
-+ ret = 0;
-+
-+ done:
-+ ads_msgfree(ads, res);
-+ ads_destroy(&ads);
-+ return ret;
-+}
-+
-+static int net_ads_enctypes(struct net_context *c, int argc, const char **argv)
-+{
-+ struct functable func[] = {
-+ {
-+ "list",
-+ net_ads_enctypes_list,
-+ NET_TRANSPORT_ADS,
-+ N_("List the supported encryption types"),
-+ N_("net ads enctypes list\n"
-+ " List the supported encryption types")
-+ },
-+ {
-+ "set",
-+ net_ads_enctypes_set,
-+ NET_TRANSPORT_ADS,
-+ N_("Set the supported encryption types"),
-+ N_("net ads enctypes set\n"
-+ " Set the supported encryption types")
-+ },
-+ {
-+ "delete",
-+ net_ads_enctypes_delete,
-+ NET_TRANSPORT_ADS,
-+ N_("Delete the supported encryption types"),
-+ N_("net ads enctypes delete\n"
-+ " Delete the supported encryption types")
-+ },
-+
-+ {NULL, NULL, 0, NULL, NULL}
-+ };
-+
-+ return net_run_function(c, argc, argv, "net ads enctypes", func);
-+}
-+
-+
- int net_ads(struct net_context *c, int argc, const char **argv)
- {
- struct functable func[] = {
-@@ -3015,6 +3315,14 @@ int net_ads(struct net_context *c, int argc, const char **argv)
- N_("net ads kerberos\n"
- " Manage kerberos keytab")
- },
-+ {
-+ "enctypes",
-+ net_ads_enctypes,
-+ NET_TRANSPORT_ADS,
-+ N_("List/modify supported encryption types"),
-+ N_("net ads enctypes\n"
-+ " List/modify enctypes")
-+ },
- {NULL, NULL, 0, NULL, NULL}
- };
-
---
-1.9.3
-
-
-From a19f1e51bd7d48b238ad22ec9e27af53dfa5bf44 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 24 Sep 2014 23:36:19 +0200
-Subject: [PATCH 2/4] s3-net: add manpage documentation for "net ads enctypes".
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- docs-xml/manpages/net.8.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 53 insertions(+)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index f39b420..9e982e3 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -1339,6 +1339,59 @@ to show in the result.
- </refsect2>
-
- <refsect2>
-+ <title>ADS ENCTYPES</title>
-+
-+<para>
-+ List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
-+</para>
-+
-+<para>
-+ This attribute allows to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
-+</para>
-+
-+<para>0x00000001 DES-CBC-CRC</para>
-+<para>0x00000002 DES-CBC-MD5</para>
-+<para>0x00000004 RC4-HMAC</para>
-+<para>0x00000008 AES128-CTS-HMAC-SHA1-96</para>
-+<para>0x00000010 AES256-CTS-HMAC-SHA1-96</para>
-+
-+</refsect2>
-+
-+<refsect2>
-+ <title>ADS ENCTYPES LIST <replaceable><ACCOUNTNAME></replaceable></title>
-+
-+<para>
-+ List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
-+</para>
-+
-+<para>Example: <userinput>net ads enctypes list Computername</userinput></para>
-+
-+</refsect2>
-+
-+<refsect2>
-+ <title>ADS ENCTYPES SET <replaceable><ACCOUNTNAME></replaceable> <replaceable>[enctypes]</replaceable></title>
-+
-+<para>
-+ Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is ommitted, the value is set to 31 which enables all the currently supported encryption types.
-+</para>
-+
-+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
-+
-+</refsect2>
-+
-+<refsect2>
-+ <title>ADS ENCTYPES DELETE <replaceable><ACCOUNTNAME></replaceable></title>
-+
-+<para>
-+ Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
-+</para>
-+
-+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
-+
-+</refsect2>
-+
-+
-+<refsect2>
- <title>SAM CREATEBUILTINGROUP <NAME></title>
-
- <para>
---
-1.9.3
-
-
-From 0f42d123afde57ee74d89bdc742185cef718cf0f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 23 Nov 2012 12:34:27 +0100
-Subject: [PATCH 3/4] s3-libnet: set list of allowed krb5 encryption types in
- AD >= 2008.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/libnet/libnet_join.c | 65 ++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 65 insertions(+)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 381a59c..e70e11a 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -605,6 +605,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
- /****************************************************************
- ****************************************************************/
-
-+static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
-+ struct libnet_JoinCtx *r)
-+{
-+ ADS_STATUS status;
-+ ADS_MODLIST mods;
-+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
-+ const char *etype_list_str;
-+
-+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-+ etype_list |= ENC_HMAC_SHA1_96_AES128;
-+#endif
-+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-+ etype_list |= ENC_HMAC_SHA1_96_AES256;
-+#endif
-+
-+ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
-+ if (!etype_list_str) {
-+ return ADS_ERROR(LDAP_NO_MEMORY);
-+ }
-+
-+ /* Find our DN */
-+
-+ status = libnet_join_find_machine_acct(mem_ctx, r);
-+ if (!ADS_ERR_OK(status)) {
-+ return status;
-+ }
-+
-+ /* now do the mods */
-+
-+ mods = ads_init_mods(mem_ctx);
-+ if (!mods) {
-+ return ADS_ERROR(LDAP_NO_MEMORY);
-+ }
-+
-+ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
-+ etype_list_str);
-+ if (!ADS_ERR_OK(status)) {
-+ return status;
-+ }
-+
-+ return ads_gen_mod(r->in.ads, r->out.dn, mods);
-+}
-+
-+/****************************************************************
-+****************************************************************/
-+
- static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
- struct libnet_JoinCtx *r)
- {
-@@ -679,6 +725,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
- struct libnet_JoinCtx *r)
- {
- ADS_STATUS status;
-+ uint32_t func_level = 0;
-
- if (!r->in.ads) {
- status = libnet_join_connect_ads(mem_ctx, r);
-@@ -713,6 +760,24 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
- return status;
- }
-
-+ status = ads_domain_func_level(r->in.ads, &func_level);
-+ if (!ADS_ERR_OK(status)) {
-+ libnet_join_set_error_string(mem_ctx, r,
-+ "failed to query domain controller functional level: %s",
-+ ads_errstr(status));
-+ return status;
-+ }
-+
-+ if (func_level >= DS_DOMAIN_FUNCTION_2008) {
-+ status = libnet_join_set_etypes(mem_ctx, r);
-+ if (!ADS_ERR_OK(status)) {
-+ libnet_join_set_error_string(mem_ctx, r,
-+ "failed to set machine kerberos encryption types: %s",
-+ ads_errstr(status));
-+ return status;
-+ }
-+ }
-+
- if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
- return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
- }
---
-1.9.3
-
-
-From adb206481ac56c8f438e70f7b9e986aeba9586b1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 26 Sep 2014 21:06:38 +0200
-Subject: [PATCH 4/4] s4-auth/kerberos: fix salting principal, make sure
- hostname is lowercase.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Found at MS interop event while working on AES kerberos key support.
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
----
- source4/auth/kerberos/srv_keytab.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c
-index d81e27d..3baba14 100644
---- a/source4/auth/kerberos/srv_keytab.c
-+++ b/source4/auth/kerberos/srv_keytab.c
-@@ -143,7 +143,7 @@ static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx,
- return ENOMEM;
- }
-
-- machine_username = talloc_strdup(tmp_ctx, samAccountName);
-+ machine_username = strlower_talloc(tmp_ctx, samAccountName);
- if (!machine_username) {
- *error_string = "Cannot duplicate samAccountName";
- talloc_free(tmp_ctx);
---
-1.9.3
-
-From d423e8b759af2e0a7cdce39d3f7a6c8d9c1764b4 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 16 Jun 2014 22:49:29 -0700
-Subject: [PATCH 1/5] s3: auth: Add some const to the struct netr_SamInfo3 *
- arguments of copy_netr_SamInfo3() and make_server_info_info3()
-
-Both functions only read from the struct netr_SamInfo3 * argument.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
-Reviewed-by: Simo Sorce <idra@samba.org>
-
-Conflicts:
- source3/auth/proto.h
- source3/auth/server_info.c
----
- source3/auth/auth_util.c | 2 +-
- source3/auth/proto.h | 4 ++--
- source3/auth/server_info.c | 2 +-
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
-index ceaa706..afa78ec 100644
---- a/source3/auth/auth_util.c
-+++ b/source3/auth/auth_util.c
-@@ -1369,7 +1369,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
- const char *sent_nt_username,
- const char *domain,
- struct auth_serversupplied_info **server_info,
-- struct netr_SamInfo3 *info3)
-+ const struct netr_SamInfo3 *info3)
- {
- static const char zeros[16] = {0, };
-
-diff --git a/source3/auth/proto.h b/source3/auth/proto.h
-index 76661fc..6ec206e 100644
---- a/source3/auth/proto.h
-+++ b/source3/auth/proto.h
-@@ -232,7 +232,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
- const char *sent_nt_username,
- const char *domain,
- struct auth_serversupplied_info **server_info,
-- struct netr_SamInfo3 *info3);
-+ const struct netr_SamInfo3 *info3);
- struct wbcAuthUserInfo;
- NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
- const char *sent_nt_username,
-@@ -287,7 +287,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
- const struct passwd *pwd,
- struct netr_SamInfo3 **pinfo3);
- struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
-- struct netr_SamInfo3 *orig);
-+ const struct netr_SamInfo3 *orig);
- struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
- const struct wbcAuthUserInfo *info);
-
-diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
-index d2b7d6e..066b9a8 100644
---- a/source3/auth/server_info.c
-+++ b/source3/auth/server_info.c
-@@ -445,7 +445,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
- } } while(0)
-
- struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
-- struct netr_SamInfo3 *orig)
-+ const struct netr_SamInfo3 *orig)
- {
- struct netr_SamInfo3 *info3;
- unsigned int i;
---
-1.9.3
-
-
-From cab0cda9df0bb0eda2d7957c0bb8dbcb51ba7ef7 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 16 Jun 2014 22:54:45 -0700
-Subject: [PATCH 2/5] s3: auth: Change make_server_info_info3() to take a const
- struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
-
-make_server_info_info3() only reads from the info3 pointer.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
-Reviewed-by: Simo Sorce <idra@samba.org>
----
- source3/auth/auth_generic.c | 2 +-
- source3/auth/proto.h | 2 +-
- source3/auth/user_krb5.c | 8 ++++----
- 3 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
-index a2ba4e3..2880bc9 100644
---- a/source3/auth/auth_generic.c
-+++ b/source3/auth/auth_generic.c
-@@ -112,7 +112,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
-
- status = make_session_info_krb5(mem_ctx,
- ntuser, ntdomain, username, pw,
-- logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
-+ &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
- session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
-diff --git a/source3/auth/proto.h b/source3/auth/proto.h
-index 6ec206e..75d1097 100644
---- a/source3/auth/proto.h
-+++ b/source3/auth/proto.h
-@@ -357,7 +357,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
- char *ntdomain,
- char *username,
- struct passwd *pw,
-- struct PAC_LOGON_INFO *logon_info,
-+ const struct netr_SamInfo3 *info3,
- bool mapped_to_guest, bool username_was_mapped,
- DATA_BLOB *session_key,
- struct auth_session_info **session_info);
-diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
-index 974a8aa..0a538b4 100644
---- a/source3/auth/user_krb5.c
-+++ b/source3/auth/user_krb5.c
-@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
- char *ntdomain,
- char *username,
- struct passwd *pw,
-- struct PAC_LOGON_INFO *logon_info,
-+ const struct netr_SamInfo3 *info3,
- bool mapped_to_guest, bool username_was_mapped,
- DATA_BLOB *session_key,
- struct auth_session_info **session_info)
-@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
- return status;
- }
-
-- } else if (logon_info) {
-+ } else if (info3) {
- /* pass the unmapped username here since map_username()
- will be called again in make_server_info_info3() */
-
- status = make_server_info_info3(mem_ctx,
- ntuser, ntdomain,
- &server_info,
-- &logon_info->info3);
-+ info3);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("make_server_info_info3 failed: %s!\n",
- nt_errstr(status)));
-@@ -299,7 +299,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
- char *ntdomain,
- char *username,
- struct passwd *pw,
-- struct PAC_LOGON_INFO *logon_info,
-+ const struct netr_SamInfo3 *info3,
- bool mapped_to_guest, bool username_was_mapped,
- DATA_BLOB *session_key,
- struct auth_session_info **session_info)
---
-1.9.3
-
-
-From 102335441aaa7967367abcc5690fe7229807546a Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 16 Jun 2014 23:11:58 -0700
-Subject: [PATCH 3/5] s3: auth: Add create_info3_from_pac_logon_info() to
- create a new info3 and merge resource group SIDs into it.
-
-Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
-Reviewed-by: Simo Sorce <idra@samba.org>
----
- source3/auth/proto.h | 3 ++
- source3/auth/server_info.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 80 insertions(+)
-
-diff --git a/source3/auth/proto.h b/source3/auth/proto.h
-index 75d1097..cc51698 100644
---- a/source3/auth/proto.h
-+++ b/source3/auth/proto.h
-@@ -281,6 +281,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
- struct netr_SamInfo3 *sam3);
- NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
- struct netr_SamInfo6 *sam6);
-+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
-+ const struct PAC_LOGON_INFO *logon_info,
-+ struct netr_SamInfo3 **pp_info3);
- NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
- struct samu *samu,
- const char *login_server,
-diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
-index 066b9a8..dc84794 100644
---- a/source3/auth/server_info.c
-+++ b/source3/auth/server_info.c
-@@ -252,6 +252,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
- return NT_STATUS_OK;
- }
-
-+/*
-+ * Merge resource SIDs, if any, into the passed in info3 structure.
-+ */
-+
-+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
-+ struct netr_SamInfo3 *info3)
-+{
-+ uint32_t i = 0;
-+
-+ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
-+ return NT_STATUS_OK;
-+ }
-+
-+ /*
-+ * If there are any resource groups (SID Compression) add
-+ * them to the extra sids portion of the info3 in the PAC.
-+ *
-+ * This makes the info3 look like it would if we got the info
-+ * from the DC rather than the PAC.
-+ */
-+
-+ /*
-+ * Construct a SID for each RID in the list and then append it
-+ * to the info3.
-+ */
-+ for (i = 0; i < logon_info->res_groups.count; i++) {
-+ NTSTATUS status;
-+ struct dom_sid new_sid;
-+ uint32_t attributes = logon_info->res_groups.rids[i].attributes;
-+
-+ sid_compose(&new_sid,
-+ logon_info->res_group_dom_sid,
-+ logon_info->res_groups.rids[i].rid);
-+
-+ DEBUG(10, ("Adding SID %s to extra SIDS\n",
-+ sid_string_dbg(&new_sid)));
-+
-+ status = append_netr_SidAttr(info3, &info3->sids,
-+ &info3->sidcount,
-+ &new_sid,
-+ attributes);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
-+ sid_string_dbg(&new_sid),
-+ nt_errstr(status)));
-+ return status;
-+ }
-+ }
-+
-+ return NT_STATUS_OK;
-+}
-+
-+/*
-+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
-+ * then merge resource SIDs, if any, into it. If successful return
-+ * the created info3 struct.
-+ */
-+
-+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
-+ const struct PAC_LOGON_INFO *logon_info,
-+ struct netr_SamInfo3 **pp_info3)
-+{
-+ NTSTATUS status;
-+ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
-+ &logon_info->info3);
-+ if (info3 == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ status = merge_resource_sids(logon_info, info3);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(info3);
-+ return status;
-+ }
-+ *pp_info3 = info3;
-+ return NT_STATUS_OK;
-+}
-+
- #define RET_NOMEM(ptr) do { \
- if (!ptr) { \
- TALLOC_FREE(info3); \
---
-1.9.3
-
-
-From fda9cefd3d4a0808af67595631dd755d5b73aacf Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 16 Jun 2014 23:15:21 -0700
-Subject: [PATCH 4/5] s3: auth: Change auth3_generate_session_info_pac() to use
- a copy of the info3 struct from the struct PAC_LOGON_INFO.
-
-Call create_info3_from_pac_logon_info() to add in any resource SIDs
-from the struct PAC_LOGON_INFO to the info3.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
-Reviewed-by: Simo Sorce <idra@samba.org>
----
- source3/auth/auth_generic.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
-index 2880bc9..f841f0c 100644
---- a/source3/auth/auth_generic.c
-+++ b/source3/auth/auth_generic.c
-@@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
- {
- TALLOC_CTX *tmp_ctx;
- struct PAC_LOGON_INFO *logon_info = NULL;
-+ struct netr_SamInfo3 *info3_copy = NULL;
- bool is_mapped;
- bool is_guest;
- char *ntuser;
-@@ -101,7 +102,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
-
- /* save the PAC data if we have it */
- if (logon_info) {
-- netsamlogon_cache_store(ntuser, &logon_info->info3);
-+ status = create_info3_from_pac_logon_info(tmp_ctx,
-+ logon_info,
-+ &info3_copy);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ goto done;
-+ }
-+ netsamlogon_cache_store(ntuser, info3_copy);
- }
-
- /* setup the string used by %U */
-@@ -112,7 +119,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
-
- status = make_session_info_krb5(mem_ctx,
- ntuser, ntdomain, username, pw,
-- &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
-+ info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
- session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
---
-1.9.3
-
-
-From 9ed711f88685fc2d4860c9d6b7fa651bd2a52558 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 16 Jun 2014 23:27:35 -0700
-Subject: [PATCH 5/5] s3: auth: Fix winbindd_pam_auth_pac_send() to create a
- new info3 and merge in resource groups from a trusted PAC.
-
-Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
-Reviewed-by: Simo Sorce <idra@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
----
- source3/winbindd/winbindd_pam.c | 24 ++++++++++++++++++++++--
- 1 file changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index c356686..0f1ca28 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -2421,6 +2421,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
- struct winbindd_request *req = state->request;
- DATA_BLOB pac_blob;
- struct PAC_LOGON_INFO *logon_info = NULL;
-+ struct netr_SamInfo3 *info3_copy = NULL;
- NTSTATUS result;
-
- pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
-@@ -2434,7 +2435,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
-
- if (logon_info) {
- /* Signature verification succeeded, trust the PAC */
-- netsamlogon_cache_store(NULL, &logon_info->info3);
-+ result = create_info3_from_pac_logon_info(state->mem_ctx,
-+ logon_info,
-+ &info3_copy);
-+ if (!NT_STATUS_IS_OK(result)) {
-+ return result;
-+ }
-+ netsamlogon_cache_store(NULL, info3_copy);
-
- } else {
- /* Try without signature verification */
-@@ -2446,9 +2453,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
- nt_errstr(result)));
- return result;
- }
-+ if (logon_info) {
-+ /*
-+ * Don't strictly need to copy here,
-+ * but it makes it explicit we're
-+ * returning a copy talloc'ed off
-+ * the state->mem_ctx.
-+ */
-+ info3_copy = copy_netr_SamInfo3(state->mem_ctx,
-+ &logon_info->info3);
-+ if (info3_copy == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ }
- }
-
-- *info3 = &logon_info->info3;
-+ *info3 = info3_copy;
-
- return NT_STATUS_OK;
- }
---
-1.9.3
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
deleted file mode 100644
index 071069b..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 3bf805a38a1b901a55b08118ec04097d9787497c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 29 Sep 2014 17:16:15 +0200
-Subject: [PATCH] s3-net: Force libkrb5 locator to use the same KDC for join
- and DNS update.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
----
- source3/utils/net_ads.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index e96377f..efbc3d2 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -1566,6 +1566,27 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
- * If the dns update fails, we still consider the join
- * operation as succeeded if we came this far.
- */
-+
-+ if (r->out.dns_domain_name != NULL) {
-+
-+ /* Avoid potential libkrb5 issues finding a good KDC when we
-+ * already found one during the join. When the locator plugin is
-+ * installed (but winbind is not yet running) make sure we can
-+ * force libkrb5 to reuse that KDC. - gd */
-+
-+ char *env;
-+
-+ env = talloc_asprintf_strupper_m(r,
-+ "WINBINDD_LOCATOR_KDC_ADDRESS_%s",
-+ r->out.dns_domain_name);
-+ if (env == NULL) {
-+ return -1;
-+ }
-+
-+ setenv(env, r->in.ads->auth.kdc_server, 0);
-+ setenv("_NO_WINBINDD", "1", 0);
-+ }
-+
- _net_ads_join_dns_updates(c, ctx, r);
-
- TALLOC_FREE(r);
---
-1.9.3
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
deleted file mode 100644
index 9721afa..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From 170166b8a0076089c6a8505f53a22f5b72c15786 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 28 Oct 2014 11:55:30 -0700
-Subject: [PATCH] s3-nmbd: Fix netbios name truncation.
-
-Try and cope with truncation more intelligently.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10896
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 6adcc7bffd5e1474ecba04d2328955c0b208cabc)
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/nmbd/nmbd_nameregister.c | 76 +++++++++++++++++++++++++++++++++++-----
- 1 file changed, 68 insertions(+), 8 deletions(-)
-
-diff --git a/source3/nmbd/nmbd_nameregister.c b/source3/nmbd/nmbd_nameregister.c
-index 71c4751..8b078e6 100644
---- a/source3/nmbd/nmbd_nameregister.c
-+++ b/source3/nmbd/nmbd_nameregister.c
-@@ -482,17 +482,77 @@ void register_name(struct subnet_record *subrec,
- {
- struct nmb_name nmbname;
- nstring nname;
-+ size_t converted_size;
-
- errno = 0;
-- push_ascii_nstring(nname, name);
-- if (errno == E2BIG) {
-- unstring tname;
-- pull_ascii_nstring(tname, sizeof(tname), nname);
-- DEBUG(0,("register_name: NetBIOS name %s is too long. Truncating to %s\n",
-- name, tname));
-- make_nmb_name(&nmbname, tname, type);
-- } else {
-+ converted_size = push_ascii_nstring(nname, name);
-+ if (converted_size != (size_t)-1) {
-+ /* Success. */
- make_nmb_name(&nmbname, name, type);
-+ } else if (errno == E2BIG) {
-+ /*
-+ * Name converted to CH_DOS is too large.
-+ * try to truncate.
-+ */
-+ char *converted_str_dos = NULL;
-+ char *converted_str_unix = NULL;
-+ bool ok;
-+
-+ converted_size = 0;
-+
-+ ok = convert_string_talloc(talloc_tos(),
-+ CH_UNIX,
-+ CH_DOS,
-+ name,
-+ strlen(name)+1,
-+ &converted_str_dos,
-+ &converted_size);
-+ if (!ok) {
-+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
-+ "converted. Failing to register name.\n",
-+ name));
-+ return;
-+ }
-+
-+ /*
-+ * As it's now CH_DOS codepage
-+ * we truncate by writing '\0' at
-+ * MAX_NETBIOSNAME_LEN-1 and then
-+ * convert back to CH_UNIX which we
-+ * need for the make_nmb_name() call.
-+ */
-+ if (converted_size >= MAX_NETBIOSNAME_LEN) {
-+ converted_str_dos[MAX_NETBIOSNAME_LEN-1] = '\0';
-+ }
-+
-+ ok = convert_string_talloc(talloc_tos(),
-+ CH_DOS,
-+ CH_UNIX,
-+ converted_str_dos,
-+ strlen(converted_str_dos)+1,
-+ &converted_str_unix,
-+ &converted_size);
-+ if (!ok) {
-+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
-+ "converted back to CH_UNIX. "
-+ "Failing to register name.\n",
-+ converted_str_dos));
-+ TALLOC_FREE(converted_str_dos);
-+ return;
-+ }
-+
-+ make_nmb_name(&nmbname, converted_str_unix, type);
-+
-+ TALLOC_FREE(converted_str_dos);
-+ TALLOC_FREE(converted_str_unix);
-+ } else {
-+ /*
-+ * Generic conversion error. Fail to register.
-+ */
-+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
-+ "converted (%s). Failing to register name.\n",
-+ name, strerror(errno)));
-+ return;
- }
-
- /* Always set the NB_ACTIVE flag on the name we are
---
-2.1.2
-
-From 653a1c312e6b85f1d8113beec52a27e0ba71ef79 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 31 Oct 2014 11:01:26 -0700
-Subject: [PATCH] s3: nmbd: Ensure NetBIOS names are only 15 characters stored.
-
-This screws up if the name is greater than MAX_NETBIOSNAME_LEN-1 in the
-unix charset, but less than or equal to MAX_NETBIOSNAME_LEN-1 in the DOS
-charset, but this is so old we have to live with that.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10920
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-(cherry picked from commit 7467f6e72cba214eeca75c34e9d9fba354c7ef31)
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/lib/util_names.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c
-index cf54a0e..1392b48 100644
---- a/source3/lib/util_names.c
-+++ b/source3/lib/util_names.c
-@@ -60,7 +60,15 @@ static bool set_my_netbios_names(const char *name, int i)
- {
- SAFE_FREE(smb_my_netbios_names[i]);
-
-- smb_my_netbios_names[i] = SMB_STRDUP(name);
-+ /*
-+ * Don't include space for terminating '\0' in strndup,
-+ * it is automatically added. This screws up if the name
-+ * is greater than MAX_NETBIOSNAME_LEN-1 in the unix
-+ * charset, but less than or equal to MAX_NETBIOSNAME_LEN-1
-+ * in the DOS charset, but this is so old we have to live
-+ * with that.
-+ */
-+ smb_my_netbios_names[i] = SMB_STRNDUP(name, MAX_NETBIOSNAME_LEN-1);
- if (!smb_my_netbios_names[i])
- return False;
- return strupper_m(smb_my_netbios_names[i]);
---
-2.1.2
-
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
deleted file mode 100644
index 447e243..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-Don't check xsltproc manpages
-
-Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
-
-diff -Nurp samba-4.1.12.orig/lib/ldb/wscript samba-4.1.12/lib/ldb/wscript
---- samba-4.1.12.orig/lib/ldb/wscript 2014-07-28 16:13:45.000000000 +0900
-+++ samba-4.1.12/lib/ldb/wscript 2015-04-23 17:08:45.277000225 +0900
-@@ -56,7 +56,7 @@ def configure(conf):
- conf.define('USING_SYSTEM_PYLDB_UTIL', 1)
-
- if conf.env.standalone_ldb:
-- conf.CHECK_XSLTPROC_MANPAGES()
-+ #conf.CHECK_XSLTPROC_MANPAGES()
-
- # we need this for the ldap backend
- if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
-diff -Nurp samba-4.1.12.orig/lib/ntdb/wscript samba-4.1.12/lib/ntdb/wscript
---- samba-4.1.12.orig/lib/ntdb/wscript 2013-12-05 18:16:48.000000000 +0900
-+++ samba-4.1.12/lib/ntdb/wscript 2015-04-23 17:09:17.680000274 +0900
-@@ -121,7 +121,7 @@ def configure(conf):
- Logs.warn('Disabling pyntdb as python devel libs not found')
- conf.env.disable_python = True
-
-- conf.CHECK_XSLTPROC_MANPAGES()
-+ #conf.CHECK_XSLTPROC_MANPAGES()
-
- # This make #include <ccan/...> work.
- conf.ADD_EXTRA_INCLUDES('''#lib''')
-diff -Nurp samba-4.1.12.orig/lib/talloc/wscript samba-4.1.12/lib/talloc/wscript
---- samba-4.1.12.orig/lib/talloc/wscript 2013-12-05 18:16:48.000000000 +0900
-+++ samba-4.1.12/lib/talloc/wscript 2015-04-23 17:08:21.781000339 +0900
-@@ -55,7 +55,7 @@ def configure(conf):
- if conf.env.standalone_talloc:
- conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1
-
-- conf.CHECK_XSLTPROC_MANPAGES()
-+ #conf.CHECK_XSLTPROC_MANPAGES()
-
- if not conf.env.disable_python:
- # also disable if we don't have the python libs installed
-diff -Nurp samba-4.1.12.orig/lib/tdb/wscript samba-4.1.12/lib/tdb/wscript
---- samba-4.1.12.orig/lib/tdb/wscript 2013-12-05 18:16:48.000000000 +0900
-+++ samba-4.1.12/lib/tdb/wscript 2015-04-23 17:09:02.538000343 +0900
-@@ -43,7 +43,7 @@ def configure(conf):
-
- conf.env.disable_python = getattr(Options.options, 'disable_python', False)
-
-- conf.CHECK_XSLTPROC_MANPAGES()
-+ #conf.CHECK_XSLTPROC_MANPAGES()
-
- if not conf.env.disable_python:
- # also disable if we don't have the python libs installed
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
deleted file mode 100644
index 1a31e0d..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-samba: execute prog on target directly is impossible.
-
-Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
-
-diff -Nurp samba-4.1.12.orig/lib/ccan/wscript samba-4.1.12/lib/ccan/wscript
---- samba-4.1.12.orig/lib/ccan/wscript 2013-06-13 18:21:02.000000000 +0900
-+++ samba-4.1.12/lib/ccan/wscript 2015-04-27 14:26:25.123000238 +0900
-@@ -127,10 +127,10 @@ def configure(conf):
- # Only check for FILE_OFFSET_BITS=64 if off_t is normally small:
- # use raw routines because wrappers include previous _GNU_SOURCE
- # or _FILE_OFFSET_BITS defines.
-- conf.check(fragment="""#include <sys/types.h>
-- int main(void) { return !(sizeof(off_t) < 8); }""",
-- execute=True, msg='Checking for small off_t',
-- define_name='SMALL_OFF_T')
-+ conf.CHECK_CODE("""#include <sys/types.h>
-+ int main(void) { return !(sizeof(off_t) < 8); }""",
-+ link=True, execute=True, addmain=False, msg='Checking for small off_t',
-+ define='HAVE_SMALL_OFF_T')
- # Unreliable return value above, hence use define.
- if conf.CONFIG_SET('SMALL_OFF_T'):
- conf.check(fragment="""#include <sys/types.h>
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
deleted file mode 100644
index 83c42eb..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-waf trys to get package's configuration by native ncurses6-config.
-it will make native header files and library be used.
-
-Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
-
---- samba-4.1.12.orig/source3/wscript_configure_system_ncurses 2013-12-05 18:16:48.000000000 +0900
-+++ samba-4.1.12/source3/wscript_configure_system_ncurses 2015-04-29 16:12:22.619000250 +0900
-@@ -2,14 +2,6 @@ import Logs, Options, sys
-
- Logs.info("Looking for ncurses features")
-
--conf.find_program('ncurses5-config', var='NCURSES_CONFIG')
--if not conf.env.NCURSES_CONFIG:
-- conf.find_program('ncurses6-config', var='NCURSES_CONFIG')
--
--if conf.env.NCURSES_CONFIG:
-- conf.check_cfg(path=conf.env.NCURSES_CONFIG, args="--cflags --libs",
-- package="", uselib_store="NCURSES")
--
- conf.CHECK_HEADERS('ncurses.h menu.h panel.h form.h', lib='ncurses')
-
- conf.CHECK_FUNCS_IN('initscr', 'ncurses')
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
deleted file mode 100644
index 8c4e2ad..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-systemd-daemon is contained by libsystemd, so we just need link libsystemd to
-obtain the implementation of systemd-daemon's function.
-
-Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
-
-diff -Nurp samba-4.1.12.orig/lib/util/wscript_build samba-4.1.12/lib/util/wscript_build
---- samba-4.1.12.orig/lib/util/wscript_build 2014-09-08 18:26:14.000000000 +0900
-+++ samba-4.1.12/lib/util/wscript_build 2015-04-29 16:16:58.303000207 +0900
-@@ -10,7 +10,7 @@ bld.SAMBA_LIBRARY('samba-util',
- server_id.c dprintf.c parmlist.c bitmap.c pidfile.c
- tevent_debug.c util_process.c memcache.c''',
- deps='DYNCONFIG',
-- public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd-daemon',
-+ public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd',
- public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h dlinklist.h samba_util.h string_wrappers.h',
- header_path= [ ('dlinklist.h samba_util.h', '.'), ('*', 'util') ],
- local_include=False,
-diff -Nurp samba-4.1.12.orig/wscript samba-4.1.12/wscript
---- samba-4.1.12.orig/wscript 2014-07-28 16:13:45.000000000 +0900
-+++ samba-4.1.12/wscript 2015-04-29 16:17:52.338000264 +0900
-@@ -183,16 +183,16 @@ def configure(conf):
- conf.env['ENABLE_PIE'] = True
-
- if Options.options.enable_systemd != False:
-- conf.check_cfg(package='libsystemd-daemon', args='--cflags --libs',
-- msg='Checking for libsystemd-daemon', uselib_store="SYSTEMD-DAEMON")
-- conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd-daemon')
-- conf.CHECK_LIB('systemd-daemon', shlib=True)
-+ conf.check_cfg(package='libsystemd', args='--cflags --libs',
-+ msg='Checking for libsystemd', uselib_store="SYSTEMD-DAEMON")
-+ conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd')
-+ conf.CHECK_LIB('systemd', shlib=True)
-
- if conf.CONFIG_SET('HAVE_SYSTEMD_SD_DAEMON_H'):
- conf.DEFINE('HAVE_SYSTEMD', '1')
- conf.env['ENABLE_SYSTEMD'] = True
- else:
-- conf.SET_TARGET_TYPE('systemd-daemon', 'EMPTY')
-+ conf.SET_TARGET_TYPE('systemd', 'EMPTY')
- conf.undefine('HAVE_SYSTEMD')
-
- conf.SAMBA_CONFIG_H('include/config.h')
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
deleted file mode 100644
index 4254e11..0000000
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- ./source4/auth/wscript_configure.orig 2015-11-19 19:53:11.022212181 +0100
-+++ ./source4/auth/wscript_configure 2015-11-19 19:53:17.466212205 +0100
-@@ -2,7 +2,3 @@
-
- conf.CHECK_HEADERS('security/pam_appl.h')
- conf.CHECK_FUNCS_IN('pam_start', 'pam', checklibc=True)
--
--if (conf.CHECK_HEADERS('sasl/sasl.h') and
-- conf.CHECK_FUNCS_IN('sasl_client_init', 'sasl2')):
-- conf.DEFINE('HAVE_SASL', 1)
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/00-fix-typos-in-man-pages.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/00-fix-typos-in-man-pages.patch
similarity index 100%
rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/00-fix-typos-in-man-pages.patch
rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/00-fix-typos-in-man-pages.patch
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0006-avoid-using-colon-in-the-checking-msg.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/0006-avoid-using-colon-in-the-checking-msg.patch
similarity index 100%
rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/0006-avoid-using-colon-in-the-checking-msg.patch
rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/0006-avoid-using-colon-in-the-checking-msg.patch
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
new file mode 100644
index 0000000..c37cfcd
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
@@ -0,0 +1,43 @@
+Don't check xsltproc manpages
+
+Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
+
+Index: samba-4.4.2/lib/ldb/wscript
+===================================================================
+--- samba-4.4.2.orig/lib/ldb/wscript
++++ samba-4.4.2/lib/ldb/wscript
+@@ -65,7 +65,7 @@ def configure(conf):
+ conf.define('USING_SYSTEM_LDB', 1)
+
+ if conf.env.standalone_ldb:
+- conf.CHECK_XSLTPROC_MANPAGES()
++ #conf.CHECK_XSLTPROC_MANPAGES()
+
+ # we need this for the ldap backend
+ if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
+Index: samba-4.4.2/lib/talloc/wscript
+===================================================================
+--- samba-4.4.2.orig/lib/talloc/wscript
++++ samba-4.4.2/lib/talloc/wscript
+@@ -56,7 +56,7 @@ def configure(conf):
+ if conf.env.standalone_talloc:
+ conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1
+
+- conf.CHECK_XSLTPROC_MANPAGES()
++ #conf.CHECK_XSLTPROC_MANPAGES()
+
+ if not conf.env.disable_python:
+ # also disable if we don't have the python libs installed
+Index: samba-4.4.2/lib/tdb/wscript
+===================================================================
+--- samba-4.4.2.orig/lib/tdb/wscript
++++ samba-4.4.2/lib/tdb/wscript
+@@ -92,7 +92,7 @@ def configure(conf):
+ not conf.env.disable_tdb_mutex_locking):
+ conf.define('USE_TDB_MUTEX_LOCKING', 1)
+
+- conf.CHECK_XSLTPROC_MANPAGES()
++ #conf.CHECK_XSLTPROC_MANPAGES()
+
+ if not conf.env.disable_python:
+ # also disable if we don't have the python libs installed
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/20-do-not-import-target-module-while-cross-compile.patch
old mode 100755
new mode 100644
similarity index 79%
rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch
rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/20-do-not-import-target-module-while-cross-compile.patch
index 5c20d31..e112b3b
--- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch
+++ b/meta-networking/recipes-connectivity/samba/samba-4.4.2/20-do-not-import-target-module-while-cross-compile.patch
@@ -3,18 +3,19 @@ we just check whether does the module exist.
Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
---- samba-4.1.12.orig/buildtools/wafsamba/samba_bundled.py 2013-06-13 17:21:02.000000000 +0800
-+++ samba-4.1.12/buildtools/wafsamba/samba_bundled.py 2015-07-16 16:57:06.649092158 +0800
-@@ -1,7 +1,7 @@
- # functions to support bundled libraries
+Index: samba-4.4.2/buildtools/wafsamba/samba_bundled.py
+===================================================================
+--- samba-4.4.2.orig/buildtools/wafsamba/samba_bundled.py
++++ samba-4.4.2/buildtools/wafsamba/samba_bundled.py
+@@ -2,6 +2,7 @@
+ import sys
+ import Build, Options, Logs
++import imp, os
from Configure import conf
--import sys, Logs
-+import sys, Logs, imp
- from samba_utils import *
+ from samba_utils import TO_LIST
- def PRIVATE_NAME(bld, name, private_extension, private_library):
-@@ -228,17 +228,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
+@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
# versions
minversion = minimum_library_version(conf, libname, minversion)
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-add-config-option-without-valgrind.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/21-add-config-option-without-valgrind.patch
similarity index 100%
rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/21-add-config-option-without-valgrind.patch
rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/21-add-config-option-without-valgrind.patch
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.1.12.bb b/meta-networking/recipes-connectivity/samba/samba_4.4.2.bb
similarity index 82%
rename from meta-networking/recipes-connectivity/samba/samba_4.1.12.bb
rename to meta-networking/recipes-connectivity/samba/samba_4.4.2.bb
index ff58dae..585df9d 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.1.12.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.4.2.bb
@@ -13,38 +13,14 @@ ${SAMBA_MIRROR} http://www.mirrorservice.org/sites/ftp.samba.org \n \
SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://00-fix-typos-in-man-pages.patch \
- file://01-fix-force-user-sec-ads.patch \
- file://02-fix-ipv6-join.patch \
- file://03-net-ads-kerberos-pac.patch \
- file://04-ipv6-workaround.patch \
- file://05-fix-gecos-field-with-samlogon.patch \
- file://06-fix-nmbd-systemd-status-update.patch \
- file://07-fix-idmap-ad-getgroups-without-gid.patch \
- file://08-fix-idmap-ad-sfu-with-trusted-domains.patch \
- file://09-fix-smbclient-echo-cmd-segfault.patch \
- file://10-improve-service-principal-guessing-in-net.patch \
- file://11-fix-overwriting-of-spns-during-net-ads-join.patch \
- file://12-add-precreated-spns-from-AD-during-keytab-generation.patch \
- file://13-fix-aes-enctype.patch \
- file://14-fix-dnsupdate.patch \
- file://15-fix-netbios-name-truncation.patch \
file://16-do-not-check-xsltproc-manpages.patch \
- file://17-execute-prog-by-qemu.patch \
- file://18-avoid-get-config-by-native-ncurses.patch \
- file://19-systemd-daemon-is-contained-by-libsystemd.patch \
file://20-do-not-import-target-module-while-cross-compile.patch \
file://21-add-config-option-without-valgrind.patch \
- file://0001-waf-sanitize-and-fix-added-cross-answer.patch \
- file://0002-Adds-a-new-mode-to-samba-cross-compiling.patch \
- file://0003-waf-improve-readability-of-cross-answers-generated-b.patch \
- file://0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch \
- file://0005-build-unify-and-fix-endian-tests.patch \
file://0006-avoid-using-colon-in-the-checking-msg.patch \
- file://0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch \
"
-SRC_URI[md5sum] = "232016d7581a1ba11e991ec2674553c4"
-SRC_URI[sha256sum] = "033604674936bf5c77d7df299b0626052b84a41505a6a6afe902f6274fc29898"
+SRC_URI[md5sum] = "03a65a3adf08ceb1636ad59d234d7f9d"
+SRC_URI[sha256sum] = "eaecd41a85ebb9507b8db9856ada2a949376e9d53cf75664b5493658f6e5926a"
inherit systemd waf-samba cpan-base perlnative
# remove default added RDEPENDS on perl
@@ -59,15 +35,15 @@ PACKAGECONFIG ??= "${@base_contains('DISTRO_FEATURES', 'pam', 'pam', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '${SYSVINITTYPE}', '', d)} \
${@base_contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
${@base_contains('DISTRO_FEATURES', 'zeroconf', 'zeroconf', '', d)} \
- acl aio cups ldap \
+ acl cups ldap \
"
RDEPENDS_${PN}-base += "${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'lsb', '', d)}"
+RDEPENDS_${PN}-ctdb-tests += "bash"
PACKAGECONFIG[acl] = "--with-acl-support,--without-acl-support,acl"
-PACKAGECONFIG[aio] = "--with-aio-support,--without-aio-support,libaio"
PACKAGECONFIG[fam] = "--with-fam,--without-fam,gamin"
-PACKAGECONFIG[pam] = "--with-pam --with-pam_smbpass --with-pammodulesdir=${base_libdir}/security,--without-pam --without-pam_smbpass,libpam"
+PACKAGECONFIG[pam] = "--with-pam --with-pammodulesdir=${base_libdir}/security,--without-pam --without-pam_smbpass,libpam"
PACKAGECONFIG[lsb] = ",,lsb"
PACKAGECONFIG[sysv] = ",,sysvinit"
PACKAGECONFIG[cups] = "--enable-cups,--disable-cups,cups"
@@ -78,8 +54,6 @@ PACKAGECONFIG[dmapi] = "--with-dmapi,--without-dmapi,dmapi"
PACKAGECONFIG[zeroconf] = "--enable-avahi,--disable-avahi,avahi"
PACKAGECONFIG[valgrind] = ",--without-valgrind,valgrind,"
-SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'sasl', '', 'file://21-avoid-sasl-unless-wanted.patch', d)}"
-
SAMBA4_IDMAP_MODULES="idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2"
SAMBA4_PDB_MODULES="pdb_tdbsam,${@bb.utils.contains('PACKAGECONFIG', 'ldap', 'pdb_ldap,', '', d)}pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4"
SAMBA4_AUTH_MODULES="auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4"
@@ -87,15 +61,12 @@ SAMBA4_MODULES="${SAMBA4_IDMAP_MODULES},${SAMBA4_PDB_MODULES},${SAMBA4_AUTH_MODU
SAMBA4_LIBS="heimdal,!zlib,!popt,!talloc,!pytalloc,!pytalloc-util,!tevent,!pytevent,!tdb,!pytdb,!ldb,!pyldb"
-PERL_VERNDORLIB="${libdir}/perl5/vendor_perl/${PERLVERSION}"
-
EXTRA_OECONF += "--enable-fhs \
--with-piddir=/run \
--with-sockets-dir=/run/samba \
--with-modulesdir=${libdir}/samba \
--with-lockdir=${localstatedir}/lib/samba \
--with-cachedir=${localstatedir}/lib/samba \
- --with-perl-lib-install-dir=${PERL_VERNDORLIB} \
--disable-gnutls \
--disable-rpath-install \
--with-shared-modules=${SAMBA4_MODULES} \
@@ -104,7 +75,6 @@ EXTRA_OECONF += "--enable-fhs \
--without-ad-dc \
${@base_conditional('TARGET_ARCH', 'x86_64', '', '--disable-glusterfs', d)} \
--with-cluster-support \
- --enable-old-ctdb \
--with-profiling-data \
--with-libiconv=${STAGING_DIR_HOST}${prefix} \
"
@@ -113,13 +83,6 @@ DISABLE_STATIC = ""
LDFLAGS += "-Wl,-z,relro,-z,now"
do_install_append() {
- if [ -d "${D}/run" ]; then
- if [ -d "${D}/run/samba" ]; then
- rmdir --ignore-fail-on-non-empty "${D}/run/samba"
- fi
- rmdir --ignore-fail-on-non-empty "${D}/run"
- fi
-
if ${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'true', 'false', d)}; then
install -d ${D}${systemd_unitdir}/system
for i in nmb smb winbind; do
@@ -127,20 +90,20 @@ do_install_append() {
done
sed -i 's,\(ExecReload=\).*\(/kill\),\1${base_bindir}\2,' ${D}${systemd_unitdir}/system/*.service
- install -d ${D}${sysconfdir}/tmpfiles.d
+ install -d ${D}${sysconfdir}/tmpfiles.d
install -m644 packaging/systemd/samba.conf.tmp ${D}${sysconfdir}/tmpfiles.d/samba.conf
echo "d ${localstatedir}/log/samba 0755 root root -" \
>> ${D}${sysconfdir}/tmpfiles.d/samba.conf
elif ${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'true', 'false', d)}; then
- install -d ${D}${sysconfdir}/init.d
- install -m 0755 packaging/LSB/samba.sh ${D}${sysconfdir}/init.d
- update-rc.d -r ${D} samba.sh start 20 3 5 .
- update-rc.d -r ${D} samba.sh start 20 0 1 6 .
+ install -d ${D}${sysconfdir}/init.d
+ install -m 0755 packaging/LSB/samba.sh ${D}${sysconfdir}/init.d
+ update-rc.d -r ${D} samba.sh start 20 3 5 .
+ update-rc.d -r ${D} samba.sh start 20 0 1 6 .
elif ${@bb.utils.contains('PACKAGECONFIG', 'sysv', 'true', 'false', d)}; then
- install -d ${D}${sysconfdir}/init.d
- install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba.sh
- update-rc.d -r ${D} samba.sh start 20 3 5 .
- update-rc.d -r ${D} samba.sh start 20 0 1 6 .
+ install -d ${D}${sysconfdir}/init.d
+ install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba.sh
+ update-rc.d -r ${D} samba.sh start 20 3 5 .
+ update-rc.d -r ${D} samba.sh start 20 0 1 6 .
fi
install -d ${D}${sysconfdir}/samba
@@ -149,11 +112,13 @@ do_install_append() {
install -d ${D}${sysconfdir}/sysconfig/
install -m644 packaging/systemd/samba.sysconfig ${D}${sysconfdir}/sysconfig/samba
+
+ rm -rf ${D}/run ${D}${localstatedir}/run
}
PACKAGES += "${PN}-python ${PN}-python-dbg ${PN}-pidl libwinbind libwinbind-dbg libwinbind-krb5-locator"
PACKAGES =+ "libwbclient libnss-winbind winbind winbind-dbg libnetapi libsmbsharemodes \
- libsmbclient libsmbclient-dev lib${PN}-base ${PN}-base"
+ libsmbclient libsmbclient-dev lib${PN}-base ${PN}-base ${PN}-ctdb-tests"
RDEPENDS_${PN} += "${PN}-base"
@@ -166,6 +131,12 @@ FILES_${PN}-base = "${sbindir}/nmbd \
${localstatedir}/spool/samba \
"
+FILES_${PN}-ctdb-tests = "${bindir}/ctdb_run_tests \
+ ${libdir}/ctdb-tests \
+ ${datadir}/ctdb-tests \
+ /run/ctdb \
+ "
+
# figured out by
# FILES="tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/samba/4.1.12-r0/image/usr/sbin/smbd tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/samba/4.1.12-r0/image/usr/sbin/nmbd"
#
@@ -312,16 +283,20 @@ FILES_libwinbind-dbg = "${base_libdir}/security/.debug/pam_winbind.so"
FILES_libwinbind-krb5-locator = "${libdir}/winbind_krb5_locator.so"
FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.so \
+ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/_ldb_text.py \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/*.py \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/*.so \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/*.so \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/*.py \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/external/* \
+ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/kcc/* \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/netcmd/*.py \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/provision/*.py \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/*.py \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/*.so \
+ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/subunit/* \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/tests/* \
+ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/third_party/* \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/web_server/* \
"
@@ -332,4 +307,4 @@ FILES_${PN}-python-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.d
"
RDEPENDS_${PN}-pidl_append = " perl"
-FILES_${PN}-pidl = "${bindir}/pidl ${PERL_VERNDORLIB}/*"
+FILES_${PN}-pidl = "${bindir}/pidl ${datadir}/perl5/Parse"
--
1.9.1
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [meta-networking][PATCH 5/5] samba: Update to latest stable
2016-04-18 21:00 ` [meta-networking][PATCH 5/5] samba: " Joe MacDonald
@ 2016-04-19 9:15 ` Martin Jansa
2016-04-19 13:01 ` Joe MacDonald
0 siblings, 1 reply; 16+ messages in thread
From: Martin Jansa @ 2016-04-19 9:15 UTC (permalink / raw)
To: openembedded-devel
[-- Attachment #1: Type: text/plain, Size: 1368667 bytes --]
On Mon, Apr 18, 2016 at 05:00:53PM -0400, Joe MacDonald wrote:
> The previous version of Samba had many critical security updates that
> would've required significant backporting effort. Update to the latest
> stable release instead.
Does it fix floating dependency on libpam as well?
> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
> ---
> ...1-waf-sanitize-and-fix-added-cross-answer.patch | 60 -
> ...-Adds-a-new-mode-to-samba-cross-compiling.patch | 112 -
> ...-readability-of-cross-answers-generated-b.patch | 66 -
> ...wafsamba-CHECK_SIZEOF-cross-compile-frien.patch | 72 -
> .../0005-build-unify-and-fix-endian-tests.patch | 169 -
> ...sing-of-cross-answers-file-in-case-answer.patch | 36 -
> .../samba-4.1.12/01-fix-force-user-sec-ads.patch | 1448 -
> .../samba/samba-4.1.12/02-fix-ipv6-join.patch | 266 -
> .../samba-4.1.12/03-net-ads-kerberos-pac.patch | 962 -
> .../samba/samba-4.1.12/04-ipv6-workaround.patch | 211 -
> .../05-fix-gecos-field-with-samlogon.patch | 29894 -------------------
> .../06-fix-nmbd-systemd-status-update.patch | 97 -
> .../07-fix-idmap-ad-getgroups-without-gid.patch | 42 -
> .../08-fix-idmap-ad-sfu-with-trusted-domains.patch | 44 -
> .../09-fix-smbclient-echo-cmd-segfault.patch | 35 -
> ...improve-service-principal-guessing-in-net.patch | 180 -
> ...x-overwriting-of-spns-during-net-ads-join.patch | 329 -
> ...ted-spns-from-AD-during-keytab-generation.patch | 159 -
> .../samba/samba-4.1.12/13-fix-aes-enctype.patch | 988 -
> .../samba/samba-4.1.12/14-fix-dnsupdate.patch | 51 -
> .../15-fix-netbios-name-truncation.patch | 154 -
> .../16-do-not-check-xsltproc-manpages.patch | 52 -
> .../samba-4.1.12/17-execute-prog-by-qemu.patch | 22 -
> .../18-avoid-get-config-by-native-ncurses.patch | 22 -
> ...systemd-daemon-is-contained-by-libsystemd.patch | 42 -
> .../samba-4.1.12/21-avoid-sasl-unless-wanted.patch | 10 -
> .../00-fix-typos-in-man-pages.patch | 0
> ...006-avoid-using-colon-in-the-checking-msg.patch | 0
> .../16-do-not-check-xsltproc-manpages.patch | 43 +
> ...-import-target-module-while-cross-compile.patch | 19 +-
> .../21-add-config-option-without-valgrind.patch | 0
> .../samba/{samba_4.1.12.bb => samba_4.4.2.bb} | 81 +-
> 32 files changed, 81 insertions(+), 35585 deletions(-)
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
> rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/00-fix-typos-in-man-pages.patch (100%)
> rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/0006-avoid-using-colon-in-the-checking-msg.patch (100%)
> create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
> rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/20-do-not-import-target-module-while-cross-compile.patch (79%)
> mode change 100755 => 100644
> rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/21-add-config-option-without-valgrind.patch (100%)
> rename meta-networking/recipes-connectivity/samba/{samba_4.1.12.bb => samba_4.4.2.bb} (82%)
>
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
> deleted file mode 100644
> index 69668c0..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
> +++ /dev/null
> @@ -1,60 +0,0 @@
> -From 1b32c7d7f148bcf2598799b21dfa3ba1ed824d32 Mon Sep 17 00:00:00 2001
> -From: Uri Simchoni <urisimchoni@gmail.com>
> -Date: Mon, 18 May 2015 21:12:06 +0300
> -Subject: [PATCH 1/7] waf: sanitize and fix added cross answer
> -
> -When configuring samba for cross-compilation using the cross-answers
> -method, the function add_answer receives the standard output and exit code
> -of a configuration test and updates the cross-answers file accordingly.
> -
> -This patch sanitizes the standard output to conform to the cross-answers
> -file format - one line of output. It also adds a missing newline.
> -
> -(Note - at this point add_answer is only ever called with empty output
> -but this change is significant for the reminder of this patchset)
> -
> -Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> -
> -Upstream-Status: Backport
> -
> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> ----
> - buildtools/wafsamba/samba_cross.py | 13 +++++++++++--
> - 1 file changed, 11 insertions(+), 2 deletions(-)
> -
> -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
> -index 3838e34..fc1d78e 100644
> ---- a/buildtools/wafsamba/samba_cross.py
> -+++ b/buildtools/wafsamba/samba_cross.py
> -@@ -19,6 +19,16 @@ def add_answer(ca_file, msg, answer):
> - except:
> - Logs.error("Unable to open cross-answers file %s" % ca_file)
> - sys.exit(1)
> -+ (retcode, retstring) = answer
> -+ # if retstring is more than one line then we probably
> -+ # don't care about its actual content (the tests should
> -+ # yield one-line output in order to comply with the cross-answer
> -+ # format)
> -+ retstring = retstring.strip()
> -+ if len(retstring.split('\n')) > 1:
> -+ retstring = ''
> -+ answer = (retcode, retstring)
> -+
> - if answer == ANSWER_OK:
> - f.write('%s: OK\n' % msg)
> - elif answer == ANSWER_UNKNOWN:
> -@@ -26,8 +36,7 @@ def add_answer(ca_file, msg, answer):
> - elif answer == ANSWER_FAIL:
> - f.write('%s: FAIL\n' % msg)
> - else:
> -- (retcode, retstring) = answer
> -- f.write('%s: (%d, "%s")' % (msg, retcode, retstring))
> -+ f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
> - f.close()
> -
> -
> ---
> -1.9.1
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
> deleted file mode 100644
> index fce3abc..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
> +++ /dev/null
> @@ -1,112 +0,0 @@
> -From add52538b9a0ccf66ca87c7a691bf59901765849 Mon Sep 17 00:00:00 2001
> -From: Uri Simchoni <urisimchoni@gmail.com>
> -Date: Mon, 18 May 2015 21:15:19 +0300
> -Subject: [PATCH 2/7] Adds a new mode to samba cross-compiling.
> -
> -When both --cross-answers and --cross-execute are set, this means:
> -- Use cross-answers
> -- If answer is unknown, then instead of adding UNKNOWN to the cross-answers
> - file and failing configure, the new mode runs cross-execute to determine the
> - answer and adds that to the cross-answers file.
> -
> -Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> -
> -Upstream-Status: Backport
> -
> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> ----
> - buildtools/wafsamba/samba_cross.py | 46 ++++++++++++++++++++++++++++----------
> - 1 file changed, 34 insertions(+), 12 deletions(-)
> -
> -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
> -index fc1d78e..3f1ef12 100644
> ---- a/buildtools/wafsamba/samba_cross.py
> -+++ b/buildtools/wafsamba/samba_cross.py
> -@@ -45,7 +45,6 @@ def cross_answer(ca_file, msg):
> - try:
> - f = open(ca_file, 'r')
> - except:
> -- add_answer(ca_file, msg, ANSWER_UNKNOWN)
> - return ANSWER_UNKNOWN
> - for line in f:
> - line = line.strip()
> -@@ -78,7 +77,6 @@ def cross_answer(ca_file, msg):
> - else:
> - raise Utils.WafError("Bad answer format '%s' in %s" % (line, ca_file))
> - f.close()
> -- add_answer(ca_file, msg, ANSWER_UNKNOWN)
> - return ANSWER_UNKNOWN
> -
> -
> -@@ -86,24 +84,47 @@ class cross_Popen(Utils.pproc.Popen):
> - '''cross-compilation wrapper for Popen'''
> - def __init__(*k, **kw):
> - (obj, args) = k
> --
> -- if '--cross-execute' in args:
> -- # when --cross-execute is set, then change the arguments
> -- # to use the cross emulator
> -- i = args.index('--cross-execute')
> -- newargs = args[i+1].split()
> -- newargs.extend(args[0:i])
> -- args = newargs
> -- elif '--cross-answers' in args:
> -+ use_answers = False
> -+ ans = ANSWER_UNKNOWN
> -+
> -+ # Three possibilities:
> -+ # 1. Only cross-answers - try the cross-answers file, and if
> -+ # there's no corresponding answer, add to the file and mark
> -+ # the configure process as unfinished.
> -+ # 2. Only cross-execute - get the answer from cross-execute
> -+ # 3. Both - try the cross-answers file, and if there is no
> -+ # corresponding answer - use cross-execute to get an answer,
> -+ # and add that answer to the file.
> -+ if '--cross-answers' in args:
> - # when --cross-answers is set, then change the arguments
> - # to use the cross answers if available
> -+ use_answers = True
> - i = args.index('--cross-answers')
> - ca_file = args[i+1]
> - msg = args[i+2]
> - ans = cross_answer(ca_file, msg)
> -+
> -+ if '--cross-execute' in args and ans == ANSWER_UNKNOWN:
> -+ # when --cross-execute is set, then change the arguments
> -+ # to use the cross emulator
> -+ i = args.index('--cross-execute')
> -+ newargs = args[i+1].split()
> -+ newargs.extend(args[0:i])
> -+ if use_answers:
> -+ p = real_Popen(newargs,
> -+ stdout=Utils.pproc.PIPE,
> -+ stderr=Utils.pproc.PIPE)
> -+ ce_out, ce_err = p.communicate()
> -+ ans = (p.returncode, ce_out)
> -+ add_answer(ca_file, msg, ans)
> -+ else:
> -+ args = newargs
> -+
> -+ if use_answers:
> - if ans == ANSWER_UNKNOWN:
> - global cross_answers_incomplete
> - cross_answers_incomplete = True
> -+ add_answer(ca_file, msg, ans)
> - (retcode, retstring) = ans
> - args = ['/bin/sh', '-c', "echo -n '%s'; exit %d" % (retstring, retcode)]
> - real_Popen.__init__(*(obj, args), **kw)
> -@@ -124,7 +145,8 @@ def SAMBA_CROSS_ARGS(conf, msg=None):
> -
> - if conf.env.CROSS_EXECUTE:
> - ret.extend(['--cross-execute', conf.env.CROSS_EXECUTE])
> -- elif conf.env.CROSS_ANSWERS:
> -+
> -+ if conf.env.CROSS_ANSWERS:
> - if msg is None:
> - raise Utils.WafError("Cannot have NULL msg in cross-answers")
> - ret.extend(['--cross-answers', os.path.join(Options.launch_dir, conf.env.CROSS_ANSWERS), msg])
> ---
> -1.9.1
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
> deleted file mode 100644
> index ec17d9d..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
> +++ /dev/null
> @@ -1,66 +0,0 @@
> -From f7052d633396005563e44509428503f42c9faa97 Mon Sep 17 00:00:00 2001
> -From: Jackie Huang <jackie.huang@windriver.com>
> -Date: Thu, 12 Nov 2015 01:00:11 -0500
> -Subject: [PATCH 3/7] waf: improve readability of cross-answers generated by cross-execute
> -
> -When generating a result for cross-answers from the (retcode, retstring) tuple:
> -- (0, "output") indicated as "output"
> -- 1 is interpreted as generic fail code, instead of 255, because most
> - if not all tests fail with 1 as exit code rather than 255
> -- For failing test, use NO instead of FAIL, because that's not
> - necessarily a failure (it could mean that something is NOT
> - broken)
> -
> -Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> -
> -Upstream-Status: Backport
> -
> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> ----
> - buildtools/wafsamba/samba_cross.py | 13 ++++++++-----
> - 1 file changed, 8 insertions(+), 5 deletions(-)
> -
> -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
> -index 3f1ef12..d1e7006 100644
> ---- a/buildtools/wafsamba/samba_cross.py
> -+++ b/buildtools/wafsamba/samba_cross.py
> -@@ -6,7 +6,7 @@ from Configure import conf
> - real_Popen = None
> -
> - ANSWER_UNKNOWN = (254, "")
> --ANSWER_FAIL = (255, "")
> -+ANSWER_NO = (1, "")
> - ANSWER_OK = (0, "")
> -
> - cross_answers_incomplete = False
> -@@ -33,10 +33,13 @@ def add_answer(ca_file, msg, answer):
> - f.write('%s: OK\n' % msg)
> - elif answer == ANSWER_UNKNOWN:
> - f.write('%s: UNKNOWN\n' % msg)
> -- elif answer == ANSWER_FAIL:
> -- f.write('%s: FAIL\n' % msg)
> -+ elif answer == ANSWER_NO:
> -+ f.write('%s: NO\n' % msg)
> - else:
> -- f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
> -+ if retcode == 0:
> -+ f.write('%s: "%s"\n' % (msg, retstring))
> -+ else:
> -+ f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
> - f.close()
> -
> -
> -@@ -64,7 +67,7 @@ def cross_answer(ca_file, msg):
> - return ANSWER_UNKNOWN
> - elif ans == "FAIL" or ans == "NO":
> - f.close()
> -- return ANSWER_FAIL
> -+ return ANSWER_NO
> - elif ans[0] == '"':
> - return (0, ans.strip('"'))
> - elif ans[0] == "'":
> ---
> -1.9.1
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
> deleted file mode 100644
> index 3fbb770..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
> +++ /dev/null
> @@ -1,72 +0,0 @@
> -From 8ffb1892b5c42d8d29124d274aa4b5f1726d7e9f Mon Sep 17 00:00:00 2001
> -From: Gustavo Zacarias <gustavo@zacarias.com.ar>
> -Date: Mon, 21 Apr 2014 10:18:16 -0300
> -Subject: [PATCH 4/7] build: make wafsamba CHECK_SIZEOF cross-compile friendly
> -
> -Use the same trick as commit 0d9bb86293c9d39298786df095c73a6251b08b7e
> -We do the same array trick iteratively starting from 1 (byte) by powers
> -of 2 up to 32.
> -
> -The new 'critical' option is used to make the invocation die or not
> -according to each test.
> -The default is True since normally it's expected to find a proper
> -result and should error out if not.
> -
> -Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: David Disseldorp <ddiss@samba.org>
> -
> -Upstream-Status: Backport
> -
> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> ----
> - buildtools/wafsamba/samba_autoconf.py | 28 ++++++++++++++++------------
> - 1 file changed, 16 insertions(+), 12 deletions(-)
> -
> -diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
> -index fe110bd..59953d9 100644
> ---- a/buildtools/wafsamba/samba_autoconf.py
> -+++ b/buildtools/wafsamba/samba_autoconf.py
> -@@ -304,23 +304,27 @@ def CHECK_FUNCS(conf, list, link=True, lib=None, headers=None):
> -
> -
> - @conf
> --def CHECK_SIZEOF(conf, vars, headers=None, define=None):
> -+def CHECK_SIZEOF(conf, vars, headers=None, define=None, critical=True):
> - '''check the size of a type'''
> -- ret = True
> - for v in TO_LIST(vars):
> - v_define = define
> -+ ret = False
> - if v_define is None:
> - v_define = 'SIZEOF_%s' % v.upper().replace(' ', '_')
> -- if not CHECK_CODE(conf,
> -- 'printf("%%u", (unsigned)sizeof(%s))' % v,
> -- define=v_define,
> -- execute=True,
> -- define_ret=True,
> -- quote=False,
> -- headers=headers,
> -- local_include=False,
> -- msg="Checking size of %s" % v):
> -- ret = False
> -+ for size in list((1, 2, 4, 8, 16, 32)):
> -+ if CHECK_CODE(conf,
> -+ 'static int test_array[1 - 2 * !(((long int)(sizeof(%s))) <= %d)];' % (v, size),
> -+ define=v_define,
> -+ quote=False,
> -+ headers=headers,
> -+ local_include=False,
> -+ msg="Checking if size of %s == %d" % (v, size)):
> -+ conf.DEFINE(v_define, size)
> -+ ret = True
> -+ break
> -+ if not ret and critical:
> -+ Logs.error("Couldn't determine size of '%s'" % v)
> -+ sys.exit(1)
> - return ret
> -
> - @conf
> ---
> -1.9.1
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
> deleted file mode 100644
> index 5546b6d..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
> +++ /dev/null
> @@ -1,169 +0,0 @@
> -From 81379b6b14ea725c72953be2170b382403ed8728 Mon Sep 17 00:00:00 2001
> -From: Gustavo Zacarias <gustavo@zacarias.com.ar>
> -Date: Mon, 21 Apr 2014 10:18:15 -0300
> -Subject: [PATCH 5/7] build: unify and fix endian tests
> -
> -Unify the endian tests out of lib/ccan/wscript into wafsamba since
> -they're almost cross-compile friendly.
> -While at it fix them to be so by moving the preprocessor directives out
> -of main scope since that will fail.
> -And keep the WORDS_BIGENDIAN, HAVE_LITTLE_ENDIAN and HAVE_BIG_ENDIAN
> -defines separate because of different codebases.
> -
> -Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: David Disseldorp <ddiss@samba.org>
> -
> -Upstream-Status: Backport
> -
> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> ----
> - buildtools/wafsamba/wscript | 65 ++++++++++++++++++++++++++++++++++++++++++---
> - lib/ccan/wscript | 55 --------------------------------------
> - 2 files changed, 62 insertions(+), 58 deletions(-)
> -
> -diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
> -index 7984227..1a2cfe6 100755
> ---- a/buildtools/wafsamba/wscript
> -+++ b/buildtools/wafsamba/wscript
> -@@ -390,9 +390,68 @@ def configure(conf):
> - else:
> - conf.define('SHLIBEXT', "so", quote=True)
> -
> -- conf.CHECK_CODE('long one = 1; return ((char *)(&one))[0]',
> -- execute=True,
> -- define='WORDS_BIGENDIAN')
> -+ # First try a header check for cross-compile friendlyness
> -+ conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
> -+ #define B __BYTE_ORDER
> -+ #elif defined(BYTE_ORDER)
> -+ #define B BYTE_ORDER
> -+ #endif
> -+
> -+ #ifdef __LITTLE_ENDIAN
> -+ #define LITTLE __LITTLE_ENDIAN
> -+ #elif defined(LITTLE_ENDIAN)
> -+ #define LITTLE LITTLE_ENDIAN
> -+ #endif
> -+
> -+ #if !defined(LITTLE) || !defined(B) || LITTLE != B
> -+ #error Not little endian.
> -+ #endif
> -+ int main(void) { return 0; }""",
> -+ addmain=False,
> -+ headers="endian.h sys/endian.h",
> -+ define="HAVE_LITTLE_ENDIAN")
> -+ conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
> -+ #define B __BYTE_ORDER
> -+ #elif defined(BYTE_ORDER)
> -+ #define B BYTE_ORDER
> -+ #endif
> -+
> -+ #ifdef __BIG_ENDIAN
> -+ #define BIG __BIG_ENDIAN
> -+ #elif defined(BIG_ENDIAN)
> -+ #define BIG BIG_ENDIAN
> -+ #endif
> -+
> -+ #if !defined(BIG) || !defined(B) || BIG != B
> -+ #error Not big endian.
> -+ #endif
> -+ int main(void) { return 0; }""",
> -+ addmain=False,
> -+ headers="endian.h sys/endian.h",
> -+ define="HAVE_BIG_ENDIAN")
> -+
> -+ if not conf.CONFIG_SET("HAVE_BIG_ENDIAN") and not conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
> -+ # That didn't work! Do runtime test.
> -+ conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
> -+ u.i = 0x01020304;
> -+ return u.c[0] == 0x04 && u.c[1] == 0x03 && u.c[2] == 0x02 && u.c[3] == 0x01 ? 0 : 1;""",
> -+ addmain=True, execute=True,
> -+ define='HAVE_LITTLE_ENDIAN',
> -+ msg="Checking for HAVE_LITTLE_ENDIAN - runtime")
> -+ conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
> -+ u.i = 0x01020304;
> -+ return u.c[0] == 0x01 && u.c[1] == 0x02 && u.c[2] == 0x03 && u.c[3] == 0x04 ? 0 : 1;""",
> -+ addmain=True, execute=True,
> -+ define='HAVE_BIG_ENDIAN',
> -+ msg="Checking for HAVE_BIG_ENDIAN - runtime")
> -+
> -+ # Extra sanity check.
> -+ if conf.CONFIG_SET("HAVE_BIG_ENDIAN") == conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
> -+ Logs.error("Failed endian determination. The PDP-11 is back?")
> -+ sys.exit(1)
> -+ else:
> -+ if conf.CONFIG_SET("HAVE_BIG_ENDIAN"):
> -+ conf.DEFINE('WORDS_BIGENDIAN', 1)
> -
> - # check if signal() takes a void function
> - if conf.CHECK_CODE('return *(signal (0, 0)) (0) == 1',
> -diff --git a/lib/ccan/wscript b/lib/ccan/wscript
> -index a0b5406..5b3a910 100644
> ---- a/lib/ccan/wscript
> -+++ b/lib/ccan/wscript
> -@@ -25,61 +25,6 @@ def configure(conf):
> - conf.CHECK_CODE('int __attribute__((used)) func(int x) { return x; }',
> - addmain=False, link=False, cflags=conf.env['WERROR_CFLAGS'],
> - define='HAVE_ATTRIBUTE_USED')
> -- # We try to use headers for a compile-time test.
> -- conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
> -- #define B __BYTE_ORDER
> -- #elif defined(BYTE_ORDER)
> -- #define B BYTE_ORDER
> -- #endif
> --
> -- #ifdef __LITTLE_ENDIAN
> -- #define LITTLE __LITTLE_ENDIAN
> -- #elif defined(LITTLE_ENDIAN)
> -- #define LITTLE LITTLE_ENDIAN
> -- #endif
> --
> -- #if !defined(LITTLE) || !defined(B) || LITTLE != B
> -- #error Not little endian.
> -- #endif""",
> -- headers="endian.h sys/endian.h",
> -- define="HAVE_LITTLE_ENDIAN")
> -- conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
> -- #define B __BYTE_ORDER
> -- #elif defined(BYTE_ORDER)
> -- #define B BYTE_ORDER
> -- #endif
> --
> -- #ifdef __BIG_ENDIAN
> -- #define BIG __BIG_ENDIAN
> -- #elif defined(BIG_ENDIAN)
> -- #define BIG BIG_ENDIAN
> -- #endif
> --
> -- #if !defined(BIG) || !defined(B) || BIG != B
> -- #error Not big endian.
> -- #endif""",
> -- headers="endian.h sys/endian.h",
> -- define="HAVE_BIG_ENDIAN")
> --
> -- if not conf.CONFIG_SET("HAVE_BIG_ENDIAN") and not conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
> -- # That didn't work! Do runtime test.
> -- conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
> -- u.i = 0x01020304;
> -- return u.c[0] == 0x04 && u.c[1] == 0x03 && u.c[2] == 0x02 && u.c[3] == 0x01 ? 0 : 1;""",
> -- addmain=True, execute=True,
> -- define='HAVE_LITTLE_ENDIAN',
> -- msg="Checking for HAVE_LITTLE_ENDIAN - runtime")
> -- conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
> -- u.i = 0x01020304;
> -- return u.c[0] == 0x01 && u.c[1] == 0x02 && u.c[2] == 0x03 && u.c[3] == 0x04 ? 0 : 1;""",
> -- addmain=True, execute=True,
> -- define='HAVE_BIG_ENDIAN',
> -- msg="Checking for HAVE_BIG_ENDIAN - runtime")
> --
> -- # Extra sanity check.
> -- if conf.CONFIG_SET("HAVE_BIG_ENDIAN") == conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
> -- Logs.error("Failed endian determination. The PDP-11 is back?")
> -- sys.exit(1)
> -
> - conf.CHECK_CODE('return __builtin_choose_expr(1, 0, "garbage");',
> - link=True,
> ---
> -1.9.1
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
> deleted file mode 100644
> index de0d32c..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
> +++ /dev/null
> @@ -1,36 +0,0 @@
> -From 649c731526dc1473bd1804d2903d7559e63616da Mon Sep 17 00:00:00 2001
> -From: Uri Simchoni <urisimchoni@gmail.com>
> -Date: Mon, 4 May 2015 09:12:45 +0300
> -Subject: [PATCH 7/7] waf: Fix parsing of cross-answers file in case answer includes a colon
> -
> -The answer provided in the cross-answers file may include a colon,
> -as in:
> -Checking uname version type: "#57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014"
> -
> -Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> -
> -Upstream-Status: Backport
> -
> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> ----
> - buildtools/wafsamba/samba_cross.py | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
> -index d1e7006..7961212 100644
> ---- a/buildtools/wafsamba/samba_cross.py
> -+++ b/buildtools/wafsamba/samba_cross.py
> -@@ -54,7 +54,7 @@ def cross_answer(ca_file, msg):
> - if line == '' or line[0] == '#':
> - continue
> - if line.find(':') != -1:
> -- a = line.split(':')
> -+ a = line.split(':', 1)
> - thismsg = a[0].strip()
> - if thismsg != msg:
> - continue
> ---
> -1.9.1
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
> deleted file mode 100644
> index 6c08ccc..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
> +++ /dev/null
> @@ -1,1448 +0,0 @@
> -From 80f3551d4f594438dcc93dd82a7953c4a913badd Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Mon, 16 Dec 2013 12:57:20 +0100
> -Subject: [PATCH 1/7] s3-lib: Add winbind_lookup_usersids().
> -
> -Pair-Programmed-With: Guenther Deschner <gd@samba.org>
> -Signed-off-by: Guenther Deschner <gd@samba.org>
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -
> -(cherry picked from commit 241e98d8ee099f9cc5feb835085b4abd2b1ee663)
> ----
> - source3/lib/winbind_util.c | 34 +++++
> - source3/lib/winbind_util.h | 4 +
> - source3/passdb/ABI/pdb-0.1.0.sigs | 311 ++++++++++++++++++++++++++++++++++++++
> - source3/wscript_build | 2 +-
> - 4 files changed, 350 insertions(+), 1 deletion(-)
> - create mode 100644 source3/passdb/ABI/pdb-0.1.0.sigs
> -
> -diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c
> -index b458ebe..f62682b 100644
> ---- a/source3/lib/winbind_util.c
> -+++ b/source3/lib/winbind_util.c
> -@@ -342,6 +342,40 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
> - return true;
> - }
> -
> -+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
> -+ const struct dom_sid *user_sid,
> -+ uint32_t *p_num_sids,
> -+ struct dom_sid **p_sids)
> -+{
> -+ wbcErr ret;
> -+ struct wbcDomainSid dom_sid;
> -+ struct wbcDomainSid *sid_list = NULL;
> -+ uint32_t num_sids;
> -+
> -+ memcpy(&dom_sid, user_sid, sizeof(dom_sid));
> -+
> -+ ret = wbcLookupUserSids(&dom_sid,
> -+ false,
> -+ &num_sids,
> -+ &sid_list);
> -+ if (ret != WBC_ERR_SUCCESS) {
> -+ return false;
> -+ }
> -+
> -+ *p_sids = talloc_array(mem_ctx, struct dom_sid, num_sids);
> -+ if (*p_sids == NULL) {
> -+ wbcFreeMemory(sid_list);
> -+ return false;
> -+ }
> -+
> -+ memcpy(*p_sids, sid_list, sizeof(dom_sid) * num_sids);
> -+
> -+ *p_num_sids = num_sids;
> -+ wbcFreeMemory(sid_list);
> -+
> -+ return true;
> -+}
> -+
> - #else /* WITH_WINBIND */
> -
> - struct passwd * winbind_getpwnam(const char * name)
> -diff --git a/source3/lib/winbind_util.h b/source3/lib/winbind_util.h
> -index 541bb95..abbc5a9 100644
> ---- a/source3/lib/winbind_util.h
> -+++ b/source3/lib/winbind_util.h
> -@@ -58,5 +58,9 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
> - size_t num_members,
> - uint32_t **pp_alias_rids,
> - size_t *p_num_alias_rids);
> -+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
> -+ const struct dom_sid *user_sid,
> -+ uint32_t *p_num_sids,
> -+ struct dom_sid **p_sids);
> -
> - #endif /* __LIB__WINBIND_UTIL_H__ */
> -diff --git a/source3/passdb/ABI/pdb-0.1.0.sigs b/source3/passdb/ABI/pdb-0.1.0.sigs
> -new file mode 100644
> -index 0000000..f4de9c4
> ---- /dev/null
> -+++ b/source3/passdb/ABI/pdb-0.1.0.sigs
> -@@ -0,0 +1,311 @@
> -+PDB_secrets_clear_domain_protection: bool (const char *)
> -+PDB_secrets_fetch_domain_guid: bool (const char *, struct GUID *)
> -+PDB_secrets_fetch_domain_sid: bool (const char *, struct dom_sid *)
> -+PDB_secrets_mark_domain_protected: bool (const char *)
> -+PDB_secrets_store_domain_guid: bool (const char *, struct GUID *)
> -+PDB_secrets_store_domain_sid: bool (const char *, const struct dom_sid *)
> -+account_policy_get: bool (enum pdb_policy_type, uint32_t *)
> -+account_policy_get_default: bool (enum pdb_policy_type, uint32_t *)
> -+account_policy_get_desc: const char *(enum pdb_policy_type)
> -+account_policy_name_to_typenum: enum pdb_policy_type (const char *)
> -+account_policy_names_list: void (TALLOC_CTX *, const char ***, int *)
> -+account_policy_set: bool (enum pdb_policy_type, uint32_t)
> -+add_initial_entry: NTSTATUS (gid_t, const char *, enum lsa_SidType, const char *, const char *)
> -+algorithmic_pdb_gid_to_group_rid: uint32_t (gid_t)
> -+algorithmic_pdb_rid_is_user: bool (uint32_t)
> -+algorithmic_pdb_uid_to_user_rid: uint32_t (uid_t)
> -+algorithmic_pdb_user_rid_to_uid: uid_t (uint32_t)
> -+algorithmic_rid_base: int (void)
> -+builtin_domain_name: const char *(void)
> -+cache_account_policy_get: bool (enum pdb_policy_type, uint32_t *)
> -+cache_account_policy_set: bool (enum pdb_policy_type, uint32_t)
> -+create_builtin_administrators: NTSTATUS (const struct dom_sid *)
> -+create_builtin_users: NTSTATUS (const struct dom_sid *)
> -+decode_account_policy_name: const char *(enum pdb_policy_type)
> -+get_account_pol_db: struct db_context *(void)
> -+get_account_policy_attr: const char *(enum pdb_policy_type)
> -+get_domain_group_from_sid: bool (struct dom_sid, GROUP_MAP *)
> -+get_primary_group_sid: NTSTATUS (TALLOC_CTX *, const char *, struct passwd **, struct dom_sid **)
> -+get_privileges_for_sid_as_set: NTSTATUS (TALLOC_CTX *, PRIVILEGE_SET **, struct dom_sid *)
> -+get_privileges_for_sids: bool (uint64_t *, struct dom_sid *, int)
> -+get_trust_pw_clear: bool (const char *, char **, const char **, enum netr_SchannelType *)
> -+get_trust_pw_hash: bool (const char *, uint8_t *, const char **, enum netr_SchannelType *)
> -+gid_to_sid: void (struct dom_sid *, gid_t)
> -+gid_to_unix_groups_sid: void (gid_t, struct dom_sid *)
> -+grab_named_mutex: struct named_mutex *(TALLOC_CTX *, const char *, int)
> -+grant_all_privileges: bool (const struct dom_sid *)
> -+grant_privilege_by_name: bool (const struct dom_sid *, const char *)
> -+grant_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *)
> -+groupdb_tdb_init: const struct mapping_backend *(void)
> -+init_account_policy: bool (void)
> -+init_buffer_from_samu: uint32_t (uint8_t **, struct samu *, bool)
> -+init_samu_from_buffer: bool (struct samu *, uint32_t, uint8_t *, uint32_t)
> -+initialize_password_db: bool (bool, struct tevent_context *)
> -+is_dc_trusted_domain_situation: bool (const char *)
> -+is_privileged_sid: bool (const struct dom_sid *)
> -+local_password_change: NTSTATUS (const char *, int, const char *, char **, char **)
> -+login_cache_delentry: bool (const struct samu *)
> -+login_cache_init: bool (void)
> -+login_cache_read: bool (struct samu *, struct login_cache *)
> -+login_cache_shutdown: bool (void)
> -+login_cache_write: bool (const struct samu *, const struct login_cache *)
> -+lookup_builtin_name: bool (const char *, uint32_t *)
> -+lookup_builtin_rid: bool (TALLOC_CTX *, uint32_t, const char **)
> -+lookup_global_sam_name: bool (const char *, int, uint32_t *, enum lsa_SidType *)
> -+lookup_name: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *)
> -+lookup_name_smbconf: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *)
> -+lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *)
> -+lookup_sids: NTSTATUS (TALLOC_CTX *, int, const struct dom_sid **, int, struct lsa_dom_info **, struct lsa_name_info **)
> -+lookup_unix_group_name: bool (const char *, struct dom_sid *)
> -+lookup_unix_user_name: bool (const char *, struct dom_sid *)
> -+lookup_wellknown_name: bool (TALLOC_CTX *, const char *, struct dom_sid *, const char **)
> -+lookup_wellknown_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **)
> -+make_pdb_method: NTSTATUS (struct pdb_methods **)
> -+make_pdb_method_name: NTSTATUS (struct pdb_methods **, const char *)
> -+max_algorithmic_gid: gid_t (void)
> -+max_algorithmic_uid: uid_t (void)
> -+my_sam_name: const char *(void)
> -+pdb_add_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *)
> -+pdb_add_group_mapping_entry: NTSTATUS (GROUP_MAP *)
> -+pdb_add_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t)
> -+pdb_add_sam_account: NTSTATUS (struct samu *)
> -+pdb_build_fields_present: uint32_t (struct samu *)
> -+pdb_capabilities: uint32_t (void)
> -+pdb_copy_sam_account: bool (struct samu *, struct samu *)
> -+pdb_create_alias: NTSTATUS (const char *, uint32_t *)
> -+pdb_create_builtin: NTSTATUS (uint32_t)
> -+pdb_create_builtin_alias: NTSTATUS (uint32_t, gid_t)
> -+pdb_create_dom_group: NTSTATUS (TALLOC_CTX *, const char *, uint32_t *)
> -+pdb_create_user: NTSTATUS (TALLOC_CTX *, const char *, uint32_t, uint32_t *)
> -+pdb_decode_acct_ctrl: uint32_t (const char *)
> -+pdb_default_add_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *)
> -+pdb_default_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
> -+pdb_default_alias_memberships: NTSTATUS (struct pdb_methods *, TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
> -+pdb_default_create_alias: NTSTATUS (struct pdb_methods *, const char *, uint32_t *)
> -+pdb_default_del_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *)
> -+pdb_default_delete_alias: NTSTATUS (struct pdb_methods *, const struct dom_sid *)
> -+pdb_default_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid)
> -+pdb_default_enum_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *)
> -+pdb_default_enum_group_mapping: NTSTATUS (struct pdb_methods *, const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool)
> -+pdb_default_get_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *)
> -+pdb_default_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t)
> -+pdb_default_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *)
> -+pdb_default_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid)
> -+pdb_default_set_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *)
> -+pdb_default_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
> -+pdb_del_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *)
> -+pdb_del_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t)
> -+pdb_del_trusted_domain: NTSTATUS (const char *)
> -+pdb_del_trusteddom_pw: bool (const char *)
> -+pdb_delete_alias: NTSTATUS (const struct dom_sid *)
> -+pdb_delete_dom_group: NTSTATUS (TALLOC_CTX *, uint32_t)
> -+pdb_delete_group_mapping_entry: NTSTATUS (struct dom_sid)
> -+pdb_delete_sam_account: NTSTATUS (struct samu *)
> -+pdb_delete_secret: NTSTATUS (const char *)
> -+pdb_delete_user: NTSTATUS (TALLOC_CTX *, struct samu *)
> -+pdb_element_is_changed: bool (const struct samu *, enum pdb_elements)
> -+pdb_element_is_set_or_changed: bool (const struct samu *, enum pdb_elements)
> -+pdb_encode_acct_ctrl: char *(uint32_t, size_t)
> -+pdb_enum_alias_memberships: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
> -+pdb_enum_aliasmem: NTSTATUS (const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *)
> -+pdb_enum_group_mapping: bool (const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool)
> -+pdb_enum_group_members: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, uint32_t **, size_t *)
> -+pdb_enum_group_memberships: NTSTATUS (TALLOC_CTX *, struct samu *, struct dom_sid **, gid_t **, uint32_t *)
> -+pdb_enum_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct pdb_trusted_domain ***)
> -+pdb_enum_trusteddoms: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***)
> -+pdb_enum_upn_suffixes: NTSTATUS (TALLOC_CTX *, uint32_t *, char ***)
> -+pdb_find_backend_entry: struct pdb_init_function_entry *(const char *)
> -+pdb_get_account_policy: bool (enum pdb_policy_type, uint32_t *)
> -+pdb_get_acct_ctrl: uint32_t (const struct samu *)
> -+pdb_get_acct_desc: const char *(const struct samu *)
> -+pdb_get_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *)
> -+pdb_get_backend_private_data: void *(const struct samu *, const struct pdb_methods *)
> -+pdb_get_backends: const struct pdb_init_function_entry *(void)
> -+pdb_get_bad_password_count: uint16_t (const struct samu *)
> -+pdb_get_bad_password_time: time_t (const struct samu *)
> -+pdb_get_code_page: uint16_t (const struct samu *)
> -+pdb_get_comment: const char *(const struct samu *)
> -+pdb_get_country_code: uint16_t (const struct samu *)
> -+pdb_get_dir_drive: const char *(const struct samu *)
> -+pdb_get_domain: const char *(const struct samu *)
> -+pdb_get_domain_info: struct pdb_domain_info *(TALLOC_CTX *)
> -+pdb_get_fullname: const char *(const struct samu *)
> -+pdb_get_group_rid: uint32_t (struct samu *)
> -+pdb_get_group_sid: const struct dom_sid *(struct samu *)
> -+pdb_get_homedir: const char *(const struct samu *)
> -+pdb_get_hours: const uint8_t *(const struct samu *)
> -+pdb_get_hours_len: uint32_t (const struct samu *)
> -+pdb_get_init_flags: enum pdb_value_state (const struct samu *, enum pdb_elements)
> -+pdb_get_kickoff_time: time_t (const struct samu *)
> -+pdb_get_lanman_passwd: const uint8_t *(const struct samu *)
> -+pdb_get_logoff_time: time_t (const struct samu *)
> -+pdb_get_logon_count: uint16_t (const struct samu *)
> -+pdb_get_logon_divs: uint16_t (const struct samu *)
> -+pdb_get_logon_script: const char *(const struct samu *)
> -+pdb_get_logon_time: time_t (const struct samu *)
> -+pdb_get_munged_dial: const char *(const struct samu *)
> -+pdb_get_nt_passwd: const uint8_t *(const struct samu *)
> -+pdb_get_nt_username: const char *(const struct samu *)
> -+pdb_get_pass_can_change: bool (const struct samu *)
> -+pdb_get_pass_can_change_time: time_t (const struct samu *)
> -+pdb_get_pass_can_change_time_noncalc: time_t (const struct samu *)
> -+pdb_get_pass_last_set_time: time_t (const struct samu *)
> -+pdb_get_pass_must_change_time: time_t (const struct samu *)
> -+pdb_get_plaintext_passwd: const char *(const struct samu *)
> -+pdb_get_profile_path: const char *(const struct samu *)
> -+pdb_get_pw_history: const uint8_t *(const struct samu *, uint32_t *)
> -+pdb_get_secret: NTSTATUS (TALLOC_CTX *, const char *, DATA_BLOB *, NTTIME *, DATA_BLOB *, NTTIME *, struct security_descriptor **)
> -+pdb_get_seq_num: bool (time_t *)
> -+pdb_get_tevent_context: struct tevent_context *(void)
> -+pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct pdb_trusted_domain **)
> -+pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *, struct pdb_trusted_domain **)
> -+pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *)
> -+pdb_get_unknown_6: uint32_t (const struct samu *)
> -+pdb_get_user_rid: uint32_t (const struct samu *)
> -+pdb_get_user_sid: const struct dom_sid *(const struct samu *)
> -+pdb_get_username: const char *(const struct samu *)
> -+pdb_get_workstations: const char *(const struct samu *)
> -+pdb_getgrgid: bool (GROUP_MAP *, gid_t)
> -+pdb_getgrnam: bool (GROUP_MAP *, const char *)
> -+pdb_getgrsid: bool (GROUP_MAP *, struct dom_sid)
> -+pdb_gethexhours: bool (const char *, unsigned char *)
> -+pdb_gethexpwd: bool (const char *, unsigned char *)
> -+pdb_getsampwnam: bool (struct samu *, const char *)
> -+pdb_getsampwsid: bool (struct samu *, const struct dom_sid *)
> -+pdb_gid_to_sid: bool (gid_t, struct dom_sid *)
> -+pdb_group_rid_to_gid: gid_t (uint32_t)
> -+pdb_increment_bad_password_count: bool (struct samu *)
> -+pdb_is_password_change_time_max: bool (time_t)
> -+pdb_is_responsible_for_builtin: bool (void)
> -+pdb_is_responsible_for_our_sam: bool (void)
> -+pdb_is_responsible_for_unix_groups: bool (void)
> -+pdb_is_responsible_for_unix_users: bool (void)
> -+pdb_is_responsible_for_wellknown: bool (void)
> -+pdb_lookup_rids: NTSTATUS (const struct dom_sid *, int, uint32_t *, const char **, enum lsa_SidType *)
> -+pdb_new_rid: bool (uint32_t *)
> -+pdb_nop_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
> -+pdb_nop_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid)
> -+pdb_nop_enum_group_mapping: NTSTATUS (struct pdb_methods *, enum lsa_SidType, GROUP_MAP **, size_t *, bool)
> -+pdb_nop_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t)
> -+pdb_nop_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *)
> -+pdb_nop_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid)
> -+pdb_nop_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
> -+pdb_rename_sam_account: NTSTATUS (struct samu *, const char *)
> -+pdb_search_aliases: struct pdb_search *(TALLOC_CTX *, const struct dom_sid *)
> -+pdb_search_entries: uint32_t (struct pdb_search *, uint32_t, uint32_t, struct samr_displayentry **)
> -+pdb_search_groups: struct pdb_search *(TALLOC_CTX *)
> -+pdb_search_init: struct pdb_search *(TALLOC_CTX *, enum pdb_search_type)
> -+pdb_search_users: struct pdb_search *(TALLOC_CTX *, uint32_t)
> -+pdb_set_account_policy: bool (enum pdb_policy_type, uint32_t)
> -+pdb_set_acct_ctrl: bool (struct samu *, uint32_t, enum pdb_value_state)
> -+pdb_set_acct_desc: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *)
> -+pdb_set_backend_private_data: bool (struct samu *, void *, void (*)(void **), const struct pdb_methods *, enum pdb_value_state)
> -+pdb_set_bad_password_count: bool (struct samu *, uint16_t, enum pdb_value_state)
> -+pdb_set_bad_password_time: bool (struct samu *, time_t, enum pdb_value_state)
> -+pdb_set_code_page: bool (struct samu *, uint16_t, enum pdb_value_state)
> -+pdb_set_comment: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_country_code: bool (struct samu *, uint16_t, enum pdb_value_state)
> -+pdb_set_dir_drive: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_domain: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_fullname: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_group_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state)
> -+pdb_set_group_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state)
> -+pdb_set_homedir: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_hours: bool (struct samu *, const uint8_t *, int, enum pdb_value_state)
> -+pdb_set_hours_len: bool (struct samu *, uint32_t, enum pdb_value_state)
> -+pdb_set_init_flags: bool (struct samu *, enum pdb_elements, enum pdb_value_state)
> -+pdb_set_kickoff_time: bool (struct samu *, time_t, enum pdb_value_state)
> -+pdb_set_lanman_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state)
> -+pdb_set_logoff_time: bool (struct samu *, time_t, enum pdb_value_state)
> -+pdb_set_logon_count: bool (struct samu *, uint16_t, enum pdb_value_state)
> -+pdb_set_logon_divs: bool (struct samu *, uint16_t, enum pdb_value_state)
> -+pdb_set_logon_script: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_logon_time: bool (struct samu *, time_t, enum pdb_value_state)
> -+pdb_set_munged_dial: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_nt_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state)
> -+pdb_set_nt_username: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_pass_can_change: bool (struct samu *, bool)
> -+pdb_set_pass_can_change_time: bool (struct samu *, time_t, enum pdb_value_state)
> -+pdb_set_pass_last_set_time: bool (struct samu *, time_t, enum pdb_value_state)
> -+pdb_set_plaintext_passwd: bool (struct samu *, const char *)
> -+pdb_set_plaintext_pw_only: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_profile_path: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_pw_history: bool (struct samu *, const uint8_t *, uint32_t, enum pdb_value_state)
> -+pdb_set_secret: NTSTATUS (const char *, DATA_BLOB *, DATA_BLOB *, struct security_descriptor *)
> -+pdb_set_trusted_domain: NTSTATUS (const char *, const struct pdb_trusted_domain *)
> -+pdb_set_trusteddom_pw: bool (const char *, const char *, const struct dom_sid *)
> -+pdb_set_unix_primary_group: NTSTATUS (TALLOC_CTX *, struct samu *)
> -+pdb_set_unknown_6: bool (struct samu *, uint32_t, enum pdb_value_state)
> -+pdb_set_upn_suffixes: NTSTATUS (uint32_t, const char **)
> -+pdb_set_user_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state)
> -+pdb_set_user_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state)
> -+pdb_set_user_sid_from_string: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_username: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_set_workstations: bool (struct samu *, const char *, enum pdb_value_state)
> -+pdb_sethexhours: void (char *, const unsigned char *)
> -+pdb_sethexpwd: void (char *, const unsigned char *, uint32_t)
> -+pdb_sid_to_id: bool (const struct dom_sid *, struct unixid *)
> -+pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct unixid *)
> -+pdb_uid_to_sid: bool (uid_t, struct dom_sid *)
> -+pdb_update_autolock_flag: bool (struct samu *, bool *)
> -+pdb_update_bad_password_count: bool (struct samu *, bool *)
> -+pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *)
> -+pdb_update_login_attempts: NTSTATUS (struct samu *, bool)
> -+pdb_update_sam_account: NTSTATUS (struct samu *)
> -+privilege_create_account: NTSTATUS (const struct dom_sid *)
> -+privilege_delete_account: NTSTATUS (const struct dom_sid *)
> -+privilege_enum_sids: NTSTATUS (enum sec_privilege, TALLOC_CTX *, struct dom_sid **, int *)
> -+privilege_enumerate_accounts: NTSTATUS (struct dom_sid **, int *)
> -+revoke_all_privileges: bool (const struct dom_sid *)
> -+revoke_privilege_by_name: bool (const struct dom_sid *, const char *)
> -+revoke_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *)
> -+samu_alloc_rid_unix: NTSTATUS (struct pdb_methods *, struct samu *, const struct passwd *)
> -+samu_new: struct samu *(TALLOC_CTX *)
> -+samu_set_unix: NTSTATUS (struct samu *, const struct passwd *)
> -+secrets_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***)
> -+sid_check_is_builtin: bool (const struct dom_sid *)
> -+sid_check_is_for_passdb: bool (const struct dom_sid *)
> -+sid_check_is_in_builtin: bool (const struct dom_sid *)
> -+sid_check_is_in_unix_groups: bool (const struct dom_sid *)
> -+sid_check_is_in_unix_users: bool (const struct dom_sid *)
> -+sid_check_is_in_wellknown_domain: bool (const struct dom_sid *)
> -+sid_check_is_unix_groups: bool (const struct dom_sid *)
> -+sid_check_is_unix_users: bool (const struct dom_sid *)
> -+sid_check_is_wellknown_builtin: bool (const struct dom_sid *)
> -+sid_check_is_wellknown_domain: bool (const struct dom_sid *, const char **)
> -+sid_check_object_is_for_passdb: bool (const struct dom_sid *)
> -+sid_to_gid: bool (const struct dom_sid *, gid_t *)
> -+sid_to_uid: bool (const struct dom_sid *, uid_t *)
> -+sids_to_unixids: bool (const struct dom_sid *, uint32_t, struct unixid *)
> -+smb_add_user_group: int (const char *, const char *)
> -+smb_create_group: int (const char *, gid_t *)
> -+smb_delete_group: int (const char *)
> -+smb_delete_user_group: int (const char *, const char *)
> -+smb_nscd_flush_group_cache: void (void)
> -+smb_nscd_flush_user_cache: void (void)
> -+smb_register_passdb: NTSTATUS (int, const char *, pdb_init_function)
> -+smb_set_primary_group: int (const char *, const char *)
> -+uid_to_sid: void (struct dom_sid *, uid_t)
> -+uid_to_unix_users_sid: void (uid_t, struct dom_sid *)
> -+unix_groups_domain_name: const char *(void)
> -+unix_users_domain_name: const char *(void)
> -+unixid_from_both: void (struct unixid *, uint32_t)
> -+unixid_from_gid: void (struct unixid *, uint32_t)
> -+unixid_from_uid: void (struct unixid *, uint32_t)
> -+wb_is_trusted_domain: wbcErr (const char *)
> -+winbind_allocate_gid: bool (gid_t *)
> -+winbind_allocate_uid: bool (uid_t *)
> -+winbind_get_groups: bool (TALLOC_CTX *, const char *, uint32_t *, gid_t **)
> -+winbind_get_sid_aliases: bool (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
> -+winbind_getpwnam: struct passwd *(const char *)
> -+winbind_getpwsid: struct passwd *(const struct dom_sid *)
> -+winbind_gid_to_sid: bool (struct dom_sid *, gid_t)
> -+winbind_lookup_name: bool (const char *, const char *, struct dom_sid *, enum lsa_SidType *)
> -+winbind_lookup_rids: bool (TALLOC_CTX *, const struct dom_sid *, int, uint32_t *, const char **, const char ***, enum lsa_SidType **)
> -+winbind_lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *)
> -+winbind_lookup_usersids: bool (TALLOC_CTX *, const struct dom_sid *, uint32_t *, struct dom_sid **)
> -+winbind_ping: bool (void)
> -+winbind_sid_to_gid: bool (gid_t *, const struct dom_sid *)
> -+winbind_sid_to_uid: bool (uid_t *, const struct dom_sid *)
> -+winbind_uid_to_sid: bool (struct dom_sid *, uid_t)
> -diff --git a/source3/wscript_build b/source3/wscript_build
> -index e0432bf..6d6b6aa 100755
> ---- a/source3/wscript_build
> -+++ b/source3/wscript_build
> -@@ -736,7 +736,7 @@ bld.SAMBA3_LIBRARY('pdb',
> - passdb/lookup_sid.h''',
> - abi_match=private_pdb_match,
> - abi_directory='passdb/ABI',
> -- vnum='0',
> -+ vnum='0.1.0',
> - vars=locals())
> -
> - bld.SAMBA3_LIBRARY('smbldaphelper',
> ---
> -1.8.5.2
> -
> -
> -From 91debcafd196a9e821efddce0a9d75c48f8e168d Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Fri, 13 Dec 2013 19:08:34 +0100
> -Subject: [PATCH 2/7] s3-auth: Add passwd_to_SamInfo3().
> -
> -First this function tries to contacts winbind if the user is a domain
> -user to get valid information about it. If winbind isn't running it will
> -try to create everything from the passwd struct. This is not always
> -reliable but works in most cases. It improves the current situation
> -which doesn't talk to winbind at all.
> -
> -Pair-Programmed-With: Guenther Deschner <gd@samba.org>
> -Signed-off-by: Guenther Deschner <gd@samba.org>
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 1bb11c7744df6928cb8a096373ab920366b38770)
> ----
> - source3/auth/proto.h | 4 ++
> - source3/auth/server_info.c | 116 +++++++++++++++++++++++++++++++++++++++++++++
> - 2 files changed, 120 insertions(+)
> -
> -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> -index 76661fc..8385e66 100644
> ---- a/source3/auth/proto.h
> -+++ b/source3/auth/proto.h
> -@@ -286,6 +286,10 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> - const char *login_server,
> - struct netr_SamInfo3 **_info3,
> - struct extra_auth_info *extra);
> -+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
> -+ const char *unix_username,
> -+ const struct passwd *pwd,
> -+ struct netr_SamInfo3 **pinfo3);
> - struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> - struct netr_SamInfo3 *orig);
> - struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> -diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
> -index d2b7d6e..46d8178 100644
> ---- a/source3/auth/server_info.c
> -+++ b/source3/auth/server_info.c
> -@@ -24,6 +24,7 @@
> - #include "../libcli/security/security.h"
> - #include "rpc_client/util_netlogon.h"
> - #include "nsswitch/libwbclient/wbclient.h"
> -+#include "lib/winbind_util.h"
> - #include "passdb.h"
> -
> - #undef DBGC_CLASS
> -@@ -436,6 +437,121 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> - return NT_STATUS_OK;
> - }
> -
> -+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
> -+ const char *unix_username,
> -+ const struct passwd *pwd,
> -+ struct netr_SamInfo3 **pinfo3)
> -+{
> -+ struct netr_SamInfo3 *info3;
> -+ NTSTATUS status;
> -+ TALLOC_CTX *tmp_ctx;
> -+ const char *domain_name = NULL;
> -+ const char *user_name = NULL;
> -+ struct dom_sid domain_sid;
> -+ struct dom_sid user_sid;
> -+ struct dom_sid group_sid;
> -+ enum lsa_SidType type;
> -+ uint32_t num_sids = 0;
> -+ struct dom_sid *user_sids = NULL;
> -+ bool ok;
> -+
> -+ tmp_ctx = talloc_stackframe();
> -+
> -+ ok = lookup_name_smbconf(tmp_ctx,
> -+ unix_username,
> -+ LOOKUP_NAME_ALL,
> -+ &domain_name,
> -+ &user_name,
> -+ &user_sid,
> -+ &type);
> -+ if (!ok) {
> -+ status = NT_STATUS_NO_SUCH_USER;
> -+ goto done;
> -+ }
> -+
> -+ if (type != SID_NAME_USER) {
> -+ status = NT_STATUS_NO_SUCH_USER;
> -+ goto done;
> -+ }
> -+
> -+ ok = winbind_lookup_usersids(tmp_ctx,
> -+ &user_sid,
> -+ &num_sids,
> -+ &user_sids);
> -+ /* Check if winbind is running */
> -+ if (ok) {
> -+ /*
> -+ * Winbind is running and the first element of the user_sids
> -+ * is the primary group.
> -+ */
> -+ if (num_sids > 0) {
> -+ group_sid = user_sids[0];
> -+ }
> -+ } else {
> -+ /*
> -+ * Winbind is not running, create the group_sid from the
> -+ * group id.
> -+ */
> -+ gid_to_sid(&group_sid, pwd->pw_gid);
> -+ }
> -+
> -+ /* Make sure we have a valid group sid */
> -+ ok = !is_null_sid(&group_sid);
> -+ if (!ok) {
> -+ status = NT_STATUS_NO_SUCH_USER;
> -+ goto done;
> -+ }
> -+
> -+ /* Construct a netr_SamInfo3 from the information we have */
> -+ info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3);
> -+ if (!info3) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ goto done;
> -+ }
> -+
> -+ info3->base.account_name.string = talloc_strdup(info3, unix_username);
> -+ if (info3->base.account_name.string == NULL) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ goto done;
> -+ }
> -+
> -+ ZERO_STRUCT(domain_sid);
> -+
> -+ sid_copy(&domain_sid, &user_sid);
> -+ sid_split_rid(&domain_sid, &info3->base.rid);
> -+ info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
> -+
> -+ ok = sid_peek_check_rid(&domain_sid, &group_sid,
> -+ &info3->base.primary_gid);
> -+ if (!ok) {
> -+ DEBUG(1, ("The primary group domain sid(%s) does not "
> -+ "match the domain sid(%s) for %s(%s)\n",
> -+ sid_string_dbg(&group_sid),
> -+ sid_string_dbg(&domain_sid),
> -+ unix_username,
> -+ sid_string_dbg(&user_sid)));
> -+ status = NT_STATUS_INVALID_SID;
> -+ goto done;
> -+ }
> -+
> -+ info3->base.acct_flags = ACB_NORMAL;
> -+
> -+ if (num_sids) {
> -+ status = group_sids_to_info3(info3, user_sids, num_sids);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ goto done;
> -+ }
> -+ }
> -+
> -+ *pinfo3 = talloc_steal(mem_ctx, info3);
> -+
> -+ status = NT_STATUS_OK;
> -+done:
> -+ talloc_free(tmp_ctx);
> -+
> -+ return status;
> -+}
> -+
> - #undef RET_NOMEM
> -
> - #define RET_NOMEM(ptr) do { \
> ---
> -1.8.5.2
> -
> -
> -From c7b7670dc5cd8dbf727258666b6417d67afafb33 Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Fri, 13 Dec 2013 19:11:01 +0100
> -Subject: [PATCH 3/7] s3-auth: Pass talloc context to make_server_info_pw().
> -
> -Pair-Programmed-With: Guenther Deschner <gd@samba.org>
> -Signed-off-by: Guenther Deschner <gd@samba.org>
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 1b59c9743cf3fbd66b0b8b52162b2cc8d922e5cf)
> ----
> - source3/auth/auth_unix.c | 7 +++++--
> - source3/auth/auth_util.c | 52 +++++++++++++++++++++++++++++-------------------
> - source3/auth/proto.h | 7 ++++---
> - source3/auth/user_krb5.c | 5 +----
> - 4 files changed, 42 insertions(+), 29 deletions(-)
> -
> -diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
> -index c8b5435..7b483a2 100644
> ---- a/source3/auth/auth_unix.c
> -+++ b/source3/auth/auth_unix.c
> -@@ -67,8 +67,11 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
> - unbecome_root();
> -
> - if (NT_STATUS_IS_OK(nt_status)) {
> -- if (pass) {
> -- make_server_info_pw(server_info, pass->pw_name, pass);
> -+ if (pass != NULL) {
> -+ nt_status = make_server_info_pw(mem_ctx,
> -+ pass->pw_name,
> -+ pass,
> -+ server_info);
> - } else {
> - /* we need to do somthing more useful here */
> - nt_status = NT_STATUS_NO_SUCH_USER;
> -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> -index ceaa706..b225b0d 100644
> ---- a/source3/auth/auth_util.c
> -+++ b/source3/auth/auth_util.c
> -@@ -639,14 +639,15 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
> - to a struct samu
> - ***************************************************************************/
> -
> --NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> -- char *unix_username,
> -- struct passwd *pwd)
> -+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
> -+ const char *unix_username,
> -+ const struct passwd *pwd,
> -+ struct auth_serversupplied_info **server_info)
> - {
> - NTSTATUS status;
> - struct samu *sampass = NULL;
> - char *qualified_name = NULL;
> -- TALLOC_CTX *mem_ctx = NULL;
> -+ TALLOC_CTX *tmp_ctx;
> - struct dom_sid u_sid;
> - enum lsa_SidType type;
> - struct auth_serversupplied_info *result;
> -@@ -664,27 +665,27 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> - * plaintext passwords were used with no SAM backend.
> - */
> -
> -- mem_ctx = talloc_init("make_server_info_pw_tmp");
> -- if (!mem_ctx) {
> -+ tmp_ctx = talloc_stackframe();
> -+ if (tmp_ctx == NULL) {
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
> -+ qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
> - unix_users_domain_name(),
> - unix_username );
> - if (!qualified_name) {
> -- TALLOC_FREE(mem_ctx);
> -+ TALLOC_FREE(tmp_ctx);
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
> -+ if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
> - NULL, NULL,
> - &u_sid, &type)) {
> -- TALLOC_FREE(mem_ctx);
> -+ TALLOC_FREE(tmp_ctx);
> - return NT_STATUS_NO_SUCH_USER;
> - }
> -
> -- TALLOC_FREE(mem_ctx);
> -+ TALLOC_FREE(tmp_ctx);
> -
> - if (type != SID_NAME_USER) {
> - return NT_STATUS_NO_SUCH_USER;
> -@@ -707,7 +708,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> - /* set the user sid to be the calculated u_sid */
> - pdb_set_user_sid(sampass, &u_sid, PDB_SET);
> -
> -- result = make_server_info(NULL);
> -+ result = make_server_info(mem_ctx);
> - if (result == NULL) {
> - TALLOC_FREE(sampass);
> - return NT_STATUS_NO_MEMORY;
> -@@ -992,25 +993,36 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
> - struct passwd *pwd;
> - NTSTATUS status;
> - struct auth_serversupplied_info *result;
> -+ TALLOC_CTX *tmp_ctx;
> -
> -- pwd = Get_Pwnam_alloc(talloc_tos(), username);
> -- if (pwd == NULL) {
> -- return NT_STATUS_NO_SUCH_USER;
> -+ tmp_ctx = talloc_stackframe();
> -+ if (tmp_ctx == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> - }
> -
> -- status = make_server_info_pw(&result, pwd->pw_name, pwd);
> -+ pwd = Get_Pwnam_alloc(tmp_ctx, username);
> -+ if (pwd == NULL) {
> -+ status = NT_STATUS_NO_SUCH_USER;
> -+ goto done;
> -+ }
> -
> -+ status = make_server_info_pw(tmp_ctx, pwd->pw_name, pwd, &result);
> - if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -+ goto done;
> - }
> -
> - result->nss_token = true;
> - result->guest = is_guest;
> -
> - /* Now turn the server_info into a session_info with the full token etc */
> -- status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info);
> -- TALLOC_FREE(result);
> -- TALLOC_FREE(pwd);
> -+ status = create_local_token(mem_ctx,
> -+ result,
> -+ NULL,
> -+ pwd->pw_name,
> -+ session_info);
> -+
> -+done:
> -+ talloc_free(tmp_ctx);
> -
> - return status;
> - }
> -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> -index 8385e66..7abca07 100644
> ---- a/source3/auth/proto.h
> -+++ b/source3/auth/proto.h
> -@@ -206,9 +206,10 @@ bool user_in_group_sid(const char *username, const struct dom_sid *group_sid);
> - bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid);
> - bool user_in_group(const char *username, const char *groupname);
> - struct passwd;
> --NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> -- char *unix_username,
> -- struct passwd *pwd);
> -+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
> -+ const char *unix_username,
> -+ const struct passwd *pwd,
> -+ struct auth_serversupplied_info **server_info);
> - NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
> - const char *username,
> - bool is_guest,
> -diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
> -index 974a8aa..7d44285 100644
> ---- a/source3/auth/user_krb5.c
> -+++ b/source3/auth/user_krb5.c
> -@@ -242,7 +242,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> - */
> - DEBUG(10, ("didn't find user %s in passdb, calling "
> - "make_server_info_pw\n", username));
> -- status = make_server_info_pw(&tmp, username, pw);
> -+ status = make_server_info_pw(mem_ctx, username, pw, &tmp);
> - }
> -
> - TALLOC_FREE(sampass);
> -@@ -253,9 +253,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> - return status;
> - }
> -
> -- /* Steal tmp server info into the server_info pointer. */
> -- server_info = talloc_move(mem_ctx, &tmp);
> --
> - /* make_server_info_pw does not set the domain. Without this
> - * we end up with the local netbios name in substitutions for
> - * %D. */
> ---
> -1.8.5.2
> -
> -
> -From 4fbd13598e8bdc6acf41329f71de806de4265f36 Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Fri, 13 Dec 2013 19:19:02 +0100
> -Subject: [PATCH 4/7] s3-auth: Add passwd_to_SamInfo3().
> -
> -Correctly lookup users which come from smb.conf. passwd_to_SamInfo3()
> -tries to contact winbind if the user is a domain user to get
> -valid information about it. If winbind isn't running it will try to
> -create everything from the passwd struct. This is not always reliable
> -but works in most cases. It improves the current situation which doesn't
> -talk to winbind at all.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
> -
> -Pair-Programmed-With: Guenther Deschner <gd@samba.org>
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -
> -Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
> -Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104
> -
> -(cherry picked from commit 40e6456b5896e934fcd581c2cac2389984256e09)
> ----
> - source3/auth/auth_util.c | 87 +++++++++-------------------------------------
> - source3/auth/server_info.c | 22 ++++++++++--
> - 2 files changed, 36 insertions(+), 73 deletions(-)
> -
> -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> -index b225b0d..24190af 100644
> ---- a/source3/auth/auth_util.c
> -+++ b/source3/auth/auth_util.c
> -@@ -645,98 +645,43 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
> - struct auth_serversupplied_info **server_info)
> - {
> - NTSTATUS status;
> -- struct samu *sampass = NULL;
> -- char *qualified_name = NULL;
> -- TALLOC_CTX *tmp_ctx;
> -- struct dom_sid u_sid;
> -- enum lsa_SidType type;
> -+ TALLOC_CTX *tmp_ctx = NULL;
> - struct auth_serversupplied_info *result;
> -
> -- /*
> -- * The SID returned in server_info->sam_account is based
> -- * on our SAM sid even though for a pure UNIX account this should
> -- * not be the case as it doesn't really exist in the SAM db.
> -- * This causes lookups on "[in]valid users" to fail as they
> -- * will lookup this name as a "Unix User" SID to check against
> -- * the user token. Fix this by adding the "Unix User"\unix_username
> -- * SID to the sid array. The correct fix should probably be
> -- * changing the server_info->sam_account user SID to be a
> -- * S-1-22 Unix SID, but this might break old configs where
> -- * plaintext passwords were used with no SAM backend.
> -- */
> --
> - tmp_ctx = talloc_stackframe();
> - if (tmp_ctx == NULL) {
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
> -- unix_users_domain_name(),
> -- unix_username );
> -- if (!qualified_name) {
> -- TALLOC_FREE(tmp_ctx);
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
> -- NULL, NULL,
> -- &u_sid, &type)) {
> -- TALLOC_FREE(tmp_ctx);
> -- return NT_STATUS_NO_SUCH_USER;
> -- }
> --
> -- TALLOC_FREE(tmp_ctx);
> --
> -- if (type != SID_NAME_USER) {
> -- return NT_STATUS_NO_SUCH_USER;
> -- }
> --
> -- if ( !(sampass = samu_new( NULL )) ) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- status = samu_set_unix( sampass, pwd );
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> --
> -- /* In pathological cases the above call can set the account
> -- * name to the DOMAIN\username form. Reset the account name
> -- * using unix_username */
> -- pdb_set_username(sampass, unix_username, PDB_SET);
> --
> -- /* set the user sid to be the calculated u_sid */
> -- pdb_set_user_sid(sampass, &u_sid, PDB_SET);
> --
> -- result = make_server_info(mem_ctx);
> -+ result = make_server_info(tmp_ctx);
> - if (result == NULL) {
> -- TALLOC_FREE(sampass);
> -- return NT_STATUS_NO_MEMORY;
> -+ status = NT_STATUS_NO_MEMORY;
> -+ goto done;
> - }
> -
> -- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
> -- &result->info3, &result->extra);
> -- TALLOC_FREE(sampass);
> -+ status = passwd_to_SamInfo3(result,
> -+ unix_username,
> -+ pwd,
> -+ &result->info3);
> - if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(10, ("Failed to convert samu to info3: %s\n",
> -- nt_errstr(status)));
> -- TALLOC_FREE(result);
> -- return status;
> -+ goto done;
> - }
> -
> - result->unix_name = talloc_strdup(result, unix_username);
> --
> - if (result->unix_name == NULL) {
> -- TALLOC_FREE(result);
> -- return NT_STATUS_NO_MEMORY;
> -+ status = NT_STATUS_NO_MEMORY;
> -+ goto done;
> - }
> -
> - result->utok.uid = pwd->pw_uid;
> - result->utok.gid = pwd->pw_gid;
> -
> -- *server_info = result;
> -+ *server_info = talloc_steal(mem_ctx, result);
> -+ status = NT_STATUS_OK;
> -+done:
> -+ talloc_free(tmp_ctx);
> -
> -- return NT_STATUS_OK;
> -+ return status;
> - }
> -
> - static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
> -diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
> -index 46d8178..43711d5 100644
> ---- a/source3/auth/server_info.c
> -+++ b/source3/auth/server_info.c
> -@@ -489,10 +489,28 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
> - }
> - } else {
> - /*
> -- * Winbind is not running, create the group_sid from the
> -- * group id.
> -+ * Winbind is not running, try to create the group_sid from the
> -+ * passwd group id.
> -+ */
> -+
> -+ /*
> -+ * This can lead to a primary group of S-1-22-2-XX which
> -+ * will be rejected by other Samba code.
> - */
> - gid_to_sid(&group_sid, pwd->pw_gid);
> -+
> -+ ZERO_STRUCT(domain_sid);
> -+
> -+ /*
> -+ * If we are a unix group, set the group_sid to the
> -+ * 'Domain Users' RID of 513 which will always resolve to a
> -+ * name.
> -+ */
> -+ if (sid_check_is_in_unix_groups(&group_sid)) {
> -+ sid_compose(&group_sid,
> -+ get_global_sam_sid(),
> -+ DOMAIN_RID_USERS);
> -+ }
> - }
> -
> - /* Make sure we have a valid group sid */
> ---
> -1.8.5.2
> -
> -
> -From 76bb5e0888f4131ab773d90160051a51c401c90d Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Tue, 18 Feb 2014 10:02:57 +0100
> -Subject: [PATCH 5/7] s3-auth: Pass mem_ctx to make_server_info_sam().
> -
> -Coverity-Id: 1168009
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -
> -Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 3dc72266005e87a291f5bf9847257e8c54314d39)
> ----
> - source3/auth/check_samsec.c | 2 +-
> - source3/auth/proto.h | 5 ++--
> - source3/auth/server_info_sam.c | 56 +++++++++++++++++++++++++++---------------
> - source3/auth/user_krb5.c | 12 +++++----
> - 4 files changed, 47 insertions(+), 28 deletions(-)
> -
> -diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
> -index 7ed8cc2..b6cac60 100644
> ---- a/source3/auth/check_samsec.c
> -+++ b/source3/auth/check_samsec.c
> -@@ -482,7 +482,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
> - }
> -
> - become_root();
> -- nt_status = make_server_info_sam(server_info, sampass);
> -+ nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
> - unbecome_root();
> -
> - TALLOC_FREE(sampass);
> -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> -index 7abca07..eac3e54 100644
> ---- a/source3/auth/proto.h
> -+++ b/source3/auth/proto.h
> -@@ -190,8 +190,9 @@ bool make_user_info_guest(const struct tsocket_address *remote_address,
> - struct auth_usersupplied_info **user_info);
> -
> - struct samu;
> --NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
> -- struct samu *sampass);
> -+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
> -+ struct samu *sampass,
> -+ struct auth_serversupplied_info **pserver_info);
> - NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
> - const struct auth_serversupplied_info *server_info,
> - DATA_BLOB *session_key,
> -diff --git a/source3/auth/server_info_sam.c b/source3/auth/server_info_sam.c
> -index 5d657f9..47087b1 100644
> ---- a/source3/auth/server_info_sam.c
> -+++ b/source3/auth/server_info_sam.c
> -@@ -58,39 +58,51 @@ static bool is_our_machine_account(const char *username)
> - Make (and fill) a user_info struct from a struct samu
> - ***************************************************************************/
> -
> --NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
> -- struct samu *sampass)
> -+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
> -+ struct samu *sampass,
> -+ struct auth_serversupplied_info **pserver_info)
> - {
> - struct passwd *pwd;
> -- struct auth_serversupplied_info *result;
> -+ struct auth_serversupplied_info *server_info;
> - const char *username = pdb_get_username(sampass);
> -+ TALLOC_CTX *tmp_ctx;
> - NTSTATUS status;
> -
> -- if ( !(result = make_server_info(NULL)) ) {
> -+ tmp_ctx = talloc_stackframe();
> -+ if (tmp_ctx == NULL) {
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- if ( !(pwd = Get_Pwnam_alloc(result, username)) ) {
> -+ server_info = make_server_info(tmp_ctx);
> -+ if (server_info == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ pwd = Get_Pwnam_alloc(tmp_ctx, username);
> -+ if (pwd == NULL) {
> - DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
> - pdb_get_username(sampass)));
> -- TALLOC_FREE(result);
> -- return NT_STATUS_NO_SUCH_USER;
> -+ status = NT_STATUS_NO_SUCH_USER;
> -+ goto out;
> - }
> -
> -- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
> -- &result->info3, &result->extra);
> -+ status = samu_to_SamInfo3(server_info,
> -+ sampass,
> -+ lp_netbios_name(),
> -+ &server_info->info3,
> -+ &server_info->extra);
> - if (!NT_STATUS_IS_OK(status)) {
> -- TALLOC_FREE(result);
> -- return status;
> -+ goto out;
> - }
> -
> -- result->unix_name = pwd->pw_name;
> -- /* Ensure that we keep pwd->pw_name, because we will free pwd below */
> -- talloc_steal(result, pwd->pw_name);
> -- result->utok.gid = pwd->pw_gid;
> -- result->utok.uid = pwd->pw_uid;
> -+ server_info->unix_name = talloc_strdup(server_info, pwd->pw_name);
> -+ if (server_info->unix_name == NULL) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ goto out;
> -+ }
> -
> -- TALLOC_FREE(pwd);
> -+ server_info->utok.gid = pwd->pw_gid;
> -+ server_info->utok.uid = pwd->pw_uid;
> -
> - if (IS_DC && is_our_machine_account(username)) {
> - /*
> -@@ -110,9 +122,13 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
> - }
> -
> - DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
> -- pdb_get_username(sampass), result->unix_name));
> -+ pdb_get_username(sampass), server_info->unix_name));
> -+
> -+ *pserver_info = talloc_steal(mem_ctx, server_info);
> -
> -- *server_info = result;
> -+ status = NT_STATUS_OK;
> -+out:
> -+ talloc_free(tmp_ctx);
> -
> -- return NT_STATUS_OK;
> -+ return status;
> - }
> -diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
> -index 7d44285..e40c8ac 100644
> ---- a/source3/auth/user_krb5.c
> -+++ b/source3/auth/user_krb5.c
> -@@ -223,9 +223,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> - * SID consistency with ntlmssp session setup
> - */
> - struct samu *sampass;
> -- /* The stupid make_server_info_XX functions here
> -- don't take a talloc context. */
> -- struct auth_serversupplied_info *tmp = NULL;
> -
> - sampass = samu_new(talloc_tos());
> - if (sampass == NULL) {
> -@@ -235,14 +232,19 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> - if (pdb_getsampwnam(sampass, username)) {
> - DEBUG(10, ("found user %s in passdb, calling "
> - "make_server_info_sam\n", username));
> -- status = make_server_info_sam(&tmp, sampass);
> -+ status = make_server_info_sam(mem_ctx,
> -+ sampass,
> -+ &server_info);
> - } else {
> - /*
> - * User not in passdb, make it up artificially
> - */
> - DEBUG(10, ("didn't find user %s in passdb, calling "
> - "make_server_info_pw\n", username));
> -- status = make_server_info_pw(mem_ctx, username, pw, &tmp);
> -+ status = make_server_info_pw(mem_ctx,
> -+ username,
> -+ pw,
> -+ &server_info);
> - }
> -
> - TALLOC_FREE(sampass);
> ---
> -1.8.5.2
> -
> -
> -From f9c0adb6237c6e60c33ee6af21f55c0cdefa132c Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Tue, 18 Feb 2014 10:19:57 +0100
> -Subject: [PATCH 6/7] s3-auth: Pass mem_ctx to auth_check_ntlm_password().
> -
> -Coverity-Id: 1168009
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -
> -Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 4d792db03f18aa164b565c7fdc7b446c174fba28)
> ----
> - source3/auth/auth.c | 50 ++++++++++++++++++-----------
> - source3/auth/auth_ntlmssp.c | 6 ++--
> - source3/auth/proto.h | 8 +++--
> - source3/rpc_server/netlogon/srv_netlog_nt.c | 6 ++--
> - source3/torture/pdbtest.c | 5 ++-
> - 5 files changed, 48 insertions(+), 27 deletions(-)
> -
> -diff --git a/source3/auth/auth.c b/source3/auth/auth.c
> -index c3797cf..dc9af02 100644
> ---- a/source3/auth/auth.c
> -+++ b/source3/auth/auth.c
> -@@ -160,18 +160,19 @@ static bool check_domain_match(const char *user, const char *domain)
> - *
> - **/
> -
> --NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> -- const struct auth_usersupplied_info *user_info,
> -- struct auth_serversupplied_info **server_info)
> -+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
> -+ const struct auth_context *auth_context,
> -+ const struct auth_usersupplied_info *user_info,
> -+ struct auth_serversupplied_info **pserver_info)
> - {
> - /* if all the modules say 'not for me' this is reasonable */
> - NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
> - const char *unix_username;
> - auth_methods *auth_method;
> -- TALLOC_CTX *mem_ctx;
> -
> -- if (!user_info || !auth_context || !server_info)
> -+ if (user_info == NULL || auth_context == NULL || pserver_info == NULL) {
> - return NT_STATUS_LOGON_FAILURE;
> -+ }
> -
> - DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
> - user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
> -@@ -205,17 +206,27 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> - return NT_STATUS_LOGON_FAILURE;
> -
> - for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
> -+ struct auth_serversupplied_info *server_info;
> -+ TALLOC_CTX *tmp_ctx;
> - NTSTATUS result;
> -
> -- mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
> -- user_info->mapped.domain_name, user_info->client.account_name);
> -+ tmp_ctx = talloc_named(mem_ctx,
> -+ 0,
> -+ "%s authentication for user %s\\%s",
> -+ auth_method->name,
> -+ user_info->mapped.domain_name,
> -+ user_info->client.account_name);
> -
> -- result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
> -+ result = auth_method->auth(auth_context,
> -+ auth_method->private_data,
> -+ tmp_ctx,
> -+ user_info,
> -+ &server_info);
> -
> - /* check if the module did anything */
> - if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
> - DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
> -- talloc_destroy(mem_ctx);
> -+ TALLOC_FREE(tmp_ctx);
> - continue;
> - }
> -
> -@@ -229,19 +240,20 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> - auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
> - }
> -
> -- talloc_destroy(mem_ctx);
> --
> -- if ( NT_STATUS_IS_OK(nt_status))
> -- {
> -- break;
> -+ if (NT_STATUS_IS_OK(nt_status)) {
> -+ *pserver_info = talloc_steal(mem_ctx, server_info);
> -+ TALLOC_FREE(tmp_ctx);
> -+ break;
> - }
> -+
> -+ TALLOC_FREE(tmp_ctx);
> - }
> -
> - /* successful authentication */
> -
> - if (NT_STATUS_IS_OK(nt_status)) {
> -- unix_username = (*server_info)->unix_name;
> -- if (!(*server_info)->guest) {
> -+ unix_username = (*pserver_info)->unix_name;
> -+ if (!(*pserver_info)->guest) {
> - const char *rhost;
> -
> - if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
> -@@ -270,9 +282,9 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> - }
> -
> - if (NT_STATUS_IS_OK(nt_status)) {
> -- DEBUG((*server_info)->guest ? 5 : 2,
> -+ DEBUG((*pserver_info)->guest ? 5 : 2,
> - ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
> -- (*server_info)->guest ? "guest " : "",
> -+ (*pserver_info)->guest ? "guest " : "",
> - user_info->client.account_name,
> - user_info->mapped.account_name,
> - unix_username));
> -@@ -286,7 +298,7 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> - DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
> - user_info->client.account_name, user_info->mapped.account_name,
> - nt_errstr(nt_status)));
> -- ZERO_STRUCTP(server_info);
> -+ ZERO_STRUCTP(pserver_info);
> -
> - return nt_status;
> - }
> -diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
> -index f99bd44..cb7726c 100644
> ---- a/source3/auth/auth_ntlmssp.c
> -+++ b/source3/auth/auth_ntlmssp.c
> -@@ -134,8 +134,10 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
> -
> - mapped_user_info->flags = user_info->flags;
> -
> -- nt_status = auth_check_ntlm_password(auth_context,
> -- mapped_user_info, &server_info);
> -+ nt_status = auth_check_ntlm_password(mem_ctx,
> -+ auth_context,
> -+ mapped_user_info,
> -+ &server_info);
> -
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
> -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> -index eac3e54..15b1ba0 100644
> ---- a/source3/auth/proto.h
> -+++ b/source3/auth/proto.h
> -@@ -65,6 +65,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
> - * struct. When the return is other than NT_STATUS_OK the contents
> - * of that structure is undefined.
> - *
> -+ * @param mem_ctx The memory context to use to allocate server_info
> -+ *
> - * @param user_info Contains the user supplied components, including the passwords.
> - * Must be created with make_user_info() or one of its wrappers.
> - *
> -@@ -79,9 +81,9 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
> - * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
> - *
> - **/
> --
> --NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> -- const struct auth_usersupplied_info *user_info,
> -+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
> -+ const struct auth_context *auth_context,
> -+ const struct auth_usersupplied_info *user_info,
> - struct auth_serversupplied_info **server_info);
> -
> - /* The following definitions come from auth/auth_builtin.c */
> -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
> -index e5ca474..0c8c9a5 100644
> ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
> -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
> -@@ -1650,8 +1650,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> - } /* end switch */
> -
> - if ( NT_STATUS_IS_OK(status) ) {
> -- status = auth_check_ntlm_password(auth_context,
> -- user_info, &server_info);
> -+ status = auth_check_ntlm_password(p->mem_ctx,
> -+ auth_context,
> -+ user_info,
> -+ &server_info);
> - }
> -
> - TALLOC_FREE(auth_context);
> -diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
> -index 17da455..14d58b9 100644
> ---- a/source3/torture/pdbtest.c
> -+++ b/source3/torture/pdbtest.c
> -@@ -304,7 +304,10 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
> - return False;
> - }
> -
> -- status = auth_check_ntlm_password(auth_context, user_info, &server_info);
> -+ status = auth_check_ntlm_password(mem_ctx,
> -+ auth_context,
> -+ user_info,
> -+ &server_info);
> -
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
> ---
> -1.8.5.2
> -
> -
> -From a48bcd84c59b5b2cb8c3e0f5d68b35065bed81d7 Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Tue, 18 Feb 2014 13:52:49 +0100
> -Subject: [PATCH 7/7] s3-auth: Pass mem_ctx to do_map_to_guest_server_info().
> -
> -Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -
> -Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
> -Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104
> -
> -(cherry picked from commit 79e2725f339e7c5336b4053348c4266268de6ca3)
> ----
> - source3/auth/auth_ntlmssp.c | 7 ++++---
> - source3/auth/auth_util.c | 12 +++++++-----
> - source3/auth/proto.h | 8 +++++---
> - 3 files changed, 16 insertions(+), 11 deletions(-)
> -
> -diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
> -index cb7726c..d4fe901 100644
> ---- a/source3/auth/auth_ntlmssp.c
> -+++ b/source3/auth/auth_ntlmssp.c
> -@@ -151,10 +151,11 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
> - free_user_info(&mapped_user_info);
> -
> - if (!NT_STATUS_IS_OK(nt_status)) {
> -- nt_status = do_map_to_guest_server_info(nt_status,
> -- &server_info,
> -+ nt_status = do_map_to_guest_server_info(mem_ctx,
> -+ nt_status,
> - user_info->client.account_name,
> -- user_info->client.domain_name);
> -+ user_info->client.domain_name,
> -+ &server_info);
> - *server_returned_info = talloc_steal(mem_ctx, server_info);
> - return nt_status;
> - }
> -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> -index 24190af..8cf5cb7 100644
> ---- a/source3/auth/auth_util.c
> -+++ b/source3/auth/auth_util.c
> -@@ -1536,9 +1536,11 @@ bool is_trusted_domain(const char* dom_name)
> - on a logon error possibly map the error to success if "map to guest"
> - is set approriately
> - */
> --NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
> -- struct auth_serversupplied_info **server_info,
> -- const char *user, const char *domain)
> -+NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx,
> -+ NTSTATUS status,
> -+ const char *user,
> -+ const char *domain,
> -+ struct auth_serversupplied_info **server_info)
> - {
> - user = user ? user : "";
> - domain = domain ? domain : "";
> -@@ -1548,13 +1550,13 @@ NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
> - (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
> - DEBUG(3,("No such user %s [%s] - using guest account\n",
> - user, domain));
> -- return make_server_info_guest(NULL, server_info);
> -+ return make_server_info_guest(mem_ctx, server_info);
> - }
> - } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
> - if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
> - DEBUG(3,("Registered username %s for guest access\n",
> - user));
> -- return make_server_info_guest(NULL, server_info);
> -+ return make_server_info_guest(mem_ctx, server_info);
> - }
> - }
> -
> -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> -index 15b1ba0..7b8959f 100644
> ---- a/source3/auth/proto.h
> -+++ b/source3/auth/proto.h
> -@@ -264,9 +264,11 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
> - enum auth_password_state password_state);
> - void free_user_info(struct auth_usersupplied_info **user_info);
> -
> --NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
> -- struct auth_serversupplied_info **server_info,
> -- const char *user, const char *domain);
> -+NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx,
> -+ NTSTATUS status,
> -+ const char *user,
> -+ const char *domain,
> -+ struct auth_serversupplied_info **server_info);
> -
> - /* The following definitions come from auth/auth_winbind.c */
> -
> ---
> -1.8.5.2
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
> deleted file mode 100644
> index daa283e..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
> +++ /dev/null
> @@ -1,266 +0,0 @@
> -From 168627e1877317db86471a4b0360dccd9f469aaa Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Mon, 13 Jan 2014 15:59:26 +0100
> -Subject: [PATCH 1/2] s3-kerberos: remove print_kdc_line() completely.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Just calling print_canonical_sockaddr() is sufficient, as it already deals with
> -ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is
> -removed as well. It was pointless because it always derived the port number from
> -the provided address which was either a SMB (usually port 445) or LDAP
> -connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC.
> -Finally, the kerberos libraries that we support and build with, can deal with
> -ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of
> -resolving the DC name on the kerberos library anymore.
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/libads/kerberos.c | 73 ++++-------------------------------------------
> - 1 file changed, 5 insertions(+), 68 deletions(-)
> -
> -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> -index b026e09..ea14350 100644
> ---- a/source3/libads/kerberos.c
> -+++ b/source3/libads/kerberos.c
> -@@ -592,70 +592,6 @@ int kerberos_kinit_password(const char *principal,
> - /************************************************************************
> - ************************************************************************/
> -
> --static char *print_kdc_line(char *mem_ctx,
> -- const char *prev_line,
> -- const struct sockaddr_storage *pss,
> -- const char *kdc_name)
> --{
> -- char addr[INET6_ADDRSTRLEN];
> -- uint16_t port = get_sockaddr_port(pss);
> --
> -- if (pss->ss_family == AF_INET) {
> -- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> -- prev_line,
> -- print_canonical_sockaddr(mem_ctx, pss));
> -- }
> --
> -- /*
> -- * IPv6 starts here
> -- */
> --
> -- DEBUG(10, ("print_kdc_line: IPv6 case for kdc_name: %s, port: %d\n",
> -- kdc_name, port));
> --
> -- if (port != 0 && port != DEFAULT_KRB5_PORT) {
> -- /* Currently for IPv6 we can't specify a non-default
> -- krb5 port with an address, as this requires a ':'.
> -- Resolve to a name. */
> -- char hostname[MAX_DNS_NAME_LENGTH];
> -- int ret = sys_getnameinfo((const struct sockaddr *)pss,
> -- sizeof(*pss),
> -- hostname, sizeof(hostname),
> -- NULL, 0,
> -- NI_NAMEREQD);
> -- if (ret) {
> -- DEBUG(0,("print_kdc_line: can't resolve name "
> -- "for kdc with non-default port %s. "
> -- "Error %s\n.",
> -- print_canonical_sockaddr(mem_ctx, pss),
> -- gai_strerror(ret)));
> -- return NULL;
> -- }
> -- /* Success, use host:port */
> -- return talloc_asprintf(mem_ctx,
> -- "%s\tkdc = %s:%u\n",
> -- prev_line,
> -- hostname,
> -- (unsigned int)port);
> -- }
> --
> -- /* no krb5 lib currently supports "kdc = ipv6 address"
> -- * at all, so just fill in just the kdc_name if we have
> -- * it and let the krb5 lib figure out the appropriate
> -- * ipv6 address - gd */
> --
> -- if (kdc_name) {
> -- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> -- prev_line, kdc_name);
> -- }
> --
> -- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> -- prev_line,
> -- print_sockaddr(addr,
> -- sizeof(addr),
> -- pss));
> --}
> --
> - /************************************************************************
> - Create a string list of available kdc's, possibly searching by sitename.
> - Does DNS queries.
> -@@ -698,7 +634,8 @@ static char *get_kdc_ip_string(char *mem_ctx,
> - char *result = NULL;
> - struct netlogon_samlogon_response **responses = NULL;
> - NTSTATUS status;
> -- char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name);
> -+ char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
> -+ print_canonical_sockaddr(mem_ctx, pss));
> -
> - if (kdc_str == NULL) {
> - TALLOC_FREE(frame);
> -@@ -788,9 +725,9 @@ static char *get_kdc_ip_string(char *mem_ctx,
> - }
> -
> - /* Append to the string - inefficient but not done often. */
> -- new_kdc_str = print_kdc_line(mem_ctx, kdc_str,
> -- &dc_addrs[i],
> -- kdc_name);
> -+ new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> -+ kdc_str,
> -+ print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
> - if (new_kdc_str == NULL) {
> - goto fail;
> - }
> ---
> -1.8.5.3
> -
> -
> -From 3edb3d4084548960f03356cf4c44a6892e6efb84 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 7 Mar 2014 14:47:31 +0100
> -Subject: [PATCH 2/2] s3-kerberos: remove unused kdc_name from
> - create_local_private_krb5_conf_for_domain().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/libads/kerberos.c | 10 ++++------
> - source3/libads/kerberos_proto.h | 3 +--
> - source3/libnet/libnet_join.c | 3 +--
> - source3/libsmb/namequery_dc.c | 6 ++----
> - source3/winbindd/winbindd_cm.c | 6 ++----
> - 5 files changed, 10 insertions(+), 18 deletions(-)
> -
> -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> -index ea14350..649e568 100644
> ---- a/source3/libads/kerberos.c
> -+++ b/source3/libads/kerberos.c
> -@@ -618,8 +618,7 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
> - static char *get_kdc_ip_string(char *mem_ctx,
> - const char *realm,
> - const char *sitename,
> -- const struct sockaddr_storage *pss,
> -- const char *kdc_name)
> -+ const struct sockaddr_storage *pss)
> - {
> - TALLOC_CTX *frame = talloc_stackframe();
> - int i;
> -@@ -756,8 +755,7 @@ fail:
> - bool create_local_private_krb5_conf_for_domain(const char *realm,
> - const char *domain,
> - const char *sitename,
> -- const struct sockaddr_storage *pss,
> -- const char *kdc_name)
> -+ const struct sockaddr_storage *pss)
> - {
> - char *dname;
> - char *tmpname = NULL;
> -@@ -782,7 +780,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> - return false;
> - }
> -
> -- if (domain == NULL || pss == NULL || kdc_name == NULL) {
> -+ if (domain == NULL || pss == NULL) {
> - return false;
> - }
> -
> -@@ -815,7 +813,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> - goto done;
> - }
> -
> -- kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name);
> -+ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
> - if (!kdc_ip_string) {
> - goto done;
> - }
> -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
> -index f7470d2..2559634 100644
> ---- a/source3/libads/kerberos_proto.h
> -+++ b/source3/libads/kerberos_proto.h
> -@@ -62,8 +62,7 @@ int kerberos_kinit_password(const char *principal,
> - bool create_local_private_krb5_conf_for_domain(const char *realm,
> - const char *domain,
> - const char *sitename,
> -- const struct sockaddr_storage *pss,
> -- const char *kdc_name);
> -+ const struct sockaddr_storage *pss);
> -
> - /* The following definitions come from libads/authdata.c */
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index a87eb38..68884cd 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -2152,8 +2152,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
> -
> - create_local_private_krb5_conf_for_domain(
> - r->out.dns_domain_name, r->out.netbios_domain_name,
> -- NULL, smbXcli_conn_remote_sockaddr(cli->conn),
> -- smbXcli_conn_remote_name(cli->conn));
> -+ NULL, smbXcli_conn_remote_sockaddr(cli->conn));
> -
> - if (r->out.domain_is_ad && r->in.account_ou &&
> - !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
> -diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
> -index 3cfae79..eb34741 100644
> ---- a/source3/libsmb/namequery_dc.c
> -+++ b/source3/libsmb/namequery_dc.c
> -@@ -112,14 +112,12 @@ static bool ads_dc_name(const char *domain,
> - create_local_private_krb5_conf_for_domain(realm,
> - domain,
> - sitename,
> -- &ads->ldap.ss,
> -- ads->config.ldap_server_name);
> -+ &ads->ldap.ss);
> - } else {
> - create_local_private_krb5_conf_for_domain(realm,
> - domain,
> - NULL,
> -- &ads->ldap.ss,
> -- ads->config.ldap_server_name);
> -+ &ads->ldap.ss);
> - }
> - }
> - #endif
> -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> -index 669a43e..be13a57 100644
> ---- a/source3/winbindd/winbindd_cm.c
> -+++ b/source3/winbindd/winbindd_cm.c
> -@@ -1233,8 +1233,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
> - create_local_private_krb5_conf_for_domain(domain->alt_name,
> - domain->name,
> - sitename,
> -- pss,
> -- *name);
> -+ pss);
> -
> - SAFE_FREE(sitename);
> - } else {
> -@@ -1242,8 +1241,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
> - create_local_private_krb5_conf_for_domain(domain->alt_name,
> - domain->name,
> - NULL,
> -- pss,
> -- *name);
> -+ pss);
> - }
> - winbindd_set_locator_kdc_envs(domain);
> -
> ---
> -1.8.5.3
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
> deleted file mode 100644
> index 26a4caf..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
> +++ /dev/null
> @@ -1,962 +0,0 @@
> -From 932490ae08578c37523e00e537017603ee00ce7c Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 17 Jan 2014 14:29:03 +0100
> -Subject: [PATCH 1/8] s3-libads: pass down local_service to
> - kerberos_return_pac().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/libads/authdata.c | 6 +-----
> - source3/libads/kerberos_proto.h | 1 +
> - source3/utils/net_ads.c | 8 ++++++++
> - source3/winbindd/winbindd_pam.c | 9 +++++++++
> - 4 files changed, 19 insertions(+), 5 deletions(-)
> -
> -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> -index 801e551..dd80dc2 100644
> ---- a/source3/libads/authdata.c
> -+++ b/source3/libads/authdata.c
> -@@ -101,13 +101,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - bool add_netbios_addr,
> - time_t renewable_time,
> - const char *impersonate_princ_s,
> -+ const char *local_service,
> - struct PAC_LOGON_INFO **_logon_info)
> - {
> - krb5_error_code ret;
> - NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
> - DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
> - const char *auth_princ = NULL;
> -- const char *local_service = NULL;
> - const char *cc = "MEMORY:kerberos_return_pac";
> - struct auth_session_info *session_info;
> - struct gensec_security *gensec_server_context;
> -@@ -141,10 +141,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - }
> - NT_STATUS_HAVE_NO_MEMORY(auth_princ);
> -
> -- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> -- lp_netbios_name(), lp_realm());
> -- NT_STATUS_HAVE_NO_MEMORY(local_service);
> --
> - ret = kerberos_kinit_password_ext(auth_princ,
> - pass,
> - time_offset,
> -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
> -index 2559634..1151d66 100644
> ---- a/source3/libads/kerberos_proto.h
> -+++ b/source3/libads/kerberos_proto.h
> -@@ -77,6 +77,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - bool add_netbios_addr,
> - time_t renewable_time,
> - const char *impersonate_princ_s,
> -+ const char *local_service,
> - struct PAC_LOGON_INFO **logon_info);
> -
> - /* The following definitions come from libads/krb5_setpw.c */
> -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> -index 89eebf3..5a073b1 100644
> ---- a/source3/utils/net_ads.c
> -+++ b/source3/utils/net_ads.c
> -@@ -2604,6 +2604,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - NTSTATUS status;
> - int ret = -1;
> - const char *impersonate_princ_s = NULL;
> -+ const char *local_service = NULL;
> -
> - if (c->display_usage) {
> - d_printf( "%s\n"
> -@@ -2623,6 +2624,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - impersonate_princ_s = argv[0];
> - }
> -
> -+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> -+ lp_netbios_name(), lp_realm());
> -+ if (local_service == NULL) {
> -+ goto out;
> -+ }
> -+
> - c->opt_password = net_prompt_pass(c, c->opt_user_name);
> -
> - status = kerberos_return_pac(mem_ctx,
> -@@ -2636,6 +2643,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - true,
> - 2592000, /* one month */
> - impersonate_princ_s,
> -+ local_service,
> - &info);
> - if (!NT_STATUS_IS_OK(status)) {
> - d_printf(_("failed to query kerberos PAC: %s\n"),
> -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> -index 3f3ec70..61e2cef 100644
> ---- a/source3/winbindd/winbindd_pam.c
> -+++ b/source3/winbindd/winbindd_pam.c
> -@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> - time_t time_offset = 0;
> - const char *user_ccache_file;
> - struct PAC_LOGON_INFO *logon_info = NULL;
> -+ const char *local_service;
> -
> - *info3 = NULL;
> -
> -@@ -632,6 +633,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> -+ lp_netbios_name(), lp_realm());
> -+ if (local_service == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+
> - /* if this is a user ccache, we need to act as the user to let the krb5
> - * library handle the chown, etc. */
> -
> -@@ -653,6 +661,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> - true,
> - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
> - NULL,
> -+ local_service,
> - &logon_info);
> - if (user_ccache_file != NULL) {
> - gain_root_privilege();
> ---
> -1.8.5.3
> -
> -
> -From baed403983a5bb2e728249443fdfc9167a87f526 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Mon, 3 Mar 2014 12:14:51 +0100
> -Subject: [PATCH 2/8] auth/kerberos: fix a typo.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - auth/kerberos/kerberos_pac.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
> -index 81f7f21..8f55c8f 100644
> ---- a/auth/kerberos/kerberos_pac.c
> -+++ b/auth/kerberos/kerberos_pac.c
> -@@ -79,7 +79,7 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
> - }
> -
> - /**
> --* @brief Decode a blob containing a NDR envoded PAC structure
> -+* @brief Decode a blob containing a NDR encoded PAC structure
> - *
> - * @param mem_ctx - The memory context
> - * @param pac_data_blob - The data blob containing the NDR encoded data
> ---
> -1.8.5.3
> -
> -
> -From 9725a86e60bb6ef6e912621e81acc955ae2f70a8 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Mon, 10 Mar 2014 15:11:18 +0100
> -Subject: [PATCH 3/8] s3-net: change the way impersonation principals are used
> - in "net ads kerberos pac".
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/utils/net_ads.c | 14 ++++++++++----
> - 1 file changed, 10 insertions(+), 4 deletions(-)
> -
> -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> -index 5a073b1..ac6346f 100644
> ---- a/source3/utils/net_ads.c
> -+++ b/source3/utils/net_ads.c
> -@@ -2605,6 +2605,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - int ret = -1;
> - const char *impersonate_princ_s = NULL;
> - const char *local_service = NULL;
> -+ int i;
> -
> - if (c->display_usage) {
> - d_printf( "%s\n"
> -@@ -2615,15 +2616,20 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - return 0;
> - }
> -
> -+ for (i=0; i<argc; i++) {
> -+ if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
> -+ impersonate_princ_s = get_string_param(argv[i]);
> -+ if (impersonate_princ_s == NULL) {
> -+ return -1;
> -+ }
> -+ }
> -+ }
> -+
> - mem_ctx = talloc_init("net_ads_kerberos_pac");
> - if (!mem_ctx) {
> - goto out;
> - }
> -
> -- if (argc > 0) {
> -- impersonate_princ_s = argv[0];
> -- }
> --
> - local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> - lp_netbios_name(), lp_realm());
> - if (local_service == NULL) {
> ---
> -1.8.5.3
> -
> -
> -From 35a1ed22f65473fabb2f4846f6d2b50da1847f6a Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Tue, 11 Mar 2014 16:34:36 +0100
> -Subject: [PATCH 4/8] s3-net: allow to provide custom local_service in "net ads
> - kerberos pac".
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/utils/net_ads.c | 14 +++++++++++---
> - 1 file changed, 11 insertions(+), 3 deletions(-)
> -
> -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> -index ac6346f..c53c8c6 100644
> ---- a/source3/utils/net_ads.c
> -+++ b/source3/utils/net_ads.c
> -@@ -2623,6 +2623,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - return -1;
> - }
> - }
> -+ if (strnequal(argv[i], "local_service", strlen("local_service"))) {
> -+ local_service = get_string_param(argv[i]);
> -+ if (local_service == NULL) {
> -+ return -1;
> -+ }
> -+ }
> - }
> -
> - mem_ctx = talloc_init("net_ads_kerberos_pac");
> -@@ -2630,10 +2636,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - goto out;
> - }
> -
> -- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> -- lp_netbios_name(), lp_realm());
> - if (local_service == NULL) {
> -- goto out;
> -+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> -+ lp_netbios_name(), lp_realm());
> -+ if (local_service == NULL) {
> -+ goto out;
> -+ }
> - }
> -
> - c->opt_password = net_prompt_pass(c, c->opt_user_name);
> ---
> -1.8.5.3
> -
> -
> -From 1270e35ba70a4e4881512d375c767023512f67bd Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 21 Feb 2014 18:56:04 +0100
> -Subject: [PATCH 5/8] s3-kerberos: return a full PAC in kerberos_return_pac().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/libads/authdata.c | 28 +++++++++++++++++-----------
> - source3/libads/kerberos_proto.h | 4 ++--
> - source3/utils/net_ads.c | 17 ++++++++++++++++-
> - source3/winbindd/winbindd_pam.c | 22 +++++++++++++++++++++-
> - 4 files changed, 56 insertions(+), 15 deletions(-)
> -
> -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> -index dd80dc2..53e40ef 100644
> ---- a/source3/libads/authdata.c
> -+++ b/source3/libads/authdata.c
> -@@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
> - struct auth_session_info **session_info)
> - {
> - TALLOC_CTX *tmp_ctx;
> -- struct PAC_LOGON_INFO *logon_info = NULL;
> -+ struct PAC_DATA *pac_data = NULL;
> - NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
> -
> - tmp_ctx = talloc_new(mem_ctx);
> -@@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
> - }
> -
> - if (pac_blob) {
> -- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
> -- NULL, NULL, 0, &logon_info);
> -+ status = kerberos_decode_pac(tmp_ctx,
> -+ *pac_blob,
> -+ NULL,
> -+ NULL,
> -+ NULL,
> -+ NULL,
> -+ 0,
> -+ &pac_data);
> - if (!NT_STATUS_IS_OK(status)) {
> - goto done;
> - }
> - }
> -
> -- talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
> -+ talloc_set_name_const(pac_data, "struct PAC_DATA");
> -
> -- auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);
> -+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
> - *session_info = talloc_zero(mem_ctx, struct auth_session_info);
> - if (!*session_info) {
> - status = NT_STATUS_NO_MEMORY;
> -@@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - time_t renewable_time,
> - const char *impersonate_princ_s,
> - const char *local_service,
> -- struct PAC_LOGON_INFO **_logon_info)
> -+ struct PAC_DATA **_pac_data)
> - {
> - krb5_error_code ret;
> - NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
> -@@ -116,7 +122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - size_t idx = 0;
> - struct auth4_context *auth_context;
> - struct loadparm_context *lp_ctx;
> -- struct PAC_LOGON_INFO *logon_info = NULL;
> -+ struct PAC_DATA *pac_data = NULL;
> -
> - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
> - NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
> -@@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - goto out;
> - }
> -
> -- logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
> -- struct PAC_LOGON_INFO);
> -- if (logon_info == NULL) {
> -+ pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
> -+ struct PAC_DATA);
> -+ if (pac_data == NULL) {
> - DEBUG(1,("no PAC\n"));
> - status = NT_STATUS_INVALID_PARAMETER;
> - goto out;
> - }
> -
> -- *_logon_info = talloc_move(mem_ctx, &logon_info);
> -+ *_pac_data = talloc_move(mem_ctx, &pac_data);
> -
> - out:
> - talloc_free(tmp_ctx);
> -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
> -index 1151d66..b2f7486 100644
> ---- a/source3/libads/kerberos_proto.h
> -+++ b/source3/libads/kerberos_proto.h
> -@@ -32,7 +32,7 @@
> -
> - #include "system/kerberos.h"
> -
> --struct PAC_LOGON_INFO;
> -+struct PAC_DATA;
> -
> - #include "libads/ads_status.h"
> -
> -@@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - time_t renewable_time,
> - const char *impersonate_princ_s,
> - const char *local_service,
> -- struct PAC_LOGON_INFO **logon_info);
> -+ struct PAC_DATA **pac_data);
> -
> - /* The following definitions come from libads/krb5_setpw.c */
> -
> -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> -index c53c8c6..19da6da 100644
> ---- a/source3/utils/net_ads.c
> -+++ b/source3/utils/net_ads.c
> -@@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
> - static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
> - {
> - struct PAC_LOGON_INFO *info = NULL;
> -+ struct PAC_DATA *pac_data = NULL;
> - TALLOC_CTX *mem_ctx = NULL;
> - NTSTATUS status;
> - int ret = -1;
> -@@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - 2592000, /* one month */
> - impersonate_princ_s,
> - local_service,
> -- &info);
> -+ &pac_data);
> - if (!NT_STATUS_IS_OK(status)) {
> - d_printf(_("failed to query kerberos PAC: %s\n"),
> - nt_errstr(status));
> - goto out;
> - }
> -
> -+ for (i=0; i < pac_data->num_buffers; i++) {
> -+
> -+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
> -+ continue;
> -+ }
> -+
> -+ info = pac_data->buffers[i].info->logon_info.info;
> -+ if (!info) {
> -+ goto out;
> -+ }
> -+
> -+ break;
> -+ }
> -+
> - if (info) {
> - const char *s;
> - s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
> -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> -index 61e2cef..a8daae51 100644
> ---- a/source3/winbindd/winbindd_pam.c
> -+++ b/source3/winbindd/winbindd_pam.c
> -@@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> - time_t time_offset = 0;
> - const char *user_ccache_file;
> - struct PAC_LOGON_INFO *logon_info = NULL;
> -+ struct PAC_DATA *pac_data = NULL;
> - const char *local_service;
> -+ int i;
> -
> - *info3 = NULL;
> -
> -@@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
> - NULL,
> - local_service,
> -- &logon_info);
> -+ &pac_data);
> - if (user_ccache_file != NULL) {
> - gain_root_privilege();
> - }
> -@@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> - goto failed;
> - }
> -
> -+ if (pac_data == NULL) {
> -+ goto failed;
> -+ }
> -+
> -+ for (i=0; i < pac_data->num_buffers; i++) {
> -+
> -+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
> -+ continue;
> -+ }
> -+
> -+ logon_info = pac_data->buffers[i].info->logon_info.info;
> -+ if (!logon_info) {
> -+ return NT_STATUS_INVALID_PARAMETER;
> -+ }
> -+
> -+ break;
> -+ }
> -+
> - *info3 = &logon_info->info3;
> -
> - DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
> ---
> -1.8.5.3
> -
> -
> -From a8c2807a26d2f1ff094ed7ea5724c0394f79b888 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Tue, 11 Mar 2014 18:07:11 +0100
> -Subject: [PATCH 6/8] s3-kerberos: let kerberos_return_pac() return a PAC
> - container.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/libads/authdata.c | 29 +++++++++++++++++++++--------
> - source3/libads/kerberos_proto.h | 7 ++++++-
> - source3/utils/net_ads.c | 5 ++++-
> - source3/winbindd/winbindd_pam.c | 8 +++++++-
> - 4 files changed, 38 insertions(+), 11 deletions(-)
> -
> -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> -index 53e40ef..276408d 100644
> ---- a/source3/libads/authdata.c
> -+++ b/source3/libads/authdata.c
> -@@ -53,6 +53,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
> - {
> - TALLOC_CTX *tmp_ctx;
> - struct PAC_DATA *pac_data = NULL;
> -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> - NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
> -
> - tmp_ctx = talloc_new(mem_ctx);
> -@@ -74,9 +75,21 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
> - }
> - }
> -
> -- talloc_set_name_const(pac_data, "struct PAC_DATA");
> -+ pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR);
> -+ if (pac_data_ctr == NULL) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ goto done;
> -+ }
> -+
> -+ talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR");
> -+
> -+ pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data);
> -+ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
> -+ pac_blob->data,
> -+ pac_blob->length);
> -+
> -+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);
> -
> -- auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
> - *session_info = talloc_zero(mem_ctx, struct auth_session_info);
> - if (!*session_info) {
> - status = NT_STATUS_NO_MEMORY;
> -@@ -108,7 +121,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - time_t renewable_time,
> - const char *impersonate_princ_s,
> - const char *local_service,
> -- struct PAC_DATA **_pac_data)
> -+ struct PAC_DATA_CTR **_pac_data_ctr)
> - {
> - krb5_error_code ret;
> - NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
> -@@ -122,7 +135,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - size_t idx = 0;
> - struct auth4_context *auth_context;
> - struct loadparm_context *lp_ctx;
> -- struct PAC_DATA *pac_data = NULL;
> -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> -
> - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
> - NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
> -@@ -278,15 +291,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - goto out;
> - }
> -
> -- pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
> -- struct PAC_DATA);
> -- if (pac_data == NULL) {
> -+ pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
> -+ struct PAC_DATA_CTR);
> -+ if (pac_data_ctr == NULL) {
> - DEBUG(1,("no PAC\n"));
> - status = NT_STATUS_INVALID_PARAMETER;
> - goto out;
> - }
> -
> -- *_pac_data = talloc_move(mem_ctx, &pac_data);
> -+ *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
> -
> - out:
> - talloc_free(tmp_ctx);
> -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
> -index b2f7486..3d0ad4b 100644
> ---- a/source3/libads/kerberos_proto.h
> -+++ b/source3/libads/kerberos_proto.h
> -@@ -34,6 +34,11 @@
> -
> - struct PAC_DATA;
> -
> -+struct PAC_DATA_CTR {
> -+ DATA_BLOB pac_blob;
> -+ struct PAC_DATA *pac_data;
> -+};
> -+
> - #include "libads/ads_status.h"
> -
> - /* The following definitions come from libads/kerberos.c */
> -@@ -78,7 +83,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - time_t renewable_time,
> - const char *impersonate_princ_s,
> - const char *local_service,
> -- struct PAC_DATA **pac_data);
> -+ struct PAC_DATA_CTR **pac_data_ctr);
> -
> - /* The following definitions come from libads/krb5_setpw.c */
> -
> -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> -index 19da6da..19c28b1 100644
> ---- a/source3/utils/net_ads.c
> -+++ b/source3/utils/net_ads.c
> -@@ -2601,6 +2601,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - {
> - struct PAC_LOGON_INFO *info = NULL;
> - struct PAC_DATA *pac_data = NULL;
> -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> - TALLOC_CTX *mem_ctx = NULL;
> - NTSTATUS status;
> - int ret = -1;
> -@@ -2659,13 +2660,15 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - 2592000, /* one month */
> - impersonate_princ_s,
> - local_service,
> -- &pac_data);
> -+ &pac_data_ctr);
> - if (!NT_STATUS_IS_OK(status)) {
> - d_printf(_("failed to query kerberos PAC: %s\n"),
> - nt_errstr(status));
> - goto out;
> - }
> -
> -+ pac_data = pac_data_ctr->pac_data;
> -+
> - for (i=0; i < pac_data->num_buffers; i++) {
> -
> - if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
> -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> -index a8daae51..b41291e 100644
> ---- a/source3/winbindd/winbindd_pam.c
> -+++ b/source3/winbindd/winbindd_pam.c
> -@@ -577,6 +577,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> - const char *user_ccache_file;
> - struct PAC_LOGON_INFO *logon_info = NULL;
> - struct PAC_DATA *pac_data = NULL;
> -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> - const char *local_service;
> - int i;
> -
> -@@ -664,7 +665,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
> - NULL,
> - local_service,
> -- &pac_data);
> -+ &pac_data_ctr);
> - if (user_ccache_file != NULL) {
> - gain_root_privilege();
> - }
> -@@ -675,6 +676,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> - goto failed;
> - }
> -
> -+ if (pac_data_ctr == NULL) {
> -+ goto failed;
> -+ }
> -+
> -+ pac_data = pac_data_ctr->pac_data;
> - if (pac_data == NULL) {
> - goto failed;
> - }
> ---
> -1.8.5.3
> -
> -
> -From 9e01f3cbc4752539128e5452f567ff2e73c3ec9d Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Tue, 11 Mar 2014 18:14:39 +0100
> -Subject: [PATCH 7/8] s3-net: modify the current "net ads kerberos pac"
> - command.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Rename it to "net ads kerberos pac dump" and add a "type=num" option to allow
> -dumping of individial pac buffer types. Ommitting type= or using type=0 will
> -dump the whole PAC structure on stdout.
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/utils/net_ads.c | 115 ++++++++++++++++++++++++++++++++----------------
> - 1 file changed, 77 insertions(+), 38 deletions(-)
> -
> -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> -index 19c28b1..f54cf23 100644
> ---- a/source3/utils/net_ads.c
> -+++ b/source3/utils/net_ads.c
> -@@ -2597,27 +2597,15 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
> - return ret;
> - }
> -
> --static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
> -+static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const char **argv,
> -+ struct PAC_DATA_CTR **pac_data_ctr)
> - {
> -- struct PAC_LOGON_INFO *info = NULL;
> -- struct PAC_DATA *pac_data = NULL;
> -- struct PAC_DATA_CTR *pac_data_ctr = NULL;
> -- TALLOC_CTX *mem_ctx = NULL;
> - NTSTATUS status;
> - int ret = -1;
> - const char *impersonate_princ_s = NULL;
> - const char *local_service = NULL;
> - int i;
> -
> -- if (c->display_usage) {
> -- d_printf( "%s\n"
> -- "net ads kerberos pac [impersonation_principal]\n"
> -- " %s\n",
> -- _("Usage:"),
> -- _("Dump the Kerberos PAC"));
> -- return 0;
> -- }
> --
> - for (i=0; i<argc; i++) {
> - if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
> - impersonate_princ_s = get_string_param(argv[i]);
> -@@ -2633,13 +2621,8 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - }
> - }
> -
> -- mem_ctx = talloc_init("net_ads_kerberos_pac");
> -- if (!mem_ctx) {
> -- goto out;
> -- }
> --
> - if (local_service == NULL) {
> -- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> -+ local_service = talloc_asprintf(c, "%s$@%s",
> - lp_netbios_name(), lp_realm());
> - if (local_service == NULL) {
> - goto out;
> -@@ -2648,7 +2631,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> -
> - c->opt_password = net_prompt_pass(c, c->opt_user_name);
> -
> -- status = kerberos_return_pac(mem_ctx,
> -+ status = kerberos_return_pac(c,
> - c->opt_user_name,
> - c->opt_password,
> - 0,
> -@@ -2660,39 +2643,95 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - 2592000, /* one month */
> - impersonate_princ_s,
> - local_service,
> -- &pac_data_ctr);
> -+ pac_data_ctr);
> - if (!NT_STATUS_IS_OK(status)) {
> - d_printf(_("failed to query kerberos PAC: %s\n"),
> - nt_errstr(status));
> - goto out;
> - }
> -
> -- pac_data = pac_data_ctr->pac_data;
> -+ ret = 0;
> -+ out:
> -+ return ret;
> -+}
> -
> -- for (i=0; i < pac_data->num_buffers; i++) {
> -+static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char **argv)
> -+{
> -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> -+ int i;
> -+ int ret = -1;
> -+ enum PAC_TYPE type = 0;
> -
> -- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
> -- continue;
> -+ if (c->display_usage) {
> -+ d_printf( "%s\n"
> -+ "net ads kerberos pac dump [impersonate=string] [local_service=string] [pac_buffer_type=int]\n"
> -+ " %s\n",
> -+ _("Usage:"),
> -+ _("Dump the Kerberos PAC"));
> -+ return -1;
> -+ }
> -+
> -+ for (i=0; i<argc; i++) {
> -+ if (strnequal(argv[i], "pac_buffer_type", strlen("pac_buffer_type"))) {
> -+ type = get_int_param(argv[i]);
> - }
> -+ }
> -
> -- info = pac_data->buffers[i].info->logon_info.info;
> -- if (!info) {
> -- goto out;
> -+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
> -+ if (ret) {
> -+ return ret;
> -+ }
> -+
> -+ if (type == 0) {
> -+
> -+ char *s = NULL;
> -+
> -+ s = NDR_PRINT_STRUCT_STRING(c, PAC_DATA,
> -+ pac_data_ctr->pac_data);
> -+ if (s != NULL) {
> -+ d_printf(_("The Pac: %s\n"), s);
> -+ talloc_free(s);
> - }
> -
> -- break;
> -+ return 0;
> - }
> -
> -- if (info) {
> -- const char *s;
> -- s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
> -- d_printf(_("The Pac: %s\n"), s);
> -+ for (i=0; i < pac_data_ctr->pac_data->num_buffers; i++) {
> -+
> -+ char *s = NULL;
> -+
> -+ if (pac_data_ctr->pac_data->buffers[i].type != type) {
> -+ continue;
> -+ }
> -+
> -+ s = NDR_PRINT_UNION_STRING(c, PAC_INFO, type,
> -+ pac_data_ctr->pac_data->buffers[i].info);
> -+ if (s != NULL) {
> -+ d_printf(_("The Pac: %s\n"), s);
> -+ talloc_free(s);
> -+ }
> -+ break;
> - }
> -
> -- ret = 0;
> -- out:
> -- TALLOC_FREE(mem_ctx);
> -- return ret;
> -+ return 0;
> -+}
> -+
> -+static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
> -+{
> -+ struct functable func[] = {
> -+ {
> -+ "dump",
> -+ net_ads_kerberos_pac_dump,
> -+ NET_TRANSPORT_ADS,
> -+ N_("Dump Kerberos PAC"),
> -+ N_("net ads kerberos pac dump\n"
> -+ " Dump a Kerberos PAC to stdout")
> -+ },
> -+
> -+ {NULL, NULL, 0, NULL, NULL}
> -+ };
> -+
> -+ return net_run_function(c, argc, argv, "net ads kerberos pac", func);
> - }
> -
> - static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
> ---
> -1.8.5.3
> -
> -
> -From 91ceace4ee8fd141cac5dbe5282bed141c38bee7 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Tue, 11 Mar 2014 18:16:40 +0100
> -Subject: [PATCH 8/8] s3-net: add a new "net ads kerberos pac save" tool.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Use "filename=string" to define a file where to save the unencrypted PAC to.
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/utils/net_ads.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
> - 1 file changed, 52 insertions(+)
> -
> -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> -index f54cf23..8b8e719 100644
> ---- a/source3/utils/net_ads.c
> -+++ b/source3/utils/net_ads.c
> -@@ -2716,6 +2716,50 @@ static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char
> - return 0;
> - }
> -
> -+static int net_ads_kerberos_pac_save(struct net_context *c, int argc, const char **argv)
> -+{
> -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> -+ char *filename = NULL;
> -+ int ret = -1;
> -+ int i;
> -+
> -+ if (c->display_usage) {
> -+ d_printf( "%s\n"
> -+ "net ads kerberos pac save [impersonate=string] [local_service=string] [filename=string]\n"
> -+ " %s\n",
> -+ _("Usage:"),
> -+ _("Save the Kerberos PAC"));
> -+ return -1;
> -+ }
> -+
> -+ for (i=0; i<argc; i++) {
> -+ if (strnequal(argv[i], "filename", strlen("filename"))) {
> -+ filename = get_string_param(argv[i]);
> -+ if (filename == NULL) {
> -+ return -1;
> -+ }
> -+ }
> -+ }
> -+
> -+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
> -+ if (ret) {
> -+ return ret;
> -+ }
> -+
> -+ if (filename == NULL) {
> -+ d_printf(_("please define \"filename=<filename>\" to save the PAC\n"));
> -+ return -1;
> -+ }
> -+
> -+ /* save the raw format */
> -+ if (!file_save(filename, pac_data_ctr->pac_blob.data, pac_data_ctr->pac_blob.length)) {
> -+ d_printf(_("failed to save PAC in %s\n"), filename);
> -+ return -1;
> -+ }
> -+
> -+ return 0;
> -+}
> -+
> - static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
> - {
> - struct functable func[] = {
> -@@ -2727,6 +2771,14 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> - N_("net ads kerberos pac dump\n"
> - " Dump a Kerberos PAC to stdout")
> - },
> -+ {
> -+ "save",
> -+ net_ads_kerberos_pac_save,
> -+ NET_TRANSPORT_ADS,
> -+ N_("Save Kerberos PAC"),
> -+ N_("net ads kerberos pac save\n"
> -+ " Save a Kerberos PAC in a file")
> -+ },
> -
> - {NULL, NULL, 0, NULL, NULL}
> - };
> ---
> -1.8.5.3
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
> deleted file mode 100644
> index a2058f1..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
> +++ /dev/null
> @@ -1,211 +0,0 @@
> -From 942dedb71437cd89932a7f39ca73d65c09aa59be Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 2 Apr 2014 19:37:34 +0200
> -Subject: [PATCH] s3-kerberos: make ipv6 support for generated krb5 config
> - files more robust.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Older MIT Kerberos libraries will add any secondary ipv6 address as
> -ipv4 address, defining the (default) krb5 port 88 circumvents that.
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> ----
> - source3/libads/kerberos.c | 29 +++++++++++++++++++++++++++--
> - 1 file changed, 27 insertions(+), 2 deletions(-)
> -
> -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> -index 649e568..f3c23ea 100644
> ---- a/source3/libads/kerberos.c
> -+++ b/source3/libads/kerberos.c
> -@@ -615,6 +615,31 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
> - *num_addrs += 1;
> - }
> -
> -+/* print_canonical_sockaddr prints an ipv6 addr in the form of
> -+* [ipv6.addr]. This string, when put in a generated krb5.conf file is not
> -+* always properly dealt with by some older krb5 libraries. Adding the hard-coded
> -+* portnumber workarounds the issue. - gd */
> -+
> -+static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx,
> -+ const struct sockaddr_storage *pss)
> -+{
> -+ char *str = NULL;
> -+
> -+ str = print_canonical_sockaddr(mem_ctx, pss);
> -+ if (str == NULL) {
> -+ return NULL;
> -+ }
> -+
> -+ if (pss->ss_family != AF_INET6) {
> -+ return str;
> -+ }
> -+
> -+#if defined(HAVE_IPV6)
> -+ str = talloc_asprintf_append(str, ":88");
> -+#endif
> -+ return str;
> -+}
> -+
> - static char *get_kdc_ip_string(char *mem_ctx,
> - const char *realm,
> - const char *sitename,
> -@@ -634,7 +659,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
> - struct netlogon_samlogon_response **responses = NULL;
> - NTSTATUS status;
> - char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
> -- print_canonical_sockaddr(mem_ctx, pss));
> -+ print_canonical_sockaddr_with_port(mem_ctx, pss));
> -
> - if (kdc_str == NULL) {
> - TALLOC_FREE(frame);
> -@@ -726,7 +751,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
> - /* Append to the string - inefficient but not done often. */
> - new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> - kdc_str,
> -- print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
> -+ print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
> - if (new_kdc_str == NULL) {
> - goto fail;
> - }
> ---
> -1.9.0
> -
> -From 60db71015f84dd242be889576d85ccd5c6a1f73b Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 16 Apr 2014 16:07:14 +0200
> -Subject: [PATCH] s3-libads: allow ads_try_connect() to re-use a resolved ip
> - address.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Pass down a struct sockaddr_storage to ads_try_connect.
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -
> -Autobuild-User(master): Günther Deschner <gd@samba.org>
> -Autobuild-Date(master): Thu Apr 17 19:56:16 CEST 2014 on sn-devel-104
> ----
> - source3/libads/ldap.c | 44 ++++++++++++++++++++++++++------------------
> - 1 file changed, 26 insertions(+), 18 deletions(-)
> -
> -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
> -index d9bb8e2..8fed8fd 100644
> ---- a/source3/libads/ldap.c
> -+++ b/source3/libads/ldap.c
> -@@ -228,33 +228,27 @@ bool ads_closest_dc(ADS_STRUCT *ads)
> - try a connection to a given ldap server, returning True and setting the servers IP
> - in the ads struct if successful
> - */
> --static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
> -+static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
> -+ struct sockaddr_storage *ss)
> - {
> - struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
> - TALLOC_CTX *frame = talloc_stackframe();
> - bool ret = false;
> -- struct sockaddr_storage ss;
> - char addr[INET6_ADDRSTRLEN];
> -
> -- if (!server || !*server) {
> -+ if (ss == NULL) {
> - TALLOC_FREE(frame);
> - return False;
> - }
> -
> -- if (!resolve_name(server, &ss, 0x20, true)) {
> -- DEBUG(5,("ads_try_connect: unable to resolve name %s\n",
> -- server ));
> -- TALLOC_FREE(frame);
> -- return false;
> -- }
> -- print_sockaddr(addr, sizeof(addr), &ss);
> -+ print_sockaddr(addr, sizeof(addr), ss);
> -
> - DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
> - addr, ads->server.realm));
> -
> - ZERO_STRUCT( cldap_reply );
> -
> -- if ( !ads_cldap_netlogon_5(frame, &ss, ads->server.realm, &cldap_reply ) ) {
> -+ if ( !ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply ) ) {
> - DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));
> - ret = false;
> - goto out;
> -@@ -298,7 +292,7 @@ static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
> - ads->server.workgroup = SMB_STRDUP(cldap_reply.domain_name);
> -
> - ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
> -- ads->ldap.ss = ss;
> -+ ads->ldap.ss = *ss;
> -
> - /* Store our site name. */
> - sitename_store( cldap_reply.domain_name, cldap_reply.client_site);
> -@@ -330,6 +324,7 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
> - bool use_own_domain = False;
> - char *sitename;
> - NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
> -+ bool ok = false;
> -
> - /* if the realm and workgroup are both empty, assume they are ours */
> -
> -@@ -384,12 +379,14 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
> - DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
> - (got_realm ? "realm" : "domain"), realm));
> -
> -- if (get_dc_name(domain, realm, srv_name, &ip_out)) {
> -+ ok = get_dc_name(domain, realm, srv_name, &ip_out);
> -+ if (ok) {
> - /*
> - * we call ads_try_connect() to fill in the
> - * ads->config details
> - */
> -- if (ads_try_connect(ads, srv_name, false)) {
> -+ ok = ads_try_connect(ads, false, &ip_out);
> -+ if (ok) {
> - return NT_STATUS_OK;
> - }
> - }
> -@@ -445,7 +442,8 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
> - }
> - }
> -
> -- if ( ads_try_connect(ads, server, false) ) {
> -+ ok = ads_try_connect(ads, false, &ip_list[i].ss);
> -+ if (ok) {
> - SAFE_FREE(ip_list);
> - SAFE_FREE(sitename);
> - return NT_STATUS_OK;
> -@@ -630,9 +628,19 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
> - TALLOC_FREE(s);
> - }
> -
> -- if (ads->server.ldap_server)
> -- {
> -- if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
> -+ if (ads->server.ldap_server) {
> -+ bool ok = false;
> -+ struct sockaddr_storage ss;
> -+
> -+ ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);
> -+ if (!ok) {
> -+ DEBUG(5,("ads_connect: unable to resolve name %s\n",
> -+ ads->server.ldap_server));
> -+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
> -+ goto out;
> -+ }
> -+ ok = ads_try_connect(ads, ads->server.gc, &ss);
> -+ if (ok) {
> - goto got_connection;
> - }
> -
> ---
> -1.9.0
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
> deleted file mode 100644
> index c1dfc06..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
> +++ /dev/null
> @@ -1,29894 +0,0 @@
> -From 538f62edb2cc4c17204620d8a9b3075c7453422b Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Thu, 4 Sep 2014 12:55:53 +0200
> -Subject: [PATCH 002/249] selftest: Fix selftest where pid is used
> - uninitialized.
> -
> -On my system this gets evaluated to 0 so in the end we detect samba to
> -be running cause $childpid is set to 0.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10793
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -
> -Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
> -Autobuild-Date(master): Thu Sep 4 17:09:17 CEST 2014 on sn-devel-104
> -
> -(cherry picked from commit 6d2f56dbaf84203b351f33179cc3feaf557e0683)
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -
> -Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
> -Autobuild-Date(v4-1-test): Mon Sep 8 23:19:29 CEST 2014 on sn-devel-104
> ----
> - selftest/target/Samba.pm | 7 ++++++-
> - 1 file changed, 6 insertions(+), 1 deletion(-)
> -
> -diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
> -index ab3851f..b0817fd 100644
> ---- a/selftest/target/Samba.pm
> -+++ b/selftest/target/Samba.pm
> -@@ -188,7 +188,12 @@ sub get_interface($)
> - sub cleanup_child($$)
> - {
> - my ($pid, $name) = @_;
> -- my $childpid = waitpid($pid, WNOHANG);
> -+ my $childpid = -1;
> -+
> -+ if (defined($pid)) {
> -+ $childpid = waitpid($pid, WNOHANG);
> -+ }
> -+
> - if ($childpid == 0) {
> - } elsif ($childpid < 0) {
> - printf STDERR "%s child process %d isn't here any more\n",
> ---
> -1.9.3
> -
> -
> -From a14c0878c232dcf674008444f80dc0e5d8aada09 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 12:33:25 +0200
> -Subject: [PATCH 003/249] auth/credentials: remove pointless talloc_reference()
> - from cli_credentials_get_unparsed_name()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 953502925863377b5e566edff4ac68c63e8d151f)
> ----
> - auth/credentials/credentials.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> -index e636123..e597809 100644
> ---- a/auth/credentials/credentials.c
> -+++ b/auth/credentials/credentials.c
> -@@ -669,7 +669,7 @@ _PUBLIC_ const char *cli_credentials_get_unparsed_name(struct cli_credentials *c
> - const char *name;
> -
> - if (bind_dn) {
> -- name = talloc_reference(mem_ctx, bind_dn);
> -+ name = talloc_strdup(mem_ctx, bind_dn);
> - } else {
> - cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain);
> - if (domain && domain[0]) {
> ---
> -1.9.3
> -
> -
> -From a9bbf2e55d56b9d2cec944ee32a127fc72e6ce6a Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 12:33:25 +0200
> -Subject: [PATCH 004/249] auth/credentials: remove pointless talloc_reference()
> - from cli_credentials_get_principal_and_obtained()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit b8f09226458dc13cf901f481ede89d8a6bb94ba7)
> ----
> - auth/credentials/credentials.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> -index e597809..7a4b081 100644
> ---- a/auth/credentials/credentials.c
> -+++ b/auth/credentials/credentials.c
> -@@ -267,7 +267,7 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
> - }
> - }
> - *obtained = cred->principal_obtained;
> -- return talloc_reference(mem_ctx, cred->principal);
> -+ return talloc_strdup(mem_ctx, cred->principal);
> - }
> -
> - /**
> ---
> -1.9.3
> -
> -
> -From 5df785eba8389be9129984c6c5a1e59487685938 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 12:52:17 +0200
> -Subject: [PATCH 005/249] auth/credentials: add
> - cli_credentials_[set_]callback_data*
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 6ff6778bdc60f1cd4d52cba83bd47d3398fe5a20)
> ----
> - auth/credentials/credentials.c | 11 +++++++++++
> - auth/credentials/credentials.h | 8 ++++++++
> - 2 files changed, 19 insertions(+)
> -
> -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> -index 7a4b081..e6a4710 100644
> ---- a/auth/credentials/credentials.c
> -+++ b/auth/credentials/credentials.c
> -@@ -114,6 +114,17 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
> - return cred;
> - }
> -
> -+_PUBLIC_ void cli_credentials_set_callback_data(struct cli_credentials *cred,
> -+ void *callback_data)
> -+{
> -+ cred->priv_data = callback_data;
> -+}
> -+
> -+_PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
> -+{
> -+ return cred->priv_data;
> -+}
> -+
> - /**
> - * Create a new anonymous credential
> - * @param mem_ctx TALLOC_CTX parent for credentials structure
> -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
> -index dbc014f..0f498ad 100644
> ---- a/auth/credentials/credentials.h
> -+++ b/auth/credentials/credentials.h
> -@@ -332,6 +332,14 @@ bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
> - bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
> - const char *(*workstation_cb) (struct cli_credentials *));
> -
> -+void cli_credentials_set_callback_data(struct cli_credentials *cred,
> -+ void *callback_data);
> -+void *_cli_credentials_callback_data(struct cli_credentials *cred);
> -+#define cli_credentials_callback_data(_cred, _type) \
> -+ talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
> -+#define cli_credentials_callback_data_void(_cred) \
> -+ _cli_credentials_callback_data(_cred)
> -+
> - /**
> - * Return attached NETLOGON credentials
> - */
> ---
> -1.9.3
> -
> -
> -From 8fd0244ac8fe4998a0931bc9d51b9dfbb182a2e1 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 13:21:14 +0200
> -Subject: [PATCH 006/249] auth/credentials: add cli_credentials_shallow_copy()
> -
> -This is useful for testing.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit b3cd44d50cff99fa77611679d68d2d57434fefa4)
> ----
> - auth/credentials/credentials.c | 15 +++++++++++++++
> - auth/credentials/credentials.h | 3 +++
> - 2 files changed, 18 insertions(+)
> -
> -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> -index e6a4710..c1c6993 100644
> ---- a/auth/credentials/credentials.c
> -+++ b/auth/credentials/credentials.c
> -@@ -125,6 +125,21 @@ _PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
> - return cred->priv_data;
> - }
> -
> -+_PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
> -+ struct cli_credentials *src)
> -+{
> -+ struct cli_credentials *dst;
> -+
> -+ dst = talloc(mem_ctx, struct cli_credentials);
> -+ if (dst == NULL) {
> -+ return NULL;
> -+ }
> -+
> -+ *dst = *src;
> -+
> -+ return dst;
> -+}
> -+
> - /**
> - * Create a new anonymous credential
> - * @param mem_ctx TALLOC_CTX parent for credentials structure
> -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
> -index 0f498ad..1377bfa 100644
> ---- a/auth/credentials/credentials.h
> -+++ b/auth/credentials/credentials.h
> -@@ -340,6 +340,9 @@ void *_cli_credentials_callback_data(struct cli_credentials *cred);
> - #define cli_credentials_callback_data_void(_cred) \
> - _cli_credentials_callback_data(_cred)
> -
> -+struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
> -+ struct cli_credentials *src);
> -+
> - /**
> - * Return attached NETLOGON credentials
> - */
> ---
> -1.9.3
> -
> -
> -From 52e4028da5db90ce3ee410997ea3464374fec46b Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 13:20:13 +0200
> -Subject: [PATCH 007/249] s3:ntlm_auth: remove pointless credentials->priv_data
> - = NULL;
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit cfeeb3ce3de5d1df07299fb83327ae258da0bf8d)
> ----
> - source3/utils/ntlm_auth.c | 1 -
> - 1 file changed, 1 deletion(-)
> -
> -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> -index b3bbaa4..a5e0cd2 100644
> ---- a/source3/utils/ntlm_auth.c
> -+++ b/source3/utils/ntlm_auth.c
> -@@ -228,7 +228,6 @@ static const char *get_password(struct cli_credentials *credentials)
> -
> - /* Ask for a password */
> - x_fprintf(x_stdout, "PW\n");
> -- credentials->priv_data = NULL;
> -
> - manage_squid_request(NUM_HELPER_MODES /* bogus */, NULL, NULL, manage_gensec_get_pw_request, (void **)&password);
> - talloc_steal(credentials, password);
> ---
> -1.9.3
> -
> -
> -From bdfb13b91ce8961caeb98b01a75893895e8d484a Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 13:22:10 +0200
> -Subject: [PATCH 008/249] s4:torture/shell: simplify
> - cli_credentials_set_password() call
> -
> -All we want is to avoid a possible callback...
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 36b3c9506c1ac5549a38140e7ffd57644290069f)
> ----
> - source4/torture/shell.c | 5 +----
> - 1 file changed, 1 insertion(+), 4 deletions(-)
> -
> -diff --git a/source4/torture/shell.c b/source4/torture/shell.c
> -index d6cc94c..aa85da3 100644
> ---- a/source4/torture/shell.c
> -+++ b/source4/torture/shell.c
> -@@ -110,10 +110,7 @@ void torture_shell(struct torture_context *tctx)
> - * stops the credentials system prompting when we use the "auth"
> - * command to display the current auth parameters.
> - */
> -- if (cmdline_credentials->password_obtained != CRED_SPECIFIED) {
> -- cli_credentials_set_password(cmdline_credentials, "",
> -- CRED_SPECIFIED);
> -- }
> -+ cli_credentials_set_password(cmdline_credentials, "", CRED_GUESS_ENV);
> -
> - while (1) {
> - cline = smb_readline("torture> ", NULL, NULL);
> ---
> -1.9.3
> -
> -
> -From 91c0d6a26823f3057357c6b31bf1f686e5ed0f5e Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 13:23:08 +0200
> -Subject: [PATCH 009/249] s4:torture/gentest: make use of
> - cli_credentials_get_username()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit d36fcaa5f3c4d1ad54d767f4a7c5fa6c8d69c00e)
> ----
> - source4/torture/gentest.c | 3 ++-
> - 1 file changed, 2 insertions(+), 1 deletion(-)
> -
> -diff --git a/source4/torture/gentest.c b/source4/torture/gentest.c
> -index 91b60e2..586a25b 100644
> ---- a/source4/torture/gentest.c
> -+++ b/source4/torture/gentest.c
> -@@ -221,7 +221,8 @@ static bool connect_servers(struct tevent_context *ev,
> -
> - printf("Connecting to \\\\%s\\%s as %s - instance %d\n",
> - servers[i].server_name, servers[i].share_name,
> -- servers[i].credentials->username, j);
> -+ cli_credentials_get_username(servers[i].credentials),
> -+ j);
> -
> - cli_credentials_set_workstation(servers[i].credentials,
> - "gentest", CRED_SPECIFIED);
> ---
> -1.9.3
> -
> -
> -From 9687534ac54b732f73c3f4758055a278eaa0cbb2 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 13:23:41 +0200
> -Subject: [PATCH 010/249] s4:torture/rpc: make use of
> - cli_credentials_set_netlogon_creds()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit d47bf469b8a9064f4f7033918b1fe519adfa0c26)
> ----
> - source4/torture/rpc/schannel.c | 36 ++++++++++++++++--------------------
> - 1 file changed, 16 insertions(+), 20 deletions(-)
> -
> -diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
> -index e0862d2..8203749 100644
> ---- a/source4/torture/rpc/schannel.c
> -+++ b/source4/torture/rpc/schannel.c
> -@@ -604,9 +604,9 @@ bool torture_rpc_schannel2(struct torture_context *torture)
> - torture_assert(torture, join_ctx != NULL,
> - "Failed to join domain with acct_flags=ACB_WSTRUST");
> -
> -- credentials2 = (struct cli_credentials *)talloc_memdup(torture, credentials1, sizeof(*credentials1));
> -- credentials1->netlogon_creds = NULL;
> -- credentials2->netlogon_creds = NULL;
> -+ credentials2 = cli_credentials_shallow_copy(torture, credentials1);
> -+ cli_credentials_set_netlogon_creds(credentials1, NULL);
> -+ cli_credentials_set_netlogon_creds(credentials2, NULL);
> -
> - status = dcerpc_parse_binding(torture, binding, &b);
> - torture_assert_ntstatus_ok(torture, status, "Bad binding string");
> -@@ -624,8 +624,8 @@ bool torture_rpc_schannel2(struct torture_context *torture)
> - credentials2, torture->ev, torture->lp_ctx);
> - torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
> -
> -- credentials1->netlogon_creds = NULL;
> -- credentials2->netlogon_creds = NULL;
> -+ cli_credentials_set_netlogon_creds(credentials1, NULL);
> -+ cli_credentials_set_netlogon_creds(credentials2, NULL);
> -
> - torture_comment(torture, "Testing logon on pipe1\n");
> - if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
> -@@ -827,16 +827,12 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
> - s->nprocs = torture_setting_int(torture, "nprocs", 4);
> - s->conns = talloc_zero_array(s, struct torture_schannel_bench_conn, s->nprocs);
> -
> -- s->user1_creds = (struct cli_credentials *)talloc_memdup(s,
> -- cmdline_credentials,
> -- sizeof(*s->user1_creds));
> -+ s->user1_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
> - tmp = torture_setting_string(s->tctx, "extra_user1", NULL);
> - if (tmp) {
> - cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
> - }
> -- s->user2_creds = (struct cli_credentials *)talloc_memdup(s,
> -- cmdline_credentials,
> -- sizeof(*s->user1_creds));
> -+ s->user2_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
> - tmp = torture_setting_string(s->tctx, "extra_user2", NULL);
> - if (tmp) {
> - cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
> -@@ -855,15 +851,16 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
> - cli_credentials_set_kerberos_state(s->wks_creds2, CRED_DONT_USE_KERBEROS);
> -
> - for (i=0; i < s->nprocs; i++) {
> -- s->conns[i].s = s;
> -- s->conns[i].index = i;
> -- s->conns[i].wks_creds = (struct cli_credentials *)talloc_memdup(
> -- s->conns, s->wks_creds1,sizeof(*s->wks_creds1));
> -+ struct cli_credentials *wks = s->wks_creds1;
> -+
> - if ((i % 2) && (torture_setting_bool(torture, "multijoin", false))) {
> -- memcpy(s->conns[i].wks_creds, s->wks_creds2,
> -- talloc_get_size(s->conns[i].wks_creds));
> -+ wks = s->wks_creds2;
> - }
> -- s->conns[i].wks_creds->netlogon_creds = NULL;
> -+
> -+ s->conns[i].s = s;
> -+ s->conns[i].index = i;
> -+ s->conns[i].wks_creds = cli_credentials_shallow_copy(s->conns, wks);
> -+ cli_credentials_set_netlogon_creds(s->conns[i].wks_creds, NULL);
> - }
> -
> - status = dcerpc_parse_binding(s, binding, &s->b);
> -@@ -962,8 +959,7 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
> -
> - /* Just as a test, connect with the new creds */
> -
> -- talloc_free(s->wks_creds1->netlogon_creds);
> -- s->wks_creds1->netlogon_creds = NULL;
> -+ cli_credentials_set_netlogon_creds(s->wks_creds1, NULL);
> -
> - status = dcerpc_pipe_connect_b(s, &net_pipe, s->b,
> - &ndr_table_netlogon,
> ---
> -1.9.3
> -
> -
> -From de6c67e98d94d003f36fef5472b8133c578b3c01 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 13:24:21 +0200
> -Subject: [PATCH 011/249] s4:ntlm_auth: make use of
> - cli_credentials_[set_]callback_data*
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit bbd63dd8a17468d3e332969a30c06e2b2f1540fc)
> ----
> - source4/utils/ntlm_auth.c | 10 ++++++----
> - 1 file changed, 6 insertions(+), 4 deletions(-)
> -
> -diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
> -index c363c9d..136e238 100644
> ---- a/source4/utils/ntlm_auth.c
> -+++ b/source4/utils/ntlm_auth.c
> -@@ -299,10 +299,11 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod
> - static const char *get_password(struct cli_credentials *credentials)
> - {
> - char *password = NULL;
> --
> -+ void *cb = cli_credentials_callback_data_void(credentials);
> -+
> - /* Ask for a password */
> -- mux_printf((unsigned int)(uintptr_t)credentials->priv_data, "PW\n");
> -- credentials->priv_data = NULL;
> -+ mux_printf((unsigned int)(uintptr_t)cb, "PW\n");
> -+ cli_credentials_set_callback_data(credentials, NULL);
> -
> - manage_squid_request(cmdline_lp_ctx, NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password);
> - return password;
> -@@ -505,8 +506,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
> - if (state->set_password) {
> - cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
> - } else {
> -+ void *cb = (void*)(uintptr_t)mux_id;
> -+ cli_credentials_set_callback_data(creds, cb);
> - cli_credentials_set_password_callback(creds, get_password);
> -- creds->priv_data = (void*)(uintptr_t)mux_id;
> - }
> - if (opt_workstation) {
> - cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
> ---
> -1.9.3
> -
> -
> -From 80c611a2b424e4e4a7e6de7ed6b9368bff0d9afb Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 12:41:40 +0200
> -Subject: [PATCH 012/249] auth/credentials: keep cli_credentials private
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 9325bd9cb6bb942ea989f4e32799c76ea8af3d3e)
> ----
> - auth/credentials/credentials.c | 1 +
> - auth/credentials/credentials.h | 101 +++-------------------------
> - auth/credentials/credentials_internal.h | 114 ++++++++++++++++++++++++++++++++
> - auth/credentials/credentials_krb5.c | 1 +
> - auth/credentials/credentials_ntlm.c | 1 +
> - auth/credentials/credentials_secrets.c | 1 +
> - 6 files changed, 126 insertions(+), 93 deletions(-)
> - create mode 100644 auth/credentials/credentials_internal.h
> -
> -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> -index c1c6993..f334465 100644
> ---- a/auth/credentials/credentials.c
> -+++ b/auth/credentials/credentials.c
> -@@ -24,6 +24,7 @@
> - #include "includes.h"
> - #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
> - #include "auth/credentials/credentials.h"
> -+#include "auth/credentials/credentials_internal.h"
> - #include "libcli/auth/libcli_auth.h"
> - #include "tevent.h"
> - #include "param/param.h"
> -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
> -index 1377bfa..cb09dc3 100644
> ---- a/auth/credentials/credentials.h
> -+++ b/auth/credentials/credentials.h
> -@@ -25,9 +25,17 @@
> - #include "../lib/util/data_blob.h"
> - #include "librpc/gen_ndr/misc.h"
> -
> -+struct cli_credentials;
> - struct ccache_container;
> - struct tevent_context;
> - struct netlogon_creds_CredentialState;
> -+struct ldb_context;
> -+struct ldb_message;
> -+struct loadparm_context;
> -+struct ccache_container;
> -+struct gssapi_creds_container;
> -+struct smb_krb5_context;
> -+struct keytab_container;
> -
> - /* In order of priority */
> - enum credentials_obtained {
> -@@ -57,99 +65,6 @@ enum credentials_krb_forwardable {
> - #define CLI_CRED_NTLM_AUTH 0x08
> - #define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
> -
> --struct cli_credentials {
> -- enum credentials_obtained workstation_obtained;
> -- enum credentials_obtained username_obtained;
> -- enum credentials_obtained password_obtained;
> -- enum credentials_obtained domain_obtained;
> -- enum credentials_obtained realm_obtained;
> -- enum credentials_obtained ccache_obtained;
> -- enum credentials_obtained client_gss_creds_obtained;
> -- enum credentials_obtained principal_obtained;
> -- enum credentials_obtained keytab_obtained;
> -- enum credentials_obtained server_gss_creds_obtained;
> --
> -- /* Threshold values (essentially a MAX() over a number of the
> -- * above) for the ccache and GSS credentials, to ensure we
> -- * regenerate/pick correctly */
> --
> -- enum credentials_obtained ccache_threshold;
> -- enum credentials_obtained client_gss_creds_threshold;
> --
> -- const char *workstation;
> -- const char *username;
> -- const char *password;
> -- const char *old_password;
> -- const char *domain;
> -- const char *realm;
> -- const char *principal;
> -- char *salt_principal;
> -- char *impersonate_principal;
> -- char *self_service;
> -- char *target_service;
> --
> -- const char *bind_dn;
> --
> -- /* Allows authentication from a keytab or similar */
> -- struct samr_Password *nt_hash;
> --
> -- /* Allows NTLM pass-though authentication */
> -- DATA_BLOB lm_response;
> -- DATA_BLOB nt_response;
> --
> -- struct ccache_container *ccache;
> -- struct gssapi_creds_container *client_gss_creds;
> -- struct keytab_container *keytab;
> -- struct gssapi_creds_container *server_gss_creds;
> --
> -- const char *(*workstation_cb) (struct cli_credentials *);
> -- const char *(*password_cb) (struct cli_credentials *);
> -- const char *(*username_cb) (struct cli_credentials *);
> -- const char *(*domain_cb) (struct cli_credentials *);
> -- const char *(*realm_cb) (struct cli_credentials *);
> -- const char *(*principal_cb) (struct cli_credentials *);
> --
> -- /* Private handle for the callback routines to use */
> -- void *priv_data;
> --
> -- struct netlogon_creds_CredentialState *netlogon_creds;
> -- enum netr_SchannelType secure_channel_type;
> -- int kvno;
> -- time_t password_last_changed_time;
> --
> -- struct smb_krb5_context *smb_krb5_context;
> --
> -- /* We are flagged to get machine account details from the
> -- * secrets.ldb when we are asked for a username or password */
> -- bool machine_account_pending;
> -- struct loadparm_context *machine_account_pending_lp_ctx;
> --
> -- /* Is this a machine account? */
> -- bool machine_account;
> --
> -- /* Should we be trying to use kerberos? */
> -- enum credentials_use_kerberos use_kerberos;
> --
> -- /* Should we get a forwardable ticket? */
> -- enum credentials_krb_forwardable krb_forwardable;
> --
> -- /* gensec features which should be used for connections */
> -- uint32_t gensec_features;
> --
> -- /* Number of retries left before bailing out */
> -- int tries;
> --
> -- /* Whether any callback is currently running */
> -- bool callback_running;
> --};
> --
> --struct ldb_context;
> --struct ldb_message;
> --struct loadparm_context;
> --struct ccache_container;
> --
> --struct gssapi_creds_container;
> --
> - const char *cli_credentials_get_workstation(struct cli_credentials *cred);
> - bool cli_credentials_set_workstation(struct cli_credentials *cred,
> - const char *val,
> -diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
> -new file mode 100644
> -index 0000000..5a3655b
> ---- /dev/null
> -+++ b/auth/credentials/credentials_internal.h
> -@@ -0,0 +1,114 @@
> -+/*
> -+ samba -- Unix SMB/CIFS implementation.
> -+
> -+ Client credentials structure
> -+
> -+ Copyright (C) Jelmer Vernooij 2004-2006
> -+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
> -+
> -+ This program is free software; you can redistribute it and/or modify
> -+ it under the terms of the GNU General Public License as published by
> -+ the Free Software Foundation; either version 3 of the License, or
> -+ (at your option) any later version.
> -+
> -+ This program is distributed in the hope that it will be useful,
> -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -+ GNU General Public License for more details.
> -+
> -+ You should have received a copy of the GNU General Public License
> -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> -+*/
> -+#ifndef __CREDENTIALS_INTERNAL_H__
> -+#define __CREDENTIALS_INTERNAL_H__
> -+
> -+#include "../lib/util/data_blob.h"
> -+#include "librpc/gen_ndr/misc.h"
> -+
> -+struct cli_credentials {
> -+ enum credentials_obtained workstation_obtained;
> -+ enum credentials_obtained username_obtained;
> -+ enum credentials_obtained password_obtained;
> -+ enum credentials_obtained domain_obtained;
> -+ enum credentials_obtained realm_obtained;
> -+ enum credentials_obtained ccache_obtained;
> -+ enum credentials_obtained client_gss_creds_obtained;
> -+ enum credentials_obtained principal_obtained;
> -+ enum credentials_obtained keytab_obtained;
> -+ enum credentials_obtained server_gss_creds_obtained;
> -+
> -+ /* Threshold values (essentially a MAX() over a number of the
> -+ * above) for the ccache and GSS credentials, to ensure we
> -+ * regenerate/pick correctly */
> -+
> -+ enum credentials_obtained ccache_threshold;
> -+ enum credentials_obtained client_gss_creds_threshold;
> -+
> -+ const char *workstation;
> -+ const char *username;
> -+ const char *password;
> -+ const char *old_password;
> -+ const char *domain;
> -+ const char *realm;
> -+ const char *principal;
> -+ char *salt_principal;
> -+ char *impersonate_principal;
> -+ char *self_service;
> -+ char *target_service;
> -+
> -+ const char *bind_dn;
> -+
> -+ /* Allows authentication from a keytab or similar */
> -+ struct samr_Password *nt_hash;
> -+
> -+ /* Allows NTLM pass-though authentication */
> -+ DATA_BLOB lm_response;
> -+ DATA_BLOB nt_response;
> -+
> -+ struct ccache_container *ccache;
> -+ struct gssapi_creds_container *client_gss_creds;
> -+ struct keytab_container *keytab;
> -+ struct gssapi_creds_container *server_gss_creds;
> -+
> -+ const char *(*workstation_cb) (struct cli_credentials *);
> -+ const char *(*password_cb) (struct cli_credentials *);
> -+ const char *(*username_cb) (struct cli_credentials *);
> -+ const char *(*domain_cb) (struct cli_credentials *);
> -+ const char *(*realm_cb) (struct cli_credentials *);
> -+ const char *(*principal_cb) (struct cli_credentials *);
> -+
> -+ /* Private handle for the callback routines to use */
> -+ void *priv_data;
> -+
> -+ struct netlogon_creds_CredentialState *netlogon_creds;
> -+ enum netr_SchannelType secure_channel_type;
> -+ int kvno;
> -+ time_t password_last_changed_time;
> -+
> -+ struct smb_krb5_context *smb_krb5_context;
> -+
> -+ /* We are flagged to get machine account details from the
> -+ * secrets.ldb when we are asked for a username or password */
> -+ bool machine_account_pending;
> -+ struct loadparm_context *machine_account_pending_lp_ctx;
> -+
> -+ /* Is this a machine account? */
> -+ bool machine_account;
> -+
> -+ /* Should we be trying to use kerberos? */
> -+ enum credentials_use_kerberos use_kerberos;
> -+
> -+ /* Should we get a forwardable ticket? */
> -+ enum credentials_krb_forwardable krb_forwardable;
> -+
> -+ /* gensec features which should be used for connections */
> -+ uint32_t gensec_features;
> -+
> -+ /* Number of retries left before bailing out */
> -+ int tries;
> -+
> -+ /* Whether any callback is currently running */
> -+ bool callback_running;
> -+};
> -+
> -+#endif /* __CREDENTIALS_INTERNAL_H__ */
> -diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
> -index ec6a695..489a959 100644
> ---- a/auth/credentials/credentials_krb5.c
> -+++ b/auth/credentials/credentials_krb5.c
> -@@ -26,6 +26,7 @@
> - #include "system/gssapi.h"
> - #include "auth/kerberos/kerberos.h"
> - #include "auth/credentials/credentials.h"
> -+#include "auth/credentials/credentials_internal.h"
> - #include "auth/credentials/credentials_proto.h"
> - #include "auth/credentials/credentials_krb5.h"
> - #include "auth/kerberos/kerberos_credentials.h"
> -diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
> -index 8f143bf..8c6be39 100644
> ---- a/auth/credentials/credentials_ntlm.c
> -+++ b/auth/credentials/credentials_ntlm.c
> -@@ -26,6 +26,7 @@
> - #include "../lib/crypto/crypto.h"
> - #include "libcli/auth/libcli_auth.h"
> - #include "auth/credentials/credentials.h"
> -+#include "auth/credentials/credentials_internal.h"
> -
> - _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
> - int *flags,
> -diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
> -index 27ee607..678d167 100644
> ---- a/auth/credentials/credentials_secrets.c
> -+++ b/auth/credentials/credentials_secrets.c
> -@@ -28,6 +28,7 @@
> - #include "param/secrets.h"
> - #include "system/filesys.h"
> - #include "auth/credentials/credentials.h"
> -+#include "auth/credentials/credentials_internal.h"
> - #include "auth/credentials/credentials_proto.h"
> - #include "auth/credentials/credentials_krb5.h"
> - #include "auth/kerberos/kerberos_util.h"
> ---
> -1.9.3
> -
> -
> -From 96ea01159cfee1e384dbd5966c7eb512d495e322 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 13:39:17 +0200
> -Subject: [PATCH 013/249] auth/credentials: get the old password from
> - secrets.tdb
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 26a7420c1c4307023b22676cd85d95010ecbf603)
> ----
> - auth/credentials/credentials_secrets.c | 11 +++++++++++
> - 1 file changed, 11 insertions(+)
> -
> -diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
> -index 678d167..6c1cded 100644
> ---- a/auth/credentials/credentials_secrets.c
> -+++ b/auth/credentials/credentials_secrets.c
> -@@ -238,6 +238,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
> - bool secrets_tdb_password_more_recent;
> - time_t secrets_tdb_lct = 0;
> - char *secrets_tdb_password = NULL;
> -+ char *secrets_tdb_old_password = NULL;
> - char *keystr;
> - char *keystr_upper = NULL;
> - char *secrets_tdb;
> -@@ -285,6 +286,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
> - if (NT_STATUS_IS_OK(status)) {
> - secrets_tdb_password = (char *)dbuf.dptr;
> - }
> -+ keystr = talloc_asprintf(tmp_ctx, "%s/%s",
> -+ SECRETS_MACHINE_PASSWORD_PREV,
> -+ domain);
> -+ keystr_upper = strupper_talloc(tmp_ctx, keystr);
> -+ status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
> -+ &dbuf);
> -+ if (NT_STATUS_IS_OK(status)) {
> -+ secrets_tdb_old_password = (char *)dbuf.dptr;
> -+ }
> - }
> -
> - filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
> -@@ -308,6 +318,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
> - if (secrets_tdb_password_more_recent) {
> - char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
> - cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
> -+ cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
> - cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
> - cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
> - } else if (!NT_STATUS_IS_OK(status)) {
> ---
> -1.9.3
> -
> -
> -From 74f5c14921f53b95b64dbcbf0352a89d50b20af1 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 14:25:54 +0200
> -Subject: [PATCH 014/249] auth/credentials: simplify password_tries state
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 8ea36a8e58d499aa7bf342b365ca00cb39f295b6)
> ----
> - auth/credentials/credentials.c | 19 ++++++++++++++-----
> - auth/credentials/credentials_internal.h | 2 +-
> - 2 files changed, 15 insertions(+), 6 deletions(-)
> -
> -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> -index f334465..4ac5356 100644
> ---- a/auth/credentials/credentials.c
> -+++ b/auth/credentials/credentials.c
> -@@ -104,7 +104,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
> -
> - cred->machine_account = false;
> -
> -- cred->tries = 3;
> -+ cred->password_tries = 0;
> -
> - cred->callback_running = false;
> -
> -@@ -397,6 +397,7 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
> - enum credentials_obtained obtained)
> - {
> - if (obtained >= cred->password_obtained) {
> -+ cred->password_tries = 0;
> - cred->password = talloc_strdup(cred, val);
> - if (cred->password) {
> - /* Don't print the actual password in talloc memory dumps */
> -@@ -418,6 +419,7 @@ _PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred
> - const char *(*password_cb) (struct cli_credentials *))
> - {
> - if (cred->password_obtained < CRED_CALLBACK) {
> -+ cred->password_tries = 3;
> - cred->password_cb = password_cb;
> - cred->password_obtained = CRED_CALLBACK;
> - cli_credentials_invalidate_ccache(cred, cred->password_obtained);
> -@@ -897,12 +899,19 @@ _PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred)
> - if (cred->password_obtained != CRED_CALLBACK_RESULT) {
> - return false;
> - }
> --
> -- cred->password_obtained = CRED_CALLBACK;
> -
> -- cred->tries--;
> -+ if (cred->password_tries == 0) {
> -+ return false;
> -+ }
> -+
> -+ cred->password_tries--;
> -
> -- return (cred->tries > 0);
> -+ if (cred->password_tries == 0) {
> -+ return false;
> -+ }
> -+
> -+ cred->password_obtained = CRED_CALLBACK;
> -+ return true;
> - }
> -
> - _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
> -diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
> -index 5a3655b..f2f79b9 100644
> ---- a/auth/credentials/credentials_internal.h
> -+++ b/auth/credentials/credentials_internal.h
> -@@ -105,7 +105,7 @@ struct cli_credentials {
> - uint32_t gensec_features;
> -
> - /* Number of retries left before bailing out */
> -- int tries;
> -+ uint32_t password_tries;
> -
> - /* Whether any callback is currently running */
> - bool callback_running;
> ---
> -1.9.3
> -
> -
> -From 8d2c51caeecebc0b7d16fb7cf7b7fe2f2b5d8edd Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 31 Jul 2013 14:32:36 +0200
> -Subject: [PATCH 015/249] auth/credentials: use CRED_CALLBACK_RESULT after a
> - callback
> -
> -We only do this if it's still CRED_CALLBACK after the callback,
> -this allowes the callback to overwrite it.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -
> -Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
> -Autobuild-Date(master): Mon Aug 5 09:36:05 CEST 2013 on sn-devel-104
> -(cherry picked from commit b699d404bb5d4385a757b5aa5d0e792cf9d5de59)
> ----
> - auth/credentials/credentials.c | 34 +++++++++++++++++++++++-----------
> - 1 file changed, 23 insertions(+), 11 deletions(-)
> -
> -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> -index 4ac5356..be497bc 100644
> ---- a/auth/credentials/credentials.c
> -+++ b/auth/credentials/credentials.c
> -@@ -206,8 +206,10 @@ _PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
> - cred->callback_running = true;
> - cred->username = cred->username_cb(cred);
> - cred->callback_running = false;
> -- cred->username_obtained = CRED_SPECIFIED;
> -- cli_credentials_invalidate_ccache(cred, cred->username_obtained);
> -+ if (cred->username_obtained == CRED_CALLBACK) {
> -+ cred->username_obtained = CRED_CALLBACK_RESULT;
> -+ cli_credentials_invalidate_ccache(cred, cred->username_obtained);
> -+ }
> - }
> -
> - return cred->username;
> -@@ -275,8 +277,10 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
> - cred->callback_running = true;
> - cred->principal = cred->principal_cb(cred);
> - cred->callback_running = false;
> -- cred->principal_obtained = CRED_SPECIFIED;
> -- cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
> -+ if (cred->principal_obtained == CRED_CALLBACK) {
> -+ cred->principal_obtained = CRED_CALLBACK_RESULT;
> -+ cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
> -+ }
> - }
> -
> - if (cred->principal_obtained < cred->username_obtained
> -@@ -382,8 +386,10 @@ _PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
> - cred->callback_running = true;
> - cred->password = cred->password_cb(cred);
> - cred->callback_running = false;
> -- cred->password_obtained = CRED_CALLBACK_RESULT;
> -- cli_credentials_invalidate_ccache(cred, cred->password_obtained);
> -+ if (cred->password_obtained == CRED_CALLBACK) {
> -+ cred->password_obtained = CRED_CALLBACK_RESULT;
> -+ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
> -+ }
> - }
> -
> - return cred->password;
> -@@ -502,8 +508,10 @@ _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
> - cred->callback_running = true;
> - cred->domain = cred->domain_cb(cred);
> - cred->callback_running = false;
> -- cred->domain_obtained = CRED_SPECIFIED;
> -- cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
> -+ if (cred->domain_obtained == CRED_CALLBACK) {
> -+ cred->domain_obtained = CRED_CALLBACK_RESULT;
> -+ cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
> -+ }
> - }
> -
> - return cred->domain;
> -@@ -561,8 +569,10 @@ _PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred)
> - cred->callback_running = true;
> - cred->realm = cred->realm_cb(cred);
> - cred->callback_running = false;
> -- cred->realm_obtained = CRED_SPECIFIED;
> -- cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
> -+ if (cred->realm_obtained == CRED_CALLBACK) {
> -+ cred->realm_obtained = CRED_CALLBACK_RESULT;
> -+ cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
> -+ }
> - }
> -
> - return cred->realm;
> -@@ -612,7 +622,9 @@ _PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cre
> - cred->callback_running = true;
> - cred->workstation = cred->workstation_cb(cred);
> - cred->callback_running = false;
> -- cred->workstation_obtained = CRED_SPECIFIED;
> -+ if (cred->workstation_obtained == CRED_CALLBACK) {
> -+ cred->workstation_obtained = CRED_CALLBACK_RESULT;
> -+ }
> - }
> -
> - return cred->workstation;
> ---
> -1.9.3
> -
> -
> -From a498324b38326a874616b0bab1e5a9cd29b664ce Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 17 May 2013 16:02:59 +0200
> -Subject: [PATCH 016/249] s3-net: pass down ndr_interface_table to
> - connect_dst_pipe().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 93e92faca9c99cd91878c2f48fb244233b16aa0f)
> ----
> - source3/utils/net_proto.h | 2 +-
> - source3/utils/net_rpc.c | 4 ++--
> - source3/utils/net_rpc_printer.c | 10 +++++-----
> - source3/utils/net_util.c | 4 ++--
> - 4 files changed, 10 insertions(+), 10 deletions(-)
> -
> -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
> -index 3f99e14..03fb312 100644
> ---- a/source3/utils/net_proto.h
> -+++ b/source3/utils/net_proto.h
> -@@ -416,7 +416,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
> - const char *server_name);
> - NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
> - struct rpc_pipe_client **pp_pipe_hnd,
> -- const struct ndr_syntax_id *interface);
> -+ const struct ndr_interface_table *table);
> - int net_use_krb_machine_account(struct net_context *c);
> - int net_use_machine_account(struct net_context *c);
> - bool net_find_server(struct net_context *c,
> -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> -index c5c4d6c..4503f59 100644
> ---- a/source3/utils/net_rpc.c
> -+++ b/source3/utils/net_rpc.c
> -@@ -3654,7 +3654,7 @@ static NTSTATUS rpc_share_migrate_shares_internals(struct net_context *c,
> -
> - /* connect destination PI_SRVSVC */
> - nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
> -- &ndr_table_srvsvc.syntax_id);
> -+ &ndr_table_srvsvc);
> - if (!NT_STATUS_IS_OK(nt_status))
> - return nt_status;
> -
> -@@ -4140,7 +4140,7 @@ static NTSTATUS rpc_share_migrate_security_internals(struct net_context *c,
> -
> - /* connect destination PI_SRVSVC */
> - nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
> -- &ndr_table_srvsvc.syntax_id);
> -+ &ndr_table_srvsvc);
> - if (!NT_STATUS_IS_OK(nt_status))
> - return nt_status;
> -
> -diff --git a/source3/utils/net_rpc_printer.c b/source3/utils/net_rpc_printer.c
> -index ba34de1..1e42e6f 100644
> ---- a/source3/utils/net_rpc_printer.c
> -+++ b/source3/utils/net_rpc_printer.c
> -@@ -1578,7 +1578,7 @@ NTSTATUS rpc_printer_migrate_security_internals(struct net_context *c,
> -
> - /* connect destination PI_SPOOLSS */
> - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> -- &ndr_table_spoolss.syntax_id);
> -+ &ndr_table_spoolss);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - return nt_status;
> - }
> -@@ -1730,7 +1730,7 @@ NTSTATUS rpc_printer_migrate_forms_internals(struct net_context *c,
> -
> - /* connect destination PI_SPOOLSS */
> - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> -- &ndr_table_spoolss.syntax_id);
> -+ &ndr_table_spoolss);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - return nt_status;
> - }
> -@@ -1907,7 +1907,7 @@ NTSTATUS rpc_printer_migrate_drivers_internals(struct net_context *c,
> - DEBUG(3,("copying printer-drivers\n"));
> -
> - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> -- &ndr_table_spoolss.syntax_id);
> -+ &ndr_table_spoolss);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - return nt_status;
> - }
> -@@ -2126,7 +2126,7 @@ NTSTATUS rpc_printer_migrate_printers_internals(struct net_context *c,
> -
> - /* connect destination PI_SPOOLSS */
> - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> -- &ndr_table_spoolss.syntax_id);
> -+ &ndr_table_spoolss);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - return nt_status;
> - }
> -@@ -2301,7 +2301,7 @@ NTSTATUS rpc_printer_migrate_settings_internals(struct net_context *c,
> -
> - /* connect destination PI_SPOOLSS */
> - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> -- &ndr_table_spoolss.syntax_id);
> -+ &ndr_table_spoolss);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - return nt_status;
> - }
> -diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
> -index 9c4a77e..a4282ec 100644
> ---- a/source3/utils/net_util.c
> -+++ b/source3/utils/net_util.c
> -@@ -231,7 +231,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
> - **/
> - NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
> - struct rpc_pipe_client **pp_pipe_hnd,
> -- const struct ndr_syntax_id *interface)
> -+ const struct ndr_interface_table *table)
> - {
> - NTSTATUS nt_status;
> - char *server_name = SMB_STRDUP("127.0.0.1");
> -@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
> - return nt_status;
> - }
> -
> -- nt_status = cli_rpc_pipe_open_noauth(cli_tmp, interface,
> -+ nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - DEBUG(0, ("couldn't not initialize pipe\n"));
> ---
> -1.9.3
> -
> -
> -From d5273069a42d7234daaf3dd043d0a6e455348385 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 17 May 2013 16:24:42 +0200
> -Subject: [PATCH 017/249] s3-rpc_cli: remove prototype of nonexisting
> - cli_rpc_pipe_open_krb5().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit a1368ca6ef8ab4f158c8b303ad058835f1bbf441)
> ----
> - source3/rpc_client/cli_pipe.h | 9 ---------
> - 1 file changed, 9 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index bf785fb..34ae542 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -131,15 +131,6 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> - const char *domain,
> - struct rpc_pipe_client **presult);
> -
> --NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
> -- const struct ndr_syntax_id *interface,
> -- enum dcerpc_transport_t transport,
> -- enum dcerpc_AuthLevel auth_level,
> -- const char *service_princ,
> -- const char *username,
> -- const char *password,
> -- struct rpc_pipe_client **presult);
> --
> - NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> - struct rpc_pipe_client *cli,
> - DATA_BLOB *session_key);
> ---
> -1.9.3
> -
> -
> -From 1a6c1ddb44aac3f201bbe2cabab10e409ffd042b Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 17 May 2013 16:08:16 +0200
> -Subject: [PATCH 018/249] s3-libnetapi: pass down ndr_interface_table to
> - libnetapi_get_binding_handle().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit fa37bbd9d06865d265bf554a3c49920f956f2185)
> ----
> - source3/lib/netapi/cm.c | 4 ++--
> - source3/lib/netapi/file.c | 6 +++---
> - source3/lib/netapi/getdc.c | 6 +++---
> - source3/lib/netapi/netapi_private.h | 3 ++-
> - source3/lib/netapi/netlogon.c | 4 ++--
> - source3/lib/netapi/serverinfo.c | 6 +++---
> - source3/lib/netapi/share.c | 10 +++++-----
> - source3/lib/netapi/shutdown.c | 4 ++--
> - 8 files changed, 22 insertions(+), 21 deletions(-)
> -
> -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> -index da3d2e1..c3ae19f 100644
> ---- a/source3/lib/netapi/cm.c
> -+++ b/source3/lib/netapi/cm.c
> -@@ -269,7 +269,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> -
> - WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> - const char *server_name,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - struct dcerpc_binding_handle **binding_handle)
> - {
> - struct rpc_pipe_client *pipe_cli;
> -@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> -
> - *binding_handle = NULL;
> -
> -- result = libnetapi_open_pipe(ctx, server_name, interface, &pipe_cli);
> -+ result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
> - if (!W_ERROR_IS_OK(result)) {
> - return result;
> - }
> -diff --git a/source3/lib/netapi/file.c b/source3/lib/netapi/file.c
> -index 1e406d2..551f9ff 100644
> ---- a/source3/lib/netapi/file.c
> -+++ b/source3/lib/netapi/file.c
> -@@ -36,7 +36,7 @@ WERROR NetFileClose_r(struct libnetapi_ctx *ctx,
> - struct dcerpc_binding_handle *b;
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_srvsvc.syntax_id,
> -+ &ndr_table_srvsvc,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -130,7 +130,7 @@ WERROR NetFileGetInfo_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_srvsvc.syntax_id,
> -+ &ndr_table_srvsvc,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -201,7 +201,7 @@ WERROR NetFileEnum_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_srvsvc.syntax_id,
> -+ &ndr_table_srvsvc,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -diff --git a/source3/lib/netapi/getdc.c b/source3/lib/netapi/getdc.c
> -index 3b26d46..ae976f1 100644
> ---- a/source3/lib/netapi/getdc.c
> -+++ b/source3/lib/netapi/getdc.c
> -@@ -47,7 +47,7 @@ WERROR NetGetDCName_r(struct libnetapi_ctx *ctx,
> - void *buffer;
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_netlogon.syntax_id,
> -+ &ndr_table_netlogon,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -101,7 +101,7 @@ WERROR NetGetAnyDCName_r(struct libnetapi_ctx *ctx,
> - void *buffer;
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_netlogon.syntax_id,
> -+ &ndr_table_netlogon,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -173,7 +173,7 @@ WERROR DsGetDcName_r(struct libnetapi_ctx *ctx,
> - struct dcerpc_binding_handle *b;
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_netlogon.syntax_id,
> -+ &ndr_table_netlogon,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
> -index 349287b..62aa7ef 100644
> ---- a/source3/lib/netapi/netapi_private.h
> -+++ b/source3/lib/netapi/netapi_private.h
> -@@ -30,6 +30,7 @@
> - return fn ## _r(ctx, r);
> -
> - struct dcerpc_binding_handle;
> -+struct ndr_interface_table;
> -
> - struct libnetapi_private_ctx {
> - struct {
> -@@ -64,7 +65,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> - struct rpc_pipe_client **presult);
> - WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> - const char *server_name,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - struct dcerpc_binding_handle **binding_handle);
> - WERROR libnetapi_samr_open_domain(struct libnetapi_ctx *mem_ctx,
> - struct rpc_pipe_client *pipe_cli,
> -diff --git a/source3/lib/netapi/netlogon.c b/source3/lib/netapi/netlogon.c
> -index a046fb7..136cb48 100644
> ---- a/source3/lib/netapi/netlogon.c
> -+++ b/source3/lib/netapi/netlogon.c
> -@@ -133,7 +133,7 @@ WERROR I_NetLogonControl_r(struct libnetapi_ctx *ctx,
> - struct dcerpc_binding_handle *b;
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_netlogon.syntax_id,
> -+ &ndr_table_netlogon,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -190,7 +190,7 @@ WERROR I_NetLogonControl2_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_netlogon.syntax_id,
> -+ &ndr_table_netlogon,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -diff --git a/source3/lib/netapi/serverinfo.c b/source3/lib/netapi/serverinfo.c
> -index 046b693..b2a84d1 100644
> ---- a/source3/lib/netapi/serverinfo.c
> -+++ b/source3/lib/netapi/serverinfo.c
> -@@ -503,7 +503,7 @@ WERROR NetServerGetInfo_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_srvsvc.syntax_id,
> -+ &ndr_table_srvsvc,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -616,7 +616,7 @@ WERROR NetServerSetInfo_r(struct libnetapi_ctx *ctx,
> - struct dcerpc_binding_handle *b;
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_srvsvc.syntax_id,
> -+ &ndr_table_srvsvc,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -658,7 +658,7 @@ WERROR NetRemoteTOD_r(struct libnetapi_ctx *ctx,
> - struct dcerpc_binding_handle *b;
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_srvsvc.syntax_id,
> -+ &ndr_table_srvsvc,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -diff --git a/source3/lib/netapi/share.c b/source3/lib/netapi/share.c
> -index d12fa1c..090e1a9 100644
> ---- a/source3/lib/netapi/share.c
> -+++ b/source3/lib/netapi/share.c
> -@@ -200,7 +200,7 @@ WERROR NetShareAdd_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_srvsvc.syntax_id,
> -+ &ndr_table_srvsvc,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -258,7 +258,7 @@ WERROR NetShareDel_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_srvsvc.syntax_id,
> -+ &ndr_table_srvsvc,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -321,7 +321,7 @@ WERROR NetShareEnum_r(struct libnetapi_ctx *ctx,
> - ZERO_STRUCT(info_ctr);
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_srvsvc.syntax_id,
> -+ &ndr_table_srvsvc,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -428,7 +428,7 @@ WERROR NetShareGetInfo_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_srvsvc.syntax_id,
> -+ &ndr_table_srvsvc,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -502,7 +502,7 @@ WERROR NetShareSetInfo_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_srvsvc.syntax_id,
> -+ &ndr_table_srvsvc,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -diff --git a/source3/lib/netapi/shutdown.c b/source3/lib/netapi/shutdown.c
> -index 78bc2fc..9e1e8e1 100644
> ---- a/source3/lib/netapi/shutdown.c
> -+++ b/source3/lib/netapi/shutdown.c
> -@@ -38,7 +38,7 @@ WERROR NetShutdownInit_r(struct libnetapi_ctx *ctx,
> - struct dcerpc_binding_handle *b;
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_initshutdown.syntax_id,
> -+ &ndr_table_initshutdown,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -82,7 +82,7 @@ WERROR NetShutdownAbort_r(struct libnetapi_ctx *ctx,
> - struct dcerpc_binding_handle *b;
> -
> - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> -- &ndr_table_initshutdown.syntax_id,
> -+ &ndr_table_initshutdown,
> - &b);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> ---
> -1.9.3
> -
> -
> -From e25e7bfe15bdb89a9680708c27b50e14a8a86ca3 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 17 May 2013 16:10:13 +0200
> -Subject: [PATCH 019/249] s3-libnetapi: pass down ndr_interface_table to
> - libnetapi_open_pipe().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 77f7f2a976e5b95f3bd9f542b92926adee4f5fa6)
> ----
> - source3/lib/netapi/cm.c | 8 ++++----
> - source3/lib/netapi/group.c | 18 +++++++++---------
> - source3/lib/netapi/joindomain.c | 10 +++++-----
> - source3/lib/netapi/localgroup.c | 14 +++++++-------
> - source3/lib/netapi/netapi_private.h | 2 +-
> - source3/lib/netapi/user.c | 22 +++++++++++-----------
> - 6 files changed, 37 insertions(+), 37 deletions(-)
> -
> -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> -index c3ae19f..dd1f1e3 100644
> ---- a/source3/lib/netapi/cm.c
> -+++ b/source3/lib/netapi/cm.c
> -@@ -234,7 +234,7 @@ static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
> -
> - WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> - const char *server_name,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult)
> - {
> - struct rpc_pipe_client *result = NULL;
> -@@ -251,10 +251,10 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> - return werr;
> - }
> -
> -- status = pipe_cm_open(ctx, ipc, interface, &result);
> -+ status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
> - if (!NT_STATUS_IS_OK(status)) {
> - libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
> -- get_pipe_name_from_syntax(talloc_tos(), interface),
> -+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> - get_friendly_nt_error_msg(status));
> - return WERR_DEST_NOT_FOUND;
> - }
> -@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> -
> - *binding_handle = NULL;
> -
> -- result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
> -+ result = libnetapi_open_pipe(ctx, server_name, table, &pipe_cli);
> - if (!W_ERROR_IS_OK(result)) {
> - return result;
> - }
> -diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
> -index b806fc4..6d9b248 100644
> ---- a/source3/lib/netapi/group.c
> -+++ b/source3/lib/netapi/group.c
> -@@ -76,7 +76,7 @@ WERROR NetGroupAdd_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -272,7 +272,7 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -492,7 +492,7 @@ WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -770,7 +770,7 @@ WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -918,7 +918,7 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -1078,7 +1078,7 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -1397,7 +1397,7 @@ WERROR NetGroupEnum_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -1544,7 +1544,7 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
> -
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -1736,7 +1736,7 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
> -index b6fb57a..d8e624f 100644
> ---- a/source3/lib/netapi/joindomain.c
> -+++ b/source3/lib/netapi/joindomain.c
> -@@ -116,7 +116,7 @@ WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
> - DATA_BLOB session_key;
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server,
> -- &ndr_table_wkssvc.syntax_id,
> -+ &ndr_table_wkssvc,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -257,7 +257,7 @@ WERROR NetUnjoinDomain_r(struct libnetapi_ctx *ctx,
> - DATA_BLOB session_key;
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_wkssvc.syntax_id,
> -+ &ndr_table_wkssvc,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -313,7 +313,7 @@ WERROR NetGetJoinInformation_r(struct libnetapi_ctx *ctx,
> - struct dcerpc_binding_handle *b;
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_wkssvc.syntax_id,
> -+ &ndr_table_wkssvc,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -455,7 +455,7 @@ WERROR NetGetJoinableOUs_r(struct libnetapi_ctx *ctx,
> - DATA_BLOB session_key;
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_wkssvc.syntax_id,
> -+ &ndr_table_wkssvc,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -508,7 +508,7 @@ WERROR NetRenameMachineInDomain_r(struct libnetapi_ctx *ctx,
> - DATA_BLOB session_key;
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_wkssvc.syntax_id,
> -+ &ndr_table_wkssvc,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
> -index 17cab68..241970d 100644
> ---- a/source3/lib/netapi/localgroup.c
> -+++ b/source3/lib/netapi/localgroup.c
> -@@ -185,7 +185,7 @@ WERROR NetLocalGroupAdd_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -319,7 +319,7 @@ WERROR NetLocalGroupDel_r(struct libnetapi_ctx *ctx,
> - ZERO_STRUCT(alias_handle);
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -499,7 +499,7 @@ WERROR NetLocalGroupGetInfo_r(struct libnetapi_ctx *ctx,
> - ZERO_STRUCT(alias_handle);
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -678,7 +678,7 @@ WERROR NetLocalGroupSetInfo_r(struct libnetapi_ctx *ctx,
> - ZERO_STRUCT(alias_handle);
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -828,7 +828,7 @@ WERROR NetLocalGroupEnum_r(struct libnetapi_ctx *ctx,
> - ZERO_STRUCT(alias_handle);
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -1141,7 +1141,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
> -
> - if (r->in.level == 3) {
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_lsarpc.syntax_id,
> -+ &ndr_table_lsarpc,
> - &lsa_pipe);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -1160,7 +1160,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
> -index 62aa7ef..897cf3d 100644
> ---- a/source3/lib/netapi/netapi_private.h
> -+++ b/source3/lib/netapi/netapi_private.h
> -@@ -61,7 +61,7 @@ NET_API_STATUS libnetapi_get_debuglevel(struct libnetapi_ctx *ctx, char **debugl
> - WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx);
> - WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> - const char *server_name,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult);
> - WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> - const char *server_name,
> -diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
> -index a971e2d..4a39f69 100644
> ---- a/source3/lib/netapi/user.c
> -+++ b/source3/lib/netapi/user.c
> -@@ -400,7 +400,7 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -552,7 +552,7 @@ WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
> - ZERO_STRUCT(user_handle);
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> -
> - if (!W_ERROR_IS_OK(werr)) {
> -@@ -1322,7 +1322,7 @@ WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -1630,7 +1630,7 @@ WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -1764,7 +1764,7 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -1936,7 +1936,7 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -2395,7 +2395,7 @@ WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -2880,7 +2880,7 @@ WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -3015,7 +3015,7 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -3206,7 +3206,7 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> -@@ -3547,7 +3547,7 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
> - }
> -
> - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &pipe_cli);
> - if (!W_ERROR_IS_OK(werr)) {
> - goto done;
> ---
> -1.9.3
> -
> -
> -From 4157ba43258373cd995b2ee74dcd4d65782dc2ea Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 17 May 2013 16:13:26 +0200
> -Subject: [PATCH 020/249] s3-libnetapi: pass down ndr_interface_table to
> - pipe_cm() and friends.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 0ce2178f2ffeaee324c7e8fef7c87727def7bd77)
> ----
> - source3/lib/netapi/cm.c | 16 ++++++++--------
> - 1 file changed, 8 insertions(+), 8 deletions(-)
> -
> -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> -index dd1f1e3..8551521 100644
> ---- a/source3/lib/netapi/cm.c
> -+++ b/source3/lib/netapi/cm.c
> -@@ -161,7 +161,7 @@ WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx)
> - ********************************************************************/
> -
> - static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult)
> - {
> - struct client_pipe_connection *p;
> -@@ -177,7 +177,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
> -
> - if (strequal(ipc_remote_name, p->pipe->desthost)
> - && ndr_syntax_id_equal(&p->pipe->abstract_syntax,
> -- interface)) {
> -+ &table->syntax_id)) {
> - *presult = p->pipe;
> - return NT_STATUS_OK;
> - }
> -@@ -191,7 +191,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
> -
> - static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
> - struct client_ipc_connection *ipc,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult)
> - {
> - struct client_pipe_connection *p;
> -@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- status = cli_rpc_pipe_open_noauth(ipc->cli, interface, &p->pipe);
> -+ status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> - TALLOC_FREE(p);
> - return status;
> -@@ -219,14 +219,14 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
> -
> - static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
> - struct client_ipc_connection *ipc,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult)
> - {
> -- if (NT_STATUS_IS_OK(pipe_cm_find(ipc, interface, presult))) {
> -+ if (NT_STATUS_IS_OK(pipe_cm_find(ipc, table, presult))) {
> - return NT_STATUS_OK;
> - }
> -
> -- return pipe_cm_connect(ctx, ipc, interface, presult);
> -+ return pipe_cm_connect(ctx, ipc, table, presult);
> - }
> -
> - /********************************************************************
> -@@ -251,7 +251,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> - return werr;
> - }
> -
> -- status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
> -+ status = pipe_cm_open(ctx, ipc, table, &result);
> - if (!NT_STATUS_IS_OK(status)) {
> - libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
> - get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> ---
> -1.9.3
> -
> -
> -From ec8ba2a371ce4c4cc14d04e852034dcd92862542 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 17 May 2013 16:16:59 +0200
> -Subject: [PATCH 021/249] s3-rpc_cli: pass down ndr_interface_table to
> - rpc_pipe_open_ncalrpc().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 9b4fb5b074b035eaef98c4a463c9d68006ed52da)
> ----
> - source3/librpc/rpc/dcerpc_ep.c | 2 +-
> - source3/rpc_client/cli_pipe.c | 4 ++--
> - source3/rpc_client/cli_pipe.h | 2 +-
> - 3 files changed, 4 insertions(+), 4 deletions(-)
> -
> -diff --git a/source3/librpc/rpc/dcerpc_ep.c b/source3/librpc/rpc/dcerpc_ep.c
> -index bb080c5..410caa7 100644
> ---- a/source3/librpc/rpc/dcerpc_ep.c
> -+++ b/source3/librpc/rpc/dcerpc_ep.c
> -@@ -365,7 +365,7 @@ static NTSTATUS ep_register(TALLOC_CTX *mem_ctx,
> -
> - status = rpc_pipe_open_ncalrpc(tmp_ctx,
> - ncalrpc_sock,
> -- &ndr_table_epmapper.syntax_id,
> -+ &ndr_table_epmapper,
> - &cli);
> - if (!NT_STATUS_IS_OK(status)) {
> - goto done;
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 385ae25..427b628 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2682,7 +2682,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
> - Create a rpc pipe client struct, connecting to a unix domain socket
> - ********************************************************************/
> - NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> -- const struct ndr_syntax_id *abstract_syntax,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult)
> - {
> - struct rpc_pipe_client *result;
> -@@ -2696,7 +2696,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- result->abstract_syntax = *abstract_syntax;
> -+ result->abstract_syntax = table->syntax_id;
> - result->transfer_syntax = ndr_transfer_syntax_ndr;
> -
> - result->desthost = get_myname(result);
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index 34ae542..3415db0 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -71,7 +71,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
> - struct rpc_pipe_client **presult);
> -
> - NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> -- const struct ndr_syntax_id *abstract_syntax,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult);
> -
> - struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
> ---
> -1.9.3
> -
> -
> -From 816b7983c2342ea500e7467f2ab6c04dff89308f Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 17 May 2013 16:44:05 +0200
> -Subject: [PATCH 022/249] s3-rpc_cli: pass down ndr_interface_table to
> - rpc_pipe_open_interface().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 6886cff0a7e97864e9094af936cbef08a3c8f6f4)
> ----
> - source3/printing/nt_printing_migrate_internal.c | 2 +-
> - source3/printing/printspoolss.c | 4 +--
> - source3/rpc_server/rpc_ncacn_np.c | 8 +++---
> - source3/rpc_server/rpc_ncacn_np.h | 2 +-
> - source3/smbd/lanman.c | 34 ++++++++++++-------------
> - source3/smbd/reply.c | 2 +-
> - 6 files changed, 26 insertions(+), 26 deletions(-)
> -
> -diff --git a/source3/printing/nt_printing_migrate_internal.c b/source3/printing/nt_printing_migrate_internal.c
> -index 200db07f..6bc7ea2 100644
> ---- a/source3/printing/nt_printing_migrate_internal.c
> -+++ b/source3/printing/nt_printing_migrate_internal.c
> -@@ -211,7 +211,7 @@ bool nt_printing_tdb_migrate(struct messaging_context *msg_ctx)
> - }
> -
> - status = rpc_pipe_open_interface(tmp_ctx,
> -- &ndr_table_winreg.syntax_id,
> -+ &ndr_table_winreg,
> - session_info,
> - NULL,
> - msg_ctx,
> -diff --git a/source3/printing/printspoolss.c b/source3/printing/printspoolss.c
> -index fc1e9c1..0507e83 100644
> ---- a/source3/printing/printspoolss.c
> -+++ b/source3/printing/printspoolss.c
> -@@ -154,7 +154,7 @@ NTSTATUS print_spool_open(files_struct *fsp,
> - * a job id */
> -
> - status = rpc_pipe_open_interface(fsp->conn,
> -- &ndr_table_spoolss.syntax_id,
> -+ &ndr_table_spoolss,
> - fsp->conn->session_info,
> - fsp->conn->sconn->remote_address,
> - fsp->conn->sconn->msg_ctx,
> -@@ -343,7 +343,7 @@ void print_spool_terminate(struct connection_struct *conn,
> - rap_jobid_delete(print_file->svcname, print_file->jobid);
> -
> - status = rpc_pipe_open_interface(conn,
> -- &ndr_table_spoolss.syntax_id,
> -+ &ndr_table_spoolss,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
> -index b4602a9..7389b3e 100644
> ---- a/source3/rpc_server/rpc_ncacn_np.c
> -+++ b/source3/rpc_server/rpc_ncacn_np.c
> -@@ -758,7 +758,7 @@ done:
> - */
> -
> - NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> -- const struct ndr_syntax_id *syntax,
> -+ const struct ndr_interface_table *table,
> - const struct auth_session_info *session_info,
> - const struct tsocket_address *remote_address,
> - struct messaging_context *msg_ctx,
> -@@ -783,7 +783,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- pipe_name = get_pipe_name_from_syntax(tmp_ctx, syntax);
> -+ pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
> - if (pipe_name == NULL) {
> - status = NT_STATUS_INVALID_PARAMETER;
> - goto done;
> -@@ -800,7 +800,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> - switch (pipe_mode) {
> - case RPC_SERVICE_MODE_EMBEDDED:
> - status = rpc_pipe_open_internal(tmp_ctx,
> -- syntax, session_info,
> -+ &table->syntax_id, session_info,
> - remote_address, msg_ctx,
> - &cli);
> - if (!NT_STATUS_IS_OK(status)) {
> -@@ -813,7 +813,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> - * to spoolssd. */
> -
> - status = rpc_pipe_open_external(tmp_ctx,
> -- pipe_name, syntax,
> -+ pipe_name, &table->syntax_id,
> - session_info,
> - &cli);
> - if (!NT_STATUS_IS_OK(status)) {
> -diff --git a/source3/rpc_server/rpc_ncacn_np.h b/source3/rpc_server/rpc_ncacn_np.h
> -index 586d61b..67cd8a1 100644
> ---- a/source3/rpc_server/rpc_ncacn_np.h
> -+++ b/source3/rpc_server/rpc_ncacn_np.h
> -@@ -50,7 +50,7 @@ NTSTATUS rpcint_binding_handle(TALLOC_CTX *mem_ctx,
> - struct messaging_context *msg_ctx,
> - struct dcerpc_binding_handle **binding_handle);
> - NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> -- const struct ndr_syntax_id *syntax,
> -+ const struct ndr_interface_table *table,
> - const struct auth_session_info *session_info,
> - const struct tsocket_address *remote_address,
> - struct messaging_context *msg_ctx,
> -diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
> -index d0dae36..3c488ec 100644
> ---- a/source3/smbd/lanman.c
> -+++ b/source3/smbd/lanman.c
> -@@ -832,7 +832,7 @@ static bool api_DosPrintQGetInfo(struct smbd_server_connection *sconn,
> - }
> -
> - status = rpc_pipe_open_interface(conn,
> -- &ndr_table_spoolss.syntax_id,
> -+ &ndr_table_spoolss,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -1029,7 +1029,7 @@ static bool api_DosPrintQEnum(struct smbd_server_connection *sconn,
> - }
> -
> - status = rpc_pipe_open_interface(conn,
> -- &ndr_table_spoolss.syntax_id,
> -+ &ndr_table_spoolss,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -2256,7 +2256,7 @@ static bool api_RNetShareAdd(struct smbd_server_connection *sconn,
> - return false;
> - }
> -
> -- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
> -+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -2368,7 +2368,7 @@ static bool api_RNetGroupEnum(struct smbd_server_connection *sconn,
> - }
> -
> - status = rpc_pipe_open_interface(
> -- talloc_tos(), &ndr_table_samr.syntax_id,
> -+ talloc_tos(), &ndr_table_samr,
> - conn->session_info, conn->sconn->remote_address,
> - conn->sconn->msg_ctx, &samr_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> -@@ -2574,7 +2574,7 @@ static bool api_NetUserGetGroups(struct smbd_server_connection *sconn,
> - endp = *rdata + *rdata_len;
> -
> - status = rpc_pipe_open_interface(
> -- talloc_tos(), &ndr_table_samr.syntax_id,
> -+ talloc_tos(), &ndr_table_samr,
> - conn->session_info, conn->sconn->remote_address,
> - conn->sconn->msg_ctx, &samr_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> -@@ -2774,7 +2774,7 @@ static bool api_RNetUserEnum(struct smbd_server_connection *sconn,
> - endp = *rdata + *rdata_len;
> -
> - status = rpc_pipe_open_interface(
> -- talloc_tos(), &ndr_table_samr.syntax_id,
> -+ talloc_tos(), &ndr_table_samr,
> - conn->session_info, conn->sconn->remote_address,
> - conn->sconn->msg_ctx, &samr_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> -@@ -3037,7 +3037,7 @@ static bool api_SamOEMChangePassword(struct smbd_server_connection *sconn,
> - memcpy(password.data, data, 516);
> - memcpy(hash.hash, data+516, 16);
> -
> -- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
> -+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -3134,7 +3134,7 @@ static bool api_RDosPrintJobDel(struct smbd_server_connection *sconn,
> - ZERO_STRUCT(handle);
> -
> - status = rpc_pipe_open_interface(conn,
> -- &ndr_table_spoolss.syntax_id,
> -+ &ndr_table_spoolss,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -3262,7 +3262,7 @@ static bool api_WPrintQueueCtrl(struct smbd_server_connection *sconn,
> - ZERO_STRUCT(handle);
> -
> - status = rpc_pipe_open_interface(conn,
> -- &ndr_table_spoolss.syntax_id,
> -+ &ndr_table_spoolss,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -3444,7 +3444,7 @@ static bool api_PrintJobInfo(struct smbd_server_connection *sconn,
> - ZERO_STRUCT(handle);
> -
> - status = rpc_pipe_open_interface(conn,
> -- &ndr_table_spoolss.syntax_id,
> -+ &ndr_table_spoolss,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -3621,7 +3621,7 @@ static bool api_RNetServerGetInfo(struct smbd_server_connection *sconn,
> - p = *rdata;
> - p2 = p + struct_len;
> -
> -- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
> -+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -4052,7 +4052,7 @@ static bool api_RNetUserGetInfo(struct smbd_server_connection *sconn,
> - ZERO_STRUCT(domain_handle);
> - ZERO_STRUCT(user_handle);
> -
> -- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
> -+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -4581,7 +4581,7 @@ static bool api_WPrintJobGetInfo(struct smbd_server_connection *sconn,
> - ZERO_STRUCT(handle);
> -
> - status = rpc_pipe_open_interface(conn,
> -- &ndr_table_spoolss.syntax_id,
> -+ &ndr_table_spoolss,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -4723,7 +4723,7 @@ static bool api_WPrintJobEnumerate(struct smbd_server_connection *sconn,
> - ZERO_STRUCT(handle);
> -
> - status = rpc_pipe_open_interface(conn,
> -- &ndr_table_spoolss.syntax_id,
> -+ &ndr_table_spoolss,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -4923,7 +4923,7 @@ static bool api_WPrintDestGetInfo(struct smbd_server_connection *sconn,
> - ZERO_STRUCT(handle);
> -
> - status = rpc_pipe_open_interface(conn,
> -- &ndr_table_spoolss.syntax_id,
> -+ &ndr_table_spoolss,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -5055,7 +5055,7 @@ static bool api_WPrintDestEnum(struct smbd_server_connection *sconn,
> - queuecnt = 0;
> -
> - status = rpc_pipe_open_interface(conn,
> -- &ndr_table_spoolss.syntax_id,
> -+ &ndr_table_spoolss,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -@@ -5366,7 +5366,7 @@ static bool api_RNetSessionEnum(struct smbd_server_connection *sconn,
> - }
> -
> - status = rpc_pipe_open_interface(conn,
> -- &ndr_table_srvsvc.syntax_id,
> -+ &ndr_table_srvsvc,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> -diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
> -index 3f5b950..eace557 100644
> ---- a/source3/smbd/reply.c
> -+++ b/source3/smbd/reply.c
> -@@ -5637,7 +5637,7 @@ void reply_printqueue(struct smb_request *req)
> - ZERO_STRUCT(handle);
> -
> - status = rpc_pipe_open_interface(conn,
> -- &ndr_table_spoolss.syntax_id,
> -+ &ndr_table_spoolss,
> - conn->session_info,
> - conn->sconn->remote_address,
> - conn->sconn->msg_ctx,
> ---
> -1.9.3
> -
> -
> -From 3dc2d438f0b440f34b7cdd9eeac429a15f679460 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 24 May 2013 13:03:23 +0200
> -Subject: [PATCH 023/249] s3-rpc_cli: pass down ndr_interface_table to
> - cli_rpc_pipe_open_schannel().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit f6d61b571d79ebf1df58513ec728057d00b95f3e)
> ----
> - source3/auth/auth_domain.c | 2 +-
> - source3/rpc_client/cli_pipe.h | 2 +-
> - source3/rpc_client/cli_pipe_schannel.c | 4 ++--
> - source3/rpcclient/rpcclient.c | 2 +-
> - source3/utils/net_rpc.c | 2 +-
> - 5 files changed, 6 insertions(+), 6 deletions(-)
> -
> -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> -index 286c75c..a375f11 100644
> ---- a/source3/auth/auth_domain.c
> -+++ b/source3/auth/auth_domain.c
> -@@ -115,7 +115,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> - if (lp_client_schannel()) {
> - /* We also setup the creds chain in the open_schannel call. */
> - result = cli_rpc_pipe_open_schannel(
> -- *cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> -+ *cli, &ndr_table_netlogon, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> - } else {
> - result = cli_rpc_pipe_open_noauth(
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index 3415db0..d17322a 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -125,7 +125,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> - struct rpc_pipe_client **presult);
> -
> - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - enum dcerpc_transport_t transport,
> - enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> -index c275720..8bc01a5 100644
> ---- a/source3/rpc_client/cli_pipe_schannel.c
> -+++ b/source3/rpc_client/cli_pipe_schannel.c
> -@@ -169,7 +169,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> - ****************************************************************************/
> -
> - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - enum dcerpc_transport_t transport,
> - enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> -@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> - }
> -
> - status = cli_rpc_pipe_open_schannel_with_key(
> -- cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
> -+ cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
> - &result);
> -
> - /* Now we've bound using the session key we can close the netlog pipe. */
> -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> -index d204d7f..6b6478e 100644
> ---- a/source3/rpcclient/rpcclient.c
> -+++ b/source3/rpcclient/rpcclient.c
> -@@ -734,7 +734,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - break;
> - case DCERPC_AUTH_TYPE_SCHANNEL:
> - ntresult = cli_rpc_pipe_open_schannel(
> -- cli, &cmd_entry->table->syntax_id,
> -+ cli, cmd_entry->table,
> - default_transport,
> - pipe_default_auth_level,
> - get_cmdline_auth_info_domain(auth_info),
> -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> -index 4503f59..dab9fcd 100644
> ---- a/source3/utils/net_rpc.c
> -+++ b/source3/utils/net_rpc.c
> -@@ -191,7 +191,7 @@ int run_rpc_command(struct net_context *c,
> - &ndr_table_netlogon.syntax_id))) {
> - /* Always try and create an schannel netlogon pipe. */
> - nt_status = cli_rpc_pipe_open_schannel(
> -- cli, &table->syntax_id, NCACN_NP,
> -+ cli, table, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> ---
> -1.9.3
> -
> -
> -From 428596faf89f424c83edb86d45c5a1322e3fb6b5 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 24 May 2013 13:08:33 +0200
> -Subject: [PATCH 024/249] s3-rpc_cli: pass down ndr_interface_table to
> - cli_rpc_pipe_open_ntlmssp_auth_schannel().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 7f169474fc86479abe09a5716b8029c6febcfaa9)
> ----
> - source3/rpc_client/cli_pipe.h | 2 +-
> - source3/rpc_client/cli_pipe_schannel.c | 4 ++--
> - 2 files changed, 3 insertions(+), 3 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index d17322a..7026692 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -116,7 +116,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - struct rpc_pipe_client **presult);
> -
> - NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - enum dcerpc_transport_t transport,
> - enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> -index 8bc01a5..261a768 100644
> ---- a/source3/rpc_client/cli_pipe_schannel.c
> -+++ b/source3/rpc_client/cli_pipe_schannel.c
> -@@ -128,7 +128,7 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
> - ****************************************************************************/
> -
> - NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - enum dcerpc_transport_t transport,
> - enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> -@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> - }
> -
> - status = cli_rpc_pipe_open_schannel_with_key(
> -- cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
> -+ cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
> - &result);
> -
> - /* Now we've bound using the session key we can close the netlog pipe. */
> ---
> -1.9.3
> -
> -
> -From cda31f4e490942ffc89513f000fa147f535a2713 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 24 May 2013 13:17:24 +0200
> -Subject: [PATCH 025/249] s3-rpc_cli: pass down ndr_interface_table to
> - cli_rpc_pipe_open_schannel_with_key().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 3dc3a6c8483a8de22b483ecf164c81232d4a8d65)
> ----
> - source3/libnet/libnet_join.c | 2 +-
> - source3/rpc_client/cli_pipe.c | 6 +++---
> - source3/rpc_client/cli_pipe.h | 2 +-
> - source3/rpc_client/cli_pipe_schannel.c | 4 ++--
> - source3/utils/net_rpc_join.c | 4 ++--
> - source3/winbindd/winbindd_cm.c | 8 ++++----
> - 6 files changed, 13 insertions(+), 13 deletions(-)
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index 1418385..9f47f3b 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -1287,7 +1287,7 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> - }
> -
> - status = cli_rpc_pipe_open_schannel_with_key(
> -- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> -+ cli, &ndr_table_netlogon, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY,
> - netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 427b628..34cef32 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -3022,7 +3022,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> - ****************************************************************************/
> -
> - NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - enum dcerpc_transport_t transport,
> - enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> -@@ -3033,7 +3033,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - struct pipe_auth_data *auth;
> - NTSTATUS status;
> -
> -- status = cli_rpc_pipe_open(cli, transport, interface, &result);
> -+ status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> -@@ -3070,7 +3070,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> -
> - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> - "for domain %s and bound using schannel.\n",
> -- get_pipe_name_from_syntax(talloc_tos(), interface),
> -+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> - result->desthost, domain));
> -
> - *presult = result;
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index 7026692..65bfbc8 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -108,7 +108,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
> - struct rpc_pipe_client **presult);
> -
> - NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - enum dcerpc_transport_t transport,
> - enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> -index 261a768..784e63f 100644
> ---- a/source3/rpc_client/cli_pipe_schannel.c
> -+++ b/source3/rpc_client/cli_pipe_schannel.c
> -@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> - }
> -
> - status = cli_rpc_pipe_open_schannel_with_key(
> -- cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
> -+ cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
> - &result);
> -
> - /* Now we've bound using the session key we can close the netlog pipe. */
> -@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> - }
> -
> - status = cli_rpc_pipe_open_schannel_with_key(
> -- cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
> -+ cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
> - &result);
> -
> - /* Now we've bound using the session key we can close the netlog pipe. */
> -diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
> -index 56799cd..4b43769 100644
> ---- a/source3/utils/net_rpc_join.c
> -+++ b/source3/utils/net_rpc_join.c
> -@@ -137,7 +137,7 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
> - }
> -
> - ntret = cli_rpc_pipe_open_schannel_with_key(
> -- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> -+ cli, &ndr_table_netlogon, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY,
> - domain, &netlogon_pipe->dc, &pipe_hnd);
> -
> -@@ -497,7 +497,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> - struct rpc_pipe_client *netlogon_schannel_pipe;
> -
> - status = cli_rpc_pipe_open_schannel_with_key(
> -- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> -+ cli, &ndr_table_netlogon, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY, domain, &pipe_hnd->dc,
> - &netlogon_schannel_pipe);
> -
> -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> -index 61917db..f17fc68 100644
> ---- a/source3/winbindd/winbindd_cm.c
> -+++ b/source3/winbindd/winbindd_cm.c
> -@@ -2415,7 +2415,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - goto anonymous;
> - }
> - status = cli_rpc_pipe_open_schannel_with_key
> -- (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
> -+ (conn->cli, &ndr_table_samr, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY,
> - domain->name, &p_creds, &conn->samr_pipe);
> -
> -@@ -2547,7 +2547,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> - }
> -
> - status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
> -- &ndr_table_lsarpc.syntax_id,
> -+ &ndr_table_lsarpc,
> - NCACN_IP_TCP,
> - DCERPC_AUTH_LEVEL_PRIVACY,
> - domain->name,
> -@@ -2646,7 +2646,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - goto anonymous;
> - }
> - result = cli_rpc_pipe_open_schannel_with_key
> -- (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
> -+ (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY,
> - domain->name, &p_creds, &conn->lsa_pipe);
> -
> -@@ -2831,7 +2831,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> - */
> -
> - result = cli_rpc_pipe_open_schannel_with_key(
> -- conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> -+ conn->cli, &ndr_table_netlogon, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
> - &conn->netlogon_pipe);
> -
> ---
> -1.9.3
> -
> -
> -From 9b569e91cd22806eedae76d3fb60cdbd7548e4c2 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 24 May 2013 13:29:28 +0200
> -Subject: [PATCH 026/249] s3-rpc_cli: pass down ndr_interface_table to
> - cli_rpc_pipe_open_noauth().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 9813fe2b04a5b4abaa95ea1d893b3803edbede4d)
> ----
> - source3/auth/auth_domain.c | 2 +-
> - source3/client/client.c | 2 +-
> - source3/lib/netapi/cm.c | 2 +-
> - source3/libnet/libnet_join.c | 8 ++++----
> - source3/libsmb/libsmb_dir.c | 2 +-
> - source3/libsmb/libsmb_server.c | 2 +-
> - source3/libsmb/passchange.c | 4 ++--
> - source3/libsmb/trustdom_cache.c | 2 +-
> - source3/libsmb/trusts_util.c | 2 +-
> - source3/rpc_client/cli_pipe.c | 4 ++--
> - source3/rpc_client/cli_pipe.h | 2 +-
> - source3/rpc_client/cli_pipe_schannel.c | 2 +-
> - source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +-
> - source3/rpcclient/cmd_spoolss.c | 2 +-
> - source3/rpcclient/cmd_test.c | 4 ++--
> - source3/rpcclient/rpcclient.c | 2 +-
> - source3/torture/test_async_echo.c | 2 +-
> - source3/utils/net_ads.c | 2 +-
> - source3/utils/net_rpc.c | 20 ++++++++++----------
> - source3/utils/net_rpc_join.c | 6 +++---
> - source3/utils/net_rpc_shell.c | 2 +-
> - source3/utils/net_rpc_trust.c | 2 +-
> - source3/utils/net_util.c | 8 ++++----
> - source3/utils/netlookup.c | 2 +-
> - source3/utils/smbcacls.c | 7 +++----
> - source3/utils/smbcquotas.c | 2 +-
> - source3/utils/smbtree.c | 2 +-
> - source3/winbindd/winbindd_cm.c | 10 +++++-----
> - 28 files changed, 54 insertions(+), 55 deletions(-)
> -
> -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> -index a375f11..54ee5a1 100644
> ---- a/source3/auth/auth_domain.c
> -+++ b/source3/auth/auth_domain.c
> -@@ -119,7 +119,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> - DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> - } else {
> - result = cli_rpc_pipe_open_noauth(
> -- *cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
> -+ *cli, &ndr_table_netlogon, &netlogon_pipe);
> - }
> -
> - if (!NT_STATUS_IS_OK(result)) {
> -diff --git a/source3/client/client.c b/source3/client/client.c
> -index ab46cb8..dafc5f0 100644
> ---- a/source3/client/client.c
> -+++ b/source3/client/client.c
> -@@ -4227,7 +4227,7 @@ static bool browse_host_rpc(bool sort)
> - int i;
> - struct dcerpc_binding_handle *b;
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
> - &pipe_hnd);
> -
> - if (!NT_STATUS_IS_OK(status)) {
> -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> -index 8551521..1cfdccf 100644
> ---- a/source3/lib/netapi/cm.c
> -+++ b/source3/lib/netapi/cm.c
> -@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
> -+ status = cli_rpc_pipe_open_noauth(ipc->cli, table, &p->pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> - TALLOC_FREE(p);
> - return status;
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index 9f47f3b..324c8f3 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -749,7 +749,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
> - goto done;
> - }
> -
> -- status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
> -@@ -819,7 +819,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> - fstring trust_passwd;
> - NTSTATUS status;
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> -@@ -908,7 +908,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
> -
> - /* Open the domain */
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
> -@@ -1377,7 +1377,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
> -
> - /* Open the domain */
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
> -diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
> -index 87e10d8..3a07f11 100644
> ---- a/source3/libsmb/libsmb_dir.c
> -+++ b/source3/libsmb/libsmb_dir.c
> -@@ -277,7 +277,7 @@ net_share_enum_rpc(struct cli_state *cli,
> - struct dcerpc_binding_handle *b;
> -
> - /* Open the server service pipe */
> -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
> -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - DEBUG(1, ("net_share_enum_rpc pipe open fail!\n"));
> -diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
> -index d4254da..dff0062 100644
> ---- a/source3/libsmb/libsmb_server.c
> -+++ b/source3/libsmb/libsmb_server.c
> -@@ -802,7 +802,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
> - ipc_srv->cli = ipc_cli;
> -
> - nt_status = cli_rpc_pipe_open_noauth(
> -- ipc_srv->cli, &ndr_table_lsarpc.syntax_id, &pipe_hnd);
> -+ ipc_srv->cli, &ndr_table_lsarpc, &pipe_hnd);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - DEBUG(1, ("cli_nt_session_open fail!\n"));
> - errno = ENOTSUP;
> -diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
> -index 3933833..9736ada 100644
> ---- a/source3/libsmb/passchange.c
> -+++ b/source3/libsmb/passchange.c
> -@@ -169,7 +169,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
> - * way.
> - */
> - result = cli_rpc_pipe_open_noauth(
> -- cli, &ndr_table_samr.syntax_id, &pipe_hnd);
> -+ cli, &ndr_table_samr, &pipe_hnd);
> - }
> -
> - if (!NT_STATUS_IS_OK(result)) {
> -@@ -230,7 +230,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
> - result = NT_STATUS_UNSUCCESSFUL;
> -
> - /* OK, this is ugly, but... try an anonymous pipe. */
> -- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> -+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> - &pipe_hnd);
> -
> - if ( NT_STATUS_IS_OK(result) &&
> -diff --git a/source3/libsmb/trustdom_cache.c b/source3/libsmb/trustdom_cache.c
> -index 8789d30..dadc751 100644
> ---- a/source3/libsmb/trustdom_cache.c
> -+++ b/source3/libsmb/trustdom_cache.c
> -@@ -289,7 +289,7 @@ static bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
> -
> - /* open the LSARPC_PIPE */
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> - &lsa_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> - goto done;
> -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> -index 0d039bc..6156ba0 100644
> ---- a/source3/libsmb/trusts_util.c
> -+++ b/source3/libsmb/trusts_util.c
> -@@ -182,7 +182,7 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
> - /* Shouldn't we open this with schannel ? JRA. */
> -
> - nt_status = cli_rpc_pipe_open_noauth(
> -- cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
> -+ cli, &ndr_table_netlogon, &netlogon_pipe);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
> - dc_name, nt_errstr(nt_status)));
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 34cef32..1137abd 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2948,11 +2948,11 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> - ****************************************************************************/
> -
> - NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult)
> - {
> - return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
> -- interface, presult);
> -+ &table->syntax_id, presult);
> - }
> -
> - /****************************************************************************
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index 65bfbc8..9aae61a 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -77,7 +77,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> - struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
> -
> - NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult);
> -
> - NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> -index 784e63f..bc672ef 100644
> ---- a/source3/rpc_client/cli_pipe_schannel.c
> -+++ b/source3/rpc_client/cli_pipe_schannel.c
> -@@ -217,7 +217,7 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli,
> - struct rpc_pipe_client *netlogon_pipe = NULL;
> - NTSTATUS status;
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> - &netlogon_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> -diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
> -index 335647b..c12cd05 100644
> ---- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
> -+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
> -@@ -2504,7 +2504,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
> - * Now start the NT Domain stuff :-).
> - */
> -
> -- ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss.syntax_id, pp_pipe);
> -+ ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss, pp_pipe);
> - if (!NT_STATUS_IS_OK(ret)) {
> - DEBUG(2,("spoolss_connect_to_client: unable to open the spoolss pipe on machine %s. Error was : %s.\n",
> - remote_machine, nt_errstr(ret)));
> -diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
> -index 5c499d4..fb011f8 100644
> ---- a/source3/rpcclient/cmd_spoolss.c
> -+++ b/source3/rpcclient/cmd_spoolss.c
> -@@ -3453,7 +3453,7 @@ static WERROR cmd_spoolss_printercmp(struct rpc_pipe_client *cli,
> - if ( !NT_STATUS_IS_OK(nt_status) )
> - return WERR_GENERAL_FAILURE;
> -
> -- nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss.syntax_id,
> -+ nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss,
> - &cli2);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - printf("failed to open spoolss pipe on server %s (%s)\n",
> -diff --git a/source3/rpcclient/cmd_test.c b/source3/rpcclient/cmd_test.c
> -index 591ae8c..367dc71 100644
> ---- a/source3/rpcclient/cmd_test.c
> -+++ b/source3/rpcclient/cmd_test.c
> -@@ -36,14 +36,14 @@ static NTSTATUS cmd_testme(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
> - d_printf("testme\n");
> -
> - status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
> -- &ndr_table_lsarpc.syntax_id,
> -+ &ndr_table_lsarpc,
> - &lsa_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> - goto done;
> - }
> -
> - status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
> -- &ndr_table_samr.syntax_id,
> -+ &ndr_table_samr,
> - &samr_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> - goto done;
> -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> -index 6b6478e..e3b35bb 100644
> ---- a/source3/rpcclient/rpcclient.c
> -+++ b/source3/rpcclient/rpcclient.c
> -@@ -167,7 +167,7 @@ static void fetch_machine_sid(struct cli_state *cli)
> - goto error;
> - }
> -
> -- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> -+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> - &lsapipe);
> - if (!NT_STATUS_IS_OK(result)) {
> - fprintf(stderr, "could not initialise lsa pipe. Error was %s\n", nt_errstr(result) );
> -diff --git a/source3/torture/test_async_echo.c b/source3/torture/test_async_echo.c
> -index 6df95dd..f21daa4 100644
> ---- a/source3/torture/test_async_echo.c
> -+++ b/source3/torture/test_async_echo.c
> -@@ -82,7 +82,7 @@ bool run_async_echo(int dummy)
> - printf("torture_open_connection failed\n");
> - goto fail;
> - }
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho,
> - &p);
> - if (!NT_STATUS_IS_OK(status)) {
> - printf("Could not open echo pipe: %s\n", nt_errstr(status));
> -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> -index 5699943..89eebf3 100644
> ---- a/source3/utils/net_ads.c
> -+++ b/source3/utils/net_ads.c
> -@@ -1957,7 +1957,7 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
> - SAFE_FREE(srv_cn_escaped);
> - SAFE_FREE(printername_escaped);
> -
> -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
> -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss, &pipe_hnd);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
> - servername);
> -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> -index dab9fcd..69ff14d 100644
> ---- a/source3/utils/net_rpc.c
> -+++ b/source3/utils/net_rpc.c
> -@@ -82,7 +82,7 @@ NTSTATUS net_get_remote_domain_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx,
> - union lsa_PolicyInformation *info = NULL;
> - struct dcerpc_binding_handle *b;
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> - &lsa_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> - d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
> -@@ -212,7 +212,7 @@ int run_rpc_command(struct net_context *c,
> - c->opt_password, &pipe_hnd);
> - } else {
> - nt_status = cli_rpc_pipe_open_noauth(
> -- cli, &table->syntax_id,
> -+ cli, table,
> - &pipe_hnd);
> - }
> - if (!NT_STATUS_IS_OK(nt_status)) {
> -@@ -348,7 +348,7 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
> - NTSTATUS result;
> - enum netr_SchannelType sec_channel_type;
> -
> -- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> -+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(result)) {
> - DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
> -@@ -1966,7 +1966,7 @@ static NTSTATUS get_sid_from_name(struct cli_state *cli,
> - NTSTATUS status, result;
> - struct dcerpc_binding_handle *b;
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(status)) {
> - goto done;
> -@@ -2980,7 +2980,7 @@ static NTSTATUS rpc_list_alias_members(struct net_context *c,
> - }
> -
> - result = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(pipe_hnd),
> -- &ndr_table_lsarpc.syntax_id,
> -+ &ndr_table_lsarpc,
> - &lsa_pipe);
> - if (!NT_STATUS_IS_OK(result)) {
> - d_fprintf(stderr, _("Couldn't open LSA pipe. Error was %s\n"),
> -@@ -6232,7 +6232,7 @@ static NTSTATUS rpc_trustdom_get_pdc(struct net_context *c,
> -
> - /* Try netr_GetDcName */
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> - &netr);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> -@@ -6379,7 +6379,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc,
> - * Call LsaOpenPolicy and LsaQueryInfo
> - */
> -
> -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) ));
> -@@ -6656,7 +6656,7 @@ static int rpc_trustdom_vampire(struct net_context *c, int argc,
> - return -1;
> - };
> -
> -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
> -@@ -6834,7 +6834,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
> - return -1;
> - };
> -
> -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
> -@@ -6950,7 +6950,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
> - /*
> - * Open \PIPE\samr and get needed policy handles
> - */
> -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - DEBUG(0, ("Could not initialise samr pipe. Error was %s\n", nt_errstr(nt_status)));
> -diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
> -index 4b43769..aabbe54 100644
> ---- a/source3/utils/net_rpc_join.c
> -+++ b/source3/utils/net_rpc_join.c
> -@@ -245,7 +245,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> -
> - /* Fetch domain sid */
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
> -@@ -280,7 +280,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> - }
> -
> - /* Create domain user */
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
> -@@ -456,7 +456,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> -
> - /* Now check the whole process from top-to-bottom */
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n",
> -diff --git a/source3/utils/net_rpc_shell.c b/source3/utils/net_rpc_shell.c
> -index 6086066..120cfa6 100644
> ---- a/source3/utils/net_rpc_shell.c
> -+++ b/source3/utils/net_rpc_shell.c
> -@@ -85,7 +85,7 @@ static NTSTATUS net_sh_run(struct net_context *c,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- status = cli_rpc_pipe_open_noauth(ctx->cli, &cmd->table->syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(ctx->cli, cmd->table,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(status)) {
> - d_fprintf(stderr, _("Could not open pipe: %s\n"),
> -diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c
> -index 9060700..5e58103 100644
> ---- a/source3/utils/net_rpc_trust.c
> -+++ b/source3/utils/net_rpc_trust.c
> -@@ -210,7 +210,7 @@ static NTSTATUS connect_and_get_info(TALLOC_CTX *mem_ctx,
> - return status;
> - }
> -
> -- status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id, pipe_hnd);
> -+ status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc, pipe_hnd);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0, ("Failed to initialise lsa pipe with error [%s]\n",
> - nt_errstr(status)));
> -diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
> -index a4282ec..13a0ef1 100644
> ---- a/source3/utils/net_util.c
> -+++ b/source3/utils/net_util.c
> -@@ -45,7 +45,7 @@ NTSTATUS net_rpc_lookup_name(struct net_context *c,
> -
> - ZERO_STRUCT(pol);
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> - &lsa_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> - d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
> -@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
> - return nt_status;
> - }
> -
> -- nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
> -+ nt_status = cli_rpc_pipe_open_noauth(cli_tmp, table,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - DEBUG(0, ("couldn't not initialize pipe\n"));
> -@@ -571,7 +571,7 @@ static NTSTATUS net_scan_dc_noad(struct net_context *c,
> - ZERO_STRUCTP(dc_info);
> - ZERO_STRUCT(pol);
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> - &pipe_hnd);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> -@@ -634,7 +634,7 @@ NTSTATUS net_scan_dc(struct net_context *c,
> -
> - ZERO_STRUCTP(dc_info);
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup,
> - &dssetup_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(10,("net_scan_dc: failed to open dssetup pipe with %s, "
> -diff --git a/source3/utils/netlookup.c b/source3/utils/netlookup.c
> -index b66c34e..56d3bfe 100644
> ---- a/source3/utils/netlookup.c
> -+++ b/source3/utils/netlookup.c
> -@@ -122,7 +122,7 @@ static struct con_struct *create_cs(struct net_context *c,
> - }
> -
> - nt_status = cli_rpc_pipe_open_noauth(cs->cli,
> -- &ndr_table_lsarpc.syntax_id,
> -+ &ndr_table_lsarpc,
> - &cs->lsapipe);
> -
> - if (!NT_STATUS_IS_OK(nt_status)) {
> -diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
> -index 23a1192..f092839 100644
> ---- a/source3/utils/smbcacls.c
> -+++ b/source3/utils/smbcacls.c
> -@@ -96,7 +96,7 @@ static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli,
> - goto tcon_fail;
> - }
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> - &p);
> - if (!NT_STATUS_IS_OK(status)) {
> - goto fail;
> -@@ -146,7 +146,7 @@ static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli,
> - goto tcon_fail;
> - }
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> - &p);
> - if (!NT_STATUS_IS_OK(status)) {
> - goto fail;
> -@@ -187,14 +187,13 @@ static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli,
> - struct policy_handle handle;
> - NTSTATUS status, result;
> - TALLOC_CTX *frame = talloc_stackframe();
> -- const struct ndr_syntax_id *lsarpc_syntax = &ndr_table_lsarpc.syntax_id;
> -
> - status = cli_tree_connect(cli, "IPC$", "?????", "", 0);
> - if (!NT_STATUS_IS_OK(status)) {
> - goto done;
> - }
> -
> -- status = cli_rpc_pipe_open_noauth(cli, lsarpc_syntax, &rpc_pipe);
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc, &rpc_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> - goto tdis;
> - }
> -diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
> -index bf1f95c..2791b93 100644
> ---- a/source3/utils/smbcquotas.c
> -+++ b/source3/utils/smbcquotas.c
> -@@ -58,7 +58,7 @@ static bool cli_open_policy_hnd(void)
> - NTSTATUS ret;
> - cli_ipc = connect_one("IPC$");
> - ret = cli_rpc_pipe_open_noauth(cli_ipc,
> -- &ndr_table_lsarpc.syntax_id,
> -+ &ndr_table_lsarpc,
> - &global_pipe_hnd);
> - if (!NT_STATUS_IS_OK(ret)) {
> - return False;
> -diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c
> -index 40b1f09..5c07b12 100644
> ---- a/source3/utils/smbtree.c
> -+++ b/source3/utils/smbtree.c
> -@@ -177,7 +177,7 @@ static bool get_rpc_shares(struct cli_state *cli,
> - return False;
> - }
> -
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
> - &pipe_hnd);
> -
> - if (!NT_STATUS_IS_OK(status)) {
> -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> -index f17fc68..facef64 100644
> ---- a/source3/winbindd/winbindd_cm.c
> -+++ b/source3/winbindd/winbindd_cm.c
> -@@ -2078,7 +2078,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
> - DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
> -
> - status = cli_rpc_pipe_open_noauth(domain->conn.cli,
> -- &ndr_table_dssetup.syntax_id,
> -+ &ndr_table_dssetup,
> - &cli);
> -
> - if (!NT_STATUS_IS_OK(status)) {
> -@@ -2129,7 +2129,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
> -
> - no_dssetup:
> - status = cli_rpc_pipe_open_noauth(domain->conn.cli,
> -- &ndr_table_lsarpc.syntax_id, &cli);
> -+ &ndr_table_lsarpc, &cli);
> -
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
> -@@ -2447,7 +2447,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - anonymous:
> -
> - /* Finally fall back to anonymous. */
> -- status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
> -+ status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
> - &conn->samr_pipe);
> -
> - if (!NT_STATUS_IS_OK(status)) {
> -@@ -2674,7 +2674,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - anonymous:
> -
> - result = cli_rpc_pipe_open_noauth(conn->cli,
> -- &ndr_table_lsarpc.syntax_id,
> -+ &ndr_table_lsarpc,
> - &conn->lsa_pipe);
> - if (!NT_STATUS_IS_OK(result)) {
> - result = NT_STATUS_PIPE_NOT_AVAILABLE;
> -@@ -2765,7 +2765,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> - TALLOC_FREE(conn->netlogon_pipe);
> -
> - result = cli_rpc_pipe_open_noauth(conn->cli,
> -- &ndr_table_netlogon.syntax_id,
> -+ &ndr_table_netlogon,
> - &netlogon_pipe);
> - if (!NT_STATUS_IS_OK(result)) {
> - return result;
> ---
> -1.9.3
> -
> -
> -From fce35e003f655b3564ee4df5ebfe7f3e6ff6d188 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 24 May 2013 13:33:03 +0200
> -Subject: [PATCH 027/249] s3-rpc_cli: pass down ndr_interface_table to
> - cli_rpc_pipe_open_noauth_transport().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 9aa99c3cfb0ff7a290dd4df472a4ff30d0efcb76)
> ----
> - source3/rpc_client/cli_pipe.c | 13 +++++++------
> - source3/rpc_client/cli_pipe.h | 2 +-
> - source3/rpcclient/rpcclient.c | 2 +-
> - 3 files changed, 9 insertions(+), 8 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 1137abd..4523ab7 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2865,14 +2865,14 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> -
> - NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> - enum dcerpc_transport_t transport,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult)
> - {
> - struct rpc_pipe_client *result;
> - struct pipe_auth_data *auth;
> - NTSTATUS status;
> -
> -- status = cli_rpc_pipe_open(cli, transport, interface, &result);
> -+ status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> -@@ -2921,7 +2921,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> - status = rpc_pipe_bind(result, auth);
> - if (!NT_STATUS_IS_OK(status)) {
> - int lvl = 0;
> -- if (ndr_syntax_id_equal(interface,
> -+ if (ndr_syntax_id_equal(&table->syntax_id,
> - &ndr_table_dssetup.syntax_id)) {
> - /* non AD domains just don't have this pipe, avoid
> - * level 0 statement in that case - gd */
> -@@ -2929,7 +2929,8 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> - }
> - DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
> - "%s failed with error %s\n",
> -- get_pipe_name_from_syntax(talloc_tos(), interface),
> -+ get_pipe_name_from_syntax(talloc_tos(),
> -+ &table->syntax_id),
> - nt_errstr(status) ));
> - TALLOC_FREE(result);
> - return status;
> -@@ -2937,7 +2938,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> -
> - DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
> - "%s and bound anonymously.\n",
> -- get_pipe_name_from_syntax(talloc_tos(), interface),
> -+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> - result->desthost));
> -
> - *presult = result;
> -@@ -2952,7 +2953,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> - struct rpc_pipe_client **presult)
> - {
> - return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
> -- &table->syntax_id, presult);
> -+ table, presult);
> - }
> -
> - /****************************************************************************
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index 9aae61a..f37f8a9 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -82,7 +82,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> -
> - NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> - enum dcerpc_transport_t transport,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult);
> -
> - NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> -index e3b35bb..c23ff2d 100644
> ---- a/source3/rpcclient/rpcclient.c
> -+++ b/source3/rpcclient/rpcclient.c
> -@@ -690,7 +690,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - case DCERPC_AUTH_TYPE_NONE:
> - ntresult = cli_rpc_pipe_open_noauth_transport(
> - cli, default_transport,
> -- &cmd_entry->table->syntax_id,
> -+ cmd_entry->table,
> - &cmd_entry->rpc_pipe);
> - break;
> - case DCERPC_AUTH_TYPE_SPNEGO:
> ---
> -1.9.3
> -
> -
> -From 0d85042853b635486912688102253b2f358b5056 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 24 May 2013 13:38:01 +0200
> -Subject: [PATCH 028/249] s3-rpc_cli: pass down ndr_interface_table to
> - cli_rpc_pipe_open().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 34cc4b409558f229fba24f59e81ef9100a851d24)
> ----
> - source3/rpc_client/cli_pipe.c | 14 +++++++-------
> - 1 file changed, 7 insertions(+), 7 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 4523ab7..4dc7345 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2843,7 +2843,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> -
> - static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> - enum dcerpc_transport_t transport,
> -- const struct ndr_syntax_id *interface,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult)
> - {
> - switch (transport) {
> -@@ -2851,9 +2851,9 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> - return rpc_pipe_open_tcp(NULL,
> - smbXcli_conn_remote_name(cli->conn),
> - smbXcli_conn_remote_sockaddr(cli->conn),
> -- interface, presult);
> -+ &table->syntax_id, presult);
> - case NCACN_NP:
> -- return rpc_pipe_open_np(cli, interface, presult);
> -+ return rpc_pipe_open_np(cli, &table->syntax_id, presult);
> - default:
> - return NT_STATUS_NOT_IMPLEMENTED;
> - }
> -@@ -2872,7 +2872,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> - struct pipe_auth_data *auth;
> - NTSTATUS status;
> -
> -- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> -+ status = cli_rpc_pipe_open(cli, transport, table, &result);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> -@@ -2977,7 +2977,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> -
> - NTSTATUS status;
> -
> -- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> -+ status = cli_rpc_pipe_open(cli, transport, table, &result);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> -@@ -3034,7 +3034,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - struct pipe_auth_data *auth;
> - NTSTATUS status;
> -
> -- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> -+ status = cli_rpc_pipe_open(cli, transport, table, &result);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> -@@ -3104,7 +3104,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
> - return NT_STATUS_INVALID_PARAMETER;
> - }
> -
> -- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> -+ status = cli_rpc_pipe_open(cli, transport, table, &result);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> ---
> -1.9.3
> -
> -
> -From d5e312185a7adc8429f8caba29a9808ab7954a27 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 24 May 2013 13:40:45 +0200
> -Subject: [PATCH 029/249] s3-rpc_cli: pass down ndr_interface_table to
> - rpc_pipe_open_np().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 8cd3a060514ddcc178c938100edfb0b177c00c8c)
> ----
> - source3/rpc_client/cli_pipe.c | 8 ++++----
> - 1 file changed, 4 insertions(+), 4 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 4dc7345..0347d76 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2775,7 +2775,7 @@ static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_r
> - ****************************************************************************/
> -
> - static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> -- const struct ndr_syntax_id *abstract_syntax,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult)
> - {
> - struct rpc_pipe_client *result;
> -@@ -2793,7 +2793,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- result->abstract_syntax = *abstract_syntax;
> -+ result->abstract_syntax = table->syntax_id;
> - result->transfer_syntax = ndr_transfer_syntax_ndr;
> - result->desthost = talloc_strdup(result, smbXcli_conn_remote_name(cli->conn));
> - result->srv_name_slash = talloc_asprintf_strupper_m(
> -@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- status = rpc_transport_np_init(result, cli, abstract_syntax,
> -+ status = rpc_transport_np_init(result, cli, &table->syntax_id,
> - &result->transport);
> - if (!NT_STATUS_IS_OK(status)) {
> - TALLOC_FREE(result);
> -@@ -2853,7 +2853,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> - smbXcli_conn_remote_sockaddr(cli->conn),
> - &table->syntax_id, presult);
> - case NCACN_NP:
> -- return rpc_pipe_open_np(cli, &table->syntax_id, presult);
> -+ return rpc_pipe_open_np(cli, table, presult);
> - default:
> - return NT_STATUS_NOT_IMPLEMENTED;
> - }
> ---
> -1.9.3
> -
> -
> -From f1fa7838cb933fd0d390a56d823272f8528eb63c Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 24 May 2013 13:44:00 +0200
> -Subject: [PATCH 030/249] s3-rpc_cli: pass down ndr_interface_table to
> - rpc_pipe_open_tcp().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 5c5cff0a722a0925ae75ea7aa11ede0d82d5b92d)
> ----
> - source3/rpc_client/cli_pipe.c | 8 ++++----
> - source3/rpc_client/cli_pipe.h | 2 +-
> - source3/torture/rpc_open_tcp.c | 2 +-
> - 3 files changed, 6 insertions(+), 6 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 0347d76..46adf69 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2663,19 +2663,19 @@ done:
> - */
> - NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
> - const struct sockaddr_storage *addr,
> -- const struct ndr_syntax_id *abstract_syntax,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult)
> - {
> - NTSTATUS status;
> - uint16_t port = 0;
> -
> -- status = rpc_pipe_get_tcp_port(host, addr, abstract_syntax, &port);
> -+ status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> -
> - return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
> -- abstract_syntax, presult);
> -+ &table->syntax_id, presult);
> - }
> -
> - /********************************************************************
> -@@ -2851,7 +2851,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> - return rpc_pipe_open_tcp(NULL,
> - smbXcli_conn_remote_name(cli->conn),
> - smbXcli_conn_remote_sockaddr(cli->conn),
> -- &table->syntax_id, presult);
> -+ table, presult);
> - case NCACN_NP:
> - return rpc_pipe_open_np(cli, table, presult);
> - default:
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index f37f8a9..6fcc587 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -67,7 +67,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> - NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
> - const char *host,
> - const struct sockaddr_storage *ss_addr,
> -- const struct ndr_syntax_id *abstract_syntax,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult);
> -
> - NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> -diff --git a/source3/torture/rpc_open_tcp.c b/source3/torture/rpc_open_tcp.c
> -index d29f4cf..cd27b5f 100644
> ---- a/source3/torture/rpc_open_tcp.c
> -+++ b/source3/torture/rpc_open_tcp.c
> -@@ -95,7 +95,7 @@ int main(int argc, const char **argv)
> - }
> -
> - status = rpc_pipe_open_tcp(mem_ctx, argv[2], NULL,
> -- &((*table)->syntax_id),
> -+ *table,
> - &rpc_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> - d_printf("ERROR calling rpc_pipe_open_tcp(): %s\n",
> ---
> -1.9.3
> -
> -
> -From 67c01c15af1bbb98916e75f7cad61edcc13c2e2f Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 24 May 2013 13:46:07 +0200
> -Subject: [PATCH 031/249] s3-rpc_cli: pass down ndr_interface_table to
> - rpc_pipe_get_tcp_port().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 0ff8c2d508949f732716e24047694cecf38597df)
> ----
> - source3/rpc_client/cli_pipe.c | 10 +++++-----
> - 1 file changed, 5 insertions(+), 5 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 46adf69..15e77db 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2518,7 +2518,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
> - */
> - static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> - const struct sockaddr_storage *addr,
> -- const struct ndr_syntax_id *abstract_syntax,
> -+ const struct ndr_interface_table *table,
> - uint16_t *pport)
> - {
> - NTSTATUS status;
> -@@ -2541,7 +2541,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> - goto done;
> - }
> -
> -- if (ndr_syntax_id_equal(abstract_syntax,
> -+ if (ndr_syntax_id_equal(&table->syntax_id,
> - &ndr_table_epmapper.syntax_id)) {
> - *pport = 135;
> - return NT_STATUS_OK;
> -@@ -2576,7 +2576,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> - }
> -
> - map_binding->transport = NCACN_IP_TCP;
> -- map_binding->object = *abstract_syntax;
> -+ map_binding->object = table->syntax_id;
> - map_binding->host = host; /* needed? */
> - map_binding->endpoint = "0"; /* correct? needed? */
> -
> -@@ -2612,7 +2612,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> - status = dcerpc_epm_Map(epm_handle,
> - tmp_ctx,
> - discard_const_p(struct GUID,
> -- &(abstract_syntax->uuid)),
> -+ &(table->syntax_id.uuid)),
> - map_tower,
> - entry_handle,
> - max_towers,
> -@@ -2669,7 +2669,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
> - NTSTATUS status;
> - uint16_t port = 0;
> -
> -- status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
> -+ status = rpc_pipe_get_tcp_port(host, addr, table, &port);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> ---
> -1.9.3
> -
> -
> -From a032ff8c89e479792947af4315ed6eb59a69f8f5 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 24 May 2013 13:47:16 +0200
> -Subject: [PATCH 032/249] s3-rpc_cli: pass down ndr_interface_table to
> - rpc_pipe_open_tcp_port().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 7bdcfcb37c5b96ee6aa0cecffd89c6d17291fe62)
> ----
> - source3/rpc_client/cli_pipe.c | 8 ++++----
> - 1 file changed, 4 insertions(+), 4 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 15e77db..1b2955f 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2447,7 +2447,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
> - static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
> - const struct sockaddr_storage *ss_addr,
> - uint16_t port,
> -- const struct ndr_syntax_id *abstract_syntax,
> -+ const struct ndr_interface_table *table,
> - struct rpc_pipe_client **presult)
> - {
> - struct rpc_pipe_client *result;
> -@@ -2460,7 +2460,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- result->abstract_syntax = *abstract_syntax;
> -+ result->abstract_syntax = table->syntax_id;
> - result->transfer_syntax = ndr_transfer_syntax_ndr;
> -
> - result->desthost = talloc_strdup(result, host);
> -@@ -2549,7 +2549,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> -
> - /* open the connection to the endpoint mapper */
> - status = rpc_pipe_open_tcp_port(tmp_ctx, host, addr, 135,
> -- &ndr_table_epmapper.syntax_id,
> -+ &ndr_table_epmapper,
> - &epm_pipe);
> -
> - if (!NT_STATUS_IS_OK(status)) {
> -@@ -2675,7 +2675,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
> - }
> -
> - return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
> -- &table->syntax_id, presult);
> -+ table, presult);
> - }
> -
> - /********************************************************************
> ---
> -1.9.3
> -
> -
> -From 0b4ae5ec146e35c364f01c033d6c22efb99b7314 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 24 May 2013 13:52:05 +0200
> -Subject: [PATCH 033/249] s3-rpc_cli: pass down ndr_interface_table to
> - rpc_transport_np_init().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit c41b6e5c5e7fcdbd98c1eb2bea08378b47d343d4)
> ----
> - source3/rpc_client/cli_pipe.c | 2 +-
> - source3/rpc_client/rpc_transport.h | 2 +-
> - source3/rpc_client/rpc_transport_np.c | 4 ++--
> - 3 files changed, 4 insertions(+), 4 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 1b2955f..1fa8d91 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- status = rpc_transport_np_init(result, cli, &table->syntax_id,
> -+ status = rpc_transport_np_init(result, cli, table,
> - &result->transport);
> - if (!NT_STATUS_IS_OK(status)) {
> - TALLOC_FREE(result);
> -diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
> -index bc115dd..2b4a323 100644
> ---- a/source3/rpc_client/rpc_transport.h
> -+++ b/source3/rpc_client/rpc_transport.h
> -@@ -89,7 +89,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
> - TALLOC_CTX *mem_ctx,
> - struct rpc_cli_transport **presult);
> - NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
> -- const struct ndr_syntax_id *abstract_syntax,
> -+ const struct ndr_interface_table *table,
> - struct rpc_cli_transport **presult);
> -
> - /* The following definitions come from rpc_client/rpc_transport_sock.c */
> -diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
> -index f0696ad..7bd1ca3 100644
> ---- a/source3/rpc_client/rpc_transport_np.c
> -+++ b/source3/rpc_client/rpc_transport_np.c
> -@@ -152,7 +152,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
> - }
> -
> - NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
> -- const struct ndr_syntax_id *abstract_syntax,
> -+ const struct ndr_interface_table *table,
> - struct rpc_cli_transport **presult)
> - {
> - TALLOC_CTX *frame = talloc_stackframe();
> -@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
> - goto fail;
> - }
> -
> -- req = rpc_transport_np_init_send(frame, ev, cli, abstract_syntax);
> -+ req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
> - if (req == NULL) {
> - status = NT_STATUS_NO_MEMORY;
> - goto fail;
> ---
> -1.9.3
> -
> -
> -From 739d05d91f23c4c6e17078c84192f30911cbdfcd Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 24 May 2013 13:56:53 +0200
> -Subject: [PATCH 034/249] s3-rpc_cli: pass down ndr_interface_table to
> - rpc_transport_np_init_send().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit b19e7e6638a5dd53e3c6e6701f78bf31184ed493)
> ----
> - source3/rpc_client/rpc_transport.h | 2 +-
> - source3/rpc_client/rpc_transport_np.c | 6 +++---
> - 2 files changed, 4 insertions(+), 4 deletions(-)
> -
> -diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
> -index 2b4a323..72e7609 100644
> ---- a/source3/rpc_client/rpc_transport.h
> -+++ b/source3/rpc_client/rpc_transport.h
> -@@ -84,7 +84,7 @@ struct cli_state;
> - struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
> - struct tevent_context *ev,
> - struct cli_state *cli,
> -- const struct ndr_syntax_id *abstract_syntax);
> -+ const struct ndr_interface_table *table);
> - NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
> - TALLOC_CTX *mem_ctx,
> - struct rpc_cli_transport **presult);
> -diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
> -index 7bd1ca3..c0f313e 100644
> ---- a/source3/rpc_client/rpc_transport_np.c
> -+++ b/source3/rpc_client/rpc_transport_np.c
> -@@ -40,7 +40,7 @@ static void rpc_transport_np_init_pipe_open(struct tevent_req *subreq);
> - struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
> - struct tevent_context *ev,
> - struct cli_state *cli,
> -- const struct ndr_syntax_id *abstract_syntax)
> -+ const struct ndr_interface_table *table)
> - {
> - struct tevent_req *req;
> - struct rpc_transport_np_init_state *state;
> -@@ -55,7 +55,7 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
> - state->ev = ev;
> - state->cli = cli;
> - state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
> -- state->pipe_name = get_pipe_name_from_syntax(state, abstract_syntax);
> -+ state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
> - if (tevent_req_nomem(state->pipe_name, req)) {
> - return tevent_req_post(req, ev);
> - }
> -@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
> - goto fail;
> - }
> -
> -- req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
> -+ req = rpc_transport_np_init_send(frame, ev, cli, table);
> - if (req == NULL) {
> - status = NT_STATUS_NO_MEMORY;
> - goto fail;
> ---
> -1.9.3
> -
> -
> -From c5529ee9045c44114ab1716b05d3408baa1b4e42 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 24 Sep 2008 11:04:42 +0200
> -Subject: [PATCH 035/249] s3: libnet_join: add admin_domain.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit c11a79c5a054e862f61c97093fa2ce5e5040f111)
> ----
> - source3/librpc/idl/libnet_join.idl | 2 ++
> - 1 file changed, 2 insertions(+)
> -
> -diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
> -index 4f28bb6..ac0a350 100644
> ---- a/source3/librpc/idl/libnet_join.idl
> -+++ b/source3/librpc/idl/libnet_join.idl
> -@@ -21,6 +21,7 @@ interface libnetjoin
> - [in,ref] string *domain_name,
> - [in] string account_ou,
> - [in] string admin_account,
> -+ [in] string admin_domain,
> - [in,noprint] string admin_password,
> - [in] string machine_password,
> - [in] wkssvc_joinflags join_flags,
> -@@ -51,6 +52,7 @@ interface libnetjoin
> - [in] string domain_name,
> - [in] string account_ou,
> - [in] string admin_account,
> -+ [in] string admin_domain,
> - [in,noprint] string admin_password,
> - [in] string machine_password,
> - [in] wkssvc_joinflags unjoin_flags,
> ---
> -1.9.3
> -
> -
> -From a0d8f42ac44d279ae7bc599792cd1d564925dcbf Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 24 Sep 2008 11:05:37 +0200
> -Subject: [PATCH 036/249] s3: libnet_join: use admin_domain in libnetjoin.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit cc0cbd4fdc6e07538d67cc41ca07bad1eaebf493)
> ----
> - source3/libnet/libnet_join.c | 27 ++++++++++++++++++++++++++-
> - 1 file changed, 26 insertions(+), 1 deletion(-)
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index 324c8f3..2253079 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -701,6 +701,7 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
> -
> - static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
> - const char *user,
> -+ const char *domain,
> - const char *pass,
> - bool use_kerberos,
> - struct cli_state **cli)
> -@@ -720,7 +721,7 @@ static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
> - NULL, 0,
> - "IPC$", "IPC",
> - user,
> -- NULL,
> -+ domain,
> - pass,
> - flags,
> - SMB_SIGNING_DEFAULT);
> -@@ -742,6 +743,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
> -
> - status = libnet_join_connect_dc_ipc(r->in.dc_name,
> - r->in.admin_account,
> -+ r->in.admin_domain,
> - r->in.admin_password,
> - r->in.use_kerberos,
> - cli);
> -@@ -1368,6 +1370,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
> -
> - status = libnet_join_connect_dc_ipc(r->in.dc_name,
> - r->in.admin_account,
> -+ r->in.admin_domain,
> - r->in.admin_password,
> - r->in.use_kerberos,
> - &cli);
> -@@ -1755,6 +1758,17 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
> - return WERR_SETUP_DOMAIN_CONTROLLER;
> - }
> -
> -+ if (!r->in.admin_domain) {
> -+ char *admin_domain = NULL;
> -+ char *admin_account = NULL;
> -+ split_domain_user(mem_ctx,
> -+ r->in.admin_account,
> -+ &admin_domain,
> -+ &admin_account);
> -+ r->in.admin_domain = admin_domain;
> -+ r->in.admin_account = admin_account;
> -+ }
> -+
> - if (!secrets_init()) {
> - libnet_join_set_error_string(mem_ctx, r,
> - "Unable to open secrets database");
> -@@ -2316,6 +2330,17 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
> - return WERR_SETUP_DOMAIN_CONTROLLER;
> - }
> -
> -+ if (!r->in.admin_domain) {
> -+ char *admin_domain = NULL;
> -+ char *admin_account = NULL;
> -+ split_domain_user(mem_ctx,
> -+ r->in.admin_account,
> -+ &admin_domain,
> -+ &admin_account);
> -+ r->in.admin_domain = admin_domain;
> -+ r->in.admin_account = admin_account;
> -+ }
> -+
> - if (!secrets_init()) {
> - libnet_unjoin_set_error_string(mem_ctx, r,
> - "Unable to open secrets database");
> ---
> -1.9.3
> -
> -
> -From 46f8496292a12b7acdd045d126b61fa9d8afee74 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Thu, 6 Nov 2008 11:40:03 +0100
> -Subject: [PATCH 037/249] s3-libnetjoin: add machine_name length check.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit c4d6d75cf48aed7b17728e283581366143fa4233)
> ----
> - source3/libnet/libnet_join.c | 9 +++++++++
> - 1 file changed, 9 insertions(+)
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index 2253079..b731d9b 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -1746,6 +1746,15 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
> - return WERR_INVALID_PARAM;
> - }
> -
> -+ if (strlen(r->in.machine_name) > 15) {
> -+ libnet_join_set_error_string(mem_ctx, r,
> -+ "Our netbios name can be at most 15 chars long, "
> -+ "\"%s\" is %u chars long\n",
> -+ r->in.machine_name,
> -+ (unsigned int)strlen(r->in.machine_name));
> -+ return WERR_INVALID_PARAM;
> -+ }
> -+
> - if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
> - &r->in.domain_name,
> - &r->in.dc_name)) {
> ---
> -1.9.3
> -
> -
> -From a60cf7ddd4e2d41d92cdd35ab05f2d6a30b055c9 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Thu, 6 Nov 2008 13:37:45 +0100
> -Subject: [PATCH 038/249] s3-libnetjoin: move "net rpc oldjoin" to use
> - libnetjoin.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit d398a12f7907866189c1b253ca6a40e5454f42a1)
> ----
> - source3/utils/net_rpc.c | 182 ++++++++++++++++++++++--------------------------
> - 1 file changed, 84 insertions(+), 98 deletions(-)
> -
> -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> -index 69ff14d..720e9d2 100644
> ---- a/source3/utils/net_rpc.c
> -+++ b/source3/utils/net_rpc.c
> -@@ -37,6 +37,8 @@
> - #include "secrets.h"
> - #include "lib/netapi/netapi.h"
> - #include "lib/netapi/netapi_net.h"
> -+#include "librpc/gen_ndr/libnet_join.h"
> -+#include "libnet/libnet_join.h"
> - #include "rpc_client/init_lsa.h"
> - #include "../libcli/security/security.h"
> - #include "libsmb/libsmb.h"
> -@@ -314,48 +316,46 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
> - }
> -
> - /**
> -- * Join a domain, the old way.
> -+ * Join a domain, the old way. This function exists to allow
> -+ * the message to be displayed when oldjoin was explicitly
> -+ * requested, but not when it was implied by "net rpc join".
> - *
> - * This uses 'machinename' as the inital password, and changes it.
> - *
> - * The password should be created with 'server manager' or equiv first.
> - *
> -- * All parameters are provided by the run_rpc_command function, except for
> -- * argc, argv which are passed through.
> -- *
> -- * @param domain_sid The domain sid acquired from the remote server.
> -- * @param cli A cli_state connected to the server.
> -- * @param mem_ctx Talloc context, destroyed on completion of the function.
> - * @param argc Standard main() style argc.
> - * @param argv Standard main() style argv. Initial components are already
> - * stripped.
> - *
> -- * @return Normal NTSTATUS return.
> -+ * @return A shell status integer (0 for success).
> - **/
> -
> --static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
> -- const struct dom_sid *domain_sid,
> -- const char *domain_name,
> -- struct cli_state *cli,
> -- struct rpc_pipe_client *pipe_hnd,
> -- TALLOC_CTX *mem_ctx,
> -- int argc,
> -- const char **argv)
> -+static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
> - {
> -+ struct libnet_JoinCtx *r = NULL;
> -+ TALLOC_CTX *mem_ctx;
> -+ WERROR werr;
> -+ const char *domain = lp_workgroup(); /* FIXME */
> -+ bool modify_config = lp_config_backend_is_registry();
> -+ enum netr_SchannelType sec_chan_type;
> -+ char *pw = NULL;
> -
> -- fstring trust_passwd;
> -- unsigned char orig_trust_passwd_hash[16];
> -- NTSTATUS result;
> -- enum netr_SchannelType sec_channel_type;
> -+ if (c->display_usage) {
> -+ d_printf("Usage:\n"
> -+ "net rpc oldjoin\n"
> -+ " Join a domain the old way\n");
> -+ return 0;
> -+ }
> -
> -- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> -- &pipe_hnd);
> -- if (!NT_STATUS_IS_OK(result)) {
> -- DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
> -- "error was %s\n",
> -- smbXcli_conn_remote_name(cli->conn),
> -- nt_errstr(result) ));
> -- return result;
> -+ mem_ctx = talloc_init("net_rpc_oldjoin");
> -+ if (!mem_ctx) {
> -+ return -1;
> -+ }
> -+
> -+ werr = libnet_init_JoinCtx(mem_ctx, &r);
> -+ if (!W_ERROR_IS_OK(werr)) {
> -+ goto fail;
> - }
> -
> - /*
> -@@ -363,92 +363,78 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
> - a BDC, the server must agree that we are a BDC.
> - */
> - if (argc >= 0) {
> -- sec_channel_type = get_sec_channel_type(argv[0]);
> -+ sec_chan_type = get_sec_channel_type(argv[0]);
> - } else {
> -- sec_channel_type = get_sec_channel_type(NULL);
> -+ sec_chan_type = get_sec_channel_type(NULL);
> - }
> -
> -- fstrcpy(trust_passwd, lp_netbios_name());
> -- if (!strlower_m(trust_passwd)) {
> -- return NT_STATUS_UNSUCCESSFUL;
> -+ if (!c->msg_ctx) {
> -+ d_fprintf(stderr, _("Could not initialise message context. "
> -+ "Try running as root\n"));
> -+ werr = WERR_ACCESS_DENIED;
> -+ goto fail;
> - }
> -
> -- /*
> -- * Machine names can be 15 characters, but the max length on
> -- * a password is 14. --jerry
> -- */
> --
> -- trust_passwd[14] = '\0';
> --
> -- E_md4hash(trust_passwd, orig_trust_passwd_hash);
> --
> -- result = trust_pw_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup,
> -- lp_netbios_name(),
> -- orig_trust_passwd_hash,
> -- sec_channel_type);
> --
> -- if (NT_STATUS_IS_OK(result))
> -- printf(_("Joined domain %s.\n"), c->opt_target_workgroup);
> -+ pw = talloc_strndup(r, lp_netbios_name(), 14);
> -+ if (pw == NULL) {
> -+ werr = WERR_NOMEM;
> -+ goto fail;
> -+ }
> -
> -+ r->in.msg_ctx = c->msg_ctx;
> -+ r->in.domain_name = domain;
> -+ r->in.secure_channel_type = sec_chan_type;
> -+ r->in.dc_name = c->opt_host;
> -+ r->in.admin_account = "";
> -+ r->in.admin_password = strlower_talloc(r, pw);
> -+ if (r->in.admin_password == NULL) {
> -+ werr = WERR_NOMEM;
> -+ goto fail;
> -+ }
> -+ r->in.debug = true;
> -+ r->in.modify_config = modify_config;
> -+ r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
> -+ WKSSVC_JOIN_FLAGS_JOIN_UNSECURE |
> -+ WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED;
> -
> -- if (!secrets_store_domain_sid(c->opt_target_workgroup, domain_sid)) {
> -- DEBUG(0, ("error storing domain sid for %s\n", c->opt_target_workgroup));
> -- result = NT_STATUS_UNSUCCESSFUL;
> -+ werr = libnet_Join(mem_ctx, r);
> -+ if (!W_ERROR_IS_OK(werr)) {
> -+ goto fail;
> - }
> -
> -- return result;
> --}
> -+ /* Check the short name of the domain */
> -
> --/**
> -- * Join a domain, the old way.
> -- *
> -- * @param argc Standard main() style argc.
> -- * @param argv Standard main() style argv. Initial components are already
> -- * stripped.
> -- *
> -- * @return A shell status integer (0 for success).
> -- **/
> -+ if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
> -+ d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
> -+ d_printf("domain name obtained from the server.\n");
> -+ d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
> -+ d_printf("You should set \"workgroup = %s\" in %s.\n",
> -+ r->out.netbios_domain_name, get_dyn_CONFIGFILE());
> -+ }
> -
> --static int net_rpc_perform_oldjoin(struct net_context *c, int argc, const char **argv)
> --{
> -- return run_rpc_command(c, NULL, &ndr_table_netlogon,
> -- NET_FLAGS_NO_PIPE | NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
> -- rpc_oldjoin_internals,
> -- argc, argv);
> --}
> -+ d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
> -
> --/**
> -- * Join a domain, the old way. This function exists to allow
> -- * the message to be displayed when oldjoin was explicitly
> -- * requested, but not when it was implied by "net rpc join".
> -- *
> -- * @param argc Standard main() style argc.
> -- * @param argv Standard main() style argv. Initial components are already
> -- * stripped.
> -- *
> -- * @return A shell status integer (0 for success).
> -- **/
> -+ if (r->out.dns_domain_name) {
> -+ d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
> -+ r->out.dns_domain_name);
> -+ } else {
> -+ d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
> -+ r->out.netbios_domain_name);
> -+ }
> -
> --static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
> --{
> -- int rc = -1;
> -+ TALLOC_FREE(mem_ctx);
> -
> -- if (c->display_usage) {
> -- d_printf( "%s\n"
> -- "net rpc oldjoin\n"
> -- " %s\n",
> -- _("Usage:"),
> -- _("Join a domain the old way"));
> -- return 0;
> -- }
> -+ return 0;
> -
> -- rc = net_rpc_perform_oldjoin(c, argc, argv);
> -+fail:
> -+ /* issue an overall failure message at the end. */
> -+ d_fprintf(stderr, _("Failed to join domain: %s\n"),
> -+ r && r->out.error_string ? r->out.error_string :
> -+ get_friendly_werror_msg(werr));
> -
> -- if (rc) {
> -- d_fprintf(stderr, _("Failed to join domain\n"));
> -- }
> -+ TALLOC_FREE(mem_ctx);
> -
> -- return rc;
> -+ return -1;
> - }
> -
> - /**
> -@@ -492,7 +478,7 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
> - return -1;
> - }
> -
> -- if ((net_rpc_perform_oldjoin(c, argc, argv) == 0))
> -+ if ((net_rpc_oldjoin(c, argc, argv) == 0))
> - return 0;
> -
> - return net_rpc_join_newstyle(c, argc, argv);
> ---
> -1.9.3
> -
> -
> -From 3185251186366984b5ec06322c75cfda71dccdbc Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 13 Jun 2013 19:12:27 +0200
> -Subject: [PATCH 039/249] s3:libnet: let the caller truncate the pw in
> - libnet_join_joindomain_rpc_unsecure()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 1242ab0cb3bf575b695b39313604af9d0a7f1b3a)
> ----
> - source3/libnet/libnet_join.c | 15 +--------------
> - 1 file changed, 1 insertion(+), 14 deletions(-)
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index b731d9b..d8ec235 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -818,7 +818,6 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> - struct rpc_pipe_client *pipe_hnd = NULL;
> - unsigned char orig_trust_passwd_hash[16];
> - unsigned char new_trust_passwd_hash[16];
> -- fstring trust_passwd;
> - NTSTATUS status;
> -
> - status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> -@@ -837,19 +836,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> - E_md4hash(r->in.machine_password, new_trust_passwd_hash);
> -
> - /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
> -- fstrcpy(trust_passwd, r->in.admin_password);
> -- if (!strlower_m(trust_passwd)) {
> -- return NT_STATUS_INVALID_PARAMETER;
> -- }
> --
> -- /*
> -- * Machine names can be 15 characters, but the max length on
> -- * a password is 14. --jerry
> -- */
> --
> -- trust_passwd[14] = '\0';
> --
> -- E_md4hash(trust_passwd, orig_trust_passwd_hash);
> -+ E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
> -
> - status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
> - r->in.machine_name,
> ---
> -1.9.3
> -
> -
> -From e1e15a73a9a5215866f6471c5e583457c516b47e Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Tue, 3 Feb 2009 20:10:05 +0100
> -Subject: [PATCH 040/249] s3-net: use libnetjoin for "net rpc testjoin".
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 9cfa6251600ddea0e821f2bd3fd359c28eb1b7f9)
> ----
> - source3/utils/net_proto.h | 2 +-
> - source3/utils/net_rpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++
> - source3/utils/net_rpc_join.c | 29 -------------------
> - 3 files changed, 67 insertions(+), 30 deletions(-)
> -
> -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
> -index 03fb312..d791708 100644
> ---- a/source3/utils/net_proto.h
> -+++ b/source3/utils/net_proto.h
> -@@ -145,6 +145,7 @@ int run_rpc_command(struct net_context *c,
> - int argc,
> - const char **argv);
> - int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
> -+int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
> - int net_rpc_join(struct net_context *c, int argc, const char **argv);
> - NTSTATUS rpc_info_internals(struct net_context *c,
> - const struct dom_sid *domain_sid,
> -@@ -205,7 +206,6 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
> - const char *server,
> - const struct sockaddr_storage *server_ss);
> - int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
> --int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
> -
> - /* The following definitions come from utils/net_rpc_printer.c */
> -
> -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> -index 720e9d2..592be44 100644
> ---- a/source3/utils/net_rpc.c
> -+++ b/source3/utils/net_rpc.c
> -@@ -438,6 +438,72 @@ fail:
> - }
> -
> - /**
> -+ * check that a join is OK
> -+ *
> -+ * @return A shell status integer (0 for success)
> -+ *
> -+ **/
> -+int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> -+{
> -+ NTSTATUS status;
> -+ TALLOC_CTX *mem_ctx;
> -+ const char *domain = c->opt_target_workgroup;
> -+ const char *dc = c->opt_host;
> -+
> -+ if (c->display_usage) {
> -+ d_printf("Usage\n"
> -+ "net rpc testjoin\n"
> -+ " Test if a join is OK\n");
> -+ return 0;
> -+ }
> -+
> -+ mem_ctx = talloc_init("net_rpc_testjoin");
> -+ if (!mem_ctx) {
> -+ return -1;
> -+ }
> -+
> -+ if (!dc) {
> -+ struct netr_DsRGetDCNameInfo *info;
> -+
> -+ if (!c->msg_ctx) {
> -+ d_fprintf(stderr, _("Could not initialise message context. "
> -+ "Try running as root\n"));
> -+ talloc_destroy(mem_ctx);
> -+ return -1;
> -+ }
> -+
> -+ status = dsgetdcname(mem_ctx,
> -+ c->msg_ctx,
> -+ domain,
> -+ NULL,
> -+ NULL,
> -+ DS_RETURN_DNS_NAME,
> -+ &info);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ talloc_destroy(mem_ctx);
> -+ return -1;
> -+ }
> -+
> -+ dc = strip_hostname(info->dc_unc);
> -+ }
> -+
> -+ /* Display success or failure */
> -+ status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
> -+ c->opt_kerberos);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
> -+ domain, nt_errstr(status));
> -+ talloc_destroy(mem_ctx);
> -+ return -1;
> -+ }
> -+
> -+ printf("Join to '%s' is OK\n",domain);
> -+ talloc_destroy(mem_ctx);
> -+
> -+ return 0;
> -+}
> -+
> -+/**
> - * 'net rpc join' entrypoint.
> - * @param argc Standard main() style argc.
> - * @param argv Standard main() style argv. Initial components are already
> -diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
> -index aabbe54..ee39a5c 100644
> ---- a/source3/utils/net_rpc_join.c
> -+++ b/source3/utils/net_rpc_join.c
> -@@ -561,32 +561,3 @@ done:
> -
> - return retval;
> - }
> --
> --/**
> -- * check that a join is OK
> -- *
> -- * @return A shell status integer (0 for success)
> -- *
> -- **/
> --int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> --{
> -- NTSTATUS nt_status;
> --
> -- if (c->display_usage) {
> -- d_printf(_("Usage\n"
> -- "net rpc testjoin\n"
> -- " Test if a join is OK\n"));
> -- return 0;
> -- }
> --
> -- /* Display success or failure */
> -- nt_status = net_rpc_join_ok(c, c->opt_target_workgroup, NULL, NULL);
> -- if (!NT_STATUS_IS_OK(nt_status)) {
> -- fprintf(stderr, _("Join to domain '%s' is not valid: %s\n"),
> -- c->opt_target_workgroup, nt_errstr(nt_status));
> -- return -1;
> -- }
> --
> -- printf(_("Join to '%s' is OK\n"), c->opt_target_workgroup);
> -- return 0;
> --}
> ---
> -1.9.3
> -
> -
> -From a0474baa59c0991c2b2d8e3f425c9a6845162f45 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Tue, 3 Feb 2009 20:21:05 +0100
> -Subject: [PATCH 041/249] s3-net: use libnetjoin for "net rpc join" newstyle.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 3e4ded48bbeacdcd128f3c667cbdd12a3efca312)
> ----
> - source3/utils/net_proto.h | 8 +---
> - source3/utils/net_rpc.c | 106 ++++++++++++++++++++++++++++++++++++++++++++++
> - source3/wscript_build | 2 +-
> - 3 files changed, 108 insertions(+), 8 deletions(-)
> -
> -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
> -index d791708..1809ba9 100644
> ---- a/source3/utils/net_proto.h
> -+++ b/source3/utils/net_proto.h
> -@@ -146,6 +146,7 @@ int run_rpc_command(struct net_context *c,
> - const char **argv);
> - int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
> - int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
> -+int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
> - int net_rpc_join(struct net_context *c, int argc, const char **argv);
> - NTSTATUS rpc_info_internals(struct net_context *c,
> - const struct dom_sid *domain_sid,
> -@@ -200,13 +201,6 @@ int net_rpc(struct net_context *c, int argc, const char **argv);
> -
> - int net_rpc_audit(struct net_context *c, int argc, const char **argv);
> -
> --/* The following definitions come from utils/net_rpc_join.c */
> --
> --NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
> -- const char *server,
> -- const struct sockaddr_storage *server_ss);
> --int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
> --
> - /* The following definitions come from utils/net_rpc_printer.c */
> -
> - NTSTATUS net_copy_fileattr(struct net_context *c,
> -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> -index 592be44..6358460 100644
> ---- a/source3/utils/net_rpc.c
> -+++ b/source3/utils/net_rpc.c
> -@@ -504,6 +504,112 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> - }
> -
> - /**
> -+ * Join a domain using the administrator username and password
> -+ *
> -+ * @param argc Standard main() style argc
> -+ * @param argc Standard main() style argv. Initial components are already
> -+ * stripped. Currently not used.
> -+ * @return A shell status integer (0 for success)
> -+ *
> -+ **/
> -+
> -+int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> -+{
> -+ struct libnet_JoinCtx *r = NULL;
> -+ TALLOC_CTX *mem_ctx;
> -+ WERROR werr;
> -+ const char *domain = lp_workgroup(); /* FIXME */
> -+ bool modify_config = lp_config_backend_is_registry();
> -+ enum netr_SchannelType sec_chan_type;
> -+
> -+ if (c->display_usage) {
> -+ d_printf("Usage:\n"
> -+ "net rpc join\n"
> -+ " Join a domain the new way\n");
> -+ return 0;
> -+ }
> -+
> -+ mem_ctx = talloc_init("net_rpc_join_newstyle");
> -+ if (!mem_ctx) {
> -+ return -1;
> -+ }
> -+
> -+ werr = libnet_init_JoinCtx(mem_ctx, &r);
> -+ if (!W_ERROR_IS_OK(werr)) {
> -+ goto fail;
> -+ }
> -+
> -+ /*
> -+ check what type of join - if the user want's to join as
> -+ a BDC, the server must agree that we are a BDC.
> -+ */
> -+ if (argc >= 0) {
> -+ sec_chan_type = get_sec_channel_type(argv[0]);
> -+ } else {
> -+ sec_chan_type = get_sec_channel_type(NULL);
> -+ }
> -+
> -+ if (!c->msg_ctx) {
> -+ d_fprintf(stderr, _("Could not initialise message context. "
> -+ "Try running as root\n"));
> -+ werr = WERR_ACCESS_DENIED;
> -+ goto fail;
> -+ }
> -+
> -+ r->in.msg_ctx = c->msg_ctx;
> -+ r->in.domain_name = domain;
> -+ r->in.secure_channel_type = sec_chan_type;
> -+ r->in.dc_name = c->opt_host;
> -+ r->in.admin_account = c->opt_user_name;
> -+ r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
> -+ r->in.debug = true;
> -+ r->in.use_kerberos = c->opt_kerberos;
> -+ r->in.modify_config = modify_config;
> -+ r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
> -+ WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
> -+ WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
> -+
> -+ werr = libnet_Join(mem_ctx, r);
> -+ if (!W_ERROR_IS_OK(werr)) {
> -+ goto fail;
> -+ }
> -+
> -+ /* Check the short name of the domain */
> -+
> -+ if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
> -+ d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
> -+ d_printf("domain name obtained from the server.\n");
> -+ d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
> -+ d_printf("You should set \"workgroup = %s\" in %s.\n",
> -+ r->out.netbios_domain_name, get_dyn_CONFIGFILE());
> -+ }
> -+
> -+ d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
> -+
> -+ if (r->out.dns_domain_name) {
> -+ d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
> -+ r->out.dns_domain_name);
> -+ } else {
> -+ d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
> -+ r->out.netbios_domain_name);
> -+ }
> -+
> -+ TALLOC_FREE(mem_ctx);
> -+
> -+ return 0;
> -+
> -+fail:
> -+ /* issue an overall failure message at the end. */
> -+ d_printf("Failed to join domain: %s\n",
> -+ r && r->out.error_string ? r->out.error_string :
> -+ get_friendly_werror_msg(werr));
> -+
> -+ TALLOC_FREE(mem_ctx);
> -+
> -+ return -1;
> -+}
> -+
> -+/**
> - * 'net rpc join' entrypoint.
> - * @param argc Standard main() style argc.
> - * @param argv Standard main() style argv. Initial components are already
> -diff --git a/source3/wscript_build b/source3/wscript_build
> -index 9461b05..0bf84e2 100755
> ---- a/source3/wscript_build
> -+++ b/source3/wscript_build
> -@@ -507,7 +507,7 @@ LIBNET_SAMSYNC_SRC = '''libnet/libnet_samsync.c
> -
> - NET_SRC1 = '''utils/net.c utils/net_ads.c utils/net_help.c
> - utils/net_rap.c utils/net_rpc.c utils/net_rpc_samsync.c
> -- utils/net_rpc_join.c utils/net_time.c utils/net_lookup.c
> -+ utils/net_time.c utils/net_lookup.c
> - utils/net_cache.c utils/net_groupmap.c
> - utils/net_idmap.c utils/net_idmap_check.c
> - utils/interact.c
> ---
> -1.9.3
> -
> -
> -From b2aad96d2ffd5545c250cce605dfdb7f0852806c Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 15 Jul 2013 13:28:34 +0200
> -Subject: [PATCH 042/249] s3-net: avoid confusing output in net_rpc_oldjoin()
> - if NET_FLAGS_EXPECT_FALLBACK is passed
> -
> -"net rpc join" tries net_rpc_oldjoin() first and falls back to
> -net_rpc_join_newstyle(). We should not print the join failed
> -if just net_rpc_oldjoin() failed.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 05d9b4165af9e7f03d3fbeb64db4fc305fcec4df)
> ----
> - source3/utils/net.h | 1 +
> - source3/utils/net_proto.h | 1 -
> - source3/utils/net_rpc.c | 15 +++++++++++++--
> - 3 files changed, 14 insertions(+), 3 deletions(-)
> -
> -diff --git a/source3/utils/net.h b/source3/utils/net.h
> -index 2056d89..e97734a 100644
> ---- a/source3/utils/net.h
> -+++ b/source3/utils/net.h
> -@@ -182,6 +182,7 @@ enum netdom_domain_t { ND_TYPE_NT4, ND_TYPE_AD };
> - #define NET_FLAGS_SIGN 0x00000040 /* sign RPC connection */
> - #define NET_FLAGS_SEAL 0x00000080 /* seal RPC connection */
> - #define NET_FLAGS_TCP 0x00000100 /* use ncacn_ip_tcp */
> -+#define NET_FLAGS_EXPECT_FALLBACK 0x00000200 /* the caller will fallback */
> -
> - /* net share operation modes */
> - #define NET_MODE_SHARE_MIGRATE 1
> -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
> -index 1809ba9..25e9db2 100644
> ---- a/source3/utils/net_proto.h
> -+++ b/source3/utils/net_proto.h
> -@@ -146,7 +146,6 @@ int run_rpc_command(struct net_context *c,
> - const char **argv);
> - int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
> - int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
> --int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
> - int net_rpc_join(struct net_context *c, int argc, const char **argv);
> - NTSTATUS rpc_info_internals(struct net_context *c,
> - const struct dom_sid *domain_sid,
> -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> -index 6358460..dff8801 100644
> ---- a/source3/utils/net_rpc.c
> -+++ b/source3/utils/net_rpc.c
> -@@ -427,11 +427,16 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
> - return 0;
> -
> - fail:
> -+ if (c->opt_flags & NET_FLAGS_EXPECT_FALLBACK) {
> -+ goto cleanup;
> -+ }
> -+
> - /* issue an overall failure message at the end. */
> - d_fprintf(stderr, _("Failed to join domain: %s\n"),
> - r && r->out.error_string ? r->out.error_string :
> - get_friendly_werror_msg(werr));
> -
> -+cleanup:
> - TALLOC_FREE(mem_ctx);
> -
> - return -1;
> -@@ -513,7 +518,7 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> - *
> - **/
> -
> --int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> -+static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> - {
> - struct libnet_JoinCtx *r = NULL;
> - TALLOC_CTX *mem_ctx;
> -@@ -623,6 +628,8 @@ fail:
> -
> - int net_rpc_join(struct net_context *c, int argc, const char **argv)
> - {
> -+ int ret;
> -+
> - if (c->display_usage) {
> - d_printf("%s\n%s",
> - _("Usage:"),
> -@@ -650,8 +657,12 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
> - return -1;
> - }
> -
> -- if ((net_rpc_oldjoin(c, argc, argv) == 0))
> -+ c->opt_flags |= NET_FLAGS_EXPECT_FALLBACK;
> -+ ret = net_rpc_oldjoin(c, argc, argv);
> -+ c->opt_flags &= ~NET_FLAGS_EXPECT_FALLBACK;
> -+ if (ret == 0) {
> - return 0;
> -+ }
> -
> - return net_rpc_join_newstyle(c, argc, argv);
> - }
> ---
> -1.9.3
> -
> -
> -From 8e8a2602d1c793f9a46e5219dea91a46e34d24ca Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 16 Jul 2013 10:07:30 +0200
> -Subject: [PATCH 043/249] s4:librpc: fix netlogon connections against servers
> - without AES support
> -
> -LogonGetCapabilities() only works on the credential chain if
> -the server supports AES, so we need to work on a temporary copy
> -until we know the server replied a valid return authenticator.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 34fa7946993506fde2c6b30e4a41bea27390a814)
> ----
> - source4/librpc/rpc/dcerpc_schannel.c | 8 ++++++--
> - 1 file changed, 6 insertions(+), 2 deletions(-)
> -
> -diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
> -index 1480486..130ebeb 100644
> ---- a/source4/librpc/rpc/dcerpc_schannel.c
> -+++ b/source4/librpc/rpc/dcerpc_schannel.c
> -@@ -385,6 +385,7 @@ struct auth_schannel_state {
> - struct loadparm_context *lp_ctx;
> - uint8_t auth_level;
> - struct netlogon_creds_CredentialState *creds_state;
> -+ struct netlogon_creds_CredentialState save_creds_state;
> - struct netr_Authenticator auth;
> - struct netr_Authenticator return_auth;
> - union netr_Capabilities capabilities;
> -@@ -449,7 +450,8 @@ static void continue_bind_auth(struct composite_context *ctx)
> - s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
> - if (composite_nomem(s->creds_state, c)) return;
> -
> -- netlogon_creds_client_authenticator(s->creds_state, &s->auth);
> -+ s->save_creds_state = *s->creds_state;
> -+ netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
> -
> - s->c.in.server_name = talloc_asprintf(c,
> - "\\\\%s",
> -@@ -519,12 +521,14 @@ static void continue_get_capabilities(struct tevent_req *subreq)
> - }
> -
> - /* verify credentials */
> -- if (!netlogon_creds_client_check(s->creds_state,
> -+ if (!netlogon_creds_client_check(&s->save_creds_state,
> - &s->c.out.return_authenticator->cred)) {
> - composite_error(c, NT_STATUS_UNSUCCESSFUL);
> - return;
> - }
> -
> -+ *s->creds_state = s->save_creds_state;
> -+
> - if (!NT_STATUS_IS_OK(s->c.out.result)) {
> - composite_error(c, s->c.out.result);
> - return;
> ---
> -1.9.3
> -
> -
> -From 300fb415d5a6a60702b0c8464e0e76cf0e11fdeb Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 22 Mar 2013 15:07:10 +0100
> -Subject: [PATCH 044/249] s3:rpcclient: use talloc_stackframe() in do_cmd()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit d54c908ff5bef774f5cca038741558089ff6baeb)
> ----
> - source3/rpcclient/rpcclient.c | 8 ++++++--
> - 1 file changed, 6 insertions(+), 2 deletions(-)
> -
> -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> -index c23ff2d..9bf296e 100644
> ---- a/source3/rpcclient/rpcclient.c
> -+++ b/source3/rpcclient/rpcclient.c
> -@@ -678,7 +678,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> -
> - /* Create mem_ctx */
> -
> -- if (!(mem_ctx = talloc_init("do_cmd"))) {
> -+ if (!(mem_ctx = talloc_stackframe())) {
> - DEBUG(0, ("talloc_init() failed\n"));
> - return NT_STATUS_NO_MEMORY;
> - }
> -@@ -745,12 +745,14 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - "auth type %u\n",
> - cmd_entry->table->name,
> - pipe_default_auth_type ));
> -+ talloc_free(mem_ctx);
> - return NT_STATUS_UNSUCCESSFUL;
> - }
> - if (!NT_STATUS_IS_OK(ntresult)) {
> - DEBUG(0, ("Could not initialise %s. Error was %s\n",
> - cmd_entry->table->name,
> - nt_errstr(ntresult) ));
> -+ talloc_free(mem_ctx);
> - return ntresult;
> - }
> -
> -@@ -765,6 +767,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - trust_password, &machine_account,
> - &sec_channel_type))
> - {
> -+ talloc_free(mem_ctx);
> - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> - }
> -
> -@@ -780,6 +783,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - if (!NT_STATUS_IS_OK(ntresult)) {
> - DEBUG(0, ("Could not initialise credentials for %s.\n",
> - cmd_entry->table->name));
> -+ talloc_free(mem_ctx);
> - return ntresult;
> - }
> - }
> -@@ -803,7 +807,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> -
> - /* Cleanup */
> -
> -- talloc_destroy(mem_ctx);
> -+ talloc_free(mem_ctx);
> -
> - return ntresult;
> - }
> ---
> -1.9.3
> -
> -
> -From 95972ec54aafcf8a66e0164cd1fb478b6f4c58f6 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 24 Apr 2013 12:36:04 +0200
> -Subject: [PATCH 045/249] libcli/auth: make
> - netlogon_creds_crypt_samlogon_validation more robust
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 39fedd27182d9e1985418ea79b86aef69999dd57)
> ----
> - libcli/auth/credentials.c | 6 +++++-
> - 1 file changed, 5 insertions(+), 1 deletion(-)
> -
> -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> -index fb77ede..5c8b25b 100644
> ---- a/libcli/auth/credentials.c
> -+++ b/libcli/auth/credentials.c
> -@@ -493,8 +493,12 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
> - bool encrypt)
> - {
> - static const char zeros[16];
> --
> - struct netr_SamBaseInfo *base = NULL;
> -+
> -+ if (validation == NULL) {
> -+ return;
> -+ }
> -+
> - switch (validation_level) {
> - case 2:
> - if (validation->sam2) {
> ---
> -1.9.3
> -
> -
> -From ac092a319c388cc2577bcbd87e16522ba37dc2d0 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 14 Jun 2013 09:47:50 +0200
> -Subject: [PATCH 046/249] libcli/auth: fix shadowed declaration in
> - netlogon_creds_crypt_samlogon_validation()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 291f6a1e031dc9db7d03b3ca924c4309b313cae5)
> ----
> - libcli/auth/credentials.c | 8 ++++----
> - 1 file changed, 4 insertions(+), 4 deletions(-)
> -
> -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> -index 5c8b25b..2e9c87e 100644
> ---- a/libcli/auth/credentials.c
> -+++ b/libcli/auth/credentials.c
> -@@ -490,7 +490,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
> - static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
> - uint16_t validation_level,
> - union netr_Validation *validation,
> -- bool encrypt)
> -+ bool do_encrypt)
> - {
> - static const char zeros[16];
> - struct netr_SamBaseInfo *base = NULL;
> -@@ -531,7 +531,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
> - /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
> - if (memcmp(base->key.key, zeros,
> - sizeof(base->key.key)) != 0) {
> -- if (encrypt) {
> -+ if (do_encrypt) {
> - netlogon_creds_aes_encrypt(creds,
> - base->key.key,
> - sizeof(base->key.key));
> -@@ -544,7 +544,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
> -
> - if (memcmp(base->LMSessKey.key, zeros,
> - sizeof(base->LMSessKey.key)) != 0) {
> -- if (encrypt) {
> -+ if (do_encrypt) {
> - netlogon_creds_aes_encrypt(creds,
> - base->LMSessKey.key,
> - sizeof(base->LMSessKey.key));
> -@@ -574,7 +574,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
> - /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
> - if (memcmp(base->LMSessKey.key, zeros,
> - sizeof(base->LMSessKey.key)) != 0) {
> -- if (encrypt) {
> -+ if (do_encrypt) {
> - netlogon_creds_des_encrypt_LMKey(creds,
> - &base->LMSessKey);
> - } else {
> ---
> -1.9.3
> -
> -
> -From c535bfb9ead2175ae68b9d18a1692218a0fcf800 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 25 Apr 2013 17:01:00 +0200
> -Subject: [PATCH 047/249] libcli/auth: add
> - netlogon_creds_[de|en]crypt_samlogon_logon()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit c7319fce604d5f89a89094b6b18ef459a347aef8)
> ----
> - libcli/auth/credentials.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++
> - libcli/auth/proto.h | 6 +++
> - 2 files changed, 124 insertions(+)
> -
> -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> -index 2e9c87e..78a8d7a 100644
> ---- a/libcli/auth/credentials.c
> -+++ b/libcli/auth/credentials.c
> -@@ -601,6 +601,124 @@ void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_Credential
> - validation, true);
> - }
> -
> -+static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> -+ enum netr_LogonInfoClass level,
> -+ union netr_LogonLevel *logon,
> -+ bool encrypt)
> -+{
> -+ static const char zeros[16];
> -+
> -+ if (logon == NULL) {
> -+ return;
> -+ }
> -+
> -+ switch (level) {
> -+ case NetlogonInteractiveInformation:
> -+ case NetlogonInteractiveTransitiveInformation:
> -+ case NetlogonServiceInformation:
> -+ case NetlogonServiceTransitiveInformation:
> -+ if (logon->password == NULL) {
> -+ return;
> -+ }
> -+
> -+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -+ uint8_t *h;
> -+
> -+ h = logon->password->lmpassword.hash;
> -+ if (memcmp(h, zeros, 16) != 0) {
> -+ if (encrypt) {
> -+ netlogon_creds_aes_encrypt(creds, h, 16);
> -+ } else {
> -+ netlogon_creds_aes_decrypt(creds, h, 16);
> -+ }
> -+ }
> -+
> -+ h = logon->password->ntpassword.hash;
> -+ if (memcmp(h, zeros, 16) != 0) {
> -+ if (encrypt) {
> -+ netlogon_creds_aes_encrypt(creds, h, 16);
> -+ } else {
> -+ netlogon_creds_aes_decrypt(creds, h, 16);
> -+ }
> -+ }
> -+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> -+ uint8_t *h;
> -+
> -+ h = logon->password->lmpassword.hash;
> -+ if (memcmp(h, zeros, 16) != 0) {
> -+ netlogon_creds_arcfour_crypt(creds, h, 16);
> -+ }
> -+
> -+ h = logon->password->ntpassword.hash;
> -+ if (memcmp(h, zeros, 16) != 0) {
> -+ netlogon_creds_arcfour_crypt(creds, h, 16);
> -+ }
> -+ } else {
> -+ struct samr_Password *p;
> -+
> -+ p = &logon->password->lmpassword;
> -+ if (memcmp(p->hash, zeros, 16) != 0) {
> -+ if (encrypt) {
> -+ netlogon_creds_des_encrypt(creds, p);
> -+ } else {
> -+ netlogon_creds_des_decrypt(creds, p);
> -+ }
> -+ }
> -+ p = &logon->password->ntpassword;
> -+ if (memcmp(p->hash, zeros, 16) != 0) {
> -+ if (encrypt) {
> -+ netlogon_creds_des_encrypt(creds, p);
> -+ } else {
> -+ netlogon_creds_des_decrypt(creds, p);
> -+ }
> -+ }
> -+ }
> -+ break;
> -+
> -+ case NetlogonNetworkInformation:
> -+ case NetlogonNetworkTransitiveInformation:
> -+ break;
> -+
> -+ case NetlogonGenericInformation:
> -+ if (logon->generic == NULL) {
> -+ return;
> -+ }
> -+
> -+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -+ if (encrypt) {
> -+ netlogon_creds_aes_encrypt(creds,
> -+ logon->generic->data,
> -+ logon->generic->length);
> -+ } else {
> -+ netlogon_creds_aes_decrypt(creds,
> -+ logon->generic->data,
> -+ logon->generic->length);
> -+ }
> -+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> -+ netlogon_creds_arcfour_crypt(creds,
> -+ logon->generic->data,
> -+ logon->generic->length);
> -+ } else {
> -+ /* Using DES to verify kerberos tickets makes no sense */
> -+ }
> -+ break;
> -+ }
> -+}
> -+
> -+void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> -+ enum netr_LogonInfoClass level,
> -+ union netr_LogonLevel *logon)
> -+{
> -+ netlogon_creds_crypt_samlogon_logon(creds, level, logon, false);
> -+}
> -+
> -+void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> -+ enum netr_LogonInfoClass level,
> -+ union netr_LogonLevel *logon)
> -+{
> -+ netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
> -+}
> -+
> - /*
> - copy a netlogon_creds_CredentialState struct
> - */
> -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
> -index 6bc18d7..110e039 100644
> ---- a/libcli/auth/proto.h
> -+++ b/libcli/auth/proto.h
> -@@ -64,6 +64,12 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential
> - void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
> - uint16_t validation_level,
> - union netr_Validation *validation);
> -+void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> -+ enum netr_LogonInfoClass level,
> -+ union netr_LogonLevel *logon);
> -+void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> -+ enum netr_LogonInfoClass level,
> -+ union netr_LogonLevel *logon);
> -
> - /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
> -
> ---
> -1.9.3
> -
> -
> -From d4f36f187d7c87c8daae3f94cdba52225faa19b8 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 24 Apr 2013 12:53:27 +0200
> -Subject: [PATCH 048/249] libcli/auth: add netlogon_creds_shallow_copy_logon()
> -
> -This can be used before netlogon_creds_encrypt_samlogon_logon()
> -in order to keep the provided buffers unchanged.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 2ea749a1a43a6539b01d36dbe0402a99619444e1)
> ----
> - libcli/auth/credentials.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++
> - libcli/auth/proto.h | 3 ++
> - 2 files changed, 76 insertions(+)
> -
> -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> -index 78a8d7a..1f664d3 100644
> ---- a/libcli/auth/credentials.c
> -+++ b/libcli/auth/credentials.c
> -@@ -719,6 +719,79 @@ void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState
> - netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
> - }
> -
> -+union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
> -+ enum netr_LogonInfoClass level,
> -+ const union netr_LogonLevel *in)
> -+{
> -+ union netr_LogonLevel *out;
> -+
> -+ if (in == NULL) {
> -+ return NULL;
> -+ }
> -+
> -+ out = talloc(mem_ctx, union netr_LogonLevel);
> -+ if (out == NULL) {
> -+ return NULL;
> -+ }
> -+
> -+ *out = *in;
> -+
> -+ switch (level) {
> -+ case NetlogonInteractiveInformation:
> -+ case NetlogonInteractiveTransitiveInformation:
> -+ case NetlogonServiceInformation:
> -+ case NetlogonServiceTransitiveInformation:
> -+ if (in->password == NULL) {
> -+ return out;
> -+ }
> -+
> -+ out->password = talloc(out, struct netr_PasswordInfo);
> -+ if (out->password == NULL) {
> -+ talloc_free(out);
> -+ return NULL;
> -+ }
> -+ *out->password = *in->password;
> -+
> -+ return out;
> -+
> -+ case NetlogonNetworkInformation:
> -+ case NetlogonNetworkTransitiveInformation:
> -+ break;
> -+
> -+ case NetlogonGenericInformation:
> -+ if (in->generic == NULL) {
> -+ return out;
> -+ }
> -+
> -+ out->generic = talloc(out, struct netr_GenericInfo);
> -+ if (out->generic == NULL) {
> -+ talloc_free(out);
> -+ return NULL;
> -+ }
> -+ *out->generic = *in->generic;
> -+
> -+ if (in->generic->data == NULL) {
> -+ return out;
> -+ }
> -+
> -+ if (in->generic->length == 0) {
> -+ return out;
> -+ }
> -+
> -+ out->generic->data = talloc_memdup(out->generic,
> -+ in->generic->data,
> -+ in->generic->length);
> -+ if (out->generic->data == NULL) {
> -+ talloc_free(out);
> -+ return NULL;
> -+ }
> -+
> -+ return out;
> -+ }
> -+
> -+ return out;
> -+}
> -+
> - /*
> - copy a netlogon_creds_CredentialState struct
> - */
> -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
> -index 110e039..0c319d3 100644
> ---- a/libcli/auth/proto.h
> -+++ b/libcli/auth/proto.h
> -@@ -70,6 +70,9 @@ void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState
> - void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> - enum netr_LogonInfoClass level,
> - union netr_LogonLevel *logon);
> -+union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
> -+ enum netr_LogonInfoClass level,
> -+ const union netr_LogonLevel *in);
> -
> - /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
> -
> ---
> -1.9.3
> -
> -
> -From 8cf11ba846fc31ce26020aabcf463817b56580a7 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 24 Apr 2013 16:00:18 +0200
> -Subject: [PATCH 049/249] s4:netlogon: make use of
> - netlogon_creds_decrypt_samlogon_logon()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 9d548318da11247ffe8acf505cdb5299090c16f0)
> ----
> - source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++---------------------
> - 1 file changed, 6 insertions(+), 22 deletions(-)
> -
> -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -index 70239a4..c41cd02 100644
> ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -@@ -712,29 +712,15 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
> - user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
> - NT_STATUS_HAVE_NO_MEMORY(user_info);
> -
> -+ netlogon_creds_decrypt_samlogon_logon(creds,
> -+ r->in.logon_level,
> -+ r->in.logon);
> -+
> - switch (r->in.logon_level) {
> - case NetlogonInteractiveInformation:
> - case NetlogonServiceInformation:
> - case NetlogonInteractiveTransitiveInformation:
> - case NetlogonServiceTransitiveInformation:
> -- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- netlogon_creds_aes_decrypt(creds,
> -- r->in.logon->password->lmpassword.hash,
> -- sizeof(r->in.logon->password->lmpassword.hash));
> -- netlogon_creds_aes_decrypt(creds,
> -- r->in.logon->password->ntpassword.hash,
> -- sizeof(r->in.logon->password->ntpassword.hash));
> -- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> -- netlogon_creds_arcfour_crypt(creds,
> -- r->in.logon->password->lmpassword.hash,
> -- sizeof(r->in.logon->password->lmpassword.hash));
> -- netlogon_creds_arcfour_crypt(creds,
> -- r->in.logon->password->ntpassword.hash,
> -- sizeof(r->in.logon->password->ntpassword.hash));
> -- } else {
> -- netlogon_creds_des_decrypt(creds, &r->in.logon->password->lmpassword);
> -- netlogon_creds_des_decrypt(creds, &r->in.logon->password->ntpassword);
> -- }
> -
> - /* TODO: we need to deny anonymous access here */
> - nt_status = auth_context_create(mem_ctx,
> -@@ -788,11 +774,9 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
> - case NetlogonGenericInformation:
> - {
> - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- netlogon_creds_aes_decrypt(creds,
> -- r->in.logon->generic->data, r->in.logon->generic->length);
> -+ /* OK */
> - } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> -- netlogon_creds_arcfour_crypt(creds,
> -- r->in.logon->generic->data, r->in.logon->generic->length);
> -+ /* OK */
> - } else {
> - /* Using DES to verify kerberos tickets makes no sense */
> - return NT_STATUS_INVALID_PARAMETER;
> ---
> -1.9.3
> -
> -
> -From 22bdc484af1b1a4ebd9451fd5cde4d3993dd6f0a Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 24 Apr 2013 16:00:44 +0200
> -Subject: [PATCH 050/249] s3:netlogon: make use of
> - netlogon_creds_decrypt_samlogon_logon()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 7b3ddd1a0bb41fe84c115555113362044620e484)
> ----
> - source3/rpc_server/netlogon/srv_netlog_nt.c | 45 ++++++++++++++---------------
> - 1 file changed, 21 insertions(+), 24 deletions(-)
> -
> -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
> -index e5ca474..09857b6 100644
> ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
> -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
> -@@ -1467,6 +1467,15 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> - struct auth_context *auth_context = NULL;
> - const char *fn;
> -
> -+#ifdef DEBUG_PASSWORD
> -+ logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
> -+ r->in.logon_level,
> -+ r->in.logon);
> -+ if (logon == NULL) {
> -+ logon = r->in.logon;
> -+ }
> -+#endif
> -+
> - switch (p->opnum) {
> - case NDR_NETR_LOGONSAMLOGON:
> - fn = "_netr_LogonSamLogon";
> -@@ -1547,6 +1556,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> -
> - status = NT_STATUS_OK;
> -
> -+ netlogon_creds_decrypt_samlogon_logon(creds,
> -+ r->in.logon_level,
> -+ logon);
> -+
> - switch (r->in.logon_level) {
> - case NetlogonNetworkInformation:
> - case NetlogonNetworkTransitiveInformation:
> -@@ -1592,32 +1605,16 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> - uint8_t chal[8];
> -
> - #ifdef DEBUG_PASSWORD
> -- DEBUG(100,("lm owf password:"));
> -- dump_data(100, logon->password->lmpassword.hash, 16);
> --
> -- DEBUG(100,("nt owf password:"));
> -- dump_data(100, logon->password->ntpassword.hash, 16);
> --#endif
> -- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- netlogon_creds_aes_decrypt(creds,
> -- logon->password->lmpassword.hash,
> -- 16);
> -- netlogon_creds_aes_decrypt(creds,
> -- logon->password->ntpassword.hash,
> -- 16);
> -- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> -- netlogon_creds_arcfour_crypt(creds,
> -- logon->password->lmpassword.hash,
> -- 16);
> -- netlogon_creds_arcfour_crypt(creds,
> -- logon->password->ntpassword.hash,
> -- 16);
> -- } else {
> -- netlogon_creds_des_decrypt(creds, &logon->password->lmpassword);
> -- netlogon_creds_des_decrypt(creds, &logon->password->ntpassword);
> -+ if (logon != r->in.logon) {
> -+ DEBUG(100,("lm owf password:"));
> -+ dump_data(100,
> -+ r->in.logon->password->lmpassword.hash, 16);
> -+
> -+ DEBUG(100,("nt owf password:"));
> -+ dump_data(100,
> -+ r->in.logon->password->ntpassword.hash, 16);
> - }
> -
> --#ifdef DEBUG_PASSWORD
> - DEBUG(100,("decrypt of lm owf password:"));
> - dump_data(100, logon->password->lmpassword.hash, 16);
> -
> ---
> -1.9.3
> -
> -
> -From b25c7249bdca17d4b4720a2e8f8ba329c4105e94 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 25 Apr 2013 18:27:57 +0200
> -Subject: [PATCH 051/249] s3:rpc_client: make rpccli_schannel_bind_data()
> - static
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 6ce645e03c279cbb2ed8a94f033b8e0601b61ef4)
> ----
> - source3/rpc_client/cli_pipe.c | 9 +++++----
> - source3/rpc_client/cli_pipe.h | 6 ------
> - 2 files changed, 5 insertions(+), 10 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 1fa8d91..66fa2d2 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2401,10 +2401,11 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> - return status;
> - }
> -
> --NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
> -- enum dcerpc_AuthLevel auth_level,
> -- struct netlogon_creds_CredentialState *creds,
> -- struct pipe_auth_data **presult)
> -+static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> -+ const char *domain,
> -+ enum dcerpc_AuthLevel auth_level,
> -+ struct netlogon_creds_CredentialState *creds,
> -+ struct pipe_auth_data **presult)
> - {
> - struct schannel_state *schannel_auth;
> - struct pipe_auth_data *result;
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index 6fcc587..8eb6040 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -58,12 +58,6 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
> - NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
> - struct pipe_auth_data **presult);
> -
> --NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> -- const char *domain,
> -- enum dcerpc_AuthLevel auth_level,
> -- struct netlogon_creds_CredentialState *creds,
> -- struct pipe_auth_data **presult);
> --
> - NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
> - const char *host,
> - const struct sockaddr_storage *ss_addr,
> ---
> -1.9.3
> -
> -
> -From 9f56e42ba78ce4e1248f06a0cecfc97789aea260 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 25 Apr 2013 18:29:31 +0200
> -Subject: [PATCH 052/249] s3:rpc_client: use the correct context for
> - netlogon_creds_copy() in rpccli_schannel_bind_data()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 8a302fc353de8d373a0ec8544da4da6f305ec923)
> ----
> - source3/rpc_client/cli_pipe.c | 5 ++++-
> - 1 file changed, 4 insertions(+), 1 deletion(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 66fa2d2..afe8030 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2431,7 +2431,10 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> -
> - schannel_auth->state = SCHANNEL_STATE_START;
> - schannel_auth->initiator = true;
> -- schannel_auth->creds = netlogon_creds_copy(result, creds);
> -+ schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
> -+ if (schannel_auth->creds == NULL) {
> -+ goto fail;
> -+ }
> -
> - result->auth_ctx = schannel_auth;
> - *presult = result;
> ---
> -1.9.3
> -
> -
> -From 08d78b16f0adf1d223f29d613a498878230522be Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 25 Apr 2013 19:43:58 +0200
> -Subject: [PATCH 053/249] s3:rpc_client: rename same variables in
> - cli_rpc_pipe_open_schannel_with_key()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 94be8d63cd21fbb9e31bf7a92af82e19c596f94f)
> ----
> - source3/rpc_client/cli_pipe.c | 30 +++++++++++++++---------------
> - 1 file changed, 15 insertions(+), 15 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index afe8030..ec804e7 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -3032,32 +3032,32 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> - struct netlogon_creds_CredentialState **pdc,
> -- struct rpc_pipe_client **presult)
> -+ struct rpc_pipe_client **_rpccli)
> - {
> -- struct rpc_pipe_client *result;
> -- struct pipe_auth_data *auth;
> -+ struct rpc_pipe_client *rpccli;
> -+ struct pipe_auth_data *rpcauth;
> - NTSTATUS status;
> -
> -- status = cli_rpc_pipe_open(cli, transport, table, &result);
> -+ status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> -
> -- status = rpccli_schannel_bind_data(result, domain, auth_level,
> -- *pdc, &auth);
> -+ status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
> -+ *pdc, &rpcauth);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
> - nt_errstr(status)));
> -- TALLOC_FREE(result);
> -+ TALLOC_FREE(rpccli);
> - return status;
> - }
> -
> -- status = rpc_pipe_bind(result, auth);
> -+ status = rpc_pipe_bind(rpccli, rpcauth);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
> - "cli_rpc_pipe_bind failed with error %s\n",
> - nt_errstr(status) ));
> -- TALLOC_FREE(result);
> -+ TALLOC_FREE(rpccli);
> - return status;
> - }
> -
> -@@ -3065,10 +3065,10 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - * The credentials on a new netlogon pipe are the ones we are passed
> - * in - copy them over
> - */
> -- if (result->dc == NULL) {
> -- result->dc = netlogon_creds_copy(result, *pdc);
> -- if (result->dc == NULL) {
> -- TALLOC_FREE(result);
> -+ if (rpccli->dc == NULL) {
> -+ rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
> -+ if (rpccli->dc == NULL) {
> -+ TALLOC_FREE(rpccli);
> - return NT_STATUS_NO_MEMORY;
> - }
> - }
> -@@ -3076,9 +3076,9 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> - "for domain %s and bound using schannel.\n",
> - get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> -- result->desthost, domain));
> -+ rpccli->desthost, domain));
> -
> -- *presult = result;
> -+ *_rpccli = rpccli;
> - return NT_STATUS_OK;
> - }
> -
> ---
> -1.9.3
> -
> -
> -From 33991d3ea286fc5da1458ca64aa4fc004547ae04 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 5 Aug 2013 20:26:54 +0200
> -Subject: [PATCH 054/249] s3:libsmb: remove unused cli_state->is_guestlogin
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 11e0be0e72cfc4bc65ba2b0ffd10cbae3ad69b2d)
> ----
> - source3/include/client.h | 1 -
> - source3/libsmb/cliconnect.c | 5 -----
> - 2 files changed, 6 deletions(-)
> -
> -diff --git a/source3/include/client.h b/source3/include/client.h
> -index 3f92d6d..59fb104 100644
> ---- a/source3/include/client.h
> -+++ b/source3/include/client.h
> -@@ -72,7 +72,6 @@ struct cli_state {
> - int timeout; /* in milliseconds. */
> - int initialised;
> - int win95;
> -- bool is_guestlogin;
> - /* What the server offered. */
> - uint32_t server_posix_capabilities;
> - /* What the client requested. */
> -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
> -index 13e7704..81bc028 100644
> ---- a/source3/libsmb/cliconnect.c
> -+++ b/source3/libsmb/cliconnect.c
> -@@ -240,7 +240,6 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq)
> - p = bytes;
> -
> - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> -
> - status = smb_bytes_talloc_string(cli,
> - inhdr,
> -@@ -448,7 +447,6 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq)
> - p = bytes;
> -
> - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> -
> - status = smb_bytes_talloc_string(cli,
> - inhdr,
> -@@ -613,7 +611,6 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq)
> - p = bytes;
> -
> - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> -
> - status = smb_bytes_talloc_string(cli,
> - inhdr,
> -@@ -930,7 +927,6 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq)
> - p = bytes;
> -
> - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> -
> - status = smb_bytes_talloc_string(cli,
> - inhdr,
> -@@ -1180,7 +1176,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
> - state->inbuf = in;
> - inhdr = in + NBT_HDR_SIZE;
> - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> -
> - blob_length = SVAL(vwv+3, 0);
> - if (blob_length > num_bytes) {
> ---
> -1.9.3
> -
> -
> -From 937a0f2fc020e12c21c10597a889275614603add Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 15 Jun 2013 09:41:52 +0200
> -Subject: [PATCH 055/249] s3:auth_domain: try to use NETLOGON_NEG_SUPPORTS_AES
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit d82ab70579ff2bcb69f997068482b198f321d1ef)
> ----
> - source3/auth/auth_domain.c | 3 ++-
> - 1 file changed, 2 insertions(+), 1 deletion(-)
> -
> -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> -index 54ee5a1..06078e2 100644
> ---- a/source3/auth/auth_domain.c
> -+++ b/source3/auth/auth_domain.c
> -@@ -133,7 +133,8 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> -
> - if (!lp_client_schannel()) {
> - /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -+ NETLOGON_NEG_SUPPORTS_AES;
> - enum netr_SchannelType sec_chan_type = 0;
> - unsigned char machine_pwd[16];
> - const char *account_name;
> ---
> -1.9.3
> -
> -
> -From 981a88bb20cef572e5573ee2f18115a6e395fbf9 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 15 Jun 2013 09:41:52 +0200
> -Subject: [PATCH 056/249] s3:libnet_join: try to use NETLOGON_NEG_SUPPORTS_AES
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit beba32619a91977543f882432fd08acc9de78fd3)
> ----
> - source3/libnet/libnet_join.c | 3 ++-
> - 1 file changed, 2 insertions(+), 1 deletion(-)
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index d8ec235..c1eccda 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -1194,7 +1194,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> - const char *dc_name,
> - const bool use_kerberos)
> - {
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -+ NETLOGON_NEG_SUPPORTS_AES;
> - struct cli_state *cli = NULL;
> - struct rpc_pipe_client *pipe_hnd = NULL;
> - struct rpc_pipe_client *netlogon_pipe = NULL;
> ---
> -1.9.3
> -
> -
> -From 846a35f004850695ca7c9d4597cd8729bb7c99e3 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 15 Jun 2013 09:41:52 +0200
> -Subject: [PATCH 057/249] s3:rpc_client: try to use NETLOGON_NEG_SUPPORTS_AES
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 04600634b3e761d7c56f699fd4ba80b4cd2926a1)
> ----
> - source3/rpc_client/cli_netlogon.c | 3 ++-
> - source3/rpc_client/cli_pipe_schannel.c | 6 ++++--
> - 2 files changed, 6 insertions(+), 3 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index 3d6a3e1..5e8a2fc 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -610,7 +610,8 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> - struct dcerpc_binding_handle *b = cli->binding_handle;
> -
> - if (!cli->dc) {
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -+ NETLOGON_NEG_SUPPORTS_AES;
> - result = rpccli_netlogon_setup_creds(cli,
> - cli->desthost, /* server name */
> - lp_workgroup(), /* domain */
> -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> -index bc672ef..de745c0 100644
> ---- a/source3/rpc_client/cli_pipe_schannel.c
> -+++ b/source3/rpc_client/cli_pipe_schannel.c
> -@@ -136,7 +136,8 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> - const char *password,
> - struct rpc_pipe_client **presult)
> - {
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -+ NETLOGON_NEG_SUPPORTS_AES;
> - struct rpc_pipe_client *netlogon_pipe = NULL;
> - struct rpc_pipe_client *result = NULL;
> - NTSTATUS status;
> -@@ -175,7 +176,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> - const char *domain,
> - struct rpc_pipe_client **presult)
> - {
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -+ NETLOGON_NEG_SUPPORTS_AES;
> - struct rpc_pipe_client *netlogon_pipe = NULL;
> - struct rpc_pipe_client *result = NULL;
> - NTSTATUS status;
> ---
> -1.9.3
> -
> -
> -From a56391bc8cbe1fa9142d0a20f4bf977538f27e67 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 15 Jun 2013 09:41:52 +0200
> -Subject: [PATCH 058/249] s3:rpcclient: try to use NETLOGON_NEG_SUPPORTS_AES
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit e77a64f505fc43628e487e832033d0cd8ec4de8e)
> ----
> - source3/rpcclient/cmd_netlogon.c | 3 ++-
> - source3/rpcclient/rpcclient.c | 3 ++-
> - 2 files changed, 4 insertions(+), 2 deletions(-)
> -
> -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> -index 01d6da4..d92434b 100644
> ---- a/source3/rpcclient/cmd_netlogon.c
> -+++ b/source3/rpcclient/cmd_netlogon.c
> -@@ -1120,7 +1120,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> - NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
> - NTSTATUS result;
> - const char *server_name = cli->desthost;
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -+ NETLOGON_NEG_SUPPORTS_AES;
> - struct netr_Authenticator clnt_creds, srv_cred;
> - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> - unsigned char trust_passwd_hash[16];
> -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> -index 9bf296e..cb7b70f 100644
> ---- a/source3/rpcclient/rpcclient.c
> -+++ b/source3/rpcclient/rpcclient.c
> -@@ -758,7 +758,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> -
> - if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
> - &ndr_table_netlogon.syntax_id)) {
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -+ NETLOGON_NEG_SUPPORTS_AES;
> - enum netr_SchannelType sec_channel_type;
> - uchar trust_password[16];
> - const char *machine_account;
> ---
> -1.9.3
> -
> -
> -From 06c4ff36efc63ef014c449602dc314ca4e7016bd Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 25 Apr 2013 19:57:09 +0200
> -Subject: [PATCH 059/249] s3:rpc_client: fix/add AES downgrade detection to
> - rpc_pipe_bind_step_two_done()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 90e28c1825b2c48714d7b34fdb57d3878116d07e)
> ----
> - source3/rpc_client/cli_pipe.c | 19 +++++++------------
> - 1 file changed, 7 insertions(+), 12 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index ec804e7..c354a6f 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -1828,8 +1828,7 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
> - status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
> - TALLOC_FREE(subreq);
> - if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> -- if (state->cli->dc && state->cli->dc->negotiate_flags &
> -- NETLOGON_NEG_SUPPORTS_AES) {
> -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> - DEBUG(5, ("AES is not supported and the error was %s\n",
> - nt_errstr(status)));
> - tevent_req_nterror(req,
> -@@ -1880,9 +1879,6 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
> - return;
> - }
> -
> -- TALLOC_FREE(state->cli->dc);
> -- state->cli->dc = talloc_steal(state->cli, state->creds);
> --
> - if (!NT_STATUS_IS_OK(state->r.out.result)) {
> - DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
> - nt_errstr(state->r.out.result)));
> -@@ -1890,18 +1886,17 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
> - return;
> - }
> -
> -- if (state->creds->negotiate_flags !=
> -- state->r.out.capabilities->server_capabilities) {
> -- DEBUG(0, ("The client capabilities don't match the server "
> -- "capabilities: local[0x%08X] remote[0x%08X]\n",
> -- state->creds->negotiate_flags,
> -- state->capabilities.server_capabilities));
> -+ if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
> -+ DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
> -+ "but AES was not negotiated - downgrade detected",
> -+ state->cli->desthost));
> - tevent_req_nterror(req,
> - NT_STATUS_INVALID_NETWORK_RESPONSE);
> - return;
> - }
> -
> -- /* TODO: Add downgrade dectection. */
> -+ TALLOC_FREE(state->cli->dc);
> -+ state->cli->dc = talloc_move(state->cli, &state->creds);
> -
> - tevent_req_done(req);
> - return;
> ---
> -1.9.3
> -
> -
> -From e6416b9fe5019c3ce1aa8ecf42d73125a049338f Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 25 Apr 2013 19:45:52 +0200
> -Subject: [PATCH 060/249] s3:rpc_client: use netlogon_creds_copy before
> - rpc_pipe_bind
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit e9c8e3fb92143525f846523e446e2213e5b55d9d)
> ----
> - source3/rpc_client/cli_pipe.c | 24 ++++++++++++------------
> - 1 file changed, 12 insertions(+), 12 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index c354a6f..eb172db 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -3047,6 +3047,18 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - return status;
> - }
> -
> -+ /*
> -+ * The credentials on a new netlogon pipe are the ones we are passed
> -+ * in - copy them over
> -+ *
> -+ * This may get overwritten... in rpc_pipe_bind()...
> -+ */
> -+ rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
> -+ if (rpccli->dc == NULL) {
> -+ TALLOC_FREE(rpccli);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> - status = rpc_pipe_bind(rpccli, rpcauth);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
> -@@ -3056,18 +3068,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - return status;
> - }
> -
> -- /*
> -- * The credentials on a new netlogon pipe are the ones we are passed
> -- * in - copy them over
> -- */
> -- if (rpccli->dc == NULL) {
> -- rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
> -- if (rpccli->dc == NULL) {
> -- TALLOC_FREE(rpccli);
> -- return NT_STATUS_NO_MEMORY;
> -- }
> -- }
> --
> - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> - "for domain %s and bound using schannel.\n",
> - get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> ---
> -1.9.3
> -
> -
> -From 1836ea96ed7dd055278fd6cac3f69a06ea979ea2 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 25 Apr 2013 19:34:13 +0200
> -Subject: [PATCH 061/249] s3:rpc_client: add netr_LogonGetCapabilities to
> - cli_rpc_pipe_open_schannel_with_key()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit eecb5bafba5b362d4fdf33d6a2a32e4ee56f30a4)
> ----
> - source3/rpc_client/cli_pipe.c | 101 ++++++++++++++++++++++++++++++++++++++++++
> - 1 file changed, 101 insertions(+)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index eb172db..314eb92 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -3032,6 +3032,11 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - struct rpc_pipe_client *rpccli;
> - struct pipe_auth_data *rpcauth;
> - NTSTATUS status;
> -+ NTSTATUS result;
> -+ struct netlogon_creds_CredentialState save_creds;
> -+ struct netr_Authenticator auth;
> -+ struct netr_Authenticator return_auth;
> -+ union netr_Capabilities capabilities;
> -
> - status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
> - if (!NT_STATUS_IS_OK(status)) {
> -@@ -3068,6 +3073,102 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - return status;
> - }
> -
> -+ if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
> -+ goto done;
> -+ }
> -+
> -+ save_creds = *rpccli->dc;
> -+ ZERO_STRUCT(return_auth);
> -+ ZERO_STRUCT(capabilities);
> -+
> -+ netlogon_creds_client_authenticator(&save_creds, &auth);
> -+
> -+ status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
> -+ talloc_tos(),
> -+ rpccli->srv_name_slash,
> -+ save_creds.computer_name,
> -+ &auth, &return_auth,
> -+ 1, &capabilities,
> -+ &result);
> -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> -+ if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -+ DEBUG(5, ("AES was negotiated and the error was %s - "
> -+ "downgrade detected\n",
> -+ nt_errstr(status)));
> -+ TALLOC_FREE(rpccli);
> -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> -+ }
> -+
> -+ /* This is probably an old Samba Version */
> -+ DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
> -+ nt_errstr(status)));
> -+ goto done;
> -+ }
> -+
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
> -+ nt_errstr(status)));
> -+ TALLOC_FREE(rpccli);
> -+ return status;
> -+ }
> -+
> -+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
> -+ if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -+ /* This means AES isn't supported. */
> -+ DEBUG(5, ("AES was negotiated and the result was %s - "
> -+ "downgrade detected\n",
> -+ nt_errstr(result)));
> -+ TALLOC_FREE(rpccli);
> -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> -+ }
> -+
> -+ /* This is probably an old Windows version */
> -+ DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
> -+ nt_errstr(result)));
> -+ goto done;
> -+ }
> -+
> -+ /*
> -+ * We need to check the credential state here, cause win2k3 and earlier
> -+ * returns NT_STATUS_NOT_IMPLEMENTED
> -+ */
> -+ if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
> -+ /*
> -+ * Server replied with bad credential. Fail.
> -+ */
> -+ DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
> -+ "replied with bad credential\n",
> -+ rpccli->desthost));
> -+ TALLOC_FREE(rpccli);
> -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> -+ }
> -+ *rpccli->dc = save_creds;
> -+
> -+ if (!NT_STATUS_IS_OK(result)) {
> -+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
> -+ nt_errstr(result)));
> -+ TALLOC_FREE(rpccli);
> -+ return result;
> -+ }
> -+
> -+ if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
> -+ /* This means AES isn't supported. */
> -+ DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
> -+ "was OK - downgrade detected\n"));
> -+ TALLOC_FREE(rpccli);
> -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> -+ }
> -+
> -+ if (save_creds.negotiate_flags != capabilities.server_capabilities) {
> -+ DEBUG(0, ("The client capabilities don't match the server "
> -+ "capabilities: local[0x%08X] remote[0x%08X]\n",
> -+ save_creds.negotiate_flags,
> -+ capabilities.server_capabilities));
> -+ TALLOC_FREE(rpccli);
> -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> -+ }
> -+
> -+done:
> - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> - "for domain %s and bound using schannel.\n",
> - get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> ---
> -1.9.3
> -
> -
> -From 675be19880c2ac4bca14d69592ce39bb66a34dec Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 25 Apr 2013 18:30:36 +0200
> -Subject: [PATCH 062/249] s3:rpc_client: remove netr_LogonGetCapabilities check
> - from rpc_pipe_bind*
> -
> -It's done in the caller now.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 3302356226cca474f0afab9a129220241c16663f)
> ----
> - source3/rpc_client/cli_pipe.c | 150 +-----------------------------------------
> - 1 file changed, 1 insertion(+), 149 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 314eb92..cba055a 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -1568,15 +1568,9 @@ struct rpc_pipe_bind_state {
> - DATA_BLOB rpc_out;
> - bool auth3;
> - uint32_t rpc_call_id;
> -- struct netr_Authenticator auth;
> -- struct netr_Authenticator return_auth;
> -- struct netlogon_creds_CredentialState *creds;
> -- union netr_Capabilities capabilities;
> -- struct netr_LogonGetCapabilities r;
> - };
> -
> - static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
> --static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req);
> - static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
> - struct rpc_pipe_bind_state *state,
> - DATA_BLOB *credentials);
> -@@ -1679,14 +1673,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
> -
> - case DCERPC_AUTH_TYPE_NONE:
> - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
> -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> - /* Bind complete. */
> - tevent_req_done(req);
> - return;
> -
> -- case DCERPC_AUTH_TYPE_SCHANNEL:
> -- rpc_pipe_bind_step_two_trigger(req);
> -- return;
> --
> - case DCERPC_AUTH_TYPE_NTLMSSP:
> - case DCERPC_AUTH_TYPE_SPNEGO:
> - case DCERPC_AUTH_TYPE_KRB5:
> -@@ -1763,145 +1754,6 @@ err_out:
> - tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
> - }
> -
> --static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq);
> --
> --static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req)
> --{
> -- struct rpc_pipe_bind_state *state =
> -- tevent_req_data(req,
> -- struct rpc_pipe_bind_state);
> -- struct dcerpc_binding_handle *b = state->cli->binding_handle;
> -- struct schannel_state *schannel_auth =
> -- talloc_get_type_abort(state->cli->auth->auth_ctx,
> -- struct schannel_state);
> -- struct tevent_req *subreq;
> --
> -- if (schannel_auth == NULL ||
> -- !ndr_syntax_id_equal(&state->cli->abstract_syntax,
> -- &ndr_table_netlogon.syntax_id)) {
> -- tevent_req_done(req);
> -- return;
> -- }
> --
> -- ZERO_STRUCT(state->return_auth);
> --
> -- state->creds = netlogon_creds_copy(state, schannel_auth->creds);
> -- if (state->creds == NULL) {
> -- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
> -- return;
> -- }
> --
> -- netlogon_creds_client_authenticator(state->creds, &state->auth);
> --
> -- state->r.in.server_name = state->cli->srv_name_slash;
> -- state->r.in.computer_name = state->creds->computer_name;
> -- state->r.in.credential = &state->auth;
> -- state->r.in.query_level = 1;
> -- state->r.in.return_authenticator = &state->return_auth;
> --
> -- state->r.out.capabilities = &state->capabilities;
> -- state->r.out.return_authenticator = &state->return_auth;
> --
> -- subreq = dcerpc_netr_LogonGetCapabilities_r_send(talloc_tos(),
> -- state->ev,
> -- b,
> -- &state->r);
> -- if (subreq == NULL) {
> -- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
> -- return;
> -- }
> --
> -- tevent_req_set_callback(subreq, rpc_pipe_bind_step_two_done, req);
> -- return;
> --}
> --
> --static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
> --{
> -- struct tevent_req *req =
> -- tevent_req_callback_data(subreq,
> -- struct tevent_req);
> -- struct rpc_pipe_bind_state *state =
> -- tevent_req_data(req,
> -- struct rpc_pipe_bind_state);
> -- NTSTATUS status;
> --
> -- status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
> -- TALLOC_FREE(subreq);
> -- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- DEBUG(5, ("AES is not supported and the error was %s\n",
> -- nt_errstr(status)));
> -- tevent_req_nterror(req,
> -- NT_STATUS_INVALID_NETWORK_RESPONSE);
> -- return;
> -- }
> --
> -- /* This is probably NT */
> -- DEBUG(5, ("We are checking against an NT - %s\n",
> -- nt_errstr(status)));
> -- tevent_req_done(req);
> -- return;
> -- } else if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
> -- nt_errstr(status)));
> -- tevent_req_nterror(req, status);
> -- return;
> -- }
> --
> -- if (NT_STATUS_EQUAL(state->r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
> -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- /* This means AES isn't supported. */
> -- DEBUG(5, ("AES is not supported and the error was %s\n",
> -- nt_errstr(state->r.out.result)));
> -- tevent_req_nterror(req,
> -- NT_STATUS_INVALID_NETWORK_RESPONSE);
> -- return;
> -- }
> --
> -- /* This is probably an old Samba version */
> -- DEBUG(5, ("We are checking against an old Samba version - %s\n",
> -- nt_errstr(state->r.out.result)));
> -- tevent_req_done(req);
> -- return;
> -- }
> --
> -- /* We need to check the credential state here, cause win2k3 and earlier
> -- * returns NT_STATUS_NOT_IMPLEMENTED */
> -- if (!netlogon_creds_client_check(state->creds,
> -- &state->r.out.return_authenticator->cred)) {
> -- /*
> -- * Server replied with bad credential. Fail.
> -- */
> -- DEBUG(0,("rpc_pipe_bind_step_two_done: server %s "
> -- "replied with bad credential\n",
> -- state->cli->desthost));
> -- tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
> -- return;
> -- }
> --
> -- if (!NT_STATUS_IS_OK(state->r.out.result)) {
> -- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
> -- nt_errstr(state->r.out.result)));
> -- tevent_req_nterror(req, state->r.out.result);
> -- return;
> -- }
> --
> -- if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
> -- DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
> -- "but AES was not negotiated - downgrade detected",
> -- state->cli->desthost));
> -- tevent_req_nterror(req,
> -- NT_STATUS_INVALID_NETWORK_RESPONSE);
> -- return;
> -- }
> --
> -- TALLOC_FREE(state->cli->dc);
> -- state->cli->dc = talloc_move(state->cli, &state->creds);
> --
> -- tevent_req_done(req);
> -- return;
> --}
> --
> - static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
> - struct rpc_pipe_bind_state *state,
> - DATA_BLOB *auth_token)
> ---
> -1.9.3
> -
> -
> -From f9b4e38b8458ec905b5f78e402f21f23c4a967e1 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 25 Apr 2013 19:33:28 +0200
> -Subject: [PATCH 063/249] s3:rpc_client: remove unused
> - cli_rpc_pipe_open_ntlmssp_auth_schannel()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 04938cbeecc777f7b799a11f1ca0461b351d968a)
> ----
> - source3/rpc_client/cli_pipe.h | 9 ----
> - source3/rpc_client/cli_pipe_schannel.c | 80 ----------------------------------
> - 2 files changed, 89 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index 8eb6040..ab99373 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -109,15 +109,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - struct netlogon_creds_CredentialState **pdc,
> - struct rpc_pipe_client **presult);
> -
> --NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> -- const struct ndr_interface_table *table,
> -- enum dcerpc_transport_t transport,
> -- enum dcerpc_AuthLevel auth_level,
> -- const char *domain,
> -- const char *username,
> -- const char *password,
> -- struct rpc_pipe_client **presult);
> --
> - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> - const struct ndr_interface_table *table,
> - enum dcerpc_transport_t transport,
> -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> -index de745c0..aaae44b 100644
> ---- a/source3/rpc_client/cli_pipe_schannel.c
> -+++ b/source3/rpc_client/cli_pipe_schannel.c
> -@@ -86,86 +86,6 @@ static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon
> -
> - /****************************************************************************
> - Open a named pipe to an SMB server and bind using schannel (bind type 68).
> -- Fetch the session key ourselves using a temporary netlogon pipe. This
> -- version uses an ntlmssp auth bound netlogon pipe to get the key.
> -- ****************************************************************************/
> --
> --static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
> -- const char *domain,
> -- const char *username,
> -- const char *password,
> -- uint32 *pneg_flags,
> -- struct rpc_pipe_client **presult)
> --{
> -- struct rpc_pipe_client *netlogon_pipe = NULL;
> -- NTSTATUS status;
> --
> -- status = cli_rpc_pipe_open_spnego(
> -- cli, &ndr_table_netlogon, NCACN_NP,
> -- GENSEC_OID_NTLMSSP,
> -- DCERPC_AUTH_LEVEL_PRIVACY,
> -- smbXcli_conn_remote_name(cli->conn),
> -- domain, username, password, &netlogon_pipe);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> --
> -- status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
> -- pneg_flags);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- TALLOC_FREE(netlogon_pipe);
> -- return status;
> -- }
> --
> -- *presult = netlogon_pipe;
> -- return NT_STATUS_OK;
> --}
> --
> --/****************************************************************************
> -- Open a named pipe to an SMB server and bind using schannel (bind type 68).
> -- Fetch the session key ourselves using a temporary netlogon pipe. This version
> -- uses an ntlmssp bind to get the session key.
> -- ****************************************************************************/
> --
> --NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> -- const struct ndr_interface_table *table,
> -- enum dcerpc_transport_t transport,
> -- enum dcerpc_AuthLevel auth_level,
> -- const char *domain,
> -- const char *username,
> -- const char *password,
> -- struct rpc_pipe_client **presult)
> --{
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -- NETLOGON_NEG_SUPPORTS_AES;
> -- struct rpc_pipe_client *netlogon_pipe = NULL;
> -- struct rpc_pipe_client *result = NULL;
> -- NTSTATUS status;
> --
> -- status = get_schannel_session_key_auth_ntlmssp(
> -- cli, domain, username, password, &neg_flags, &netlogon_pipe);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
> -- "key from server %s for domain %s.\n",
> -- smbXcli_conn_remote_name(cli->conn), domain ));
> -- return status;
> -- }
> --
> -- status = cli_rpc_pipe_open_schannel_with_key(
> -- cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
> -- &result);
> --
> -- /* Now we've bound using the session key we can close the netlog pipe. */
> -- TALLOC_FREE(netlogon_pipe);
> --
> -- if (NT_STATUS_IS_OK(status)) {
> -- *presult = result;
> -- }
> -- return status;
> --}
> --
> --/****************************************************************************
> -- Open a named pipe to an SMB server and bind using schannel (bind type 68).
> - Fetch the session key ourselves using a temporary netlogon pipe.
> - ****************************************************************************/
> -
> ---
> -1.9.3
> -
> -
> -From 35d07a4d7ca15e4cf22f7cc96d6958c9856dc0a0 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 3 Aug 2013 11:26:13 +0200
> -Subject: [PATCH 064/249] auth/gensec: first check GENSEC_FEATURE_SESSION_KEY
> - before returning NOT_IMPLEMENTED
> -
> -Preferr NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key().
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 45c74c8084d2db14fef6a79cd98068be2ab73f30)
> ----
> - auth/gensec/gensec.c | 7 ++++---
> - 1 file changed, 4 insertions(+), 3 deletions(-)
> -
> -diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
> -index ea62861..9a8f0ef 100644
> ---- a/auth/gensec/gensec.c
> -+++ b/auth/gensec/gensec.c
> -@@ -155,13 +155,14 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
> - TALLOC_CTX *mem_ctx,
> - DATA_BLOB *session_key)
> - {
> -- if (!gensec_security->ops->session_key) {
> -- return NT_STATUS_NOT_IMPLEMENTED;
> -- }
> - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
> - return NT_STATUS_NO_USER_SESSION_KEY;
> - }
> -
> -+ if (!gensec_security->ops->session_key) {
> -+ return NT_STATUS_NOT_IMPLEMENTED;
> -+ }
> -+
> - return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
> - }
> -
> ---
> -1.9.3
> -
> -
> -From 6eda030bd26347cef3fb670b0876956c97c00bfa Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 3 Aug 2013 11:43:58 +0200
> -Subject: [PATCH 065/249] auth/gensec: add gensec_security_by_auth_type()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 59b09564a7edac8dc241269587146342244ce58b)
> ----
> - auth/gensec/gensec.h | 3 +++
> - auth/gensec/gensec_start.c | 26 ++++++++++++++++++++++++++
> - 2 files changed, 29 insertions(+)
> -
> -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> -index 396a16d..c080861 100644
> ---- a/auth/gensec/gensec.h
> -+++ b/auth/gensec/gensec.h
> -@@ -268,6 +268,9 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security
> - const char *oid_string);
> - const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
> - const char *sasl_name);
> -+const struct gensec_security_ops *gensec_security_by_auth_type(
> -+ struct gensec_security *gensec_security,
> -+ uint32_t auth_type);
> - struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
> - TALLOC_CTX *mem_ctx);
> - const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> -index e46f0ee..c2cfa1c 100644
> ---- a/auth/gensec/gensec_start.c
> -+++ b/auth/gensec/gensec_start.c
> -@@ -246,6 +246,32 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
> - return NULL;
> - }
> -
> -+_PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
> -+ struct gensec_security *gensec_security,
> -+ uint32_t auth_type)
> -+{
> -+ int i;
> -+ struct gensec_security_ops **backends;
> -+ const struct gensec_security_ops *backend;
> -+ TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> -+ if (!mem_ctx) {
> -+ return NULL;
> -+ }
> -+ backends = gensec_security_mechs(gensec_security, mem_ctx);
> -+ for (i=0; backends && backends[i]; i++) {
> -+ if (!gensec_security_ops_enabled(backends[i], gensec_security))
> -+ continue;
> -+ if (backends[i]->auth_type == auth_type) {
> -+ backend = backends[i];
> -+ talloc_free(mem_ctx);
> -+ return backend;
> -+ }
> -+ }
> -+ talloc_free(mem_ctx);
> -+
> -+ return NULL;
> -+}
> -+
> - static const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
> - const char *name)
> - {
> ---
> -1.9.3
> -
> -
> -From f4e1506ed3a032d38605207f592cbc4ece93a414 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 24 Apr 2013 12:33:28 +0200
> -Subject: [PATCH 066/249] libcli/auth: maintain the sequence number for the
> - NETLOGON SSP as 64bit
> -
> -See [MS-NPRC] 3.3.4.2 The Netlogon Signature Token.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 9f2e81ae02549369db49c05edf7071612a03a8b8)
> ----
> - libcli/auth/schannel.h | 2 +-
> - libcli/auth/schannel_sign.c | 17 +++++++++++++----
> - source3/librpc/rpc/dcerpc_helpers.c | 4 ++--
> - 3 files changed, 16 insertions(+), 7 deletions(-)
> -
> -diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
> -index bfccd95..271b5bb 100644
> ---- a/libcli/auth/schannel.h
> -+++ b/libcli/auth/schannel.h
> -@@ -30,7 +30,7 @@ enum schannel_position {
> -
> - struct schannel_state {
> - enum schannel_position state;
> -- uint32_t seq_num;
> -+ uint64_t seq_num;
> - bool initiator;
> - struct netlogon_creds_CredentialState *creds;
> - };
> -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> -index 1871da2..6e5d454 100644
> ---- a/libcli/auth/schannel_sign.c
> -+++ b/libcli/auth/schannel_sign.c
> -@@ -24,6 +24,17 @@
> - #include "../libcli/auth/schannel.h"
> - #include "../lib/crypto/crypto.h"
> -
> -+#define SETUP_SEQNUM(state, buf, initiator) do { \
> -+ uint8_t *_buf = buf; \
> -+ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
> -+ uint32_t _seq_num_high = (state)->seq_num >> 32; \
> -+ if (initiator) { \
> -+ _seq_num_high |= 0x80000000; \
> -+ } \
> -+ RSIVAL(_buf, 0, _seq_num_low); \
> -+ RSIVAL(_buf, 4, _seq_num_high); \
> -+} while(0)
> -+
> - static void netsec_offset_and_sizes(struct schannel_state *state,
> - bool do_seal,
> - uint32_t *_min_sig_size,
> -@@ -255,8 +266,7 @@ NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> - confounder = NULL;
> - }
> -
> -- RSIVAL(seq_num, 0, state->seq_num);
> -- SIVAL(seq_num, 4, state->initiator?0:0x80);
> -+ SETUP_SEQNUM(state, seq_num, !state->initiator);
> -
> - if (do_unseal) {
> - netsec_do_seal(state, seq_num,
> -@@ -325,8 +335,7 @@ NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> - &checksum_length,
> - &confounder_ofs);
> -
> -- RSIVAL(seq_num, 0, state->seq_num);
> -- SIVAL(seq_num, 4, state->initiator?0x80:0);
> -+ SETUP_SEQNUM(state, seq_num, state->initiator);
> -
> - if (do_seal) {
> - confounder = _confounder;
> -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
> -index a55e419..0095990 100644
> ---- a/source3/librpc/rpc/dcerpc_helpers.c
> -+++ b/source3/librpc/rpc/dcerpc_helpers.c
> -@@ -462,8 +462,8 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
> - return NT_STATUS_INVALID_PARAMETER;
> - }
> -
> -- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
> -- sas->seq_num));
> -+ DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
> -+ (unsigned long long)sas->seq_num));
> -
> - switch (auth_level) {
> - case DCERPC_AUTH_LEVEL_PRIVACY:
> ---
> -1.9.3
> -
> -
> -From f99afc1924dbb267e696bbdf26db606a8c77f093 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 2 Aug 2013 12:53:42 +0200
> -Subject: [PATCH 067/249] libcli/auth: add netsec_create_state()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 33215398f32c76f4b8ada7b547c6d0741cb2ac16)
> ----
> - libcli/auth/schannel_proto.h | 3 +++
> - libcli/auth/schannel_sign.c | 23 +++++++++++++++++++++++
> - 2 files changed, 26 insertions(+)
> -
> -diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
> -index 0414218..da76559 100644
> ---- a/libcli/auth/schannel_proto.h
> -+++ b/libcli/auth/schannel_proto.h
> -@@ -28,6 +28,9 @@ struct schannel_state;
> - struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
> - struct loadparm_context *lp_ctx);
> -
> -+struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_CredentialState *creds,
> -+ bool initiator);
> - NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> - bool do_unseal,
> - uint8_t *data, size_t length,
> -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> -index 6e5d454..518a6a9 100644
> ---- a/libcli/auth/schannel_sign.c
> -+++ b/libcli/auth/schannel_sign.c
> -@@ -35,6 +35,29 @@
> - RSIVAL(_buf, 4, _seq_num_high); \
> - } while(0)
> -
> -+struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_CredentialState *creds,
> -+ bool initiator)
> -+{
> -+ struct schannel_state *state;
> -+
> -+ state = talloc(mem_ctx, struct schannel_state);
> -+ if (state == NULL) {
> -+ return NULL;
> -+ }
> -+
> -+ state->state = SCHANNEL_STATE_UPDATE_1;
> -+ state->initiator = initiator;
> -+ state->seq_num = 0;
> -+ state->creds = netlogon_creds_copy(state, creds);
> -+ if (state->creds == NULL) {
> -+ talloc_free(state);
> -+ return NULL;
> -+ }
> -+
> -+ return state;
> -+}
> -+
> - static void netsec_offset_and_sizes(struct schannel_state *state,
> - bool do_seal,
> - uint32_t *_min_sig_size,
> ---
> -1.9.3
> -
> -
> -From f13417a00173fcde96417773a1a551caced24c8b Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 2 Aug 2013 13:28:11 +0200
> -Subject: [PATCH 068/249] s3:cli_pipe: make use of netsec_create_state()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit e96142fc439efb7c90719f9c387778c4218ae637)
> ----
> - source3/rpc_client/cli_pipe.c | 9 +--------
> - 1 file changed, 1 insertion(+), 8 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index cba055a..9e979b0 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2271,18 +2271,11 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> - goto fail;
> - }
> -
> -- schannel_auth = talloc_zero(result, struct schannel_state);
> -+ schannel_auth = netsec_create_state(result, creds, true /* initiator */);
> - if (schannel_auth == NULL) {
> - goto fail;
> - }
> -
> -- schannel_auth->state = SCHANNEL_STATE_START;
> -- schannel_auth->initiator = true;
> -- schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
> -- if (schannel_auth->creds == NULL) {
> -- goto fail;
> -- }
> --
> - result->auth_ctx = schannel_auth;
> - *presult = result;
> - return NT_STATUS_OK;
> ---
> -1.9.3
> -
> -
> -From becf68bc072fdfab4489326d148775ebdbe27fda Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 2 Aug 2013 13:28:59 +0200
> -Subject: [PATCH 069/249] s3:cli_pipe: pass down creds->computer_name to
> - NL_AUTH_MESSAGE
> -
> -We need to use the same computer_name value as in the netr_Authenticate3()
> -request.
> -
> -We abuse cli->auth->user_name to pass the value down.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 838cb539621ef19cac6badb4b10678dcc3a6f68a)
> ----
> - source3/rpc_client/cli_pipe.c | 13 ++++++-------
> - 1 file changed, 6 insertions(+), 7 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 9e979b0..1de71fb 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -1027,13 +1027,12 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> - NTSTATUS status;
> - struct NL_AUTH_MESSAGE r;
> -
> -- /* Use lp_workgroup() if domain not specified */
> -+ if (!cli->auth->user_name || !cli->auth->user_name[0]) {
> -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> -+ }
> -
> - if (!cli->auth->domain || !cli->auth->domain[0]) {
> -- cli->auth->domain = talloc_strdup(cli, lp_workgroup());
> -- if (cli->auth->domain == NULL) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> - }
> -
> - /*
> -@@ -1044,7 +1043,7 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> - r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> - NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> - r.oem_netbios_domain.a = cli->auth->domain;
> -- r.oem_netbios_computer.a = lp_netbios_name();
> -+ r.oem_netbios_computer.a = cli->auth->user_name;
> -
> - status = dcerpc_push_schannel_bind(cli, &r, auth_token);
> - if (!NT_STATUS_IS_OK(status)) {
> -@@ -2265,7 +2264,7 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> - result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
> - result->auth_level = auth_level;
> -
> -- result->user_name = talloc_strdup(result, "");
> -+ result->user_name = talloc_strdup(result, creds->computer_name);
> - result->domain = talloc_strdup(result, domain);
> - if ((result->user_name == NULL) || (result->domain == NULL)) {
> - goto fail;
> ---
> -1.9.3
> -
> -
> -From b447ab32047f33d306ee891d1d3fe2ae5a8c56f1 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 3 Aug 2013 08:50:54 +0200
> -Subject: [PATCH 070/249] s3:cli_pipe.c: return NO_USER_SESSION_KEY in
> - cli_get_session_key() for schannel
> -
> -SCHANNEL connections don't have a user session key,
> -they're like anonymous connections.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit af4dc306846a30a5a1201306cc2cbf4d494e16e7)
> ----
> - source3/rpc_client/cli_pipe.c | 7 -------
> - 1 file changed, 7 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 1de71fb..470469f 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -3091,7 +3091,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> - {
> - NTSTATUS status;
> - struct pipe_auth_data *a;
> -- struct schannel_state *schannel_auth;
> - struct gensec_security *gensec_security;
> - DATA_BLOB sk = data_blob_null;
> - bool make_dup = false;
> -@@ -3107,12 +3106,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> - }
> -
> - switch (cli->auth->auth_type) {
> -- case DCERPC_AUTH_TYPE_SCHANNEL:
> -- schannel_auth = talloc_get_type_abort(a->auth_ctx,
> -- struct schannel_state);
> -- sk = data_blob_const(schannel_auth->creds->session_key, 16);
> -- make_dup = true;
> -- break;
> - case DCERPC_AUTH_TYPE_SPNEGO:
> - case DCERPC_AUTH_TYPE_NTLMSSP:
> - case DCERPC_AUTH_TYPE_KRB5:
> ---
> -1.9.3
> -
> -
> -From abebeb10c26f6fa7e61c56553ce1e52b5d45937a Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 2 Aug 2013 13:33:37 +0200
> -Subject: [PATCH 071/249] s3:rpc_server: make use of netsec_create_state()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit a964309bf7631f4f6953e0d6556f8ed8e5300dcc)
> ----
> - source3/rpc_server/srv_pipe.c | 12 ++++--------
> - 1 file changed, 4 insertions(+), 8 deletions(-)
> -
> -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> -index 7daff04..9043a14 100644
> ---- a/source3/rpc_server/srv_pipe.c
> -+++ b/source3/rpc_server/srv_pipe.c
> -@@ -462,8 +462,8 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
> - */
> -
> - become_root();
> -- status = schannel_get_creds_state(p, lp_ctx,
> -- neg.oem_netbios_computer.a, &creds);
> -+ status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
> -+ neg.oem_netbios_computer.a, &creds);
> - unbecome_root();
> -
> - talloc_unlink(p, lp_ctx);
> -@@ -472,16 +472,12 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
> - return False;
> - }
> -
> -- schannel_auth = talloc_zero(p, struct schannel_state);
> -+ schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
> -+ TALLOC_FREE(creds);
> - if (!schannel_auth) {
> -- TALLOC_FREE(creds);
> - return False;
> - }
> -
> -- schannel_auth->state = SCHANNEL_STATE_START;
> -- schannel_auth->initiator = false;
> -- schannel_auth->creds = creds;
> --
> - /*
> - * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
> - * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
> ---
> -1.9.3
> -
> -
> -From b567c4ef93de5c098d724c15b614f5f233903812 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 2 Aug 2013 13:36:30 +0200
> -Subject: [PATCH 072/249] s3:dcerpc_helpers: remove unused DEBUG message of
> - schannel_state->seq_num.
> -
> -This is a layer violation and not needed anymore as we know
> -how the seqnum handling works now.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit a36ccdc83edb7437dd00601c459421286fd79db4)
> ----
> - source3/librpc/rpc/dcerpc_helpers.c | 3 ---
> - 1 file changed, 3 deletions(-)
> -
> -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
> -index 0095990..97999d7 100644
> ---- a/source3/librpc/rpc/dcerpc_helpers.c
> -+++ b/source3/librpc/rpc/dcerpc_helpers.c
> -@@ -462,9 +462,6 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
> - return NT_STATUS_INVALID_PARAMETER;
> - }
> -
> -- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
> -- (unsigned long long)sas->seq_num));
> --
> - switch (auth_level) {
> - case DCERPC_AUTH_LEVEL_PRIVACY:
> - status = netsec_outgoing_packet(sas,
> ---
> -1.9.3
> -
> -
> -From e044773b51b76b3582669ee7e3a388d6471e2f2e Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 2 Aug 2013 10:08:54 +0200
> -Subject: [PATCH 073/249] s4:libnet: avoid usage of dcerpc_schannel_creds()
> -
> -We use cli_credentials_get_netlogon_creds() which returns the same value.
> -
> -dcerpc_schannel_creds() is a layer violation.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit c0144273af8f0956a05d102113c40cec77069f7a)
> ----
> - source4/libnet/libnet_samsync.c | 7 +++----
> - 1 file changed, 3 insertions(+), 4 deletions(-)
> -
> -diff --git a/source4/libnet/libnet_samsync.c b/source4/libnet/libnet_samsync.c
> -index 9629b9f..206d81e 100644
> ---- a/source4/libnet/libnet_samsync.c
> -+++ b/source4/libnet/libnet_samsync.c
> -@@ -25,7 +25,6 @@
> - #include "libcli/auth/libcli_auth.h"
> - #include "../libcli/samsync/samsync.h"
> - #include "auth/gensec/gensec.h"
> --#include "auth/gensec/schannel.h"
> - #include "auth/credentials/credentials.h"
> - #include "libcli/auth/schannel.h"
> - #include "librpc/gen_ndr/ndr_netlogon.h"
> -@@ -183,9 +182,9 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx
> -
> - /* get NETLOGON credentials */
> -
> -- nt_status = dcerpc_schannel_creds(p->conn->security_state.generic_state, samsync_ctx, &creds);
> -- if (!NT_STATUS_IS_OK(nt_status)) {
> -- r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from DCERPC/GENSEC layer");
> -+ creds = cli_credentials_get_netlogon_creds(machine_account);
> -+ if (creds == NULL) {
> -+ r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from credentials");
> - talloc_free(samsync_ctx);
> - return nt_status;
> - }
> ---
> -1.9.3
> -
> -
> -From 322dc86454fc4e60de641ef02da2c2744c347001 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 2 Aug 2013 10:08:54 +0200
> -Subject: [PATCH 074/249] s4:torture: avoid usage of dcerpc_schannel_creds()
> -
> -We use cli_credentials_get_netlogon_creds() which returns the same value.
> -
> -dcerpc_schannel_creds() is a layer violation.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 2ea3a24dced0814100e352bbbca124011be73602)
> ----
> - source4/torture/rpc/samlogon.c | 5 ++---
> - source4/torture/rpc/samr.c | 6 +++---
> - source4/torture/rpc/samsync.c | 11 ++++-------
> - source4/torture/rpc/schannel.c | 6 ++----
> - 4 files changed, 11 insertions(+), 17 deletions(-)
> -
> -diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
> -index 4861038..886ff39 100644
> ---- a/source4/torture/rpc/samlogon.c
> -+++ b/source4/torture/rpc/samlogon.c
> -@@ -29,7 +29,6 @@
> - #include "lib/cmdline/popt_common.h"
> - #include "torture/rpc/torture_rpc.h"
> - #include "auth/gensec/gensec.h"
> --#include "auth/gensec/schannel.h"
> - #include "libcli/auth/libcli_auth.h"
> - #include "param/param.h"
> -
> -@@ -1764,8 +1763,8 @@ bool torture_rpc_samlogon(struct torture_context *torture)
> - torture_assert_ntstatus_ok_goto(torture, status, ret, failed,
> - talloc_asprintf(torture, "RPC pipe connect as domain member failed: %s\n", nt_errstr(status)));
> -
> -- status = dcerpc_schannel_creds(p->conn->security_state.generic_state, mem_ctx, &creds);
> -- if (!NT_STATUS_IS_OK(status)) {
> -+ creds = cli_credentials_get_netlogon_creds(machine_credentials);
> -+ if (creds == NULL) {
> - ret = false;
> - goto failed;
> - }
> -diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
> -index cdfa2b8..d4d64f9 100644
> ---- a/source4/torture/rpc/samr.c
> -+++ b/source4/torture/rpc/samr.c
> -@@ -37,7 +37,6 @@
> - #include "torture/rpc/torture_rpc.h"
> - #include "param/param.h"
> - #include "auth/gensec/gensec.h"
> --#include "auth/gensec/schannel.h"
> - #include "auth/gensec/gensec_proto.h"
> - #include "../libcli/auth/schannel.h"
> -
> -@@ -2959,6 +2958,7 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_binding_handle *b,
> -
> - static bool test_SamLogon(struct torture_context *tctx,
> - struct dcerpc_pipe *p,
> -+ struct cli_credentials *machine_credentials,
> - struct cli_credentials *test_credentials,
> - NTSTATUS expected_result,
> - bool interactive)
> -@@ -2978,7 +2978,7 @@ static bool test_SamLogon(struct torture_context *tctx,
> - struct netr_Authenticator a;
> - struct dcerpc_binding_handle *b = p->binding_handle;
> -
> -- torture_assert_ntstatus_ok(tctx, dcerpc_schannel_creds(p->conn->security_state.generic_state, tctx, &creds), "");
> -+ torture_assert(tctx, (creds = cli_credentials_get_netlogon_creds(machine_credentials)), "");
> -
> - if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
> - flags |= CLI_CRED_LANMAN_AUTH;
> -@@ -3105,7 +3105,7 @@ static bool test_SamLogon_with_creds(struct torture_context *tctx,
> - torture_comment(tctx, "Testing samlogon (%s) as %s password: %s\n",
> - interactive ? "interactive" : "network", acct_name, password);
> -
> -- if (!test_SamLogon(tctx, p, test_credentials,
> -+ if (!test_SamLogon(tctx, p, machine_creds, test_credentials,
> - expected_samlogon_result, interactive)) {
> - torture_warning(tctx, "new password did not work\n");
> - ret = false;
> -diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
> -index 81027d0..15cab73 100644
> ---- a/source4/torture/rpc/samsync.c
> -+++ b/source4/torture/rpc/samsync.c
> -@@ -27,7 +27,6 @@
> - #include "system/time.h"
> - #include "torture/rpc/torture_rpc.h"
> - #include "auth/gensec/gensec.h"
> --#include "auth/gensec/schannel.h"
> - #include "libcli/auth/libcli_auth.h"
> - #include "libcli/samsync/samsync.h"
> - #include "libcli/security/security.h"
> -@@ -1720,9 +1719,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
> - }
> - samsync_state->b = samsync_state->p->binding_handle;
> -
> -- status = dcerpc_schannel_creds(samsync_state->p->conn->security_state.generic_state,
> -- samsync_state, &samsync_state->creds);
> -- if (!NT_STATUS_IS_OK(status)) {
> -+ samsync_state->creds = cli_credentials_get_netlogon_creds(credentials);
> -+ if (samsync_state->creds == NULL) {
> - ret = false;
> - }
> -
> -@@ -1758,9 +1756,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
> - goto failed;
> - }
> -
> -- status = dcerpc_schannel_creds(samsync_state->p_netlogon_wksta->conn->security_state.generic_state,
> -- samsync_state, &samsync_state->creds_netlogon_wksta);
> -- if (!NT_STATUS_IS_OK(status)) {
> -+ samsync_state->creds_netlogon_wksta = cli_credentials_get_netlogon_creds(credentials_wksta);
> -+ if (samsync_state->creds_netlogon_wksta == NULL) {
> - torture_comment(torture, "Failed to obtail schanel creds!\n");
> - ret = false;
> - }
> -diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
> -index 8203749..0098dcf 100644
> ---- a/source4/torture/rpc/schannel.c
> -+++ b/source4/torture/rpc/schannel.c
> -@@ -26,14 +26,12 @@
> - #include "auth/credentials/credentials.h"
> - #include "torture/rpc/torture_rpc.h"
> - #include "lib/cmdline/popt_common.h"
> --#include "auth/gensec/schannel.h"
> - #include "../libcli/auth/schannel.h"
> - #include "libcli/auth/libcli_auth.h"
> - #include "libcli/security/security.h"
> - #include "system/filesys.h"
> - #include "param/param.h"
> - #include "librpc/rpc/dcerpc_proto.h"
> --#include "auth/gensec/gensec.h"
> - #include "libcli/composite/composite.h"
> - #include "lib/events/events.h"
> -
> -@@ -413,8 +411,8 @@ static bool test_schannel(struct torture_context *tctx,
> -
> - torture_assert_ntstatus_ok(tctx, status, "bind auth");
> -
> -- status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
> -- torture_assert_ntstatus_ok(tctx, status, "schannel creds");
> -+ creds = cli_credentials_get_netlogon_creds(credentials);
> -+ torture_assert(tctx, (creds != NULL), "schannel creds");
> -
> - /* checks the capabilities */
> - torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
> ---
> -1.9.3
> -
> -
> -From fa1c5bc2cdff9decd361c919567c502ef0c09385 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 2 Aug 2013 12:31:41 +0200
> -Subject: [PATCH 075/249] s4:gensec/schannel: remove unused
> - dcerpc_schannel_creds()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 4cad5dcb6d5e49cc9bb1aa4ca454f369e00e8c6f)
> ----
> - source4/auth/gensec/schannel.c | 23 -----------------------
> - source4/auth/gensec/schannel.h | 26 --------------------------
> - 2 files changed, 49 deletions(-)
> - delete mode 100644 source4/auth/gensec/schannel.h
> -
> -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> -index e7c545f..10d2565 100644
> ---- a/source4/auth/gensec/schannel.c
> -+++ b/source4/auth/gensec/schannel.c
> -@@ -29,7 +29,6 @@
> - #include "../libcli/auth/schannel.h"
> - #include "librpc/rpc/dcerpc.h"
> - #include "param/param.h"
> --#include "auth/gensec/schannel.h"
> - #include "auth/gensec/gensec_toplevel_proto.h"
> -
> - _PUBLIC_ NTSTATUS gensec_schannel_init(void);
> -@@ -204,28 +203,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> - }
> -
> - /**
> -- * Return the struct netlogon_creds_CredentialState.
> -- *
> -- * Make sure not to call this unless gensec is using schannel...
> -- */
> --
> --/* TODO: make this non-public */
> --
> --_PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
> -- TALLOC_CTX *mem_ctx,
> -- struct netlogon_creds_CredentialState **creds)
> --{
> -- struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
> --
> -- *creds = talloc_reference(mem_ctx, state->creds);
> -- if (!*creds) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> -- return NT_STATUS_OK;
> --}
> --
> --
> --/**
> - * Returns anonymous credentials for schannel, matching Win2k3.
> - *
> - */
> -diff --git a/source4/auth/gensec/schannel.h b/source4/auth/gensec/schannel.h
> -deleted file mode 100644
> -index 88a32a7..0000000
> ---- a/source4/auth/gensec/schannel.h
> -+++ /dev/null
> -@@ -1,26 +0,0 @@
> --/*
> -- Unix SMB/CIFS implementation.
> --
> -- dcerpc schannel operations
> --
> -- Copyright (C) Andrew Tridgell 2004
> -- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
> --
> -- This program is free software; you can redistribute it and/or modify
> -- it under the terms of the GNU General Public License as published by
> -- the Free Software Foundation; either version 3 of the License, or
> -- (at your option) any later version.
> --
> -- This program is distributed in the hope that it will be useful,
> -- but WITHOUT ANY WARRANTY; without even the implied warranty of
> -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -- GNU General Public License for more details.
> --
> -- You should have received a copy of the GNU General Public License
> -- along with this program. If not, see <http://www.gnu.org/licenses/>.
> --*/
> --
> --struct netlogon_creds_CredentialState;
> --NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
> -- TALLOC_CTX *mem_ctx,
> -- struct netlogon_creds_CredentialState **creds);
> ---
> -1.9.3
> -
> -
> -From eeb52af669e963ac856fc77be6a47f7ed33d8580 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 2 Aug 2013 13:04:07 +0200
> -Subject: [PATCH 076/249] s4:gensec/schannel: simplify the code by using
> - netsec_create_state()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 49f347eb11bd12a3f25b0fcb8ba36d4a36594868)
> ----
> - source4/auth/gensec/schannel.c | 98 +++++++++++++-----------------------------
> - 1 file changed, 30 insertions(+), 68 deletions(-)
> -
> -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> -index 10d2565..3896a41 100644
> ---- a/source4/auth/gensec/schannel.c
> -+++ b/source4/auth/gensec/schannel.c
> -@@ -35,12 +35,11 @@ _PUBLIC_ NTSTATUS gensec_schannel_init(void);
> -
> - static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
> - {
> -- struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
> -- uint32_t sig_size;
> --
> -- sig_size = netsec_outgoing_sig_size(state);
> -+ struct schannel_state *state =
> -+ talloc_get_type_abort(gensec_security->private_data,
> -+ struct schannel_state);
> -
> -- return sig_size;
> -+ return netsec_outgoing_sig_size(state);
> - }
> -
> - static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
> -@@ -54,7 +53,9 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> - struct tevent_context *ev,
> - const DATA_BLOB in, DATA_BLOB *out)
> - {
> -- struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
> -+ struct schannel_state *state =
> -+ talloc_get_type(gensec_security->private_data,
> -+ struct schannel_state);
> - NTSTATUS status;
> - enum ndr_err_code ndr_err;
> - struct NL_AUTH_MESSAGE bind_schannel;
> -@@ -67,24 +68,22 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> -
> - switch (gensec_security->gensec_role) {
> - case GENSEC_CLIENT:
> -- if (state->state != SCHANNEL_STATE_START) {
> -+ if (state != NULL) {
> - /* we could parse the bind ack, but we don't know what it is yet */
> - return NT_STATUS_OK;
> - }
> -
> -- state->creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
> -- if (state->creds == NULL) {
> -+ creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
> -+ if (creds == NULL) {
> - return NT_STATUS_INVALID_PARAMETER_MIX;
> - }
> -- /*
> -- * We need to create a reference here or we don't get
> -- * updates performed on the credentials if we create a
> -- * copy.
> -- */
> -- state->creds = talloc_reference(state, state->creds);
> -- if (state->creds == NULL) {
> -+
> -+ state = netsec_create_state(gensec_security,
> -+ creds, true /* initiator */);
> -+ if (state == NULL) {
> - return NT_STATUS_NO_MEMORY;
> - }
> -+ gensec_security->private_data = state;
> -
> - bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
> - #if 0
> -@@ -117,12 +116,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> - return status;
> - }
> -
> -- state->state = SCHANNEL_STATE_UPDATE_1;
> --
> - return NT_STATUS_MORE_PROCESSING_REQUIRED;
> - case GENSEC_SERVER:
> -
> -- if (state->state != SCHANNEL_STATE_START) {
> -+ if (state != NULL) {
> - /* no third leg on this protocol */
> - return NT_STATUS_INVALID_PARAMETER;
> - }
> -@@ -177,7 +174,12 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> - return status;
> - }
> -
> -- state->creds = talloc_steal(state, creds);
> -+ state = netsec_create_state(gensec_security,
> -+ creds, false /* not initiator */);
> -+ if (state == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ gensec_security->private_data = state;
> -
> - bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
> - bind_schannel_ack.Flags = 0;
> -@@ -195,8 +197,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> - return status;
> - }
> -
> -- state->state = SCHANNEL_STATE_UPDATE_1;
> --
> - return NT_STATUS_OK;
> - }
> - return NT_STATUS_INVALID_PARAMETER;
> -@@ -214,54 +214,16 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
> - return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
> - }
> -
> --static NTSTATUS schannel_start(struct gensec_security *gensec_security)
> --{
> -- struct schannel_state *state;
> --
> -- state = talloc_zero(gensec_security, struct schannel_state);
> -- if (!state) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- state->state = SCHANNEL_STATE_START;
> -- gensec_security->private_data = state;
> --
> -- return NT_STATUS_OK;
> --}
> --
> - static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
> - {
> -- NTSTATUS status;
> -- struct schannel_state *state;
> --
> -- status = schannel_start(gensec_security);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> --
> -- state = (struct schannel_state *)gensec_security->private_data;
> -- state->initiator = false;
> --
> - return NT_STATUS_OK;
> - }
> -
> - static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
> - {
> -- NTSTATUS status;
> -- struct schannel_state *state;
> --
> -- status = schannel_start(gensec_security);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> --
> -- state = (struct schannel_state *)gensec_security->private_data;
> -- state->initiator = true;
> --
> - return NT_STATUS_OK;
> - }
> -
> --
> - static bool schannel_have_feature(struct gensec_security *gensec_security,
> - uint32_t feature)
> - {
> -@@ -287,8 +249,8 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
> - const DATA_BLOB *sig)
> - {
> - struct schannel_state *state =
> -- talloc_get_type(gensec_security->private_data,
> -- struct schannel_state);
> -+ talloc_get_type_abort(gensec_security->private_data,
> -+ struct schannel_state);
> -
> - return netsec_incoming_packet(state, true,
> - discard_const_p(uint8_t, data),
> -@@ -304,8 +266,8 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
> - const DATA_BLOB *sig)
> - {
> - struct schannel_state *state =
> -- talloc_get_type(gensec_security->private_data,
> -- struct schannel_state);
> -+ talloc_get_type_abort(gensec_security->private_data,
> -+ struct schannel_state);
> -
> - return netsec_incoming_packet(state, false,
> - discard_const_p(uint8_t, data),
> -@@ -321,8 +283,8 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
> - DATA_BLOB *sig)
> - {
> - struct schannel_state *state =
> -- talloc_get_type(gensec_security->private_data,
> -- struct schannel_state);
> -+ talloc_get_type_abort(gensec_security->private_data,
> -+ struct schannel_state);
> -
> - return netsec_outgoing_packet(state, mem_ctx, true,
> - data, length, sig);
> -@@ -338,8 +300,8 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
> - DATA_BLOB *sig)
> - {
> - struct schannel_state *state =
> -- talloc_get_type(gensec_security->private_data,
> -- struct schannel_state);
> -+ talloc_get_type_abort(gensec_security->private_data,
> -+ struct schannel_state);
> -
> - return netsec_outgoing_packet(state, mem_ctx, false,
> - discard_const_p(uint8_t, data),
> ---
> -1.9.3
> -
> -
> -From 685f00cfd7be11f4c62441e17d6416b9a668bb47 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 2 Aug 2013 13:25:20 +0200
> -Subject: [PATCH 077/249] s4:gensec/schannel: use the correct computer_name
> - from netlogon_creds_CredentialState
> -
> -We need to use the same computer_name we used in the netr_Authenticate3
> -request.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit b5104768225ae0308aa3f22f8d9bca389ef3cb3a)
> ----
> - source4/auth/gensec/schannel.c | 6 +++---
> - 1 file changed, 3 insertions(+), 3 deletions(-)
> -
> -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> -index 3896a41..91f166b 100644
> ---- a/source4/auth/gensec/schannel.c
> -+++ b/source4/auth/gensec/schannel.c
> -@@ -94,17 +94,17 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> - NL_FLAG_UTF8_DNS_DOMAIN_NAME |
> - NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
> - bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> -- bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
> -+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
> - bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
> - /* w2k3 refuses us if we use the full DNS workstation?
> - why? perhaps because we don't fill in the dNSHostName
> - attribute in the machine account? */
> -- bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
> -+ bind_schannel.utf8_netbios_computer = creds->computer_name;
> - #else
> - bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> - NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> - bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> -- bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
> -+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
> - #endif
> -
> - ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
> ---
> -1.9.3
> -
> -
> -From bd54e89fc5eb4d6afed3ef770dabf14a6ac6b060 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 3 Aug 2013 11:21:32 +0200
> -Subject: [PATCH 078/249] s4:gensec/schannel: GENSEC_FEATURE_ASYNC_REPLIES is
> - not supported
> -
> -There's a sequence number attached to the connection,
> -which needs to be incremented with each message...
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit a07049a839729e29ca888bae353cd37fd6238486)
> ----
> - source4/auth/gensec/schannel.c | 3 ---
> - 1 file changed, 3 deletions(-)
> -
> -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> -index 91f166b..7fc0c7c 100644
> ---- a/source4/auth/gensec/schannel.c
> -+++ b/source4/auth/gensec/schannel.c
> -@@ -234,9 +234,6 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
> - if (feature & GENSEC_FEATURE_DCE_STYLE) {
> - return true;
> - }
> -- if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
> -- return true;
> -- }
> - return false;
> - }
> -
> ---
> -1.9.3
> -
> -
> -From afcf626800e8aaf94878d62d1fd7318b2ffe21c1 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 3 Aug 2013 11:27:55 +0200
> -Subject: [PATCH 079/249] s4:gensec/schannel: there's no point in having
> - schannel_session_key()
> -
> -gensec_session_key() will return NT_STATUS_NO_USER_SESSION_KEY
> -before calling schannel_session_key(), as we don't provide
> -GENSEC_FEATURE_SESSION_KEY.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 9b9ab1ae6963b3819dc2b095cbe9e1432f3459b7)
> ----
> - source4/auth/gensec/schannel.c | 8 --------
> - 1 file changed, 8 deletions(-)
> -
> -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> -index 7fc0c7c..ebf6469 100644
> ---- a/source4/auth/gensec/schannel.c
> -+++ b/source4/auth/gensec/schannel.c
> -@@ -42,13 +42,6 @@ static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t
> - return netsec_outgoing_sig_size(state);
> - }
> -
> --static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
> -- TALLOC_CTX *mem_ctx,
> -- DATA_BLOB *session_key)
> --{
> -- return NT_STATUS_NOT_IMPLEMENTED;
> --}
> --
> - static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> - struct tevent_context *ev,
> - const DATA_BLOB in, DATA_BLOB *out)
> -@@ -315,7 +308,6 @@ static const struct gensec_security_ops gensec_schannel_security_ops = {
> - .sign_packet = schannel_sign_packet,
> - .check_packet = schannel_check_packet,
> - .unseal_packet = schannel_unseal_packet,
> -- .session_key = schannel_session_key,
> - .session_info = schannel_session_info,
> - .sig_size = schannel_sig_size,
> - .have_feature = schannel_have_feature,
> ---
> -1.9.3
> -
> -
> -From 56599b7019eabe3656bdba676214c74191ad068f Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 3 Aug 2013 11:32:31 +0200
> -Subject: [PATCH 080/249] s4:gensec/schannel: only require
> - librpc/gen_ndr/dcerpc.h
> -
> -We just need DCERPC_AUTH_TYPE_SCHANNEL
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit e90e1b5c76db4cf589adf8856eb32e5f0d955734)
> ----
> - source4/auth/gensec/schannel.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> -index ebf6469..e67432c 100644
> ---- a/source4/auth/gensec/schannel.c
> -+++ b/source4/auth/gensec/schannel.c
> -@@ -27,7 +27,7 @@
> - #include "auth/gensec/gensec.h"
> - #include "auth/gensec/gensec_proto.h"
> - #include "../libcli/auth/schannel.h"
> --#include "librpc/rpc/dcerpc.h"
> -+#include "librpc/gen_ndr/dcerpc.h"
> - #include "param/param.h"
> - #include "auth/gensec/gensec_toplevel_proto.h"
> -
> ---
> -1.9.3
> -
> -
> -From baa82a6ef22c1761c7206323e90781d008a7888b Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 2 Aug 2013 13:37:54 +0200
> -Subject: [PATCH 081/249] libcli/auth/schannel: make struct schannel_state
> - private
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 4c978b68d9a87001f625c10421e7d4cc140b4554)
> ----
> - libcli/auth/schannel.h | 13 -------------
> - libcli/auth/schannel_sign.c | 12 ++++++++++++
> - 2 files changed, 12 insertions(+), 13 deletions(-)
> -
> -diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
> -index 271b5bb..c53d68e 100644
> ---- a/libcli/auth/schannel.h
> -+++ b/libcli/auth/schannel.h
> -@@ -22,17 +22,4 @@
> -
> - #include "libcli/auth/libcli_auth.h"
> - #include "libcli/auth/schannel_state.h"
> --
> --enum schannel_position {
> -- SCHANNEL_STATE_START = 0,
> -- SCHANNEL_STATE_UPDATE_1
> --};
> --
> --struct schannel_state {
> -- enum schannel_position state;
> -- uint64_t seq_num;
> -- bool initiator;
> -- struct netlogon_creds_CredentialState *creds;
> --};
> --
> - #include "libcli/auth/schannel_proto.h"
> -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> -index 518a6a9..88a6e1e 100644
> ---- a/libcli/auth/schannel_sign.c
> -+++ b/libcli/auth/schannel_sign.c
> -@@ -24,6 +24,18 @@
> - #include "../libcli/auth/schannel.h"
> - #include "../lib/crypto/crypto.h"
> -
> -+enum schannel_position {
> -+ SCHANNEL_STATE_START = 0,
> -+ SCHANNEL_STATE_UPDATE_1
> -+};
> -+
> -+struct schannel_state {
> -+ enum schannel_position state;
> -+ uint64_t seq_num;
> -+ bool initiator;
> -+ struct netlogon_creds_CredentialState *creds;
> -+};
> -+
> - #define SETUP_SEQNUM(state, buf, initiator) do { \
> - uint8_t *_buf = buf; \
> - uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
> ---
> -1.9.3
> -
> -
> -From 29806ef23a9826688ace1dc52cd7af554cf83294 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 2 Aug 2013 15:42:21 +0200
> -Subject: [PATCH 082/249] libcli/auth/schannel: remove unused schannel_position
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 57bcbb9c50f0a0252110a1e04a2883b511cd9165)
> ----
> - libcli/auth/schannel_sign.c | 7 -------
> - 1 file changed, 7 deletions(-)
> -
> -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> -index 88a6e1e..9502cba 100644
> ---- a/libcli/auth/schannel_sign.c
> -+++ b/libcli/auth/schannel_sign.c
> -@@ -24,13 +24,7 @@
> - #include "../libcli/auth/schannel.h"
> - #include "../lib/crypto/crypto.h"
> -
> --enum schannel_position {
> -- SCHANNEL_STATE_START = 0,
> -- SCHANNEL_STATE_UPDATE_1
> --};
> --
> - struct schannel_state {
> -- enum schannel_position state;
> - uint64_t seq_num;
> - bool initiator;
> - struct netlogon_creds_CredentialState *creds;
> -@@ -58,7 +52,6 @@ struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> - return NULL;
> - }
> -
> -- state->state = SCHANNEL_STATE_UPDATE_1;
> - state->initiator = initiator;
> - state->seq_num = 0;
> - state->creds = netlogon_creds_copy(state, creds);
> ---
> -1.9.3
> -
> -
> -From a6ad9118c250446ea9571f5ce9895b11ab8537ed Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 5 Aug 2013 07:12:01 +0200
> -Subject: [PATCH 083/249] auth/gensec: introduce gensec_internal.h
> -
> -We should treat most gensec related structures private.
> -
> -It's a long way, but this is a start.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 71c63e85e7a09acb57f6b75284358f2b3b29eeed)
> ----
> - auth/gensec/gensec.c | 1 +
> - auth/gensec/gensec.h | 100 ++-------------------------
> - auth/gensec/gensec_internal.h | 127 +++++++++++++++++++++++++++++++++++
> - auth/gensec/gensec_start.c | 1 +
> - auth/gensec/gensec_util.c | 1 +
> - auth/gensec/spnego.c | 1 +
> - auth/ntlmssp/gensec_ntlmssp.c | 1 +
> - auth/ntlmssp/gensec_ntlmssp_server.c | 1 +
> - auth/ntlmssp/ntlmssp.c | 1 +
> - auth/ntlmssp/ntlmssp_client.c | 1 +
> - auth/ntlmssp/ntlmssp_server.c | 1 +
> - source3/libads/authdata.c | 1 +
> - source3/librpc/crypto/gse.c | 1 +
> - source3/libsmb/ntlmssp_wrap.c | 1 +
> - source3/utils/ntlm_auth.c | 1 +
> - source4/auth/gensec/cyrus_sasl.c | 1 +
> - source4/auth/gensec/gensec_gssapi.c | 1 +
> - source4/auth/gensec/gensec_krb5.c | 1 +
> - source4/auth/gensec/pygensec.c | 1 +
> - source4/auth/gensec/schannel.c | 1 +
> - source4/ldap_server/ldap_backend.c | 1 +
> - source4/libcli/ldap/ldap_bind.c | 1 +
> - source4/torture/auth/ntlmssp.c | 1 +
> - source4/utils/ntlm_auth.c | 1 +
> - 24 files changed, 153 insertions(+), 96 deletions(-)
> - create mode 100644 auth/gensec/gensec_internal.h
> -
> -diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
> -index 9a8f0ef..d364a34 100644
> ---- a/auth/gensec/gensec.c
> -+++ b/auth/gensec/gensec.c
> -@@ -26,6 +26,7 @@
> - #include "lib/tsocket/tsocket.h"
> - #include "lib/util/tevent_ntstatus.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "librpc/rpc/dcerpc.h"
> -
> - /*
> -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> -index c080861..5d39d81 100644
> ---- a/auth/gensec/gensec.h
> -+++ b/auth/gensec/gensec.h
> -@@ -76,6 +76,7 @@ struct gensec_settings;
> - struct tevent_context;
> - struct tevent_req;
> - struct smb_krb5_context;
> -+struct tsocket_address;
> -
> - struct gensec_settings {
> - struct loadparm_context *lp_ctx;
> -@@ -93,106 +94,13 @@ struct gensec_settings {
> - const char *server_netbios_name;
> - };
> -
> --struct gensec_security_ops {
> -- const char *name;
> -- const char *sasl_name;
> -- uint8_t auth_type; /* 0 if not offered on DCE-RPC */
> -- const char **oid; /* NULL if not offered by SPNEGO */
> -- NTSTATUS (*client_start)(struct gensec_security *gensec_security);
> -- NTSTATUS (*server_start)(struct gensec_security *gensec_security);
> -- /**
> -- Determine if a packet has the right 'magic' for this mechanism
> -- */
> -- NTSTATUS (*magic)(struct gensec_security *gensec_security,
> -- const DATA_BLOB *first_packet);
> -- NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> -- struct tevent_context *ev,
> -- const DATA_BLOB in, DATA_BLOB *out);
> -- NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> -- uint8_t *data, size_t length,
> -- const uint8_t *whole_pdu, size_t pdu_length,
> -- DATA_BLOB *sig);
> -- NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> -- const uint8_t *data, size_t length,
> -- const uint8_t *whole_pdu, size_t pdu_length,
> -- DATA_BLOB *sig);
> -- size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
> -- size_t (*max_input_size)(struct gensec_security *gensec_security);
> -- size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
> -- NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
> -- const uint8_t *data, size_t length,
> -- const uint8_t *whole_pdu, size_t pdu_length,
> -- const DATA_BLOB *sig);
> -- NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
> -- uint8_t *data, size_t length,
> -- const uint8_t *whole_pdu, size_t pdu_length,
> -- const DATA_BLOB *sig);
> -- NTSTATUS (*wrap)(struct gensec_security *gensec_security,
> -- TALLOC_CTX *mem_ctx,
> -- const DATA_BLOB *in,
> -- DATA_BLOB *out);
> -- NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
> -- TALLOC_CTX *mem_ctx,
> -- const DATA_BLOB *in,
> -- DATA_BLOB *out);
> -- NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
> -- TALLOC_CTX *mem_ctx,
> -- const DATA_BLOB *in,
> -- DATA_BLOB *out,
> -- size_t *len_processed);
> -- NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
> -- TALLOC_CTX *mem_ctx,
> -- const DATA_BLOB *in,
> -- DATA_BLOB *out,
> -- size_t *len_processed);
> -- NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
> -- DATA_BLOB blob, size_t *size);
> -- NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
> -- DATA_BLOB *session_key);
> -- NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
> -- struct auth_session_info **session_info);
> -- void (*want_feature)(struct gensec_security *gensec_security,
> -- uint32_t feature);
> -- bool (*have_feature)(struct gensec_security *gensec_security,
> -- uint32_t feature);
> -- NTTIME (*expire_time)(struct gensec_security *gensec_security);
> -- bool enabled;
> -- bool kerberos;
> -- enum gensec_priority priority;
> --};
> --
> --struct gensec_security_ops_wrapper {
> -- const struct gensec_security_ops *op;
> -- const char *oid;
> --};
> -+struct gensec_security_ops;
> -+struct gensec_security_ops_wrapper;
> -
> - #define GENSEC_INTERFACE_VERSION 0
> -
> --struct gensec_security {
> -- const struct gensec_security_ops *ops;
> -- void *private_data;
> -- struct cli_credentials *credentials;
> -- struct gensec_target target;
> -- enum gensec_role gensec_role;
> -- bool subcontext;
> -- uint32_t want_features;
> -- uint32_t max_update_size;
> -- uint8_t dcerpc_auth_level;
> -- struct tsocket_address *local_addr, *remote_addr;
> -- struct gensec_settings *settings;
> --
> -- /* When we are a server, this may be filled in to provide an
> -- * NTLM authentication backend, and user lookup (such as if no
> -- * PAC is found) */
> -- struct auth4_context *auth_context;
> --};
> --
> - /* this structure is used by backends to determine the size of some critical types */
> --struct gensec_critical_sizes {
> -- int interface_version;
> -- int sizeof_gensec_security_ops;
> -- int sizeof_gensec_security;
> --};
> -+struct gensec_critical_sizes;
> - const struct gensec_critical_sizes *gensec_interface_version(void);
> -
> - /* Socket wrapper */
> -diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
> -new file mode 100644
> -index 0000000..41b6f0d
> ---- /dev/null
> -+++ b/auth/gensec/gensec_internal.h
> -@@ -0,0 +1,127 @@
> -+/*
> -+ Unix SMB/CIFS implementation.
> -+
> -+ Generic Authentication Interface
> -+
> -+ Copyright (C) Andrew Tridgell 2003
> -+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
> -+
> -+ This program is free software; you can redistribute it and/or modify
> -+ it under the terms of the GNU General Public License as published by
> -+ the Free Software Foundation; either version 3 of the License, or
> -+ (at your option) any later version.
> -+
> -+ This program is distributed in the hope that it will be useful,
> -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -+ GNU General Public License for more details.
> -+
> -+ You should have received a copy of the GNU General Public License
> -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> -+*/
> -+
> -+#ifndef __GENSEC_INTERNAL_H__
> -+#define __GENSEC_INTERNAL_H__
> -+
> -+struct gensec_security;
> -+
> -+struct gensec_security_ops {
> -+ const char *name;
> -+ const char *sasl_name;
> -+ uint8_t auth_type; /* 0 if not offered on DCE-RPC */
> -+ const char **oid; /* NULL if not offered by SPNEGO */
> -+ NTSTATUS (*client_start)(struct gensec_security *gensec_security);
> -+ NTSTATUS (*server_start)(struct gensec_security *gensec_security);
> -+ /**
> -+ Determine if a packet has the right 'magic' for this mechanism
> -+ */
> -+ NTSTATUS (*magic)(struct gensec_security *gensec_security,
> -+ const DATA_BLOB *first_packet);
> -+ NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> -+ struct tevent_context *ev,
> -+ const DATA_BLOB in, DATA_BLOB *out);
> -+ NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> -+ uint8_t *data, size_t length,
> -+ const uint8_t *whole_pdu, size_t pdu_length,
> -+ DATA_BLOB *sig);
> -+ NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> -+ const uint8_t *data, size_t length,
> -+ const uint8_t *whole_pdu, size_t pdu_length,
> -+ DATA_BLOB *sig);
> -+ size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
> -+ size_t (*max_input_size)(struct gensec_security *gensec_security);
> -+ size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
> -+ NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
> -+ const uint8_t *data, size_t length,
> -+ const uint8_t *whole_pdu, size_t pdu_length,
> -+ const DATA_BLOB *sig);
> -+ NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
> -+ uint8_t *data, size_t length,
> -+ const uint8_t *whole_pdu, size_t pdu_length,
> -+ const DATA_BLOB *sig);
> -+ NTSTATUS (*wrap)(struct gensec_security *gensec_security,
> -+ TALLOC_CTX *mem_ctx,
> -+ const DATA_BLOB *in,
> -+ DATA_BLOB *out);
> -+ NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
> -+ TALLOC_CTX *mem_ctx,
> -+ const DATA_BLOB *in,
> -+ DATA_BLOB *out);
> -+ NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
> -+ TALLOC_CTX *mem_ctx,
> -+ const DATA_BLOB *in,
> -+ DATA_BLOB *out,
> -+ size_t *len_processed);
> -+ NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
> -+ TALLOC_CTX *mem_ctx,
> -+ const DATA_BLOB *in,
> -+ DATA_BLOB *out,
> -+ size_t *len_processed);
> -+ NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
> -+ DATA_BLOB blob, size_t *size);
> -+ NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
> -+ DATA_BLOB *session_key);
> -+ NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
> -+ struct auth_session_info **session_info);
> -+ void (*want_feature)(struct gensec_security *gensec_security,
> -+ uint32_t feature);
> -+ bool (*have_feature)(struct gensec_security *gensec_security,
> -+ uint32_t feature);
> -+ NTTIME (*expire_time)(struct gensec_security *gensec_security);
> -+ bool enabled;
> -+ bool kerberos;
> -+ enum gensec_priority priority;
> -+};
> -+
> -+struct gensec_security_ops_wrapper {
> -+ const struct gensec_security_ops *op;
> -+ const char *oid;
> -+};
> -+
> -+struct gensec_security {
> -+ const struct gensec_security_ops *ops;
> -+ void *private_data;
> -+ struct cli_credentials *credentials;
> -+ struct gensec_target target;
> -+ enum gensec_role gensec_role;
> -+ bool subcontext;
> -+ uint32_t want_features;
> -+ uint32_t max_update_size;
> -+ uint8_t dcerpc_auth_level;
> -+ struct tsocket_address *local_addr, *remote_addr;
> -+ struct gensec_settings *settings;
> -+
> -+ /* When we are a server, this may be filled in to provide an
> -+ * NTLM authentication backend, and user lookup (such as if no
> -+ * PAC is found) */
> -+ struct auth4_context *auth_context;
> -+};
> -+
> -+/* this structure is used by backends to determine the size of some critical types */
> -+struct gensec_critical_sizes {
> -+ int interface_version;
> -+ int sizeof_gensec_security_ops;
> -+ int sizeof_gensec_security;
> -+};
> -+
> -+#endif /* __GENSEC_H__ */
> -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> -index c2cfa1c..34029f5 100644
> ---- a/auth/gensec/gensec_start.c
> -+++ b/auth/gensec/gensec_start.c
> -@@ -27,6 +27,7 @@
> - #include "librpc/rpc/dcerpc.h"
> - #include "auth/credentials/credentials.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "lib/param/param.h"
> - #include "lib/util/tsort.h"
> - #include "lib/util/samba_modules.h"
> -diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
> -index 64952b1..568128a 100644
> ---- a/auth/gensec/gensec_util.c
> -+++ b/auth/gensec/gensec_util.c
> -@@ -22,6 +22,7 @@
> -
> - #include "includes.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "auth/common_auth.h"
> - #include "../lib/util/asn1.h"
> -
> -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
> -index da1fc0e..38a45f8 100644
> ---- a/auth/gensec/spnego.c
> -+++ b/auth/gensec/spnego.c
> -@@ -27,6 +27,7 @@
> - #include "librpc/gen_ndr/ndr_dcerpc.h"
> - #include "auth/credentials/credentials.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "param/param.h"
> - #include "lib/util/asn1.h"
> -
> -diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
> -index 9e1d8a8..654c0e3 100644
> ---- a/auth/ntlmssp/gensec_ntlmssp.c
> -+++ b/auth/ntlmssp/gensec_ntlmssp.c
> -@@ -22,6 +22,7 @@
> - #include "includes.h"
> - #include "auth/ntlmssp/ntlmssp.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "auth/ntlmssp/ntlmssp_private.h"
> -
> - NTSTATUS gensec_ntlmssp_magic(struct gensec_security *gensec_security,
> -diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
> -index f4dfab3..69c56fb 100644
> ---- a/auth/ntlmssp/gensec_ntlmssp_server.c
> -+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
> -@@ -31,6 +31,7 @@
> - #include "../libcli/auth/libcli_auth.h"
> - #include "../lib/crypto/crypto.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "auth/common_auth.h"
> - #include "param/param.h"
> -
> -diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
> -index 1a2d662..916b376 100644
> ---- a/auth/ntlmssp/ntlmssp.c
> -+++ b/auth/ntlmssp/ntlmssp.c
> -@@ -29,6 +29,7 @@ struct auth_session_info;
> - #include "../libcli/auth/libcli_auth.h"
> - #include "librpc/gen_ndr/ndr_dcerpc.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> -
> - /**
> - * Callbacks for NTLMSSP - for both client and server operating modes
> -diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
> -index fc66a8d..f99257d 100644
> ---- a/auth/ntlmssp/ntlmssp_client.c
> -+++ b/auth/ntlmssp/ntlmssp_client.c
> -@@ -29,6 +29,7 @@ struct auth_session_info;
> - #include "../libcli/auth/libcli_auth.h"
> - #include "auth/credentials/credentials.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "param/param.h"
> - #include "auth/ntlmssp/ntlmssp_private.h"
> - #include "../librpc/gen_ndr/ndr_ntlmssp.h"
> -diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
> -index 57179e1..2f3f0bb 100644
> ---- a/auth/ntlmssp/ntlmssp_server.c
> -+++ b/auth/ntlmssp/ntlmssp_server.c
> -@@ -28,6 +28,7 @@
> - #include "../libcli/auth/libcli_auth.h"
> - #include "../lib/crypto/crypto.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "auth/common_auth.h"
> -
> - /**
> -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> -index 2c667a6..582917d 100644
> ---- a/source3/libads/authdata.c
> -+++ b/source3/libads/authdata.c
> -@@ -30,6 +30,7 @@
> - #include "lib/param/param.h"
> - #include "librpc/crypto/gse.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> - #include "../libcli/auth/spnego.h"
> -
> - #ifdef HAVE_KRB5
> -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
> -index 11a5457..8db3cdd 100644
> ---- a/source3/librpc/crypto/gse.c
> -+++ b/source3/librpc/crypto/gse.c
> -@@ -26,6 +26,7 @@
> - #include "libads/kerberos_proto.h"
> - #include "auth/common_auth.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "auth/credentials/credentials.h"
> - #include "../librpc/gen_ndr/dcerpc.h"
> -
> -diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c
> -index 9ce4b12..46f68ae 100644
> ---- a/source3/libsmb/ntlmssp_wrap.c
> -+++ b/source3/libsmb/ntlmssp_wrap.c
> -@@ -23,6 +23,7 @@
> - #include "auth/ntlmssp/ntlmssp_private.h"
> - #include "auth_generic.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "auth/credentials/credentials.h"
> - #include "librpc/rpc/dcerpc.h"
> - #include "lib/param/param.h"
> -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> -index a5e0cd2..5fcb60e 100644
> ---- a/source3/utils/ntlm_auth.c
> -+++ b/source3/utils/ntlm_auth.c
> -@@ -32,6 +32,7 @@
> - #include "../libcli/auth/spnego.h"
> - #include "auth/ntlmssp/ntlmssp.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "auth/credentials/credentials.h"
> - #include "librpc/crypto/gse.h"
> - #include "smb_krb5.h"
> -diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
> -index 2e733bf..08dccd6 100644
> ---- a/source4/auth/gensec/cyrus_sasl.c
> -+++ b/source4/auth/gensec/cyrus_sasl.c
> -@@ -23,6 +23,7 @@
> - #include "lib/tsocket/tsocket.h"
> - #include "auth/credentials/credentials.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "auth/gensec/gensec_proto.h"
> - #include "auth/gensec/gensec_toplevel_proto.h"
> - #include <sasl/sasl.h>
> -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
> -index 4fc544f..63a53bf 100644
> ---- a/source4/auth/gensec/gensec_gssapi.c
> -+++ b/source4/auth/gensec/gensec_gssapi.c
> -@@ -34,6 +34,7 @@
> - #include "auth/credentials/credentials.h"
> - #include "auth/credentials/credentials_krb5.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "auth/gensec/gensec_proto.h"
> - #include "auth/gensec/gensec_toplevel_proto.h"
> - #include "param/param.h"
> -diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
> -index fbec64c..ecc3331 100644
> ---- a/source4/auth/gensec/gensec_krb5.c
> -+++ b/source4/auth/gensec/gensec_krb5.c
> -@@ -34,6 +34,7 @@
> - #include "auth/credentials/credentials_krb5.h"
> - #include "auth/kerberos/kerberos_credentials.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "auth/gensec/gensec_proto.h"
> - #include "auth/gensec/gensec_toplevel_proto.h"
> - #include "param/param.h"
> -diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c
> -index 02e5ae2..fd6daff 100644
> ---- a/source4/auth/gensec/pygensec.c
> -+++ b/source4/auth/gensec/pygensec.c
> -@@ -20,6 +20,7 @@
> - #include "includes.h"
> - #include "param/pyparam.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> - #include "auth/credentials/pycredentials.h"
> - #include "libcli/util/pyerrors.h"
> - #include "python/modules.h"
> -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> -index e67432c..eb2e100 100644
> ---- a/source4/auth/gensec/schannel.c
> -+++ b/source4/auth/gensec/schannel.c
> -@@ -25,6 +25,7 @@
> - #include "auth/auth.h"
> - #include "auth/credentials/credentials.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "auth/gensec/gensec_proto.h"
> - #include "../libcli/auth/schannel.h"
> - #include "librpc/gen_ndr/dcerpc.h"
> -diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
> -index 4a195e5..f0da82c 100644
> ---- a/source4/ldap_server/ldap_backend.c
> -+++ b/source4/ldap_server/ldap_backend.c
> -@@ -23,6 +23,7 @@
> - #include "../lib/util/dlinklist.h"
> - #include "auth/credentials/credentials.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> - #include "param/param.h"
> - #include "smbd/service_stream.h"
> - #include "dsdb/samdb/samdb.h"
> -diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
> -index b355e18..f0a498b 100644
> ---- a/source4/libcli/ldap/ldap_bind.c
> -+++ b/source4/libcli/ldap/ldap_bind.c
> -@@ -27,6 +27,7 @@
> - #include "libcli/ldap/ldap_client.h"
> - #include "lib/tls/tls.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> - #include "auth/gensec/gensec_socket.h"
> - #include "auth/credentials/credentials.h"
> - #include "lib/stream/packet.h"
> -diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c
> -index bdaa65b..45e5889 100644
> ---- a/source4/torture/auth/ntlmssp.c
> -+++ b/source4/torture/auth/ntlmssp.c
> -@@ -19,6 +19,7 @@
> -
> - #include "includes.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> - #include "auth/ntlmssp/ntlmssp.h"
> - #include "auth/ntlmssp/ntlmssp_private.h"
> - #include "lib/cmdline/popt_common.h"
> -diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
> -index 136e238..1e2feb0 100644
> ---- a/source4/utils/ntlm_auth.c
> -+++ b/source4/utils/ntlm_auth.c
> -@@ -27,6 +27,7 @@
> - #include <ldb.h>
> - #include "auth/credentials/credentials.h"
> - #include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> - #include "auth/auth.h"
> - #include "librpc/gen_ndr/ndr_netlogon.h"
> - #include "auth/auth_sam.h"
> ---
> -1.9.3
> -
> -
> -From fabdf9f539385d97bc4bf2550e7fd4de2d1b5d01 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 5 Aug 2013 10:37:26 +0200
> -Subject: [PATCH 084/249] auth/gensec: avoid talloc_reference in
> - gensec_use_kerberos_mechs()
> -
> -We now always copy.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 3e3534f882651880093381f5a7846c0938df6501)
> ----
> - auth/gensec/gensec_start.c | 38 ++++++++++++++++++++------------------
> - 1 file changed, 20 insertions(+), 18 deletions(-)
> -
> -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> -index 34029f5..096ad36 100644
> ---- a/auth/gensec/gensec_start.c
> -+++ b/auth/gensec/gensec_start.c
> -@@ -80,13 +80,6 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
> - use_kerberos = cli_credentials_get_kerberos_state(creds);
> - }
> -
> -- if (use_kerberos == CRED_AUTO_USE_KERBEROS) {
> -- if (!talloc_reference(mem_ctx, old_gensec_list)) {
> -- return NULL;
> -- }
> -- return old_gensec_list;
> -- }
> --
> - for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
> - /* noop */
> - }
> -@@ -99,35 +92,44 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
> - j = 0;
> - for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
> - int oid_idx;
> -- bool found_spnego = false;
> -+ bool keep = false;
> -+
> - for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
> - if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
> -- new_gensec_list[j] = old_gensec_list[i];
> -- j++;
> -- found_spnego = true;
> -+ keep = true;
> - break;
> - }
> - }
> -- if (found_spnego) {
> -- continue;
> -- }
> -+
> - switch (use_kerberos) {
> -+ case CRED_AUTO_USE_KERBEROS:
> -+ keep = true;
> -+ break;
> -+
> - case CRED_DONT_USE_KERBEROS:
> - if (old_gensec_list[i]->kerberos == false) {
> -- new_gensec_list[j] = old_gensec_list[i];
> -- j++;
> -+ keep = true;
> - }
> -+
> - break;
> -+
> - case CRED_MUST_USE_KERBEROS:
> - if (old_gensec_list[i]->kerberos == true) {
> -- new_gensec_list[j] = old_gensec_list[i];
> -- j++;
> -+ keep = true;
> - }
> -+
> - break;
> - default:
> - /* Can't happen or invalid parameter */
> - return NULL;
> - }
> -+
> -+ if (!keep) {
> -+ continue;
> -+ }
> -+
> -+ new_gensec_list[j] = old_gensec_list[i];
> -+ j++;
> - }
> - new_gensec_list[j] = NULL;
> -
> ---
> -1.9.3
> -
> -
> -From b71ed3dd183d64beda108d0881c03978ef4b3892 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 5 Aug 2013 10:39:16 +0200
> -Subject: [PATCH 085/249] auth/gensec: avoid talloc_reference in
> - gensec_security_mechs()
> -
> -We now always copy.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 6a7a44db5999af7262478eb1c186d784d6075beb)
> ----
> - auth/gensec/gensec_start.c | 27 +++++++++------------------
> - 1 file changed, 9 insertions(+), 18 deletions(-)
> -
> -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> -index 096ad36..00e2759 100644
> ---- a/auth/gensec/gensec_start.c
> -+++ b/auth/gensec/gensec_start.c
> -@@ -140,28 +140,19 @@ _PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
> - struct gensec_security *gensec_security,
> - TALLOC_CTX *mem_ctx)
> - {
> -- struct gensec_security_ops **backends;
> -- if (!gensec_security) {
> -- backends = gensec_security_all();
> -- if (!talloc_reference(mem_ctx, backends)) {
> -- return NULL;
> -- }
> -- return backends;
> -- } else {
> -- struct cli_credentials *creds = gensec_get_credentials(gensec_security);
> -+ struct cli_credentials *creds = NULL;
> -+ struct gensec_security_ops **backends = gensec_security_all();
> -+
> -+ if (gensec_security != NULL) {
> -+ creds = gensec_get_credentials(gensec_security);
> -+
> - if (gensec_security->settings->backends) {
> - backends = gensec_security->settings->backends;
> -- } else {
> -- backends = gensec_security_all();
> - }
> -- if (!creds) {
> -- if (!talloc_reference(mem_ctx, backends)) {
> -- return NULL;
> -- }
> -- return backends;
> -- }
> -- return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
> - }
> -+
> -+ return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
> -+
> - }
> -
> - static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
> ---
> -1.9.3
> -
> -
> -From fe6a14d48b0eb3dfcfc6d7f0b68e8f28b7ad9796 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 5 Aug 2013 16:12:13 +0200
> -Subject: [PATCH 086/249] auth/gensec: make it possible to implement async
> - backends
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit e81550c8117166d0fbf69ba1d3957cb950c42961)
> ----
> - auth/gensec/gensec.c | 202 ++++++++++++++++++++++++++++++++----------
> - auth/gensec/gensec_internal.h | 7 ++
> - 2 files changed, 160 insertions(+), 49 deletions(-)
> -
> -diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
> -index d364a34..abcbcb9 100644
> ---- a/auth/gensec/gensec.c
> -+++ b/auth/gensec/gensec.c
> -@@ -218,61 +218,92 @@ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_
> - const DATA_BLOB in, DATA_BLOB *out)
> - {
> - NTSTATUS status;
> -+ const struct gensec_security_ops *ops = gensec_security->ops;
> -+ TALLOC_CTX *frame = NULL;
> -+ struct tevent_req *subreq = NULL;
> -+ bool ok;
> -
> -- status = gensec_security->ops->update(gensec_security, out_mem_ctx,
> -- ev, in, out);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> -+ if (ops->update_send == NULL) {
> -
> -- /*
> -- * Because callers using the
> -- * gensec_start_mech_by_auth_type() never call
> -- * gensec_want_feature(), it isn't sensible for them
> -- * to have to call gensec_have_feature() manually, and
> -- * these are not points of negotiation, but are
> -- * asserted by the client
> -- */
> -- switch (gensec_security->dcerpc_auth_level) {
> -- case DCERPC_AUTH_LEVEL_INTEGRITY:
> -- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
> -- DEBUG(0,("Did not manage to negotiate mandetory feature "
> -- "SIGN for dcerpc auth_level %u\n",
> -- gensec_security->dcerpc_auth_level));
> -- return NT_STATUS_ACCESS_DENIED;
> -- }
> -- break;
> -- case DCERPC_AUTH_LEVEL_PRIVACY:
> -- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
> -- DEBUG(0,("Did not manage to negotiate mandetory feature "
> -- "SIGN for dcerpc auth_level %u\n",
> -- gensec_security->dcerpc_auth_level));
> -- return NT_STATUS_ACCESS_DENIED;
> -+ status = ops->update(gensec_security, out_mem_ctx,
> -+ ev, in, out);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> - }
> -- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
> -- DEBUG(0,("Did not manage to negotiate mandetory feature "
> -- "SEAL for dcerpc auth_level %u\n",
> -- gensec_security->dcerpc_auth_level));
> -- return NT_STATUS_ACCESS_DENIED;
> -+
> -+ /*
> -+ * Because callers using the
> -+ * gensec_start_mech_by_auth_type() never call
> -+ * gensec_want_feature(), it isn't sensible for them
> -+ * to have to call gensec_have_feature() manually, and
> -+ * these are not points of negotiation, but are
> -+ * asserted by the client
> -+ */
> -+ switch (gensec_security->dcerpc_auth_level) {
> -+ case DCERPC_AUTH_LEVEL_INTEGRITY:
> -+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
> -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> -+ "SIGN for dcerpc auth_level %u\n",
> -+ gensec_security->dcerpc_auth_level));
> -+ return NT_STATUS_ACCESS_DENIED;
> -+ }
> -+ break;
> -+ case DCERPC_AUTH_LEVEL_PRIVACY:
> -+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
> -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> -+ "SIGN for dcerpc auth_level %u\n",
> -+ gensec_security->dcerpc_auth_level));
> -+ return NT_STATUS_ACCESS_DENIED;
> -+ }
> -+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
> -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> -+ "SEAL for dcerpc auth_level %u\n",
> -+ gensec_security->dcerpc_auth_level));
> -+ return NT_STATUS_ACCESS_DENIED;
> -+ }
> -+ break;
> -+ default:
> -+ break;
> - }
> -- break;
> -- default:
> -- break;
> -+
> -+ return NT_STATUS_OK;
> - }
> -
> -- return NT_STATUS_OK;
> -+ frame = talloc_stackframe();
> -+
> -+ subreq = ops->update_send(frame, ev, gensec_security, in);
> -+ if (subreq == NULL) {
> -+ goto fail;
> -+ }
> -+ ok = tevent_req_poll_ntstatus(subreq, ev, &status);
> -+ if (!ok) {
> -+ goto fail;
> -+ }
> -+ status = ops->update_recv(subreq, out_mem_ctx, out);
> -+ fail:
> -+ TALLOC_FREE(frame);
> -+ return status;
> - }
> -
> - struct gensec_update_state {
> -- struct tevent_immediate *im;
> -+ const struct gensec_security_ops *ops;
> -+ struct tevent_req *subreq;
> - struct gensec_security *gensec_security;
> -- DATA_BLOB in;
> - DATA_BLOB out;
> -+
> -+ /*
> -+ * only for sync backends, we should remove this
> -+ * once all backends are async.
> -+ */
> -+ struct tevent_immediate *im;
> -+ DATA_BLOB in;
> - };
> -
> - static void gensec_update_async_trigger(struct tevent_context *ctx,
> - struct tevent_immediate *im,
> - void *private_data);
> -+static void gensec_update_subreq_done(struct tevent_req *subreq);
> -+
> - /**
> - * Next state function for the GENSEC state machine async version
> - *
> -@@ -298,17 +329,31 @@ _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
> - return NULL;
> - }
> -
> -- state->gensec_security = gensec_security;
> -- state->in = in;
> -- state->out = data_blob(NULL, 0);
> -- state->im = tevent_create_immediate(state);
> -- if (tevent_req_nomem(state->im, req)) {
> -+ state->ops = gensec_security->ops;
> -+ state->gensec_security = gensec_security;
> -+
> -+ if (state->ops->update_send == NULL) {
> -+ state->in = in;
> -+ state->im = tevent_create_immediate(state);
> -+ if (tevent_req_nomem(state->im, req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ tevent_schedule_immediate(state->im, ev,
> -+ gensec_update_async_trigger,
> -+ req);
> -+
> -+ return req;
> -+ }
> -+
> -+ state->subreq = state->ops->update_send(state, ev, gensec_security, in);
> -+ if (tevent_req_nomem(state->subreq, req)) {
> - return tevent_req_post(req, ev);
> - }
> -
> -- tevent_schedule_immediate(state->im, ev,
> -- gensec_update_async_trigger,
> -- req);
> -+ tevent_req_set_callback(state->subreq,
> -+ gensec_update_subreq_done,
> -+ req);
> -
> - return req;
> - }
> -@@ -323,12 +368,71 @@ static void gensec_update_async_trigger(struct tevent_context *ctx,
> - tevent_req_data(req, struct gensec_update_state);
> - NTSTATUS status;
> -
> -- status = gensec_update(state->gensec_security, state, ctx,
> -- state->in, &state->out);
> -+ status = state->ops->update(state->gensec_security, state, ctx,
> -+ state->in, &state->out);
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+
> -+ tevent_req_done(req);
> -+}
> -+
> -+static void gensec_update_subreq_done(struct tevent_req *subreq)
> -+{
> -+ struct tevent_req *req =
> -+ tevent_req_callback_data(subreq,
> -+ struct tevent_req);
> -+ struct gensec_update_state *state =
> -+ tevent_req_data(req,
> -+ struct gensec_update_state);
> -+ NTSTATUS status;
> -+
> -+ state->subreq = NULL;
> -+
> -+ status = state->ops->update_recv(subreq, state, &state->out);
> -+ TALLOC_FREE(subreq);
> - if (tevent_req_nterror(req, status)) {
> - return;
> - }
> -
> -+ /*
> -+ * Because callers using the
> -+ * gensec_start_mech_by_authtype() never call
> -+ * gensec_want_feature(), it isn't sensible for them
> -+ * to have to call gensec_have_feature() manually, and
> -+ * these are not points of negotiation, but are
> -+ * asserted by the client
> -+ */
> -+ switch (state->gensec_security->dcerpc_auth_level) {
> -+ case DCERPC_AUTH_LEVEL_INTEGRITY:
> -+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
> -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> -+ "SIGN for dcerpc auth_level %u\n",
> -+ state->gensec_security->dcerpc_auth_level));
> -+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
> -+ return;
> -+ }
> -+ break;
> -+ case DCERPC_AUTH_LEVEL_PRIVACY:
> -+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
> -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> -+ "SIGN for dcerpc auth_level %u\n",
> -+ state->gensec_security->dcerpc_auth_level));
> -+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
> -+ return;
> -+ }
> -+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SEAL)) {
> -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> -+ "SEAL for dcerpc auth_level %u\n",
> -+ state->gensec_security->dcerpc_auth_level));
> -+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
> -+ return;
> -+ }
> -+ break;
> -+ default:
> -+ break;
> -+ }
> -+
> - tevent_req_done(req);
> - }
> -
> -diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
> -index 41b6f0d..c04164a 100644
> ---- a/auth/gensec/gensec_internal.h
> -+++ b/auth/gensec/gensec_internal.h
> -@@ -40,6 +40,13 @@ struct gensec_security_ops {
> - NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> - struct tevent_context *ev,
> - const DATA_BLOB in, DATA_BLOB *out);
> -+ struct tevent_req *(*update_send)(TALLOC_CTX *mem_ctx,
> -+ struct tevent_context *ev,
> -+ struct gensec_security *gensec_security,
> -+ const DATA_BLOB in);
> -+ NTSTATUS (*update_recv)(struct tevent_req *req,
> -+ TALLOC_CTX *out_mem_ctx,
> -+ DATA_BLOB *out);
> - NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> - uint8_t *data, size_t length,
> - const uint8_t *whole_pdu, size_t pdu_length,
> ---
> -1.9.3
> -
> -
> -From aa559f2fc6f228fba268adafa92392dff8152747 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 5 Aug 2013 11:10:55 +0200
> -Subject: [PATCH 087/249] auth/gensec: use 'const char * const *' for function
> - parameters
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit c81b6f7448d7f945635784de645bea4f7f2e230f)
> ----
> - auth/gensec/gensec.h | 2 +-
> - auth/gensec/gensec_start.c | 2 +-
> - auth/gensec/spnego.c | 2 +-
> - 3 files changed, 3 insertions(+), 3 deletions(-)
> -
> -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> -index 5d39d81..d0bc451 100644
> ---- a/auth/gensec/gensec.h
> -+++ b/auth/gensec/gensec.h
> -@@ -184,7 +184,7 @@ struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gense
> - const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> - struct gensec_security *gensec_security,
> - TALLOC_CTX *mem_ctx,
> -- const char **oid_strings,
> -+ const char * const *oid_strings,
> - const char *skip);
> - const char **gensec_security_oids(struct gensec_security *gensec_security,
> - TALLOC_CTX *mem_ctx,
> -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> -index 00e2759..2874c13 100644
> ---- a/auth/gensec/gensec_start.c
> -+++ b/auth/gensec/gensec_start.c
> -@@ -373,7 +373,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
> - _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> - struct gensec_security *gensec_security,
> - TALLOC_CTX *mem_ctx,
> -- const char **oid_strings,
> -+ const char * const *oid_strings,
> - const char *skip)
> - {
> - struct gensec_security_ops_wrapper *backends_out;
> -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
> -index 38a45f8..0eb6da1 100644
> ---- a/auth/gensec/spnego.c
> -+++ b/auth/gensec/spnego.c
> -@@ -417,7 +417,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
> - struct spnego_state *spnego_state,
> - TALLOC_CTX *out_mem_ctx,
> - struct tevent_context *ev,
> -- const char **mechType,
> -+ const char * const *mechType,
> - const DATA_BLOB unwrapped_in, DATA_BLOB *unwrapped_out)
> - {
> - int i;
> ---
> -1.9.3
> -
> -
> -From a2e14962e1eeebaac2fb4539794a454b0f486869 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 5 Aug 2013 11:20:21 +0200
> -Subject: [PATCH 088/249] auth/gensec: treat struct gensec_security_ops as
> - const if possible.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 966faef9c61d2ec02d75fc3ccc82a61524fb77e4)
> ----
> - auth/gensec/gensec.h | 14 +++++-----
> - auth/gensec/gensec_start.c | 52 ++++++++++++++++++++------------------
> - auth/gensec/spnego.c | 8 +++---
> - source3/auth/auth_generic.c | 15 ++++++-----
> - source3/libads/authdata.c | 11 ++++----
> - source3/libsmb/auth_generic.c | 15 ++++++-----
> - source3/utils/ntlm_auth.c | 22 ++++++++--------
> - source4/ldap_server/ldap_backend.c | 4 +--
> - 8 files changed, 75 insertions(+), 66 deletions(-)
> -
> -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> -index d0bc451..ac1fadf 100644
> ---- a/auth/gensec/gensec.h
> -+++ b/auth/gensec/gensec.h
> -@@ -85,7 +85,7 @@ struct gensec_settings {
> - /* this allows callers to specify a specific set of ops that
> - * should be used, rather than those loaded by the plugin
> - * mechanism */
> -- struct gensec_security_ops **backends;
> -+ const struct gensec_security_ops * const *backends;
> -
> - /* To fill in our own name in the NTLMSSP server */
> - const char *server_dns_domain;
> -@@ -179,7 +179,7 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec
> - const struct gensec_security_ops *gensec_security_by_auth_type(
> - struct gensec_security *gensec_security,
> - uint32_t auth_type);
> --struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
> -+const struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
> - TALLOC_CTX *mem_ctx);
> - const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> - struct gensec_security *gensec_security,
> -@@ -243,11 +243,11 @@ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
> - const DATA_BLOB *in,
> - DATA_BLOB *out);
> -
> --struct gensec_security_ops **gensec_security_all(void);
> --bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security);
> --struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
> -- struct gensec_security_ops **old_gensec_list,
> -- struct cli_credentials *creds);
> -+const struct gensec_security_ops * const *gensec_security_all(void);
> -+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security);
> -+const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
> -+ const struct gensec_security_ops * const *old_gensec_list,
> -+ struct cli_credentials *creds);
> -
> - NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
> - const char *sasl_name);
> -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> -index 2874c13..3ae64d5 100644
> ---- a/auth/gensec/gensec_start.c
> -+++ b/auth/gensec/gensec_start.c
> -@@ -33,17 +33,17 @@
> - #include "lib/util/samba_modules.h"
> -
> - /* the list of currently registered GENSEC backends */
> --static struct gensec_security_ops **generic_security_ops;
> -+static const struct gensec_security_ops **generic_security_ops;
> - static int gensec_num_backends;
> -
> - /* Return all the registered mechs. Don't modify the return pointer,
> -- * but you may talloc_reference it if convient */
> --_PUBLIC_ struct gensec_security_ops **gensec_security_all(void)
> -+ * but you may talloc_referen it if convient */
> -+_PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void)
> - {
> - return generic_security_ops;
> - }
> -
> --bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
> -+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
> - {
> - return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
> - }
> -@@ -68,11 +68,11 @@ bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_
> - * more compplex.
> - */
> -
> --_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
> -- struct gensec_security_ops **old_gensec_list,
> -- struct cli_credentials *creds)
> -+_PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
> -+ const struct gensec_security_ops * const *old_gensec_list,
> -+ struct cli_credentials *creds)
> - {
> -- struct gensec_security_ops **new_gensec_list;
> -+ const struct gensec_security_ops **new_gensec_list;
> - int i, j, num_mechs_in;
> - enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
> -
> -@@ -84,7 +84,9 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
> - /* noop */
> - }
> -
> -- new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1);
> -+ new_gensec_list = talloc_array(mem_ctx,
> -+ const struct gensec_security_ops *,
> -+ num_mechs_in + 1);
> - if (!new_gensec_list) {
> - return NULL;
> - }
> -@@ -136,12 +138,12 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
> - return new_gensec_list;
> - }
> -
> --_PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
> -+_PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
> - struct gensec_security *gensec_security,
> - TALLOC_CTX *mem_ctx)
> - {
> - struct cli_credentials *creds = NULL;
> -- struct gensec_security_ops **backends = gensec_security_all();
> -+ const struct gensec_security_ops * const *backends = gensec_security_all();
> -
> - if (gensec_security != NULL) {
> - creds = gensec_get_credentials(gensec_security);
> -@@ -159,7 +161,7 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
> - uint8_t auth_type)
> - {
> - int i;
> -- struct gensec_security_ops **backends;
> -+ const struct gensec_security_ops **backends;
> - const struct gensec_security_ops *backend;
> - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> - if (!mem_ctx) {
> -@@ -185,7 +187,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
> - const char *oid_string)
> - {
> - int i, j;
> -- struct gensec_security_ops **backends;
> -+ const struct gensec_security_ops **backends;
> - const struct gensec_security_ops *backend;
> - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> - if (!mem_ctx) {
> -@@ -218,7 +220,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
> - const char *sasl_name)
> - {
> - int i;
> -- struct gensec_security_ops **backends;
> -+ const struct gensec_security_ops **backends;
> - const struct gensec_security_ops *backend;
> - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> - if (!mem_ctx) {
> -@@ -245,7 +247,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
> - uint32_t auth_type)
> - {
> - int i;
> -- struct gensec_security_ops **backends;
> -+ const struct gensec_security_ops **backends;
> - const struct gensec_security_ops *backend;
> - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> - if (!mem_ctx) {
> -@@ -270,7 +272,7 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s
> - const char *name)
> - {
> - int i;
> -- struct gensec_security_ops **backends;
> -+ const struct gensec_security_ops **backends;
> - const struct gensec_security_ops *backend;
> - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> - if (!mem_ctx) {
> -@@ -306,7 +308,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
> - const char **sasl_names)
> - {
> - const struct gensec_security_ops **backends_out;
> -- struct gensec_security_ops **backends;
> -+ const struct gensec_security_ops **backends;
> - int i, k, sasl_idx;
> - int num_backends_out = 0;
> -
> -@@ -377,7 +379,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> - const char *skip)
> - {
> - struct gensec_security_ops_wrapper *backends_out;
> -- struct gensec_security_ops **backends;
> -+ const struct gensec_security_ops **backends;
> - int i, j, k, oid_idx;
> - int num_backends_out = 0;
> -
> -@@ -451,7 +453,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> - static const char **gensec_security_oids_from_ops(
> - struct gensec_security *gensec_security,
> - TALLOC_CTX *mem_ctx,
> -- struct gensec_security_ops **ops,
> -+ const struct gensec_security_ops * const *ops,
> - const char *skip)
> - {
> - int i;
> -@@ -542,8 +544,10 @@ _PUBLIC_ const char **gensec_security_oids(struct gensec_security *gensec_securi
> - TALLOC_CTX *mem_ctx,
> - const char *skip)
> - {
> -- struct gensec_security_ops **ops
> -- = gensec_security_mechs(gensec_security, mem_ctx);
> -+ const struct gensec_security_ops **ops;
> -+
> -+ ops = gensec_security_mechs(gensec_security, mem_ctx);
> -+
> - return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
> - }
> -
> -@@ -876,13 +880,13 @@ _PUBLIC_ NTSTATUS gensec_register(const struct gensec_security_ops *ops)
> -
> - generic_security_ops = talloc_realloc(talloc_autofree_context(),
> - generic_security_ops,
> -- struct gensec_security_ops *,
> -+ const struct gensec_security_ops *,
> - gensec_num_backends+2);
> - if (!generic_security_ops) {
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- generic_security_ops[gensec_num_backends] = discard_const_p(struct gensec_security_ops, ops);
> -+ generic_security_ops[gensec_num_backends] = ops;
> - gensec_num_backends++;
> - generic_security_ops[gensec_num_backends] = NULL;
> -
> -@@ -908,7 +912,7 @@ _PUBLIC_ const struct gensec_critical_sizes *gensec_interface_version(void)
> - return &critical_sizes;
> - }
> -
> --static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ops **gs2) {
> -+static int sort_gensec(const struct gensec_security_ops **gs1, const struct gensec_security_ops **gs2) {
> - return (*gs2)->priority - (*gs1)->priority;
> - }
> -
> -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
> -index 0eb6da1..d90a50c 100644
> ---- a/auth/gensec/spnego.c
> -+++ b/auth/gensec/spnego.c
> -@@ -352,9 +352,11 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
> - const DATA_BLOB in, DATA_BLOB *out)
> - {
> - int i,j;
> -- struct gensec_security_ops **all_ops
> -- = gensec_security_mechs(gensec_security, out_mem_ctx);
> -- for (i=0; all_ops[i]; i++) {
> -+ const struct gensec_security_ops **all_ops;
> -+
> -+ all_ops = gensec_security_mechs(gensec_security, out_mem_ctx);
> -+
> -+ for (i=0; all_ops && all_ops[i]; i++) {
> - bool is_spnego;
> - NTSTATUS nt_status;
> -
> -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> -index a2ba4e3..e15c87e 100644
> ---- a/source3/auth/auth_generic.c
> -+++ b/source3/auth/auth_generic.c
> -@@ -203,6 +203,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> - return nt_status;
> - }
> - } else {
> -+ const struct gensec_security_ops **backends = NULL;
> - struct gensec_settings *gensec_settings;
> - struct loadparm_context *lp_ctx;
> - size_t idx = 0;
> -@@ -259,24 +260,24 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- gensec_settings->backends = talloc_zero_array(gensec_settings,
> -- struct gensec_security_ops *, 4);
> -- if (gensec_settings->backends == NULL) {
> -+ backends = talloc_zero_array(gensec_settings,
> -+ const struct gensec_security_ops *, 4);
> -+ if (backends == NULL) {
> - TALLOC_FREE(tmp_ctx);
> - return NT_STATUS_NO_MEMORY;
> - }
> -+ gensec_settings->backends = backends;
> -
> - gensec_init();
> -
> - /* These need to be in priority order, krb5 before NTLMSSP */
> - #if defined(HAVE_KRB5)
> -- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
> -+ backends[idx++] = &gensec_gse_krb5_security_ops;
> - #endif
> -
> -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
> -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
> -
> -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
> -- GENSEC_OID_SPNEGO);
> -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> -
> - /*
> - * This is anonymous for now, because we just use it
> -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> -index 582917d..801e551 100644
> ---- a/source3/libads/authdata.c
> -+++ b/source3/libads/authdata.c
> -@@ -111,7 +111,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - const char *cc = "MEMORY:kerberos_return_pac";
> - struct auth_session_info *session_info;
> - struct gensec_security *gensec_server_context;
> --
> -+ const struct gensec_security_ops **backends;
> - struct gensec_settings *gensec_settings;
> - size_t idx = 0;
> - struct auth4_context *auth_context;
> -@@ -230,16 +230,17 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> - goto out;
> - }
> -
> -- gensec_settings->backends = talloc_zero_array(gensec_settings,
> -- struct gensec_security_ops *, 2);
> -- if (gensec_settings->backends == NULL) {
> -+ backends = talloc_zero_array(gensec_settings,
> -+ const struct gensec_security_ops *, 2);
> -+ if (backends == NULL) {
> - status = NT_STATUS_NO_MEMORY;
> - goto out;
> - }
> -+ gensec_settings->backends = backends;
> -
> - gensec_init();
> -
> -- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
> -+ backends[idx++] = &gensec_gse_krb5_security_ops;
> -
> - status = gensec_server_start(tmp_ctx, gensec_settings,
> - auth_context, &gensec_server_context);
> -diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
> -index ba0a0ce..e30c1b7 100644
> ---- a/source3/libsmb/auth_generic.c
> -+++ b/source3/libsmb/auth_generic.c
> -@@ -54,6 +54,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
> - NTSTATUS nt_status;
> - size_t idx = 0;
> - struct gensec_settings *gensec_settings;
> -+ const struct gensec_security_ops **backends = NULL;
> - struct loadparm_context *lp_ctx;
> -
> - ans = talloc_zero(mem_ctx, struct auth_generic_state);
> -@@ -76,24 +77,24 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- gensec_settings->backends = talloc_zero_array(gensec_settings,
> -- struct gensec_security_ops *, 4);
> -- if (gensec_settings->backends == NULL) {
> -+ backends = talloc_zero_array(gensec_settings,
> -+ const struct gensec_security_ops *, 4);
> -+ if (backends == NULL) {
> - TALLOC_FREE(ans);
> - return NT_STATUS_NO_MEMORY;
> - }
> -+ gensec_settings->backends = backends;
> -
> - gensec_init();
> -
> - /* These need to be in priority order, krb5 before NTLMSSP */
> - #if defined(HAVE_KRB5)
> -- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
> -+ backends[idx++] = &gensec_gse_krb5_security_ops;
> - #endif
> -
> -- gensec_settings->backends[idx++] = &gensec_ntlmssp3_client_ops;
> -+ backends[idx++] = &gensec_ntlmssp3_client_ops;
> -
> -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
> -- GENSEC_OID_SPNEGO);
> -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> -
> - nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
> -
> -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> -index 5fcb60e..25e717c 100644
> ---- a/source3/utils/ntlm_auth.c
> -+++ b/source3/utils/ntlm_auth.c
> -@@ -1035,7 +1035,7 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
> - NTSTATUS nt_status;
> -
> - TALLOC_CTX *tmp_ctx;
> --
> -+ const struct gensec_security_ops **backends;
> - struct gensec_settings *gensec_settings;
> - size_t idx = 0;
> - struct cli_credentials *server_credentials;
> -@@ -1079,26 +1079,26 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
> - gensec_settings->server_dns_name = strlower_talloc(gensec_settings,
> - get_mydnsfullname());
> -
> -- gensec_settings->backends = talloc_zero_array(gensec_settings,
> -- struct gensec_security_ops *, 4);
> -+ backends = talloc_zero_array(gensec_settings,
> -+ const struct gensec_security_ops *, 4);
> -
> -- if (gensec_settings->backends == NULL) {
> -+ if (backends == NULL) {
> - TALLOC_FREE(tmp_ctx);
> - return NT_STATUS_NO_MEMORY;
> - }
> --
> -+ gensec_settings->backends = backends;
> -+
> - gensec_init();
> -
> - /* These need to be in priority order, krb5 before NTLMSSP */
> - #if defined(HAVE_KRB5)
> -- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
> -+ backends[idx++] = &gensec_gse_krb5_security_ops;
> - #endif
> --
> -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
> -
> -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
> -- GENSEC_OID_SPNEGO);
> --
> -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
> -+
> -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> -+
> - /*
> - * This is anonymous for now, because we just use it
> - * to set the kerberos state at the moment
> -diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
> -index f0da82c..3432594 100644
> ---- a/source4/ldap_server/ldap_backend.c
> -+++ b/source4/ldap_server/ldap_backend.c
> -@@ -192,8 +192,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
> -
> - if (conn->server_credentials) {
> - char **sasl_mechs = NULL;
> -- struct gensec_security_ops **backends = gensec_security_all();
> -- struct gensec_security_ops **ops
> -+ const struct gensec_security_ops * const *backends = gensec_security_all();
> -+ const struct gensec_security_ops **ops
> - = gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
> - unsigned int i, j = 0;
> - for (i = 0; ops && ops[i]; i++) {
> ---
> -1.9.3
> -
> -
> -From 6a58d4f4cb60bf25c1493ef0aedd5978abc06969 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 5 Aug 2013 10:43:38 +0200
> -Subject: [PATCH 089/249] libcli/auth: avoid possible mem leak in
> - read_negTokenInit()
> -
> -Also add error checks.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit f1e60142e12deb560e3c62441fd9ff2acd086b60)
> ----
> - libcli/auth/spnego_parse.c | 19 +++++++++++++++----
> - 1 file changed, 15 insertions(+), 4 deletions(-)
> -
> -diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
> -index 3bf7aea..2c73613 100644
> ---- a/libcli/auth/spnego_parse.c
> -+++ b/libcli/auth/spnego_parse.c
> -@@ -46,13 +46,24 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
> - asn1_start_tag(asn1, ASN1_CONTEXT(0));
> - asn1_start_tag(asn1, ASN1_SEQUENCE(0));
> -
> -- token->mechTypes = talloc(NULL, const char *);
> -+ token->mechTypes = talloc(mem_ctx, const char *);
> -+ if (token->mechTypes == NULL) {
> -+ asn1->has_error = true;
> -+ return false;
> -+ }
> - for (i = 0; !asn1->has_error &&
> - 0 < asn1_tag_remaining(asn1); i++) {
> - char *oid;
> -- token->mechTypes = talloc_realloc(NULL,
> -- token->mechTypes,
> -- const char *, i+2);
> -+ const char **p;
> -+ p = talloc_realloc(mem_ctx,
> -+ token->mechTypes,
> -+ const char *, i+2);
> -+ if (p == NULL) {
> -+ TALLOC_FREE(token->mechTypes);
> -+ asn1->has_error = true;
> -+ return false;
> -+ }
> -+ token->mechTypes = p;
> - asn1_read_OID(asn1, token->mechTypes, &oid);
> - token->mechTypes[i] = oid;
> - }
> ---
> -1.9.3
> -
> -
> -From 8835471a993521e49aa48ef55f324874e1933108 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 5 Aug 2013 10:46:47 +0200
> -Subject: [PATCH 090/249] libcli/auth: add more const to
> - spnego_negTokenInit->mechTypes
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -
> -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> -Autobuild-Date(master): Sat Aug 10 11:11:54 CEST 2013 on sn-devel-104
> -(cherry picked from commit 9177a0d1c1c92c45ef92fbda55fc6dd8aeb76b6c)
> ----
> - libcli/auth/spnego.h | 2 +-
> - libcli/auth/spnego_parse.c | 27 ++++++++++++++++-----------
> - libcli/auth/spnego_proto.h | 2 +-
> - source3/utils/ntlm_auth.c | 2 +-
> - 4 files changed, 19 insertions(+), 14 deletions(-)
> -
> -diff --git a/libcli/auth/spnego.h b/libcli/auth/spnego.h
> -index 9a93f2e..539b903 100644
> ---- a/libcli/auth/spnego.h
> -+++ b/libcli/auth/spnego.h
> -@@ -49,7 +49,7 @@ enum spnego_negResult {
> - };
> -
> - struct spnego_negTokenInit {
> -- const char **mechTypes;
> -+ const char * const *mechTypes;
> - DATA_BLOB reqFlags;
> - uint8_t reqFlagsPadding;
> - DATA_BLOB mechToken;
> -diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
> -index 2c73613..b1ca07d 100644
> ---- a/libcli/auth/spnego_parse.c
> -+++ b/libcli/auth/spnego_parse.c
> -@@ -42,12 +42,14 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
> -
> - switch (context) {
> - /* Read mechTypes */
> -- case ASN1_CONTEXT(0):
> -+ case ASN1_CONTEXT(0): {
> -+ const char **mechTypes;
> -+
> - asn1_start_tag(asn1, ASN1_CONTEXT(0));
> - asn1_start_tag(asn1, ASN1_SEQUENCE(0));
> -
> -- token->mechTypes = talloc(mem_ctx, const char *);
> -- if (token->mechTypes == NULL) {
> -+ mechTypes = talloc(mem_ctx, const char *);
> -+ if (mechTypes == NULL) {
> - asn1->has_error = true;
> - return false;
> - }
> -@@ -56,22 +58,25 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
> - char *oid;
> - const char **p;
> - p = talloc_realloc(mem_ctx,
> -- token->mechTypes,
> -+ mechTypes,
> - const char *, i+2);
> - if (p == NULL) {
> -- TALLOC_FREE(token->mechTypes);
> -+ talloc_free(mechTypes);
> - asn1->has_error = true;
> - return false;
> - }
> -- token->mechTypes = p;
> -- asn1_read_OID(asn1, token->mechTypes, &oid);
> -- token->mechTypes[i] = oid;
> -+ mechTypes = p;
> -+
> -+ asn1_read_OID(asn1, mechTypes, &oid);
> -+ mechTypes[i] = oid;
> - }
> -- token->mechTypes[i] = NULL;
> -+ mechTypes[i] = NULL;
> -+ token->mechTypes = mechTypes;
> -
> - asn1_end_tag(asn1);
> - asn1_end_tag(asn1);
> - break;
> -+ }
> - /* Read reqFlags */
> - case ASN1_CONTEXT(1):
> - asn1_start_tag(asn1, ASN1_CONTEXT(1));
> -@@ -366,7 +371,7 @@ bool spnego_free_data(struct spnego_data *spnego)
> - switch(spnego->type) {
> - case SPNEGO_NEG_TOKEN_INIT:
> - if (spnego->negTokenInit.mechTypes) {
> -- talloc_free(spnego->negTokenInit.mechTypes);
> -+ talloc_free(discard_const(spnego->negTokenInit.mechTypes));
> - }
> - data_blob_free(&spnego->negTokenInit.reqFlags);
> - data_blob_free(&spnego->negTokenInit.mechToken);
> -@@ -390,7 +395,7 @@ out:
> - }
> -
> - bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
> -- const char **mech_types,
> -+ const char * const *mech_types,
> - DATA_BLOB *blob)
> - {
> - struct asn1_data *asn1 = asn1_init(mem_ctx);
> -diff --git a/libcli/auth/spnego_proto.h b/libcli/auth/spnego_proto.h
> -index 5fd5e59..c0fa934 100644
> ---- a/libcli/auth/spnego_proto.h
> -+++ b/libcli/auth/spnego_proto.h
> -@@ -24,5 +24,5 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
> - ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_data *spnego);
> - bool spnego_free_data(struct spnego_data *spnego);
> - bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
> -- const char **mech_types,
> -+ const char * const *mech_types,
> - DATA_BLOB *blob);
> -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> -index 25e717c..1df615c 100644
> ---- a/source3/utils/ntlm_auth.c
> -+++ b/source3/utils/ntlm_auth.c
> -@@ -2058,7 +2058,7 @@ static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper
> -
> - /* The server offers a list of mechanisms */
> -
> -- const char **mechType = (const char **)spnego.negTokenInit.mechTypes;
> -+ const char *const *mechType = spnego.negTokenInit.mechTypes;
> -
> - while (*mechType != NULL) {
> -
> ---
> -1.9.3
> -
> -
> -From c06bb0c3d2c032f8b4848c75baa1fd900650866a Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 9 Aug 2013 10:15:05 +0200
> -Subject: [PATCH 091/249] auth/credentials: make sure
> - cli_credentials_get_nt_hash() always returns a talloc object
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - auth/credentials/credentials.c | 19 ++++++++++++++-----
> - auth/credentials/credentials.h | 4 ++--
> - 2 files changed, 16 insertions(+), 7 deletions(-)
> -
> -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> -index be497bc..57a7c0b 100644
> ---- a/auth/credentials/credentials.c
> -+++ b/auth/credentials/credentials.c
> -@@ -471,8 +471,8 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
> - * @param cred credentials context
> - * @retval If set, the cleartext password, otherwise NULL
> - */
> --_PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
> -- TALLOC_CTX *mem_ctx)
> -+_PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
> -+ TALLOC_CTX *mem_ctx)
> - {
> - const char *password = cli_credentials_get_password(cred);
> -
> -@@ -481,13 +481,22 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred
> - if (!nt_hash) {
> - return NULL;
> - }
> --
> -+
> - E_md4hash(password, nt_hash->hash);
> -
> - return nt_hash;
> -- } else {
> -- return cred->nt_hash;
> -+ } else if (cred->nt_hash != NULL) {
> -+ struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
> -+ if (!nt_hash) {
> -+ return NULL;
> -+ }
> -+
> -+ *nt_hash = *cred->nt_hash;
> -+
> -+ return nt_hash;
> - }
> -+
> -+ return NULL;
> - }
> -
> - /**
> -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
> -index cb09dc3..766a513 100644
> ---- a/auth/credentials/credentials.h
> -+++ b/auth/credentials/credentials.h
> -@@ -141,8 +141,8 @@ bool cli_credentials_set_password(struct cli_credentials *cred,
> - enum credentials_obtained obtained);
> - struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
> - void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
> --const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
> -- TALLOC_CTX *mem_ctx);
> -+struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
> -+ TALLOC_CTX *mem_ctx);
> - bool cli_credentials_set_realm(struct cli_credentials *cred,
> - const char *val,
> - enum credentials_obtained obtained);
> ---
> -1.9.3
> -
> -
> -From 8a3ed9f72ef9f9de32da4d454b866d64eb24ee17 Mon Sep 17 00:00:00 2001
> -From: Howard Chu <hyc@symas.com>
> -Date: Tue, 17 Sep 2013 13:09:50 -0700
> -Subject: [PATCH 092/249] Add SASL/EXTERNAL gensec module
> -
> -Signed-off-by: Howard Chu <hyc@symas.com>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
> -(cherry picked from commit 6bf59b03d72b94b71e53fc2404c11e0d237e41b2)
> ----
> - auth/gensec/external.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++
> - auth/gensec/gensec.h | 3 +-
> - auth/gensec/wscript_build | 7 ++++
> - 3 files changed, 91 insertions(+), 1 deletion(-)
> - create mode 100644 auth/gensec/external.c
> -
> -diff --git a/auth/gensec/external.c b/auth/gensec/external.c
> -new file mode 100644
> -index 0000000..a26e435
> ---- /dev/null
> -+++ b/auth/gensec/external.c
> -@@ -0,0 +1,82 @@
> -+/*
> -+ Unix SMB/CIFS implementation.
> -+
> -+ SASL/EXTERNAL authentication.
> -+
> -+ Copyright (C) Howard Chu <hyc@symas.com> 2013
> -+
> -+ This program is free software; you can redistribute it and/or modify
> -+ it under the terms of the GNU General Public License as published by
> -+ the Free Software Foundation; either version 3 of the License, or
> -+ (at your option) any later version.
> -+
> -+ This program is distributed in the hope that it will be useful,
> -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -+ GNU General Public License for more details.
> -+
> -+ You should have received a copy of the GNU General Public License
> -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> -+*/
> -+
> -+#include "includes.h"
> -+#include "auth/credentials/credentials.h"
> -+#include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> -+#include "auth/gensec/gensec_proto.h"
> -+#include "auth/gensec/gensec_toplevel_proto.h"
> -+
> -+/* SASL/EXTERNAL is essentially a no-op; it is only usable when the transport
> -+ * layer is already mutually authenticated.
> -+ */
> -+
> -+NTSTATUS gensec_external_init(void);
> -+
> -+static NTSTATUS gensec_external_start(struct gensec_security *gensec_security)
> -+{
> -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN)
> -+ return NT_STATUS_INVALID_PARAMETER;
> -+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL)
> -+ return NT_STATUS_INVALID_PARAMETER;
> -+
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+static NTSTATUS gensec_external_update(struct gensec_security *gensec_security,
> -+ TALLOC_CTX *out_mem_ctx,
> -+ struct tevent_context *ev,
> -+ const DATA_BLOB in, DATA_BLOB *out)
> -+{
> -+ *out = data_blob_talloc(out_mem_ctx, "", 0);
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+/* We have no features */
> -+static bool gensec_external_have_feature(struct gensec_security *gensec_security,
> -+ uint32_t feature)
> -+{
> -+ return false;
> -+}
> -+
> -+static const struct gensec_security_ops gensec_external_ops = {
> -+ .name = "sasl-EXTERNAL",
> -+ .sasl_name = "EXTERNAL",
> -+ .client_start = gensec_external_start,
> -+ .update = gensec_external_update,
> -+ .have_feature = gensec_external_have_feature,
> -+ .enabled = true,
> -+ .priority = GENSEC_EXTERNAL
> -+};
> -+
> -+
> -+NTSTATUS gensec_external_init(void)
> -+{
> -+ NTSTATUS ret;
> -+
> -+ ret = gensec_register(&gensec_external_ops);
> -+ if (!NT_STATUS_IS_OK(ret)) {
> -+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
> -+ gensec_external_ops.name));
> -+ }
> -+ return ret;
> -+}
> -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> -index ac1fadf..6974f87 100644
> ---- a/auth/gensec/gensec.h
> -+++ b/auth/gensec/gensec.h
> -@@ -41,7 +41,8 @@ enum gensec_priority {
> - GENSEC_SCHANNEL = 60,
> - GENSEC_NTLMSSP = 50,
> - GENSEC_SASL = 20,
> -- GENSEC_OTHER = 0
> -+ GENSEC_OTHER = 10,
> -+ GENSEC_EXTERNAL = 0
> - };
> -
> - struct gensec_security;
> -diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
> -index fcd74a3..71222f7 100755
> ---- a/auth/gensec/wscript_build
> -+++ b/auth/gensec/wscript_build
> -@@ -16,3 +16,10 @@ bld.SAMBA_MODULE('gensec_spnego',
> - init_function='gensec_spnego_init',
> - deps='asn1util samba-credentials SPNEGO_PARSE'
> - )
> -+
> -+bld.SAMBA_MODULE('gensec_external',
> -+ source='external.c',
> -+ autoproto='external_proto.h',
> -+ subsystem='gensec',
> -+ init_function='gensec_external_init'
> -+ )
> ---
> -1.9.3
> -
> -
> -From 75d9566940069ebeb367191ec6a6641bf7d45a83 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 18 Sep 2013 17:24:10 +0200
> -Subject: [PATCH 093/249] gensec: move schannel module to toplevel.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 4d2ec9e37ee9dcf7b521806a1c0aabdffe524d47)
> ----
> - auth/gensec/schannel.c | 330 ++++++++++++++++++++++++++++++++++++++
> - auth/gensec/wscript_build | 8 +
> - source4/auth/gensec/schannel.c | 330 --------------------------------------
> - source4/auth/gensec/wscript_build | 10 --
> - 4 files changed, 338 insertions(+), 340 deletions(-)
> - create mode 100644 auth/gensec/schannel.c
> - delete mode 100644 source4/auth/gensec/schannel.c
> -
> -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
> -new file mode 100644
> -index 0000000..eb2e100
> ---- /dev/null
> -+++ b/auth/gensec/schannel.c
> -@@ -0,0 +1,330 @@
> -+/*
> -+ Unix SMB/CIFS implementation.
> -+
> -+ dcerpc schannel operations
> -+
> -+ Copyright (C) Andrew Tridgell 2004
> -+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
> -+
> -+ This program is free software; you can redistribute it and/or modify
> -+ it under the terms of the GNU General Public License as published by
> -+ the Free Software Foundation; either version 3 of the License, or
> -+ (at your option) any later version.
> -+
> -+ This program is distributed in the hope that it will be useful,
> -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -+ GNU General Public License for more details.
> -+
> -+ You should have received a copy of the GNU General Public License
> -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> -+*/
> -+
> -+#include "includes.h"
> -+#include "librpc/gen_ndr/ndr_schannel.h"
> -+#include "auth/auth.h"
> -+#include "auth/credentials/credentials.h"
> -+#include "auth/gensec/gensec.h"
> -+#include "auth/gensec/gensec_internal.h"
> -+#include "auth/gensec/gensec_proto.h"
> -+#include "../libcli/auth/schannel.h"
> -+#include "librpc/gen_ndr/dcerpc.h"
> -+#include "param/param.h"
> -+#include "auth/gensec/gensec_toplevel_proto.h"
> -+
> -+_PUBLIC_ NTSTATUS gensec_schannel_init(void);
> -+
> -+static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
> -+{
> -+ struct schannel_state *state =
> -+ talloc_get_type_abort(gensec_security->private_data,
> -+ struct schannel_state);
> -+
> -+ return netsec_outgoing_sig_size(state);
> -+}
> -+
> -+static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> -+ struct tevent_context *ev,
> -+ const DATA_BLOB in, DATA_BLOB *out)
> -+{
> -+ struct schannel_state *state =
> -+ talloc_get_type(gensec_security->private_data,
> -+ struct schannel_state);
> -+ NTSTATUS status;
> -+ enum ndr_err_code ndr_err;
> -+ struct NL_AUTH_MESSAGE bind_schannel;
> -+ struct NL_AUTH_MESSAGE bind_schannel_ack;
> -+ struct netlogon_creds_CredentialState *creds;
> -+ const char *workstation;
> -+ const char *domain;
> -+
> -+ *out = data_blob(NULL, 0);
> -+
> -+ switch (gensec_security->gensec_role) {
> -+ case GENSEC_CLIENT:
> -+ if (state != NULL) {
> -+ /* we could parse the bind ack, but we don't know what it is yet */
> -+ return NT_STATUS_OK;
> -+ }
> -+
> -+ creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
> -+ if (creds == NULL) {
> -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> -+ }
> -+
> -+ state = netsec_create_state(gensec_security,
> -+ creds, true /* initiator */);
> -+ if (state == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ gensec_security->private_data = state;
> -+
> -+ bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
> -+#if 0
> -+ /* to support this we'd need to have access to the full domain name */
> -+ /* 0x17, 23 */
> -+ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> -+ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
> -+ NL_FLAG_UTF8_DNS_DOMAIN_NAME |
> -+ NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
> -+ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> -+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
> -+ bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
> -+ /* w2k3 refuses us if we use the full DNS workstation?
> -+ why? perhaps because we don't fill in the dNSHostName
> -+ attribute in the machine account? */
> -+ bind_schannel.utf8_netbios_computer = creds->computer_name;
> -+#else
> -+ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> -+ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> -+ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> -+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
> -+#endif
> -+
> -+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
> -+ (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -+ status = ndr_map_error2ntstatus(ndr_err);
> -+ DEBUG(3, ("Could not create schannel bind: %s\n",
> -+ nt_errstr(status)));
> -+ return status;
> -+ }
> -+
> -+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
> -+ case GENSEC_SERVER:
> -+
> -+ if (state != NULL) {
> -+ /* no third leg on this protocol */
> -+ return NT_STATUS_INVALID_PARAMETER;
> -+ }
> -+
> -+ /* parse the schannel startup blob */
> -+ ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
> -+ (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
> -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -+ status = ndr_map_error2ntstatus(ndr_err);
> -+ DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
> -+ nt_errstr(status)));
> -+ return status;
> -+ }
> -+
> -+ if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
> -+ domain = bind_schannel.oem_netbios_domain.a;
> -+ if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
> -+ DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
> -+ domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
> -+ return NT_STATUS_LOGON_FAILURE;
> -+ }
> -+ } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
> -+ domain = bind_schannel.utf8_dns_domain.u;
> -+ if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
> -+ DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
> -+ domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
> -+ return NT_STATUS_LOGON_FAILURE;
> -+ }
> -+ } else {
> -+ DEBUG(3, ("Request for schannel to without domain\n"));
> -+ return NT_STATUS_LOGON_FAILURE;
> -+ }
> -+
> -+ if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
> -+ workstation = bind_schannel.oem_netbios_computer.a;
> -+ } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
> -+ workstation = bind_schannel.utf8_netbios_computer.u;
> -+ } else {
> -+ DEBUG(3, ("Request for schannel to without netbios workstation\n"));
> -+ return NT_STATUS_LOGON_FAILURE;
> -+ }
> -+
> -+ status = schannel_get_creds_state(out_mem_ctx,
> -+ gensec_security->settings->lp_ctx,
> -+ workstation, &creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
> -+ workstation, nt_errstr(status)));
> -+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
> -+ return NT_STATUS_LOGON_FAILURE;
> -+ }
> -+ return status;
> -+ }
> -+
> -+ state = netsec_create_state(gensec_security,
> -+ creds, false /* not initiator */);
> -+ if (state == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ gensec_security->private_data = state;
> -+
> -+ bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
> -+ bind_schannel_ack.Flags = 0;
> -+ bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
> -+ * this does not have
> -+ * any meaning here
> -+ * - gd */
> -+
> -+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
> -+ (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -+ status = ndr_map_error2ntstatus(ndr_err);
> -+ DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
> -+ workstation, nt_errstr(status)));
> -+ return status;
> -+ }
> -+
> -+ return NT_STATUS_OK;
> -+ }
> -+ return NT_STATUS_INVALID_PARAMETER;
> -+}
> -+
> -+/**
> -+ * Returns anonymous credentials for schannel, matching Win2k3.
> -+ *
> -+ */
> -+
> -+static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct auth_session_info **_session_info)
> -+{
> -+ return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
> -+}
> -+
> -+static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
> -+{
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
> -+{
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+static bool schannel_have_feature(struct gensec_security *gensec_security,
> -+ uint32_t feature)
> -+{
> -+ if (feature & (GENSEC_FEATURE_SIGN |
> -+ GENSEC_FEATURE_SEAL)) {
> -+ return true;
> -+ }
> -+ if (feature & GENSEC_FEATURE_DCE_STYLE) {
> -+ return true;
> -+ }
> -+ return false;
> -+}
> -+
> -+/*
> -+ unseal a packet
> -+*/
> -+static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
> -+ uint8_t *data, size_t length,
> -+ const uint8_t *whole_pdu, size_t pdu_length,
> -+ const DATA_BLOB *sig)
> -+{
> -+ struct schannel_state *state =
> -+ talloc_get_type_abort(gensec_security->private_data,
> -+ struct schannel_state);
> -+
> -+ return netsec_incoming_packet(state, true,
> -+ discard_const_p(uint8_t, data),
> -+ length, sig);
> -+}
> -+
> -+/*
> -+ check the signature on a packet
> -+*/
> -+static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
> -+ const uint8_t *data, size_t length,
> -+ const uint8_t *whole_pdu, size_t pdu_length,
> -+ const DATA_BLOB *sig)
> -+{
> -+ struct schannel_state *state =
> -+ talloc_get_type_abort(gensec_security->private_data,
> -+ struct schannel_state);
> -+
> -+ return netsec_incoming_packet(state, false,
> -+ discard_const_p(uint8_t, data),
> -+ length, sig);
> -+}
> -+/*
> -+ seal a packet
> -+*/
> -+static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
> -+ TALLOC_CTX *mem_ctx,
> -+ uint8_t *data, size_t length,
> -+ const uint8_t *whole_pdu, size_t pdu_length,
> -+ DATA_BLOB *sig)
> -+{
> -+ struct schannel_state *state =
> -+ talloc_get_type_abort(gensec_security->private_data,
> -+ struct schannel_state);
> -+
> -+ return netsec_outgoing_packet(state, mem_ctx, true,
> -+ data, length, sig);
> -+}
> -+
> -+/*
> -+ sign a packet
> -+*/
> -+static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
> -+ TALLOC_CTX *mem_ctx,
> -+ const uint8_t *data, size_t length,
> -+ const uint8_t *whole_pdu, size_t pdu_length,
> -+ DATA_BLOB *sig)
> -+{
> -+ struct schannel_state *state =
> -+ talloc_get_type_abort(gensec_security->private_data,
> -+ struct schannel_state);
> -+
> -+ return netsec_outgoing_packet(state, mem_ctx, false,
> -+ discard_const_p(uint8_t, data),
> -+ length, sig);
> -+}
> -+
> -+static const struct gensec_security_ops gensec_schannel_security_ops = {
> -+ .name = "schannel",
> -+ .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
> -+ .client_start = schannel_client_start,
> -+ .server_start = schannel_server_start,
> -+ .update = schannel_update,
> -+ .seal_packet = schannel_seal_packet,
> -+ .sign_packet = schannel_sign_packet,
> -+ .check_packet = schannel_check_packet,
> -+ .unseal_packet = schannel_unseal_packet,
> -+ .session_info = schannel_session_info,
> -+ .sig_size = schannel_sig_size,
> -+ .have_feature = schannel_have_feature,
> -+ .enabled = true,
> -+ .priority = GENSEC_SCHANNEL
> -+};
> -+
> -+_PUBLIC_ NTSTATUS gensec_schannel_init(void)
> -+{
> -+ NTSTATUS ret;
> -+ ret = gensec_register(&gensec_schannel_security_ops);
> -+ if (!NT_STATUS_IS_OK(ret)) {
> -+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
> -+ gensec_schannel_security_ops.name));
> -+ return ret;
> -+ }
> -+
> -+ return ret;
> -+}
> -diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
> -index 71222f7..7329eec 100755
> ---- a/auth/gensec/wscript_build
> -+++ b/auth/gensec/wscript_build
> -@@ -17,6 +17,14 @@ bld.SAMBA_MODULE('gensec_spnego',
> - deps='asn1util samba-credentials SPNEGO_PARSE'
> - )
> -
> -+bld.SAMBA_MODULE('gensec_schannel',
> -+ source='schannel.c',
> -+ autoproto='schannel_proto.h',
> -+ subsystem='gensec',
> -+ init_function='gensec_schannel_init',
> -+ deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials auth_session'
> -+ )
> -+
> - bld.SAMBA_MODULE('gensec_external',
> - source='external.c',
> - autoproto='external_proto.h',
> -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> -deleted file mode 100644
> -index eb2e100..0000000
> ---- a/source4/auth/gensec/schannel.c
> -+++ /dev/null
> -@@ -1,330 +0,0 @@
> --/*
> -- Unix SMB/CIFS implementation.
> --
> -- dcerpc schannel operations
> --
> -- Copyright (C) Andrew Tridgell 2004
> -- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
> --
> -- This program is free software; you can redistribute it and/or modify
> -- it under the terms of the GNU General Public License as published by
> -- the Free Software Foundation; either version 3 of the License, or
> -- (at your option) any later version.
> --
> -- This program is distributed in the hope that it will be useful,
> -- but WITHOUT ANY WARRANTY; without even the implied warranty of
> -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -- GNU General Public License for more details.
> --
> -- You should have received a copy of the GNU General Public License
> -- along with this program. If not, see <http://www.gnu.org/licenses/>.
> --*/
> --
> --#include "includes.h"
> --#include "librpc/gen_ndr/ndr_schannel.h"
> --#include "auth/auth.h"
> --#include "auth/credentials/credentials.h"
> --#include "auth/gensec/gensec.h"
> --#include "auth/gensec/gensec_internal.h"
> --#include "auth/gensec/gensec_proto.h"
> --#include "../libcli/auth/schannel.h"
> --#include "librpc/gen_ndr/dcerpc.h"
> --#include "param/param.h"
> --#include "auth/gensec/gensec_toplevel_proto.h"
> --
> --_PUBLIC_ NTSTATUS gensec_schannel_init(void);
> --
> --static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
> --{
> -- struct schannel_state *state =
> -- talloc_get_type_abort(gensec_security->private_data,
> -- struct schannel_state);
> --
> -- return netsec_outgoing_sig_size(state);
> --}
> --
> --static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> -- struct tevent_context *ev,
> -- const DATA_BLOB in, DATA_BLOB *out)
> --{
> -- struct schannel_state *state =
> -- talloc_get_type(gensec_security->private_data,
> -- struct schannel_state);
> -- NTSTATUS status;
> -- enum ndr_err_code ndr_err;
> -- struct NL_AUTH_MESSAGE bind_schannel;
> -- struct NL_AUTH_MESSAGE bind_schannel_ack;
> -- struct netlogon_creds_CredentialState *creds;
> -- const char *workstation;
> -- const char *domain;
> --
> -- *out = data_blob(NULL, 0);
> --
> -- switch (gensec_security->gensec_role) {
> -- case GENSEC_CLIENT:
> -- if (state != NULL) {
> -- /* we could parse the bind ack, but we don't know what it is yet */
> -- return NT_STATUS_OK;
> -- }
> --
> -- creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
> -- if (creds == NULL) {
> -- return NT_STATUS_INVALID_PARAMETER_MIX;
> -- }
> --
> -- state = netsec_create_state(gensec_security,
> -- creds, true /* initiator */);
> -- if (state == NULL) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> -- gensec_security->private_data = state;
> --
> -- bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
> --#if 0
> -- /* to support this we'd need to have access to the full domain name */
> -- /* 0x17, 23 */
> -- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> -- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
> -- NL_FLAG_UTF8_DNS_DOMAIN_NAME |
> -- NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
> -- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> -- bind_schannel.oem_netbios_computer.a = creds->computer_name;
> -- bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
> -- /* w2k3 refuses us if we use the full DNS workstation?
> -- why? perhaps because we don't fill in the dNSHostName
> -- attribute in the machine account? */
> -- bind_schannel.utf8_netbios_computer = creds->computer_name;
> --#else
> -- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> -- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> -- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> -- bind_schannel.oem_netbios_computer.a = creds->computer_name;
> --#endif
> --
> -- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
> -- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -- status = ndr_map_error2ntstatus(ndr_err);
> -- DEBUG(3, ("Could not create schannel bind: %s\n",
> -- nt_errstr(status)));
> -- return status;
> -- }
> --
> -- return NT_STATUS_MORE_PROCESSING_REQUIRED;
> -- case GENSEC_SERVER:
> --
> -- if (state != NULL) {
> -- /* no third leg on this protocol */
> -- return NT_STATUS_INVALID_PARAMETER;
> -- }
> --
> -- /* parse the schannel startup blob */
> -- ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
> -- (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
> -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -- status = ndr_map_error2ntstatus(ndr_err);
> -- DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
> -- nt_errstr(status)));
> -- return status;
> -- }
> --
> -- if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
> -- domain = bind_schannel.oem_netbios_domain.a;
> -- if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
> -- DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
> -- domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
> -- return NT_STATUS_LOGON_FAILURE;
> -- }
> -- } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
> -- domain = bind_schannel.utf8_dns_domain.u;
> -- if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
> -- DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
> -- domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
> -- return NT_STATUS_LOGON_FAILURE;
> -- }
> -- } else {
> -- DEBUG(3, ("Request for schannel to without domain\n"));
> -- return NT_STATUS_LOGON_FAILURE;
> -- }
> --
> -- if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
> -- workstation = bind_schannel.oem_netbios_computer.a;
> -- } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
> -- workstation = bind_schannel.utf8_netbios_computer.u;
> -- } else {
> -- DEBUG(3, ("Request for schannel to without netbios workstation\n"));
> -- return NT_STATUS_LOGON_FAILURE;
> -- }
> --
> -- status = schannel_get_creds_state(out_mem_ctx,
> -- gensec_security->settings->lp_ctx,
> -- workstation, &creds);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
> -- workstation, nt_errstr(status)));
> -- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
> -- return NT_STATUS_LOGON_FAILURE;
> -- }
> -- return status;
> -- }
> --
> -- state = netsec_create_state(gensec_security,
> -- creds, false /* not initiator */);
> -- if (state == NULL) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> -- gensec_security->private_data = state;
> --
> -- bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
> -- bind_schannel_ack.Flags = 0;
> -- bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
> -- * this does not have
> -- * any meaning here
> -- * - gd */
> --
> -- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
> -- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -- status = ndr_map_error2ntstatus(ndr_err);
> -- DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
> -- workstation, nt_errstr(status)));
> -- return status;
> -- }
> --
> -- return NT_STATUS_OK;
> -- }
> -- return NT_STATUS_INVALID_PARAMETER;
> --}
> --
> --/**
> -- * Returns anonymous credentials for schannel, matching Win2k3.
> -- *
> -- */
> --
> --static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
> -- TALLOC_CTX *mem_ctx,
> -- struct auth_session_info **_session_info)
> --{
> -- return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
> --}
> --
> --static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
> --{
> -- return NT_STATUS_OK;
> --}
> --
> --static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
> --{
> -- return NT_STATUS_OK;
> --}
> --
> --static bool schannel_have_feature(struct gensec_security *gensec_security,
> -- uint32_t feature)
> --{
> -- if (feature & (GENSEC_FEATURE_SIGN |
> -- GENSEC_FEATURE_SEAL)) {
> -- return true;
> -- }
> -- if (feature & GENSEC_FEATURE_DCE_STYLE) {
> -- return true;
> -- }
> -- return false;
> --}
> --
> --/*
> -- unseal a packet
> --*/
> --static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
> -- uint8_t *data, size_t length,
> -- const uint8_t *whole_pdu, size_t pdu_length,
> -- const DATA_BLOB *sig)
> --{
> -- struct schannel_state *state =
> -- talloc_get_type_abort(gensec_security->private_data,
> -- struct schannel_state);
> --
> -- return netsec_incoming_packet(state, true,
> -- discard_const_p(uint8_t, data),
> -- length, sig);
> --}
> --
> --/*
> -- check the signature on a packet
> --*/
> --static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
> -- const uint8_t *data, size_t length,
> -- const uint8_t *whole_pdu, size_t pdu_length,
> -- const DATA_BLOB *sig)
> --{
> -- struct schannel_state *state =
> -- talloc_get_type_abort(gensec_security->private_data,
> -- struct schannel_state);
> --
> -- return netsec_incoming_packet(state, false,
> -- discard_const_p(uint8_t, data),
> -- length, sig);
> --}
> --/*
> -- seal a packet
> --*/
> --static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
> -- TALLOC_CTX *mem_ctx,
> -- uint8_t *data, size_t length,
> -- const uint8_t *whole_pdu, size_t pdu_length,
> -- DATA_BLOB *sig)
> --{
> -- struct schannel_state *state =
> -- talloc_get_type_abort(gensec_security->private_data,
> -- struct schannel_state);
> --
> -- return netsec_outgoing_packet(state, mem_ctx, true,
> -- data, length, sig);
> --}
> --
> --/*
> -- sign a packet
> --*/
> --static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
> -- TALLOC_CTX *mem_ctx,
> -- const uint8_t *data, size_t length,
> -- const uint8_t *whole_pdu, size_t pdu_length,
> -- DATA_BLOB *sig)
> --{
> -- struct schannel_state *state =
> -- talloc_get_type_abort(gensec_security->private_data,
> -- struct schannel_state);
> --
> -- return netsec_outgoing_packet(state, mem_ctx, false,
> -- discard_const_p(uint8_t, data),
> -- length, sig);
> --}
> --
> --static const struct gensec_security_ops gensec_schannel_security_ops = {
> -- .name = "schannel",
> -- .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
> -- .client_start = schannel_client_start,
> -- .server_start = schannel_server_start,
> -- .update = schannel_update,
> -- .seal_packet = schannel_seal_packet,
> -- .sign_packet = schannel_sign_packet,
> -- .check_packet = schannel_check_packet,
> -- .unseal_packet = schannel_unseal_packet,
> -- .session_info = schannel_session_info,
> -- .sig_size = schannel_sig_size,
> -- .have_feature = schannel_have_feature,
> -- .enabled = true,
> -- .priority = GENSEC_SCHANNEL
> --};
> --
> --_PUBLIC_ NTSTATUS gensec_schannel_init(void)
> --{
> -- NTSTATUS ret;
> -- ret = gensec_register(&gensec_schannel_security_ops);
> -- if (!NT_STATUS_IS_OK(ret)) {
> -- DEBUG(0,("Failed to register '%s' gensec backend!\n",
> -- gensec_schannel_security_ops.name));
> -- return ret;
> -- }
> --
> -- return ret;
> --}
> -diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
> -index 04fccc5..a3eff97 100755
> ---- a/source4/auth/gensec/wscript_build
> -+++ b/source4/auth/gensec/wscript_build
> -@@ -32,16 +32,6 @@ bld.SAMBA_MODULE('cyrus_sasl',
> - )
> -
> -
> --bld.SAMBA_MODULE('gensec_schannel',
> -- source='schannel.c',
> -- subsystem='gensec',
> -- deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials ndr auth_session',
> -- internal_module=True,
> -- autoproto='schannel_proto.h',
> -- init_function='gensec_schannel_init'
> -- )
> --
> --
> - bld.SAMBA_PYTHON('pygensec',
> - source='pygensec.c',
> - deps='gensec pytalloc-util pyparam_util',
> ---
> -1.9.3
> -
> -
> -From c4829848f45db27d6c145b35a20bea2f33bcb4d7 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 18 Sep 2013 17:24:49 +0200
> -Subject: [PATCH 094/249] gensec: remove duplicate
> - gensec_security_by_authtype() call.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -We should use the equivalent gensec_security_by_auth_type() call which is
> -exposed in the public header.
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit d433ad077f354de4fc1d5a155d991f417ae9967c)
> ----
> - auth/gensec/gensec_start.c | 29 ++---------------------------
> - 1 file changed, 2 insertions(+), 27 deletions(-)
> -
> -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> -index 3ae64d5..906ef67 100644
> ---- a/auth/gensec/gensec_start.c
> -+++ b/auth/gensec/gensec_start.c
> -@@ -157,31 +157,6 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
> -
> - }
> -
> --static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
> -- uint8_t auth_type)
> --{
> -- int i;
> -- const struct gensec_security_ops **backends;
> -- const struct gensec_security_ops *backend;
> -- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> -- if (!mem_ctx) {
> -- return NULL;
> -- }
> -- backends = gensec_security_mechs(gensec_security, mem_ctx);
> -- for (i=0; backends && backends[i]; i++) {
> -- if (!gensec_security_ops_enabled(backends[i], gensec_security))
> -- continue;
> -- if (backends[i]->auth_type == auth_type) {
> -- backend = backends[i];
> -- talloc_free(mem_ctx);
> -- return backend;
> -- }
> -- }
> -- talloc_free(mem_ctx);
> --
> -- return NULL;
> --}
> --
> - _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
> - struct gensec_security *gensec_security,
> - const char *oid_string)
> -@@ -719,7 +694,7 @@ NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
> - _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
> - uint8_t auth_type, uint8_t auth_level)
> - {
> -- gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type);
> -+ gensec_security->ops = gensec_security_by_auth_type(gensec_security, auth_type);
> - if (!gensec_security->ops) {
> - DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
> - return NT_STATUS_INVALID_PARAMETER;
> -@@ -746,7 +721,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
> - _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
> - {
> - const struct gensec_security_ops *ops;
> -- ops = gensec_security_by_authtype(gensec_security, authtype);
> -+ ops = gensec_security_by_auth_type(gensec_security, authtype);
> - if (ops) {
> - return ops->name;
> - }
> ---
> -1.9.3
> -
> -
> -From 8c54d2ee4861a35def7cce29b900a68112356f6b Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 18 Sep 2013 17:25:55 +0200
> -Subject: [PATCH 095/249] gensec: check for NULL gensec_security in
> - gensec_security_by_auth_type().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -We have equivalent checks in other gensec_security_by_X calls already.
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 4f979525e4137c536118a9c2b2b4ef798c270e27)
> ----
> - auth/gensec/gensec_start.c | 6 ++++--
> - 1 file changed, 4 insertions(+), 2 deletions(-)
> -
> -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> -index 906ef67..476134a 100644
> ---- a/auth/gensec/gensec_start.c
> -+++ b/auth/gensec/gensec_start.c
> -@@ -230,8 +230,10 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
> - }
> - backends = gensec_security_mechs(gensec_security, mem_ctx);
> - for (i=0; backends && backends[i]; i++) {
> -- if (!gensec_security_ops_enabled(backends[i], gensec_security))
> -- continue;
> -+ if (gensec_security != NULL &&
> -+ !gensec_security_ops_enabled(backends[i], gensec_security)) {
> -+ continue;
> -+ }
> - if (backends[i]->auth_type == auth_type) {
> - backend = backends[i];
> - talloc_free(mem_ctx);
> ---
> -1.9.3
> -
> -
> -From 5b941811c7ebd51bf2c8d421517fd92b3065ba47 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 18 Sep 2013 17:27:28 +0200
> -Subject: [PATCH 096/249] s3-auth: also load schannel module from
> - auth_generic_client_prepare().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 8fce75aa58ec70547ad218bde154e141f2d17303)
> ----
> - source3/libsmb/auth_generic.c | 3 ++-
> - 1 file changed, 2 insertions(+), 1 deletion(-)
> -
> -diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
> -index e30c1b7..3130dec 100644
> ---- a/source3/libsmb/auth_generic.c
> -+++ b/source3/libsmb/auth_generic.c
> -@@ -78,7 +78,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
> - }
> -
> - backends = talloc_zero_array(gensec_settings,
> -- const struct gensec_security_ops *, 4);
> -+ const struct gensec_security_ops *, 5);
> - if (backends == NULL) {
> - TALLOC_FREE(ans);
> - return NT_STATUS_NO_MEMORY;
> -@@ -95,6 +95,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
> - backends[idx++] = &gensec_ntlmssp3_client_ops;
> -
> - backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> -+ backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
> -
> - nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
> -
> ---
> -1.9.3
> -
> -
> -From 28b5f156bcc03b88f8c0f3e52cd051a0b069334e Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 18 Sep 2013 17:44:10 +0200
> -Subject: [PATCH 097/249] s3-rpc_cli: allow to pass down a netlogon
> - CredentialState struct to gensec.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 7b570b4128f9af212048ce56abd841a1f6fdc259)
> ----
> - source3/rpc_client/cli_pipe.c | 5 ++++-
> - 1 file changed, 4 insertions(+), 1 deletion(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 470469f..2acbad6 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2178,6 +2178,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> - const char *username,
> - const char *password,
> - enum credentials_use_kerberos use_kerberos,
> -+ struct netlogon_creds_CredentialState *creds,
> - struct pipe_auth_data **presult)
> - {
> - struct auth_generic_state *auth_generic_ctx;
> -@@ -2231,6 +2232,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> - }
> -
> - cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
> -+ cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds);
> -
> - status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
> - if (!NT_STATUS_IS_OK(status)) {
> -@@ -2830,6 +2832,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> - server, target_service,
> - domain, username, password,
> - CRED_AUTO_USE_KERBEROS,
> -+ NULL,
> - &auth);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
> -@@ -3057,7 +3060,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
> - DCERPC_AUTH_TYPE_SPNEGO, auth_level,
> - server, target_service,
> - domain, username, password,
> -- use_kerberos,
> -+ use_kerberos, NULL,
> - &auth);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
> ---
> -1.9.3
> -
> -
> -From 4775b3fd2905e54b2c824d901fd8a99fb8caae04 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 18 Sep 2013 18:23:40 +0200
> -Subject: [PATCH 098/249] s3-auth: register schannel gensec module in
> - auth_generic_prepare() as well.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 090671aca5234f47f390054de771198e3c177060)
> ----
> - source3/auth/auth_generic.c | 5 ++++-
> - 1 file changed, 4 insertions(+), 1 deletion(-)
> -
> -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> -index e15c87e..e07d3b7 100644
> ---- a/source3/auth/auth_generic.c
> -+++ b/source3/auth/auth_generic.c
> -@@ -32,6 +32,7 @@
> - #include "librpc/crypto/gse.h"
> - #include "auth/credentials/credentials.h"
> - #include "lib/param/loadparm.h"
> -+#include "librpc/gen_ndr/dcerpc.h"
> -
> - static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> - TALLOC_CTX *mem_ctx,
> -@@ -261,7 +262,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> - }
> -
> - backends = talloc_zero_array(gensec_settings,
> -- const struct gensec_security_ops *, 4);
> -+ const struct gensec_security_ops *, 5);
> - if (backends == NULL) {
> - TALLOC_FREE(tmp_ctx);
> - return NT_STATUS_NO_MEMORY;
> -@@ -279,6 +280,8 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> -
> - backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> -
> -+ backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
> -+
> - /*
> - * This is anonymous for now, because we just use it
> - * to set the kerberos state at the moment
> ---
> -1.9.3
> -
> -
> -From 080c2ac3cbd28318bc6c682dff0aea17fad07a2c Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 18 Sep 2013 18:33:14 +0200
> -Subject: [PATCH 099/249] s3-rpc_cli: use gensec for schannel bind.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 89d0b89b5d58ceef13bc10036d396b10f8a102ae)
> ----
> - source3/rpc_client/cli_pipe.c | 22 +++++++++++++---------
> - 1 file changed, 13 insertions(+), 9 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 2acbad6..8a642e2 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -1120,12 +1120,6 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
> -
> - switch (auth->auth_type) {
> - case DCERPC_AUTH_TYPE_SCHANNEL:
> -- ret = create_schannel_auth_rpc_bind_req(cli, &auth_token);
> -- if (!NT_STATUS_IS_OK(ret)) {
> -- return ret;
> -- }
> -- break;
> --
> - case DCERPC_AUTH_TYPE_NTLMSSP:
> - case DCERPC_AUTH_TYPE_KRB5:
> - case DCERPC_AUTH_TYPE_SPNEGO:
> -@@ -2884,16 +2878,26 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - struct netr_Authenticator auth;
> - struct netr_Authenticator return_auth;
> - union netr_Capabilities capabilities;
> -+ const char *target_service = table->authservices->names[0];
> -
> - status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> -
> -- status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
> -- *pdc, &rpcauth);
> -+ status = rpccli_generic_bind_data(rpccli,
> -+ DCERPC_AUTH_TYPE_SCHANNEL,
> -+ auth_level,
> -+ NULL,
> -+ target_service,
> -+ domain,
> -+ (*pdc)->computer_name,
> -+ NULL,
> -+ CRED_AUTO_USE_KERBEROS,
> -+ *pdc,
> -+ &rpcauth);
> - if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
> -+ DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
> - nt_errstr(status)));
> - TALLOC_FREE(rpccli);
> - return status;
> ---
> -1.9.3
> -
> -
> -From 40ffd89f975e06821379fbd240187f5e268da5fe Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 18 Sep 2013 18:34:58 +0200
> -Subject: [PATCH 100/249] s3-rpc_srv: use gensec for schannel bind.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit a32a83ba9d6c7b5bbe9077973e5402ba65c068e7)
> ----
> - source3/rpc_server/srv_pipe.c | 9 +++++++--
> - 1 file changed, 7 insertions(+), 2 deletions(-)
> -
> -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> -index 9043a14..fd7a90a 100644
> ---- a/source3/rpc_server/srv_pipe.c
> -+++ b/source3/rpc_server/srv_pipe.c
> -@@ -808,10 +808,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> - break;
> -
> - case DCERPC_AUTH_TYPE_SCHANNEL:
> -- if (!pipe_schannel_auth_bind(p, pkt,
> -- &auth_info, &auth_resp)) {
> -+ if (!pipe_auth_generic_bind(p, pkt,
> -+ &auth_info, &auth_resp)) {
> -+ goto err_exit;
> -+ }
> -+ if (!session_info_set_session_key(p->session_info, generic_session_key())) {
> -+ DEBUG(0, ("session_info_set_session_key failed\n"));
> - goto err_exit;
> - }
> -+ p->pipe_bound = true;
> - break;
> -
> - case DCERPC_AUTH_TYPE_SPNEGO:
> ---
> -1.9.3
> -
> -
> -From 285de020b6e284ad5074492d62740ba8a370826a Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 18 Sep 2013 18:36:19 +0200
> -Subject: [PATCH 101/249] s3-rpc: use gensec for schannel footer processing.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 5a628490e46f428432cd9b32c2b4b3a34a3736ae)
> ----
> - source3/librpc/rpc/dcerpc_helpers.c | 35 +++--------------------------------
> - 1 file changed, 3 insertions(+), 32 deletions(-)
> -
> -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
> -index 97999d7..b9e05cb 100644
> ---- a/source3/librpc/rpc/dcerpc_helpers.c
> -+++ b/source3/librpc/rpc/dcerpc_helpers.c
> -@@ -273,7 +273,6 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
> - size_t max_len;
> - size_t mod_len;
> - struct gensec_security *gensec_security;
> -- struct schannel_state *schannel_auth;
> -
> - /* no auth token cases first */
> - switch (auth->auth_level) {
> -@@ -307,16 +306,11 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
> - case DCERPC_AUTH_TYPE_SPNEGO:
> - case DCERPC_AUTH_TYPE_NTLMSSP:
> - case DCERPC_AUTH_TYPE_KRB5:
> -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> - gensec_security = talloc_get_type_abort(auth->auth_ctx,
> - struct gensec_security);
> - *auth_len = gensec_sig_size(gensec_security, max_len);
> - break;
> --
> -- case DCERPC_AUTH_TYPE_SCHANNEL:
> -- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
> -- struct schannel_state);
> -- *auth_len = netsec_outgoing_sig_size(schannel_auth);
> -- break;
> - default:
> - return NT_STATUS_INVALID_PARAMETER;
> - }
> -@@ -548,7 +542,6 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
> - NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
> - size_t pad_len, DATA_BLOB *rpc_out)
> - {
> -- struct schannel_state *schannel_auth;
> - struct gensec_security *gensec_security;
> - char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
> - DATA_BLOB auth_info;
> -@@ -600,19 +593,13 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
> - case DCERPC_AUTH_TYPE_SPNEGO:
> - case DCERPC_AUTH_TYPE_KRB5:
> - case DCERPC_AUTH_TYPE_NTLMSSP:
> -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> - gensec_security = talloc_get_type_abort(auth->auth_ctx,
> - struct gensec_security);
> - status = add_generic_auth_footer(gensec_security,
> - auth->auth_level,
> - rpc_out);
> - break;
> -- case DCERPC_AUTH_TYPE_SCHANNEL:
> -- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
> -- struct schannel_state);
> -- status = add_schannel_auth_footer(schannel_auth,
> -- auth->auth_level,
> -- rpc_out);
> -- break;
> - default:
> - status = NT_STATUS_INVALID_PARAMETER;
> - break;
> -@@ -640,7 +627,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
> - DATA_BLOB *raw_pkt,
> - size_t *pad_len)
> - {
> -- struct schannel_state *schannel_auth;
> - struct gensec_security *gensec_security;
> - NTSTATUS status;
> - struct dcerpc_auth auth_info;
> -@@ -710,6 +696,7 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
> - case DCERPC_AUTH_TYPE_SPNEGO:
> - case DCERPC_AUTH_TYPE_KRB5:
> - case DCERPC_AUTH_TYPE_NTLMSSP:
> -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> -
> - DEBUG(10, ("GENSEC auth\n"));
> -
> -@@ -723,22 +710,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
> - return status;
> - }
> - break;
> --
> -- case DCERPC_AUTH_TYPE_SCHANNEL:
> --
> -- DEBUG(10, ("SCHANNEL auth\n"));
> --
> -- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
> -- struct schannel_state);
> -- status = get_schannel_auth_footer(pkt, schannel_auth,
> -- auth->auth_level,
> -- &data, &full_pkt,
> -- &auth_info.credentials);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> -- break;
> --
> - default:
> - DEBUG(0, ("process_request_pdu: "
> - "unknown auth type %u set.\n",
> ---
> -1.9.3
> -
> -
> -From cfa396d153cedb9b10356540a479ff299c480cae Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Thu, 19 Sep 2013 11:03:31 +0200
> -Subject: [PATCH 102/249] s3-rpc_cli: remove unused schannel calls from
> - dcerpc_helpers.c
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 639f60b1513a8c877d307ed86b7748250821fb3f)
> ----
> - source3/librpc/rpc/dcerpc.h | 3 -
> - source3/librpc/rpc/dcerpc_helpers.c | 124 ------------------------------------
> - 2 files changed, 127 deletions(-)
> -
> -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
> -index b3ae3b4..38d59cd 100644
> ---- a/source3/librpc/rpc/dcerpc.h
> -+++ b/source3/librpc/rpc/dcerpc.h
> -@@ -60,9 +60,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
> - const DATA_BLOB *blob,
> - struct ncacn_packet *r,
> - bool bigendian);
> --NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
> -- struct NL_AUTH_MESSAGE *r,
> -- DATA_BLOB *blob);
> - NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
> - enum dcerpc_AuthType auth_type,
> - enum dcerpc_AuthLevel auth_level,
> -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
> -index b9e05cb..2400bfd 100644
> ---- a/source3/librpc/rpc/dcerpc_helpers.c
> -+++ b/source3/librpc/rpc/dcerpc_helpers.c
> -@@ -21,9 +21,6 @@
> - #include "includes.h"
> - #include "librpc/rpc/dcerpc.h"
> - #include "librpc/gen_ndr/ndr_dcerpc.h"
> --#include "librpc/gen_ndr/ndr_schannel.h"
> --#include "../libcli/auth/schannel.h"
> --#include "../libcli/auth/spnego.h"
> - #include "librpc/crypto/gse.h"
> - #include "auth/gensec/gensec.h"
> -
> -@@ -135,34 +132,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
> - }
> -
> - /**
> --* @brief NDR Encodes a NL_AUTH_MESSAGE
> --*
> --* @param mem_ctx The memory context the blob will be allocated on
> --* @param r The NL_AUTH_MESSAGE to encode
> --* @param blob [out] The encoded blob if successful
> --*
> --* @return a NTSTATUS error code
> --*/
> --NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
> -- struct NL_AUTH_MESSAGE *r,
> -- DATA_BLOB *blob)
> --{
> -- enum ndr_err_code ndr_err;
> --
> -- ndr_err = ndr_push_struct_blob(blob, mem_ctx, r,
> -- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -- return ndr_map_error2ntstatus(ndr_err);
> -- }
> --
> -- if (DEBUGLEVEL >= 10) {
> -- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, r);
> -- }
> --
> -- return NT_STATUS_OK;
> --}
> --
> --/**
> - * @brief NDR Encodes a dcerpc_auth structure
> - *
> - * @param mem_ctx The memory context the blob will be allocated on
> -@@ -437,99 +406,6 @@ static NTSTATUS get_generic_auth_footer(struct gensec_security *gensec_security,
> - }
> - }
> -
> --/*******************************************************************
> -- Create and add the schannel sign/seal auth data.
> -- ********************************************************************/
> --
> --static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
> -- enum dcerpc_AuthLevel auth_level,
> -- DATA_BLOB *rpc_out)
> --{
> -- uint8_t *data_p = rpc_out->data + DCERPC_RESPONSE_LENGTH;
> -- size_t data_and_pad_len = rpc_out->length
> -- - DCERPC_RESPONSE_LENGTH
> -- - DCERPC_AUTH_TRAILER_LENGTH;
> -- DATA_BLOB auth_blob;
> -- NTSTATUS status;
> --
> -- if (!sas) {
> -- return NT_STATUS_INVALID_PARAMETER;
> -- }
> --
> -- switch (auth_level) {
> -- case DCERPC_AUTH_LEVEL_PRIVACY:
> -- status = netsec_outgoing_packet(sas,
> -- rpc_out->data,
> -- true,
> -- data_p,
> -- data_and_pad_len,
> -- &auth_blob);
> -- break;
> -- case DCERPC_AUTH_LEVEL_INTEGRITY:
> -- status = netsec_outgoing_packet(sas,
> -- rpc_out->data,
> -- false,
> -- data_p,
> -- data_and_pad_len,
> -- &auth_blob);
> -- break;
> -- default:
> -- status = NT_STATUS_INTERNAL_ERROR;
> -- break;
> -- }
> --
> -- if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
> -- nt_errstr(status)));
> -- return status;
> -- }
> --
> -- if (DEBUGLEVEL >= 10) {
> -- dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_blob);
> -- }
> --
> -- /* Finally attach the blob. */
> -- if (!data_blob_append(NULL, rpc_out,
> -- auth_blob.data, auth_blob.length)) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> -- data_blob_free(&auth_blob);
> --
> -- return NT_STATUS_OK;
> --}
> --
> --/*******************************************************************
> -- Check/unseal the Schannel auth data. (Unseal in place).
> -- ********************************************************************/
> --
> --static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
> -- struct schannel_state *auth_state,
> -- enum dcerpc_AuthLevel auth_level,
> -- DATA_BLOB *data, DATA_BLOB *full_pkt,
> -- DATA_BLOB *auth_token)
> --{
> -- switch (auth_level) {
> -- case DCERPC_AUTH_LEVEL_PRIVACY:
> -- /* Data portion is encrypted. */
> -- return netsec_incoming_packet(auth_state,
> -- true,
> -- data->data,
> -- data->length,
> -- auth_token);
> --
> -- case DCERPC_AUTH_LEVEL_INTEGRITY:
> -- /* Data is signed. */
> -- return netsec_incoming_packet(auth_state,
> -- false,
> -- data->data,
> -- data->length,
> -- auth_token);
> --
> -- default:
> -- return NT_STATUS_INVALID_PARAMETER;
> -- }
> --}
> --
> - /**
> - * @brief Append an auth footer according to what is the current mechanism
> - *
> ---
> -1.9.3
> -
> -
> -From 3c10a3501c04e1f5f9bd2bb1418b95b4b17248a8 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Thu, 19 Sep 2013 11:04:19 +0200
> -Subject: [PATCH 103/249] s3-rpc_cli: remove unused schannel calls from
> - cli_pipe.c
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 45949d721892a0e8a6b1a76e221c6b3bfd6a872f)
> ----
> - source3/rpc_client/cli_pipe.c | 76 -------------------------------------------
> - 1 file changed, 76 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 8a642e2..b73f2f2 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -22,11 +22,8 @@
> - #include "includes.h"
> - #include "../lib/util/tevent_ntstatus.h"
> - #include "librpc/gen_ndr/ndr_epmapper_c.h"
> --#include "../librpc/gen_ndr/ndr_schannel.h"
> - #include "../librpc/gen_ndr/ndr_dssetup.h"
> - #include "../libcli/auth/schannel.h"
> --#include "../libcli/auth/spnego.h"
> --#include "../auth/ntlmssp/ntlmssp.h"
> - #include "auth_generic.h"
> - #include "librpc/gen_ndr/ndr_dcerpc.h"
> - #include "librpc/gen_ndr/ndr_netlogon_c.h"
> -@@ -1018,42 +1015,6 @@ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> - }
> -
> - /*******************************************************************
> -- Creates schannel auth bind.
> -- ********************************************************************/
> --
> --static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> -- DATA_BLOB *auth_token)
> --{
> -- NTSTATUS status;
> -- struct NL_AUTH_MESSAGE r;
> --
> -- if (!cli->auth->user_name || !cli->auth->user_name[0]) {
> -- return NT_STATUS_INVALID_PARAMETER_MIX;
> -- }
> --
> -- if (!cli->auth->domain || !cli->auth->domain[0]) {
> -- return NT_STATUS_INVALID_PARAMETER_MIX;
> -- }
> --
> -- /*
> -- * Now marshall the data into the auth parse_struct.
> -- */
> --
> -- r.MessageType = NL_NEGOTIATE_REQUEST;
> -- r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> -- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> -- r.oem_netbios_domain.a = cli->auth->domain;
> -- r.oem_netbios_computer.a = cli->auth->user_name;
> --
> -- status = dcerpc_push_schannel_bind(cli, &r, auth_token);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> --
> -- return NT_STATUS_OK;
> --}
> --
> --/*******************************************************************
> - Creates the internals of a DCE/RPC bind request or alter context PDU.
> - ********************************************************************/
> -
> -@@ -2243,43 +2204,6 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> - return status;
> - }
> -
> --static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> -- const char *domain,
> -- enum dcerpc_AuthLevel auth_level,
> -- struct netlogon_creds_CredentialState *creds,
> -- struct pipe_auth_data **presult)
> --{
> -- struct schannel_state *schannel_auth;
> -- struct pipe_auth_data *result;
> --
> -- result = talloc(mem_ctx, struct pipe_auth_data);
> -- if (result == NULL) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
> -- result->auth_level = auth_level;
> --
> -- result->user_name = talloc_strdup(result, creds->computer_name);
> -- result->domain = talloc_strdup(result, domain);
> -- if ((result->user_name == NULL) || (result->domain == NULL)) {
> -- goto fail;
> -- }
> --
> -- schannel_auth = netsec_create_state(result, creds, true /* initiator */);
> -- if (schannel_auth == NULL) {
> -- goto fail;
> -- }
> --
> -- result->auth_ctx = schannel_auth;
> -- *presult = result;
> -- return NT_STATUS_OK;
> --
> -- fail:
> -- TALLOC_FREE(result);
> -- return NT_STATUS_NO_MEMORY;
> --}
> --
> - /**
> - * Create an rpc pipe client struct, connecting to a tcp port.
> - */
> ---
> -1.9.3
> -
> -
> -From e4b33d6311e051501815199bd6c6dbba33f1bc55 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Thu, 19 Sep 2013 11:05:21 +0200
> -Subject: [PATCH 104/249] s3-rpc_srv: remove unused schannel calls from
> - srv_pipe.c
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -
> -Autobuild-User(master): Günther Deschner <gd@samba.org>
> -Autobuild-Date(master): Thu Sep 19 12:59:04 CEST 2013 on sn-devel-104
> -(cherry picked from commit 6965f918c04328535c55a0ef9b7fe6392fba193a)
> ----
> - source3/rpc_server/srv_pipe.c | 116 ------------------------------------------
> - 1 file changed, 116 deletions(-)
> -
> -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> -index fd7a90a..06752a8 100644
> ---- a/source3/rpc_server/srv_pipe.c
> -+++ b/source3/rpc_server/srv_pipe.c
> -@@ -30,11 +30,8 @@
> - #include "includes.h"
> - #include "system/filesys.h"
> - #include "srv_pipe_internal.h"
> --#include "../librpc/gen_ndr/ndr_schannel.h"
> - #include "../librpc/gen_ndr/dcerpc.h"
> - #include "../librpc/rpc/rpc_common.h"
> --#include "../libcli/auth/schannel.h"
> --#include "../libcli/auth/spnego.h"
> - #include "dcesrv_auth_generic.h"
> - #include "rpc_server.h"
> - #include "rpc_dce.h"
> -@@ -415,119 +412,6 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
> - }
> -
> - /*******************************************************************
> -- Handle an schannel bind auth.
> --*******************************************************************/
> --
> --static bool pipe_schannel_auth_bind(struct pipes_struct *p,
> -- TALLOC_CTX *mem_ctx,
> -- struct dcerpc_auth *auth_info,
> -- DATA_BLOB *response)
> --{
> -- struct NL_AUTH_MESSAGE neg;
> -- struct NL_AUTH_MESSAGE reply;
> -- bool ret;
> -- NTSTATUS status;
> -- struct netlogon_creds_CredentialState *creds;
> -- enum ndr_err_code ndr_err;
> -- struct schannel_state *schannel_auth;
> -- struct loadparm_context *lp_ctx;
> --
> -- ndr_err = ndr_pull_struct_blob(
> -- &auth_info->credentials, mem_ctx, &neg,
> -- (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
> -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -- DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
> -- return false;
> -- }
> --
> -- if (DEBUGLEVEL >= 10) {
> -- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
> -- }
> --
> -- if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
> -- DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
> -- return false;
> -- }
> --
> -- lp_ctx = loadparm_init_s3(p, loadparm_s3_helpers());
> -- if (!lp_ctx) {
> -- DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
> -- return false;
> -- }
> --
> -- /*
> -- * The neg.oem_netbios_computer.a key here must match the remote computer name
> -- * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
> -- * operations that use credentials.
> -- */
> --
> -- become_root();
> -- status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
> -- neg.oem_netbios_computer.a, &creds);
> -- unbecome_root();
> --
> -- talloc_unlink(p, lp_ctx);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
> -- return False;
> -- }
> --
> -- schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
> -- TALLOC_FREE(creds);
> -- if (!schannel_auth) {
> -- return False;
> -- }
> --
> -- /*
> -- * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
> -- * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
> -- * struct of the person who opened the pipe. I need to test this further. JRA.
> -- *
> -- * VL. As we are mapping this to guest set the generic key
> -- * "SystemLibraryDTC" key here. It's a bit difficult to test against
> -- * W2k3, as it does not allow schannel binds against SAMR and LSA
> -- * anymore.
> -- */
> --
> -- ret = session_info_set_session_key(p->session_info, generic_session_key());
> --
> -- if (!ret) {
> -- DEBUG(0, ("session_info_set_session_key failed\n"));
> -- return false;
> -- }
> --
> -- /*** SCHANNEL verifier ***/
> --
> -- reply.MessageType = NL_NEGOTIATE_RESPONSE;
> -- reply.Flags = 0;
> -- reply.Buffer.dummy = 5; /* ??? actually I don't think
> -- * this has any meaning
> -- * here - gd */
> --
> -- ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
> -- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -- DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
> -- return false;
> -- }
> --
> -- if (DEBUGLEVEL >= 10) {
> -- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
> -- }
> --
> -- DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
> -- neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
> --
> -- /* We're finished with this bind - no more packets. */
> -- p->auth.auth_ctx = schannel_auth;
> -- p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
> --
> -- p->pipe_bound = True;
> --
> -- return True;
> --}
> --
> --/*******************************************************************
> - Handle an NTLMSSP bind auth.
> - *******************************************************************/
> -
> ---
> -1.9.3
> -
> -
> -From 68fbdf567cb7d0bc3550b826204c0708a771a4dc Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Mon, 12 Aug 2013 17:22:15 +0200
> -Subject: [PATCH 105/249] librpc/ndr: call ndr_table_list() from all ndr_X
> - functions.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 88c1dbf722889a2d7379cdcbac1ce9b140a42356)
> ----
> - librpc/ndr/ndr_table.c | 6 +++---
> - 1 file changed, 3 insertions(+), 3 deletions(-)
> -
> -diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
> -index 7ca0417..01d9094 100644
> ---- a/librpc/ndr/ndr_table.c
> -+++ b/librpc/ndr/ndr_table.c
> -@@ -73,7 +73,7 @@ const char *ndr_interface_name(const struct GUID *uuid, uint32_t if_version)
> - int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
> - {
> - const struct ndr_interface_list *l;
> -- for (l=ndr_interfaces;l;l=l->next){
> -+ for (l=ndr_table_list();l;l=l->next){
> - if (GUID_equal(&l->table->syntax_id.uuid, uuid) &&
> - l->table->syntax_id.if_version == if_version) {
> - return l->table->num_calls;
> -@@ -89,7 +89,7 @@ int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
> - const struct ndr_interface_table *ndr_table_by_name(const char *name)
> - {
> - const struct ndr_interface_list *l;
> -- for (l=ndr_interfaces;l;l=l->next) {
> -+ for (l=ndr_table_list();l;l=l->next) {
> - if (strcasecmp(l->table->name, name) == 0) {
> - return l->table;
> - }
> -@@ -103,7 +103,7 @@ const struct ndr_interface_table *ndr_table_by_name(const char *name)
> - const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
> - {
> - const struct ndr_interface_list *l;
> -- for (l=ndr_interfaces;l;l=l->next) {
> -+ for (l=ndr_table_list();l;l=l->next) {
> - if (GUID_equal(&l->table->syntax_id.uuid, uuid)) {
> - return l->table;
> - }
> ---
> -1.9.3
> -
> -
> -From c936c80f7e567bab6fc749fb35e60176fca020af Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Thu, 8 Aug 2013 17:34:56 +0200
> -Subject: [PATCH 106/249] librpc/ndr: make sure ndr_table_list() always calls
> - ndr_init_table() first.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 21200b12dc14673f9a610c5798635b6052370dbe)
> ----
> - librpc/ndr/ndr_table.c | 1 +
> - 1 file changed, 1 insertion(+)
> -
> -diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
> -index 01d9094..f73b9fc 100644
> ---- a/librpc/ndr/ndr_table.c
> -+++ b/librpc/ndr/ndr_table.c
> -@@ -116,6 +116,7 @@ const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
> - */
> - const struct ndr_interface_list *ndr_table_list(void)
> - {
> -+ ndr_table_init();
> - return ndr_interfaces;
> - }
> -
> ---
> -1.9.3
> -
> -
> -From 2ced3243b3589b673967452a6401d665dd514525 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Thu, 8 Aug 2013 17:40:22 +0200
> -Subject: [PATCH 107/249] s3-rpc: use table->name directly in DEBUG contexts.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit a94e278883c58b35d383753e86135ff6a1d14ec7)
> ----
> - source3/lib/netapi/cm.c | 2 +-
> - source3/rpc_client/cli_pipe.c | 7 +++----
> - 2 files changed, 4 insertions(+), 5 deletions(-)
> -
> -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> -index 1cfdccf..bb5d6b2 100644
> ---- a/source3/lib/netapi/cm.c
> -+++ b/source3/lib/netapi/cm.c
> -@@ -254,7 +254,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> - status = pipe_cm_open(ctx, ipc, table, &result);
> - if (!NT_STATUS_IS_OK(status)) {
> - libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
> -- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> -+ table->name,
> - get_friendly_nt_error_msg(status));
> - return WERR_DEST_NOT_FOUND;
> - }
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index b73f2f2..64e7f1c 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2692,8 +2692,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> - }
> - DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
> - "%s failed with error %s\n",
> -- get_pipe_name_from_syntax(talloc_tos(),
> -- &table->syntax_id),
> -+ table->name,
> - nt_errstr(status) ));
> - TALLOC_FREE(result);
> - return status;
> -@@ -2701,7 +2700,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> -
> - DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
> - "%s and bound anonymously.\n",
> -- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> -+ table->name,
> - result->desthost));
> -
> - *presult = result;
> -@@ -2946,7 +2945,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - done:
> - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> - "for domain %s and bound using schannel.\n",
> -- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> -+ table->name,
> - rpccli->desthost, domain));
> -
> - *_rpccli = rpccli;
> ---
> -1.9.3
> -
> -
> -From cd864f1a3748c219df78600fc826a6e1d81fa07d Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 18 Sep 2013 10:58:16 +0200
> -Subject: [PATCH 108/249] s3-rpc: use ndr_interface_name() instead of
> - get_pipe_name_from_syntax() in DEBUG.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 3135533710b2a1b64aaf6b10d30b86f3c004657d)
> ----
> - source3/rpc_server/rpc_handles.c | 15 +++++++++------
> - source3/rpc_server/srv_pipe.c | 22 ++++++++++++++--------
> - source3/rpc_server/srv_pipe_hnd.c | 16 +++++++++++-----
> - source3/wscript_build | 3 ++-
> - 4 files changed, 36 insertions(+), 20 deletions(-)
> -
> -diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
> -index 70c3919..409299a 100644
> ---- a/source3/rpc_server/rpc_handles.c
> -+++ b/source3/rpc_server/rpc_handles.c
> -@@ -27,6 +27,7 @@
> - #include "rpc_server/rpc_pipes.h"
> - #include "../libcli/security/security.h"
> - #include "lib/tsocket/tsocket.h"
> -+#include "librpc/ndr/ndr_table.h"
> -
> - #undef DBGC_CLASS
> - #define DBGC_CLASS DBGC_RPC_SRV
> -@@ -218,7 +219,8 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
> -
> - DEBUG(10,("init_pipe_handle_list: created handle list for "
> - "pipe %s\n",
> -- get_pipe_name_from_syntax(talloc_tos(), syntax)));
> -+ ndr_interface_name(&syntax->uuid,
> -+ syntax->if_version)));
> - }
> -
> - /*
> -@@ -235,7 +237,7 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
> -
> - DEBUG(10,("init_pipe_handle_list: pipe_handles ref count = %lu for "
> - "pipe %s\n", (unsigned long)p->pipe_handles->pipe_ref_count,
> -- get_pipe_name_from_syntax(talloc_tos(), syntax)));
> -+ ndr_interface_name(&syntax->uuid, syntax->if_version)));
> -
> - return True;
> - }
> -@@ -412,8 +414,8 @@ void close_policy_by_pipe(struct pipes_struct *p)
> - TALLOC_FREE(p->pipe_handles);
> -
> - DEBUG(10,("Deleted handle list for RPC connection %s\n",
> -- get_pipe_name_from_syntax(talloc_tos(),
> -- &p->contexts->syntax)));
> -+ ndr_interface_name(&p->contexts->syntax.uuid,
> -+ p->contexts->syntax.if_version)));
> - }
> - }
> -
> -@@ -456,8 +458,9 @@ void *_policy_handle_create(struct pipes_struct *p, struct policy_handle *hnd,
> - if (p->pipe_handles->count > MAX_OPEN_POLS) {
> - DEBUG(0, ("ERROR: Too many handles (%d) for RPC connection %s\n",
> - (int) p->pipe_handles->count,
> -- get_pipe_name_from_syntax(talloc_tos(),
> -- &p->contexts->syntax)));
> -+ ndr_interface_name(&p->contexts->syntax.uuid,
> -+ p->contexts->syntax.if_version)));
> -+
> - *pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
> - return NULL;
> - }
> -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> -index 06752a8..19dbc37 100644
> ---- a/source3/rpc_server/srv_pipe.c
> -+++ b/source3/rpc_server/srv_pipe.c
> -@@ -41,6 +41,7 @@
> - #include "rpc_server/srv_pipe.h"
> - #include "rpc_server/rpc_contexts.h"
> - #include "lib/param/param.h"
> -+#include "librpc/ndr/ndr_table.h"
> -
> - #undef DBGC_CLASS
> - #define DBGC_CLASS DBGC_RPC_SRV
> -@@ -336,7 +337,8 @@ static bool check_bind_req(struct pipes_struct *p,
> - bool ok;
> -
> - DEBUG(3,("check_bind_req for %s\n",
> -- get_pipe_name_from_syntax(talloc_tos(), abstract)));
> -+ ndr_interface_name(&abstract->uuid,
> -+ abstract->if_version)));
> -
> - /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
> - if (rpc_srv_pipe_exists_by_id(abstract) &&
> -@@ -580,7 +582,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> - if (NT_STATUS_IS_ERR(status)) {
> - DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
> - "%s in bind request.\n",
> -- get_pipe_name_from_syntax(talloc_tos(), &id)));
> -+ ndr_interface_name(&id.uuid,
> -+ id.if_version)));
> -
> - return setup_bind_nak(p, pkt);
> - }
> -@@ -595,8 +598,10 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> - } else {
> - DEBUG(0, ("module %s doesn't provide functions for "
> - "pipe %s!\n",
> -- get_pipe_name_from_syntax(talloc_tos(), &id),
> -- get_pipe_name_from_syntax(talloc_tos(), &id)));
> -+ ndr_interface_name(&id.uuid,
> -+ id.if_version),
> -+ ndr_interface_name(&id.uuid,
> -+ id.if_version)));
> - return setup_bind_nak(p, pkt);
> - }
> - }
> -@@ -1206,7 +1211,8 @@ static bool api_pipe_request(struct pipes_struct *p,
> - TALLOC_CTX *frame = talloc_stackframe();
> -
> - DEBUG(5, ("Requested %s rpc service\n",
> -- get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
> -+ ndr_interface_name(&pipe_fns->syntax.uuid,
> -+ pipe_fns->syntax.if_version)));
> -
> - ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
> - &pipe_fns->syntax);
> -@@ -1237,7 +1243,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> -
> - /* interpret the command */
> - DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
> -- get_pipe_name_from_syntax(talloc_tos(), syntax),
> -+ ndr_interface_name(&syntax->uuid, syntax->if_version),
> - pkt->u.request.opnum));
> -
> - if (DEBUGLEVEL >= 50) {
> -@@ -1276,7 +1282,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> - /* do the actual command */
> - if(!api_rpc_cmds[fn_num].fn(p)) {
> - DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
> -- get_pipe_name_from_syntax(talloc_tos(), syntax),
> -+ ndr_interface_name(&syntax->uuid, syntax->if_version),
> - api_rpc_cmds[fn_num].name));
> - data_blob_free(&p->out_data.rdata);
> - return False;
> -@@ -1299,7 +1305,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> - }
> -
> - DEBUG(5,("api_rpcTNP: called %s successfully\n",
> -- get_pipe_name_from_syntax(talloc_tos(), syntax)));
> -+ ndr_interface_name(&syntax->uuid, syntax->if_version)));
> -
> - /* Check for buffer underflow in rpc parsing */
> - if ((DEBUGLEVEL >= 10) &&
> -diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
> -index 3f8ff44..fcbfa77 100644
> ---- a/source3/rpc_server/srv_pipe_hnd.c
> -+++ b/source3/rpc_server/srv_pipe_hnd.c
> -@@ -30,6 +30,7 @@
> - #include "rpc_server/rpc_config.h"
> - #include "../lib/tsocket/tsocket.h"
> - #include "../lib/util/tevent_ntstatus.h"
> -+#include "librpc/ndr/ndr_table.h"
> -
> - #undef DBGC_CLASS
> - #define DBGC_CLASS DBGC_RPC_SRV
> -@@ -281,7 +282,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> - }
> -
> - DEBUG(6,(" name: %s len: %u\n",
> -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
> -+ ndr_interface_name(&p->contexts->syntax.uuid,
> -+ p->contexts->syntax.if_version),
> - (unsigned int)n));
> -
> - /*
> -@@ -299,7 +301,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> - DEBUG(5,("read_from_pipe: too large read (%u) requested on "
> - "pipe %s. We can only service %d sized reads.\n",
> - (unsigned int)n,
> -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
> -+ ndr_interface_name(&p->contexts->syntax.uuid,
> -+ p->contexts->syntax.if_version),
> - RPC_MAX_PDU_FRAG_LEN ));
> - n = RPC_MAX_PDU_FRAG_LEN;
> - }
> -@@ -320,7 +323,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> -
> - DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, "
> - "current_pdu_sent = %u returning %d bytes.\n",
> -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
> -+ ndr_interface_name(&p->contexts->syntax.uuid,
> -+ p->contexts->syntax.if_version),
> - (unsigned int)p->out_data.frag.length,
> - (unsigned int)p->out_data.current_pdu_sent,
> - (int)data_returned));
> -@@ -341,7 +345,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> -
> - DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length "
> - "= %u, p->out_data.rdata.length = %u.\n",
> -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
> -+ ndr_interface_name(&p->contexts->syntax.uuid,
> -+ p->contexts->syntax.if_version),
> - (int)p->fault_state,
> - (unsigned int)p->out_data.data_sent_length,
> - (unsigned int)p->out_data.rdata.length));
> -@@ -363,7 +368,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> -
> - if(!create_next_pdu(p)) {
> - DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n",
> -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax)));
> -+ ndr_interface_name(&p->contexts->syntax.uuid,
> -+ p->contexts->syntax.if_version)));
> - return -1;
> - }
> -
> -diff --git a/source3/wscript_build b/source3/wscript_build
> -index 0bf84e2..bb2e928 100755
> ---- a/source3/wscript_build
> -+++ b/source3/wscript_build
> -@@ -672,7 +672,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
> - deps='''ndr ndr-standard
> - RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
> - LIBTSOCKET gse dcerpc-binding
> -- libsmb''',
> -+ libsmb
> -+ ndr-table''',
> - vars=locals(),
> - private_library=True)
> -
> ---
> -1.9.3
> -
> -
> -From 6e6ba9bb34ac4e1d55056ef82e4bad8ab2d65b0d Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Thu, 8 Aug 2013 17:33:29 +0200
> -Subject: [PATCH 109/249] librpc: add dcerpc_default_transport_endpoint()
> - function.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 40ee3d8a5f7439b90f1ebf5e40535fad51038fe6)
> ----
> - librpc/rpc/dcerpc_util.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++
> - librpc/rpc/rpc_common.h | 3 +++
> - 2 files changed, 58 insertions(+)
> -
> -diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
> -index 0b9cca3..4046f32 100644
> ---- a/librpc/rpc/dcerpc_util.c
> -+++ b/librpc/rpc/dcerpc_util.c
> -@@ -332,3 +332,58 @@ NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
> - tevent_req_received(req);
> - return NT_STATUS_OK;
> - }
> -+
> -+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
> -+ enum dcerpc_transport_t transport,
> -+ const struct ndr_interface_table *table)
> -+{
> -+ NTSTATUS status;
> -+ const char *p = NULL;
> -+ const char *endpoint = NULL;
> -+ int i;
> -+ struct dcerpc_binding *default_binding = NULL;
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+
> -+ /* Find one of the default pipes for this interface */
> -+
> -+ for (i = 0; i < table->endpoints->count; i++) {
> -+
> -+ status = dcerpc_parse_binding(frame, table->endpoints->names[i],
> -+ &default_binding);
> -+ if (NT_STATUS_IS_OK(status)) {
> -+ if (transport == NCA_UNKNOWN &&
> -+ default_binding->endpoint != NULL) {
> -+ p = default_binding->endpoint;
> -+ break;
> -+ }
> -+ if (default_binding->transport == transport &&
> -+ default_binding->endpoint != NULL) {
> -+ p = default_binding->endpoint;
> -+ break;
> -+ }
> -+ }
> -+ }
> -+
> -+ if (i == table->endpoints->count || p == NULL) {
> -+ goto done;
> -+ }
> -+
> -+ /*
> -+ * extract the pipe name without \\pipe from for example
> -+ * ncacn_np:[\\pipe\\epmapper]
> -+ */
> -+ if (default_binding->transport == NCACN_NP) {
> -+ if (strncasecmp(p, "\\pipe\\", 6) == 0) {
> -+ p += 6;
> -+ }
> -+ if (strncmp(p, "\\", 1) == 0) {
> -+ p += 1;
> -+ }
> -+ }
> -+
> -+ endpoint = talloc_strdup(mem_ctx, p);
> -+
> -+ done:
> -+ talloc_free(frame);
> -+ return endpoint;
> -+}
> -diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
> -index e2b3755..d2816f5 100644
> ---- a/librpc/rpc/rpc_common.h
> -+++ b/librpc/rpc/rpc_common.h
> -@@ -143,6 +143,9 @@ void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v);
> - uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob);
> - void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v);
> - uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob);
> -+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
> -+ enum dcerpc_transport_t transport,
> -+ const struct ndr_interface_table *table);
> -
> - /**
> - * @brief Pull a dcerpc_auth structure, taking account of any auth
> ---
> -1.9.3
> -
> -
> -From a71f6912117ef5054cba4346f8bfd555d70d7837 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 18 Sep 2013 10:59:14 +0200
> -Subject: [PATCH 110/249] s3-rpc: use dcerpc_default_transport_endpoint
> - function.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit b73e2d927b2221cb3fde8776789c8ca085cf2b8f)
> ----
> - source3/rpc_client/rpc_transport_np.c | 4 +++-
> - source3/rpc_server/rpc_ncacn_np.c | 12 ++++++++++--
> - source3/rpc_server/srv_pipe.c | 28 +++++++++++++++++++++-------
> - 3 files changed, 34 insertions(+), 10 deletions(-)
> -
> -diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
> -index c0f313e..91943f4 100644
> ---- a/source3/rpc_client/rpc_transport_np.c
> -+++ b/source3/rpc_client/rpc_transport_np.c
> -@@ -22,6 +22,7 @@
> - #include "rpc_client/rpc_transport.h"
> - #include "libsmb/cli_np_tstream.h"
> - #include "client.h"
> -+#include "librpc/ndr/ndr_table.h"
> -
> - #undef DBGC_CLASS
> - #define DBGC_CLASS DBGC_RPC_CLI
> -@@ -55,7 +56,8 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
> - state->ev = ev;
> - state->cli = cli;
> - state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
> -- state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
> -+ state->pipe_name = dcerpc_default_transport_endpoint(state, NCACN_NP,
> -+ table);
> - if (tevent_req_nomem(state->pipe_name, req)) {
> - return tevent_req_post(req, ev);
> - }
> -diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
> -index 7389b3e..46b77fd 100644
> ---- a/source3/rpc_server/rpc_ncacn_np.c
> -+++ b/source3/rpc_server/rpc_ncacn_np.c
> -@@ -36,6 +36,7 @@
> - #include "../lib/util/tevent_ntstatus.h"
> - #include "rpc_contexts.h"
> - #include "rpc_server/rpc_config.h"
> -+#include "librpc/ndr/ndr_table.h"
> -
> - #undef DBGC_CLASS
> - #define DBGC_CLASS DBGC_RPC_SRV
> -@@ -54,8 +55,15 @@ struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
> - struct pipe_rpc_fns *context_fns;
> - const char *pipe_name;
> - int ret;
> -+ const struct ndr_interface_table *table;
> -
> -- pipe_name = get_pipe_name_from_syntax(talloc_tos(), syntax);
> -+ table = ndr_table_by_uuid(&syntax->uuid);
> -+ if (table == NULL) {
> -+ DEBUG(0,("unknown interface\n"));
> -+ return NULL;
> -+ }
> -+
> -+ pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
> -
> - DEBUG(4,("Create pipe requested %s\n", pipe_name));
> -
> -@@ -783,7 +791,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
> -+ pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
> - if (pipe_name == NULL) {
> - status = NT_STATUS_INVALID_PARAMETER;
> - goto done;
> -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> -index 19dbc37..5f834fb 100644
> ---- a/source3/rpc_server/srv_pipe.c
> -+++ b/source3/rpc_server/srv_pipe.c
> -@@ -552,6 +552,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> - struct dcerpc_ack_ctx bind_ack_ctx;
> - DATA_BLOB auth_resp = data_blob_null;
> - DATA_BLOB auth_blob = data_blob_null;
> -+ const struct ndr_interface_table *table;
> -
> - /* No rebinds on a bound pipe - use alter context. */
> - if (p->pipe_bound) {
> -@@ -569,15 +570,21 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> - * that this is a pipe name we support.
> - */
> - id = pkt->u.bind.ctx_list[0].abstract_syntax;
> -+
> -+ table = ndr_table_by_uuid(&id.uuid);
> -+ if (table == NULL) {
> -+ DEBUG(0,("unknown interface\n"));
> -+ return false;
> -+ }
> -+
> - if (rpc_srv_pipe_exists_by_id(&id)) {
> - DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
> - rpc_srv_get_pipe_cli_name(&id),
> - rpc_srv_get_pipe_srv_name(&id)));
> - } else {
> - status = smb_probe_module(
> -- "rpc", get_pipe_name_from_syntax(
> -- talloc_tos(),
> -- &id));
> -+ "rpc", dcerpc_default_transport_endpoint(pkt,
> -+ NCACN_NP, table));
> -
> - if (NT_STATUS_IS_ERR(status)) {
> - DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
> -@@ -589,8 +596,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> - }
> -
> - if (rpc_srv_get_pipe_interface_by_cli_name(
> -- get_pipe_name_from_syntax(talloc_tos(),
> -- &id),
> -+ dcerpc_default_transport_endpoint(pkt,
> -+ NCACN_NP, table),
> - &id)) {
> - DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
> - rpc_srv_get_pipe_cli_name(&id),
> -@@ -1240,16 +1247,23 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> - {
> - int fn_num;
> - uint32_t offset1;
> -+ const struct ndr_interface_table *table;
> -
> - /* interpret the command */
> - DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
> - ndr_interface_name(&syntax->uuid, syntax->if_version),
> - pkt->u.request.opnum));
> -
> -+ table = ndr_table_by_uuid(&syntax->uuid);
> -+ if (table == NULL) {
> -+ DEBUG(0,("unknown interface\n"));
> -+ return false;
> -+ }
> -+
> - if (DEBUGLEVEL >= 50) {
> - fstring name;
> - slprintf(name, sizeof(name)-1, "in_%s",
> -- get_pipe_name_from_syntax(talloc_tos(), syntax));
> -+ dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
> - dump_pdu_region(name, pkt->u.request.opnum,
> - &p->in_data.data, 0,
> - p->in_data.data.length);
> -@@ -1298,7 +1312,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> - if (DEBUGLEVEL >= 50) {
> - fstring name;
> - slprintf(name, sizeof(name)-1, "out_%s",
> -- get_pipe_name_from_syntax(talloc_tos(), syntax));
> -+ dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
> - dump_pdu_region(name, pkt->u.request.opnum,
> - &p->out_data.rdata, offset1,
> - p->out_data.rdata.length);
> ---
> -1.9.3
> -
> -
> -From 8bb6f177b210159ea6317b20e2cc12732b4d273a Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 7 Aug 2013 17:43:08 +0200
> -Subject: [PATCH 111/249] s3-rpc: remove unused source3/librpc/rpc/rpc_common.c
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -
> -Autobuild-User(master): Günther Deschner <gd@samba.org>
> -Autobuild-Date(master): Fri Sep 20 14:57:06 CEST 2013 on sn-devel-104
> -(cherry picked from commit 807628ecac445999e75ec9ea1abdc5f2fde356d6)
> ----
> - source3/librpc/rpc/dcerpc.h | 8 --
> - source3/librpc/rpc/rpc_common.c | 209 ----------------------------------------
> - source3/wscript_build | 1 -
> - 3 files changed, 218 deletions(-)
> - delete mode 100644 source3/librpc/rpc/rpc_common.c
> -
> -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
> -index 38d59cd..b18b7ba 100644
> ---- a/source3/librpc/rpc/dcerpc.h
> -+++ b/source3/librpc/rpc/dcerpc.h
> -@@ -85,12 +85,4 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
> - DATA_BLOB *raw_pkt,
> - size_t *pad_len);
> -
> --/* The following definitions come from librpc/rpc/rpc_common.c */
> --
> --bool smb_register_ndr_interface(const struct ndr_interface_table *interface);
> --const struct ndr_interface_table *get_iface_from_syntax(
> -- const struct ndr_syntax_id *syntax);
> --const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
> -- const struct ndr_syntax_id *syntax);
> --
> - #endif /* __S3_DCERPC_H__ */
> -diff --git a/source3/librpc/rpc/rpc_common.c b/source3/librpc/rpc/rpc_common.c
> -deleted file mode 100644
> -index 1219b2d..0000000
> ---- a/source3/librpc/rpc/rpc_common.c
> -+++ /dev/null
> -@@ -1,209 +0,0 @@
> --/*
> -- * Unix SMB/CIFS implementation.
> -- * RPC Pipe client / server routines
> -- * Largely rewritten by Jeremy Allison 2005.
> -- *
> -- * This program is free software; you can redistribute it and/or modify
> -- * it under the terms of the GNU General Public License as published by
> -- * the Free Software Foundation; either version 3 of the License, or
> -- * (at your option) any later version.
> -- *
> -- * This program is distributed in the hope that it will be useful,
> -- * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -- * GNU General Public License for more details.
> -- *
> -- * You should have received a copy of the GNU General Public License
> -- * along with this program; if not, see <http://www.gnu.org/licenses/>.
> -- */
> --
> --#include "includes.h"
> --#include "librpc/rpc/dcerpc.h"
> --#include "../librpc/gen_ndr/ndr_lsa.h"
> --#include "../librpc/gen_ndr/ndr_dssetup.h"
> --#include "../librpc/gen_ndr/ndr_samr.h"
> --#include "../librpc/gen_ndr/ndr_netlogon.h"
> --#include "../librpc/gen_ndr/ndr_srvsvc.h"
> --#include "../librpc/gen_ndr/ndr_wkssvc.h"
> --#include "../librpc/gen_ndr/ndr_winreg.h"
> --#include "../librpc/gen_ndr/ndr_spoolss.h"
> --#include "../librpc/gen_ndr/ndr_dfs.h"
> --#include "../librpc/gen_ndr/ndr_echo.h"
> --#include "../librpc/gen_ndr/ndr_initshutdown.h"
> --#include "../librpc/gen_ndr/ndr_svcctl.h"
> --#include "../librpc/gen_ndr/ndr_eventlog.h"
> --#include "../librpc/gen_ndr/ndr_ntsvcs.h"
> --#include "../librpc/gen_ndr/ndr_epmapper.h"
> --#include "../librpc/gen_ndr/ndr_drsuapi.h"
> --#include "../librpc/gen_ndr/ndr_fsrvp.h"
> --
> --static const char *get_pipe_name_from_iface(
> -- TALLOC_CTX *mem_ctx, const struct ndr_interface_table *interface)
> --{
> -- int i;
> -- const struct ndr_interface_string_array *ep = interface->endpoints;
> -- char *p;
> --
> -- for (i=0; i<ep->count; i++) {
> -- if (strncmp(ep->names[i], "ncacn_np:[\\pipe\\", 16) == 0) {
> -- break;
> -- }
> -- }
> -- if (i == ep->count) {
> -- return NULL;
> -- }
> --
> -- /*
> -- * extract the pipe name without \\pipe from for example
> -- * ncacn_np:[\\pipe\\epmapper]
> -- */
> -- p = strchr(ep->names[i]+15, ']');
> -- if (p == NULL) {
> -- return "PIPE";
> -- }
> -- return talloc_strndup(mem_ctx, ep->names[i]+15, p - ep->names[i] - 15);
> --}
> --
> --static const struct ndr_interface_table **interfaces;
> --
> --bool smb_register_ndr_interface(const struct ndr_interface_table *interface)
> --{
> -- int num_interfaces = talloc_array_length(interfaces);
> -- const struct ndr_interface_table **tmp;
> -- int i;
> --
> -- for (i=0; i<num_interfaces; i++) {
> -- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id,
> -- &interface->syntax_id)) {
> -- return true;
> -- }
> -- }
> --
> -- tmp = talloc_realloc(NULL, interfaces,
> -- const struct ndr_interface_table *,
> -- num_interfaces + 1);
> -- if (tmp == NULL) {
> -- DEBUG(1, ("smb_register_ndr_interface: talloc failed\n"));
> -- return false;
> -- }
> -- interfaces = tmp;
> -- interfaces[num_interfaces] = interface;
> -- return true;
> --}
> --
> --static bool initialize_interfaces(void)
> --{
> -- if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_samr)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_wkssvc)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_winreg)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_rpcecho)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_svcctl)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_eventlog)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
> -- return false;
> -- }
> -- if (!smb_register_ndr_interface(&ndr_table_FileServerVssAgent)) {
> -- return false;
> -- }
> -- return true;
> --}
> --
> --const struct ndr_interface_table *get_iface_from_syntax(
> -- const struct ndr_syntax_id *syntax)
> --{
> -- int num_interfaces;
> -- int i;
> --
> -- if (interfaces == NULL) {
> -- if (!initialize_interfaces()) {
> -- return NULL;
> -- }
> -- }
> -- num_interfaces = talloc_array_length(interfaces);
> --
> -- for (i=0; i<num_interfaces; i++) {
> -- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id, syntax)) {
> -- return interfaces[i];
> -- }
> -- }
> --
> -- return NULL;
> --}
> --
> --/****************************************************************************
> -- Return the pipe name from the interface.
> -- ****************************************************************************/
> --
> --const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
> -- const struct ndr_syntax_id *syntax)
> --{
> -- const struct ndr_interface_table *interface;
> -- char *guid_str;
> -- const char *result;
> --
> -- interface = get_iface_from_syntax(syntax);
> -- if (interface != NULL) {
> -- result = get_pipe_name_from_iface(mem_ctx, interface);
> -- if (result != NULL) {
> -- return result;
> -- }
> -- }
> --
> -- /*
> -- * Here we should ask \\epmapper, but for now our code is only
> -- * interested in the known pipes mentioned in pipe_names[]
> -- */
> --
> -- guid_str = GUID_string(talloc_tos(), &syntax->uuid);
> -- if (guid_str == NULL) {
> -- return NULL;
> -- }
> -- result = talloc_asprintf(mem_ctx, "Interface %s.%d", guid_str,
> -- (int)syntax->if_version);
> -- TALLOC_FREE(guid_str);
> --
> -- if (result == NULL) {
> -- return "PIPE";
> -- }
> -- return result;
> --}
> --
> -diff --git a/source3/wscript_build b/source3/wscript_build
> -index bb2e928..8126cf6 100755
> ---- a/source3/wscript_build
> -+++ b/source3/wscript_build
> -@@ -141,7 +141,6 @@ LIBSMB_SRC = '''libsmb/clientgen.c libsmb/cliconnect.c libsmb/clifile.c
> -
> - LIBMSRPC_SRC = '''
> - rpc_client/cli_pipe.c
> -- librpc/rpc/rpc_common.c
> - rpc_client/rpc_transport_np.c
> - rpc_client/rpc_transport_sock.c
> - rpc_client/rpc_transport_tstream.c
> ---
> -1.9.3
> -
> -
> -From 2b2d978bd97299371a1fd7798d69ab377a76d389 Mon Sep 17 00:00:00 2001
> -From: Volker Lendecke <vl@samba.org>
> -Date: Wed, 14 Aug 2013 09:27:59 +0000
> -Subject: [PATCH 112/249] winbind3: Fix an invalid free
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -This fixes a warning I've never seen before :-)
> -
> -../source3/winbindd/winbindd_cm.c:781:59: warning: attempt to free a non-heap object ‘machine_krb5_principal’ [-Wfree-nonheap-object]
> -
> -Signed-off-by: Volker Lendecke <vl@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -
> -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> -Autobuild-Date(master): Wed Aug 14 14:04:16 CEST 2013 on sn-devel-104
> -(cherry picked from commit 5f75814586f2d6f7c2dc8fd9342cb045c1f7e68c)
> ----
> - source3/winbindd/winbindd_cm.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> -index facef64..d868826 100644
> ---- a/source3/winbindd/winbindd_cm.c
> -+++ b/source3/winbindd/winbindd_cm.c
> -@@ -840,7 +840,7 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
> - }
> -
> - if (!strupper_m(*machine_krb5_principal)) {
> -- SAFE_FREE(machine_krb5_principal);
> -+ SAFE_FREE(*machine_krb5_principal);
> - return NT_STATUS_INVALID_PARAMETER;
> - }
> - }
> ---
> -1.9.3
> -
> -
> -From 1b88903c4f5931397e22874b3751dd05a03a2dea Mon Sep 17 00:00:00 2001
> -From: Andrew Bartlett <abartlet@samba.org>
> -Date: Fri, 11 Oct 2013 13:34:13 +1300
> -Subject: [PATCH 113/249] s3-winbindd: Remove undocumented winbindd:socket dir
> - parameter
> -
> -This uses the documeted "winbindd socket directory" parameter instead.
> -
> -This came about due to the merge of the two smb.conf tables in s3 and
> -s4 for the Samba 4.0 release. The s4 code used a real parameter,
> -which caused this to be documented, whereas no automatic procedure
> -existed to notice the parametric option and the need to document that.
> -The fact that this was not used consistently in both codebases is one
> -of the many areas of technical debt we still need to pay off here.
> -
> -Andrew Bartlett
> -
> -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit e512491552d9ed0dc1005a23ffc8f77ba237f863)
> ----
> - selftest/target/Samba3.pm | 2 +-
> - source3/include/proto.h | 1 +
> - source3/param/loadparm.c | 1 +
> - source3/winbindd/winbindd.c | 9 ++-------
> - source3/winbindd/winbindd_proto.h | 1 -
> - 5 files changed, 5 insertions(+), 9 deletions(-)
> -
> -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
> -index ba01154..d8f0c27 100755
> ---- a/selftest/target/Samba3.pm
> -+++ b/selftest/target/Samba3.pm
> -@@ -972,7 +972,7 @@ sub provision($$$$$$)
> - printing = bsd
> - printcap name = /dev/null
> -
> -- winbindd:socket dir = $wbsockdir
> -+ winbindd socket directory = $wbsockdir
> - nmbd:socket dir = $nmbdsockdir
> - idmap config * : range = 100000-200000
> - winbind enum users = yes
> -diff --git a/source3/include/proto.h b/source3/include/proto.h
> -index cbad7ac..53cd59d 100644
> ---- a/source3/include/proto.h
> -+++ b/source3/include/proto.h
> -@@ -1069,6 +1069,7 @@ char *lp_wins_hook(TALLOC_CTX *ctx);
> - const char *lp_template_homedir(void);
> - const char *lp_template_shell(void);
> - const char *lp_winbind_separator(void);
> -+const char *lp_winbindd_socket_directory(void);
> - bool lp_winbind_enum_users(void);
> - bool lp_winbind_enum_groups(void);
> - bool lp_winbind_use_default_domain(void);
> -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> -index 4b31023..b2804ae 100644
> ---- a/source3/param/loadparm.c
> -+++ b/source3/param/loadparm.c
> -@@ -961,6 +961,7 @@ static void init_globals(bool reinit_globals)
> - string_set(&Globals.szTemplateShell, "/bin/false");
> - string_set(&Globals.szTemplateHomedir, "/home/%D/%U");
> - string_set(&Globals.szWinbindSeparator, "\\");
> -+ string_set(&Globals.szWinbinddSocketDirectory, dyn_WINBINDD_SOCKET_DIR);
> -
> - string_set(&Globals.szCupsServer, "");
> - string_set(&Globals.szIPrintServer, "");
> -diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
> -index f101e52..69a17bf 100644
> ---- a/source3/winbindd/winbindd.c
> -+++ b/source3/winbindd/winbindd.c
> -@@ -189,7 +189,7 @@ static void terminate(bool is_parent)
> - char *path = NULL;
> -
> - if (asprintf(&path, "%s/%s",
> -- get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME) > 0) {
> -+ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME) > 0) {
> - unlink(path);
> - SAFE_FREE(path);
> - }
> -@@ -1067,11 +1067,6 @@ static void winbindd_listen_fde_handler(struct tevent_context *ev,
> - * Winbindd socket accessor functions
> - */
> -
> --const char *get_winbind_pipe_dir(void)
> --{
> -- return lp_parm_const_string(-1, "winbindd", "socket dir", get_dyn_WINBINDD_SOCKET_DIR());
> --}
> --
> - char *get_winbind_priv_pipe_dir(void)
> - {
> - return state_path(WINBINDD_PRIV_SOCKET_SUBDIR);
> -@@ -1092,7 +1087,7 @@ static bool winbindd_setup_listeners(void)
> -
> - pub_state->privileged = false;
> - pub_state->fd = create_pipe_sock(
> -- get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
> -+ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME, 0755);
> - if (pub_state->fd == -1) {
> - goto failed;
> - }
> -diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
> -index 3df7d7c..cfc19d0 100644
> ---- a/source3/winbindd/winbindd_proto.h
> -+++ b/source3/winbindd/winbindd_proto.h
> -@@ -34,7 +34,6 @@ bool winbindd_setup_stdin_handler(bool parent, bool foreground);
> - bool winbindd_setup_sig_hup_handler(const char *lfile);
> - bool winbindd_use_idmap_cache(void);
> - bool winbindd_use_cache(void);
> --const char *get_winbind_pipe_dir(void);
> - char *get_winbind_priv_pipe_dir(void);
> - struct tevent_context *winbind_event_context(void);
> - int main(int argc, char **argv, char **envp);
> ---
> -1.9.3
> -
> -
> -From d0ae2d10385dea4b8fae3d8932d40f546ff8905b Mon Sep 17 00:00:00 2001
> -From: Andrew Bartlett <abartlet@samba.org>
> -Date: Mon, 14 Oct 2013 15:33:20 +1300
> -Subject: [PATCH 114/249] lib/param: lp_magicchar takes a const struct
> - share_params *p so should be FN_LOCAL_PARM_CHAR
> -
> -This was found when trying to autogenerate prototypes for lp_ functions again.
> -
> -Andrew Bartlett
> -
> -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> ----
> - lib/param/loadparm.c | 2 +-
> - lib/param/param_functions.c | 2 +-
> - source3/param/loadparm.c | 2 +-
> - 3 files changed, 3 insertions(+), 3 deletions(-)
> -
> -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
> -index 455c5e6..4497dbf 100644
> ---- a/lib/param/loadparm.c
> -+++ b/lib/param/loadparm.c
> -@@ -314,7 +314,7 @@ static struct loadparm_context *global_loadparm_context;
> -
> - #define FN_LOCAL_PARM_INTEGER(fn_name, val) FN_LOCAL_INTEGER(fn_name, val)
> -
> --#define FN_LOCAL_CHAR(fn_name,val) \
> -+#define FN_LOCAL_PARM_CHAR(fn_name,val) \
> - _PUBLIC_ char lpcfg_ ## fn_name(struct loadparm_service *service, \
> - struct loadparm_service *sDefault) { \
> - return((service != NULL)? service->val : sDefault->val); \
> -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> -index d9d5df6..60f9c07 100644
> ---- a/lib/param/param_functions.c
> -+++ b/lib/param/param_functions.c
> -@@ -147,7 +147,7 @@ FN_LOCAL_INTEGER(aio_write_size, iAioWriteSize)
> - FN_LOCAL_INTEGER(map_readonly, iMap_readonly)
> - FN_LOCAL_INTEGER(directory_name_cache_size, iDirectoryNameCacheSize)
> - FN_LOCAL_INTEGER(smb_encrypt, ismb_encrypt)
> --FN_LOCAL_CHAR(magicchar, magic_char)
> -+FN_LOCAL_PARM_CHAR(magicchar, magic_char)
> - FN_LOCAL_STRING(cups_options, szCupsOptions)
> - FN_LOCAL_PARM_BOOL(change_notify, bChangeNotify)
> - FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
> -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> -index b2804ae..40f3242 100644
> ---- a/source3/param/loadparm.c
> -+++ b/source3/param/loadparm.c
> -@@ -1116,7 +1116,7 @@ char *lp_ ## fn_name(TALLOC_CTX *ctx,int i) {return(lp_string((ctx), (LP_SNUM_OK
> - bool lp_ ## fn_name(const struct share_params *p) {return(bool)(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
> - #define FN_LOCAL_PARM_INTEGER(fn_name,val) \
> - int lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
> --#define FN_LOCAL_CHAR(fn_name,val) \
> -+#define FN_LOCAL_PARM_CHAR(fn_name,val) \
> - char lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
> -
> -
> ---
> -1.9.3
> -
> -
> -From bf5cb3b6c6e2d3171b70fff5deb9a7767d6609a8 Mon Sep 17 00:00:00 2001
> -From: Andrew Bartlett <abartlet@samba.org>
> -Date: Mon, 14 Oct 2013 13:47:27 +1300
> -Subject: [PATCH 115/249] build: Move loadparm-related build rules to
> - source3/param/wscript_build
> -
> -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source3/param/wscript_build | 32 ++++++++++++++++++++++++++++++++
> - source3/wscript_build | 36 ++----------------------------------
> - 2 files changed, 34 insertions(+), 34 deletions(-)
> - create mode 100644 source3/param/wscript_build
> -
> -diff --git a/source3/param/wscript_build b/source3/param/wscript_build
> -new file mode 100644
> -index 0000000..278d5f5
> ---- /dev/null
> -+++ b/source3/param/wscript_build
> -@@ -0,0 +1,32 @@
> -+#!/usr/bin/env python
> -+
> -+bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
> -+ source='util.c',
> -+ deps='talloc')
> -+
> -+bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
> -+ source='loadparm_ctx.c',
> -+ deps='''talloc s3_param_h param''')
> -+
> -+bld.SAMBA_GENERATOR('s3_param_global_h',
> -+ source= '../../script/mkparamdefs.pl loadparm.c ../../lib/param/param_functions.c',
> -+ target='param_global.h',
> -+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
> -+
> -+bld.SAMBA3_PYTHON('pys3param',
> -+ source='pyparam.c',
> -+ deps='param',
> -+ public_deps='samba-hostconfig pytalloc-util talloc',
> -+ realname='samba/samba3/param.so')
> -+
> -+bld.SAMBA3_SUBSYSTEM('param_service',
> -+ source='service.c',
> -+ deps = 'USER_UTIL param PRINTING')
> -+
> -+bld.SAMBA3_BINARY('test_lp_load',
> -+ source='test_lp_load.c',
> -+ deps='''
> -+ talloc
> -+ param
> -+ popt_samba3''',
> -+ install=False)
> -diff --git a/source3/wscript_build b/source3/wscript_build
> -index 8126cf6..13d15c3 100755
> ---- a/source3/wscript_build
> -+++ b/source3/wscript_build
> -@@ -751,33 +751,9 @@ bld.SAMBA3_SUBSYSTEM('SERVER_MUTEX',
> - source=SERVER_MUTEX_SRC,
> - deps='talloc')
> -
> --bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
> -- source=PARAM_UTIL_SRC,
> -- deps='talloc')
> --
> --bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
> -- source='param/loadparm_ctx.c',
> -- deps='''talloc s3_param_h param''',
> -- vars=locals())
> --
> --bld.SAMBA_GENERATOR('param/param_global_h',
> -- source= '../script/mkparamdefs.pl param/loadparm.c ../lib/param/param_functions.c',
> -- target='param/param_global.h',
> -- rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
> --
> - bld.SAMBA3_SUBSYSTEM('param',
> - source=PARAM_WITHOUT_REG_SRC,
> -- deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h param/param_global_h cups''')
> --
> --bld.SAMBA3_PYTHON('pys3param',
> -- source='param/pyparam.c',
> -- deps='param',
> -- public_deps='samba-hostconfig pytalloc-util talloc',
> -- realname='samba/samba3/param.so')
> --
> --bld.SAMBA3_SUBSYSTEM('param_service',
> -- source='param/service.c',
> -- deps = 'USER_UTIL param PRINTING')
> -+ deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h s3_param_global_h cups''')
> -
> - bld.SAMBA3_SUBSYSTEM('REGFIO',
> - source=REGFIO_SRC,
> -@@ -1566,15 +1542,6 @@ bld.SAMBA3_BINARY('rpc_open_tcp',
> - install=False,
> - vars=locals())
> -
> --bld.SAMBA3_BINARY('test_lp_load',
> -- source=TEST_LP_LOAD_SRC,
> -- deps='''
> -- talloc
> -- param
> -- popt_samba3''',
> -- install=False,
> -- vars=locals())
> --
> - bld.SAMBA3_BINARY('dbwrap_tool',
> - source=DBWRAP_TOOL_SRC,
> - deps='''
> -@@ -1638,6 +1605,7 @@ bld.RECURSE('librpc/idl')
> - bld.RECURSE('libsmb')
> - bld.RECURSE('modules')
> - bld.RECURSE('pam_smbpass')
> -+bld.RECURSE('param')
> - bld.RECURSE('passdb')
> - bld.RECURSE('rpc_server')
> - bld.RECURSE('script')
> ---
> -1.9.3
> -
> -
> -From 281cb415404f7044a4bdbc93a21b2f755cbc74ee Mon Sep 17 00:00:00 2001
> -From: Andrew Bartlett <abartlet@samba.org>
> -Date: Mon, 14 Oct 2013 15:34:40 +1300
> -Subject: [PATCH 116/249] lib/param: Do not attempt to access the s3 function
> - for allocated and subbed string parameters
> -
> -This allows us not to generate array entries for these, which in turn allows
> -us to avoid initialising them. The issue is that we do not have the
> -% macro sub context nor a talloc context handy (yet).
> -
> -Andrew Bartlett
> -
> -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> ----
> - lib/param/loadparm.c | 21 ++++++++++-----------
> - 1 file changed, 10 insertions(+), 11 deletions(-)
> -
> -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
> -index 4497dbf..23b45e2 100644
> ---- a/lib/param/loadparm.c
> -+++ b/lib/param/loadparm.c
> -@@ -232,7 +232,16 @@ static struct loadparm_context *global_loadparm_context;
> - #define lpcfg_default_service global_loadparm_context->sDefault
> - #define lpcfg_global_service(i) global_loadparm_context->services[i]
> -
> --#define FN_GLOBAL_STRING(fn_name,var_name) \
> -+#define FN_GLOBAL_STRING(fn_name,var_name) \
> -+ _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
> -+ if (lp_ctx == NULL) return NULL; \
> -+ if (lp_ctx->s3_fns) { \
> -+ smb_panic( __location__ ": " #fn_name " not implemented because it is an allocated and substiuted string"); \
> -+ } \
> -+ return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
> -+}
> -+
> -+#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
> - _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
> - if (lp_ctx == NULL) return NULL; \
> - if (lp_ctx->s3_fns) { \
> -@@ -242,16 +251,6 @@ static struct loadparm_context *global_loadparm_context;
> - return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
> - }
> -
> --#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
> -- _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
> -- if (lp_ctx == NULL) return NULL; \
> -- if (lp_ctx->s3_fns) { \
> -- SMB_ASSERT(lp_ctx->s3_fns->fn_name); \
> -- return lp_ctx->s3_fns->fn_name(); \
> -- } \
> -- return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
> -- }
> --
> - #define FN_GLOBAL_LIST(fn_name,var_name) \
> - _PUBLIC_ const char **lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
> - if (lp_ctx == NULL) return NULL; \
> ---
> -1.9.3
> -
> -
> -From e610d185d26910e6cb96ddf8507c31c5f1503271 Mon Sep 17 00:00:00 2001
> -From: Andrew Bartlett <abartlet@samba.org>
> -Date: Mon, 14 Oct 2013 15:36:18 +1300
> -Subject: [PATCH 117/249] param: Skip generating hooks for local and string
> - parameters
> -
> -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> ----
> - script/mks3param.pl | 9 ++++++++-
> - 1 file changed, 8 insertions(+), 1 deletion(-)
> -
> -diff --git a/script/mks3param.pl b/script/mks3param.pl
> -index 4222ca5..799958c 100644
> ---- a/script/mks3param.pl
> -+++ b/script/mks3param.pl
> -@@ -108,7 +108,14 @@ sub handle_loadparm($$)
> - {
> - my ($file,$line) = @_;
> -
> -- if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
> -+ # Local parameters don't need the ->s3_fns because the struct
> -+ # loadparm_service is shared and lpcfg_service() checks the ->s3_fns
> -+ # hook
> -+ #
> -+ # STRING isn't handled as we do not yet have a way to pass in a memory context nor
> -+ # do we have a good way of dealing with the % macros yet.
> -+
> -+ if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
> - my $scope = $1;
> - my $type = $2;
> - my $name = $3;
> ---
> -1.9.3
> -
> -
> -From 970290dc75404ab366617210edfca718fe21864b Mon Sep 17 00:00:00 2001
> -From: Andrew Bartlett <abartlet@samba.org>
> -Date: Mon, 14 Oct 2013 15:39:10 +1300
> -Subject: [PATCH 118/249] s3/param: Autogenerate parameters prototypes again
> - after proto.h was frozen
> -
> -This autogenerates the parameters so that we can keep everything in sync easier,
> -particularly when adding new parameters. This will also make it easier to move
> -to a fully autogenerated system in the future, as it reduces special cases.
> -
> -Andrew Bartlett
> -
> -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> ----
> - script/mks3param_proto.pl | 199 ++++++++++++++++++++++++++++++++++++++++++++
> - source3/include/proto.h | 2 +
> - source3/param/wscript_build | 5 ++
> - 3 files changed, 206 insertions(+)
> - create mode 100644 script/mks3param_proto.pl
> -
> -diff --git a/script/mks3param_proto.pl b/script/mks3param_proto.pl
> -new file mode 100644
> -index 0000000..446e343
> ---- /dev/null
> -+++ b/script/mks3param_proto.pl
> -@@ -0,0 +1,199 @@
> -+#!/usr/bin/perl
> -+# Generate loadparm interfaces tables for Samba3/Samba4 integration
> -+# by Andrew Bartlett
> -+# based on mkproto.pl Written by Jelmer Vernooij
> -+# based on the original mkproto.sh by Andrew Tridgell
> -+
> -+use strict;
> -+
> -+# don't use warnings module as it is not portable enough
> -+# use warnings;
> -+
> -+use Getopt::Long;
> -+use File::Basename;
> -+use File::Path;
> -+
> -+#####################################################################
> -+# read a file into a string
> -+
> -+my $file = undef;
> -+my $public_define = undef;
> -+my $_public = "";
> -+my $_private = "";
> -+my $public_data = \$_public;
> -+my $builddir = ".";
> -+my $srcdir = ".";
> -+
> -+sub public($)
> -+{
> -+ my ($d) = @_;
> -+ $$public_data .= $d;
> -+}
> -+
> -+sub usage()
> -+{
> -+ print "Usage: mks3param.pl [options] [c files]\n";
> -+ print "OPTIONS:\n";
> -+ print " --srcdir=path Read files relative to this directory\n";
> -+ print " --builddir=path Write file relative to this directory\n";
> -+ print " --help Print this help message\n\n";
> -+ exit 0;
> -+}
> -+
> -+GetOptions(
> -+ 'file=s' => sub { my ($f,$v) = @_; $file = $v; },
> -+ 'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
> -+ 'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
> -+ 'help' => \&usage
> -+) or exit(1);
> -+
> -+sub normalize_define($$)
> -+{
> -+ my ($define, $file) = @_;
> -+
> -+ if (not defined($define) and defined($file)) {
> -+ $define = "__" . uc($file) . "__";
> -+ $define =~ tr{./}{__};
> -+ $define =~ tr{\-}{_};
> -+ } elsif (not defined($define)) {
> -+ $define = '_S3_PARAM_PROTO_H_';
> -+ }
> -+
> -+ return $define;
> -+}
> -+
> -+$public_define = normalize_define($public_define, $file);
> -+
> -+sub file_load($)
> -+{
> -+ my($filename) = @_;
> -+ local(*INPUTFILE);
> -+ open(INPUTFILE, $filename) or return undef;
> -+ my($saved_delim) = $/;
> -+ undef $/;
> -+ my($data) = <INPUTFILE>;
> -+ close(INPUTFILE);
> -+ $/ = $saved_delim;
> -+ return $data;
> -+}
> -+
> -+sub print_header($$)
> -+{
> -+ my ($file, $header_name) = @_;
> -+ $file->("#ifndef $header_name\n");
> -+ $file->("#define $header_name\n\n");
> -+ $file->("/* This file was automatically generated by mks3param_proto.pl. DO NOT EDIT */\n\n");
> -+}
> -+
> -+sub print_footer($$)
> -+{
> -+ my ($file, $header_name) = @_;
> -+ $file->("\n#endif /* $header_name */\n\n");
> -+}
> -+
> -+sub handle_loadparm($$)
> -+{
> -+ my ($file,$line) = @_;
> -+
> -+ my $scope;
> -+ my $type;
> -+ my $name;
> -+ my $var;
> -+ my $param;
> -+
> -+ if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
> -+ $scope = $1;
> -+ $type = $2;
> -+ $name = $3;
> -+ $var = $4;
> -+ $param = "int";
> -+ } elsif ($line =~ /^FN_(GLOBAL|LOCAL)_PARM_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
> -+ $scope = $1;
> -+ $type = $2;
> -+ $name = $3;
> -+ $var = $4;
> -+ $param = "const struct share_params *p";
> -+ } else {
> -+ return;
> -+ }
> -+
> -+ my %tmap = (
> -+ "BOOL" => "bool ",
> -+ "CONST_STRING" => "const char *",
> -+ "STRING" => "char *",
> -+ "INTEGER" => "int ",
> -+ "CHAR" => "char ",
> -+ "LIST" => "const char **",
> -+ );
> -+
> -+ my %smap = (
> -+ "GLOBAL" => "void",
> -+ "LOCAL" => "$param"
> -+ );
> -+
> -+ if (($type eq "STRING") and ($scope eq "GLOBAL")) {
> -+ $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx);\n");
> -+ } elsif (($type eq "STRING") and ($scope eq "LOCAL")) {
> -+ $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx, $smap{$scope});\n");
> -+ } else {
> -+ $file->("$tmap{$type}lp_$name($smap{$scope});\n");
> -+ }
> -+}
> -+
> -+sub process_file($$)
> -+{
> -+ my ($file, $filename) = @_;
> -+
> -+ $filename =~ s/\.o$/\.c/g;
> -+
> -+ if ($filename =~ /^\//) {
> -+ open(FH, "<$filename") or die("Failed to open $filename");
> -+ } elsif (!open(FH, "< $builddir/$filename")) {
> -+ open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
> -+ }
> -+
> -+ my $comment = undef;
> -+ my $incomment = 0;
> -+ while (my $line = <FH>) {
> -+ if ($line =~ /^\/\*\*/) {
> -+ $comment = "";
> -+ $incomment = 1;
> -+ }
> -+
> -+ if ($incomment) {
> -+ $comment .= $line;
> -+ if ($line =~ /\*\//) {
> -+ $incomment = 0;
> -+ }
> -+ }
> -+
> -+ # these are ordered for maximum speed
> -+ next if ($line =~ /^\s/);
> -+
> -+ next unless ($line =~ /\(/);
> -+
> -+ next if ($line =~ /^\/|[;]/);
> -+
> -+ if ($line =~ /^FN_/) {
> -+ handle_loadparm($file, $line);
> -+ }
> -+ next;
> -+ }
> -+
> -+ close(FH);
> -+}
> -+
> -+
> -+print_header(\&public, $public_define);
> -+
> -+process_file(\&public, $_) foreach (@ARGV);
> -+print_footer(\&public, $public_define);
> -+
> -+if (not defined($file)) {
> -+ print STDOUT $$public_data;
> -+}
> -+
> -+mkpath(dirname($file), 0, 0755);
> -+open(PUBLIC, ">$file") or die("Can't open `$file': $!");
> -+print PUBLIC "$$public_data";
> -+close(PUBLIC);
> -diff --git a/source3/include/proto.h b/source3/include/proto.h
> -index 53cd59d..614baa4 100644
> ---- a/source3/include/proto.h
> -+++ b/source3/include/proto.h
> -@@ -993,6 +993,8 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
> -
> - /* The following definitions come from param/loadparm.c */
> -
> -+#include "source3/param/param_proto.h"
> -+
> - const char **lp_smb_ports(void);
> - const char *lp_dos_charset(void);
> - const char *lp_unix_charset(void);
> -diff --git a/source3/param/wscript_build b/source3/param/wscript_build
> -index 278d5f5..643c27e 100644
> ---- a/source3/param/wscript_build
> -+++ b/source3/param/wscript_build
> -@@ -13,6 +13,11 @@ bld.SAMBA_GENERATOR('s3_param_global_h',
> - target='param_global.h',
> - rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
> -
> -+bld.SAMBA_GENERATOR('s3_param_proto_h',
> -+ source= '../../script/mks3param_proto.pl loadparm.c ../../lib/param/param_functions.c',
> -+ target='param_proto.h',
> -+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
> -+
> - bld.SAMBA3_PYTHON('pys3param',
> - source='pyparam.c',
> - deps='param',
> ---
> -1.9.3
> -
> -
> -From 4f87a4ca65b386e90cca479aabdf9051de2c67e3 Mon Sep 17 00:00:00 2001
> -From: Andrew Bartlett <abartlet@samba.org>
> -Date: Mon, 14 Oct 2013 15:46:43 +1300
> -Subject: [PATCH 119/249] param: Autogenerate s3 lp_ctx glue table
> -
> -This allows us to use more lpcfg_ functions without adding them
> -manually.
> -
> -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> ----
> - lib/param/wscript_build | 1 +
> - script/mks3param_ctx_table.pl | 139 ++++++++++++++++++++++++++++++++++++++++++
> - source3/param/loadparm_ctx.c | 64 +------------------
> - source3/param/wscript_build | 5 ++
> - 4 files changed, 146 insertions(+), 63 deletions(-)
> - create mode 100644 script/mks3param_ctx_table.pl
> -
> -diff --git a/lib/param/wscript_build b/lib/param/wscript_build
> -index 10e05a3..0e1a2e0 100644
> ---- a/lib/param/wscript_build
> -+++ b/lib/param/wscript_build
> -@@ -11,6 +11,7 @@ bld.SAMBA_GENERATOR('s3_param_h',
> - target='s3_param.h',
> - rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
> -
> -+
> - bld.SAMBA_GENERATOR('param_global_h',
> - source= '../../script/mkparamdefs.pl loadparm.c param_functions.c',
> - target='param_global.h',
> -diff --git a/script/mks3param_ctx_table.pl b/script/mks3param_ctx_table.pl
> -new file mode 100644
> -index 0000000..cfd6e02
> ---- /dev/null
> -+++ b/script/mks3param_ctx_table.pl
> -@@ -0,0 +1,139 @@
> -+#!/usr/bin/perl
> -+# Generate loadparm interfaces tables for Samba3/Samba4 integration
> -+# by Andrew Bartlett
> -+# based on mkproto.pl Written by Jelmer Vernooij
> -+# based on the original mkproto.sh by Andrew Tridgell
> -+
> -+use strict;
> -+
> -+# don't use warnings module as it is not portable enough
> -+# use warnings;
> -+
> -+use Getopt::Long;
> -+use File::Basename;
> -+use File::Path;
> -+
> -+#####################################################################
> -+# read a file into a string
> -+
> -+my $file = undef;
> -+my $public_define = undef;
> -+my $_public = "";
> -+my $_private = "";
> -+my $public_data = \$_public;
> -+my $builddir = ".";
> -+my $srcdir = ".";
> -+
> -+sub public($)
> -+{
> -+ my ($d) = @_;
> -+ $$public_data .= $d;
> -+}
> -+
> -+sub usage()
> -+{
> -+ print "Usage: mks3param.pl [options] [c files]\n";
> -+ print "OPTIONS:\n";
> -+ print " --srcdir=path Read files relative to this directory\n";
> -+ print " --builddir=path Write file relative to this directory\n";
> -+ print " --help Print this help message\n\n";
> -+ exit 0;
> -+}
> -+
> -+GetOptions(
> -+ 'file=s' => sub { my ($f,$v) = @_; $file = $v; },
> -+ 'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
> -+ 'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
> -+ 'help' => \&usage
> -+) or exit(1);
> -+
> -+sub file_load($)
> -+{
> -+ my($filename) = @_;
> -+ local(*INPUTFILE);
> -+ open(INPUTFILE, $filename) or return undef;
> -+ my($saved_delim) = $/;
> -+ undef $/;
> -+ my($data) = <INPUTFILE>;
> -+ close(INPUTFILE);
> -+ $/ = $saved_delim;
> -+ return $data;
> -+}
> -+
> -+sub print_header($)
> -+{
> -+ my ($file) = @_;
> -+ $file->("/* This file was automatically generated by mks3param_ctx.pl. DO NOT EDIT */\n\n");
> -+ $file->("static const struct loadparm_s3_helpers s3_fns = \n");
> -+ $file->("{\n");
> -+ $file->("\t.get_parametric = lp_parm_const_string_service,\n");
> -+ $file->("\t.get_parm_struct = lp_get_parameter,\n");
> -+ $file->("\t.get_parm_ptr = lp_parm_ptr,\n");
> -+ $file->("\t.get_service = lp_service_for_s4_ctx,\n");
> -+ $file->("\t.get_servicebynum = lp_servicebynum_for_s4_ctx,\n");
> -+ $file->("\t.get_default_loadparm_service = lp_default_loadparm_service,\n");
> -+ $file->("\t.get_numservices = lp_numservices,\n");
> -+ $file->("\t.load = lp_load_for_s4_ctx,\n");
> -+ $file->("\t.set_cmdline = lp_set_cmdline,\n");
> -+ $file->("\t.dump = lp_dump,\n");
> -+}
> -+
> -+sub print_footer($)
> -+{
> -+ my ($file) = @_;
> -+ $file->("};");
> -+}
> -+
> -+sub handle_loadparm($$)
> -+{
> -+ my ($file,$line) = @_;
> -+
> -+ # STRING isn't handled here, as we still don't know what to do with the substituted vars */
> -+ # LOCAL also isn't handled here
> -+ if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
> -+ my $scope = $1;
> -+ my $type = $2;
> -+ my $name = $3;
> -+
> -+ $file->(".$name = lp_$name,\n");
> -+ }
> -+}
> -+
> -+sub process_file($$)
> -+{
> -+ my ($file, $filename) = @_;
> -+
> -+ $filename =~ s/\.o$/\.c/g;
> -+
> -+ if ($filename =~ /^\//) {
> -+ open(FH, "<$filename") or die("Failed to open $filename");
> -+ } elsif (!open(FH, "< $builddir/$filename")) {
> -+ open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
> -+ }
> -+
> -+ my $comment = undef;
> -+ my $incomment = 0;
> -+ while (my $line = <FH>) {
> -+ if ($line =~ /^FN_/) {
> -+ handle_loadparm($file, $line);
> -+ }
> -+ next;
> -+ }
> -+
> -+ close(FH);
> -+}
> -+
> -+
> -+print_header(\&public);
> -+
> -+process_file(\&public, $_) foreach (@ARGV);
> -+print_footer(\&public);
> -+
> -+if (not defined($file)) {
> -+ print STDOUT $$public_data;
> -+}
> -+
> -+mkpath(dirname($file), 0, 0755);
> -+open(PUBLIC, ">$file") or die("Can't open `$file': $!");
> -+print PUBLIC "$$public_data";
> -+close(PUBLIC);
> -diff --git a/source3/param/loadparm_ctx.c b/source3/param/loadparm_ctx.c
> -index 63ead53..5cbc920 100644
> ---- a/source3/param/loadparm_ctx.c
> -+++ b/source3/param/loadparm_ctx.c
> -@@ -56,69 +56,7 @@ static bool lp_load_for_s4_ctx(const char *filename)
> - return status;
> - }
> -
> --/* These are in the order that they appear in the s4 loadparm file.
> -- * All of the s4 loadparm functions should be here eventually, once
> -- * they are implemented in the s3 loadparm, have the same format (enum
> -- * values in particular) and defaults. */
> --static const struct loadparm_s3_helpers s3_fns =
> --{
> -- .get_parametric = lp_parm_const_string_service,
> -- .get_parm_struct = lp_get_parameter,
> -- .get_parm_ptr = lp_parm_ptr,
> -- .get_service = lp_service_for_s4_ctx,
> -- .get_servicebynum = lp_servicebynum_for_s4_ctx,
> -- .get_default_loadparm_service = lp_default_loadparm_service,
> -- .get_numservices = lp_numservices,
> -- .load = lp_load_for_s4_ctx,
> -- .set_cmdline = lp_set_cmdline,
> -- .dump = lp_dump,
> --
> -- ._server_role = lp__server_role,
> -- ._security = lp__security,
> -- ._domain_master = lp__domain_master,
> -- ._domain_logons = lp__domain_logons,
> --
> -- .winbind_separator = lp_winbind_separator,
> -- .template_homedir = lp_template_homedir,
> -- .template_shell = lp_template_shell,
> --
> -- .dos_charset = lp_dos_charset,
> -- .unix_charset = lp_unix_charset,
> --
> -- .realm = lp_realm,
> -- .dnsdomain = lp_dnsdomain,
> -- .socket_options = lp_socket_options,
> -- .workgroup = lp_workgroup,
> --
> -- .netbios_name = lp_netbios_name,
> -- .netbios_scope = lp_netbios_scope,
> -- .netbios_aliases = lp_netbios_aliases,
> --
> -- .lanman_auth = lp_lanman_auth,
> -- .ntlm_auth = lp_ntlm_auth,
> --
> -- .client_plaintext_auth = lp_client_plaintext_auth,
> -- .client_lanman_auth = lp_client_lanman_auth,
> -- .client_ntlmv2_auth = lp_client_ntlmv2_auth,
> -- .client_use_spnego_principal = lp_client_use_spnego_principal,
> --
> -- .private_dir = lp_private_dir,
> -- .ncalrpc_dir = lp_ncalrpc_dir,
> -- .lockdir = lp_lockdir,
> --
> -- .passdb_backend = lp_passdb_backend,
> --
> -- .host_msdfs = lp_host_msdfs,
> -- .unix_extensions = lp_unix_extensions,
> -- .use_spnego = lp_use_spnego,
> -- .use_mmap = lp_use_mmap,
> -- .use_ntdb = lp_use_ntdb,
> --
> -- .srv_minprotocol = lp_srv_minprotocol,
> -- .srv_maxprotocol = lp_srv_maxprotocol,
> --
> -- .passwordserver = lp_passwordserver
> --};
> -+#include "loadparm_ctx_table.c"
> -
> - const struct loadparm_s3_helpers *loadparm_s3_helpers(void)
> - {
> -diff --git a/source3/param/wscript_build b/source3/param/wscript_build
> -index 643c27e..673cb4d 100644
> ---- a/source3/param/wscript_build
> -+++ b/source3/param/wscript_build
> -@@ -18,6 +18,11 @@ bld.SAMBA_GENERATOR('s3_param_proto_h',
> - target='param_proto.h',
> - rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
> -
> -+bld.SAMBA_GENERATOR('s3_loadparm_ctx_table_c',
> -+ source= ' ../../script/mks3param_ctx_table.pl ../../lib/param/loadparm.c ../../lib/param/param_functions.c',
> -+ target='loadparm_ctx_table.c',
> -+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
> -+
> - bld.SAMBA3_PYTHON('pys3param',
> - source='pyparam.c',
> - deps='param',
> ---
> -1.9.3
> -
> -
> -From 0046f49e1c690cf5b119859650f06559697fd103 Mon Sep 17 00:00:00 2001
> -From: Andrew Bartlett <abartlet@samba.org>
> -Date: Mon, 14 Oct 2013 15:49:25 +1300
> -Subject: [PATCH 120/249] proto: Remove manually written lp_ prototypes
> -
> -This also ensures we remove prototypes from parameters we remove or
> -rename, and easily see how many special cases we have left.
> -
> -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source3/include/proto.h | 361 +-----------------------------------------------
> - 1 file changed, 1 insertion(+), 360 deletions(-)
> -
> -diff --git a/source3/include/proto.h b/source3/include/proto.h
> -index 614baa4..5e068d2 100644
> ---- a/source3/include/proto.h
> -+++ b/source3/include/proto.h
> -@@ -995,379 +995,20 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
> -
> - #include "source3/param/param_proto.h"
> -
> --const char **lp_smb_ports(void);
> --const char *lp_dos_charset(void);
> --const char *lp_unix_charset(void);
> --char *lp_logfile(TALLOC_CTX *ctx);
> --char *lp_configfile(TALLOC_CTX *ctx);
> --const char *lp_smb_passwd_file(void);
> --const char *lp_private_dir(void);
> --char *lp_serverstring(TALLOC_CTX *ctx);
> --int lp_printcap_cache_time(void);
> --char *lp_addport_cmd(TALLOC_CTX *ctx);
> --char *lp_enumports_cmd(TALLOC_CTX *ctx);
> --char *lp_addprinter_cmd(TALLOC_CTX *ctx);
> --char *lp_deleteprinter_cmd(TALLOC_CTX *ctx);
> --char *lp_os2_driver_map(TALLOC_CTX *ctx);
> --const char *lp_lockdir(void);
> - const char *lp_statedir(void);
> - const char *lp_cachedir(void);
> --const char *lp_piddir(void);
> --char *lp_mangling_method(TALLOC_CTX *ctx);
> --int lp_mangle_prefix(void);
> --const char *lp_utmpdir(void);
> --const char *lp_wtmpdir(void);
> --bool lp_utmp(void);
> --char *lp_rootdir(TALLOC_CTX *ctx);
> --char *lp_defaultservice(TALLOC_CTX *ctx);
> --char *lp_msg_command(TALLOC_CTX *ctx);
> --char *lp_get_quota_command(TALLOC_CTX *ctx);
> --char *lp_set_quota_command(TALLOC_CTX *ctx);
> --char *lp_auto_services(TALLOC_CTX *ctx);
> --char *lp_passwd_program(TALLOC_CTX *ctx);
> --char *lp_passwd_chat(TALLOC_CTX *ctx);
> --const char *lp_passwordserver(void);
> --const char **lp_name_resolve_order(void);
> --const char *lp_netbios_scope(void);
> --const char *lp_netbios_name(void);
> --const char *lp_workgroup(void);
> --const char *lp_realm(void);
> --const char *lp_dnsdomain(void);
> --const char *lp_afs_username_map(void);
> --int lp_afs_token_lifetime(void);
> --char *lp_log_nt_token_command(TALLOC_CTX *ctx);
> --char *lp_username_map(TALLOC_CTX *ctx);
> --const char *lp_logon_script(void);
> --const char *lp_logon_path(void);
> --const char *lp_logon_drive(void);
> --const char *lp_logon_home(void);
> --char *lp_remote_announce(TALLOC_CTX *ctx);
> --char *lp_remote_browse_sync(TALLOC_CTX *ctx);
> --bool lp_nmbd_bind_explicit_broadcast(void);
> --const char **lp_wins_server_list(void);
> --const char **lp_interfaces(void);
> --const char *lp_nbt_client_socket_address(void);
> --char *lp_nis_home_map_name(TALLOC_CTX *ctx);
> --const char **lp_netbios_aliases(void);
> --const char *lp_passdb_backend(void);
> --const char **lp_preload_modules(void);
> --char *lp_panic_action(TALLOC_CTX *ctx);
> --char *lp_adduser_script(TALLOC_CTX *ctx);
> --char *lp_renameuser_script(TALLOC_CTX *ctx);
> --char *lp_deluser_script(TALLOC_CTX *ctx);
> --const char *lp_guestaccount(void);
> --char *lp_addgroup_script(TALLOC_CTX *ctx);
> --char *lp_delgroup_script(TALLOC_CTX *ctx);
> --char *lp_addusertogroup_script(TALLOC_CTX *ctx);
> --char *lp_deluserfromgroup_script(TALLOC_CTX *ctx);
> --char *lp_setprimarygroup_script(TALLOC_CTX *ctx);
> --char *lp_addmachine_script(TALLOC_CTX *ctx);
> --char *lp_shutdown_script(TALLOC_CTX *ctx);
> --char *lp_abort_shutdown_script(TALLOC_CTX *ctx);
> --char *lp_username_map_script(TALLOC_CTX *ctx);
> --int lp_username_map_cache_time(void);
> --char *lp_check_password_script(TALLOC_CTX *ctx);
> --char *lp_wins_hook(TALLOC_CTX *ctx);
> --const char *lp_template_homedir(void);
> --const char *lp_template_shell(void);
> --const char *lp_winbind_separator(void);
> --const char *lp_winbindd_socket_directory(void);
> --bool lp_winbind_enum_users(void);
> --bool lp_winbind_enum_groups(void);
> --bool lp_winbind_use_default_domain(void);
> --bool lp_winbind_trusted_domains_only(void);
> --bool lp_winbind_nested_groups(void);
> --int lp_winbind_expand_groups(void);
> --bool lp_winbind_refresh_tickets(void);
> --bool lp_winbind_offline_logon(void);
> --bool lp_winbind_normalize_names(void);
> --bool lp_winbind_rpc_only(void);
> --bool lp_create_krb5_conf(void);
> - int lp_winbind_max_domain_connections(void);
> --int lp_idmap_cache_time(void);
> --int lp_idmap_negative_cache_time(void);
> - bool lp_idmap_range(const char *domain_name, uint32_t *low, uint32_t *high);
> - bool lp_idmap_default_range(uint32_t *low, uint32_t *high);
> - const char *lp_idmap_backend(const char *domain_name);
> - const char *lp_idmap_default_backend (void);
> --int lp_keepalive(void);
> --bool lp_passdb_expand_explicit(void);
> --char *lp_ldap_suffix(TALLOC_CTX *ctx);
> --char *lp_ldap_admin_dn(TALLOC_CTX *ctx);
> --int lp_ldap_ssl(void);
> --bool lp_ldap_ssl_ads(void);
> --int lp_ldap_deref(void);
> --int lp_ldap_follow_referral(void);
> --int lp_ldap_passwd_sync(void);
> --bool lp_ldap_delete_dn(void);
> --int lp_ldap_replication_sleep(void);
> --int lp_ldap_timeout(void);
> --int lp_ldap_connection_timeout(void);
> --int lp_ldap_page_size(void);
> --int lp_ldap_debug_level(void);
> --int lp_ldap_debug_threshold(void);
> --char *lp_add_share_cmd(TALLOC_CTX *ctx);
> --char *lp_change_share_cmd(TALLOC_CTX *ctx);
> --char *lp_delete_share_cmd(TALLOC_CTX *ctx);
> --char *lp_usershare_path(TALLOC_CTX *ctx);
> --const char **lp_usershare_prefix_allow_list(void);
> --const char **lp_usershare_prefix_deny_list(void);
> --const char **lp_eventlog_list(void);
> --bool lp_registry_shares(void);
> --bool lp_usershare_allow_guests(void);
> --bool lp_usershare_owner_only(void);
> --bool lp_disable_netbios(void);
> --bool lp_reset_on_zero_vc(void);
> --bool lp_log_writeable_files_on_exit(void);
> --bool lp_ms_add_printer_wizard(void);
> --bool lp_wins_dns_proxy(void);
> --bool lp_we_are_a_wins_server(void);
> --bool lp_wins_proxy(void);
> --bool lp_local_master(void);
> --const char **lp_init_logon_delayed_hosts(void);
> --int lp_init_logon_delay(void);
> --bool lp_load_printers(void);
> - bool lp_readraw(void);
> --bool lp_large_readwrite(void);
> - bool lp_writeraw(void);
> --bool lp_null_passwords(void);
> --bool lp_obey_pam_restrictions(void);
> --bool lp_encrypted_passwords(void);
> --int lp_client_schannel(void);
> --int lp_server_schannel(void);
> --bool lp_syslog_only(void);
> --bool lp_timestamp_logs(void);
> --bool lp_debug_prefix_timestamp(void);
> --bool lp_debug_hires_timestamp(void);
> --bool lp_debug_pid(void);
> --bool lp_debug_uid(void);
> --bool lp_debug_class(void);
> --bool lp_enable_core_files(void);
> --bool lp_browse_list(void);
> --bool lp_nis_home_map(void);
> --bool lp_bind_interfaces_only(void);
> --bool lp_pam_password_change(void);
> --bool lp_unix_password_sync(void);
> --bool lp_passwd_chat_debug(void);
> --int lp_passwd_chat_timeout(void);
> --bool lp_nt_pipe_support(void);
> --bool lp_nt_status_support(void);
> --bool lp_stat_cache(void);
> --int lp_max_stat_cache_size(void);
> --bool lp_allow_trusted_domains(void);
> --bool lp_map_untrusted_to_domain(void);
> --int lp_restrict_anonymous(void);
> --bool lp_lanman_auth(void);
> --bool lp_ntlm_auth(void);
> --bool lp_client_plaintext_auth(void);
> --bool lp_client_lanman_auth(void);
> --bool lp_client_ntlmv2_auth(void);
> --bool lp_host_msdfs(void);
> --bool lp_enhanced_browsing(void);
> --bool lp_use_mmap(void);
> --bool lp_use_ntdb(void);
> --bool lp_unix_extensions(void);
> --bool lp_unicode(void);
> --bool lp_use_spnego(void);
> --bool lp_client_use_spnego(void);
> --bool lp_client_use_spnego_principal(void);
> --bool lp_hostname_lookups(void);
> --bool lp_change_notify(const struct share_params *p );
> --bool lp_kernel_change_notify(const struct share_params *p );
> --const char * lp_dedicated_keytab_file(void);
> --int lp_kerberos_method(void);
> --bool lp_defer_sharing_violations(void);
> --bool lp_enable_privileges(void);
> --bool lp_enable_asu_support(void);
> --int lp_os_level(void);
> --int lp_max_ttl(void);
> --int lp_max_wins_ttl(void);
> --int lp_min_wins_ttl(void);
> --int lp_max_log_size(void);
> --int lp_max_open_files(void);
> --int lp_open_files_db_hash_size(void);
> --int lp_max_xmit(void);
> --int lp_maxmux(void);
> --int lp_passwordlevel(void);
> --int lp_usernamelevel(void);
> --int lp_deadtime(void);
> --bool lp_getwd_cache(void);
> --int lp_srv_maxprotocol(void);
> --int lp_srv_minprotocol(void);
> --int lp_cli_maxprotocol(void);
> --int lp_cli_minprotocol(void);
> - int lp_security(void);
> --int lp__server_role(void);
> --int lp__security(void);
> --int lp__domain_master(void);
> --bool lp__domain_logons(void);
> --const char **lp_auth_methods(void);
> --bool lp_paranoid_server_security(void);
> --int lp_maxdisksize(void);
> --int lp_lpqcachetime(void);
> --int lp_max_smbd_processes(void);
> --bool lp__disable_spoolss(void);
> --int lp_syslog(void);
> --int lp_lm_announce(void);
> --int lp_lm_interval(void);
> --int lp_machine_password_timeout(void);
> --int lp_map_to_guest(void);
> --int lp_oplock_break_wait_time(void);
> --int lp_lock_spin_time(void);
> --int lp_usershare_max_shares(void);
> --const char *lp_socket_options(void);
> --int lp_config_backend(void);
> --int lp_smb2_max_read(void);
> --int lp_smb2_max_write(void);
> --int lp_smb2_max_trans(void);
> - int lp_smb2_max_credits(void);
> --char *lp_preexec(TALLOC_CTX *ctx, int );
> --char *lp_postexec(TALLOC_CTX *ctx, int );
> --char *lp_rootpreexec(TALLOC_CTX *ctx, int );
> --char *lp_rootpostexec(TALLOC_CTX *ctx, int );
> --char *lp_servicename(TALLOC_CTX *ctx, int );
> --const char *lp_const_servicename(int );
> --char *lp_pathname(TALLOC_CTX *ctx, int );
> --char *lp_dontdescend(TALLOC_CTX *ctx, int );
> --char *lp_username(TALLOC_CTX *ctx, int );
> --const char **lp_invalid_users(int );
> --const char **lp_valid_users(int );
> --const char **lp_admin_users(int );
> --const char **lp_svcctl_list(void);
> --char *lp_cups_options(TALLOC_CTX *ctx, int );
> --char *lp_cups_server(TALLOC_CTX *ctx);
> - int lp_cups_encrypt(void);
> --char *lp_iprint_server(TALLOC_CTX *ctx);
> --int lp_cups_connection_timeout(void);
> --const char *lp_ctdbd_socket(void);
> --const char *_lp_ctdbd_socket(void);
> --const char **lp_cluster_addresses(void);
> --bool lp_clustering(void);
> --int lp_ctdb_timeout(void);
> --int lp_ctdb_locktime_warn_threshold(void);
> --char *lp_printcommand(TALLOC_CTX *ctx, int );
> --char *lp_lpqcommand(TALLOC_CTX *ctx, int );
> --char *lp_lprmcommand(TALLOC_CTX *ctx, int );
> --char *lp_lppausecommand(TALLOC_CTX *ctx, int );
> --char *lp_lpresumecommand(TALLOC_CTX *ctx, int );
> --char *lp_queuepausecommand(TALLOC_CTX *ctx, int );
> --char *lp_queueresumecommand(TALLOC_CTX *ctx, int );
> --const char *lp_printjob_username(int );
> --const char **lp_hostsallow(int );
> --const char **lp_hostsdeny(int );
> --char *lp_magicscript(TALLOC_CTX *ctx, int );
> --char *lp_magicoutput(TALLOC_CTX *ctx, int );
> --char *lp_comment(TALLOC_CTX *ctx, int );
> --char *lp_force_user(TALLOC_CTX *ctx, int );
> --char *lp_force_group(TALLOC_CTX *ctx, int );
> --const char **lp_readlist(int );
> --const char **lp_writelist(int );
> --char *lp_fstype(TALLOC_CTX *ctx, int );
> --const char **lp_vfs_objects(int );
> --char *lp_msdfs_proxy(TALLOC_CTX *ctx, int );
> --char *lp_veto_files(TALLOC_CTX *ctx, int );
> --char *lp_hide_files(TALLOC_CTX *ctx, int );
> --char *lp_veto_oplocks(TALLOC_CTX *ctx, int );
> --bool lp_msdfs_root(int );
> --char *lp_aio_write_behind(TALLOC_CTX *ctx, int );
> --char *lp_dfree_command(TALLOC_CTX *ctx, int );
> --bool lp_autoloaded(int );
> --bool lp_preexec_close(int );
> --bool lp_rootpreexec_close(int );
> --int lp_casesensitive(int );
> --bool lp_preservecase(int );
> --bool lp_shortpreservecase(int );
> --bool lp_hide_dot_files(int );
> --bool lp_hide_special_files(int );
> --bool lp_hideunreadable(int );
> --bool lp_hideunwriteable_files(int );
> --bool lp_browseable(int );
> --bool lp_access_based_share_enum(int );
> --bool lp_readonly(int );
> --bool lp_guest_ok(int );
> --bool lp_guest_only(int );
> --bool lp_administrative_share(int );
> --bool lp_print_ok(int );
> --bool lp_print_notify_backchannel(int );
> --bool lp_map_hidden(int );
> --bool lp_map_archive(int );
> --bool lp_store_dos_attributes(int );
> --bool lp_dmapi_support(int );
> --bool lp_locking(const struct share_params *p );
> --int lp_strict_locking(const struct share_params *p );
> --bool lp_posix_locking(const struct share_params *p );
> --bool lp_oplocks(int );
> --bool lp_kernel_oplocks(int );
> --bool lp_level2_oplocks(int );
> --bool lp_kernel_share_modes(int);
> --bool lp_onlyuser(int );
> --bool lp_manglednames(const struct share_params *p );
> --bool lp_allow_insecure_widelinks(void);
> - bool lp_widelinks(int );
> --bool lp_symlinks(int );
> --bool lp_syncalways(int );
> --bool lp_strict_allocate(int );
> --bool lp_strict_sync(int );
> --bool lp_map_system(int );
> --bool lp_delete_readonly(int );
> --bool lp_fake_oplocks(int );
> --bool lp_recursive_veto_delete(int );
> --bool lp_dos_filemode(int );
> --bool lp_dos_filetimes(int );
> --bool lp_dos_filetime_resolution(int );
> --bool lp_fake_dir_create_times(int);
> --bool lp_async_smb_echo_handler(void);
> --bool lp_multicast_dns_register(void);
> --bool lp_blocking_locks(int );
> --bool lp_inherit_perms(int );
> --bool lp_inherit_acls(int );
> --bool lp_inherit_owner(int );
> --bool lp_use_client_driver(int );
> --bool lp_default_devmode(int );
> --bool lp_force_printername(int );
> --bool lp_nt_acl_support(int );
> --bool lp_force_unknown_acl_user(int );
> --bool lp_ea_support(int );
> --bool lp__use_sendfile(int );
> --bool lp_profile_acls(int );
> --bool lp_map_acl_inherit(int );
> --bool lp_afs_share(int );
> --bool lp_acl_check_permissions(int );
> --bool lp_acl_group_control(int );
> --bool lp_acl_map_full_control(int );
> --bool lp_acl_allow_execute_always(int);
> --bool lp_durable_handles(int);
> --int lp_create_mask(int );
> --int lp_force_create_mode(int );
> --int lp_dir_mask(int );
> --int lp_force_dir_mode(int );
> --int lp_max_connections(int );
> --int lp_defaultcase(int );
> --int lp_minprintspace(int );
> --int lp_printing(int );
> --int lp_max_reported_jobs(int );
> --int lp_oplock_contention_limit(int );
> --int lp_csc_policy(int );
> --int lp_write_cache_size(int );
> --int lp_block_size(int );
> --int lp_dfree_cache_time(int );
> --int lp_allocation_roundup_size(int );
> --int lp_aio_read_size(int );
> --int lp_aio_write_size(int );
> --int lp_map_readonly(int );
> --int lp_directory_name_cache_size(int );
> --int lp_smb_encrypt(int );
> --char lp_magicchar(const struct share_params *p );
> --int lp_winbind_cache_time(void);
> --int lp_winbind_reconnect_delay(void);
> --int lp_winbind_request_timeout(void);
> --int lp_winbind_max_clients(void);
> --const char **lp_winbind_nss_info(void);
> --int lp_algorithmic_rid_base(void);
> --int lp_name_cache_timeout(void);
> --int lp_client_signing(void);
> --int lp_server_signing(void);
> --int lp_client_ldap_sasl_wrapping(void);
> -+
> - char *lp_parm_talloc_string(TALLOC_CTX *ctx, int snum, const char *type, const char *option, const char *def);
> - const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def);
> - struct loadparm_service;
> ---
> -1.9.3
> -
> -
> -From 5d2278756b5a7372106cbdf9b8d66fb8a0cf5033 Mon Sep 17 00:00:00 2001
> -From: Andrew Bartlett <abartlet@samba.org>
> -Date: Wed, 16 Oct 2013 14:45:31 +1300
> -Subject: [PATCH 121/249] lib/param: Add documentation on how loadparm works
> -
> -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Volker Lendecke <vl@samba.org>
> ----
> - lib/param/README | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> - 1 file changed, 69 insertions(+)
> -
> -diff --git a/lib/param/README b/lib/param/README
> -index 403a217..b567d71 100644
> ---- a/lib/param/README
> -+++ b/lib/param/README
> -@@ -1,4 +1,73 @@
> -+libsamba-hostconfig
> -+-------------------
> -+
> - This directory contains "libsamba-hostconfig".
> -
> - The libsamba-hostconfig library provides access to all host-wide configuration
> - such as the configured shares, default parameter values and host secret keys.
> -+
> -+
> -+Adding a parameter
> -+------------------
> -+
> -+To add or change an smb.conf option, you only have to modify
> -+lib/param/param_table.c and lib/param/param_functions.c. The rest is
> -+generated for you.
> -+
> -+
> -+Using smb.conf parameters in the code
> -+-------------------------------------
> -+
> -+Call the lpcfg_*() function. To get the lp_ctx, have the caller pass
> -+it to you. To get a lp_ctx for the source3/param loadparm system, use:
> -+
> -+struct loadparm_context *lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers());
> -+
> -+Remember to talloc_unlink(tmp_ctx, lp_ctx) the result when you are done!
> -+
> -+To get a lp_ctx for the lib/param loadparm system, typically the
> -+pointer is already set up by popt at startup, and is passed down from
> -+cmdline_lp_ctx.
> -+
> -+In pure source3/ code, you may use lp_*() functions, but are
> -+encouraged to use the lpcfg_*() functions so that code can be made
> -+common.
> -+
> -+
> -+How does loadparm_init_s3() work?
> -+---------------------------------
> -+
> -+loadparm_s3_helpers() returns a initialised table of function
> -+pointers, pointing at all global lp_*() functions, except for those
> -+that return substituted strings (% macros). The lpcfg_*() function
> -+then calls this plugged in function, allowing the one function and
> -+pattern to use either loadparm system.
> -+
> -+
> -+There is a lot of generated code, here, what generates what?
> -+------------------------------------------------------------
> -+
> -+The regular format of the CPP macros in param_functions.c is used to
> -+generate up the prototypes (mkproto.pl, mks3param_proto.pl), the service
> -+and globals table (mkparamdefs.pl), the glue table (mmks3param.pl) and
> -+the initilisation of the glue table (mks3param_ctx_table.pl).
> -+
> -+I have tried combining some of these, but it just makes the scripts more
> -+complex.
> -+
> -+The CPP macros are defined in and expand in lib/param/loadparm.c and
> -+source3/param/loadparm.c to read the values from the generated
> -+stuctures. They are CPP #included into these files so that the same
> -+macro has two definitions, depending on the system it is loading into.
> -+
> -+
> -+Why was this done, rather than a 'proper' fix, or just using one system or the other?
> -+-------------------------------------------------------------------------------------
> -+
> -+This was done to allow merging from both ends - merging more parts of
> -+the loadparm handling, and merging code that needs to read the
> -+smb.conf, without having to do it all at once. Ideally
> -+param_functions.c would be generated from param_table.c or (even
> -+better) our XML manpage source, and the CPP macros would instead be
> -+generated expanded as generated C files, but this is a task nobody has
> -+taken on yet.
> ---
> -1.9.3
> -
> -
> -From 7734a867500f5b7415f818077229f74486101c51 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 12 Aug 2013 08:19:08 +0200
> -Subject: [PATCH 122/249] librpc/rpc: add dcerpc_binding_handle_auth_info()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - librpc/rpc/binding_handle.c | 25 +++++++++++++++++++++++++
> - librpc/rpc/rpc_common.h | 8 ++++++++
> - 2 files changed, 33 insertions(+)
> -
> -diff --git a/librpc/rpc/binding_handle.c b/librpc/rpc/binding_handle.c
> -index 9354bbd..714baa7 100644
> ---- a/librpc/rpc/binding_handle.c
> -+++ b/librpc/rpc/binding_handle.c
> -@@ -98,6 +98,31 @@ uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
> - return h->ops->set_timeout(h, timeout);
> - }
> -
> -+void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
> -+ enum dcerpc_AuthType *auth_type,
> -+ enum dcerpc_AuthLevel *auth_level)
> -+{
> -+ enum dcerpc_AuthType _auth_type;
> -+ enum dcerpc_AuthLevel _auth_level;
> -+
> -+ if (auth_type == NULL) {
> -+ auth_type = &_auth_type;
> -+ }
> -+
> -+ if (auth_level == NULL) {
> -+ auth_level = &_auth_level;
> -+ }
> -+
> -+ *auth_type = DCERPC_AUTH_TYPE_NONE;
> -+ *auth_level = DCERPC_AUTH_LEVEL_NONE;
> -+
> -+ if (h->ops->auth_info == NULL) {
> -+ return;
> -+ }
> -+
> -+ h->ops->auth_info(h, auth_type, auth_level);
> -+}
> -+
> - struct dcerpc_binding_handle_raw_call_state {
> - const struct dcerpc_binding_handle_ops *ops;
> - uint8_t *out_data;
> -diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
> -index d2816f5..978229e 100644
> ---- a/librpc/rpc/rpc_common.h
> -+++ b/librpc/rpc/rpc_common.h
> -@@ -189,6 +189,10 @@ struct dcerpc_binding_handle_ops {
> - uint32_t (*set_timeout)(struct dcerpc_binding_handle *h,
> - uint32_t timeout);
> -
> -+ void (*auth_info)(struct dcerpc_binding_handle *h,
> -+ enum dcerpc_AuthType *auth_type,
> -+ enum dcerpc_AuthLevel *auth_level);
> -+
> - struct tevent_req *(*raw_call_send)(TALLOC_CTX *mem_ctx,
> - struct tevent_context *ev,
> - struct dcerpc_binding_handle *h,
> -@@ -259,6 +263,10 @@ bool dcerpc_binding_handle_is_connected(struct dcerpc_binding_handle *h);
> - uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
> - uint32_t timeout);
> -
> -+void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
> -+ enum dcerpc_AuthType *auth_type,
> -+ enum dcerpc_AuthLevel *auth_level);
> -+
> - struct tevent_req *dcerpc_binding_handle_raw_call_send(TALLOC_CTX *mem_ctx,
> - struct tevent_context *ev,
> - struct dcerpc_binding_handle *h,
> ---
> -1.9.3
> -
> -
> -From 04a9531474630c62c3f717e251d9f1469013f5ae Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 12 Aug 2013 08:19:35 +0200
> -Subject: [PATCH 123/249] s3:rpc_client: implement
> - dcerpc_binding_handle_auth_info()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source3/rpc_client/cli_pipe.c | 20 ++++++++++++++++++++
> - 1 file changed, 20 insertions(+)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 64e7f1c..a343997 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -1867,6 +1867,25 @@ static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
> - return rpccli_set_timeout(hs->rpc_cli, timeout);
> - }
> -
> -+static void rpccli_bh_auth_info(struct dcerpc_binding_handle *h,
> -+ enum dcerpc_AuthType *auth_type,
> -+ enum dcerpc_AuthLevel *auth_level)
> -+{
> -+ struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
> -+ struct rpccli_bh_state);
> -+
> -+ if (hs->rpc_cli == NULL) {
> -+ return;
> -+ }
> -+
> -+ if (hs->rpc_cli->auth == NULL) {
> -+ return;
> -+ }
> -+
> -+ *auth_type = hs->rpc_cli->auth->auth_type;
> -+ *auth_level = hs->rpc_cli->auth->auth_level;
> -+}
> -+
> - struct rpccli_bh_raw_call_state {
> - DATA_BLOB in_data;
> - DATA_BLOB out_data;
> -@@ -2046,6 +2065,7 @@ static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
> - .name = "rpccli",
> - .is_connected = rpccli_bh_is_connected,
> - .set_timeout = rpccli_bh_set_timeout,
> -+ .auth_info = rpccli_bh_auth_info,
> - .raw_call_send = rpccli_bh_raw_call_send,
> - .raw_call_recv = rpccli_bh_raw_call_recv,
> - .disconnect_send = rpccli_bh_disconnect_send,
> ---
> -1.9.3
> -
> -
> -From 1db891bac30bb6c3bb0a022c5d1529a9f001237d Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 12 Aug 2013 08:19:57 +0200
> -Subject: [PATCH 124/249] s4:librpc: implement
> - dcerpc_binding_handle_auth_info()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source4/librpc/rpc/dcerpc.c | 24 ++++++++++++++++++++++++
> - 1 file changed, 24 insertions(+)
> -
> -diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
> -index 2826160..56b821e 100644
> ---- a/source4/librpc/rpc/dcerpc.c
> -+++ b/source4/librpc/rpc/dcerpc.c
> -@@ -200,6 +200,29 @@ static uint32_t dcerpc_bh_set_timeout(struct dcerpc_binding_handle *h,
> - return old;
> - }
> -
> -+static void dcerpc_bh_auth_info(struct dcerpc_binding_handle *h,
> -+ enum dcerpc_AuthType *auth_type,
> -+ enum dcerpc_AuthLevel *auth_level)
> -+{
> -+ struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
> -+ struct dcerpc_bh_state);
> -+
> -+ if (hs->p == NULL) {
> -+ return;
> -+ }
> -+
> -+ if (hs->p->conn == NULL) {
> -+ return;
> -+ }
> -+
> -+ if (hs->p->conn->security_state.auth_info == NULL) {
> -+ return;
> -+ }
> -+
> -+ *auth_type = hs->p->conn->security_state.auth_info->auth_type;
> -+ *auth_level = hs->p->conn->security_state.auth_info->auth_level;
> -+}
> -+
> - struct dcerpc_bh_raw_call_state {
> - struct tevent_context *ev;
> - struct dcerpc_binding_handle *h;
> -@@ -552,6 +575,7 @@ static const struct dcerpc_binding_handle_ops dcerpc_bh_ops = {
> - .name = "dcerpc",
> - .is_connected = dcerpc_bh_is_connected,
> - .set_timeout = dcerpc_bh_set_timeout,
> -+ .auth_info = dcerpc_bh_auth_info,
> - .raw_call_send = dcerpc_bh_raw_call_send,
> - .raw_call_recv = dcerpc_bh_raw_call_recv,
> - .disconnect_send = dcerpc_bh_disconnect_send,
> ---
> -1.9.3
> -
> -
> -From 76304ed57d561eb89dceb3881236a78209dd592c Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 17 Sep 2013 04:25:39 +0200
> -Subject: [PATCH 125/249] s3:winbindd: don't hide the error in cm_connect_lsa()
> -
> -We should not overwrite the error with NT_STATUS_PIPE_NOT_AVAILABLE.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source3/winbindd/winbindd_cm.c | 1 -
> - 1 file changed, 1 deletion(-)
> -
> -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> -index d868826..c4f59d3 100644
> ---- a/source3/winbindd/winbindd_cm.c
> -+++ b/source3/winbindd/winbindd_cm.c
> -@@ -2677,7 +2677,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - &ndr_table_lsarpc,
> - &conn->lsa_pipe);
> - if (!NT_STATUS_IS_OK(result)) {
> -- result = NT_STATUS_PIPE_NOT_AVAILABLE;
> - goto done;
> - }
> -
> ---
> -1.9.3
> -
> -
> -From 9948366e88b1d11127317008c79a2f7182a34d65 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 2 Sep 2013 09:24:42 +0200
> -Subject: [PATCH 126/249] s3:include: add forward declaration for struct
> - messaging_context; in g_lock.h
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source3/include/g_lock.h | 1 +
> - 1 file changed, 1 insertion(+)
> -
> -diff --git a/source3/include/g_lock.h b/source3/include/g_lock.h
> -index 004c452..f513349 100644
> ---- a/source3/include/g_lock.h
> -+++ b/source3/include/g_lock.h
> -@@ -23,6 +23,7 @@
> - #include "dbwrap/dbwrap.h"
> -
> - struct g_lock_ctx;
> -+struct messaging_context;
> -
> - enum g_lock_type {
> - G_LOCK_READ = 0,
> ---
> -1.9.3
> -
> -
> -From 4c30267e3c26cb065b908ff396ca21937fc870c4 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 2 Sep 2013 19:29:05 +0200
> -Subject: [PATCH 127/249] s3:include: fix messaging_send_buf() protype in
> - messages.h
> -
> -The function already used 'uint8_t' instead of 'uint8'.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source3/include/messages.h | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/source3/include/messages.h b/source3/include/messages.h
> -index 09c39cc..50b2a84 100644
> ---- a/source3/include/messages.h
> -+++ b/source3/include/messages.h
> -@@ -139,7 +139,7 @@ NTSTATUS messaging_send(struct messaging_context *msg_ctx,
> -
> - NTSTATUS messaging_send_buf(struct messaging_context *msg_ctx,
> - struct server_id server, uint32_t msg_type,
> -- const uint8 *buf, size_t len);
> -+ const uint8_t *buf, size_t len);
> - void messaging_dispatch_rec(struct messaging_context *msg_ctx,
> - struct messaging_rec *rec);
> -
> ---
> -1.9.3
> -
> -
> -From ff45e4d1ca6cff9b2f329d18e98ebd4883639ed9 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 27 Aug 2013 12:09:51 +0200
> -Subject: [PATCH 128/249] s3:auth_domain: remove dead code in
> - check_trustdomain_security()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source3/auth/auth_domain.c | 22 ----------------------
> - 1 file changed, 22 deletions(-)
> -
> -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> -index 06078e2..9f88c4a 100644
> ---- a/source3/auth/auth_domain.c
> -+++ b/source3/auth/auth_domain.c
> -@@ -378,8 +378,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
> - struct auth_serversupplied_info **server_info)
> - {
> - NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
> -- unsigned char trust_md4_password[16];
> -- char *trust_password;
> - fstring dc_name;
> - struct sockaddr_storage dc_ss;
> -
> -@@ -408,26 +406,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
> - if ( !is_trusted_domain( user_info->mapped.domain_name ) )
> - return NT_STATUS_NOT_IMPLEMENTED;
> -
> -- /*
> -- * Get the trusted account password for the trusted domain
> -- * No need to become_root() as secrets_init() is done at startup.
> -- */
> --
> -- if (!pdb_get_trusteddom_pw(user_info->mapped.domain_name, &trust_password,
> -- NULL, NULL)) {
> -- DEBUG(0, ("check_trustdomain_security: could not fetch trust "
> -- "account password for domain %s\n",
> -- user_info->mapped.domain_name));
> -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> -- }
> --
> --#ifdef DEBUG_PASSWORD
> -- DEBUG(100, ("Trust password for domain %s is %s\n", user_info->mapped.domain_name,
> -- trust_password));
> --#endif
> -- E_md4hash(trust_password, trust_md4_password);
> -- SAFE_FREE(trust_password);
> --
> - /* use get_dc_name() for consistency even through we know that it will be
> - a netbios name */
> -
> ---
> -1.9.3
> -
> -
> -From d9160b0834f74508b711eeec0354aa43d5a1b215 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 2 Sep 2013 20:18:39 +0200
> -Subject: [PATCH 129/249] s3:libsmb: remove unused
> - change_trust_account_password()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source3/include/proto.h | 1 -
> - source3/libsmb/trusts_util.c | 72 --------------------------------------------
> - 2 files changed, 73 deletions(-)
> -
> -diff --git a/source3/include/proto.h b/source3/include/proto.h
> -index 5e068d2..a40d3c1 100644
> ---- a/source3/include/proto.h
> -+++ b/source3/include/proto.h
> -@@ -989,7 +989,6 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
> - NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> - TALLOC_CTX *mem_ctx,
> - const char *domain) ;
> --NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine);
> -
> - /* The following definitions come from param/loadparm.c */
> -
> -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> -index 6156ba0..8a0e53d 100644
> ---- a/source3/libsmb/trusts_util.c
> -+++ b/source3/libsmb/trusts_util.c
> -@@ -135,75 +135,3 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> - sec_channel_type);
> - }
> -
> --NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine)
> --{
> -- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
> -- struct sockaddr_storage pdc_ss;
> -- fstring dc_name;
> -- struct cli_state *cli = NULL;
> -- struct rpc_pipe_client *netlogon_pipe = NULL;
> --
> -- DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
> -- domain));
> --
> -- if (remote_machine == NULL || !strcmp(remote_machine, "*")) {
> -- /* Use the PDC *only* for this */
> --
> -- if ( !get_pdc_ip(domain, &pdc_ss) ) {
> -- DEBUG(0,("Can't get IP for PDC for domain %s\n", domain));
> -- goto failed;
> -- }
> --
> -- if ( !name_status_find( domain, 0x1b, 0x20, &pdc_ss, dc_name) )
> -- goto failed;
> -- } else {
> -- /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
> -- fstrcpy( dc_name, remote_machine );
> -- }
> --
> -- /* if this next call fails, then give up. We can't do
> -- password changes on BDC's --jerry */
> --
> -- if (!NT_STATUS_IS_OK(cli_full_connection(&cli, lp_netbios_name(), dc_name,
> -- NULL, 0,
> -- "IPC$", "IPC",
> -- "", "",
> -- "", 0, SMB_SIGNING_DEFAULT))) {
> -- DEBUG(0,("modify_trust_password: Connection to %s failed!\n", dc_name));
> -- nt_status = NT_STATUS_UNSUCCESSFUL;
> -- goto failed;
> -- }
> --
> -- /*
> -- * Ok - we have an anonymous connection to the IPC$ share.
> -- * Now start the NT Domain stuff :-).
> -- */
> --
> -- /* Shouldn't we open this with schannel ? JRA. */
> --
> -- nt_status = cli_rpc_pipe_open_noauth(
> -- cli, &ndr_table_netlogon, &netlogon_pipe);
> -- if (!NT_STATUS_IS_OK(nt_status)) {
> -- DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
> -- dc_name, nt_errstr(nt_status)));
> -- cli_shutdown(cli);
> -- cli = NULL;
> -- goto failed;
> -- }
> --
> -- nt_status = trust_pw_find_change_and_store_it(
> -- netlogon_pipe, netlogon_pipe, domain);
> --
> -- cli_shutdown(cli);
> -- cli = NULL;
> --
> --failed:
> -- if (!NT_STATUS_IS_OK(nt_status)) {
> -- DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n",
> -- current_timestring(talloc_tos(), False), domain));
> -- }
> -- else
> -- DEBUG(5,("change_trust_account_password: sucess!\n"));
> --
> -- return nt_status;
> --}
> ---
> -1.9.3
> -
> -
> -From c6b50a3d8c382f19a8ae16428d557928438be464 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 2 Sep 2013 20:19:28 +0200
> -Subject: [PATCH 130/249] s3:libsmb: inline trust_pw_change_and_store_it() into
> - trust_pw_find_change_and_store_it()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source3/include/proto.h | 5 -----
> - source3/libsmb/trusts_util.c | 50 +++++++++++++-------------------------------
> - 2 files changed, 15 insertions(+), 40 deletions(-)
> -
> -diff --git a/source3/include/proto.h b/source3/include/proto.h
> -index a40d3c1..216a377 100644
> ---- a/source3/include/proto.h
> -+++ b/source3/include/proto.h
> -@@ -981,11 +981,6 @@ void update_trustdom_cache( void );
> -
> - /* The following definitions come from libsmb/trusts_util.c */
> -
> --NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
> -- const char *domain,
> -- const char *account_name,
> -- unsigned char orig_trust_passwd_hash[16],
> -- enum netr_SchannelType sec_channel_type);
> - NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> - TALLOC_CTX *mem_ctx,
> - const char *domain) ;
> -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> -index 8a0e53d..428e0c1 100644
> ---- a/source3/libsmb/trusts_util.c
> -+++ b/source3/libsmb/trusts_util.c
> -@@ -29,20 +29,27 @@
> -
> - /*********************************************************
> - Change the domain password on the PDC.
> -- Store the password ourselves, but use the supplied password
> -- Caller must have already setup the connection to the NETLOGON pipe
> -+ Do most of the legwork ourselfs. Caller must have
> -+ already setup the connection to the NETLOGON pipe
> - **********************************************************/
> -
> --NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
> -- const char *domain,
> -- const char *account_name,
> -- unsigned char orig_trust_passwd_hash[16],
> -- enum netr_SchannelType sec_channel_type)
> -+NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> -+ TALLOC_CTX *mem_ctx,
> -+ const char *domain)
> - {
> -+ unsigned char old_trust_passwd_hash[16];
> - unsigned char new_trust_passwd_hash[16];
> -+ enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
> -+ const char *account_name;
> - char *new_trust_passwd;
> - NTSTATUS nt_status;
> -
> -+ if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
> -+ &sec_channel_type)) {
> -+ DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
> -+ return NT_STATUS_UNSUCCESSFUL;
> -+ }
> -+
> - switch (sec_channel_type) {
> - case SEC_CHAN_WKSTA:
> - case SEC_CHAN_DOMAIN:
> -@@ -64,7 +71,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
> -
> - nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
> - account_name,
> -- orig_trust_passwd_hash,
> -+ old_trust_passwd_hash,
> - new_trust_passwd,
> - new_trust_passwd_hash,
> - sec_channel_type);
> -@@ -108,30 +115,3 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
> -
> - return nt_status;
> - }
> --
> --/*********************************************************
> -- Change the domain password on the PDC.
> -- Do most of the legwork ourselfs. Caller must have
> -- already setup the connection to the NETLOGON pipe
> --**********************************************************/
> --
> --NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> -- TALLOC_CTX *mem_ctx,
> -- const char *domain)
> --{
> -- unsigned char old_trust_passwd_hash[16];
> -- enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
> -- const char *account_name;
> --
> -- if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
> -- &sec_channel_type)) {
> -- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
> -- return NT_STATUS_UNSUCCESSFUL;
> -- }
> --
> -- return trust_pw_change_and_store_it(cli, mem_ctx, domain,
> -- account_name,
> -- old_trust_passwd_hash,
> -- sec_channel_type);
> --}
> --
> ---
> -1.9.3
> -
> -
> -From fdac5d6b0ed96f262830a3a923b9d2a42d7fd98d Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 20 Sep 2013 04:14:00 +0200
> -Subject: [PATCH 131/249] s4:librpc: make dcerpc_schannel_key_send/recv static
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source4/librpc/rpc/dcerpc_schannel.c | 4 ++--
> - 1 file changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
> -index 130ebeb..cd62508 100644
> ---- a/source4/librpc/rpc/dcerpc_schannel.c
> -+++ b/source4/librpc/rpc/dcerpc_schannel.c
> -@@ -306,7 +306,7 @@ static void continue_srv_auth2(struct tevent_req *subreq)
> - Initiate establishing a schannel key using netlogon challenge
> - on a secondary pipe
> - */
> --struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
> -+static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
> - struct dcerpc_pipe *p,
> - struct cli_credentials *credentials,
> - struct loadparm_context *lp_ctx)
> -@@ -369,7 +369,7 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
> - /*
> - Receive result of schannel key request
> - */
> --NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
> -+static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
> - {
> - NTSTATUS status = composite_wait(c);
> -
> ---
> -1.9.3
> -
> -
> -From de42a3f8b1a69a5abd5fb1a95e1c5f80ee68430e Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 20 Sep 2013 04:16:00 +0200
> -Subject: [PATCH 132/249] s4:librpc: let dcerpc_schannel_key_recv() return
> - netlogon_creds_CredentialState
> -
> -cli_credentials_set_netlogon_creds() should only be used directly before
> -a DCERPC bind in order to pass the session information to the
> -gensec layer.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source4/librpc/rpc/dcerpc_schannel.c | 24 +++++++++++++++---------
> - 1 file changed, 15 insertions(+), 9 deletions(-)
> -
> -diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
> -index cd62508..c4bedfa 100644
> ---- a/source4/librpc/rpc/dcerpc_schannel.c
> -+++ b/source4/librpc/rpc/dcerpc_schannel.c
> -@@ -296,9 +296,6 @@ static void continue_srv_auth2(struct tevent_req *subreq)
> - return;
> - }
> -
> -- /* setup current netlogon credentials */
> -- cli_credentials_set_netlogon_creds(s->credentials, s->creds);
> --
> - composite_done(c);
> - }
> -
> -@@ -369,10 +366,19 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
> - /*
> - Receive result of schannel key request
> - */
> --static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
> -+static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_CredentialState **creds)
> - {
> - NTSTATUS status = composite_wait(c);
> --
> -+
> -+ if (NT_STATUS_IS_OK(status)) {
> -+ struct schannel_key_state *s =
> -+ talloc_get_type_abort(c->private_data,
> -+ struct schannel_key_state);
> -+ *creds = talloc_move(mem_ctx, &s->creds);
> -+ }
> -+
> - talloc_free(c);
> - return status;
> - }
> -@@ -410,13 +416,15 @@ static void continue_schannel_key(struct composite_context *ctx)
> - NTSTATUS status;
> -
> - /* receive schannel key */
> -- status = c->status = dcerpc_schannel_key_recv(ctx);
> -+ status = c->status = dcerpc_schannel_key_recv(ctx, s, &s->creds_state);
> - if (!composite_is_ok(c)) {
> - DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
> - return;
> - }
> -
> - /* send bind auth request with received creds */
> -+ cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
> -+
> - auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
> - lpcfg_gensec_settings(c, s->lp_ctx),
> - DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
> -@@ -447,9 +455,6 @@ static void continue_bind_auth(struct composite_context *ctx)
> - &ndr_table_netlogon.syntax_id)) {
> - ZERO_STRUCT(s->return_auth);
> -
> -- s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
> -- if (composite_nomem(s->creds_state, c)) return;
> --
> - s->save_creds_state = *s->creds_state;
> - netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
> -
> -@@ -528,6 +533,7 @@ static void continue_get_capabilities(struct tevent_req *subreq)
> - }
> -
> - *s->creds_state = s->save_creds_state;
> -+ cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
> -
> - if (!NT_STATUS_IS_OK(s->c.out.result)) {
> - composite_error(c, s->c.out.result);
> ---
> -1.9.3
> -
> -
> -From f6a6e4e91b676461dc8b6dd5abca4120d9bf920a Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 20 Sep 2013 04:33:07 +0200
> -Subject: [PATCH 133/249] auth:credentials: avoid talloc_reference in
> - cli_credentials_set_netlogon_creds()
> -
> -Typically cli_credentials_set_netlogon_creds() should be used directly
> -before the DCERPC bind. And cli_credentials_get_netlogon_creds()
> -should be only used by the gensec layer, which only needs a copy.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ----
> - auth/credentials/credentials.c | 6 +++++-
> - 1 file changed, 5 insertions(+), 1 deletion(-)
> -
> -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> -index 57a7c0b..9ce38d0 100644
> ---- a/auth/credentials/credentials.c
> -+++ b/auth/credentials/credentials.c
> -@@ -814,7 +814,11 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
> - _PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
> - struct netlogon_creds_CredentialState *netlogon_creds)
> - {
> -- cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
> -+ TALLOC_FREE(cred->netlogon_creds);
> -+ if (netlogon_creds == NULL) {
> -+ return;
> -+ }
> -+ cred->netlogon_creds = netlogon_creds_copy(cred, netlogon_creds);
> - }
> -
> - /**
> ---
> -1.9.3
> -
> -
> -From 14b9bb276a798ad71776ebcb698afeeb44aa173a Mon Sep 17 00:00:00 2001
> -From: Volker Lendecke <vl@samba.org>
> -Date: Sat, 9 Nov 2013 19:14:15 +0100
> -Subject: [PATCH 134/249] libsmb: Fix CID 1127343 Dead default in switch
> -
> -We have checked sec_channel_type a few lines above already
> -
> -Signed-off-by: Volker Lendecke <vl@samba.org>
> -Reviewed-by: Ira Cooper <ira@samba.org>
> -(cherry picked from commit 1cae867f72b79995a02eed96265fe9f69ce945da)
> ----
> - source3/libsmb/trusts_util.c | 2 --
> - 1 file changed, 2 deletions(-)
> -
> -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> -index 428e0c1..52fb481 100644
> ---- a/source3/libsmb/trusts_util.c
> -+++ b/source3/libsmb/trusts_util.c
> -@@ -108,8 +108,6 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> - }
> - break;
> - }
> -- default:
> -- break;
> - }
> - }
> -
> ---
> -1.9.3
> -
> -
> -From efb32bbe25d534f69aca03e0945220cb5049c366 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 29 Nov 2013 09:46:01 +0100
> -Subject: [PATCH 135/249] s3:rpc_server: use make_session_info_guest() directly
> -
> -This removes the useless static auth_anonymous_session_info() wrapper.
> -
> -auth_anonymous_session_info() is also a public function in source4.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit ae6720117ae5fb3c922486ce46e2b0d51e020301)
> ----
> - source3/rpc_server/rpc_server.c | 22 ++++++----------------
> - 1 file changed, 6 insertions(+), 16 deletions(-)
> -
> -diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
> -index de54ddc..c3a7f28 100644
> ---- a/source3/rpc_server/rpc_server.c
> -+++ b/source3/rpc_server/rpc_server.c
> -@@ -37,19 +37,6 @@
> - #define SERVER_TCP_LOW_PORT 1024
> - #define SERVER_TCP_HIGH_PORT 1300
> -
> --static NTSTATUS auth_anonymous_session_info(TALLOC_CTX *mem_ctx,
> -- struct auth_session_info **session_info)
> --{
> -- NTSTATUS status;
> --
> -- status = make_session_info_guest(mem_ctx, session_info);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> --
> -- return NT_STATUS_OK;
> --}
> --
> - /* Creates a pipes_struct and initializes it with the information
> - * sent from the client */
> - static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
> -@@ -1067,11 +1054,14 @@ void dcerpc_ncacn_accept(struct tevent_context *ev_ctx,
> - }
> -
> - if (ncacn_conn->session_info == NULL) {
> -- status = auth_anonymous_session_info(ncacn_conn,
> -- &ncacn_conn->session_info);
> -+ /*
> -+ * TODO: use auth_anonymous_session_info() here?
> -+ */
> -+ status = make_session_info_guest(ncacn_conn,
> -+ &ncacn_conn->session_info);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(2, ("Failed to create "
> -- "auth_anonymous_session_info - %s\n",
> -+ "make_session_info_guest - %s\n",
> - nt_errstr(status)));
> - talloc_free(ncacn_conn);
> - return;
> ---
> -1.9.3
> -
> -
> -From 215d591403e63b785308ff5d6b2e3c87ad9ee408 Mon Sep 17 00:00:00 2001
> -From: Garming Sam <garming@catalyst.net.nz>
> -Date: Fri, 29 Nov 2013 16:51:08 +1300
> -Subject: [PATCH 136/249] selftest: add new rpc client test
> -
> -Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
> -
> -Signed-off-by: Garming Sam <garming@catalyst.net.nz>
> -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 0e46205ff83d137ca486868e4376b258b6dfa1a2)
> ----
> - source3/script/tests/test_rpcclient_samlogon.sh | 27 +++++++++++++++++++++++++
> - source3/selftest/tests.py | 2 ++
> - 2 files changed, 29 insertions(+)
> - create mode 100755 source3/script/tests/test_rpcclient_samlogon.sh
> -
> -diff --git a/source3/script/tests/test_rpcclient_samlogon.sh b/source3/script/tests/test_rpcclient_samlogon.sh
> -new file mode 100755
> -index 0000000..01af7f8
> ---- /dev/null
> -+++ b/source3/script/tests/test_rpcclient_samlogon.sh
> -@@ -0,0 +1,27 @@
> -+#!/bin/sh
> -+
> -+if [ $# -lt 3 ]; then
> -+cat <<EOF
> -+Usage: test_rpcclient_samlogon.sh USERNAME PASSWORD binding <rpcclient commands>
> -+EOF
> -+exit 1;
> -+fi
> -+
> -+USERNAME="$1"
> -+PASSWORD="$2"
> -+shift 2
> -+ADDARGS="$*"
> -+
> -+rpcclient_samlogon()
> -+{
> -+ $VALGRIND $BINDIR/rpcclient -U% -c "samlogon $USERNAME $PASSWORD;samlogon $USERNAME $PASSWORD" $@
> -+}
> -+
> -+
> -+incdir=`dirname $0`/../../../testprogs/blackbox
> -+. $incdir/subunit.sh
> -+testit "rpcclient dsenumdomtrusts" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "dsenumdomtrusts" || failed=`expr $failed + 1`
> -+testit "rpcclient getdcsitecoverage" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "getdcsitecoverage" || failed=`expr $failed + 1`
> -+testit "rpcclient samlogon" rpcclient_samlogon $ADDARGS || failed=`expr $failed +1`
> -+
> -+testok $0 $failed
> -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
> -index 85d67d6..f9cc3d1 100755
> ---- a/source3/selftest/tests.py
> -+++ b/source3/selftest/tests.py
> -@@ -394,6 +394,8 @@ for s in signseal_options:
> - plantestsuite("samba3.blackbox.rpcclient krb5 ncacn_np with [%s%s%s] " % (a, s, e), "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient.sh"),
> - "$PREFIX/ktest/krb5_ccache-3", binding_string, "-k", configuration])
> -
> -+plantestsuite("samba3.blackbox.rpcclient_samlogon", "s3member:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"),
> -+ "$DC_USERNAME", "$DC_PASSWORD", "ncacn_np:$DC_SERVER", configuration])
> -
> - options_list = ["", "-e"]
> - for options in options_list:
> ---
> -1.9.3
> -
> -
> -From 05251d449931c29a0bb0c0b8ad194253dc5b66cb Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 29 Nov 2013 08:45:38 +0100
> -Subject: [PATCH 137/249] s3:rpcclient: close the connection if setting up the
> - netlogon secure channel fails
> -
> -This is based on a patch from Garming Sam <garming@catalyst.net.nz>.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 2fae806550f3355298541a344b217bf810bf92e4)
> ----
> - source3/rpcclient/rpcclient.c | 5 +++++
> - 1 file changed, 5 insertions(+)
> -
> -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> -index cb7b70f..0cbec20 100644
> ---- a/source3/rpcclient/rpcclient.c
> -+++ b/source3/rpcclient/rpcclient.c
> -@@ -768,6 +768,10 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - trust_password, &machine_account,
> - &sec_channel_type))
> - {
> -+ DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
> -+ get_cmdline_auth_info_domain(auth_info),
> -+ cmd_entry->table->name));
> -+ TALLOC_FREE(cmd_entry->rpc_pipe);
> - talloc_free(mem_ctx);
> - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> - }
> -@@ -784,6 +788,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - if (!NT_STATUS_IS_OK(ntresult)) {
> - DEBUG(0, ("Could not initialise credentials for %s.\n",
> - cmd_entry->table->name));
> -+ TALLOC_FREE(cmd_entry->rpc_pipe);
> - talloc_free(mem_ctx);
> - return ntresult;
> - }
> ---
> -1.9.3
> -
> -
> -From 8d3336b9a61a185a4194313fec338321fed6b151 Mon Sep 17 00:00:00 2001
> -From: Garming Sam <garming@catalyst.net.nz>
> -Date: Mon, 2 Dec 2013 13:20:39 +1300
> -Subject: [PATCH 138/249] selftest: add new credential change test
> -
> -Signed-off-by: Garming Sam <garming@catalyst.net.nz>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 48820b95285f7dffd827143ba56f432f3e283a6f)
> ----
> - source3/script/tests/test_net_cred_change.sh | 16 ++++++++++++++++
> - source3/selftest/tests.py | 3 +++
> - 2 files changed, 19 insertions(+)
> - create mode 100755 source3/script/tests/test_net_cred_change.sh
> -
> -diff --git a/source3/script/tests/test_net_cred_change.sh b/source3/script/tests/test_net_cred_change.sh
> -new file mode 100755
> -index 0000000..9013d07
> ---- /dev/null
> -+++ b/source3/script/tests/test_net_cred_change.sh
> -@@ -0,0 +1,16 @@
> -+#!/bin/sh
> -+
> -+if [ $# -lt 1 ]; then
> -+cat <<EOF
> -+Usage: test_net_cred_change.sh CONFIGURATION
> -+EOF
> -+exit 1;
> -+fi
> -+
> -+incdir=`dirname $0`/../../../testprogs/blackbox
> -+. $incdir/subunit.sh
> -+testit "first change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
> -+testit "first join" $VALGRIND $BINDIR/net rpc testjoin $@ || failed =`expr $failed + 1`
> -+testit "second change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
> -+
> -+testok $0 $failed
> -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
> -index f9cc3d1..aac1bbb 100755
> ---- a/source3/selftest/tests.py
> -+++ b/source3/selftest/tests.py
> -@@ -165,6 +165,9 @@ for env in ["s3dc", "member", "s3member"]:
> -
> - plantestsuite("samba3.ntlm_auth.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_s3.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', configuration])
> -
> -+for env in ["member", "s3member"]:
> -+ plantestsuite("samba3.blackbox.net_cred_change.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_net_cred_change.sh"), configuration])
> -+
> - env = "s3member"
> - t = "--krb5auth=$DOMAIN\\\\$DC_USERNAME%$DC_PASSWORD"
> - plantestsuite("samba3.wbinfo_s3.(%s:local).%s" % (env, t), "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_wbinfo_s3.sh"), t])
> ---
> -1.9.3
> -
> -
> -From 4b97cece12602437f3a2c9a395f5ed62cc00c0c4 Mon Sep 17 00:00:00 2001
> -From: Garming Sam <garming@catalyst.net.nz>
> -Date: Mon, 23 Dec 2013 17:12:39 +1300
> -Subject: [PATCH 139/249] selftest: add rodc and other env tests for wbinfo
> -
> -Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
> -Signed-off-by: Garming Sam <garming@catalyst.net.nz>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -
> -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> -Autobuild-Date(master): Mon Dec 23 17:17:39 CET 2013 on sn-devel-104
> -(cherry picked from commit 819e1f561df5074ae21db77c6558b34f4b0e1351)
> ----
> - source4/selftest/tests.py | 4 ++--
> - 1 file changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
> -index e738d1d9..c3a33c7 100755
> ---- a/source4/selftest/tests.py
> -+++ b/source4/selftest/tests.py
> -@@ -309,8 +309,8 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
> - plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
> - plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
> - plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
> --plantestsuite("samba4.blackbox.wbinfo(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "dc"])
> --plantestsuite("samba4.blackbox.wbinfo(s4member:local)", "s4member:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', "s4member"])
> -+for env in ["dc", "s4member", "rodc", "promoted_dc"]:
> -+ plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
> - plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
> - plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
> - plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
> ---
> -1.9.3
> -
> -
> -From 689deff949e8ce9b6aa900e7b0c714d5a025d516 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 17 Dec 2013 19:35:37 +0100
> -Subject: [PATCH 140/249] libcli/auth: set the return_authenticator->timestamp
> - = 0
> -
> -This is what windows returns, the value is ignored by the client anyway.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 202bcf9096e53d94b294936d6144ae77f1536b72)
> ----
> - libcli/auth/credentials.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> -index 1f664d3..197db86 100644
> ---- a/libcli/auth/credentials.c
> -+++ b/libcli/auth/credentials.c
> -@@ -479,7 +479,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
> - netlogon_creds_step(creds);
> - if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
> - return_authenticator->cred = creds->server;
> -- return_authenticator->timestamp = creds->sequence;
> -+ return_authenticator->timestamp = 0;
> - return NT_STATUS_OK;
> - } else {
> - ZERO_STRUCTP(return_authenticator);
> ---
> -1.9.3
> -
> -
> -From fe8a979787c9528bb3b403272be3dc6a313bbebd Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 17 Dec 2013 19:40:15 +0100
> -Subject: [PATCH 141/249] libcli/auth: remove bogus comment regarding replay
> - attacks
> -
> -creds->sequence (timestamp) is the value that is used to increment the internal
> -state, it's not a real sequence number. The sequence comes
> -from adding all timestamps of the whole session.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 636daac3b7b08ccb8845dab060157918d296ef67)
> ----
> - libcli/auth/credentials.c | 2 --
> - 1 file changed, 2 deletions(-)
> -
> -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> -index 197db86..afb4a04 100644
> ---- a/libcli/auth/credentials.c
> -+++ b/libcli/auth/credentials.c
> -@@ -473,8 +473,6 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
> - return NT_STATUS_ACCESS_DENIED;
> - }
> -
> -- /* TODO: this may allow the a replay attack on a non-signed
> -- connection. Should we check that this is increasing? */
> - creds->sequence = received_authenticator->timestamp;
> - netlogon_creds_step(creds);
> - if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
> ---
> -1.9.3
> -
> -
> -From 1f6a52bb1f756be05e28dc9e16725ac73b005d00 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 17 Dec 2013 19:55:12 +0100
> -Subject: [PATCH 142/249] libcli/auth: try to use the current timestamp
> - creds->sequence
> -
> -If the last usage of netlogon_creds_client_authenticator()
> -is in the past try to use the current timestamp and increment
> -more than just 2.
> -
> -If we use netlogon_creds_client_authenticator() a lot within a
> -second, we increment keep incrementing by 2.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -
> -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> -Autobuild-Date(master): Tue Dec 24 13:18:18 CET 2013 on sn-devel-104
> -(cherry picked from commit e6afeae69537f55ed187b28b60ad29b9e237ec6e)
> ----
> - libcli/auth/credentials.c | 22 ++++++++++++++++++++++
> - 1 file changed, 22 insertions(+)
> -
> -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> -index afb4a04..f52538a 100644
> ---- a/libcli/auth/credentials.c
> -+++ b/libcli/auth/credentials.c
> -@@ -344,7 +344,29 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA
> - void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
> - struct netr_Authenticator *next)
> - {
> -+ uint32_t t32n = (uint32_t)time(NULL);
> -+
> -+ /*
> -+ * we always increment and ignore an overflow here
> -+ */
> - creds->sequence += 2;
> -+
> -+ if (t32n > creds->sequence) {
> -+ /*
> -+ * we may increment more
> -+ */
> -+ creds->sequence = t32n;
> -+ } else {
> -+ uint32_t d = creds->sequence - t32n;
> -+
> -+ if (d >= INT32_MAX) {
> -+ /*
> -+ * got an overflow of time_t vs. uint32_t
> -+ */
> -+ creds->sequence = t32n;
> -+ }
> -+ }
> -+
> - netlogon_creds_step(creds);
> -
> - next->cred = creds->client;
> ---
> -1.9.3
> -
> -
> -From 1cc32f5bf176a6daba93603a5b9aa4fc4fe42479 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 3 Jan 2014 12:56:38 +0100
> -Subject: [PATCH 143/249] s4:selftest: run wbinfo tests at the end...
> -
> -This avoids flakey crashes in the promoted_dc environment.
> -
> -See the examples below, we had up to 50% of the daily build failing...
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -
> -https://git.samba.org/autobuild.flakey/2013-12-23-1942/samba.stdout
> -
> - [1586/1594 in 1h39m20s] samba4.drs.fsmo.python(promoted_dc)
> - Testing for schema role transfer from localdc.samba.example.com to PROMOTEDVDC.samba.example.com
> - FSMO transfer of 'schema' role successful
> - Testing for schema role transfer from PROMOTEDVDC.samba.example.com to localdc.samba.example.com
> - ERROR: Failed to initiate transfer of 'schema' role: LDAP error 52 LDAP_UNAVAILABLE - <Failed FSMO transfer: WERR_DS_DRA_INTERNAL_ERROR> <>
> - UNEXPECTED(failure): samba4.drs.fsmo.python(promoted_dc).fsmo.DrsFsmoTestCase.test_SchemaMasterTransfer(promoted_dc)
> - REASON: _StringException: _StringException: Content-Type: text/x-traceback;charset=utf8,language=python
> - traceback
> - 380
> -
> -https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stdout
> -
> - [1583/1594 in 1h36m4s] samba.tests.blackbox.samba_tool_drs
> - ERROR: Testsuite[samba.tests.blackbox.samba_tool_drs]
> - REASON: unable to set up environment promoted_dc - exiting
> -
> -https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stderr
> -
> - Unable to convert 1.2.840.86419.1.5.9939 to an attid, and can_change_pfm=false!
> - Unable to convert governsID on CN=test-class30318,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com to DRS object - WERR_NOT_FOUND
> - ../source4/rpc_server/drsuapi/getncchanges.c:1646: DsGetNCChanges 2nd replication on different DN CN=Configuration,DC=samba,DC=example,DC=com CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com (last_dn CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com)
> - ===============================================================
> - INTERNAL ERROR: Signal 11 in pid 884274 (4.2.0pre1-DEVELOPERBUILD)
> - Please read the Trouble-Shooting section of the Samba HOWTO
> - ===============================================================
> - smb_panic(): calling panic action [/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274]
> - [Thread debugging using libthread_db enabled]
> - 0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
> - stat_loc=0x7fff67c7709c, options=<value optimized out>)
> - at ../sysdeps/unix/sysv/linux/waitpid.c:32
> - 32 ../sysdeps/unix/sysv/linux/waitpid.c: No such file or directory.
> - in ../sysdeps/unix/sysv/linux/waitpid.c
> - #0 0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
> - stat_loc=0x7fff67c7709c, options=<value optimized out>)
> - at ../sysdeps/unix/sysv/linux/waitpid.c:32
> - oldtype = <value optimized out>
> - result = <value optimized out>
> - #1 0x00002af6b5baeb39 in do_system (line=<value optimized out>)
> - at ../sysdeps/posix/system.c:149
> - __result = -512
> - _buffer = {__routine = 0x2af6b5baee90 <cancel_handler>,
> - __arg = 0x7fff67c77098, __canceltype = 0, __prev = 0x0}
> - _avail = 1
> - status = <value optimized out>
> - save = <value optimized out>
> - pid = 886733
> - sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1},
> - sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0,
> - sa_restorer = 0x2af6b5b730f0}
> - omask = {__val = {7808, 4294967295, 140734934511616, 1, 2195512, 0,
> - 0, 0, 47239032274944, 47239027992529, 140733193388033, 0, 0,
> - 47239099003120, 140734934511792, 47239558787328}}
> - #2 0x00002af6b311821f in smb_panic_default (
> - why=0x2af6b312a875 "internal error") at ../lib/util/fault.c:134
> - result = 32767
> - pidstr = "884274\000\000\001\375\376\320\366*\000\000\260\377\377\377"
> - cmdstring = "/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274\000\307g\377\177\000\000\001\000\000\000\000\000\000\000\320\301#", '\000' <repeats 30 times>"\240, \017\263\366*\000\000\321\247{\261\366*\000\000\001\000\000\000\005", '\000' <repeats 11 times>"\260, \016\v\321\366*\000\000X\351\017\263\366*\000\000\260q\307g\377\177\000\000\000\361\036\321\366*\000\000\020r\307g\377\177\000\000\240\301z\326\366*\000\000\000Z\304\320\366*\000"
> - __FUNCTION__ = "smb_panic_default"
> - #3 0x00002af6b31183b5 in smb_panic (why=0x2af6b312a875 "internal error")
> - at ../lib/util/fault.c:162
> - No locals.
> - #4 0x00002af6b311809f in fault_report (sig=11) at ../lib/util/fault.c:77
> - counter = 1
> - __FUNCTION__ = "fault_report"
> - #5 0x00002af6b31180b4 in sig_fault (sig=11) at ../lib/util/fault.c:88
> - No locals.
> - #6 <signal handler called>
> - No symbol table info available.
> - #7 0x00002af6cabef930 in replmd_check_urgent_objectclass (
> - objectclass_el=0x0, situation=REPL_URGENT_ON_UPDATE)
> - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:205
> - i = 2
> - j = 0
> - #8 0x00002af6cabf29b6 in replmd_update_rpmd (module=0x2af6b17f2c20,
> - schema=0x2af6d05e5570, req=0x2af6d05e8ad0, rename_attrs=0x0,
> - msg=0x2af6d11ef100, seq_num=0x2af6d0c315b8, t=1387895162,
> - is_urgent=0x7fff67c778bf, rodc=0x7fff67c778be)
> - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1432
> - omd_value = 0x7fff67c77810
> - ndr_err = 3508465920
> - omd = {version = 1741125552, reserved = 32767, ctr = {ctr1 = {
> - count = 3008684740, reserved = 10998, array = 0x7fff67c777b0}}}
> - i = 10998
> - now = 130323687620000000
> - our_invocation_id = 0x2af6d1796390
> - ret = 0
> - attrs = 0x7fff67c77750
> - attrs1 = {0x2af6cabff775 "replPropertyMetaData", 0x2af6cabffc8b "*",
> - 0x0}
> - attrs2 = {0x2af6cabff76a "uSNChanged", 0x2af6cabffa98 "objectClass",
> - 0x2af6cabffc8d "instanceType", 0x0}
> - res = 0x2af6d10b0eb0
> - ldb = 0x2af6b17f2470
> - objectclass_el = 0x0
> - situation = REPL_URGENT_ON_UPDATE
> - rmd_is_provided = false
> - __FUNCTION__ = "replmd_update_rpmd"
> - #9 0x00002af6cabf5a06 in replmd_modify (module=0x2af6b17f2c20,
> - req=0x2af6d05e8ad0)
> - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:2455
> - msds_intid_struct = 0x2af6d05e8ad0
> - ldb = 0x2af6b17f2470
> - ac = 0x2af6d0c31580
> - down_req = 0x2af6d0e6a100
> - msg = 0x2af6d11ef100
> - t = 1387895162
> - ret = 1741125936
> - is_urgent = false
> - rodc = false
> - functional_level = 3
> - guid_blob = 0x0
> - sd_propagation_control = 0x0
> - #10 0x00002af6bf69f94d in dsdb_module_modify (module=0x2af6b17f2c20,
> - message=0x2af6d1183fe0, dsdb_flags=4194304, parent=0x2af6ce6ea980)
> - at ../source4/dsdb/samdb/ldb_modules/util.c:460
> - ops = 0x2af6cae06b40
> - mod_req = 0x2af6d05e8ad0
> - ret = 0
> - ldb = 0x2af6b17f2470
> - tmp_ctx = 0x2af6d0ed62f0
> - res = 0x2af6d0e6a100
> - __FUNCTION__ = "dsdb_module_modify"
> - #11 0x00002af6cabf7ebc in replmd_delete_internals (module=0x2af6b17f2c20,
> - req=0x2af6ce6ea980, re_delete=true)
> - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3309
> - ret = 0
> - retb = true
> - disallow_move_on_delete = false
> - old_dn = 0x2af6d6a2a010
> - new_dn = 0x2af6d0794a90
> - rdn_name = 0x2af6d0885c10 "CN"
> - rdn_value = 0x2af6d10d7368
> - new_rdn_value = 0x2af6d0c45a00
> - guid = {time_low = 48, time_mid = 0, time_hi_and_version = 0,
> - clock_seq = "\200\251", node = "n\316\366*\000"}
> - ldb = 0x2af6b17f2470
> - schema = 0x2af6d05e5570
> - msg = 0x2af6d1183fe0
> - old_msg = 0x2af6d1902800
> - el = 0x2af6d0874900
> - tmp_ctx = 0x2af6d0b77560
> - res = 0x2af6d0d57980
> - parent_res = 0x30
> - preserved_attrs = {0x2af6cac00fe1 "nTSecurityDescriptor",
> - 0x2af6cac055c3 "attributeID", 0x2af6cac055cf "attributeSyntax",
> - 0x2af6cac055df "dNReferenceUpdate", 0x2af6cac055f1 "dNSHostName",
> - 0x2af6cac055fd "flatName", 0x2af6cac05606 "governsID",
> - 0x2af6cac05610 "groupType", 0x2af6cabffc8d "instanceType",
> - 0x2af6cac0561a "lDAPDisplayName",
> - 0x2af6cac0562a "legacyExchangeDN", 0x2af6cabfe94d "isDeleted",
> - 0x2af6cabfe957 "isRecycled", 0x2af6cac020f8 "lastKnownParent",
> - 0x2af6cac021e8 "msDS-LastKnownRDN",
> - 0x2af6cac0563b "mS-DS-CreatorSID", 0x2af6cac0564c "mSMQOwnerID",
> - 0x2af6cac05658 "nCName", 0x2af6cabffa98 "objectClass",
> - 0x2af6cac0565f "distinguishedName", 0x2af6cabff5b5 "objectGUID",
> - 0x2af6cac05671 "objectSid", 0x2af6cac0567b "oMSyntax",
> - 0x2af6cac05684 "proxiedObjectName", 0x2af6cac014d8 "name",
> - 0x2af6cabff775 "replPropertyMetaData",
> - 0x2af6cac05696 "sAMAccountName",
> - 0x2af6cac056a5 "securityIdentifier", 0x2af6cac056b8 "sIDHistory",
> - 0x2af6cac056c3 "subClassOf", 0x2af6cac01ba8 "systemFlags",
> - 0x2af6cac056ce "trustPartner", 0x2af6cac056db "trustDirection",
> - 0x2af6cac056ea "trustType", 0x2af6cac056f4 "trustAttributes",
> - 0x2af6cabfe9b8 "userAccountControl", 0x2af6cabff76a "uSNChanged",
> - 0x2af6cabff75f "uSNCreated", 0x2af6cabff747 "whenCreated",
> - 0x2af6cabff753 "whenChanged", 0x0}
> - i = 12
> - el_count = 1
> - deletion_state = OBJECT_TOMBSTONE
> - next_deletion_state = OBJECT_TOMBSTONE
> - __FUNCTION__ = "replmd_delete_internals"
> - #12 0x00002af6cabfbbe3 in replmd_replicated_apply_isDeleted (
> - ar=0x2af6d74c0b40)
> - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4718
> - del_req = 0x2af6ce6ea980
> - res = 0x2af6d0cdebf0
> - tmp_ctx = 0x2af6d0949230
> - deleted_objects_dn = 0x2af6d1a49f00
> - msg = 0x2af6d0a39620
> - ret = 0
> - #13 0x00002af6cabf0766 in replmd_op_callback (req=0x2af6d05a21e0,
> - ares=0x2af6d0d715c0)
> - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:526
> - ret = 10998
> - ac = 0x2af6d74c0b40
> - replmd_private = 0x2af6b188c7c0
> - modified_partition = 0x2af6d141b670
> - partition_ctrl = 0x2af6d1905f40
> - partition = 0x2af6ce6bdbe0
> - controls = 0x0
> - __FUNCTION__ = "replmd_op_callback"
> - #14 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
> - ctrls=0x2af6d1629aa0, response=0x0, error=0)
> - at ../lib/ldb/common/ldb_modules.c:832
> - ares = 0x2af6d0d715c0
> - #15 0x00002af6cabf896b in replmd_op_possible_conflict_callback (
> - req=0x2af6d05a21e0, ares=0x2af6b1883eb0,
> - callback=0x2af6cabf0334 <replmd_op_callback>)
> - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3606
> - conflict_dn = 0x2af6cac03470
> - ar = 0x2af6d74c0b40
> - res = 0x2af6b354f89b
> - attrs = {0x2af6cabff775 "replPropertyMetaData",
> - 0x2af6cabff5b5 "objectGUID", 0x0}
> - ret = -682882240
> - omd_value = 0x7fff67c77e20
> - omd = {version = 1741127104, reserved = 32767, ctr = {ctr1 = {
> - count = 0, reserved = 0, array = 0x28}}}
> - rmd = 0x2af6d74c0ae0
> - ndr_err = 10998
> - rename_incoming_record = false
> - rodc = false
> - rmd_name = 0x7fff67c77e10
> - omd_name = 0x2af6d74c0b40
> - msg = 0x2af6b1883e50
> - __FUNCTION__ = "replmd_op_possible_conflict_callback"
> - #16 0x00002af6cabf93fb in replmd_op_add_callback (req=0x2af6d05a21e0,
> - ares=0x2af6b1883eb0)
> - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3802
> - ar = 0x2af6d74c0b40
> - #17 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
> - ctrls=0x2af6d1629aa0, response=0x0, error=0)
> - at ../lib/ldb/common/ldb_modules.c:832
> - ares = 0x2af6b1883eb0
> - #18 0x00002af6ca3c8b6a in partition_req_callback (req=0x2af6d087a1e0,
> - ares=0x2af6d05a1fa0) at ../source4/dsdb/samdb/ldb_modules/partition.c:213
> - ac = 0x2af6d0949370
> - module = 0x2af6cd27bf12
> - nreq = 0x2af6d05b67b0
> - ret = 0
> - partition_ctrl = 0x2af6d0d71740
> - #19 0x00002af6cd2752ab in ltdb_request_done (ctx=0x2af6d1cd7ed0, error=0)
> - at ../lib/ldb/ldb_tdb/ldb_tdb.c:1280
> - ldb = 0x2af6b17f2470
> - req = 0x2af6d087a1e0
> - ares = 0x2af6d05a1fa0
> - #20 0x00002af6cd275597 in ltdb_callback (ev=0x2af6b17ef8c0,
> - te=0x2af6d17f75d0, t=..., private_data=0x2af6d1cd7ed0)
> - at ../lib/ldb/ldb_tdb/ldb_tdb.c:1390
> - ctx = 0x2af6d1cd7ed0
> - ret = 0
> - #21 0x00002af6b3343259 in tevent_common_loop_timer_delay (ev=0x2af6b17ef8c0)
> - at ../lib/tevent/tevent_timed.c:341
> - current_time = {tv_sec = 0, tv_usec = 0}
> - te = 0x2af6d17f75d0
> - #22 0x00002af6b334558a in epoll_event_loop_once (ev=0x2af6b17ef8c0,
> - location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
> - at ../lib/tevent/tevent_epoll.c:912
> - epoll_ev = 0x2af6b17efb00
> - tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
> - panic_triggered = false
> - #23 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
> - location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
> - at ../lib/tevent/tevent_standard.c:112
> - glue_ptr = 0x2af6b17ef9b0
> - glue = 0x2af6b17ef9b0
> - ret = 10998
> - #24 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
> - location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
> - at ../lib/tevent/tevent.c:530
> - ret = 0
> - nesting_stack_ptr = 0x0
> - #25 0x00002af6b1e154c4 in ldb_wait (handle=0x2af6d67624c0, type=LDB_WAIT_ALL)
> - at ../lib/ldb/common/ldb.c:621
> - ev = 0x2af6b17ef8c0
> - ret = 0
> - #26 0x00002af6b1e1786b in ldb_extended (ldb=0x2af6b17f2470,
> - oid=0x2af6b4c4f9ce "1.3.6.1.4.1.7165.4.4.1", data=0x2af6d0e2bc60,
> - _res=0x7fff67c78240) at ../lib/ldb/common/ldb.c:1506
> - req = 0x2af6d0c45a00
> - ret = 0
> - res = 0x2af6d69238f0
> - #27 0x00002af6b4c4a0d6 in dsdb_replicated_objects_commit (ldb=0x2af6b17f2470,
> - working_schema=0x0, objects=0x2af6d0e2bc60, notify_uSN=0x2af6d14a65f0)
> - at ../source4/dsdb/repl/replicated_objects.c:773
> - werr = {w = 0}
> - ext_res = 0x0
> - cur_schema = 0x0
> - new_schema = 0x0
> - ret = 0
> - seq_num1 = 5554
> - seq_num2 = 47239626746464
> - used_global_schema = false
> - tmp_ctx = 0x2af6d03c5860
> - __FUNCTION__ = "dsdb_replicated_objects_commit"
> - #28 0x00002af6c1c6babb in dreplsrv_op_pull_source_apply_changes_trigger (
> - req=0x2af6d17daed0, r=0x2af6d17db0d0, ctr_level=6, ctr1=0x0,
> - ctr6=0x2af6d1b02bb0) at ../source4/dsdb/repl/drepl_out_helpers.c:717
> - state = 0x2af6d17db050
> - rf1 = {blobsize = 274, consecutive_sync_failures = 0,
> - last_success = 130323684670000000,
> - last_attempt = 130323687610000000, result_last_attempt = {w = 0},
> - other_info = 0x2af6d0949910, other_info_length = 66,
> - replica_flags = 112, schedule = '\021' <repeats 84 times>,
> - reserved = 0, highwatermark = {tmp_highest_usn = 12398,
> - reserved_usn = 0, highest_usn = 12398}, source_dsa_obj_guid = {
> - time_low = 984092159, time_mid = 850,
> - time_hi_and_version = 18870, clock_seq = "\251X",
> - node = "UF\324\223\205\241"}, source_dsa_invocation_id = {
> - time_low = 1460694408, time_mid = 52035,
> - time_hi_and_version = 18738, clock_seq = "\204}",
> - node = "\264\365\276\372\256\303"}, transport_guid = {
> - time_low = 0, time_mid = 0, time_hi_and_version = 0,
> - clock_seq = "\000", node = "\000\000\000\000\000"}}
> - service = 0x2af6d0ff6b00
> - partition = 0x2af6d0b6f220
> - drsuapi = 0x2af6d1c8d480
> - schema = 0x2af6d05e5570
> - working_schema = 0x0
> - mapping_ctr = 0x2af6d1b02c10
> - object_count = 50
> - first_object = 0x2af6d0571800
> - linked_attributes_count = 0
> - linked_attributes = 0x2af6d5212140
> - uptodateness_vector = 0x2af6d1a741c0
> - objects = 0x2af6d0e2bc60
> - more_data = false
> - status = {w = 0}
> - nt_status = {v = 3006553120}
> - dsdb_repl_flags = 0
> - __FUNCTION__ = "dreplsrv_op_pull_source_apply_changes_trigger"
> - #29 0x00002af6c1c6b3e7 in dreplsrv_op_pull_source_get_changes_done (
> - subreq=0x0) at ../source4/dsdb/repl/drepl_out_helpers.c:599
> - req = 0x2af6d17daed0
> - state = 0x2af6d17db050
> - status = {v = 0}
> - r = 0x2af6d17db0d0
> - ctr_level = 6
> - ctr1 = 0x0
> - ctr6 = 0x2af6d1b02bb0
> - extended_ret = DRSUAPI_EXOP_ERR_NONE
> - #30 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d1a73f70,
> - location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
> - at ../lib/tevent/tevent_req.c:102
> - No locals.
> - #31 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d1a73f70,
> - state=TEVENT_REQ_DONE,
> - location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
> - at ../lib/tevent/tevent_req.c:117
> - No locals.
> - #32 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d1a73f70,
> - location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
> - at ../lib/tevent/tevent_req.c:123
> - No locals.
> - #33 0x00002af6c1c708df in dcerpc_drsuapi_DsGetNCChanges_r_done (
> - subreq=0x2af6d122f4c0) at default/librpc/gen_ndr/ndr_drsuapi_c.c:712
> - req = 0x2af6d1a73f70
> - status = {v = 0}
> - #34 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d122f4c0,
> - location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
> - at ../lib/tevent/tevent_req.c:102
> - No locals.
> - #35 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d122f4c0,
> - state=TEVENT_REQ_DONE,
> - location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
> - at ../lib/tevent/tevent_req.c:117
> - No locals.
> - #36 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d122f4c0,
> - location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
> - at ../lib/tevent/tevent_req.c:123
> - No locals.
> - #37 0x00002af6b5757ede in dcerpc_binding_handle_call_done (subreq=0x0)
> - at ../librpc/rpc/binding_handle.c:517
> - req = 0x2af6d122f4c0
> - state = 0x2af6d122f640
> - h = 0x2af6d0959d10
> - error = {v = 0}
> - out_flags = 0
> - ndr_err = NDR_ERR_SUCCESS
> - #38 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d522f7a0,
> - location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
> - at ../lib/tevent/tevent_req.c:102
> - No locals.
> - #39 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d522f7a0,
> - state=TEVENT_REQ_DONE,
> - location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
> - at ../lib/tevent/tevent_req.c:117
> - No locals.
> - #40 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d522f7a0,
> - location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
> - at ../lib/tevent/tevent_req.c:123
> - No locals.
> - #41 0x00002af6b5757398 in dcerpc_binding_handle_raw_call_done (subreq=0x0)
> - at ../librpc/rpc/binding_handle.c:188
> - req = 0x2af6d522f7a0
> - state = 0x2af6d522f920
> - error = {v = 0}
> - #42 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d0712430,
> - location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
> - at ../lib/tevent/tevent_req.c:102
> - No locals.
> - #43 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d0712430,
> - state=TEVENT_REQ_DONE,
> - location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
> - at ../lib/tevent/tevent_req.c:117
> - No locals.
> - #44 0x00002af6b333e472 in tevent_req_trigger (ev=0x2af6b17ef8c0,
> - im=0x2af6d0712500, private_data=0x2af6d0712430)
> - at ../lib/tevent/tevent_req.c:174
> - req = 0x2af6d0712430
> - #45 0x00002af6b333d6d4 in tevent_common_loop_immediate (ev=0x2af6b17ef8c0)
> - at ../lib/tevent/tevent_immediate.c:135
> - im = 0x2af6d0712500
> - handler = 0x2af6b333e423 <tevent_req_trigger>
> - private_data = 0x2af6d0712430
> - #46 0x00002af6b3345570 in epoll_event_loop_once (ev=0x2af6b17ef8c0,
> - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> - at ../lib/tevent/tevent_epoll.c:907
> - epoll_ev = 0x2af6b17efb00
> - tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
> - panic_triggered = false
> - #47 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
> - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> - at ../lib/tevent/tevent_standard.c:112
> - glue_ptr = 0x2af6b17ef9b0
> - glue = 0x2af6b17ef9b0
> - ret = 10998
> - #48 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
> - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> - at ../lib/tevent/tevent.c:530
> - ret = 0
> - nesting_stack_ptr = 0x0
> - #49 0x00002af6b333ca11 in tevent_common_loop_wait (ev=0x2af6b17ef8c0,
> - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> - at ../lib/tevent/tevent.c:634
> - ret = 0
> - #50 0x00002af6b3342405 in std_event_loop_wait (ev=0x2af6b17ef8c0,
> - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> - at ../lib/tevent/tevent_standard.c:138
> - glue_ptr = 0x2af6b17ef9b0
> - glue = 0x2af6b17ef9b0
> - ret = 10998
> - #51 0x00002af6b333cadc in _tevent_loop_wait (ev=0x2af6b17ef8c0,
> - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> - at ../lib/tevent/tevent.c:653
> - No locals.
> - #52 0x00002af6b15a37bc in binary_smbd_main (
> - binary_name=0x2af6b15a737b "samba", argc=6, argv=0x7fff67c78de8)
> - at ../source4/smbd/server.c:503
> - opt_daemon = false
> - opt_interactive = true
> - opt = -1
> - pc = 0x2af6b17d5040
> - static_init = {0x2af6b2ac7d8c <server_service_auth_init>,
> - 0x2af6b2aca9e7 <server_service_echo_init>, 0}
> - shared_init = 0x2af6b18143b0
> - event_ctx = 0x2af6b17ef8c0
> - stdin_event_flags = 1
> - status = {v = 0}
> - model = 0x2af6b17d5b90 "single"
> - max_runtime = 7500
> -
> -Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
> -Autobuild-Date(master): Mon Jan 6 01:16:13 CET 2014 on sn-devel-104
> -(cherry picked from commit 056008df62cb66090b3e30cb09c0edacfbdb5720)
> ----
> - source4/selftest/tests.py | 6 ++++--
> - 1 file changed, 4 insertions(+), 2 deletions(-)
> -
> -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
> -index c3a33c7..9567a8e 100755
> ---- a/source4/selftest/tests.py
> -+++ b/source4/selftest/tests.py
> -@@ -309,8 +309,6 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
> - plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
> - plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
> - plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
> --for env in ["dc", "s4member", "rodc", "promoted_dc"]:
> -- plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
> - plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
> - plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
> - plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
> -@@ -502,6 +500,10 @@ for env in ['vampire_dc', 'promoted_dc']:
> - extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
> -
> - plantestsuite("samba4.blackbox.samba_tool_demote(%s)" % env, env, [os.path.join(samba4srcdir, "utils/tests/test_demote.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$DOMAIN', '$DC_SERVER', '$PREFIX/%s' % env, smbclient4])
> -+
> -+for env in ["dc", "s4member", "rodc", "promoted_dc"]:
> -+ plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
> -+
> - # TODO: Verifying the databases really should be a part of the
> - # environment teardown.
> - # check the databases are all OK. PLEASE LEAVE THIS AS THE LAST TEST
> ---
> -1.9.3
> -
> -
> -From 3e44e7485dbfea37cb84034c4d13c96059bd9687 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 3 Jan 2014 08:35:27 +0100
> -Subject: [PATCH 144/249] s4:librpc: always try to negotiate
> - DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
> -
> -If the gensec backend supports it there's no reason not sign the header.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 7db1dc13b0149441a2beebca65b75f6e11af13a3)
> ----
> - librpc/rpc/binding.c | 1 -
> - librpc/rpc/rpc_common.h | 5 ++++-
> - source4/librpc/rpc/dcerpc.c | 12 ++----------
> - source4/librpc/rpc/dcerpc_auth.c | 14 ++++++++++----
> - 4 files changed, 16 insertions(+), 16 deletions(-)
> -
> -diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c
> -index 49651e8..52122cf 100644
> ---- a/librpc/rpc/binding.c
> -+++ b/librpc/rpc/binding.c
> -@@ -88,7 +88,6 @@ static const struct {
> - {"padcheck", DCERPC_DEBUG_PAD_CHECK},
> - {"bigendian", DCERPC_PUSH_BIGENDIAN},
> - {"smb2", DCERPC_SMB2},
> -- {"hdrsign", DCERPC_HEADER_SIGNING},
> - {"ndr64", DCERPC_NDR64},
> - {"localaddress", DCERPC_LOCALADDRESS}
> - };
> -diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
> -index 978229e..93d3bb4 100644
> ---- a/librpc/rpc/rpc_common.h
> -+++ b/librpc/rpc/rpc_common.h
> -@@ -98,7 +98,7 @@ struct dcerpc_binding {
> - /* this triggers the DCERPC_PFC_FLAG_CONC_MPX flag in the bind request */
> - #define DCERPC_CONCURRENT_MULTIPLEX (1<<19)
> -
> --/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
> -+/* this indicates DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag was negotiated */
> - #define DCERPC_HEADER_SIGNING (1<<20)
> -
> - /* use NDR64 transport */
> -@@ -113,6 +113,9 @@ struct dcerpc_binding {
> - /* use aes schannel with hmac-sh256 session key */
> - #define DCERPC_SCHANNEL_AES (1<<24)
> -
> -+/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
> -+#define DCERPC_PROPOSE_HEADER_SIGNING (1<<25)
> -+
> - /* The following definitions come from ../librpc/rpc/dcerpc_error.c */
> -
> - const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
> -diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
> -index 56b821e..2f6c8dd 100644
> ---- a/source4/librpc/rpc/dcerpc.c
> -+++ b/source4/librpc/rpc/dcerpc.c
> -@@ -1162,7 +1162,7 @@ struct tevent_req *dcerpc_bind_send(TALLOC_CTX *mem_ctx,
> - pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
> - }
> -
> -- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
> -+ if (p->conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) {
> - pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> - }
> -
> -@@ -1304,7 +1304,7 @@ static void dcerpc_bind_recv_handler(struct rpc_request *subreq,
> - conn->flags |= DCERPC_CONCURRENT_MULTIPLEX;
> - }
> -
> -- if ((state->p->binding->flags & DCERPC_HEADER_SIGNING) &&
> -+ if ((conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) &&
> - (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
> - conn->flags |= DCERPC_HEADER_SIGNING;
> - }
> -@@ -1352,10 +1352,6 @@ NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
> - pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
> - }
> -
> -- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
> -- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> -- }
> --
> - /* construct the NDR form of the packet */
> - status = ncacn_push_auth(&blob, mem_ctx,
> - &pkt,
> -@@ -2046,10 +2042,6 @@ struct tevent_req *dcerpc_alter_context_send(TALLOC_CTX *mem_ctx,
> - pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
> - }
> -
> -- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
> -- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> -- }
> --
> - pkt.u.alter.max_xmit_frag = 5840;
> - pkt.u.alter.max_recv_frag = 5840;
> - pkt.u.alter.assoc_group_id = p->binding->assoc_group_id;
> -diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
> -index d5e5620..9a5d04d 100644
> ---- a/source4/librpc/rpc/dcerpc_auth.c
> -+++ b/source4/librpc/rpc/dcerpc_auth.c
> -@@ -173,10 +173,6 @@ static void bind_auth_next_step(struct composite_context *c)
> -
> - if (!composite_is_ok(c)) return;
> -
> -- if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
> -- gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
> -- }
> --
> - if (state->credentials.length == 0) {
> - composite_done(c);
> - return;
> -@@ -234,6 +230,12 @@ static void bind_auth_recv_bindreply(struct tevent_req *subreq)
> - TALLOC_FREE(subreq);
> - if (!composite_is_ok(c)) return;
> -
> -+ if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
> -+ struct dcecli_security *sec = &state->pipe->conn->security_state;
> -+
> -+ gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
> -+ }
> -+
> - if (!state->more_processing) {
> - /* The first gensec_update has not requested a second run, so
> - * we're done here. */
> -@@ -395,6 +397,10 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
> -
> - sec->auth_info->credentials = state->credentials;
> -
> -+ if (gensec_have_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
> -+ state->pipe->conn->flags |= DCERPC_PROPOSE_HEADER_SIGNING;
> -+ }
> -+
> - /* The first request always is a dcerpc_bind. The subsequent ones
> - * depend on gensec results */
> - subreq = dcerpc_bind_send(state, p->conn->event_ctx, p,
> ---
> -1.9.3
> -
> -
> -From 6bdc135a63647fbbc31c7b2e673396231541641d Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 3 Jan 2014 08:39:12 +0100
> -Subject: [PATCH 145/249] s4:rpc_server: support
> - DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN by default
> -
> -If the gensec backend supports it there's no reason to disable it.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 661fe3cf890b91f8750872b0f5a09da536f76ae2)
> ----
> - source4/rpc_server/dcerpc_server.c | 6 ------
> - source4/rpc_server/dcesrv_auth.c | 37 ++++++++++++++++++++++++++++++++-----
> - 2 files changed, 32 insertions(+), 11 deletions(-)
> -
> -diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
> -index ad53685..3b35703 100644
> ---- a/source4/rpc_server/dcerpc_server.c
> -+++ b/source4/rpc_server/dcerpc_server.c
> -@@ -610,12 +610,6 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
> - call->conn->cli_max_recv_frag = MIN(0x2000, call->pkt.u.bind.max_recv_frag);
> - }
> -
> -- if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) &&
> -- lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", false)) {
> -- call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
> -- extra_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> -- }
> --
> - /* handle any authentication that is being requested */
> - if (!dcesrv_auth_bind(call)) {
> - talloc_free(call->context);
> -diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
> -index c891cc6..152715b 100644
> ---- a/source4/rpc_server/dcesrv_auth.c
> -+++ b/source4/rpc_server/dcesrv_auth.c
> -@@ -92,10 +92,6 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
> - return false;
> - }
> -
> -- if (call->conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
> -- gensec_want_feature(auth->gensec_security, GENSEC_FEATURE_SIGN_PKT_HEADER);
> -- }
> --
> - return true;
> - }
> -
> -@@ -107,11 +103,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
> - {
> - struct dcesrv_connection *dce_conn = call->conn;
> - NTSTATUS status;
> -+ bool want_header_signing = false;
> -
> - if (!call->conn->auth_state.gensec_security) {
> - return NT_STATUS_OK;
> - }
> -
> -+ if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
> -+ want_header_signing = true;
> -+ }
> -+
> -+ if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
> -+ want_header_signing = false;
> -+ }
> -+
> - status = gensec_update(dce_conn->auth_state.gensec_security,
> - call, call->event_ctx,
> - dce_conn->auth_state.auth_info->credentials,
> -@@ -126,9 +131,17 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
> - return status;
> - }
> -
> -- if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
> -+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
> -+ GENSEC_FEATURE_SIGN_PKT_HEADER))
> -+ {
> -+ want_header_signing = false;
> -+ }
> -+
> -+ if (want_header_signing) {
> - gensec_want_feature(dce_conn->auth_state.gensec_security,
> - GENSEC_FEATURE_SIGN_PKT_HEADER);
> -+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
> -+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> - }
> -
> - /* Now that we are authenticated, go back to the generic session key... */
> -@@ -137,6 +150,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
> - } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
> - dce_conn->auth_state.auth_info->auth_pad_length = 0;
> - dce_conn->auth_state.auth_info->auth_reserved = 0;
> -+
> -+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
> -+ GENSEC_FEATURE_SIGN_PKT_HEADER))
> -+ {
> -+ want_header_signing = false;
> -+ }
> -+
> -+ if (want_header_signing) {
> -+ gensec_want_feature(dce_conn->auth_state.gensec_security,
> -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> -+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
> -+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> -+ }
> -+
> - return NT_STATUS_OK;
> - } else {
> - DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
> ---
> -1.9.3
> -
> -
> -From 868676160bb3bcfb4145a5c4b47fbb513c0bfac4 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 31 Dec 2013 09:53:55 +0100
> -Subject: [PATCH 146/249] auth/ntlmssp: GENSEC_FEATURE_SIGN_PKT_HEADER is
> - always supported
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 64fc015a85f9b5ed74f3dabe05dbdff185093278)
> ----
> - auth/ntlmssp/gensec_ntlmssp.c | 4 ++++
> - 1 file changed, 4 insertions(+)
> -
> -diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
> -index 654c0e3..5672589 100644
> ---- a/auth/ntlmssp/gensec_ntlmssp.c
> -+++ b/auth/ntlmssp/gensec_ntlmssp.c
> -@@ -102,6 +102,10 @@ bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
> - return true;
> - }
> - }
> -+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> -+ return true;
> -+ }
> -+
> - return false;
> - }
> -
> ---
> -1.9.3
> -
> -
> -From e486316c74d3781413e66e451b51737fc194bdc2 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 31 Dec 2013 09:54:54 +0100
> -Subject: [PATCH 147/249] s4:auth/gensec_gssapi: handle
> - GENSEC_FEATURE_SIGN_PKT_HEADER in have_feature()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 14f6c41754960d73f46aca1bade2266b7e934d03)
> ----
> - source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
> - 1 file changed, 12 insertions(+)
> -
> -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
> -index 63a53bf..ffdefcf 100644
> ---- a/source4/auth/gensec/gensec_gssapi.c
> -+++ b/source4/auth/gensec/gensec_gssapi.c
> -@@ -1275,6 +1275,18 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
> - if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
> - return true;
> - }
> -+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> -+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
> -+ /* TODO: implement this using gss_wrap_iov() */
> -+ return false;
> -+ }
> -+
> -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
> -+ return true;
> -+ }
> -+
> -+ return false;
> -+ }
> - return false;
> - }
> -
> ---
> -1.9.3
> -
> -
> -From fa8d0a7726240f8fc6648424d9724bcd65949bfd Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 3 Jan 2014 15:30:46 +0100
> -Subject: [PATCH 148/249] s4:gensec_gssapi: make sure
> - gensec_gssapi_[un]seal_packet() rejects header signing
> -
> -If header signing is requested we should error out instead of
> -silently ignoring it, our peer would hopefully reject it,
> -but we should also do that.
> -
> -TODO: we should implement header signing using gss_wrap_iov().
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 54b5b3067f5b7a0eb6dd9f1326c903f9fe4a5592)
> ----
> - source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
> - 1 file changed, 12 insertions(+)
> -
> -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
> -index ffdefcf..b8f007d 100644
> ---- a/source4/auth/gensec/gensec_gssapi.c
> -+++ b/source4/auth/gensec/gensec_gssapi.c
> -@@ -1028,6 +1028,12 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
> - int conf_state;
> - ssize_t sig_length;
> -
> -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> -+ DEBUG(1, ("gensec_gssapi_seal_packet: "
> -+ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
> -+ return NT_STATUS_ACCESS_DENIED;
> -+ }
> -+
> - input_token.length = length;
> - input_token.value = data;
> -
> -@@ -1082,6 +1088,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
> -
> - dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
> -
> -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> -+ DEBUG(1, ("gensec_gssapi_unseal_packet: "
> -+ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
> -+ return NT_STATUS_ACCESS_DENIED;
> -+ }
> -+
> - in = data_blob_talloc(gensec_security, NULL, sig->length + length);
> -
> - memcpy(in.data, sig->data, sig->length);
> ---
> -1.9.3
> -
> -
> -From 2b1f62e3d99047e2981dcdd32c6820346917dc04 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 31 Dec 2013 09:42:36 +0100
> -Subject: [PATCH 149/249] auth/gensec: move libcli/auth/schannel_sign.c into
> - schannel.c
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 616cd009955b1722e6749019e2c1cac8bbb94e52)
> ----
> - auth/gensec/schannel.c | 380 ++++++++++++++++++++++++++++++++++++++++
> - libcli/auth/schannel_proto.h | 14 --
> - libcli/auth/schannel_sign.c | 404 -------------------------------------------
> - libcli/auth/wscript_build | 2 +-
> - 4 files changed, 381 insertions(+), 419 deletions(-)
> - delete mode 100644 libcli/auth/schannel_sign.c
> -
> -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
> -index eb2e100..c60ab4f 100644
> ---- a/auth/gensec/schannel.c
> -+++ b/auth/gensec/schannel.c
> -@@ -31,6 +31,386 @@
> - #include "librpc/gen_ndr/dcerpc.h"
> - #include "param/param.h"
> - #include "auth/gensec/gensec_toplevel_proto.h"
> -+#include "lib/crypto/crypto.h"
> -+
> -+struct schannel_state {
> -+ uint64_t seq_num;
> -+ bool initiator;
> -+ struct netlogon_creds_CredentialState *creds;
> -+};
> -+
> -+#define SETUP_SEQNUM(state, buf, initiator) do { \
> -+ uint8_t *_buf = buf; \
> -+ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
> -+ uint32_t _seq_num_high = (state)->seq_num >> 32; \
> -+ if (initiator) { \
> -+ _seq_num_high |= 0x80000000; \
> -+ } \
> -+ RSIVAL(_buf, 0, _seq_num_low); \
> -+ RSIVAL(_buf, 4, _seq_num_high); \
> -+} while(0)
> -+
> -+static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_CredentialState *creds,
> -+ bool initiator)
> -+{
> -+ struct schannel_state *state;
> -+
> -+ state = talloc(mem_ctx, struct schannel_state);
> -+ if (state == NULL) {
> -+ return NULL;
> -+ }
> -+
> -+ state->initiator = initiator;
> -+ state->seq_num = 0;
> -+ state->creds = netlogon_creds_copy(state, creds);
> -+ if (state->creds == NULL) {
> -+ talloc_free(state);
> -+ return NULL;
> -+ }
> -+
> -+ return state;
> -+}
> -+
> -+static void netsec_offset_and_sizes(struct schannel_state *state,
> -+ bool do_seal,
> -+ uint32_t *_min_sig_size,
> -+ uint32_t *_used_sig_size,
> -+ uint32_t *_checksum_length,
> -+ uint32_t *_confounder_ofs)
> -+{
> -+ uint32_t min_sig_size;
> -+ uint32_t used_sig_size;
> -+ uint32_t checksum_length;
> -+ uint32_t confounder_ofs;
> -+
> -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -+ min_sig_size = 48;
> -+ used_sig_size = 56;
> -+ /*
> -+ * Note: windows has a bug here and uses the old values...
> -+ *
> -+ * checksum_length = 32;
> -+ * confounder_ofs = 48;
> -+ */
> -+ checksum_length = 8;
> -+ confounder_ofs = 24;
> -+ } else {
> -+ min_sig_size = 24;
> -+ used_sig_size = 32;
> -+ checksum_length = 8;
> -+ confounder_ofs = 24;
> -+ }
> -+
> -+ if (do_seal) {
> -+ min_sig_size += 8;
> -+ }
> -+
> -+ if (_min_sig_size) {
> -+ *_min_sig_size = min_sig_size;
> -+ }
> -+
> -+ if (_used_sig_size) {
> -+ *_used_sig_size = used_sig_size;
> -+ }
> -+
> -+ if (_checksum_length) {
> -+ *_checksum_length = checksum_length;
> -+ }
> -+
> -+ if (_confounder_ofs) {
> -+ *_confounder_ofs = confounder_ofs;
> -+ }
> -+}
> -+
> -+/*******************************************************************
> -+ Encode or Decode the sequence number (which is symmetric)
> -+ ********************************************************************/
> -+static void netsec_do_seq_num(struct schannel_state *state,
> -+ const uint8_t *checksum,
> -+ uint32_t checksum_length,
> -+ uint8_t seq_num[8])
> -+{
> -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -+ AES_KEY key;
> -+ uint8_t iv[AES_BLOCK_SIZE];
> -+
> -+ AES_set_encrypt_key(state->creds->session_key, 128, &key);
> -+ ZERO_STRUCT(iv);
> -+ memcpy(iv+0, checksum, 8);
> -+ memcpy(iv+8, checksum, 8);
> -+
> -+ aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
> -+ } else {
> -+ static const uint8_t zeros[4];
> -+ uint8_t sequence_key[16];
> -+ uint8_t digest1[16];
> -+
> -+ hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
> -+ hmac_md5(digest1, checksum, checksum_length, sequence_key);
> -+ arcfour_crypt(seq_num, sequence_key, 8);
> -+ }
> -+
> -+ state->seq_num++;
> -+}
> -+
> -+static void netsec_do_seal(struct schannel_state *state,
> -+ const uint8_t seq_num[8],
> -+ uint8_t confounder[8],
> -+ uint8_t *data, uint32_t length,
> -+ bool forward)
> -+{
> -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -+ AES_KEY key;
> -+ uint8_t iv[AES_BLOCK_SIZE];
> -+ uint8_t sess_kf0[16];
> -+ int i;
> -+
> -+ for (i = 0; i < 16; i++) {
> -+ sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
> -+ }
> -+
> -+ AES_set_encrypt_key(sess_kf0, 128, &key);
> -+ ZERO_STRUCT(iv);
> -+ memcpy(iv+0, seq_num, 8);
> -+ memcpy(iv+8, seq_num, 8);
> -+
> -+ if (forward) {
> -+ aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
> -+ aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
> -+ } else {
> -+ aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
> -+ aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
> -+ }
> -+ } else {
> -+ uint8_t sealing_key[16];
> -+ static const uint8_t zeros[4];
> -+ uint8_t digest2[16];
> -+ uint8_t sess_kf0[16];
> -+ int i;
> -+
> -+ for (i = 0; i < 16; i++) {
> -+ sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
> -+ }
> -+
> -+ hmac_md5(sess_kf0, zeros, 4, digest2);
> -+ hmac_md5(digest2, seq_num, 8, sealing_key);
> -+
> -+ arcfour_crypt(confounder, sealing_key, 8);
> -+ arcfour_crypt(data, sealing_key, length);
> -+ }
> -+}
> -+
> -+/*******************************************************************
> -+ Create a digest over the entire packet (including the data), and
> -+ MD5 it with the session key.
> -+ ********************************************************************/
> -+static void netsec_do_sign(struct schannel_state *state,
> -+ const uint8_t *confounder,
> -+ const uint8_t *data, size_t length,
> -+ uint8_t header[8],
> -+ uint8_t *checksum)
> -+{
> -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -+ struct HMACSHA256Context ctx;
> -+
> -+ hmac_sha256_init(state->creds->session_key,
> -+ sizeof(state->creds->session_key),
> -+ &ctx);
> -+
> -+ if (confounder) {
> -+ SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
> -+ SSVAL(header, 2, NL_SEAL_AES128);
> -+ SSVAL(header, 4, 0xFFFF);
> -+ SSVAL(header, 6, 0x0000);
> -+
> -+ hmac_sha256_update(header, 8, &ctx);
> -+ hmac_sha256_update(confounder, 8, &ctx);
> -+ } else {
> -+ SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
> -+ SSVAL(header, 2, NL_SEAL_NONE);
> -+ SSVAL(header, 4, 0xFFFF);
> -+ SSVAL(header, 6, 0x0000);
> -+
> -+ hmac_sha256_update(header, 8, &ctx);
> -+ }
> -+
> -+ hmac_sha256_update(data, length, &ctx);
> -+
> -+ hmac_sha256_final(checksum, &ctx);
> -+ } else {
> -+ uint8_t packet_digest[16];
> -+ static const uint8_t zeros[4];
> -+ MD5_CTX ctx;
> -+
> -+ MD5Init(&ctx);
> -+ MD5Update(&ctx, zeros, 4);
> -+ if (confounder) {
> -+ SSVAL(header, 0, NL_SIGN_HMAC_MD5);
> -+ SSVAL(header, 2, NL_SEAL_RC4);
> -+ SSVAL(header, 4, 0xFFFF);
> -+ SSVAL(header, 6, 0x0000);
> -+
> -+ MD5Update(&ctx, header, 8);
> -+ MD5Update(&ctx, confounder, 8);
> -+ } else {
> -+ SSVAL(header, 0, NL_SIGN_HMAC_MD5);
> -+ SSVAL(header, 2, NL_SEAL_NONE);
> -+ SSVAL(header, 4, 0xFFFF);
> -+ SSVAL(header, 6, 0x0000);
> -+
> -+ MD5Update(&ctx, header, 8);
> -+ }
> -+ MD5Update(&ctx, data, length);
> -+ MD5Final(packet_digest, &ctx);
> -+
> -+ hmac_md5(state->creds->session_key,
> -+ packet_digest, sizeof(packet_digest),
> -+ checksum);
> -+ }
> -+}
> -+
> -+static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> -+ bool do_unseal,
> -+ uint8_t *data, size_t length,
> -+ const DATA_BLOB *sig)
> -+{
> -+ uint32_t min_sig_size = 0;
> -+ uint8_t header[8];
> -+ uint8_t checksum[32];
> -+ uint32_t checksum_length = sizeof(checksum_length);
> -+ uint8_t _confounder[8];
> -+ uint8_t *confounder = NULL;
> -+ uint32_t confounder_ofs = 0;
> -+ uint8_t seq_num[8];
> -+ int ret;
> -+
> -+ netsec_offset_and_sizes(state,
> -+ do_unseal,
> -+ &min_sig_size,
> -+ NULL,
> -+ &checksum_length,
> -+ &confounder_ofs);
> -+
> -+ if (sig->length < min_sig_size) {
> -+ return NT_STATUS_ACCESS_DENIED;
> -+ }
> -+
> -+ if (do_unseal) {
> -+ confounder = _confounder;
> -+ memcpy(confounder, sig->data+confounder_ofs, 8);
> -+ } else {
> -+ confounder = NULL;
> -+ }
> -+
> -+ SETUP_SEQNUM(state, seq_num, !state->initiator);
> -+
> -+ if (do_unseal) {
> -+ netsec_do_seal(state, seq_num,
> -+ confounder,
> -+ data, length,
> -+ false);
> -+ }
> -+
> -+ netsec_do_sign(state, confounder,
> -+ data, length,
> -+ header, checksum);
> -+
> -+ ret = memcmp(checksum, sig->data+16, checksum_length);
> -+ if (ret != 0) {
> -+ dump_data_pw("calc digest:", checksum, checksum_length);
> -+ dump_data_pw("wire digest:", sig->data+16, checksum_length);
> -+ return NT_STATUS_ACCESS_DENIED;
> -+ }
> -+
> -+ netsec_do_seq_num(state, checksum, checksum_length, seq_num);
> -+
> -+ ret = memcmp(seq_num, sig->data+8, 8);
> -+ if (ret != 0) {
> -+ dump_data_pw("calc seq num:", seq_num, 8);
> -+ dump_data_pw("wire seq num:", sig->data+8, 8);
> -+ return NT_STATUS_ACCESS_DENIED;
> -+ }
> -+
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+static uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
> -+{
> -+ uint32_t sig_size = 0;
> -+
> -+ netsec_offset_and_sizes(state,
> -+ true,
> -+ NULL,
> -+ &sig_size,
> -+ NULL,
> -+ NULL);
> -+
> -+ return sig_size;
> -+}
> -+
> -+static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> -+ TALLOC_CTX *mem_ctx,
> -+ bool do_seal,
> -+ uint8_t *data, size_t length,
> -+ DATA_BLOB *sig)
> -+{
> -+ uint32_t min_sig_size = 0;
> -+ uint32_t used_sig_size = 0;
> -+ uint8_t header[8];
> -+ uint8_t checksum[32];
> -+ uint32_t checksum_length = sizeof(checksum_length);
> -+ uint8_t _confounder[8];
> -+ uint8_t *confounder = NULL;
> -+ uint32_t confounder_ofs = 0;
> -+ uint8_t seq_num[8];
> -+
> -+ netsec_offset_and_sizes(state,
> -+ do_seal,
> -+ &min_sig_size,
> -+ &used_sig_size,
> -+ &checksum_length,
> -+ &confounder_ofs);
> -+
> -+ SETUP_SEQNUM(state, seq_num, state->initiator);
> -+
> -+ if (do_seal) {
> -+ confounder = _confounder;
> -+ generate_random_buffer(confounder, 8);
> -+ } else {
> -+ confounder = NULL;
> -+ }
> -+
> -+ netsec_do_sign(state, confounder,
> -+ data, length,
> -+ header, checksum);
> -+
> -+ if (do_seal) {
> -+ netsec_do_seal(state, seq_num,
> -+ confounder,
> -+ data, length,
> -+ true);
> -+ }
> -+
> -+ netsec_do_seq_num(state, checksum, checksum_length, seq_num);
> -+
> -+ (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
> -+
> -+ memcpy(sig->data, header, 8);
> -+ memcpy(sig->data+8, seq_num, 8);
> -+ memcpy(sig->data+16, checksum, checksum_length);
> -+
> -+ if (confounder) {
> -+ memcpy(sig->data+confounder_ofs, confounder, 8);
> -+ }
> -+
> -+ dump_data_pw("signature:", sig->data+ 0, 8);
> -+ dump_data_pw("seq_num :", sig->data+ 8, 8);
> -+ dump_data_pw("digest :", sig->data+16, checksum_length);
> -+ dump_data_pw("confound :", sig->data+confounder_ofs, 8);
> -+
> -+ return NT_STATUS_OK;
> -+}
> -
> - _PUBLIC_ NTSTATUS gensec_schannel_init(void);
> -
> -diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
> -index da76559..bce37c8 100644
> ---- a/libcli/auth/schannel_proto.h
> -+++ b/libcli/auth/schannel_proto.h
> -@@ -28,18 +28,4 @@ struct schannel_state;
> - struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
> - struct loadparm_context *lp_ctx);
> -
> --struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> -- struct netlogon_creds_CredentialState *creds,
> -- bool initiator);
> --NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> -- bool do_unseal,
> -- uint8_t *data, size_t length,
> -- const DATA_BLOB *sig);
> --uint32_t netsec_outgoing_sig_size(struct schannel_state *state);
> --NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> -- TALLOC_CTX *mem_ctx,
> -- bool do_seal,
> -- uint8_t *data, size_t length,
> -- DATA_BLOB *sig);
> --
> - #endif
> -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> -deleted file mode 100644
> -index 9502cba..0000000
> ---- a/libcli/auth/schannel_sign.c
> -+++ /dev/null
> -@@ -1,404 +0,0 @@
> --/*
> -- Unix SMB/CIFS implementation.
> --
> -- schannel library code
> --
> -- Copyright (C) Andrew Tridgell 2004
> -- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
> --
> -- This program is free software; you can redistribute it and/or modify
> -- it under the terms of the GNU General Public License as published by
> -- the Free Software Foundation; either version 3 of the License, or
> -- (at your option) any later version.
> --
> -- This program is distributed in the hope that it will be useful,
> -- but WITHOUT ANY WARRANTY; without even the implied warranty of
> -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -- GNU General Public License for more details.
> --
> -- You should have received a copy of the GNU General Public License
> -- along with this program. If not, see <http://www.gnu.org/licenses/>.
> --*/
> --
> --#include "includes.h"
> --#include "../libcli/auth/schannel.h"
> --#include "../lib/crypto/crypto.h"
> --
> --struct schannel_state {
> -- uint64_t seq_num;
> -- bool initiator;
> -- struct netlogon_creds_CredentialState *creds;
> --};
> --
> --#define SETUP_SEQNUM(state, buf, initiator) do { \
> -- uint8_t *_buf = buf; \
> -- uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
> -- uint32_t _seq_num_high = (state)->seq_num >> 32; \
> -- if (initiator) { \
> -- _seq_num_high |= 0x80000000; \
> -- } \
> -- RSIVAL(_buf, 0, _seq_num_low); \
> -- RSIVAL(_buf, 4, _seq_num_high); \
> --} while(0)
> --
> --struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> -- struct netlogon_creds_CredentialState *creds,
> -- bool initiator)
> --{
> -- struct schannel_state *state;
> --
> -- state = talloc(mem_ctx, struct schannel_state);
> -- if (state == NULL) {
> -- return NULL;
> -- }
> --
> -- state->initiator = initiator;
> -- state->seq_num = 0;
> -- state->creds = netlogon_creds_copy(state, creds);
> -- if (state->creds == NULL) {
> -- talloc_free(state);
> -- return NULL;
> -- }
> --
> -- return state;
> --}
> --
> --static void netsec_offset_and_sizes(struct schannel_state *state,
> -- bool do_seal,
> -- uint32_t *_min_sig_size,
> -- uint32_t *_used_sig_size,
> -- uint32_t *_checksum_length,
> -- uint32_t *_confounder_ofs)
> --{
> -- uint32_t min_sig_size;
> -- uint32_t used_sig_size;
> -- uint32_t checksum_length;
> -- uint32_t confounder_ofs;
> --
> -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- min_sig_size = 48;
> -- used_sig_size = 56;
> -- /*
> -- * Note: windows has a bug here and uses the old values...
> -- *
> -- * checksum_length = 32;
> -- * confounder_ofs = 48;
> -- */
> -- checksum_length = 8;
> -- confounder_ofs = 24;
> -- } else {
> -- min_sig_size = 24;
> -- used_sig_size = 32;
> -- checksum_length = 8;
> -- confounder_ofs = 24;
> -- }
> --
> -- if (do_seal) {
> -- min_sig_size += 8;
> -- }
> --
> -- if (_min_sig_size) {
> -- *_min_sig_size = min_sig_size;
> -- }
> --
> -- if (_used_sig_size) {
> -- *_used_sig_size = used_sig_size;
> -- }
> --
> -- if (_checksum_length) {
> -- *_checksum_length = checksum_length;
> -- }
> --
> -- if (_confounder_ofs) {
> -- *_confounder_ofs = confounder_ofs;
> -- }
> --}
> --
> --/*******************************************************************
> -- Encode or Decode the sequence number (which is symmetric)
> -- ********************************************************************/
> --static void netsec_do_seq_num(struct schannel_state *state,
> -- const uint8_t *checksum,
> -- uint32_t checksum_length,
> -- uint8_t seq_num[8])
> --{
> -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- AES_KEY key;
> -- uint8_t iv[AES_BLOCK_SIZE];
> --
> -- AES_set_encrypt_key(state->creds->session_key, 128, &key);
> -- ZERO_STRUCT(iv);
> -- memcpy(iv+0, checksum, 8);
> -- memcpy(iv+8, checksum, 8);
> --
> -- aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
> -- } else {
> -- static const uint8_t zeros[4];
> -- uint8_t sequence_key[16];
> -- uint8_t digest1[16];
> --
> -- hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
> -- hmac_md5(digest1, checksum, checksum_length, sequence_key);
> -- arcfour_crypt(seq_num, sequence_key, 8);
> -- }
> --
> -- state->seq_num++;
> --}
> --
> --static void netsec_do_seal(struct schannel_state *state,
> -- const uint8_t seq_num[8],
> -- uint8_t confounder[8],
> -- uint8_t *data, uint32_t length,
> -- bool forward)
> --{
> -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- AES_KEY key;
> -- uint8_t iv[AES_BLOCK_SIZE];
> -- uint8_t sess_kf0[16];
> -- int i;
> --
> -- for (i = 0; i < 16; i++) {
> -- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
> -- }
> --
> -- AES_set_encrypt_key(sess_kf0, 128, &key);
> -- ZERO_STRUCT(iv);
> -- memcpy(iv+0, seq_num, 8);
> -- memcpy(iv+8, seq_num, 8);
> --
> -- if (forward) {
> -- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
> -- aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
> -- } else {
> -- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
> -- aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
> -- }
> -- } else {
> -- uint8_t sealing_key[16];
> -- static const uint8_t zeros[4];
> -- uint8_t digest2[16];
> -- uint8_t sess_kf0[16];
> -- int i;
> --
> -- for (i = 0; i < 16; i++) {
> -- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
> -- }
> --
> -- hmac_md5(sess_kf0, zeros, 4, digest2);
> -- hmac_md5(digest2, seq_num, 8, sealing_key);
> --
> -- arcfour_crypt(confounder, sealing_key, 8);
> -- arcfour_crypt(data, sealing_key, length);
> -- }
> --}
> --
> --/*******************************************************************
> -- Create a digest over the entire packet (including the data), and
> -- MD5 it with the session key.
> -- ********************************************************************/
> --static void netsec_do_sign(struct schannel_state *state,
> -- const uint8_t *confounder,
> -- const uint8_t *data, size_t length,
> -- uint8_t header[8],
> -- uint8_t *checksum)
> --{
> -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- struct HMACSHA256Context ctx;
> --
> -- hmac_sha256_init(state->creds->session_key,
> -- sizeof(state->creds->session_key),
> -- &ctx);
> --
> -- if (confounder) {
> -- SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
> -- SSVAL(header, 2, NL_SEAL_AES128);
> -- SSVAL(header, 4, 0xFFFF);
> -- SSVAL(header, 6, 0x0000);
> --
> -- hmac_sha256_update(header, 8, &ctx);
> -- hmac_sha256_update(confounder, 8, &ctx);
> -- } else {
> -- SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
> -- SSVAL(header, 2, NL_SEAL_NONE);
> -- SSVAL(header, 4, 0xFFFF);
> -- SSVAL(header, 6, 0x0000);
> --
> -- hmac_sha256_update(header, 8, &ctx);
> -- }
> --
> -- hmac_sha256_update(data, length, &ctx);
> --
> -- hmac_sha256_final(checksum, &ctx);
> -- } else {
> -- uint8_t packet_digest[16];
> -- static const uint8_t zeros[4];
> -- MD5_CTX ctx;
> --
> -- MD5Init(&ctx);
> -- MD5Update(&ctx, zeros, 4);
> -- if (confounder) {
> -- SSVAL(header, 0, NL_SIGN_HMAC_MD5);
> -- SSVAL(header, 2, NL_SEAL_RC4);
> -- SSVAL(header, 4, 0xFFFF);
> -- SSVAL(header, 6, 0x0000);
> --
> -- MD5Update(&ctx, header, 8);
> -- MD5Update(&ctx, confounder, 8);
> -- } else {
> -- SSVAL(header, 0, NL_SIGN_HMAC_MD5);
> -- SSVAL(header, 2, NL_SEAL_NONE);
> -- SSVAL(header, 4, 0xFFFF);
> -- SSVAL(header, 6, 0x0000);
> --
> -- MD5Update(&ctx, header, 8);
> -- }
> -- MD5Update(&ctx, data, length);
> -- MD5Final(packet_digest, &ctx);
> --
> -- hmac_md5(state->creds->session_key,
> -- packet_digest, sizeof(packet_digest),
> -- checksum);
> -- }
> --}
> --
> --NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> -- bool do_unseal,
> -- uint8_t *data, size_t length,
> -- const DATA_BLOB *sig)
> --{
> -- uint32_t min_sig_size = 0;
> -- uint8_t header[8];
> -- uint8_t checksum[32];
> -- uint32_t checksum_length = sizeof(checksum_length);
> -- uint8_t _confounder[8];
> -- uint8_t *confounder = NULL;
> -- uint32_t confounder_ofs = 0;
> -- uint8_t seq_num[8];
> -- int ret;
> --
> -- netsec_offset_and_sizes(state,
> -- do_unseal,
> -- &min_sig_size,
> -- NULL,
> -- &checksum_length,
> -- &confounder_ofs);
> --
> -- if (sig->length < min_sig_size) {
> -- return NT_STATUS_ACCESS_DENIED;
> -- }
> --
> -- if (do_unseal) {
> -- confounder = _confounder;
> -- memcpy(confounder, sig->data+confounder_ofs, 8);
> -- } else {
> -- confounder = NULL;
> -- }
> --
> -- SETUP_SEQNUM(state, seq_num, !state->initiator);
> --
> -- if (do_unseal) {
> -- netsec_do_seal(state, seq_num,
> -- confounder,
> -- data, length,
> -- false);
> -- }
> --
> -- netsec_do_sign(state, confounder,
> -- data, length,
> -- header, checksum);
> --
> -- ret = memcmp(checksum, sig->data+16, checksum_length);
> -- if (ret != 0) {
> -- dump_data_pw("calc digest:", checksum, checksum_length);
> -- dump_data_pw("wire digest:", sig->data+16, checksum_length);
> -- return NT_STATUS_ACCESS_DENIED;
> -- }
> --
> -- netsec_do_seq_num(state, checksum, checksum_length, seq_num);
> --
> -- ret = memcmp(seq_num, sig->data+8, 8);
> -- if (ret != 0) {
> -- dump_data_pw("calc seq num:", seq_num, 8);
> -- dump_data_pw("wire seq num:", sig->data+8, 8);
> -- return NT_STATUS_ACCESS_DENIED;
> -- }
> --
> -- return NT_STATUS_OK;
> --}
> --
> --uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
> --{
> -- uint32_t sig_size = 0;
> --
> -- netsec_offset_and_sizes(state,
> -- true,
> -- NULL,
> -- &sig_size,
> -- NULL,
> -- NULL);
> --
> -- return sig_size;
> --}
> --
> --NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> -- TALLOC_CTX *mem_ctx,
> -- bool do_seal,
> -- uint8_t *data, size_t length,
> -- DATA_BLOB *sig)
> --{
> -- uint32_t min_sig_size = 0;
> -- uint32_t used_sig_size = 0;
> -- uint8_t header[8];
> -- uint8_t checksum[32];
> -- uint32_t checksum_length = sizeof(checksum_length);
> -- uint8_t _confounder[8];
> -- uint8_t *confounder = NULL;
> -- uint32_t confounder_ofs = 0;
> -- uint8_t seq_num[8];
> --
> -- netsec_offset_and_sizes(state,
> -- do_seal,
> -- &min_sig_size,
> -- &used_sig_size,
> -- &checksum_length,
> -- &confounder_ofs);
> --
> -- SETUP_SEQNUM(state, seq_num, state->initiator);
> --
> -- if (do_seal) {
> -- confounder = _confounder;
> -- generate_random_buffer(confounder, 8);
> -- } else {
> -- confounder = NULL;
> -- }
> --
> -- netsec_do_sign(state, confounder,
> -- data, length,
> -- header, checksum);
> --
> -- if (do_seal) {
> -- netsec_do_seal(state, seq_num,
> -- confounder,
> -- data, length,
> -- true);
> -- }
> --
> -- netsec_do_seq_num(state, checksum, checksum_length, seq_num);
> --
> -- (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
> --
> -- memcpy(sig->data, header, 8);
> -- memcpy(sig->data+8, seq_num, 8);
> -- memcpy(sig->data+16, checksum, checksum_length);
> --
> -- if (confounder) {
> -- memcpy(sig->data+confounder_ofs, confounder, 8);
> -- }
> --
> -- dump_data_pw("signature:", sig->data+ 0, 8);
> -- dump_data_pw("seq_num :", sig->data+ 8, 8);
> -- dump_data_pw("digest :", sig->data+16, checksum_length);
> -- dump_data_pw("confound :", sig->data+confounder_ofs, 8);
> --
> -- return NT_STATUS_OK;
> --}
> -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
> -index df23058..ca2be2d 100755
> ---- a/libcli/auth/wscript_build
> -+++ b/libcli/auth/wscript_build
> -@@ -24,7 +24,7 @@ bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
> -
> -
> - bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
> -- source='schannel_state_tdb.c schannel_sign.c',
> -+ source='schannel_state_tdb.c',
> - deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
> - )
> -
> ---
> -1.9.3
> -
> -
> -From 307627065568a259eb9e94953b872bf723477be6 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 31 Dec 2013 10:11:18 +0100
> -Subject: [PATCH 150/249] auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER
> - in schannel.c
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 03006d0e4471465f071517097145806fbe46fdba)
> ----
> - auth/gensec/schannel.c | 56 +++++++++++++++++++++++++++++++++++++++++---------
> - 1 file changed, 46 insertions(+), 10 deletions(-)
> -
> -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
> -index c60ab4f..3d30e83 100644
> ---- a/auth/gensec/schannel.c
> -+++ b/auth/gensec/schannel.c
> -@@ -34,6 +34,7 @@
> - #include "lib/crypto/crypto.h"
> -
> - struct schannel_state {
> -+ struct gensec_security *gensec;
> - uint64_t seq_num;
> - bool initiator;
> - struct netlogon_creds_CredentialState *creds;
> -@@ -50,17 +51,19 @@ struct schannel_state {
> - RSIVAL(_buf, 4, _seq_num_high); \
> - } while(0)
> -
> --static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> -+static struct schannel_state *netsec_create_state(
> -+ struct gensec_security *gensec,
> - struct netlogon_creds_CredentialState *creds,
> - bool initiator)
> - {
> - struct schannel_state *state;
> -
> -- state = talloc(mem_ctx, struct schannel_state);
> -+ state = talloc(gensec, struct schannel_state);
> - if (state == NULL) {
> - return NULL;
> - }
> -
> -+ state->gensec = gensec;
> - state->initiator = initiator;
> - state->seq_num = 0;
> - state->creds = netlogon_creds_copy(state, creds);
> -@@ -69,6 +72,8 @@ static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> - return NULL;
> - }
> -
> -+ gensec->private_data = state;
> -+
> - return state;
> - }
> -
> -@@ -273,6 +278,7 @@ static void netsec_do_sign(struct schannel_state *state,
> - static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> - bool do_unseal,
> - uint8_t *data, size_t length,
> -+ const uint8_t *whole_pdu, size_t pdu_length,
> - const DATA_BLOB *sig)
> - {
> - uint32_t min_sig_size = 0;
> -@@ -284,6 +290,8 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> - uint32_t confounder_ofs = 0;
> - uint8_t seq_num[8];
> - int ret;
> -+ const uint8_t *sign_data = NULL;
> -+ size_t sign_length = 0;
> -
> - netsec_offset_and_sizes(state,
> - do_unseal,
> -@@ -312,8 +320,16 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> - false);
> - }
> -
> -+ if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> -+ sign_data = whole_pdu;
> -+ sign_length = pdu_length;
> -+ } else {
> -+ sign_data = data;
> -+ sign_length = length;
> -+ }
> -+
> - netsec_do_sign(state, confounder,
> -- data, length,
> -+ sign_data, sign_length,
> - header, checksum);
> -
> - ret = memcmp(checksum, sig->data+16, checksum_length);
> -@@ -353,6 +369,7 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> - TALLOC_CTX *mem_ctx,
> - bool do_seal,
> - uint8_t *data, size_t length,
> -+ const uint8_t *whole_pdu, size_t pdu_length,
> - DATA_BLOB *sig)
> - {
> - uint32_t min_sig_size = 0;
> -@@ -364,6 +381,8 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> - uint8_t *confounder = NULL;
> - uint32_t confounder_ofs = 0;
> - uint8_t seq_num[8];
> -+ const uint8_t *sign_data = NULL;
> -+ size_t sign_length = 0;
> -
> - netsec_offset_and_sizes(state,
> - do_seal,
> -@@ -381,8 +400,16 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> - confounder = NULL;
> - }
> -
> -+ if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> -+ sign_data = whole_pdu;
> -+ sign_length = pdu_length;
> -+ } else {
> -+ sign_data = data;
> -+ sign_length = length;
> -+ }
> -+
> - netsec_do_sign(state, confounder,
> -- data, length,
> -+ sign_data, sign_length,
> - header, checksum);
> -
> - if (do_seal) {
> -@@ -457,7 +484,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> - if (state == NULL) {
> - return NT_STATUS_NO_MEMORY;
> - }
> -- gensec_security->private_data = state;
> -
> - bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
> - #if 0
> -@@ -553,7 +579,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> - if (state == NULL) {
> - return NT_STATUS_NO_MEMORY;
> - }
> -- gensec_security->private_data = state;
> -
> - bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
> - bind_schannel_ack.Flags = 0;
> -@@ -608,6 +633,9 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
> - if (feature & GENSEC_FEATURE_DCE_STYLE) {
> - return true;
> - }
> -+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> -+ return true;
> -+ }
> - return false;
> - }
> -
> -@@ -625,7 +653,9 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
> -
> - return netsec_incoming_packet(state, true,
> - discard_const_p(uint8_t, data),
> -- length, sig);
> -+ length,
> -+ whole_pdu, pdu_length,
> -+ sig);
> - }
> -
> - /*
> -@@ -642,7 +672,9 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
> -
> - return netsec_incoming_packet(state, false,
> - discard_const_p(uint8_t, data),
> -- length, sig);
> -+ length,
> -+ whole_pdu, pdu_length,
> -+ sig);
> - }
> - /*
> - seal a packet
> -@@ -658,7 +690,9 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
> - struct schannel_state);
> -
> - return netsec_outgoing_packet(state, mem_ctx, true,
> -- data, length, sig);
> -+ data, length,
> -+ whole_pdu, pdu_length,
> -+ sig);
> - }
> -
> - /*
> -@@ -676,7 +710,9 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
> -
> - return netsec_outgoing_packet(state, mem_ctx, false,
> - discard_const_p(uint8_t, data),
> -- length, sig);
> -+ length,
> -+ whole_pdu, pdu_length,
> -+ sig);
> - }
> -
> - static const struct gensec_security_ops gensec_schannel_security_ops = {
> ---
> -1.9.3
> -
> -
> -From 5b457559dfaeaf8f3d9227a93e5b75e0e7464c23 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sun, 5 Jan 2014 06:16:03 +0100
> -Subject: [PATCH 151/249] s3:rpc_client: talloc_zero pipe_auth_data
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 5b39a351a8ceb3bec04236ceb4b2fe10651958a9)
> ----
> - source3/rpc_client/cli_pipe.c | 6 +++---
> - 1 file changed, 3 insertions(+), 3 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index a343997..7d1e347 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -2101,7 +2101,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
> - {
> - struct pipe_auth_data *result;
> -
> -- result = talloc(mem_ctx, struct pipe_auth_data);
> -+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
> - if (result == NULL) {
> - return NT_STATUS_NO_MEMORY;
> - }
> -@@ -2125,7 +2125,7 @@ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
> - {
> - struct pipe_auth_data *result;
> -
> -- result = talloc(mem_ctx, struct pipe_auth_data);
> -+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
> - if (result == NULL) {
> - return NT_STATUS_NO_MEMORY;
> - }
> -@@ -2160,7 +2160,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> - struct pipe_auth_data *result;
> - NTSTATUS status;
> -
> -- result = talloc(mem_ctx, struct pipe_auth_data);
> -+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
> - if (result == NULL) {
> - return NT_STATUS_NO_MEMORY;
> - }
> ---
> -1.9.3
> -
> -
> -From dd35874efea280b91ccaadf14a9a18e8a9017ea4 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sun, 5 Jan 2014 06:31:44 +0100
> -Subject: [PATCH 152/249] s3:rpc_client: make rpc_api_pipe_req_send/recv static
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 946e29dbc148d40fadbee81d4d530a36c0f2f1e6)
> ----
> - source3/rpc_client/cli_pipe.c | 4 ++--
> - source3/rpc_client/cli_pipe.h | 10 ----------
> - 2 files changed, 2 insertions(+), 12 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 7d1e347..3d12454 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -1153,7 +1153,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq);
> - static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> - bool *is_last_frag);
> -
> --struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> -+static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> - struct tevent_context *ev,
> - struct rpc_pipe_client *cli,
> - uint8_t op_num,
> -@@ -1366,7 +1366,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
> - tevent_req_done(req);
> - }
> -
> --NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
> -+static NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
> - DATA_BLOB *reply_pdu)
> - {
> - struct rpc_api_pipe_req_state *state = tevent_req_data(
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index ab99373..826f9bf 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -27,16 +27,6 @@
> -
> - /* The following definitions come from rpc_client/cli_pipe.c */
> -
> --struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> -- struct tevent_context *ev,
> -- struct rpc_pipe_client *cli,
> -- uint8_t op_num,
> -- DATA_BLOB *req_data);
> --
> --NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req,
> -- TALLOC_CTX *mem_ctx,
> -- DATA_BLOB *reply_pdu);
> --
> - struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
> - struct tevent_context *ev,
> - struct rpc_pipe_client *cli,
> ---
> -1.9.3
> -
> -
> -From 9ea586bbac52bf17e6a1147420bfc9648e697706 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sun, 5 Jan 2014 07:56:20 +0100
> -Subject: [PATCH 153/249] s3:rpc_client: add some const to
> - rpc_api_pipe_req_send()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 4d3376e919b5c33f272b3a584d8172729a7468e0)
> ----
> - source3/rpc_client/cli_pipe.c | 4 ++--
> - 1 file changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 3d12454..6b7fee2 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -1142,7 +1142,7 @@ struct rpc_api_pipe_req_state {
> - struct rpc_pipe_client *cli;
> - uint8_t op_num;
> - uint32_t call_id;
> -- DATA_BLOB *req_data;
> -+ const DATA_BLOB *req_data;
> - uint32_t req_data_sent;
> - DATA_BLOB rpc_out;
> - DATA_BLOB reply_pdu;
> -@@ -1157,7 +1157,7 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> - struct tevent_context *ev,
> - struct rpc_pipe_client *cli,
> - uint8_t op_num,
> -- DATA_BLOB *req_data)
> -+ const DATA_BLOB *req_data)
> - {
> - struct tevent_req *req, *subreq;
> - struct rpc_api_pipe_req_state *state;
> ---
> -1.9.3
> -
> -
> -From cc6303171f06ae26bce9d54013a63a6296563dd7 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sun, 5 Jan 2014 08:26:15 +0100
> -Subject: [PATCH 154/249] s3:rpc_client: handle DCERPC_AUTH_TYPE_SCHANNEL as
> - any other gensec backend
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit f7bf7e705e704d2f1702e42a8e400baff9521066)
> ----
> - source3/rpc_client/cli_pipe.c | 4 ++--
> - 1 file changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 6b7fee2..b142774 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -1627,11 +1627,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
> -
> - case DCERPC_AUTH_TYPE_NONE:
> - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
> -- case DCERPC_AUTH_TYPE_SCHANNEL:
> - /* Bind complete. */
> - tevent_req_done(req);
> - return;
> -
> -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> - case DCERPC_AUTH_TYPE_NTLMSSP:
> - case DCERPC_AUTH_TYPE_SPNEGO:
> - case DCERPC_AUTH_TYPE_KRB5:
> -@@ -1666,11 +1666,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
> -
> - case DCERPC_AUTH_TYPE_NONE:
> - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
> -- case DCERPC_AUTH_TYPE_SCHANNEL:
> - /* Bind complete. */
> - tevent_req_done(req);
> - return;
> -
> -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> - case DCERPC_AUTH_TYPE_NTLMSSP:
> - case DCERPC_AUTH_TYPE_KRB5:
> - case DCERPC_AUTH_TYPE_SPNEGO:
> ---
> -1.9.3
> -
> -
> -From 044ca24f9d8a3bf57d6981c89e6dcc5e4477059d Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 3 Jan 2014 22:41:33 +0100
> -Subject: [PATCH 155/249] s3:rpc_client: implement
> - DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 61bdbc23cd09a594a63f49ff8626934c85a8e51a)
> ----
> - source3/librpc/rpc/dcerpc.h | 4 +++-
> - source3/rpc_client/cli_pipe.c | 44 +++++++++++++++++++++++++++++++++++++------
> - 2 files changed, 41 insertions(+), 7 deletions(-)
> -
> -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
> -index b18b7ba..aaf8d68 100644
> ---- a/source3/librpc/rpc/dcerpc.h
> -+++ b/source3/librpc/rpc/dcerpc.h
> -@@ -39,7 +39,9 @@ struct NL_AUTH_MESSAGE;
> - struct pipe_auth_data {
> - enum dcerpc_AuthType auth_type;
> - enum dcerpc_AuthLevel auth_level;
> --
> -+ bool client_hdr_signing;
> -+ bool hdr_signing;
> -+
> - void *auth_ctx;
> -
> - /* Only the client code uses these 3 for now */
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index b142774..1cab580 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -1002,16 +1002,31 @@ static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
> -
> - static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> - TALLOC_CTX *mem_ctx,
> -- DATA_BLOB *auth_token)
> -+ DATA_BLOB *auth_token,
> -+ bool *client_hdr_signing)
> - {
> - struct gensec_security *gensec_security;
> - DATA_BLOB null_blob = data_blob_null;
> -+ NTSTATUS status;
> -
> - gensec_security = talloc_get_type_abort(cli->auth->auth_ctx,
> - struct gensec_security);
> -
> - DEBUG(5, ("create_generic_auth_rpc_bind_req: generate first token\n"));
> -- return gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
> -+ status = gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
> -+
> -+ if (!NT_STATUS_IS_OK(status) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
> -+ {
> -+ return status;
> -+ }
> -+
> -+ if (client_hdr_signing != NULL) {
> -+ *client_hdr_signing = gensec_have_feature(gensec_security,
> -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> -+ }
> -+
> -+ return status;
> - }
> -
> - /*******************************************************************
> -@@ -1024,17 +1039,23 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
> - const struct ndr_syntax_id *abstract,
> - const struct ndr_syntax_id *transfer,
> - const DATA_BLOB *auth_info,
> -+ bool client_hdr_signing,
> - DATA_BLOB *blob)
> - {
> - uint16 auth_len = auth_info->length;
> - NTSTATUS status;
> - union dcerpc_payload u;
> - struct dcerpc_ctx_list ctx_list;
> -+ uint8_t pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
> -
> - if (auth_len) {
> - auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
> - }
> -
> -+ if (client_hdr_signing) {
> -+ pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> -+ }
> -+
> - ctx_list.context_id = 0;
> - ctx_list.num_transfer_syntaxes = 1;
> - ctx_list.abstract_syntax = *abstract;
> -@@ -1048,9 +1069,7 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
> - u.bind.auth_info = *auth_info;
> -
> - status = dcerpc_push_ncacn_packet(mem_ctx,
> -- ptype,
> -- DCERPC_PFC_FLAG_FIRST |
> -- DCERPC_PFC_FLAG_LAST,
> -+ ptype, pfc_flags,
> - auth_len,
> - rpc_call_id,
> - &u,
> -@@ -1084,7 +1103,9 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
> - case DCERPC_AUTH_TYPE_NTLMSSP:
> - case DCERPC_AUTH_TYPE_KRB5:
> - case DCERPC_AUTH_TYPE_SPNEGO:
> -- ret = create_generic_auth_rpc_bind_req(cli, mem_ctx, &auth_token);
> -+ ret = create_generic_auth_rpc_bind_req(cli, mem_ctx,
> -+ &auth_token,
> -+ &auth->client_hdr_signing);
> -
> - if (!NT_STATUS_IS_OK(ret) &&
> - !NT_STATUS_EQUAL(ret, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
> -@@ -1126,6 +1147,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
> - abstract,
> - transfer,
> - &auth_info,
> -+ auth->client_hdr_signing,
> - rpc_out);
> - return ret;
> - }
> -@@ -1507,6 +1529,7 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
> - abstract,
> - transfer,
> - &auth_info,
> -+ false, /* client_hdr_signing */
> - rpc_out);
> - data_blob_free(&auth_info);
> - return status;
> -@@ -1676,6 +1699,15 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
> - case DCERPC_AUTH_TYPE_SPNEGO:
> - gensec_security = talloc_get_type_abort(pauth->auth_ctx,
> - struct gensec_security);
> -+
> -+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
> -+ if (pauth->client_hdr_signing) {
> -+ pauth->hdr_signing = true;
> -+ gensec_want_feature(gensec_security,
> -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> -+ }
> -+ }
> -+
> - status = gensec_update(gensec_security, state, NULL,
> - auth.credentials, &auth_token);
> - if (NT_STATUS_EQUAL(status,
> ---
> -1.9.3
> -
> -
> -From 472b11d1b0fdbb1ca61e64979e4b5fd7dc1756a5 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 3 Jan 2014 22:56:03 +0100
> -Subject: [PATCH 156/249] s3:rpc_server: add support for
> - DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
> -
> -If the backend supports it there's no reason to avoid it.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 523d616268af5f94e11c863f9acdebabace80608)
> ----
> - source3/rpc_server/srv_pipe.c | 25 ++++++++++++++++++++++---
> - 1 file changed, 22 insertions(+), 3 deletions(-)
> -
> -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> -index 5f834fb..f572819 100644
> ---- a/source3/rpc_server/srv_pipe.c
> -+++ b/source3/rpc_server/srv_pipe.c
> -@@ -42,6 +42,7 @@
> - #include "rpc_server/rpc_contexts.h"
> - #include "lib/param/param.h"
> - #include "librpc/ndr/ndr_table.h"
> -+#include "auth/gensec/gensec.h"
> -
> - #undef DBGC_CLASS
> - #define DBGC_CLASS DBGC_RPC_SRV
> -@@ -418,10 +419,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
> - *******************************************************************/
> -
> - static bool pipe_auth_generic_bind(struct pipes_struct *p,
> -- TALLOC_CTX *mem_ctx,
> -+ struct ncacn_packet *pkt,
> - struct dcerpc_auth *auth_info,
> - DATA_BLOB *response)
> - {
> -+ TALLOC_CTX *mem_ctx = pkt;
> - struct gensec_security *gensec_security = NULL;
> - NTSTATUS status;
> -
> -@@ -444,6 +446,17 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
> - p->auth.auth_ctx = gensec_security;
> - p->auth.auth_type = auth_info->auth_type;
> -
> -+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
> -+ p->auth.client_hdr_signing = true;
> -+ p->auth.hdr_signing = gensec_have_feature(gensec_security,
> -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> -+ }
> -+
> -+ if (p->auth.hdr_signing) {
> -+ gensec_want_feature(gensec_security,
> -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> -+ }
> -+
> - return true;
> - }
> -
> -@@ -548,6 +561,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> - unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
> - NTSTATUS status;
> - struct ndr_syntax_id id;
> -+ uint8_t pfc_flags = 0;
> - union dcerpc_payload u;
> - struct dcerpc_ack_ctx bind_ack_ctx;
> - DATA_BLOB auth_resp = data_blob_null;
> -@@ -792,10 +806,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> - * header and are never sending more than one PDU here.
> - */
> -
> -+ pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
> -+
> -+ if (p->auth.hdr_signing) {
> -+ pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> -+ }
> -+
> - status = dcerpc_push_ncacn_packet(p->mem_ctx,
> - DCERPC_PKT_BIND_ACK,
> -- DCERPC_PFC_FLAG_FIRST |
> -- DCERPC_PFC_FLAG_LAST,
> -+ pfc_flags,
> - auth_resp.length,
> - pkt->call_id,
> - &u,
> ---
> -1.9.3
> -
> -
> -From 4e6bea89ffcca074e0320b98e65485f348a469a5 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 3 Jan 2014 09:25:23 +0100
> -Subject: [PATCH 157/249] librpc/ndr: add
> - LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
> -
> -This lets ndr_pull_subcontext_end() make sure that all
> -subcontext bytes are consumed otherwise it returns NDR_ERR_UNREAD_BYTES.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit b62308ed994e9734dfd934d230531010d9e7cefa)
> ----
> - librpc/idl/idl_types.h | 2 ++
> - librpc/ndr/libndr.h | 6 ++++++
> - librpc/ndr/ndr.c | 20 ++++++++++++++++++++
> - 3 files changed, 28 insertions(+)
> -
> -diff --git a/librpc/idl/idl_types.h b/librpc/idl/idl_types.h
> -index c50efac..838c219 100644
> ---- a/librpc/idl/idl_types.h
> -+++ b/librpc/idl/idl_types.h
> -@@ -53,3 +53,5 @@
> -
> - #define NDR_RELATIVE_REVERSE LIBNDR_FLAG_RELATIVE_REVERSE
> - #define NDR_NO_RELATIVE_REVERSE LIBNDR_FLAG_NO_RELATIVE_REVERSE
> -+
> -+#define NDR_SUBCONTEXT_NO_UNREAD_BYTES LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
> -diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h
> -index a950519..8070c3c 100644
> ---- a/librpc/ndr/libndr.h
> -+++ b/librpc/ndr/libndr.h
> -@@ -123,6 +123,12 @@ struct ndr_print {
> - #define LIBNDR_FLAG_STR_RAW8 (1<<13)
> - #define LIBNDR_STRING_FLAGS (0x7FFC)
> -
> -+/*
> -+ * This lets ndr_pull_subcontext_end() return
> -+ * NDR_ERR_UNREAD_BYTES.
> -+ */
> -+#define LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES (1<<17)
> -+
> - /* set if relative pointers should *not* be marshalled in reverse order */
> - #define LIBNDR_FLAG_NO_RELATIVE_REVERSE (1<<18)
> -
> -diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
> -index e86cf2f..15a7f12 100644
> ---- a/librpc/ndr/ndr.c
> -+++ b/librpc/ndr/ndr.c
> -@@ -638,6 +638,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
> - ssize_t size_is)
> - {
> - uint32_t advance;
> -+ uint32_t highest_ofs;
> -+
> - if (size_is >= 0) {
> - advance = size_is;
> - } else if (header_size > 0) {
> -@@ -645,6 +647,24 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
> - } else {
> - advance = subndr->offset;
> - }
> -+
> -+ if (subndr->offset > ndr->relative_highest_offset) {
> -+ highest_ofs = subndr->offset;
> -+ } else {
> -+ highest_ofs = subndr->relative_highest_offset;
> -+ }
> -+ if (!(subndr->flags & LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES)) {
> -+ /*
> -+ * avoid an error unless SUBCONTEXT_NO_UNREAD_BYTES is specified
> -+ */
> -+ highest_ofs = advance;
> -+ }
> -+ if (highest_ofs < advance) {
> -+ return ndr_pull_error(subndr, NDR_ERR_UNREAD_BYTES,
> -+ "not all bytes consumed ofs[%u] advance[%u]",
> -+ highest_ofs, advance);
> -+ }
> -+
> - NDR_CHECK(ndr_pull_advance(ndr, advance));
> - return NDR_ERR_SUCCESS;
> - }
> ---
> -1.9.3
> -
> -
> -From 5960d93d9cddca327ad8d24a41c64421ac6bb561 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 3 Jan 2014 15:06:23 +0100
> -Subject: [PATCH 158/249] dcerpc.idl: add documentation references
> -
> -To [C706 - DCE 1.1: Remote Procedure Call] and [MS-RPCE].
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 66c39420e29e7c257d9cdc5d04c061472bbefd19)
> ----
> - librpc/idl/dcerpc.idl | 13 +++++++++++--
> - 1 file changed, 11 insertions(+), 2 deletions(-)
> -
> -diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
> -index 86f22a4..23cac89 100644
> ---- a/librpc/idl/dcerpc.idl
> -+++ b/librpc/idl/dcerpc.idl
> -@@ -5,8 +5,17 @@
> - but given that pidl can handle it nicely it simplifies things a lot
> - to do it this way
> -
> -- see http://www.opengroup.org/onlinepubs/9629399/chap12.htm for packet
> -- layouts
> -+ See [C706 - DCE 1.1: Remote Procedure Call] for the OpenGroup
> -+ DCERPC specification:
> -+ http://pubs.opengroup.org/onlinepubs/9629399/toc.htm
> -+
> -+ See C706 - Chapter 12: RPC PDU Encodings for packet layouts:
> -+ http://www.opengroup.org/onlinepubs/9629399/chap12.htm
> -+
> -+ See also [MS-RPCE] for the Microsoft
> -+ "Remote Procedure Call Protocol Extensions".
> -+ http://msdn.microsoft.com/en-us/library/cc243560.aspx
> -+
> - */
> - import "misc.idl";
> -
> ---
> -1.9.3
> -
> -
> -From 812cb7e6010b39fb752cf85026fd8d8a5dccbb39 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 2 Jan 2014 11:18:38 +0100
> -Subject: [PATCH 159/249] dcerpc.idl: add dcerpc_sec_verification_trailer
> -
> -See [MS-RPCE] 2.2.2.13 Verification Trailer for details.
> -
> -Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>
> -
> -Signed-off-by: Gregor Beck <gbeck@sernet.de>
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit c0dc2fb7e1dadcef35a132040448cb27ff1d5bfa)
> ----
> - librpc/idl/dcerpc.idl | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
> - librpc/ndr/ndr_dcerpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
> - librpc/wscript_build | 2 +-
> - 3 files changed, 134 insertions(+), 1 deletion(-)
> - create mode 100644 librpc/ndr/ndr_dcerpc.c
> -
> -diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
> -index 23cac89..8e9be0e 100644
> ---- a/librpc/idl/dcerpc.idl
> -+++ b/librpc/idl/dcerpc.idl
> -@@ -19,6 +19,8 @@
> - */
> - import "misc.idl";
> -
> -+cpp_quote("extern const uint8_t DCERPC_SEC_VT_MAGIC[8];")
> -+
> - interface dcerpc
> - {
> - typedef struct {
> -@@ -514,4 +516,69 @@ interface dcerpc
> - uint8 serial_low;
> - [switch_is(ptype)] dcerpc_payload u;
> - } ncadg_packet;
> -+
> -+ typedef [bitmap16bit] bitmap {
> -+ DCERPC_SEC_VT_COMMAND_ENUM = 0x3FFF,
> -+ DCERPC_SEC_VT_COMMAND_END = 0x4000,
> -+ DCERPC_SEC_VT_MUST_PROCESS = 0x8000
> -+ } dcerpc_sec_vt_command;
> -+
> -+ typedef [enum16bit] enum {
> -+ DCERPC_SEC_VT_COMMAND_BITMASK1 = 0x0001,
> -+ DCERPC_SEC_VT_COMMAND_PCONTEXT = 0x0002,
> -+ DCERPC_SEC_VT_COMMAND_HEADER2 = 0x0003
> -+ } dcerpc_sec_vt_command_enum;
> -+
> -+ typedef [bitmap32bit] bitmap {
> -+ DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING = 0x00000001
> -+ } dcerpc_sec_vt_bitmask1;
> -+
> -+ typedef struct {
> -+ ndr_syntax_id abstract_syntax;
> -+ ndr_syntax_id transfer_syntax;
> -+ } dcerpc_sec_vt_pcontext;
> -+
> -+ typedef struct {
> -+ dcerpc_pkt_type ptype; /* Packet type */
> -+ [value(0)] uint8 reserved1;
> -+ [value(0)] uint16 reserved2;
> -+ uint8 drep[4]; /* NDR data representation */
> -+ uint32 call_id; /* Call identifier */
> -+ uint16 context_id;
> -+ uint16 opnum;
> -+ } dcerpc_sec_vt_header2;
> -+
> -+ typedef [switch_type(dcerpc_sec_vt_command_enum),nodiscriminant] union {
> -+ [case(DCERPC_SEC_VT_COMMAND_BITMASK1)] dcerpc_sec_vt_bitmask1 bitmask1;
> -+ [case(DCERPC_SEC_VT_COMMAND_PCONTEXT)] dcerpc_sec_vt_pcontext pcontext;
> -+ [case(DCERPC_SEC_VT_COMMAND_HEADER2)] dcerpc_sec_vt_header2 header2;
> -+ [default,flag(NDR_REMAINING)] DATA_BLOB _unknown;
> -+ } dcerpc_sec_vt_union;
> -+
> -+ typedef struct {
> -+ dcerpc_sec_vt_command command;
> -+ [switch_is(command & DCERPC_SEC_VT_COMMAND_ENUM)]
> -+ [subcontext(2),flag(NDR_SUBCONTEXT_NO_UNREAD_BYTES)]
> -+ dcerpc_sec_vt_union u;
> -+ } dcerpc_sec_vt;
> -+
> -+ typedef [public,nopush,nopull] struct {
> -+ uint16 count;
> -+ } dcerpc_sec_vt_count;
> -+
> -+ /*
> -+ * We assume that the whole verification trailer fits into
> -+ * the last 1024 bytes after the stub data.
> -+ *
> -+ * There're currently only 3 commands defined and each should
> -+ * only be used once.
> -+ */
> -+ const uint16 DCERPC_SEC_VT_MAX_SIZE = 1024;
> -+
> -+ typedef [public,flag(NDR_PAHEX)] struct {
> -+ [flag(NDR_ALIGN4)] DATA_BLOB _pad;
> -+ [value(DCERPC_SEC_VT_MAGIC)] uint8 magic[8];
> -+ dcerpc_sec_vt_count count;
> -+ dcerpc_sec_vt commands[count.count];
> -+ } dcerpc_sec_verification_trailer;
> - }
> -diff --git a/librpc/ndr/ndr_dcerpc.c b/librpc/ndr/ndr_dcerpc.c
> -new file mode 100644
> -index 0000000..88a7f38
> ---- /dev/null
> -+++ b/librpc/ndr/ndr_dcerpc.c
> -@@ -0,0 +1,66 @@
> -+/*
> -+ Unix SMB/CIFS implementation.
> -+
> -+ Manually parsed structures found in the DCERPC protocol
> -+
> -+ Copyright (C) Stefan Metzmacher 2014
> -+ Copyright (C) Gregor Beck 2014
> -+
> -+ This program is free software; you can redistribute it and/or modify
> -+ it under the terms of the GNU General Public License as published by
> -+ the Free Software Foundation; either version 3 of the License, or
> -+ (at your option) any later version.
> -+
> -+ This program is distributed in the hope that it will be useful,
> -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -+ GNU General Public License for more details.
> -+
> -+ You should have received a copy of the GNU General Public License
> -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> -+*/
> -+
> -+#include "includes.h"
> -+#include "bin/default/librpc/gen_ndr/ndr_dcerpc.h"
> -+
> -+#include "librpc/gen_ndr/ndr_misc.h"
> -+
> -+const uint8_t DCERPC_SEC_VT_MAGIC[] = {0x8a,0xe3,0x13,0x71,0x02,0xf4,0x36,0x71};
> -+
> -+_PUBLIC_ enum ndr_err_code ndr_push_dcerpc_sec_vt_count(struct ndr_push *ndr, int ndr_flags, const struct dcerpc_sec_vt_count *r)
> -+{
> -+ NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
> -+ /* nothing */
> -+ return NDR_ERR_SUCCESS;
> -+}
> -+
> -+_PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_sec_vt_count(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_sec_vt_count *r)
> -+{
> -+ uint32_t _saved_ofs = ndr->offset;
> -+
> -+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
> -+
> -+ if (!(ndr_flags & NDR_SCALARS)) {
> -+ return NDR_ERR_SUCCESS;
> -+ }
> -+
> -+ r->count = 0;
> -+
> -+ while (true) {
> -+ uint16_t command;
> -+ uint16_t length;
> -+
> -+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &command));
> -+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &length));
> -+ NDR_CHECK(ndr_pull_advance(ndr, length));
> -+
> -+ r->count += 1;
> -+
> -+ if (command & DCERPC_SEC_VT_COMMAND_END) {
> -+ break;
> -+ }
> -+ }
> -+
> -+ ndr->offset = _saved_ofs;
> -+ return NDR_ERR_SUCCESS;
> -+}
> -diff --git a/librpc/wscript_build b/librpc/wscript_build
> -index 2017a29..a5cf687 100644
> ---- a/librpc/wscript_build
> -+++ b/librpc/wscript_build
> -@@ -301,7 +301,7 @@ bld.SAMBA_SUBSYSTEM('NDR_FSRVP',
> - )
> -
> - bld.SAMBA_SUBSYSTEM('NDR_DCERPC',
> -- source='gen_ndr/ndr_dcerpc.c',
> -+ source='gen_ndr/ndr_dcerpc.c ndr/ndr_dcerpc.c',
> - public_deps='ndr',
> - public_headers='gen_ndr/ndr_dcerpc.h gen_ndr/dcerpc.h',
> - header_path= [ ('*gen_ndr*', 'gen_ndr') ],
> ---
> -1.9.3
> -
> -
> -From 3480b809bd9426ce6b976b9965a54de32d246a66 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sun, 5 Jan 2014 07:57:51 +0100
> -Subject: [PATCH 160/249] s3:rpc_client: fill alloc_hint with the remaining
> - data not the total data.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit f0532fe0cd69aeb161088ca990d376f119102e61)
> ----
> - source3/rpc_client/cli_pipe.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 1cab580..5edd897 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -1277,7 +1277,7 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> -
> - ZERO_STRUCT(u.request);
> -
> -- u.request.alloc_hint = state->req_data->length;
> -+ u.request.alloc_hint = data_left;
> - u.request.context_id = 0;
> - u.request.opnum = state->op_num;
> -
> ---
> -1.9.3
> -
> -
> -From bd675cd6e4848bee8798dacf1768556de48f3112 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sun, 5 Jan 2014 08:12:45 +0100
> -Subject: [PATCH 161/249] s3:rpc_client: send a dcerpc_sec_verification_trailer
> - if needed
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -
> -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> -Autobuild-Date(master): Tue Jan 7 02:24:42 CET 2014 on sn-devel-104
> -(cherry picked from commit 6ab9164c74e0ad57bdde8abb568953026b644e27)
> ----
> - source3/librpc/rpc/dcerpc.h | 1 +
> - source3/rpc_client/cli_pipe.c | 202 ++++++++++++++++++++++++++++++++++++++--
> - source3/rpc_client/rpc_client.h | 1 +
> - 3 files changed, 194 insertions(+), 10 deletions(-)
> -
> -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
> -index aaf8d68..9d0f861 100644
> ---- a/source3/librpc/rpc/dcerpc.h
> -+++ b/source3/librpc/rpc/dcerpc.h
> -@@ -41,6 +41,7 @@ struct pipe_auth_data {
> - enum dcerpc_AuthLevel auth_level;
> - bool client_hdr_signing;
> - bool hdr_signing;
> -+ bool verified_bitmask1;
> -
> - void *auth_ctx;
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 5edd897..a45023f 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -1166,12 +1166,17 @@ struct rpc_api_pipe_req_state {
> - uint32_t call_id;
> - const DATA_BLOB *req_data;
> - uint32_t req_data_sent;
> -+ DATA_BLOB req_trailer;
> -+ uint32_t req_trailer_sent;
> -+ bool verify_bitmask1;
> -+ bool verify_pcontext;
> - DATA_BLOB rpc_out;
> - DATA_BLOB reply_pdu;
> - };
> -
> - static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
> - static void rpc_api_pipe_req_done(struct tevent_req *subreq);
> -+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state);
> - static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> - bool *is_last_frag);
> -
> -@@ -1207,6 +1212,11 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> - goto post_status;
> - }
> -
> -+ status = prepare_verification_trailer(state);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ goto post_status;
> -+ }
> -+
> - status = prepare_next_frag(state, &is_last_frag);
> - if (!NT_STATUS_IS_OK(status)) {
> - goto post_status;
> -@@ -1241,25 +1251,164 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> - return NULL;
> - }
> -
> -+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state)
> -+{
> -+ struct pipe_auth_data *a = state->cli->auth;
> -+ struct dcerpc_sec_verification_trailer *t;
> -+ struct dcerpc_sec_vt *c = NULL;
> -+ struct ndr_push *ndr = NULL;
> -+ enum ndr_err_code ndr_err;
> -+ size_t align = 0;
> -+ size_t pad = 0;
> -+
> -+ if (a == NULL) {
> -+ return NT_STATUS_OK;
> -+ }
> -+
> -+ if (a->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
> -+ return NT_STATUS_OK;
> -+ }
> -+
> -+ t = talloc_zero(state, struct dcerpc_sec_verification_trailer);
> -+ if (t == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ if (!a->verified_bitmask1) {
> -+ t->commands = talloc_realloc(t, t->commands,
> -+ struct dcerpc_sec_vt,
> -+ t->count.count + 1);
> -+ if (t->commands == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ c = &t->commands[t->count.count++];
> -+ ZERO_STRUCTP(c);
> -+
> -+ c->command = DCERPC_SEC_VT_COMMAND_BITMASK1;
> -+ if (a->client_hdr_signing) {
> -+ c->u.bitmask1 = DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING;
> -+ }
> -+ state->verify_bitmask1 = true;
> -+ }
> -+
> -+ if (!state->cli->verified_pcontext) {
> -+ t->commands = talloc_realloc(t, t->commands,
> -+ struct dcerpc_sec_vt,
> -+ t->count.count + 1);
> -+ if (t->commands == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ c = &t->commands[t->count.count++];
> -+ ZERO_STRUCTP(c);
> -+
> -+ c->command = DCERPC_SEC_VT_COMMAND_PCONTEXT;
> -+ c->u.pcontext.abstract_syntax = state->cli->abstract_syntax;
> -+ c->u.pcontext.transfer_syntax = state->cli->transfer_syntax;
> -+
> -+ state->verify_pcontext = true;
> -+ }
> -+
> -+ if (!a->hdr_signing) {
> -+ t->commands = talloc_realloc(t, t->commands,
> -+ struct dcerpc_sec_vt,
> -+ t->count.count + 1);
> -+ if (t->commands == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ c = &t->commands[t->count.count++];
> -+ ZERO_STRUCTP(c);
> -+
> -+ c->command = DCERPC_SEC_VT_COMMAND_HEADER2;
> -+ c->u.header2.ptype = DCERPC_PKT_REQUEST;
> -+ c->u.header2.drep[0] = DCERPC_DREP_LE;
> -+ c->u.header2.drep[1] = 0;
> -+ c->u.header2.drep[2] = 0;
> -+ c->u.header2.drep[3] = 0;
> -+ c->u.header2.call_id = state->call_id;
> -+ c->u.header2.context_id = 0;
> -+ c->u.header2.opnum = state->op_num;
> -+ }
> -+
> -+ if (t->count.count == 0) {
> -+ TALLOC_FREE(t);
> -+ return NT_STATUS_OK;
> -+ }
> -+
> -+ c = &t->commands[t->count.count - 1];
> -+ c->command |= DCERPC_SEC_VT_COMMAND_END;
> -+
> -+ if (DEBUGLEVEL >= 10) {
> -+ NDR_PRINT_DEBUG(dcerpc_sec_verification_trailer, t);
> -+ }
> -+
> -+ ndr = ndr_push_init_ctx(state);
> -+ if (ndr == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ ndr_err = ndr_push_dcerpc_sec_verification_trailer(ndr,
> -+ NDR_SCALARS | NDR_BUFFERS,
> -+ t);
> -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -+ return ndr_map_error2ntstatus(ndr_err);
> -+ }
> -+ state->req_trailer = ndr_push_blob(ndr);
> -+
> -+ align = state->req_data->length & 0x3;
> -+ if (align > 0) {
> -+ pad = 4 - align;
> -+ }
> -+ if (pad > 0) {
> -+ bool ok;
> -+ uint8_t *p;
> -+ const uint8_t zeros[4] = { 0, };
> -+
> -+ ok = data_blob_append(ndr, &state->req_trailer, zeros, pad);
> -+ if (!ok) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ /* move the padding to the start */
> -+ p = state->req_trailer.data;
> -+ memmove(p + pad, p, state->req_trailer.length - pad);
> -+ memset(p, 0, pad);
> -+ }
> -+
> -+ return NT_STATUS_OK;
> -+}
> -+
> - static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> - bool *is_last_frag)
> - {
> -- size_t data_sent_thistime;
> - size_t auth_len;
> - size_t frag_len;
> - uint8_t flags = 0;
> - size_t pad_len;
> - size_t data_left;
> -+ size_t data_thistime;
> -+ size_t trailer_left;
> -+ size_t trailer_thistime = 0;
> -+ size_t total_left;
> -+ size_t total_thistime;
> - NTSTATUS status;
> -+ bool ok;
> - union dcerpc_payload u;
> -
> - data_left = state->req_data->length - state->req_data_sent;
> -+ trailer_left = state->req_trailer.length - state->req_trailer_sent;
> -+ total_left = data_left + trailer_left;
> -+ if ((total_left < data_left) || (total_left < trailer_left)) {
> -+ /*
> -+ * overflow
> -+ */
> -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> -+ }
> -
> - status = dcerpc_guess_sizes(state->cli->auth,
> -- DCERPC_REQUEST_LENGTH, data_left,
> -+ DCERPC_REQUEST_LENGTH, total_left,
> - state->cli->max_xmit_frag,
> - CLIENT_NDR_PADDING_SIZE,
> -- &data_sent_thistime,
> -+ &total_thistime,
> - &frag_len, &auth_len, &pad_len);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> -@@ -1269,15 +1418,20 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> - flags = DCERPC_PFC_FLAG_FIRST;
> - }
> -
> -- if (data_sent_thistime == data_left) {
> -+ if (total_thistime == total_left) {
> - flags |= DCERPC_PFC_FLAG_LAST;
> - }
> -
> -+ data_thistime = MIN(total_thistime, data_left);
> -+ if (data_thistime < total_thistime) {
> -+ trailer_thistime = total_thistime - data_thistime;
> -+ }
> -+
> - data_blob_free(&state->rpc_out);
> -
> - ZERO_STRUCT(u.request);
> -
> -- u.request.alloc_hint = data_left;
> -+ u.request.alloc_hint = total_left;
> - u.request.context_id = 0;
> - u.request.opnum = state->op_num;
> -
> -@@ -1297,11 +1451,26 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> - * at this stage */
> - dcerpc_set_frag_length(&state->rpc_out, frag_len);
> -
> -- /* Copy in the data. */
> -- if (!data_blob_append(NULL, &state->rpc_out,
> -+ if (data_thistime > 0) {
> -+ /* Copy in the data. */
> -+ ok = data_blob_append(NULL, &state->rpc_out,
> - state->req_data->data + state->req_data_sent,
> -- data_sent_thistime)) {
> -- return NT_STATUS_NO_MEMORY;
> -+ data_thistime);
> -+ if (!ok) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ state->req_data_sent += data_thistime;
> -+ }
> -+
> -+ if (trailer_thistime > 0) {
> -+ /* Copy in the verification trailer. */
> -+ ok = data_blob_append(NULL, &state->rpc_out,
> -+ state->req_trailer.data + state->req_trailer_sent,
> -+ trailer_thistime);
> -+ if (!ok) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ state->req_trailer_sent += trailer_thistime;
> - }
> -
> - switch (state->cli->auth->auth_level) {
> -@@ -1321,7 +1490,6 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> - return NT_STATUS_INVALID_PARAMETER;
> - }
> -
> -- state->req_data_sent += data_sent_thistime;
> - *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
> -
> - return status;
> -@@ -1385,6 +1553,20 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
> - tevent_req_nterror(req, status);
> - return;
> - }
> -+
> -+ if (state->cli->auth == NULL) {
> -+ tevent_req_done(req);
> -+ return;
> -+ }
> -+
> -+ if (state->verify_bitmask1) {
> -+ state->cli->auth->verified_bitmask1 = true;
> -+ }
> -+
> -+ if (state->verify_pcontext) {
> -+ state->cli->verified_pcontext = true;
> -+ }
> -+
> - tevent_req_done(req);
> - }
> -
> -diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
> -index 6561b28..8024f01 100644
> ---- a/source3/rpc_client/rpc_client.h
> -+++ b/source3/rpc_client/rpc_client.h
> -@@ -39,6 +39,7 @@ struct rpc_pipe_client {
> -
> - struct ndr_syntax_id abstract_syntax;
> - struct ndr_syntax_id transfer_syntax;
> -+ bool verified_pcontext;
> -
> - char *desthost;
> - char *srv_name_slash;
> ---
> -1.9.3
> -
> -
> -From 3df8f8c1dda254a85e4fa02b74d23a4802bc595c Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 18 Apr 2013 19:16:42 +0200
> -Subject: [PATCH 162/249] libcli/auth: add netlogon_creds_cli* infrastructure
> -
> -This provides an abstraction to hide netlogon_creds_CredentialState,
> -which is stored in a node local tdb.
> -
> -Where the global state (netlogon_creds_CredentialState) between client and
> -server was only kept in memory (on the client side), we now use
> -the abstracted netlogon_creds_cli_context.
> -
> -We now use a node specific computer name in order to establish
> -individual netlogon sessions per node.
> -
> -If the caller wants to use some netlogon calls with credential chain
> -(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
> -to get the current netlogon_creds_CredentialState in a g_lock'ed
> -fashion, a talloc_free() will release the lock.
> -
> -The locking is needed as there might be more than one process
> -(multiple winbindd child, cmdline tools) which want to talk
> -to a specific domain controller. The usage of netlogon_creds_CredentialState
> -needs to be serialized as it uses sequence numbers.
> -
> -LogonSamLogonEx doesn't use the credential chain, but for some operations
> -it needs the global session in order to de/encrypt individual fields.
> -It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
> -functions, which just make sure the session hasn't changed between
> -get and validate.
> -
> -This is prepares the proper fix for a large number of bugs:
> -https://bugzilla.samba.org/show_bug.cgi?id=6563
> -https://bugzilla.samba.org/show_bug.cgi?id=7944
> -https://bugzilla.samba.org/show_bug.cgi?id=7945
> -https://bugzilla.samba.org/show_bug.cgi?id=7568
> -https://bugzilla.samba.org/show_bug.cgi?id=8599
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 6e6d9f9f12284ed06a21cc02080e436b7326065f)
> ----
> - libcli/auth/netlogon_creds_cli.c | 2596 ++++++++++++++++++++++++++++++++++++++
> - libcli/auth/netlogon_creds_cli.h | 138 ++
> - libcli/auth/wscript_build | 4 +
> - 3 files changed, 2738 insertions(+)
> - create mode 100644 libcli/auth/netlogon_creds_cli.c
> - create mode 100644 libcli/auth/netlogon_creds_cli.h
> -
> -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> -new file mode 100644
> -index 0000000..75d6b2c
> ---- /dev/null
> -+++ b/libcli/auth/netlogon_creds_cli.c
> -@@ -0,0 +1,2596 @@
> -+/*
> -+ Unix SMB/CIFS implementation.
> -+
> -+ module to store/fetch session keys for the schannel client
> -+
> -+ Copyright (C) Stefan Metzmacher 2013
> -+
> -+ This program is free software; you can redistribute it and/or modify
> -+ it under the terms of the GNU General Public License as published by
> -+ the Free Software Foundation; either version 3 of the License, or
> -+ (at your option) any later version.
> -+
> -+ This program is distributed in the hope that it will be useful,
> -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -+ GNU General Public License for more details.
> -+
> -+ You should have received a copy of the GNU General Public License
> -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> -+*/
> -+
> -+#include "includes.h"
> -+#include "system/filesys.h"
> -+#include <tevent.h>
> -+#include "lib/util/tevent_ntstatus.h"
> -+#include "lib/dbwrap/dbwrap.h"
> -+#include "lib/dbwrap/dbwrap_rbt.h"
> -+#include "lib/util/util_tdb.h"
> -+#include "libcli/security/security.h"
> -+#include "../lib/param/param.h"
> -+#include "../libcli/auth/schannel.h"
> -+#include "../librpc/gen_ndr/ndr_schannel.h"
> -+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
> -+#include "../librpc/gen_ndr/server_id.h"
> -+#include "netlogon_creds_cli.h"
> -+#include "source3/include/messages.h"
> -+#include "source3/include/g_lock.h"
> -+
> -+struct netlogon_creds_cli_locked_state;
> -+
> -+struct netlogon_creds_cli_context {
> -+ struct {
> -+ const char *computer;
> -+ const char *account;
> -+ uint32_t proposed_flags;
> -+ uint32_t required_flags;
> -+ enum netr_SchannelType type;
> -+ enum dcerpc_AuthLevel auth_level;
> -+ } client;
> -+
> -+ struct {
> -+ const char *computer;
> -+ const char *netbios_domain;
> -+ uint32_t cached_flags;
> -+ bool try_validation6;
> -+ bool try_logon_ex;
> -+ bool try_logon_with;
> -+ } server;
> -+
> -+ struct {
> -+ const char *key_name;
> -+ TDB_DATA key_data;
> -+ struct db_context *ctx;
> -+ struct g_lock_ctx *g_ctx;
> -+ struct netlogon_creds_cli_locked_state *locked_state;
> -+ } db;
> -+};
> -+
> -+struct netlogon_creds_cli_locked_state {
> -+ struct netlogon_creds_cli_context *context;
> -+ bool is_glocked;
> -+ struct netlogon_creds_CredentialState *creds;
> -+};
> -+
> -+static int netlogon_creds_cli_locked_state_destructor(
> -+ struct netlogon_creds_cli_locked_state *state)
> -+{
> -+ struct netlogon_creds_cli_context *context = state->context;
> -+
> -+ if (context == NULL) {
> -+ return 0;
> -+ }
> -+
> -+ if (context->db.locked_state == state) {
> -+ context->db.locked_state = NULL;
> -+ }
> -+
> -+ if (state->is_glocked) {
> -+ g_lock_unlock(context->db.g_ctx,
> -+ context->db.key_name);
> -+ }
> -+
> -+ return 0;
> -+}
> -+
> -+static NTSTATUS netlogon_creds_cli_context_common(
> -+ const char *client_computer,
> -+ const char *client_account,
> -+ enum netr_SchannelType type,
> -+ enum dcerpc_AuthLevel auth_level,
> -+ uint32_t proposed_flags,
> -+ uint32_t required_flags,
> -+ const char *server_computer,
> -+ const char *server_netbios_domain,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_cli_context **_context)
> -+{
> -+ struct netlogon_creds_cli_context *context = NULL;
> -+
> -+ *_context = NULL;
> -+
> -+ context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
> -+ if (context == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ context->client.computer = talloc_strdup(context, client_computer);
> -+ if (context->client.computer == NULL) {
> -+ talloc_free(context);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ context->client.account = talloc_strdup(context, client_account);
> -+ if (context->client.account == NULL) {
> -+ talloc_free(context);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ context->client.proposed_flags = proposed_flags;
> -+ context->client.required_flags = required_flags;
> -+ context->client.type = type;
> -+ context->client.auth_level = auth_level;
> -+
> -+ context->server.computer = talloc_strdup(context, server_computer);
> -+ if (context->server.computer == NULL) {
> -+ talloc_free(context);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
> -+ if (context->server.netbios_domain == NULL) {
> -+ talloc_free(context);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
> -+ client_computer,
> -+ client_account,
> -+ server_computer,
> -+ server_netbios_domain);
> -+ if (context->db.key_name == NULL) {
> -+ talloc_free(context);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ context->db.key_data = string_term_tdb_data(context->db.key_name);
> -+
> -+ *_context = context;
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+static struct db_context *netlogon_creds_cli_global_db;
> -+
> -+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
> -+{
> -+ char *fname;
> -+ struct db_context *global_db;
> -+
> -+ if (netlogon_creds_cli_global_db != NULL) {
> -+ return NT_STATUS_OK;
> -+ }
> -+
> -+ fname = lpcfg_private_db_path(talloc_autofree_context(), lp_ctx, "netlogon_creds_cli");
> -+ if (fname == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ global_db = dbwrap_local_open(talloc_autofree_context(), lp_ctx,
> -+ fname, 0,
> -+ TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> -+ O_RDWR|O_CREAT,
> -+ 0600, DBWRAP_LOCK_ORDER_2);
> -+ if (global_db == NULL) {
> -+ DEBUG(0,("netlogon_creds_cli_open_global_db: Failed to open %s - %s\n",
> -+ fname, strerror(errno)));
> -+ talloc_free(fname);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ TALLOC_FREE(fname);
> -+
> -+ netlogon_creds_cli_global_db = global_db;
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> -+ struct messaging_context *msg_ctx,
> -+ const char *client_account,
> -+ enum netr_SchannelType type,
> -+ const char *server_computer,
> -+ const char *server_netbios_domain,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_cli_context **_context)
> -+{
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ NTSTATUS status;
> -+ struct netlogon_creds_cli_context *context = NULL;
> -+ const char *client_computer;
> -+ uint32_t proposed_flags;
> -+ uint32_t required_flags = 0;
> -+ bool reject_md5_servers = false;
> -+ bool require_strong_key = false;
> -+ int require_sign_or_seal = true;
> -+ bool seal_secure_channel = true;
> -+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
> -+ bool neutralize_nt4_emulation = false;
> -+ struct server_id self = {
> -+ .vnn = NONCLUSTER_VNN,
> -+ .unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
> -+ };
> -+
> -+ if (msg_ctx != NULL) {
> -+ self = messaging_server_id(msg_ctx);
> -+ }
> -+
> -+ *_context = NULL;
> -+
> -+ if (self.vnn != NONCLUSTER_VNN) {
> -+ client_computer = talloc_asprintf(frame,
> -+ "%s_cluster_vnn_%u",
> -+ lpcfg_netbios_name(lp_ctx),
> -+ (unsigned)self.vnn);
> -+ if (client_computer == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ } else {
> -+ client_computer = lpcfg_netbios_name(lp_ctx);
> -+ }
> -+
> -+ /*
> -+ * allow overwrite per domain
> -+ * reject md5 servers:<netbios_domain>
> -+ */
> -+ //TODO: add lpcfp_reject_md5_servers()
> -+ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
> -+ "__default__",
> -+ "reject md5 servers",
> -+ reject_md5_servers);
> -+ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
> -+ "reject md5 servers",
> -+ server_netbios_domain,
> -+ reject_md5_servers);
> -+
> -+ /*
> -+ * allow overwrite per domain
> -+ * require strong key:<netbios_domain>
> -+ */
> -+ //TODO: add lpcfp_require_strong_key()
> -+ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
> -+ "__default__",
> -+ "require strong key",
> -+ require_strong_key);
> -+ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
> -+ "require strong key",
> -+ server_netbios_domain,
> -+ require_strong_key);
> -+
> -+ /*
> -+ * allow overwrite per domain
> -+ * client schannel:<netbios_domain>
> -+ */
> -+ require_sign_or_seal = lpcfg_client_schannel(lp_ctx);
> -+ require_sign_or_seal = lpcfg_parm_int(lp_ctx, NULL,
> -+ "client schannel",
> -+ server_netbios_domain,
> -+ require_sign_or_seal);
> -+
> -+ /*
> -+ * allow overwrite per domain
> -+ * winbind sealed pipes:<netbios_domain>
> -+ */
> -+ seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
> -+ seal_secure_channel = lpcfg_parm_bool(lp_ctx, NULL,
> -+ "winbind sealed pipes",
> -+ server_netbios_domain,
> -+ seal_secure_channel);
> -+
> -+ /*
> -+ * allow overwrite per domain
> -+ * neutralize nt4 emulation:<netbios_domain>
> -+ */
> -+ //TODO: add lpcfp_neutralize_nt4_emulation()
> -+ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
> -+ "__default__",
> -+ "neutralize nt4 emulation",
> -+ neutralize_nt4_emulation);
> -+ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
> -+ "neutralize nt4 emulation",
> -+ server_netbios_domain,
> -+ neutralize_nt4_emulation);
> -+
> -+ proposed_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> -+ proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
> -+
> -+ switch (type) {
> -+ case SEC_CHAN_WKSTA:
> -+ if (lpcfg_security(lp_ctx) == SEC_ADS) {
> -+ /*
> -+ * AD domains should be secure
> -+ */
> -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> -+ require_sign_or_seal = true;
> -+ require_strong_key = true;
> -+ }
> -+ break;
> -+
> -+ case SEC_CHAN_DOMAIN:
> -+ break;
> -+
> -+ case SEC_CHAN_DNS_DOMAIN:
> -+ /*
> -+ * AD domains should be secure
> -+ */
> -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> -+ require_sign_or_seal = true;
> -+ require_strong_key = true;
> -+ neutralize_nt4_emulation = true;
> -+ break;
> -+
> -+ case SEC_CHAN_BDC:
> -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> -+ require_sign_or_seal = true;
> -+ require_strong_key = true;
> -+ break;
> -+
> -+ case SEC_CHAN_RODC:
> -+ required_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
> -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> -+ require_sign_or_seal = true;
> -+ require_strong_key = true;
> -+ neutralize_nt4_emulation = true;
> -+ break;
> -+
> -+ default:
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_INVALID_PARAMETER;
> -+ }
> -+
> -+ if (neutralize_nt4_emulation) {
> -+ proposed_flags |= NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
> -+ }
> -+
> -+ if (require_sign_or_seal == false) {
> -+ proposed_flags &= ~NETLOGON_NEG_AUTHENTICATED_RPC;
> -+ } else {
> -+ required_flags |= NETLOGON_NEG_ARCFOUR;
> -+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
> -+ }
> -+
> -+ if (reject_md5_servers) {
> -+ required_flags |= NETLOGON_NEG_ARCFOUR;
> -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> -+ required_flags |= NETLOGON_NEG_SUPPORTS_AES;
> -+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
> -+ }
> -+
> -+ if (require_strong_key) {
> -+ required_flags |= NETLOGON_NEG_ARCFOUR;
> -+ required_flags |= NETLOGON_NEG_STRONG_KEYS;
> -+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
> -+ }
> -+
> -+ proposed_flags |= required_flags;
> -+
> -+ if (seal_secure_channel) {
> -+ auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
> -+ } else {
> -+ auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
> -+ }
> -+
> -+ status = netlogon_creds_cli_context_common(client_computer,
> -+ client_account,
> -+ type,
> -+ auth_level,
> -+ proposed_flags,
> -+ required_flags,
> -+ server_computer,
> -+ server_netbios_domain,
> -+ mem_ctx,
> -+ &context);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+
> -+ if (msg_ctx != NULL) {
> -+ context->db.g_ctx = g_lock_ctx_init(context, msg_ctx);
> -+ if (context->db.g_ctx == NULL) {
> -+ TALLOC_FREE(context);
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ }
> -+
> -+ if (netlogon_creds_cli_global_db != NULL) {
> -+ context->db.ctx = netlogon_creds_cli_global_db;
> -+ *_context = context;
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_OK;
> -+ }
> -+
> -+ status = netlogon_creds_cli_open_global_db(lp_ctx);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(context);
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ context->db.ctx = netlogon_creds_cli_global_db;
> -+ *_context = context;
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
> -+ const char *client_account,
> -+ enum netr_SchannelType type,
> -+ uint32_t proposed_flags,
> -+ uint32_t required_flags,
> -+ enum dcerpc_AuthLevel auth_level,
> -+ const char *server_computer,
> -+ const char *server_netbios_domain,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_cli_context **_context)
> -+{
> -+ NTSTATUS status;
> -+ struct netlogon_creds_cli_context *context = NULL;
> -+
> -+ *_context = NULL;
> -+
> -+ status = netlogon_creds_cli_context_common(client_computer,
> -+ client_account,
> -+ type,
> -+ auth_level,
> -+ proposed_flags,
> -+ required_flags,
> -+ server_computer,
> -+ server_netbios_domain,
> -+ mem_ctx,
> -+ &context);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ context->db.ctx = db_open_rbt(context);
> -+ if (context->db.ctx == NULL) {
> -+ talloc_free(context);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ *_context = context;
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_context_copy(
> -+ const struct netlogon_creds_cli_context *src,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_cli_context **_dst)
> -+{
> -+ struct netlogon_creds_cli_context *dst;
> -+
> -+ dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
> -+ if (dst == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ *dst = *src;
> -+
> -+ dst->client.computer = talloc_strdup(dst, src->client.computer);
> -+ if (dst->client.computer == NULL) {
> -+ TALLOC_FREE(dst);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ dst->client.account = talloc_strdup(dst, src->client.account);
> -+ if (dst->client.account == NULL) {
> -+ TALLOC_FREE(dst);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ dst->server.computer = talloc_strdup(dst, src->server.computer);
> -+ if (dst->server.computer == NULL) {
> -+ TALLOC_FREE(dst);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
> -+ if (dst->server.netbios_domain == NULL) {
> -+ TALLOC_FREE(dst);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ dst->db.key_name = talloc_strdup(dst, src->db.key_name);
> -+ if (dst->db.key_name == NULL) {
> -+ TALLOC_FREE(dst);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ dst->db.key_data = string_term_tdb_data(dst->db.key_name);
> -+
> -+ *_dst = dst;
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
> -+ struct netlogon_creds_cli_context *context)
> -+{
> -+ return context->client.auth_level;
> -+}
> -+
> -+struct netlogon_creds_cli_fetch_state {
> -+ TALLOC_CTX *mem_ctx;
> -+ struct netlogon_creds_CredentialState *creds;
> -+ uint32_t required_flags;
> -+ NTSTATUS status;
> -+};
> -+
> -+static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
> -+ void *private_data)
> -+{
> -+ struct netlogon_creds_cli_fetch_state *state =
> -+ (struct netlogon_creds_cli_fetch_state *)private_data;
> -+ enum ndr_err_code ndr_err;
> -+ DATA_BLOB blob;
> -+ uint32_t tmp_flags;
> -+
> -+ state->creds = talloc_zero(state->mem_ctx,
> -+ struct netlogon_creds_CredentialState);
> -+ if (state->creds == NULL) {
> -+ state->status = NT_STATUS_NO_MEMORY;
> -+ return;
> -+ }
> -+
> -+ blob.data = data.dptr;
> -+ blob.length = data.dsize;
> -+
> -+ ndr_err = ndr_pull_struct_blob(&blob, state->creds, state->creds,
> -+ (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
> -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -+ TALLOC_FREE(state->creds);
> -+ state->status = ndr_map_error2ntstatus(ndr_err);
> -+ return;
> -+ }
> -+
> -+ tmp_flags = state->creds->negotiate_flags;
> -+ tmp_flags &= state->required_flags;
> -+ if (tmp_flags != state->required_flags) {
> -+ TALLOC_FREE(state->creds);
> -+ state->status = NT_STATUS_DOWNGRADE_DETECTED;
> -+ return;
> -+ }
> -+
> -+ state->status = NT_STATUS_OK;
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_CredentialState **_creds)
> -+{
> -+ NTSTATUS status;
> -+ struct netlogon_creds_cli_fetch_state fstate = {
> -+ .mem_ctx = mem_ctx,
> -+ .status = NT_STATUS_INTERNAL_ERROR,
> -+ .required_flags = context->client.required_flags,
> -+ };
> -+ static const struct netr_Credential zero_creds;
> -+
> -+ *_creds = NULL;
> -+
> -+ status = dbwrap_parse_record(context->db.ctx,
> -+ context->db.key_data,
> -+ netlogon_creds_cli_fetch_parser,
> -+ &fstate);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+ status = fstate.status;
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ /*
> -+ * mark it as invalid for step operations.
> -+ */
> -+ fstate.creds->sequence = 0;
> -+ fstate.creds->seed = zero_creds;
> -+ fstate.creds->client = zero_creds;
> -+ fstate.creds->server = zero_creds;
> -+
> -+ if (context->server.cached_flags == fstate.creds->negotiate_flags) {
> -+ *_creds = fstate.creds;
> -+ return NT_STATUS_OK;
> -+ }
> -+
> -+ /*
> -+ * It is really important to try SamLogonEx here,
> -+ * because multiple processes can talk to the same
> -+ * domain controller, without using the credential
> -+ * chain.
> -+ *
> -+ * With a normal SamLogon call, we must keep the
> -+ * credentials chain updated and intact between all
> -+ * users of the machine account (which would imply
> -+ * cross-node communication for every NTLM logon).
> -+ *
> -+ * The credentials chain is not per NETLOGON pipe
> -+ * connection, but globally on the server/client pair
> -+ * by computer name, while the client is free to use
> -+ * any computer name. We include the cluster node number
> -+ * in our computer name in order to avoid cross node
> -+ * coordination of the credential chain.
> -+ *
> -+ * It's also important to use NetlogonValidationSamInfo4 (6),
> -+ * because it relies on the rpc transport encryption
> -+ * and avoids using the global netlogon schannel
> -+ * session key to en/decrypt secret information
> -+ * like the user_session_key for network logons.
> -+ *
> -+ * [MS-APDS] 3.1.5.2 NTLM Network Logon
> -+ * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
> -+ * NETLOGON_NEG_AUTHENTICATED_RPC set together
> -+ * are the indication that the server supports
> -+ * NetlogonValidationSamInfo4 (6). And it must only
> -+ * be used if "SealSecureChannel" is used.
> -+ *
> -+ * The "SealSecureChannel" AUTH_TYPE_SCHANNEL/AUTH_LEVEL_PRIVACY
> -+ * check is done in netlogon_creds_cli_LogonSamLogon*().
> -+ */
> -+ context->server.cached_flags = fstate.creds->negotiate_flags;
> -+ context->server.try_validation6 = true;
> -+ context->server.try_logon_ex = true;
> -+ context->server.try_logon_with = true;
> -+
> -+ if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> -+ context->server.try_validation6 = false;
> -+ context->server.try_logon_ex = false;
> -+ }
> -+ if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
> -+ context->server.try_validation6 = false;
> -+ }
> -+
> -+ *_creds = fstate.creds;
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
> -+ const struct netlogon_creds_CredentialState *creds1)
> -+{
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct netlogon_creds_CredentialState *creds2;
> -+ DATA_BLOB blob1;
> -+ DATA_BLOB blob2;
> -+ NTSTATUS status;
> -+ enum ndr_err_code ndr_err;
> -+ int cmp;
> -+
> -+ status = netlogon_creds_cli_get(context, frame, &creds2);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return false;
> -+ }
> -+
> -+ ndr_err = ndr_push_struct_blob(&blob1, frame, creds1,
> -+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -+ TALLOC_FREE(frame);
> -+ return false;
> -+ }
> -+
> -+ ndr_err = ndr_push_struct_blob(&blob2, frame, creds2,
> -+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -+ TALLOC_FREE(frame);
> -+ return false;
> -+ }
> -+
> -+ if (blob1.length != blob2.length) {
> -+ TALLOC_FREE(frame);
> -+ return false;
> -+ }
> -+
> -+ cmp = memcmp(blob1.data, blob2.data, blob1.length);
> -+ if (cmp != 0) {
> -+ TALLOC_FREE(frame);
> -+ return false;
> -+ }
> -+
> -+ TALLOC_FREE(frame);
> -+ return true;
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
> -+ struct netlogon_creds_CredentialState **_creds)
> -+{
> -+ struct netlogon_creds_CredentialState *creds = *_creds;
> -+ NTSTATUS status;
> -+ enum ndr_err_code ndr_err;
> -+ DATA_BLOB blob;
> -+ TDB_DATA data;
> -+
> -+ *_creds = NULL;
> -+
> -+ if (context->db.locked_state == NULL) {
> -+ /*
> -+ * this was not the result of netlogon_creds_cli_lock*()
> -+ */
> -+ TALLOC_FREE(creds);
> -+ return NT_STATUS_INVALID_PAGE_PROTECTION;
> -+ }
> -+
> -+ if (context->db.locked_state->creds != creds) {
> -+ /*
> -+ * this was not the result of netlogon_creds_cli_lock*()
> -+ */
> -+ TALLOC_FREE(creds);
> -+ return NT_STATUS_INVALID_PAGE_PROTECTION;
> -+ }
> -+
> -+ ndr_err = ndr_push_struct_blob(&blob, creds, creds,
> -+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -+ TALLOC_FREE(creds);
> -+ status = ndr_map_error2ntstatus(ndr_err);
> -+ return status;
> -+ }
> -+
> -+ data.dptr = blob.data;
> -+ data.dsize = blob.length;
> -+
> -+ status = dbwrap_store(context->db.ctx,
> -+ context->db.key_data,
> -+ data, TDB_REPLACE);
> -+ TALLOC_FREE(creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
> -+ struct netlogon_creds_CredentialState **_creds)
> -+{
> -+ struct netlogon_creds_CredentialState *creds = *_creds;
> -+ NTSTATUS status;
> -+
> -+ *_creds = NULL;
> -+
> -+ if (context->db.locked_state == NULL) {
> -+ /*
> -+ * this was not the result of netlogon_creds_cli_lock*()
> -+ */
> -+ TALLOC_FREE(creds);
> -+ return NT_STATUS_INVALID_PAGE_PROTECTION;
> -+ }
> -+
> -+ if (context->db.locked_state->creds != creds) {
> -+ /*
> -+ * this was not the result of netlogon_creds_cli_lock*()
> -+ */
> -+ TALLOC_FREE(creds);
> -+ return NT_STATUS_INVALID_PAGE_PROTECTION;
> -+ }
> -+
> -+ status = dbwrap_delete(context->db.ctx,
> -+ context->db.key_data);
> -+ TALLOC_FREE(creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+struct netlogon_creds_cli_lock_state {
> -+ struct netlogon_creds_cli_locked_state *locked_state;
> -+ struct netlogon_creds_CredentialState *creds;
> -+};
> -+
> -+static void netlogon_creds_cli_lock_done(struct tevent_req *subreq);
> -+static void netlogon_creds_cli_lock_fetch(struct tevent_req *req);
> -+
> -+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
> -+ struct tevent_context *ev,
> -+ struct netlogon_creds_cli_context *context)
> -+{
> -+ struct tevent_req *req;
> -+ struct netlogon_creds_cli_lock_state *state;
> -+ struct netlogon_creds_cli_locked_state *locked_state;
> -+ struct tevent_req *subreq;
> -+
> -+ req = tevent_req_create(mem_ctx, &state,
> -+ struct netlogon_creds_cli_lock_state);
> -+ if (req == NULL) {
> -+ return NULL;
> -+ }
> -+
> -+ if (context->db.locked_state != NULL) {
> -+ tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
> -+ if (tevent_req_nomem(locked_state, req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+ talloc_set_destructor(locked_state,
> -+ netlogon_creds_cli_locked_state_destructor);
> -+ locked_state->context = context;
> -+
> -+ context->db.locked_state = locked_state;
> -+ state->locked_state = locked_state;
> -+
> -+ if (context->db.g_ctx == NULL) {
> -+ netlogon_creds_cli_lock_fetch(req);
> -+ if (!tevent_req_is_in_progress(req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ return req;
> -+ }
> -+
> -+ subreq = g_lock_lock_send(state, ev,
> -+ context->db.g_ctx,
> -+ context->db.key_name,
> -+ G_LOCK_WRITE);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+ tevent_req_set_callback(subreq, netlogon_creds_cli_lock_done, req);
> -+
> -+ return req;
> -+}
> -+
> -+static void netlogon_creds_cli_lock_done(struct tevent_req *subreq)
> -+{
> -+ struct tevent_req *req =
> -+ tevent_req_callback_data(subreq,
> -+ struct tevent_req);
> -+ struct netlogon_creds_cli_lock_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_lock_state);
> -+ NTSTATUS status;
> -+
> -+ status = g_lock_lock_recv(subreq);
> -+ TALLOC_FREE(subreq);
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+ state->locked_state->is_glocked = true;
> -+
> -+ netlogon_creds_cli_lock_fetch(req);
> -+}
> -+
> -+static void netlogon_creds_cli_lock_fetch(struct tevent_req *req)
> -+{
> -+ struct netlogon_creds_cli_lock_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_lock_state);
> -+ struct netlogon_creds_cli_context *context = state->locked_state->context;
> -+ struct netlogon_creds_cli_fetch_state fstate = {
> -+ .status = NT_STATUS_INTERNAL_ERROR,
> -+ .required_flags = context->client.required_flags,
> -+ };
> -+ NTSTATUS status;
> -+
> -+ fstate.mem_ctx = state;
> -+ status = dbwrap_parse_record(context->db.ctx,
> -+ context->db.key_data,
> -+ netlogon_creds_cli_fetch_parser,
> -+ &fstate);
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+ status = fstate.status;
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+
> -+ if (context->server.cached_flags == fstate.creds->negotiate_flags) {
> -+ state->creds = fstate.creds;
> -+ tevent_req_done(req);
> -+ return;
> -+ }
> -+
> -+ context->server.cached_flags = fstate.creds->negotiate_flags;
> -+ context->server.try_validation6 = true;
> -+ context->server.try_logon_ex = true;
> -+ context->server.try_logon_with = true;
> -+
> -+ if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> -+ context->server.try_validation6 = false;
> -+ context->server.try_logon_ex = false;
> -+ }
> -+ if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
> -+ context->server.try_validation6 = false;
> -+ }
> -+
> -+ state->creds = fstate.creds;
> -+ tevent_req_done(req);
> -+ return;
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_CredentialState **creds)
> -+{
> -+ struct netlogon_creds_cli_lock_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_lock_state);
> -+ NTSTATUS status;
> -+
> -+ if (tevent_req_is_nterror(req, &status)) {
> -+ tevent_req_received(req);
> -+ return status;
> -+ }
> -+
> -+ talloc_steal(state->creds, state->locked_state);
> -+ state->locked_state->creds = state->creds;
> -+ *creds = talloc_move(mem_ctx, &state->creds);
> -+ tevent_req_received(req);
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_CredentialState **creds)
> -+{
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct tevent_context *ev;
> -+ struct tevent_req *req;
> -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> -+
> -+ ev = samba_tevent_context_init(frame);
> -+ if (ev == NULL) {
> -+ goto fail;
> -+ }
> -+ req = netlogon_creds_cli_lock_send(frame, ev, context);
> -+ if (req == NULL) {
> -+ goto fail;
> -+ }
> -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> -+ goto fail;
> -+ }
> -+ status = netlogon_creds_cli_lock_recv(req, mem_ctx, creds);
> -+ fail:
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+}
> -+
> -+struct netlogon_creds_cli_auth_state {
> -+ struct tevent_context *ev;
> -+ struct netlogon_creds_cli_context *context;
> -+ struct dcerpc_binding_handle *binding_handle;
> -+ struct samr_Password current_nt_hash;
> -+ struct samr_Password previous_nt_hash;
> -+ struct samr_Password used_nt_hash;
> -+ char *srv_name_slash;
> -+ uint32_t current_flags;
> -+ struct netr_Credential client_challenge;
> -+ struct netr_Credential server_challenge;
> -+ struct netlogon_creds_CredentialState *creds;
> -+ struct netr_Credential client_credential;
> -+ struct netr_Credential server_credential;
> -+ uint32_t rid;
> -+ bool try_auth3;
> -+ bool try_auth2;
> -+ bool require_auth2;
> -+ bool try_previous_nt_hash;
> -+ struct netlogon_creds_cli_locked_state *locked_state;
> -+};
> -+
> -+static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq);
> -+static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req);
> -+
> -+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
> -+ struct tevent_context *ev,
> -+ struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b,
> -+ struct samr_Password current_nt_hash,
> -+ const struct samr_Password *previous_nt_hash)
> -+{
> -+ struct tevent_req *req;
> -+ struct netlogon_creds_cli_auth_state *state;
> -+ struct netlogon_creds_cli_locked_state *locked_state;
> -+ NTSTATUS status;
> -+
> -+ req = tevent_req_create(mem_ctx, &state,
> -+ struct netlogon_creds_cli_auth_state);
> -+ if (req == NULL) {
> -+ return NULL;
> -+ }
> -+
> -+ state->ev = ev;
> -+ state->context = context;
> -+ state->binding_handle = b;
> -+ state->current_nt_hash = current_nt_hash;
> -+ if (previous_nt_hash != NULL) {
> -+ state->previous_nt_hash = *previous_nt_hash;
> -+ state->try_previous_nt_hash = true;
> -+ }
> -+
> -+ if (context->db.locked_state != NULL) {
> -+ tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
> -+ if (tevent_req_nomem(locked_state, req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+ talloc_set_destructor(locked_state,
> -+ netlogon_creds_cli_locked_state_destructor);
> -+ locked_state->context = context;
> -+
> -+ context->db.locked_state = locked_state;
> -+ state->locked_state = locked_state;
> -+
> -+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
> -+ context->server.computer);
> -+ if (tevent_req_nomem(state->srv_name_slash, req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ state->try_auth3 = true;
> -+ state->try_auth2 = true;
> -+
> -+ if (context->client.required_flags != 0) {
> -+ state->require_auth2 = true;
> -+ }
> -+
> -+ state->used_nt_hash = state->current_nt_hash;
> -+ state->current_flags = context->client.proposed_flags;
> -+
> -+ if (context->db.g_ctx != NULL) {
> -+ struct tevent_req *subreq;
> -+
> -+ subreq = g_lock_lock_send(state, ev,
> -+ context->db.g_ctx,
> -+ context->db.key_name,
> -+ G_LOCK_WRITE);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+ tevent_req_set_callback(subreq,
> -+ netlogon_creds_cli_auth_locked,
> -+ req);
> -+
> -+ return req;
> -+ }
> -+
> -+ status = dbwrap_delete(state->context->db.ctx,
> -+ state->context->db.key_data);
> -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
> -+ status = NT_STATUS_OK;
> -+ }
> -+ if (tevent_req_nterror(req, status)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ netlogon_creds_cli_auth_challenge_start(req);
> -+ if (!tevent_req_is_in_progress(req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ return req;
> -+}
> -+
> -+static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq)
> -+{
> -+ struct tevent_req *req =
> -+ tevent_req_callback_data(subreq,
> -+ struct tevent_req);
> -+ struct netlogon_creds_cli_auth_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_auth_state);
> -+ NTSTATUS status;
> -+
> -+ status = g_lock_lock_recv(subreq);
> -+ TALLOC_FREE(subreq);
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+ state->locked_state->is_glocked = true;
> -+
> -+ status = dbwrap_delete(state->context->db.ctx,
> -+ state->context->db.key_data);
> -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
> -+ status = NT_STATUS_OK;
> -+ }
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+
> -+ netlogon_creds_cli_auth_challenge_start(req);
> -+}
> -+
> -+static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq);
> -+
> -+static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
> -+{
> -+ struct netlogon_creds_cli_auth_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_auth_state);
> -+ struct tevent_req *subreq;
> -+
> -+ TALLOC_FREE(state->creds);
> -+
> -+ generate_random_buffer(state->client_challenge.data,
> -+ sizeof(state->client_challenge.data));
> -+
> -+ subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
> -+ state->binding_handle,
> -+ state->srv_name_slash,
> -+ state->context->client.computer,
> -+ &state->client_challenge,
> -+ &state->server_challenge);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ return;
> -+ }
> -+ tevent_req_set_callback(subreq,
> -+ netlogon_creds_cli_auth_challenge_done,
> -+ req);
> -+}
> -+
> -+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq);
> -+
> -+static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq)
> -+{
> -+ struct tevent_req *req =
> -+ tevent_req_callback_data(subreq,
> -+ struct tevent_req);
> -+ struct netlogon_creds_cli_auth_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_auth_state);
> -+ NTSTATUS status;
> -+ NTSTATUS result;
> -+
> -+ status = dcerpc_netr_ServerReqChallenge_recv(subreq, state, &result);
> -+ TALLOC_FREE(subreq);
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+ if (tevent_req_nterror(req, result)) {
> -+ return;
> -+ }
> -+
> -+ if (!state->try_auth3 && !state->try_auth2) {
> -+ state->current_flags = 0;
> -+ }
> -+
> -+ /* Calculate the session key and client credentials */
> -+
> -+ state->creds = netlogon_creds_client_init(state,
> -+ state->context->client.account,
> -+ state->context->client.computer,
> -+ state->context->client.type,
> -+ &state->client_challenge,
> -+ &state->server_challenge,
> -+ &state->used_nt_hash,
> -+ &state->client_credential,
> -+ state->current_flags);
> -+ if (tevent_req_nomem(state->creds, req)) {
> -+ return;
> -+ }
> -+
> -+ if (state->try_auth3) {
> -+ subreq = dcerpc_netr_ServerAuthenticate3_send(state, state->ev,
> -+ state->binding_handle,
> -+ state->srv_name_slash,
> -+ state->context->client.account,
> -+ state->context->client.type,
> -+ state->context->client.computer,
> -+ &state->client_credential,
> -+ &state->server_credential,
> -+ &state->creds->negotiate_flags,
> -+ &state->rid);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ return;
> -+ }
> -+ } else if (state->try_auth2) {
> -+ state->rid = 0;
> -+
> -+ subreq = dcerpc_netr_ServerAuthenticate2_send(state, state->ev,
> -+ state->binding_handle,
> -+ state->srv_name_slash,
> -+ state->context->client.account,
> -+ state->context->client.type,
> -+ state->context->client.computer,
> -+ &state->client_credential,
> -+ &state->server_credential,
> -+ &state->creds->negotiate_flags);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ return;
> -+ }
> -+ } else {
> -+ state->rid = 0;
> -+
> -+ subreq = dcerpc_netr_ServerAuthenticate_send(state, state->ev,
> -+ state->binding_handle,
> -+ state->srv_name_slash,
> -+ state->context->client.account,
> -+ state->context->client.type,
> -+ state->context->client.computer,
> -+ &state->client_credential,
> -+ &state->server_credential);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ return;
> -+ }
> -+ }
> -+ tevent_req_set_callback(subreq,
> -+ netlogon_creds_cli_auth_srvauth_done,
> -+ req);
> -+}
> -+
> -+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
> -+{
> -+ struct tevent_req *req =
> -+ tevent_req_callback_data(subreq,
> -+ struct tevent_req);
> -+ struct netlogon_creds_cli_auth_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_auth_state);
> -+ NTSTATUS status;
> -+ NTSTATUS result;
> -+ bool ok;
> -+ enum ndr_err_code ndr_err;
> -+ DATA_BLOB blob;
> -+ TDB_DATA data;
> -+ uint32_t tmp_flags;
> -+
> -+ if (state->try_auth3) {
> -+ status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state,
> -+ &result);
> -+ TALLOC_FREE(subreq);
> -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> -+ state->try_auth3 = false;
> -+ netlogon_creds_cli_auth_challenge_start(req);
> -+ return;
> -+ }
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+ } else if (state->try_auth2) {
> -+ status = dcerpc_netr_ServerAuthenticate2_recv(subreq, state,
> -+ &result);
> -+ TALLOC_FREE(subreq);
> -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> -+ state->try_auth2 = false;
> -+ if (state->require_auth2) {
> -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> -+ tevent_req_nterror(req, status);
> -+ return;
> -+ }
> -+ netlogon_creds_cli_auth_challenge_start(req);
> -+ return;
> -+ }
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+ } else {
> -+ status = dcerpc_netr_ServerAuthenticate_recv(subreq, state,
> -+ &result);
> -+ TALLOC_FREE(subreq);
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+ }
> -+
> -+ if (!NT_STATUS_IS_OK(result) &&
> -+ !NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED))
> -+ {
> -+ tevent_req_nterror(req, result);
> -+ return;
> -+ }
> -+
> -+ tmp_flags = state->creds->negotiate_flags;
> -+ tmp_flags &= state->context->client.required_flags;
> -+ if (tmp_flags != state->context->client.required_flags) {
> -+ if (NT_STATUS_IS_OK(result)) {
> -+ tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED);
> -+ return;
> -+ }
> -+ tevent_req_nterror(req, result);
> -+ return;
> -+ }
> -+
> -+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
> -+
> -+ tmp_flags = state->context->client.proposed_flags;
> -+ if ((state->current_flags == tmp_flags) &&
> -+ (state->creds->negotiate_flags != tmp_flags))
> -+ {
> -+ /*
> -+ * lets retry with the negotiated flags
> -+ */
> -+ state->current_flags = state->creds->negotiate_flags;
> -+ netlogon_creds_cli_auth_challenge_start(req);
> -+ return;
> -+ }
> -+
> -+ if (!state->try_previous_nt_hash) {
> -+ /*
> -+ * we already retried, giving up...
> -+ */
> -+ tevent_req_nterror(req, result);
> -+ return;
> -+ }
> -+
> -+ /*
> -+ * lets retry with the old nt hash.
> -+ */
> -+ state->try_previous_nt_hash = false;
> -+ state->used_nt_hash = state->previous_nt_hash;
> -+ state->current_flags = state->context->client.proposed_flags;
> -+ netlogon_creds_cli_auth_challenge_start(req);
> -+ return;
> -+ }
> -+
> -+ ok = netlogon_creds_client_check(state->creds,
> -+ &state->server_credential);
> -+ if (!ok) {
> -+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
> -+ return;
> -+ }
> -+
> -+ ndr_err = ndr_push_struct_blob(&blob, state, state->creds,
> -+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -+ status = ndr_map_error2ntstatus(ndr_err);
> -+ tevent_req_nterror(req, status);
> -+ return;
> -+ }
> -+
> -+ data.dptr = blob.data;
> -+ data.dsize = blob.length;
> -+
> -+ status = dbwrap_store(state->context->db.ctx,
> -+ state->context->db.key_data,
> -+ data, TDB_REPLACE);
> -+ TALLOC_FREE(state->locked_state);
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+
> -+ tevent_req_done(req);
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req)
> -+{
> -+ NTSTATUS status;
> -+
> -+ if (tevent_req_is_nterror(req, &status)) {
> -+ tevent_req_received(req);
> -+ return status;
> -+ }
> -+
> -+ tevent_req_received(req);
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b,
> -+ struct samr_Password current_nt_hash,
> -+ const struct samr_Password *previous_nt_hash)
> -+{
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct tevent_context *ev;
> -+ struct tevent_req *req;
> -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> -+
> -+ ev = samba_tevent_context_init(frame);
> -+ if (ev == NULL) {
> -+ goto fail;
> -+ }
> -+ req = netlogon_creds_cli_auth_send(frame, ev, context, b,
> -+ current_nt_hash,
> -+ previous_nt_hash);
> -+ if (req == NULL) {
> -+ goto fail;
> -+ }
> -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> -+ goto fail;
> -+ }
> -+ status = netlogon_creds_cli_auth_recv(req);
> -+ fail:
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+}
> -+
> -+struct netlogon_creds_cli_check_state {
> -+ struct tevent_context *ev;
> -+ struct netlogon_creds_cli_context *context;
> -+ struct dcerpc_binding_handle *binding_handle;
> -+
> -+ char *srv_name_slash;
> -+
> -+ union netr_Capabilities caps;
> -+
> -+ struct netlogon_creds_CredentialState *creds;
> -+ struct netlogon_creds_CredentialState tmp_creds;
> -+ struct netr_Authenticator req_auth;
> -+ struct netr_Authenticator rep_auth;
> -+};
> -+
> -+static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
> -+ NTSTATUS status);
> -+static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
> -+
> -+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
> -+ struct tevent_context *ev,
> -+ struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b)
> -+{
> -+ struct tevent_req *req;
> -+ struct netlogon_creds_cli_check_state *state;
> -+ struct tevent_req *subreq;
> -+ enum dcerpc_AuthType auth_type;
> -+ enum dcerpc_AuthLevel auth_level;
> -+
> -+ req = tevent_req_create(mem_ctx, &state,
> -+ struct netlogon_creds_cli_check_state);
> -+ if (req == NULL) {
> -+ return NULL;
> -+ }
> -+
> -+ state->ev = ev;
> -+ state->context = context;
> -+ state->binding_handle = b;
> -+
> -+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
> -+ context->server.computer);
> -+ if (tevent_req_nomem(state->srv_name_slash, req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ dcerpc_binding_handle_auth_info(state->binding_handle,
> -+ &auth_type, &auth_level);
> -+
> -+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
> -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ switch (auth_level) {
> -+ case DCERPC_AUTH_LEVEL_INTEGRITY:
> -+ case DCERPC_AUTH_LEVEL_PRIVACY:
> -+ break;
> -+ default:
> -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
> -+ state->context);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ tevent_req_set_callback(subreq,
> -+ netlogon_creds_cli_check_locked,
> -+ req);
> -+
> -+ return req;
> -+}
> -+
> -+static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
> -+ NTSTATUS status)
> -+{
> -+ struct netlogon_creds_cli_check_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_check_state);
> -+
> -+ if (state->creds == NULL) {
> -+ return;
> -+ }
> -+
> -+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
> -+ TALLOC_FREE(state->creds);
> -+ return;
> -+ }
> -+
> -+ netlogon_creds_cli_delete(state->context, &state->creds);
> -+}
> -+
> -+static void netlogon_creds_cli_check_caps(struct tevent_req *subreq);
> -+
> -+static void netlogon_creds_cli_check_locked(struct tevent_req *subreq)
> -+{
> -+ struct tevent_req *req =
> -+ tevent_req_callback_data(subreq,
> -+ struct tevent_req);
> -+ struct netlogon_creds_cli_check_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_check_state);
> -+ NTSTATUS status;
> -+
> -+ status = netlogon_creds_cli_lock_recv(subreq, state,
> -+ &state->creds);
> -+ TALLOC_FREE(subreq);
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+
> -+ /*
> -+ * we defer all callbacks in order to cleanup
> -+ * the database record.
> -+ */
> -+ tevent_req_defer_callback(req, state->ev);
> -+
> -+ state->tmp_creds = *state->creds;
> -+ netlogon_creds_client_authenticator(&state->tmp_creds,
> -+ &state->req_auth);
> -+ ZERO_STRUCT(state->rep_auth);
> -+
> -+ subreq = dcerpc_netr_LogonGetCapabilities_send(state, state->ev,
> -+ state->binding_handle,
> -+ state->srv_name_slash,
> -+ state->context->client.computer,
> -+ &state->req_auth,
> -+ &state->rep_auth,
> -+ 1,
> -+ &state->caps);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ netlogon_creds_cli_check_cleanup(req, status);
> -+ return;
> -+ }
> -+ tevent_req_set_callback(subreq,
> -+ netlogon_creds_cli_check_caps,
> -+ req);
> -+}
> -+
> -+static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
> -+{
> -+ struct tevent_req *req =
> -+ tevent_req_callback_data(subreq,
> -+ struct tevent_req);
> -+ struct netlogon_creds_cli_check_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_check_state);
> -+ NTSTATUS status;
> -+ NTSTATUS result;
> -+ bool ok;
> -+
> -+ status = dcerpc_netr_LogonGetCapabilities_recv(subreq, state,
> -+ &result);
> -+ TALLOC_FREE(subreq);
> -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> -+ /*
> -+ * Note that the negotiated flags are already checked
> -+ * for our required flags after the ServerAuthenticate3/2 call.
> -+ */
> -+ uint32_t negotiated = state->tmp_creds.negotiate_flags;
> -+
> -+ if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
> -+ /*
> -+ * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
> -+ * already, we expect this to work!
> -+ */
> -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> -+ tevent_req_nterror(req, status);
> -+ netlogon_creds_cli_check_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ if (negotiated & NETLOGON_NEG_STRONG_KEYS) {
> -+ /*
> -+ * If we have negotiated NETLOGON_NEG_STRONG_KEYS
> -+ * we expect this to work at least as far as the
> -+ * NOT_SUPPORTED error handled below!
> -+ *
> -+ * NT 4.0 and Old Samba servers are not
> -+ * allowed without "require strong key = no"
> -+ */
> -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> -+ tevent_req_nterror(req, status);
> -+ netlogon_creds_cli_check_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ /*
> -+ * If we not require NETLOGON_NEG_SUPPORTS_AES or
> -+ * NETLOGON_NEG_STRONG_KEYS, it's ok to ignore
> -+ * NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
> -+ *
> -+ * This is needed against NT 4.0 and old Samba servers.
> -+ *
> -+ * As we're using DCERPC_AUTH_TYPE_SCHANNEL with
> -+ * DCERPC_AUTH_LEVEL_INTEGRITY or DCERPC_AUTH_LEVEL_PRIVACY
> -+ * we should detect a faked NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
> -+ * with the next request as the sequence number processing
> -+ * gets out of sync.
> -+ */
> -+ netlogon_creds_cli_check_cleanup(req, result);
> -+ tevent_req_done(req);
> -+ return;
> -+ }
> -+ if (tevent_req_nterror(req, status)) {
> -+ netlogon_creds_cli_check_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
> -+ /*
> -+ * Note that the negotiated flags are already checked
> -+ * for our required flags after the ServerAuthenticate3/2 call.
> -+ */
> -+ uint32_t negotiated = state->tmp_creds.negotiate_flags;
> -+
> -+ if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
> -+ /*
> -+ * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
> -+ * already, we expect this to work!
> -+ */
> -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> -+ tevent_req_nterror(req, status);
> -+ netlogon_creds_cli_check_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ /*
> -+ * This is ok, the server does not support
> -+ * NETLOGON_NEG_SUPPORTS_AES.
> -+ *
> -+ * netr_LogonGetCapabilities() was
> -+ * netr_LogonDummyRoutine1() before
> -+ * NETLOGON_NEG_SUPPORTS_AES was invented.
> -+ */
> -+ netlogon_creds_cli_check_cleanup(req, result);
> -+ tevent_req_done(req);
> -+ return;
> -+ }
> -+
> -+ ok = netlogon_creds_client_check(&state->tmp_creds,
> -+ &state->rep_auth.cred);
> -+ if (!ok) {
> -+ status = NT_STATUS_ACCESS_DENIED;
> -+ tevent_req_nterror(req, status);
> -+ netlogon_creds_cli_check_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ if (tevent_req_nterror(req, result)) {
> -+ netlogon_creds_cli_check_cleanup(req, result);
> -+ return;
> -+ }
> -+
> -+ if (state->caps.server_capabilities != state->tmp_creds.negotiate_flags) {
> -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> -+ tevent_req_nterror(req, status);
> -+ netlogon_creds_cli_check_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ /*
> -+ * This is the key check that makes this check secure. If we
> -+ * get OK here (rather than NOT_SUPPORTED), then the server
> -+ * did support AES. If the server only proposed STRONG_KEYS
> -+ * and not AES, then it should have failed with
> -+ * NOT_IMPLEMENTED. We always send AES as a client, so the
> -+ * server should always have returned it.
> -+ */
> -+ if (!(state->caps.server_capabilities & NETLOGON_NEG_SUPPORTS_AES)) {
> -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> -+ tevent_req_nterror(req, status);
> -+ netlogon_creds_cli_check_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ *state->creds = state->tmp_creds;
> -+ status = netlogon_creds_cli_store(state->context,
> -+ &state->creds);
> -+ netlogon_creds_cli_check_cleanup(req, status);
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+
> -+ tevent_req_done(req);
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req)
> -+{
> -+ NTSTATUS status;
> -+
> -+ if (tevent_req_is_nterror(req, &status)) {
> -+ netlogon_creds_cli_check_cleanup(req, status);
> -+ tevent_req_received(req);
> -+ return status;
> -+ }
> -+
> -+ tevent_req_received(req);
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b)
> -+{
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct tevent_context *ev;
> -+ struct tevent_req *req;
> -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> -+
> -+ ev = samba_tevent_context_init(frame);
> -+ if (ev == NULL) {
> -+ goto fail;
> -+ }
> -+ req = netlogon_creds_cli_check_send(frame, ev, context, b);
> -+ if (req == NULL) {
> -+ goto fail;
> -+ }
> -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> -+ goto fail;
> -+ }
> -+ status = netlogon_creds_cli_check_recv(req);
> -+ fail:
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+}
> -+
> -+struct netlogon_creds_cli_ServerPasswordSet_state {
> -+ struct tevent_context *ev;
> -+ struct netlogon_creds_cli_context *context;
> -+ struct dcerpc_binding_handle *binding_handle;
> -+ uint32_t old_timeout;
> -+
> -+ char *srv_name_slash;
> -+ enum dcerpc_AuthType auth_type;
> -+ enum dcerpc_AuthLevel auth_level;
> -+
> -+ struct samr_CryptPassword samr_crypt_password;
> -+ struct netr_CryptPassword netr_crypt_password;
> -+ struct samr_Password samr_password;
> -+
> -+ struct netlogon_creds_CredentialState *creds;
> -+ struct netlogon_creds_CredentialState tmp_creds;
> -+ struct netr_Authenticator req_auth;
> -+ struct netr_Authenticator rep_auth;
> -+};
> -+
> -+static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
> -+ NTSTATUS status);
> -+static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq);
> -+
> -+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
> -+ struct tevent_context *ev,
> -+ struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b,
> -+ const char *new_password,
> -+ const uint32_t *new_version)
> -+{
> -+ struct tevent_req *req;
> -+ struct netlogon_creds_cli_ServerPasswordSet_state *state;
> -+ struct tevent_req *subreq;
> -+ bool ok;
> -+
> -+ req = tevent_req_create(mem_ctx, &state,
> -+ struct netlogon_creds_cli_ServerPasswordSet_state);
> -+ if (req == NULL) {
> -+ return NULL;
> -+ }
> -+
> -+ state->ev = ev;
> -+ state->context = context;
> -+ state->binding_handle = b;
> -+
> -+ /*
> -+ * netr_ServerPasswordSet
> -+ */
> -+ E_md4hash(new_password, state->samr_password.hash);
> -+
> -+ /*
> -+ * netr_ServerPasswordSet2
> -+ */
> -+ ok = encode_pw_buffer(state->samr_crypt_password.data,
> -+ new_password, STR_UNICODE);
> -+ if (!ok) {
> -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ if (new_version != NULL) {
> -+ struct NL_PASSWORD_VERSION version;
> -+ uint32_t len = IVAL(state->samr_crypt_password.data, 512);
> -+ uint32_t ofs = 512 - len;
> -+ uint8_t *p;
> -+
> -+ if (ofs < 12) {
> -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> -+ return tevent_req_post(req, ev);
> -+ }
> -+ ofs -= 12;
> -+
> -+ version.ReservedField = 0;
> -+ version.PasswordVersionNumber = *new_version;
> -+ version.PasswordVersionPresent =
> -+ NETLOGON_PASSWORD_VERSION_NUMBER_PRESENT;
> -+
> -+ p = state->samr_crypt_password.data + ofs;
> -+ SIVAL(p, 0, version.ReservedField);
> -+ SIVAL(p, 4, version.PasswordVersionNumber);
> -+ SIVAL(p, 8, version.PasswordVersionPresent);
> -+ }
> -+
> -+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
> -+ context->server.computer);
> -+ if (tevent_req_nomem(state->srv_name_slash, req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ dcerpc_binding_handle_auth_info(state->binding_handle,
> -+ &state->auth_type,
> -+ &state->auth_level);
> -+
> -+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
> -+ state->context);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ tevent_req_set_callback(subreq,
> -+ netlogon_creds_cli_ServerPasswordSet_locked,
> -+ req);
> -+
> -+ return req;
> -+}
> -+
> -+static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
> -+ NTSTATUS status)
> -+{
> -+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_ServerPasswordSet_state);
> -+
> -+ if (state->creds == NULL) {
> -+ return;
> -+ }
> -+
> -+ dcerpc_binding_handle_set_timeout(state->binding_handle,
> -+ state->old_timeout);
> -+
> -+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
> -+ TALLOC_FREE(state->creds);
> -+ return;
> -+ }
> -+
> -+ netlogon_creds_cli_delete(state->context, &state->creds);
> -+}
> -+
> -+static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq);
> -+
> -+static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq)
> -+{
> -+ struct tevent_req *req =
> -+ tevent_req_callback_data(subreq,
> -+ struct tevent_req);
> -+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_ServerPasswordSet_state);
> -+ NTSTATUS status;
> -+
> -+ status = netlogon_creds_cli_lock_recv(subreq, state,
> -+ &state->creds);
> -+ TALLOC_FREE(subreq);
> -+ if (tevent_req_nterror(req, status)) {
> -+ return;
> -+ }
> -+
> -+ if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
> -+ switch (state->auth_level) {
> -+ case DCERPC_AUTH_LEVEL_INTEGRITY:
> -+ case DCERPC_AUTH_LEVEL_PRIVACY:
> -+ break;
> -+ default:
> -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> -+ return;
> -+ }
> -+ } else {
> -+ uint32_t tmp = state->creds->negotiate_flags;
> -+
> -+ if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
> -+ /*
> -+ * if DCERPC_AUTH_TYPE_SCHANNEL is supported
> -+ * it should be used, which means
> -+ * we had a chance to verify no downgrade
> -+ * happened.
> -+ *
> -+ * This relies on netlogon_creds_cli_check*
> -+ * being called before, as first request after
> -+ * the DCERPC bind.
> -+ */
> -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> -+ return;
> -+ }
> -+ }
> -+
> -+ state->old_timeout = dcerpc_binding_handle_set_timeout(
> -+ state->binding_handle, 600000);
> -+
> -+ /*
> -+ * we defer all callbacks in order to cleanup
> -+ * the database record.
> -+ */
> -+ tevent_req_defer_callback(req, state->ev);
> -+
> -+ state->tmp_creds = *state->creds;
> -+ netlogon_creds_client_authenticator(&state->tmp_creds,
> -+ &state->req_auth);
> -+ ZERO_STRUCT(state->rep_auth);
> -+
> -+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
> -+
> -+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -+ netlogon_creds_aes_encrypt(&state->tmp_creds,
> -+ state->samr_crypt_password.data,
> -+ 516);
> -+ } else {
> -+ netlogon_creds_arcfour_crypt(&state->tmp_creds,
> -+ state->samr_crypt_password.data,
> -+ 516);
> -+ }
> -+
> -+ memcpy(state->netr_crypt_password.data,
> -+ state->samr_crypt_password.data, 512);
> -+ state->netr_crypt_password.length =
> -+ IVAL(state->samr_crypt_password.data, 512);
> -+
> -+ subreq = dcerpc_netr_ServerPasswordSet2_send(state, state->ev,
> -+ state->binding_handle,
> -+ state->srv_name_slash,
> -+ state->tmp_creds.account_name,
> -+ state->tmp_creds.secure_channel_type,
> -+ state->tmp_creds.computer_name,
> -+ &state->req_auth,
> -+ &state->rep_auth,
> -+ &state->netr_crypt_password);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> -+ return;
> -+ }
> -+ } else {
> -+ netlogon_creds_des_encrypt(&state->tmp_creds,
> -+ &state->samr_password);
> -+
> -+ subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev,
> -+ state->binding_handle,
> -+ state->srv_name_slash,
> -+ state->tmp_creds.account_name,
> -+ state->tmp_creds.secure_channel_type,
> -+ state->tmp_creds.computer_name,
> -+ &state->req_auth,
> -+ &state->rep_auth,
> -+ &state->samr_password);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> -+ return;
> -+ }
> -+ }
> -+
> -+ tevent_req_set_callback(subreq,
> -+ netlogon_creds_cli_ServerPasswordSet_done,
> -+ req);
> -+}
> -+
> -+static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq)
> -+{
> -+ struct tevent_req *req =
> -+ tevent_req_callback_data(subreq,
> -+ struct tevent_req);
> -+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_ServerPasswordSet_state);
> -+ NTSTATUS status;
> -+ NTSTATUS result;
> -+ bool ok;
> -+
> -+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
> -+ status = dcerpc_netr_ServerPasswordSet2_recv(subreq, state,
> -+ &result);
> -+ TALLOC_FREE(subreq);
> -+ if (tevent_req_nterror(req, status)) {
> -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> -+ return;
> -+ }
> -+ } else {
> -+ status = dcerpc_netr_ServerPasswordSet_recv(subreq, state,
> -+ &result);
> -+ TALLOC_FREE(subreq);
> -+ if (tevent_req_nterror(req, status)) {
> -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> -+ return;
> -+ }
> -+ }
> -+
> -+ ok = netlogon_creds_client_check(&state->tmp_creds,
> -+ &state->rep_auth.cred);
> -+ if (!ok) {
> -+ status = NT_STATUS_ACCESS_DENIED;
> -+ tevent_req_nterror(req, status);
> -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ if (tevent_req_nterror(req, result)) {
> -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, result);
> -+ return;
> -+ }
> -+
> -+ dcerpc_binding_handle_set_timeout(state->binding_handle,
> -+ state->old_timeout);
> -+
> -+ *state->creds = state->tmp_creds;
> -+ status = netlogon_creds_cli_store(state->context,
> -+ &state->creds);
> -+ if (tevent_req_nterror(req, status)) {
> -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ tevent_req_done(req);
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req)
> -+{
> -+ NTSTATUS status;
> -+
> -+ if (tevent_req_is_nterror(req, &status)) {
> -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> -+ tevent_req_received(req);
> -+ return status;
> -+ }
> -+
> -+ tevent_req_received(req);
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
> -+ struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b,
> -+ const char *new_password,
> -+ const uint32_t *new_version)
> -+{
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct tevent_context *ev;
> -+ struct tevent_req *req;
> -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> -+
> -+ ev = samba_tevent_context_init(frame);
> -+ if (ev == NULL) {
> -+ goto fail;
> -+ }
> -+ req = netlogon_creds_cli_ServerPasswordSet_send(frame, ev, context, b,
> -+ new_password,
> -+ new_version);
> -+ if (req == NULL) {
> -+ goto fail;
> -+ }
> -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> -+ goto fail;
> -+ }
> -+ status = netlogon_creds_cli_ServerPasswordSet_recv(req);
> -+ fail:
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+}
> -+
> -+struct netlogon_creds_cli_LogonSamLogon_state {
> -+ struct tevent_context *ev;
> -+ struct netlogon_creds_cli_context *context;
> -+ struct dcerpc_binding_handle *binding_handle;
> -+
> -+ char *srv_name_slash;
> -+
> -+ enum netr_LogonInfoClass logon_level;
> -+ const union netr_LogonLevel *const_logon;
> -+ union netr_LogonLevel *logon;
> -+ uint32_t flags;
> -+
> -+ uint16_t validation_level;
> -+ union netr_Validation *validation;
> -+ uint8_t authoritative;
> -+
> -+ /*
> -+ * do we need encryption at the application layer?
> -+ */
> -+ bool user_encrypt;
> -+ bool try_logon_ex;
> -+ bool try_validation6;
> -+
> -+ /*
> -+ * the read only credentials before we started the operation
> -+ */
> -+ struct netlogon_creds_CredentialState *ro_creds;
> -+
> -+ struct netlogon_creds_CredentialState *lk_creds;
> -+
> -+ struct netlogon_creds_CredentialState tmp_creds;
> -+ struct netr_Authenticator req_auth;
> -+ struct netr_Authenticator rep_auth;
> -+};
> -+
> -+static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req);
> -+static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
> -+ NTSTATUS status);
> -+
> -+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
> -+ struct tevent_context *ev,
> -+ struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b,
> -+ enum netr_LogonInfoClass logon_level,
> -+ const union netr_LogonLevel *logon,
> -+ uint32_t flags)
> -+{
> -+ struct tevent_req *req;
> -+ struct netlogon_creds_cli_LogonSamLogon_state *state;
> -+
> -+ req = tevent_req_create(mem_ctx, &state,
> -+ struct netlogon_creds_cli_LogonSamLogon_state);
> -+ if (req == NULL) {
> -+ return NULL;
> -+ }
> -+
> -+ state->ev = ev;
> -+ state->context = context;
> -+ state->binding_handle = b;
> -+
> -+ state->logon_level = logon_level;
> -+ state->const_logon = logon;
> -+ state->flags = flags;
> -+
> -+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
> -+ context->server.computer);
> -+ if (tevent_req_nomem(state->srv_name_slash, req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ switch (logon_level) {
> -+ case NetlogonInteractiveInformation:
> -+ case NetlogonInteractiveTransitiveInformation:
> -+ case NetlogonServiceInformation:
> -+ case NetlogonServiceTransitiveInformation:
> -+ case NetlogonGenericInformation:
> -+ state->user_encrypt = true;
> -+ break;
> -+
> -+ case NetlogonNetworkInformation:
> -+ case NetlogonNetworkTransitiveInformation:
> -+ break;
> -+ }
> -+
> -+ state->validation = talloc_zero(state, union netr_Validation);
> -+ if (tevent_req_nomem(state->validation, req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ netlogon_creds_cli_LogonSamLogon_start(req);
> -+ if (!tevent_req_is_in_progress(req)) {
> -+ return tevent_req_post(req, ev);
> -+ }
> -+
> -+ /*
> -+ * we defer all callbacks in order to cleanup
> -+ * the database record.
> -+ */
> -+ tevent_req_defer_callback(req, state->ev);
> -+ return req;
> -+}
> -+
> -+static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
> -+ NTSTATUS status)
> -+{
> -+ struct netlogon_creds_cli_LogonSamLogon_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_LogonSamLogon_state);
> -+
> -+ if (state->lk_creds == NULL) {
> -+ return;
> -+ }
> -+
> -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> -+ /*
> -+ * This is a hack to recover from a bug in old
> -+ * Samba servers, when LogonSamLogonEx() fails:
> -+ *
> -+ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
> -+ *
> -+ * All following request will get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
> -+ *
> -+ * A second bug generates NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE,
> -+ * instead of NT_STATUS_ACCESS_DENIED or NT_STATUS_RPC_SEC_PKG_ERROR
> -+ * If the sign/seal check fails.
> -+ *
> -+ * In that case we need to cleanup the netlogon session.
> -+ *
> -+ * It's the job of the caller to disconnect the current
> -+ * connection, if netlogon_creds_cli_LogonSamLogon()
> -+ * returns NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
> -+ */
> -+ if (!state->context->server.try_logon_with) {
> -+ status = NT_STATUS_NETWORK_ACCESS_DENIED;
> -+ }
> -+ }
> -+
> -+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
> -+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
> -+ TALLOC_FREE(state->lk_creds);
> -+ return;
> -+ }
> -+
> -+ netlogon_creds_cli_delete(state->context, &state->lk_creds);
> -+}
> -+
> -+static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq);
> -+
> -+static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req)
> -+{
> -+ struct netlogon_creds_cli_LogonSamLogon_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_LogonSamLogon_state);
> -+ struct tevent_req *subreq;
> -+ NTSTATUS status;
> -+ enum dcerpc_AuthType auth_type;
> -+ enum dcerpc_AuthLevel auth_level;
> -+
> -+ TALLOC_FREE(state->ro_creds);
> -+ TALLOC_FREE(state->logon);
> -+ ZERO_STRUCTP(state->validation);
> -+
> -+ dcerpc_binding_handle_auth_info(state->binding_handle,
> -+ &auth_type, &auth_level);
> -+
> -+ state->try_logon_ex = state->context->server.try_logon_ex;
> -+ state->try_validation6 = state->context->server.try_validation6;
> -+
> -+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
> -+ state->try_logon_ex = false;
> -+ }
> -+
> -+ if (auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
> -+ state->try_validation6 = false;
> -+ }
> -+
> -+ if (state->try_logon_ex) {
> -+ if (state->try_validation6) {
> -+ state->validation_level = 6;
> -+ } else {
> -+ state->validation_level = 3;
> -+ state->user_encrypt = true;
> -+ }
> -+
> -+ state->logon = netlogon_creds_shallow_copy_logon(state,
> -+ state->logon_level,
> -+ state->const_logon);
> -+ if (tevent_req_nomem(state->logon, req)) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ if (state->user_encrypt) {
> -+ status = netlogon_creds_cli_get(state->context,
> -+ state,
> -+ &state->ro_creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ status = NT_STATUS_ACCESS_DENIED;
> -+ tevent_req_nterror(req, status);
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
> -+ state->logon_level,
> -+ state->logon);
> -+ }
> -+
> -+ subreq = dcerpc_netr_LogonSamLogonEx_send(state, state->ev,
> -+ state->binding_handle,
> -+ state->srv_name_slash,
> -+ state->context->client.computer,
> -+ state->logon_level,
> -+ state->logon,
> -+ state->validation_level,
> -+ state->validation,
> -+ &state->authoritative,
> -+ &state->flags);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+ tevent_req_set_callback(subreq,
> -+ netlogon_creds_cli_LogonSamLogon_done,
> -+ req);
> -+ return;
> -+ }
> -+
> -+ if (state->lk_creds == NULL) {
> -+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
> -+ state->context);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+ tevent_req_set_callback(subreq,
> -+ netlogon_creds_cli_LogonSamLogon_done,
> -+ req);
> -+ return;
> -+ }
> -+
> -+ state->tmp_creds = *state->lk_creds;
> -+ netlogon_creds_client_authenticator(&state->tmp_creds,
> -+ &state->req_auth);
> -+ ZERO_STRUCT(state->rep_auth);
> -+
> -+ state->logon = netlogon_creds_shallow_copy_logon(state,
> -+ state->logon_level,
> -+ state->const_logon);
> -+ if (tevent_req_nomem(state->logon, req)) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
> -+ state->logon_level,
> -+ state->logon);
> -+
> -+ state->validation_level = 3;
> -+
> -+ if (state->context->server.try_logon_with) {
> -+ subreq = dcerpc_netr_LogonSamLogonWithFlags_send(state, state->ev,
> -+ state->binding_handle,
> -+ state->srv_name_slash,
> -+ state->context->client.computer,
> -+ &state->req_auth,
> -+ &state->rep_auth,
> -+ state->logon_level,
> -+ state->logon,
> -+ state->validation_level,
> -+ state->validation,
> -+ &state->authoritative,
> -+ &state->flags);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+ } else {
> -+ state->flags = 0;
> -+
> -+ subreq = dcerpc_netr_LogonSamLogon_send(state, state->ev,
> -+ state->binding_handle,
> -+ state->srv_name_slash,
> -+ state->context->client.computer,
> -+ &state->req_auth,
> -+ &state->rep_auth,
> -+ state->logon_level,
> -+ state->logon,
> -+ state->validation_level,
> -+ state->validation,
> -+ &state->authoritative);
> -+ if (tevent_req_nomem(subreq, req)) {
> -+ status = NT_STATUS_NO_MEMORY;
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+ }
> -+
> -+ tevent_req_set_callback(subreq,
> -+ netlogon_creds_cli_LogonSamLogon_done,
> -+ req);
> -+}
> -+
> -+static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
> -+{
> -+ struct tevent_req *req =
> -+ tevent_req_callback_data(subreq,
> -+ struct tevent_req);
> -+ struct netlogon_creds_cli_LogonSamLogon_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_LogonSamLogon_state);
> -+ NTSTATUS status;
> -+ NTSTATUS result;
> -+ bool ok;
> -+
> -+ if (state->try_logon_ex) {
> -+ status = dcerpc_netr_LogonSamLogonEx_recv(subreq,
> -+ state->validation,
> -+ &result);
> -+ TALLOC_FREE(subreq);
> -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> -+ state->context->server.try_validation6 = false;
> -+ state->context->server.try_logon_ex = false;
> -+ netlogon_creds_cli_LogonSamLogon_start(req);
> -+ return;
> -+ }
> -+ if (tevent_req_nterror(req, status)) {
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ if ((state->validation_level == 6) &&
> -+ (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
> -+ NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
> -+ NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)))
> -+ {
> -+ state->context->server.try_validation6 = false;
> -+ netlogon_creds_cli_LogonSamLogon_start(req);
> -+ return;
> -+ }
> -+
> -+ if (tevent_req_nterror(req, result)) {
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
> -+ return;
> -+ }
> -+
> -+ if (state->ro_creds == NULL) {
> -+ tevent_req_done(req);
> -+ return;
> -+ }
> -+
> -+ ok = netlogon_creds_cli_validate(state->context, state->ro_creds);
> -+ if (!ok) {
> -+ /*
> -+ * We got a race, lets retry with on authenticator
> -+ * protection.
> -+ */
> -+ TALLOC_FREE(state->ro_creds);
> -+ state->try_logon_ex = false;
> -+ netlogon_creds_cli_LogonSamLogon_start(req);
> -+ return;
> -+ }
> -+
> -+ netlogon_creds_decrypt_samlogon_validation(state->ro_creds,
> -+ state->validation_level,
> -+ state->validation);
> -+
> -+ tevent_req_done(req);
> -+ return;
> -+ }
> -+
> -+ if (state->lk_creds == NULL) {
> -+ status = netlogon_creds_cli_lock_recv(subreq, state,
> -+ &state->lk_creds);
> -+ TALLOC_FREE(subreq);
> -+ if (tevent_req_nterror(req, status)) {
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ netlogon_creds_cli_LogonSamLogon_start(req);
> -+ return;
> -+ }
> -+
> -+ if (state->context->server.try_logon_with) {
> -+ status = dcerpc_netr_LogonSamLogonWithFlags_recv(subreq,
> -+ state->validation,
> -+ &result);
> -+ TALLOC_FREE(subreq);
> -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> -+ state->context->server.try_logon_with = false;
> -+ netlogon_creds_cli_LogonSamLogon_start(req);
> -+ return;
> -+ }
> -+ if (tevent_req_nterror(req, status)) {
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+ } else {
> -+ status = dcerpc_netr_LogonSamLogon_recv(subreq,
> -+ state->validation,
> -+ &result);
> -+ TALLOC_FREE(subreq);
> -+ if (tevent_req_nterror(req, status)) {
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+ }
> -+
> -+ ok = netlogon_creds_client_check(&state->tmp_creds,
> -+ &state->rep_auth.cred);
> -+ if (!ok) {
> -+ status = NT_STATUS_ACCESS_DENIED;
> -+ tevent_req_nterror(req, status);
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ *state->lk_creds = state->tmp_creds;
> -+ status = netlogon_creds_cli_store(state->context,
> -+ &state->lk_creds);
> -+ if (tevent_req_nterror(req, status)) {
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ return;
> -+ }
> -+
> -+ if (tevent_req_nterror(req, result)) {
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
> -+ return;
> -+ }
> -+
> -+ netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds,
> -+ state->validation_level,
> -+ state->validation);
> -+
> -+ tevent_req_done(req);
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
> -+ TALLOC_CTX *mem_ctx,
> -+ uint16_t *validation_level,
> -+ union netr_Validation **validation,
> -+ uint8_t *authoritative,
> -+ uint32_t *flags)
> -+{
> -+ struct netlogon_creds_cli_LogonSamLogon_state *state =
> -+ tevent_req_data(req,
> -+ struct netlogon_creds_cli_LogonSamLogon_state);
> -+ NTSTATUS status;
> -+
> -+ /* authoritative is also returned on error */
> -+ *authoritative = state->authoritative;
> -+
> -+ if (tevent_req_is_nterror(req, &status)) {
> -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> -+ tevent_req_received(req);
> -+ return status;
> -+ }
> -+
> -+ *validation_level = state->validation_level;
> -+ *validation = talloc_move(mem_ctx, &state->validation);
> -+ *flags = state->flags;
> -+
> -+ tevent_req_received(req);
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+NTSTATUS netlogon_creds_cli_LogonSamLogon(
> -+ struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b,
> -+ enum netr_LogonInfoClass logon_level,
> -+ const union netr_LogonLevel *logon,
> -+ TALLOC_CTX *mem_ctx,
> -+ uint16_t *validation_level,
> -+ union netr_Validation **validation,
> -+ uint8_t *authoritative,
> -+ uint32_t *flags)
> -+{
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct tevent_context *ev;
> -+ struct tevent_req *req;
> -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> -+
> -+ ev = samba_tevent_context_init(frame);
> -+ if (ev == NULL) {
> -+ goto fail;
> -+ }
> -+ req = netlogon_creds_cli_LogonSamLogon_send(frame, ev, context, b,
> -+ logon_level, logon,
> -+ *flags);
> -+ if (req == NULL) {
> -+ goto fail;
> -+ }
> -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> -+ goto fail;
> -+ }
> -+ status = netlogon_creds_cli_LogonSamLogon_recv(req, mem_ctx,
> -+ validation_level,
> -+ validation,
> -+ authoritative,
> -+ flags);
> -+ fail:
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+}
> -diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
> -new file mode 100644
> -index 0000000..f8f2bef
> ---- /dev/null
> -+++ b/libcli/auth/netlogon_creds_cli.h
> -@@ -0,0 +1,138 @@
> -+/*
> -+ Unix SMB/CIFS implementation.
> -+
> -+ module to store/fetch session keys for the schannel client
> -+
> -+ Copyright (C) Stefan Metzmacher 2013
> -+
> -+ This program is free software; you can redistribute it and/or modify
> -+ it under the terms of the GNU General Public License as published by
> -+ the Free Software Foundation; either version 3 of the License, or
> -+ (at your option) any later version.
> -+
> -+ This program is distributed in the hope that it will be useful,
> -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -+ GNU General Public License for more details.
> -+
> -+ You should have received a copy of the GNU General Public License
> -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> -+*/
> -+
> -+#ifndef NETLOGON_CREDS_CLI_H
> -+#define NETLOGON_CREDS_CLI_H
> -+
> -+#include "librpc/gen_ndr/dcerpc.h"
> -+#include "librpc/gen_ndr/schannel.h"
> -+
> -+struct netlogon_creds_cli_context;
> -+struct messaging_context;
> -+struct dcerpc_binding_handle;
> -+
> -+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
> -+
> -+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> -+ struct messaging_context *msg_ctx,
> -+ const char *client_account,
> -+ enum netr_SchannelType type,
> -+ const char *server_computer,
> -+ const char *server_netbios_domain,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_cli_context **_context);
> -+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
> -+ const char *client_account,
> -+ enum netr_SchannelType type,
> -+ enum dcerpc_AuthLevel auth_level,
> -+ uint32_t proposed_flags,
> -+ uint32_t required_flags,
> -+ const char *server_computer,
> -+ const char *server_netbios_domain,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_cli_context **_context);
> -+NTSTATUS netlogon_creds_cli_context_copy(
> -+ const struct netlogon_creds_cli_context *src,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_cli_context **_dst);
> -+
> -+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
> -+ struct netlogon_creds_cli_context *context);
> -+
> -+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_CredentialState **_creds);
> -+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
> -+ const struct netlogon_creds_CredentialState *creds1);
> -+
> -+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
> -+ struct netlogon_creds_CredentialState **_creds);
> -+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
> -+ struct netlogon_creds_CredentialState **_creds);
> -+
> -+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
> -+ struct tevent_context *ev,
> -+ struct netlogon_creds_cli_context *context);
> -+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_CredentialState **creds);
> -+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_CredentialState **creds);
> -+
> -+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
> -+ struct tevent_context *ev,
> -+ struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b,
> -+ struct samr_Password current_nt_hash,
> -+ const struct samr_Password *previous_nt_hash);
> -+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req);
> -+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b,
> -+ struct samr_Password current_nt_hash,
> -+ const struct samr_Password *previous_nt_hash);
> -+
> -+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
> -+ struct tevent_context *ev,
> -+ struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b);
> -+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req);
> -+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b);
> -+
> -+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
> -+ struct tevent_context *ev,
> -+ struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b,
> -+ const char *new_password,
> -+ const uint32_t *new_version);
> -+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req);
> -+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
> -+ struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b,
> -+ const char *new_password,
> -+ const uint32_t *new_version);
> -+
> -+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
> -+ struct tevent_context *ev,
> -+ struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b,
> -+ enum netr_LogonInfoClass logon_level,
> -+ const union netr_LogonLevel *logon,
> -+ uint32_t flags);
> -+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
> -+ TALLOC_CTX *mem_ctx,
> -+ uint16_t *validation_level,
> -+ union netr_Validation **validation,
> -+ uint8_t *authoritative,
> -+ uint32_t *flags);
> -+NTSTATUS netlogon_creds_cli_LogonSamLogon(
> -+ struct netlogon_creds_cli_context *context,
> -+ struct dcerpc_binding_handle *b,
> -+ enum netr_LogonInfoClass logon_level,
> -+ const union netr_LogonLevel *logon,
> -+ TALLOC_CTX *mem_ctx,
> -+ uint16_t *validation_level,
> -+ union netr_Validation **validation,
> -+ uint8_t *authoritative,
> -+ uint32_t *flags);
> -+
> -+#endif /* NETLOGON_CREDS_CLI_H */
> -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
> -index ca2be2d..51eb293 100755
> ---- a/libcli/auth/wscript_build
> -+++ b/libcli/auth/wscript_build
> -@@ -28,6 +28,10 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
> - deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
> - )
> -
> -+bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI',
> -+ source='netlogon_creds_cli.c',
> -+ deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON NDR_NETLOGON'
> -+ )
> -
> - bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
> - source='pam_errors.c',
> ---
> -1.9.3
> -
> -
> -From e4a4e18ea7f9a9742de16e477917da6ae11ac42e Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 13 Dec 2013 17:31:45 +0100
> -Subject: [PATCH 163/249] libcli/auth: use unique key_name values in
> - netlogon_creds_cli_context_common()
> -
> -Until all callers are fixed to pass the same 'server_computer'
> -value, we try to calculate a server_netbios_name and use this
> -as unique identifier for a specific domain controller.
> -
> -Otherwise winbind would use 'hostname.example.com'
> -while 'net rpc testjoin' would use 'HOSTNAME',
> -which leads to 2 records in netlogon_creds_cli.tdb
> -for the same domain controller.
> -
> -Once all callers are fixed we can think about reverting this
> -commit.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit dc96b1ddccfe8eb1a631355f9471ee0b620d682c)
> ----
> - libcli/auth/netlogon_creds_cli.c | 58 +++++++++++++++++++++++++++++++++-------
> - 1 file changed, 48 insertions(+), 10 deletions(-)
> -
> -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> -index 75d6b2c..a872b31 100644
> ---- a/libcli/auth/netlogon_creds_cli.c
> -+++ b/libcli/auth/netlogon_creds_cli.c
> -@@ -106,23 +106,30 @@ static NTSTATUS netlogon_creds_cli_context_common(
> - struct netlogon_creds_cli_context **_context)
> - {
> - struct netlogon_creds_cli_context *context = NULL;
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ char *_key_name = NULL;
> -+ char *server_netbios_name = NULL;
> -+ char *p = NULL;
> -
> - *_context = NULL;
> -
> - context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
> - if (context == NULL) {
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> - context->client.computer = talloc_strdup(context, client_computer);
> - if (context->client.computer == NULL) {
> -- talloc_free(context);
> -+ TALLOC_FREE(context);
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> - context->client.account = talloc_strdup(context, client_account);
> - if (context->client.account == NULL) {
> -- talloc_free(context);
> -+ TALLOC_FREE(context);
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -@@ -133,29 +140,60 @@ static NTSTATUS netlogon_creds_cli_context_common(
> -
> - context->server.computer = talloc_strdup(context, server_computer);
> - if (context->server.computer == NULL) {
> -- talloc_free(context);
> -+ TALLOC_FREE(context);
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> - context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
> - if (context->server.netbios_domain == NULL) {
> -- talloc_free(context);
> -+ TALLOC_FREE(context);
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
> -- client_computer,
> -- client_account,
> -- server_computer,
> -- server_netbios_domain);
> -+ /*
> -+ * TODO:
> -+ * Force the callers to provide a unique
> -+ * value for server_computer and use this directly.
> -+ *
> -+ * For now we have to deal with
> -+ * "HOSTNAME" vs. "hostname.example.com".
> -+ */
> -+ server_netbios_name = talloc_strdup(frame, server_computer);
> -+ if (server_netbios_name == NULL) {
> -+ TALLOC_FREE(context);
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ p = strchr(server_netbios_name, '.');
> -+ if (p != NULL) {
> -+ p[0] = '\0';
> -+ }
> -+
> -+ _key_name = talloc_asprintf(frame, "CLI[%s/%s]/SRV[%s/%s]",
> -+ client_computer,
> -+ client_account,
> -+ server_netbios_name,
> -+ server_netbios_domain);
> -+ if (_key_name == NULL) {
> -+ TALLOC_FREE(context);
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ context->db.key_name = talloc_strdup_upper(context, _key_name);
> - if (context->db.key_name == NULL) {
> -- talloc_free(context);
> -+ TALLOC_FREE(context);
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> - context->db.key_data = string_term_tdb_data(context->db.key_name);
> -
> - *_context = context;
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_OK;
> - }
> -
> ---
> -1.9.3
> -
> -
> -From 29bc7cb7a1c0ef62c923ce859cdd07de2846c5f5 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 17 Oct 2013 19:01:28 +0200
> -Subject: [PATCH 164/249] s3:param: set Globals.bWinbindSealedPipes = true
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 99d8653d83aa2e2e3a0ea097ab7cb65d62d76daf)
> ----
> - source3/param/loadparm.c | 1 +
> - 1 file changed, 1 insertion(+)
> -
> -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> -index 40f3242..7d95256 100644
> ---- a/source3/param/loadparm.c
> -+++ b/source3/param/loadparm.c
> -@@ -834,6 +834,7 @@ static void init_globals(bool reinit_globals)
> - Globals.security = SEC_USER;
> - Globals.bEncryptPasswords = true;
> - Globals.clientSchannel = Auto;
> -+ Globals.bWinbindSealedPipes = true;
> - Globals.serverSchannel = Auto;
> - Globals.bReadRaw = true;
> - Globals.bWriteRaw = true;
> ---
> -1.9.3
> -
> -
> -From 21b9d9847ba236d78156de07dd24032e64f2124d Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 17 Oct 2013 18:39:56 +0200
> -Subject: [PATCH 165/249] lib/param: add "neutralize nt4 emulation" option,
> - defaulting to false
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit b39ca3a2aefdd43a55b9cdd8fa5136254b283927)
> ----
> - .../smbdotconf/winbind/netutralizent4emulation.xml | 19 +++++++++++++++++++
> - lib/param/param_functions.c | 1 +
> - lib/param/param_table.c | 9 +++++++++
> - 3 files changed, 29 insertions(+)
> - create mode 100644 docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
> -
> -diff --git a/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
> -new file mode 100644
> -index 0000000..8294a90
> ---- /dev/null
> -+++ b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
> -@@ -0,0 +1,19 @@
> -+<samba:parameter name="neutralize nt4 emulation"
> -+ context="G"
> -+ type="boolean"
> -+ advanced="1" developer="1"
> -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> -+<description>
> -+ <para>This option controls whether winbindd sends
> -+ the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass
> -+ the NT4 emulation of a domain controller.</para>
> -+
> -+ <para>Typically you should not need set this.
> -+ It can be useful for upgrades from NT4 to AD domains.</para>
> -+
> -+ <para>The behavior can be controlled per netbios domain
> -+ by using 'neutralize nt4 emulation:NETBIOSDOMAIN = yes' as option.</para>
> -+</description>
> -+
> -+<value type="default">no</value>
> -+</samba:parameter>
> -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> -index 60f9c07..aef091b 100644
> ---- a/lib/param/param_functions.c
> -+++ b/lib/param/param_functions.c
> -@@ -192,6 +192,7 @@ FN_GLOBAL_BOOL(log_writeable_files_on_exit, bLogWriteableFilesOnExit)
> - FN_GLOBAL_BOOL(map_untrusted_to_domain, bMapUntrustedToDomain)
> - FN_GLOBAL_BOOL(ms_add_printer_wizard, bMsAddPrinterWizard)
> - FN_GLOBAL_BOOL(multicast_dns_register, bMulticastDnsRegister)
> -+FN_GLOBAL_BOOL(neutralize_nt4_emulation, bNeutralizeNT4Emulation)
> - FN_GLOBAL_BOOL(nis_home_map, bNISHomeMap)
> - FN_GLOBAL_BOOL(nmbd_bind_explicit_broadcast, bNmbdBindExplicitBroadcast)
> - FN_GLOBAL_BOOL(ntlm_auth, bNTLMAuth)
> -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> -index 8e3f952..edf6829 100644
> ---- a/lib/param/param_table.c
> -+++ b/lib/param/param_table.c
> -@@ -4188,6 +4188,15 @@ static struct parm_struct parm_table[] = {
> - .enum_list = NULL,
> - .flags = FLAG_ADVANCED,
> - },
> -+ {
> -+ .label = "neutralize nt4 emulation",
> -+ .type = P_BOOL,
> -+ .p_class = P_GLOBAL,
> -+ .offset = GLOBAL_VAR(bNeutralizeNT4Emulation),
> -+ .special = NULL,
> -+ .enum_list = NULL,
> -+ .flags = FLAG_ADVANCED,
> -+ },
> -
> - {N_("DNS options"), P_SEP, P_SEPARATOR},
> - {
> ---
> -1.9.3
> -
> -
> -From d1cfe2d0f3f72e8b7700eee01e47b0bb9d3b9ca3 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 17 Oct 2013 18:39:56 +0200
> -Subject: [PATCH 166/249] lib/param: add "reject md5 servers" option,
> - defaulting to false
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit de4f8f0825790452455a9d51e9d84d4d4a5c0d3b)
> ----
> - docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 23 +++++++++++++++++++++++
> - lib/param/param_functions.c | 1 +
> - lib/param/param_table.c | 9 +++++++++
> - 3 files changed, 33 insertions(+)
> - create mode 100644 docs-xml/smbdotconf/winbind/rejectmd5servers.xml
> -
> -diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
> -new file mode 100644
> -index 0000000..18f8bcb
> ---- /dev/null
> -+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
> -@@ -0,0 +1,23 @@
> -+<samba:parameter name="reject md5 servers"
> -+ context="G"
> -+ type="boolean"
> -+ advanced="1"
> -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> -+<description>
> -+ <para>This option controls whether winbindd requires support
> -+ for aes support for the netlogon secure channel.</para>
> -+
> -+ <para>The following flags will be required NETLOGON_NEG_ARCFOUR,
> -+ NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
> -+
> -+ <para>You can set this to yes if all domain controllers support aes.
> -+ This will prevent downgrade attacks.</para>
> -+
> -+ <para>The behavior can be controlled per netbios domain
> -+ by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
> -+
> -+ <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
> -+</description>
> -+
> -+<value type="default">no</value>
> -+</samba:parameter>
> -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> -index aef091b..ecd7f8e 100644
> ---- a/lib/param/param_functions.c
> -+++ b/lib/param/param_functions.c
> -@@ -204,6 +204,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
> - FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
> - FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
> - FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
> -+FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
> - FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
> - FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
> - FN_GLOBAL_BOOL(stat_cache, bStatCache)
> -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> -index edf6829..b53f850 100644
> ---- a/lib/param/param_table.c
> -+++ b/lib/param/param_table.c
> -@@ -4197,6 +4197,15 @@ static struct parm_struct parm_table[] = {
> - .enum_list = NULL,
> - .flags = FLAG_ADVANCED,
> - },
> -+ {
> -+ .label = "reject md5 servers",
> -+ .type = P_BOOL,
> -+ .p_class = P_GLOBAL,
> -+ .offset = GLOBAL_VAR(bRejectMD5Servers),
> -+ .special = NULL,
> -+ .enum_list = NULL,
> -+ .flags = FLAG_ADVANCED,
> -+ },
> -
> - {N_("DNS options"), P_SEP, P_SEPARATOR},
> - {
> ---
> -1.9.3
> -
> -
> -From 2545090f09da279655510f87d02c631c74409eb1 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 17 Oct 2013 18:39:56 +0200
> -Subject: [PATCH 167/249] lib/param: add "require strong key" option,
> - defaulting to true
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 6630c68cce8fbbd700e7d4cd92ec3ebb2a268f06)
> ----
> - docs-xml/smbdotconf/winbind/requirestrongkey.xml | 27 ++++++++++++++++++++++++
> - lib/param/loadparm.c | 1 +
> - lib/param/param_functions.c | 1 +
> - lib/param/param_table.c | 9 ++++++++
> - 4 files changed, 38 insertions(+)
> - create mode 100644 docs-xml/smbdotconf/winbind/requirestrongkey.xml
> -
> -diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
> -new file mode 100644
> -index 0000000..de749bb
> ---- /dev/null
> -+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
> -@@ -0,0 +1,27 @@
> -+<samba:parameter name="require strong key"
> -+ context="G"
> -+ type="boolean"
> -+ advanced="1"
> -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> -+<description>
> -+ <para>This option controls whether winbindd requires support
> -+ for md5 strong key support for the netlogon secure channel.</para>
> -+
> -+ <para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
> -+ NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
> -+
> -+ <para>You can set this to no if some domain controllers only support des.
> -+ This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
> -+
> -+ <para>The behavior can be controlled per netbios domain
> -+ by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
> -+
> -+ <para>Note for active directory domain this option is hardcoded to 'yes'</para>
> -+
> -+ <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
> -+
> -+ <para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
> -+</description>
> -+
> -+<value type="default">yes</value>
> -+</samba:parameter>
> -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
> -index 23b45e2..a84a166 100644
> ---- a/lib/param/loadparm.c
> -+++ b/lib/param/loadparm.c
> -@@ -2183,6 +2183,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
> -
> - lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
> - lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
> -+ lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
> - lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
> - lpcfg_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
> - lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
> -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> -index ecd7f8e..41b137f 100644
> ---- a/lib/param/param_functions.c
> -+++ b/lib/param/param_functions.c
> -@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
> - FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
> - FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
> - FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
> -+FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
> - FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
> - FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
> - FN_GLOBAL_BOOL(stat_cache, bStatCache)
> -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> -index b53f850..36e8554 100644
> ---- a/lib/param/param_table.c
> -+++ b/lib/param/param_table.c
> -@@ -4206,6 +4206,15 @@ static struct parm_struct parm_table[] = {
> - .enum_list = NULL,
> - .flags = FLAG_ADVANCED,
> - },
> -+ {
> -+ .label = "require strong key",
> -+ .type = P_BOOL,
> -+ .p_class = P_GLOBAL,
> -+ .offset = GLOBAL_VAR(bRequireStrongKey),
> -+ .special = NULL,
> -+ .enum_list = NULL,
> -+ .flags = FLAG_ADVANCED,
> -+ },
> -
> - {N_("DNS options"), P_SEP, P_SEPARATOR},
> - {
> ---
> -1.9.3
> -
> -
> -From 4e604cc566b2854045c5b794a846c1ab1ef4a35f Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 17 Oct 2013 19:01:47 +0200
> -Subject: [PATCH 168/249] s3:param: set Globals.bRequireStrongKey = true
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit e7954bcc04ec6761b2ed6dad08b90c65efafa948)
> ----
> - source3/param/loadparm.c | 1 +
> - 1 file changed, 1 insertion(+)
> -
> -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> -index 7d95256..ed46e53 100644
> ---- a/source3/param/loadparm.c
> -+++ b/source3/param/loadparm.c
> -@@ -835,6 +835,7 @@ static void init_globals(bool reinit_globals)
> - Globals.bEncryptPasswords = true;
> - Globals.clientSchannel = Auto;
> - Globals.bWinbindSealedPipes = true;
> -+ Globals.bRequireStrongKey = true;
> - Globals.serverSchannel = Auto;
> - Globals.bReadRaw = true;
> - Globals.bWriteRaw = true;
> ---
> -1.9.3
> -
> -
> -From 382f69a0f3762947a3e8cc02e8e9817533073195 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 17 Oct 2013 18:48:15 +0200
> -Subject: [PATCH 169/249] libcli/auth: make use of real options in
> - netlogon_creds_cli_context_global()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit fa3af7c2e8f1bf292e190ba3d933b6e1d552595d)
> ----
> - libcli/auth/netlogon_creds_cli.c | 18 +++---------------
> - 1 file changed, 3 insertions(+), 15 deletions(-)
> -
> -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> -index a872b31..6590b21 100644
> ---- a/libcli/auth/netlogon_creds_cli.c
> -+++ b/libcli/auth/netlogon_creds_cli.c
> -@@ -279,11 +279,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> - * allow overwrite per domain
> - * reject md5 servers:<netbios_domain>
> - */
> -- //TODO: add lpcfp_reject_md5_servers()
> -- reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
> -- "__default__",
> -- "reject md5 servers",
> -- reject_md5_servers);
> -+ reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
> - reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
> - "reject md5 servers",
> - server_netbios_domain,
> -@@ -293,11 +289,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> - * allow overwrite per domain
> - * require strong key:<netbios_domain>
> - */
> -- //TODO: add lpcfp_require_strong_key()
> -- require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
> -- "__default__",
> -- "require strong key",
> -- require_strong_key);
> -+ require_strong_key = lpcfg_require_strong_key(lp_ctx);
> - require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
> - "require strong key",
> - server_netbios_domain,
> -@@ -327,11 +319,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> - * allow overwrite per domain
> - * neutralize nt4 emulation:<netbios_domain>
> - */
> -- //TODO: add lpcfp_neutralize_nt4_emulation()
> -- neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
> -- "__default__",
> -- "neutralize nt4 emulation",
> -- neutralize_nt4_emulation);
> -+ neutralize_nt4_emulation = lpcfg_neutralize_nt4_emulation(lp_ctx);
> - neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
> - "neutralize nt4 emulation",
> - server_netbios_domain,
> ---
> -1.9.3
> -
> -
> -From 79e8c0c97591ed8bc129561e44b0d94757fcc4e1 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 23 Dec 2013 10:45:27 +0100
> -Subject: [PATCH 170/249] docs-xml: explain the interaction between security =
> - ads and other options.
> -
> -It implies 'require strong key = yes' and 'client schannel = yes'.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit f703a37a56e215827dbb2a7ec8da6738bf17f600)
> ----
> - docs-xml/smbdotconf/security/security.xml | 5 ++++-
> - 1 file changed, 4 insertions(+), 1 deletion(-)
> -
> -diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
> -index 406089f..2f5c3f7 100644
> ---- a/docs-xml/smbdotconf/security/security.xml
> -+++ b/docs-xml/smbdotconf/security/security.xml
> -@@ -99,7 +99,10 @@
> -
> - <para>Note that this mode does NOT make Samba operate as a Active Directory Domain
> - Controller. </para>
> --
> -+
> -+ <para>Note that this forces <smbconfoption name="require strong key">yes</smbconfoption>
> -+ and <smbconfoption name="client schannel">yes</smbconfoption> for the primary domain.</para>
> -+
> - <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
> - </description>
> -
> ---
> -1.9.3
> -
> -
> -From 27ea332df51e3cd8ed9601633282b688e6f288a7 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 23 Dec 2013 10:46:57 +0100
> -Subject: [PATCH 171/249] docs-xml: explain the interaction of 'client
> - schannel' with 'require strong key = yes'
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 1d69fdddd5287757c2e67b0982d00241a6d75d26)
> ----
> - docs-xml/smbdotconf/security/clientschannel.xml | 5 +++++
> - 1 file changed, 5 insertions(+)
> -
> -diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
> -index e229182..ac4cc59 100644
> ---- a/docs-xml/smbdotconf/security/clientschannel.xml
> -+++ b/docs-xml/smbdotconf/security/clientschannel.xml
> -@@ -12,6 +12,11 @@
> - enforce it, and <smbconfoption name="client schannel">yes</smbconfoption> denies access
> - if the server is not able to speak netlogon schannel.
> - </para>
> -+
> -+ <para>Note that for active directory domains this is hardcoded to
> -+ <smbconfoption name="client schannel">yes</smbconfoption>.</para>
> -+
> -+ <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
> - </description>
> - <value type="default">auto</value>
> - <value type="example">yes</value>
> ---
> -1.9.3
> -
> -
> -From 4853daeffb1916db3b92dc6ba9e5776652ec5f4e Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 17 Oct 2013 19:31:58 +0200
> -Subject: [PATCH 172/249] s3:winbindd: make use of the "winbind sealed pipes"
> - option for all connections
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 225982e1cb6276ed5c6a47c0e4827d75e8ab2fb1)
> ----
> - source3/winbindd/winbindd.h | 3 +++
> - source3/winbindd/winbindd_cm.c | 20 +++++++++++++++++---
> - 2 files changed, 20 insertions(+), 3 deletions(-)
> -
> -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
> -index 72eb3ec..afde685 100644
> ---- a/source3/winbindd/winbindd.h
> -+++ b/source3/winbindd/winbindd.h
> -@@ -25,6 +25,7 @@
> -
> - #include "nsswitch/winbind_struct_protocol.h"
> - #include "nsswitch/libwbclient/wbclient.h"
> -+#include "librpc/gen_ndr/dcerpc.h"
> - #include "librpc/gen_ndr/wbint.h"
> -
> - #include "talloc_dict.h"
> -@@ -105,6 +106,8 @@ struct getpwent_user {
> - struct winbindd_cm_conn {
> - struct cli_state *cli;
> -
> -+ enum dcerpc_AuthLevel auth_level;
> -+
> - struct rpc_pipe_client *samr_pipe;
> - struct policy_handle sam_connect_handle, sam_domain_handle;
> -
> -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> -index c4f59d3..6c1244e 100644
> ---- a/source3/winbindd/winbindd_cm.c
> -+++ b/source3/winbindd/winbindd_cm.c
> -@@ -1722,6 +1722,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
> - }
> -
> - if (NT_STATUS_IS_OK(result)) {
> -+ bool seal_pipes = true;
> -
> - winbindd_set_locator_kdc_envs(domain);
> -
> -@@ -1741,6 +1742,17 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
> - */
> - store_current_dc_in_gencache(domain->name, domain->dcname,
> - new_conn->cli);
> -+
> -+ seal_pipes = lp_winbind_sealed_pipes();
> -+ seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
> -+ domain->name,
> -+ seal_pipes);
> -+
> -+ if (seal_pipes) {
> -+ new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
> -+ } else {
> -+ new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
> -+ }
> - } else {
> - /* Ensure we setup the retry handler. */
> - set_domain_offline(domain);
> -@@ -1813,6 +1825,8 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
> - }
> - }
> -
> -+ conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
> -+
> - if (conn->cli) {
> - cli_shutdown(conn->cli);
> - }
> -@@ -2363,7 +2377,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - &ndr_table_samr,
> - NCACN_NP,
> - GENSEC_OID_NTLMSSP,
> -- DCERPC_AUTH_LEVEL_PRIVACY,
> -+ conn->auth_level,
> - smbXcli_conn_remote_name(conn->cli->conn),
> - domain_name,
> - machine_account,
> -@@ -2534,7 +2548,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> -
> - if (conn->lsa_pipe_tcp &&
> - conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
> -- conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
> -+ conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
> - rpccli_is_connected(conn->lsa_pipe_tcp)) {
> - goto done;
> - }
> -@@ -2602,7 +2616,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - result = cli_rpc_pipe_open_spnego
> - (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> - GENSEC_OID_NTLMSSP,
> -- DCERPC_AUTH_LEVEL_PRIVACY,
> -+ conn->auth_level,
> - smbXcli_conn_remote_name(conn->cli->conn),
> - conn->cli->domain, conn->cli->user_name, conn->cli->password,
> - &conn->lsa_pipe);
> ---
> -1.9.3
> -
> -
> -From c2116e6a1ee32ff36942091287e90b08d1ecf6d1 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 14 Nov 2013 18:53:06 +0100
> -Subject: [PATCH 173/249] docs-xml: update 'winbind sealed pipes' description
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 11aed7cd3dbd967593b34a206f0802fd0002bf27)
> ----
> - docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 6 +++---
> - 1 file changed, 3 insertions(+), 3 deletions(-)
> -
> -diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
> -index 26f446e..63f5588 100644
> ---- a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
> -+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
> -@@ -4,12 +4,12 @@
> - advanced="1" developer="1"
> - xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> - <description>
> -- <para>This option controls whether any requests made over the Samba 4 winbind
> -+ <para>This option controls whether any requests from winbindd to domain controllers
> - pipe will be sealed. Disabling sealing can be useful for debugging
> - purposes.</para>
> -
> -- <para>Note that this option only applies to the Samba 4 winbind and not
> -- to the standard winbind.</para>
> -+ <para>The behavior can be controlled per netbios domain
> -+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
> - </description>
> -
> - <value type="default">yes</value>
> ---
> -1.9.3
> -
> -
> -From ea14b4a713a85a2d87cba6ad88127020e1d5e813 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 27 Jul 2013 11:30:13 +0200
> -Subject: [PATCH 174/249] s3:rpc_client: make use of the new
> - netlogon_creds_cli_context
> -
> -This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
> -and lets the secure channel session state be stored in node local database.
> -
> -This is the proper fix for a large number of bugs:
> -https://bugzilla.samba.org/show_bug.cgi?id=6563
> -https://bugzilla.samba.org/show_bug.cgi?id=7944
> -https://bugzilla.samba.org/show_bug.cgi?id=7945
> -https://bugzilla.samba.org/show_bug.cgi?id=7568
> -https://bugzilla.samba.org/show_bug.cgi?id=8599
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 38d4dba37406515181e4d6f1a1faffc18e652e27)
> ----
> - source3/libnet/libnet_join.c | 3 +-
> - source3/libnet/libnet_samsync.c | 19 +-
> - source3/rpc_client/cli_netlogon.c | 436 ++++++++-------------------------
> - source3/rpc_client/cli_pipe.c | 139 +++--------
> - source3/rpc_client/cli_pipe.h | 2 +-
> - source3/rpc_client/cli_pipe_schannel.c | 3 +-
> - source3/rpc_client/rpc_client.h | 2 +-
> - source3/rpcclient/cmd_netlogon.c | 57 ++++-
> - source3/winbindd/winbindd.h | 9 -
> - source3/winbindd/winbindd_cm.c | 36 +--
> - source3/winbindd/winbindd_pam.c | 136 ++--------
> - source3/wscript_build | 6 +-
> - 12 files changed, 250 insertions(+), 598 deletions(-)
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index c1eccda..5dc620f 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -1279,7 +1279,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> - status = cli_rpc_pipe_open_schannel_with_key(
> - cli, &ndr_table_netlogon, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY,
> -- netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
> -+ netbios_domain_name,
> -+ netlogon_pipe->netlogon_creds, &pipe_hnd);
> -
> - cli_shutdown(cli);
> -
> -diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
> -index a103785..02d3fc6 100644
> ---- a/source3/libnet/libnet_samsync.c
> -+++ b/source3/libnet/libnet_samsync.c
> -@@ -30,6 +30,7 @@
> - #include "../librpc/gen_ndr/ndr_netlogon_c.h"
> - #include "../libcli/security/security.h"
> - #include "messages.h"
> -+#include "../libcli/auth/netlogon_creds_cli.h"
> -
> - /**
> - * Fix up the delta, dealing with encryption issues so that the final
> -@@ -213,8 +214,15 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
> -
> - do {
> - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> -+ struct netlogon_creds_CredentialState *creds = NULL;
> -
> -- netlogon_creds_client_authenticator(ctx->cli->dc, &credential);
> -+ status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
> -+ mem_ctx, &creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ netlogon_creds_client_authenticator(creds, &credential);
> -
> - if (ctx->single_object_replication &&
> - !ctx->force_full_replication) {
> -@@ -254,28 +262,33 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
> - }
> -
> - if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(creds);
> - return status;
> - }
> -
> - /* Check returned credentials. */
> -- if (!netlogon_creds_client_check(ctx->cli->dc,
> -+ if (!netlogon_creds_client_check(creds,
> - &return_authenticator.cred)) {
> -+ TALLOC_FREE(creds);
> - DEBUG(0,("credentials chain check failed\n"));
> - return NT_STATUS_ACCESS_DENIED;
> - }
> -
> - if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
> -+ TALLOC_FREE(creds);
> - return result;
> - }
> -
> - if (NT_STATUS_IS_ERR(result)) {
> -+ TALLOC_FREE(creds);
> - break;
> - }
> -
> - samsync_fix_delta_array(mem_ctx,
> -- ctx->cli->dc,
> -+ creds,
> - database_id,
> - delta_enum_array);
> -+ TALLOC_FREE(creds);
> -
> - /* Process results */
> - callback_status = ctx->ops->process_objects(mem_ctx, database_id,
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index 5e8a2fc..fcd24d6 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -23,11 +23,13 @@
> - #include "includes.h"
> - #include "rpc_client/rpc_client.h"
> - #include "../libcli/auth/libcli_auth.h"
> -+#include "../libcli/auth/netlogon_creds_cli.h"
> - #include "../librpc/gen_ndr/ndr_netlogon_c.h"
> - #include "rpc_client/cli_netlogon.h"
> - #include "rpc_client/init_netlogon.h"
> - #include "rpc_client/util_netlogon.h"
> - #include "../libcli/security/security.h"
> -+#include "lib/param/param.h"
> -
> - /****************************************************************************
> - Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
> -@@ -44,113 +46,81 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> - enum netr_SchannelType sec_chan_type,
> - uint32_t *neg_flags_inout)
> - {
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct loadparm_context *lp_ctx;
> - NTSTATUS status;
> -- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> -- struct netr_Credential clnt_chal_send;
> -- struct netr_Credential srv_chal_recv;
> - struct samr_Password password;
> -- bool retried = false;
> - fstring mach_acct;
> -- uint32_t neg_flags = *neg_flags_inout;
> - struct dcerpc_binding_handle *b = cli->binding_handle;
> -+ struct netlogon_creds_CredentialState *creds = NULL;
> -
> - if (!ndr_syntax_id_equal(&cli->abstract_syntax,
> - &ndr_table_netlogon.syntax_id)) {
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_INVALID_PARAMETER;
> - }
> -
> -- TALLOC_FREE(cli->dc);
> --
> -- /* Store the machine account password we're going to use. */
> -- memcpy(password.hash, machine_pwd, 16);
> --
> -- fstr_sprintf( mach_acct, "%s$", machine_account);
> --
> -- again:
> -- /* Create the client challenge. */
> -- generate_random_buffer(clnt_chal_send.data, 8);
> --
> -- /* Get the server challenge. */
> -- status = dcerpc_netr_ServerReqChallenge(b, talloc_tos(),
> -- cli->srv_name_slash,
> -- clnt_name,
> -- &clnt_chal_send,
> -- &srv_chal_recv,
> -- &result);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> -- if (!NT_STATUS_IS_OK(result)) {
> -- return result;
> -+ if (!strequal(lp_netbios_name(), clnt_name)) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_INVALID_PARAMETER;
> - }
> -
> -- /* Calculate the session key and client credentials */
> -+ TALLOC_FREE(cli->netlogon_creds);
> -
> -- cli->dc = netlogon_creds_client_init(cli,
> -- mach_acct,
> -- clnt_name,
> -- sec_chan_type,
> -- &clnt_chal_send,
> -- &srv_chal_recv,
> -- &password,
> -- &clnt_chal_send,
> -- neg_flags);
> -+ fstr_sprintf( mach_acct, "%s$", machine_account);
> -
> -- if (!cli->dc) {
> -+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> -+ if (lp_ctx == NULL) {
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_NO_MEMORY;
> - }
> --
> -- /*
> -- * Send client auth-2 challenge and receive server repy.
> -- */
> --
> -- status = dcerpc_netr_ServerAuthenticate2(b, talloc_tos(),
> -- cli->srv_name_slash,
> -- cli->dc->account_name,
> -- sec_chan_type,
> -- cli->dc->computer_name,
> -- &clnt_chal_send, /* input. */
> -- &srv_chal_recv, /* output. */
> -- &neg_flags,
> -- &result);
> -+ status = netlogon_creds_cli_context_global(lp_ctx,
> -+ NULL, /* msg_ctx */
> -+ mach_acct,
> -+ sec_chan_type,
> -+ server_name,
> -+ domain,
> -+ cli, &cli->netlogon_creds);
> -+ talloc_unlink(frame, lp_ctx);
> - if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> - return status;
> - }
> -- /* we might be talking to NT4, so let's downgrade in that case and retry
> -- * with the returned neg_flags - gd */
> -
> -- if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) {
> -- retried = true;
> -- TALLOC_FREE(cli->dc);
> -- goto again;
> -+ status = netlogon_creds_cli_get(cli->netlogon_creds,
> -+ frame, &creds);
> -+ if (NT_STATUS_IS_OK(status)) {
> -+ DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
> -+ "cached credential\n",
> -+ cli->desthost));
> -+ *neg_flags_inout = creds->negotiate_flags;
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_OK;
> - }
> -
> -- if (!NT_STATUS_IS_OK(result)) {
> -- return result;
> -- }
> --
> -- /*
> -- * Check the returned value using the initial
> -- * server received challenge.
> -- */
> --
> -- if (!netlogon_creds_client_check(cli->dc, &srv_chal_recv)) {
> -- /*
> -- * Server replied with bad credential. Fail.
> -- */
> -- DEBUG(0,("rpccli_netlogon_setup_creds: server %s "
> -- "replied with bad credential\n",
> -- cli->desthost ));
> -- return NT_STATUS_ACCESS_DENIED;
> -- }
> -+ /* Store the machine account password we're going to use. */
> -+ memcpy(password.hash, machine_pwd, 16);
> -
> - DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
> - "chain established.\n",
> - cli->desthost ));
> -
> -- cli->dc->negotiate_flags = neg_flags;
> -- *neg_flags_inout = neg_flags;
> -+ status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
> -+ password, NULL);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+
> -+ status = netlogon_creds_cli_get(cli->netlogon_creds,
> -+ frame, &creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_INTERNAL_ERROR;
> -+ }
> -
> -+ *neg_flags_inout = creds->negotiate_flags;
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_OK;
> - }
> -
> -@@ -163,20 +133,16 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> - const char *username,
> - const char *password,
> - const char *workstation,
> -- uint16_t validation_level,
> -+ uint16_t _ignored_validation_level,
> - int logon_type)
> - {
> -- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> - NTSTATUS status;
> -- struct netr_Authenticator clnt_creds;
> -- struct netr_Authenticator ret_creds;
> - union netr_LogonLevel *logon;
> -- union netr_Validation validation;
> -- uint8_t authoritative;
> -+ uint16_t validation_level = 0;
> -+ union netr_Validation *validation = NULL;
> -+ uint8_t authoritative = 0;
> -+ uint32_t flags = 0;
> - fstring clnt_name_slash;
> -- struct dcerpc_binding_handle *b = cli->binding_handle;
> --
> -- ZERO_STRUCT(ret_creds);
> -
> - logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> - if (!logon) {
> -@@ -191,8 +157,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> -
> - /* Initialise input parameters */
> -
> -- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
> --
> - switch (logon_type) {
> - case NetlogonInteractiveInformation: {
> -
> -@@ -208,17 +172,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> -
> - nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
> -
> -- if (cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- netlogon_creds_aes_encrypt(cli->dc, lmpassword.hash, 16);
> -- netlogon_creds_aes_encrypt(cli->dc, ntpassword.hash, 16);
> -- } else if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> -- netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16);
> -- netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16);
> -- } else {
> -- netlogon_creds_des_encrypt(cli->dc, &lmpassword);
> -- netlogon_creds_des_encrypt(cli->dc, &ntpassword);
> -- }
> --
> - password_info->identity_info.domain_name.string = domain;
> - password_info->identity_info.parameter_control = logon_parameters;
> - password_info->identity_info.logon_id_low = 0xdead;
> -@@ -281,28 +234,20 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> - return NT_STATUS_INVALID_INFO_CLASS;
> - }
> -
> -- status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
> -- cli->srv_name_slash,
> -- lp_netbios_name(),
> -- &clnt_creds,
> -- &ret_creds,
> -- logon_type,
> -- logon,
> -- validation_level,
> -- &validation,
> -- &authoritative,
> -- &result);
> -+ status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
> -+ cli->binding_handle,
> -+ logon_type,
> -+ logon,
> -+ mem_ctx,
> -+ &validation_level,
> -+ &validation,
> -+ &authoritative,
> -+ &flags);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> -
> -- /* Always check returned credentials */
> -- if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
> -- DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n"));
> -- return NT_STATUS_ACCESS_DENIED;
> -- }
> --
> -- return result;
> -+ return NT_STATUS_OK;
> - }
> -
> - static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> -@@ -366,29 +311,24 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> - const char *domain,
> - const char *workstation,
> - const uint8 chal[8],
> -- uint16_t validation_level,
> -+ uint16_t _ignored_validation_level,
> - DATA_BLOB lm_response,
> - DATA_BLOB nt_response,
> - struct netr_SamInfo3 **info3)
> - {
> -- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> - NTSTATUS status;
> - const char *workstation_name_slash;
> -- const char *server_name_slash;
> -- struct netr_Authenticator clnt_creds;
> -- struct netr_Authenticator ret_creds;
> - union netr_LogonLevel *logon = NULL;
> - struct netr_NetworkInfo *network_info;
> -- uint8_t authoritative;
> -- union netr_Validation validation;
> -+ uint16_t validation_level = 0;
> -+ union netr_Validation *validation = NULL;
> -+ uint8_t authoritative = 0;
> -+ uint32_t flags = 0;
> - struct netr_ChallengeResponse lm;
> - struct netr_ChallengeResponse nt;
> -- struct dcerpc_binding_handle *b = cli->binding_handle;
> -
> - *info3 = NULL;
> -
> -- ZERO_STRUCT(ret_creds);
> --
> - ZERO_STRUCT(lm);
> - ZERO_STRUCT(nt);
> -
> -@@ -402,21 +342,13 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
> --
> -- if (server[0] != '\\' && server[1] != '\\') {
> -- server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
> -- } else {
> -- server_name_slash = server;
> -- }
> --
> - if (workstation[0] != '\\' && workstation[1] != '\\') {
> - workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
> - } else {
> - workstation_name_slash = workstation;
> - }
> -
> -- if (!workstation_name_slash || !server_name_slash) {
> -+ if (!workstation_name_slash) {
> - DEBUG(0, ("talloc_asprintf failed!\n"));
> - return NT_STATUS_NO_MEMORY;
> - }
> -@@ -443,40 +375,27 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> -
> - /* Marshall data and send request */
> -
> -- status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
> -- server_name_slash,
> -- lp_netbios_name(),
> -- &clnt_creds,
> -- &ret_creds,
> -- NetlogonNetworkInformation,
> -- logon,
> -- validation_level,
> -- &validation,
> -- &authoritative,
> -- &result);
> -+ status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
> -+ cli->binding_handle,
> -+ NetlogonNetworkInformation,
> -+ logon,
> -+ mem_ctx,
> -+ &validation_level,
> -+ &validation,
> -+ &authoritative,
> -+ &flags);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> -
> -- /* Always check returned credentials. */
> -- if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
> -- DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n"));
> -- return NT_STATUS_ACCESS_DENIED;
> -- }
> --
> -- if (!NT_STATUS_IS_OK(result)) {
> -- return result;
> -- }
> --
> -- netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
> -- &validation);
> --
> -- result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
> -- if (!NT_STATUS_IS_OK(result)) {
> -- return result;
> -+ status = map_validation_to_info3(mem_ctx,
> -+ validation_level, validation,
> -+ info3);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> - }
> -
> -- return result;
> -+ return NT_STATUS_OK;
> - }
> -
> - NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
> -@@ -492,100 +411,18 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
> - DATA_BLOB nt_response,
> - struct netr_SamInfo3 **info3)
> - {
> -- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> -- NTSTATUS status;
> -- const char *workstation_name_slash;
> -- const char *server_name_slash;
> -- union netr_LogonLevel *logon = NULL;
> -- struct netr_NetworkInfo *network_info;
> -- uint8_t authoritative;
> -- union netr_Validation validation;
> -- struct netr_ChallengeResponse lm;
> -- struct netr_ChallengeResponse nt;
> -- uint32_t flags = 0;
> -- struct dcerpc_binding_handle *b = cli->binding_handle;
> --
> -- *info3 = NULL;
> --
> -- ZERO_STRUCT(lm);
> -- ZERO_STRUCT(nt);
> --
> -- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> -- if (!logon) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
> -- if (!network_info) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- if (server[0] != '\\' && server[1] != '\\') {
> -- server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
> -- } else {
> -- server_name_slash = server;
> -- }
> --
> -- if (workstation[0] != '\\' && workstation[1] != '\\') {
> -- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
> -- } else {
> -- workstation_name_slash = workstation;
> -- }
> --
> -- if (!workstation_name_slash || !server_name_slash) {
> -- DEBUG(0, ("talloc_asprintf failed!\n"));
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- /* Initialise input parameters */
> --
> -- lm.data = lm_response.data;
> -- lm.length = lm_response.length;
> -- nt.data = nt_response.data;
> -- nt.length = nt_response.length;
> --
> -- network_info->identity_info.domain_name.string = domain;
> -- network_info->identity_info.parameter_control = logon_parameters;
> -- network_info->identity_info.logon_id_low = 0xdead;
> -- network_info->identity_info.logon_id_high = 0xbeef;
> -- network_info->identity_info.account_name.string = username;
> -- network_info->identity_info.workstation.string = workstation_name_slash;
> --
> -- memcpy(network_info->challenge, chal, 8);
> -- network_info->nt = nt;
> -- network_info->lm = lm;
> --
> -- logon->network = network_info;
> --
> -- /* Marshall data and send request */
> --
> -- status = dcerpc_netr_LogonSamLogonEx(b, mem_ctx,
> -- server_name_slash,
> -- lp_netbios_name(),
> -- NetlogonNetworkInformation,
> -- logon,
> -- validation_level,
> -- &validation,
> -- &authoritative,
> -- &flags,
> -- &result);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> --
> -- if (!NT_STATUS_IS_OK(result)) {
> -- return result;
> -- }
> --
> -- netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
> -- &validation);
> --
> -- result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
> -- if (!NT_STATUS_IS_OK(result)) {
> -- return result;
> -- }
> --
> -- return result;
> -+ return rpccli_netlogon_sam_network_logon(cli,
> -+ mem_ctx,
> -+ logon_parameters,
> -+ server,
> -+ username,
> -+ domain,
> -+ workstation,
> -+ chal,
> -+ validation_level,
> -+ lm_response,
> -+ nt_response,
> -+ info3);
> - }
> -
> - /*********************************************************
> -@@ -605,11 +442,9 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> - const unsigned char new_trust_passwd_hash[16],
> - enum netr_SchannelType sec_channel_type)
> - {
> -- NTSTATUS result, status;
> -- struct netr_Authenticator clnt_creds, srv_cred;
> -- struct dcerpc_binding_handle *b = cli->binding_handle;
> -+ NTSTATUS result;
> -
> -- if (!cli->dc) {
> -+ if (cli->netlogon_creds == NULL) {
> - uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> - NETLOGON_NEG_SUPPORTS_AES;
> - result = rpccli_netlogon_setup_creds(cli,
> -@@ -627,77 +462,16 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> - }
> - }
> -
> -- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
> --
> -- if (cli->dc->negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
> --
> -- struct netr_CryptPassword new_password;
> -- uint32_t old_timeout;
> --
> -- init_netr_CryptPassword(new_trust_pwd_cleartext,
> -- cli->dc,
> -- &new_password);
> --
> -- old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
> --
> -- status = dcerpc_netr_ServerPasswordSet2(b, mem_ctx,
> -- cli->srv_name_slash,
> -- cli->dc->account_name,
> -- sec_channel_type,
> -- cli->dc->computer_name,
> -- &clnt_creds,
> -- &srv_cred,
> -- &new_password,
> -- &result);
> --
> -- dcerpc_binding_handle_set_timeout(b, old_timeout);
> --
> -- if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(0,("dcerpc_netr_ServerPasswordSet2 failed: %s\n",
> -- nt_errstr(status)));
> -- return status;
> -- }
> -- } else {
> --
> -- struct samr_Password new_password;
> -- uint32_t old_timeout;
> --
> -- memcpy(new_password.hash, new_trust_passwd_hash, sizeof(new_password.hash));
> -- netlogon_creds_des_encrypt(cli->dc, &new_password);
> --
> -- old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
> --
> -- status = dcerpc_netr_ServerPasswordSet(b, mem_ctx,
> -- cli->srv_name_slash,
> -- cli->dc->account_name,
> -- sec_channel_type,
> -- cli->dc->computer_name,
> -- &clnt_creds,
> -- &srv_cred,
> -- &new_password,
> -- &result);
> --
> -- dcerpc_binding_handle_set_timeout(b, old_timeout);
> --
> -- if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(0,("dcerpc_netr_ServerPasswordSet failed: %s\n",
> -- nt_errstr(status)));
> -- return status;
> -- }
> -- }
> --
> -- /* Always check returned credentials. */
> -- if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
> -- DEBUG(0,("credentials chain check failed\n"));
> -- return NT_STATUS_ACCESS_DENIED;
> -- }
> --
> -+ result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
> -+ cli->binding_handle,
> -+ new_trust_pwd_cleartext,
> -+ NULL); /* new_version */
> - if (!NT_STATUS_IS_OK(result)) {
> -- DEBUG(0,("dcerpc_netr_ServerPasswordSet{2} failed: %s\n",
> -+ DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
> - nt_errstr(result)));
> - return result;
> - }
> -
> -- return result;
> -+ return NT_STATUS_OK;
> - }
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index a45023f..fe1613d 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -24,6 +24,7 @@
> - #include "librpc/gen_ndr/ndr_epmapper_c.h"
> - #include "../librpc/gen_ndr/ndr_dssetup.h"
> - #include "../libcli/auth/schannel.h"
> -+#include "../libcli/auth/netlogon_creds_cli.h"
> - #include "auth_generic.h"
> - #include "librpc/gen_ndr/ndr_dcerpc.h"
> - #include "librpc/gen_ndr/ndr_netlogon_c.h"
> -@@ -3024,34 +3025,39 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - enum dcerpc_transport_t transport,
> - enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> -- struct netlogon_creds_CredentialState **pdc,
> -+ struct netlogon_creds_cli_context *netlogon_creds,
> - struct rpc_pipe_client **_rpccli)
> - {
> - struct rpc_pipe_client *rpccli;
> - struct pipe_auth_data *rpcauth;
> -+ struct netlogon_creds_CredentialState *creds = NULL;
> - NTSTATUS status;
> -- NTSTATUS result;
> -- struct netlogon_creds_CredentialState save_creds;
> -- struct netr_Authenticator auth;
> -- struct netr_Authenticator return_auth;
> -- union netr_Capabilities capabilities;
> - const char *target_service = table->authservices->names[0];
> -+ int rpc_pipe_bind_dbglvl = 0;
> -
> - status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> -
> -+ status = netlogon_creds_cli_lock(netlogon_creds, rpccli, &creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ DEBUG(0, ("netlogon_creds_cli_get returned %s\n",
> -+ nt_errstr(status)));
> -+ TALLOC_FREE(rpccli);
> -+ return status;
> -+ }
> -+
> - status = rpccli_generic_bind_data(rpccli,
> - DCERPC_AUTH_TYPE_SCHANNEL,
> - auth_level,
> - NULL,
> - target_service,
> - domain,
> -- (*pdc)->computer_name,
> -+ creds->computer_name,
> - NULL,
> - CRED_AUTO_USE_KERBEROS,
> -- *pdc,
> -+ creds,
> - &rpcauth);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
> -@@ -3060,120 +3066,43 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - return status;
> - }
> -
> -- /*
> -- * The credentials on a new netlogon pipe are the ones we are passed
> -- * in - copy them over
> -- *
> -- * This may get overwritten... in rpc_pipe_bind()...
> -- */
> -- rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
> -- if (rpccli->dc == NULL) {
> -- TALLOC_FREE(rpccli);
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> - status = rpc_pipe_bind(rpccli, rpcauth);
> -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
> -+ rpc_pipe_bind_dbglvl = 1;
> -+ netlogon_creds_cli_delete(netlogon_creds, &creds);
> -+ }
> - if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
> -- "cli_rpc_pipe_bind failed with error %s\n",
> -- nt_errstr(status) ));
> -+ DEBUG(rpc_pipe_bind_dbglvl,
> -+ ("cli_rpc_pipe_open_schannel_with_key: "
> -+ "rpc_pipe_bind failed with error %s\n",
> -+ nt_errstr(status)));
> - TALLOC_FREE(rpccli);
> - return status;
> - }
> -
> -- if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
> -- goto done;
> -- }
> --
> -- save_creds = *rpccli->dc;
> -- ZERO_STRUCT(return_auth);
> -- ZERO_STRUCT(capabilities);
> -+ TALLOC_FREE(creds);
> -
> -- netlogon_creds_client_authenticator(&save_creds, &auth);
> --
> -- status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
> -- talloc_tos(),
> -- rpccli->srv_name_slash,
> -- save_creds.computer_name,
> -- &auth, &return_auth,
> -- 1, &capabilities,
> -- &result);
> -- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> -- if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- DEBUG(5, ("AES was negotiated and the error was %s - "
> -- "downgrade detected\n",
> -- nt_errstr(status)));
> -- TALLOC_FREE(rpccli);
> -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> -- }
> --
> -- /* This is probably an old Samba Version */
> -- DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
> -- nt_errstr(status)));
> -+ if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
> - goto done;
> - }
> -
> -+ status = netlogon_creds_cli_check(netlogon_creds,
> -+ rpccli->binding_handle);
> - if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
> -+ DEBUG(0, ("netlogon_creds_cli_check failed with %s\n",
> - nt_errstr(status)));
> - TALLOC_FREE(rpccli);
> - return status;
> - }
> -
> -- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
> -- if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- /* This means AES isn't supported. */
> -- DEBUG(5, ("AES was negotiated and the result was %s - "
> -- "downgrade detected\n",
> -- nt_errstr(result)));
> -- TALLOC_FREE(rpccli);
> -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> -- }
> --
> -- /* This is probably an old Windows version */
> -- DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
> -- nt_errstr(result)));
> -- goto done;
> -- }
> --
> -- /*
> -- * We need to check the credential state here, cause win2k3 and earlier
> -- * returns NT_STATUS_NOT_IMPLEMENTED
> -- */
> -- if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
> -- /*
> -- * Server replied with bad credential. Fail.
> -- */
> -- DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
> -- "replied with bad credential\n",
> -- rpccli->desthost));
> -- TALLOC_FREE(rpccli);
> -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> -- }
> -- *rpccli->dc = save_creds;
> --
> -- if (!NT_STATUS_IS_OK(result)) {
> -- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
> -- nt_errstr(result)));
> -- TALLOC_FREE(rpccli);
> -- return result;
> -- }
> --
> -- if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
> -- /* This means AES isn't supported. */
> -- DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
> -- "was OK - downgrade detected\n"));
> -- TALLOC_FREE(rpccli);
> -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> -- }
> --
> -- if (save_creds.negotiate_flags != capabilities.server_capabilities) {
> -- DEBUG(0, ("The client capabilities don't match the server "
> -- "capabilities: local[0x%08X] remote[0x%08X]\n",
> -- save_creds.negotiate_flags,
> -- capabilities.server_capabilities));
> -+ status = netlogon_creds_cli_context_copy(netlogon_creds,
> -+ rpccli,
> -+ &rpccli->netlogon_creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
> -+ nt_errstr(status)));
> - TALLOC_FREE(rpccli);
> -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> -+ return status;
> - }
> -
> - done:
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index 826f9bf..cf0c5c6 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -96,7 +96,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - enum dcerpc_transport_t transport,
> - enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> -- struct netlogon_creds_CredentialState **pdc,
> -+ struct netlogon_creds_cli_context *netlogon_creds,
> - struct rpc_pipe_client **presult);
> -
> - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> -index aaae44b..e3d65c8 100644
> ---- a/source3/rpc_client/cli_pipe_schannel.c
> -+++ b/source3/rpc_client/cli_pipe_schannel.c
> -@@ -112,7 +112,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> - }
> -
> - status = cli_rpc_pipe_open_schannel_with_key(
> -- cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
> -+ cli, table, transport, auth_level, domain,
> -+ netlogon_pipe->netlogon_creds,
> - &result);
> -
> - /* Now we've bound using the session key we can close the netlog pipe. */
> -diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
> -index 8024f01..7c4cceb 100644
> ---- a/source3/rpc_client/rpc_client.h
> -+++ b/source3/rpc_client/rpc_client.h
> -@@ -50,7 +50,7 @@ struct rpc_pipe_client {
> - struct pipe_auth_data *auth;
> -
> - /* The following is only non-null on a netlogon client pipe. */
> -- struct netlogon_creds_CredentialState *dc;
> -+ struct netlogon_creds_cli_context *netlogon_creds;
> - };
> -
> - #endif /* _RPC_CLIENT_H */
> -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> -index d92434b..2e0b5e5 100644
> ---- a/source3/rpcclient/cmd_netlogon.c
> -+++ b/source3/rpcclient/cmd_netlogon.c
> -@@ -26,6 +26,7 @@
> - #include "../librpc/gen_ndr/ndr_netlogon_c.h"
> - #include "rpc_client/cli_netlogon.h"
> - #include "secrets.h"
> -+#include "../libcli/auth/netlogon_creds_cli.h"
> -
> - static WERROR cmd_netlogon_logon_ctrl2(struct rpc_pipe_client *cli,
> - TALLOC_CTX *mem_ctx, int argc,
> -@@ -630,8 +631,15 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
> -
> - do {
> - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> -+ struct netlogon_creds_CredentialState *creds = NULL;
> -
> -- netlogon_creds_client_authenticator(cli->dc, &credential);
> -+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
> -+ mem_ctx, &creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ netlogon_creds_client_authenticator(creds, &credential);
> -
> - status = dcerpc_netr_DatabaseSync2(b, mem_ctx,
> - logon_server,
> -@@ -645,15 +653,18 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
> - 0xffff,
> - &result);
> - if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(creds);
> - return status;
> - }
> -
> - /* Check returned credentials. */
> -- if (!netlogon_creds_client_check(cli->dc,
> -+ if (!netlogon_creds_client_check(creds,
> - &return_authenticator.cred)) {
> - DEBUG(0,("credentials chain check failed\n"));
> -+ TALLOC_FREE(creds);
> - return NT_STATUS_ACCESS_DENIED;
> - }
> -+ TALLOC_FREE(creds);
> -
> - if (NT_STATUS_IS_ERR(result)) {
> - break;
> -@@ -699,8 +710,15 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
> -
> - do {
> - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> -+ struct netlogon_creds_CredentialState *creds = NULL;
> -+
> -+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
> -+ mem_ctx, &creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -
> -- netlogon_creds_client_authenticator(cli->dc, &credential);
> -+ netlogon_creds_client_authenticator(creds, &credential);
> -
> - status = dcerpc_netr_DatabaseDeltas(b, mem_ctx,
> - logon_server,
> -@@ -713,15 +731,18 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
> - 0xffff,
> - &result);
> - if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(creds);
> - return status;
> - }
> -
> - /* Check returned credentials. */
> -- if (!netlogon_creds_client_check(cli->dc,
> -+ if (!netlogon_creds_client_check(creds,
> - &return_authenticator.cred)) {
> - DEBUG(0,("credentials chain check failed\n"));
> -+ TALLOC_FREE(creds);
> - return NT_STATUS_ACCESS_DENIED;
> - }
> -+ TALLOC_FREE(creds);
> -
> - if (NT_STATUS_IS_ERR(result)) {
> - break;
> -@@ -1129,6 +1150,7 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> - struct netr_ChangeLogEntry e;
> - uint32_t rid = 500;
> - struct dcerpc_binding_handle *b = cli->binding_handle;
> -+ struct netlogon_creds_CredentialState *creds = NULL;
> -
> - if (argc > 2) {
> - fprintf(stderr, "Usage: %s <user rid>\n", argv[0]);
> -@@ -1158,7 +1180,13 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> - return status;
> - }
> -
> -- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
> -+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
> -+ mem_ctx, &creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ netlogon_creds_client_authenticator(creds, &clnt_creds);
> -
> - ZERO_STRUCT(e);
> -
> -@@ -1176,13 +1204,16 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> - &delta_enum_array,
> - &result);
> - if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(creds);
> - return status;
> - }
> -
> -- if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
> -+ if (!netlogon_creds_client_check(creds, &srv_cred.cred)) {
> - DEBUG(0,("credentials chain check failed\n"));
> -+ TALLOC_FREE(creds);
> - return NT_STATUS_ACCESS_DENIED;
> - }
> -+ TALLOC_FREE(creds);
> -
> - return result;
> - }
> -@@ -1198,6 +1229,7 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
> - union netr_Capabilities capabilities;
> - uint32_t level = 1;
> - struct dcerpc_binding_handle *b = cli->binding_handle;
> -+ struct netlogon_creds_CredentialState *creds = NULL;
> -
> - if (argc > 2) {
> - fprintf(stderr, "Usage: %s <level>\n", argv[0]);
> -@@ -1210,7 +1242,13 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
> -
> - ZERO_STRUCT(return_authenticator);
> -
> -- netlogon_creds_client_authenticator(cli->dc, &credential);
> -+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
> -+ mem_ctx, &creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ netlogon_creds_client_authenticator(creds, &credential);
> -
> - status = dcerpc_netr_LogonGetCapabilities(b, mem_ctx,
> - cli->desthost,
> -@@ -1221,14 +1259,17 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
> - &capabilities,
> - &result);
> - if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(creds);
> - return status;
> - }
> -
> -- if (!netlogon_creds_client_check(cli->dc,
> -+ if (!netlogon_creds_client_check(creds,
> - &return_authenticator.cred)) {
> - DEBUG(0,("credentials chain check failed\n"));
> -+ TALLOC_FREE(creds);
> - return NT_STATUS_ACCESS_DENIED;
> - }
> -+ TALLOC_FREE(creds);
> -
> - printf("capabilities: 0x%08x\n", capabilities.server_capabilities);
> -
> -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
> -index afde685..b5fc010 100644
> ---- a/source3/winbindd/winbindd.h
> -+++ b/source3/winbindd/winbindd.h
> -@@ -165,16 +165,7 @@ struct winbindd_domain {
> - time_t startup_time; /* When we set "startup" true. monotonic clock */
> - bool startup; /* are we in the first 30 seconds after startup_time ? */
> -
> -- bool can_do_samlogon_ex; /* Due to the lack of finer control what type
> -- * of DC we have, let us try to do a
> -- * credential-chain less samlogon_ex call
> -- * with AD and schannel. If this fails with
> -- * DCERPC_FAULT_OP_RNG_ERROR, then set this
> -- * to False. This variable is around so that
> -- * we don't have to try _ex every time. */
> --
> - bool can_do_ncacn_ip_tcp;
> -- bool can_do_validation6;
> -
> - /* Lookup methods for this domain (LDAP or RPC) */
> - struct winbindd_methods *methods;
> -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> -index 6c1244e..e0d1d0c 100644
> ---- a/source3/winbindd/winbindd_cm.c
> -+++ b/source3/winbindd/winbindd_cm.c
> -@@ -2047,7 +2047,6 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
> - domain->active_directory ? "" : "NOT "));
> -
> - domain->can_do_ncacn_ip_tcp = domain->active_directory;
> -- domain->can_do_validation6 = domain->active_directory;
> -
> - domain->initialized = True;
> -
> -@@ -2248,7 +2247,6 @@ done:
> - domain->name, domain->active_directory ? "" : "NOT "));
> -
> - domain->can_do_ncacn_ip_tcp = domain->active_directory;
> -- domain->can_do_validation6 = domain->active_directory;
> -
> - TALLOC_FREE(cli);
> -
> -@@ -2289,7 +2287,7 @@ static void set_dc_type_and_flags( struct winbindd_domain *domain )
> - ***********************************************************************/
> -
> - static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
> -- struct netlogon_creds_CredentialState **ppdc)
> -+ struct netlogon_creds_cli_context **ppdc)
> - {
> - NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> - struct rpc_pipe_client *netlogon_pipe;
> -@@ -2306,11 +2304,11 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
> - /* Return a pointer to the struct netlogon_creds_CredentialState from the
> - netlogon pipe. */
> -
> -- if (!domain->conn.netlogon_pipe->dc) {
> -+ if (!domain->conn.netlogon_pipe->netlogon_creds) {
> - return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
> - }
> -
> -- *ppdc = domain->conn.netlogon_pipe->dc;
> -+ *ppdc = domain->conn.netlogon_pipe->netlogon_creds;
> - return NT_STATUS_OK;
> - }
> -
> -@@ -2319,7 +2317,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - {
> - struct winbindd_cm_conn *conn;
> - NTSTATUS status, result;
> -- struct netlogon_creds_CredentialState *p_creds;
> -+ struct netlogon_creds_cli_context *p_creds;
> - char *machine_password = NULL;
> - char *machine_account = NULL;
> - const char *domain_name = NULL;
> -@@ -2431,7 +2429,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - status = cli_rpc_pipe_open_schannel_with_key
> - (conn->cli, &ndr_table_samr, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY,
> -- domain->name, &p_creds, &conn->samr_pipe);
> -+ domain->name, p_creds, &conn->samr_pipe);
> -
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
> -@@ -2534,7 +2532,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> - struct rpc_pipe_client **cli)
> - {
> - struct winbindd_cm_conn *conn;
> -- struct netlogon_creds_CredentialState *creds;
> -+ struct netlogon_creds_cli_context *creds;
> - NTSTATUS status;
> -
> - DEBUG(10,("cm_connect_lsa_tcp\n"));
> -@@ -2565,7 +2563,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> - NCACN_IP_TCP,
> - DCERPC_AUTH_LEVEL_PRIVACY,
> - domain->name,
> -- &creds,
> -+ creds,
> - &conn->lsa_pipe_tcp);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
> -@@ -2589,7 +2587,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - {
> - struct winbindd_cm_conn *conn;
> - NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> -- struct netlogon_creds_CredentialState *p_creds;
> -+ struct netlogon_creds_cli_context *p_creds;
> -
> - result = init_dc_connection_rpc(domain);
> - if (!NT_STATUS_IS_OK(result))
> -@@ -2662,7 +2660,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - result = cli_rpc_pipe_open_schannel_with_key
> - (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY,
> -- domain->name, &p_creds, &conn->lsa_pipe);
> -+ domain->name, p_creds, &conn->lsa_pipe);
> -
> - if (!NT_STATUS_IS_OK(result)) {
> - DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
> -@@ -2826,10 +2824,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> - no_schannel:
> - if ((lp_client_schannel() == False) ||
> - ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
> -- /*
> -- * NetSamLogonEx only works for schannel
> -- */
> -- domain->can_do_samlogon_ex = False;
> -
> - /* We're done - just keep the existing connection to NETLOGON
> - * open */
> -@@ -2845,7 +2839,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> -
> - result = cli_rpc_pipe_open_schannel_with_key(
> - conn->cli, &ndr_table_netlogon, NCACN_NP,
> -- DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
> -+ DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
> -+ netlogon_pipe->netlogon_creds,
> - &conn->netlogon_pipe);
> -
> - /* We can now close the initial netlogon pipe. */
> -@@ -2859,15 +2854,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> - return result;
> - }
> -
> -- /*
> -- * Always try netr_LogonSamLogonEx. We will fall back for NT4
> -- * which gives DCERPC_FAULT_OP_RNG_ERROR (function not
> -- * supported). We used to only try SamLogonEx for AD, but
> -- * Samba DCs can also do it. And because we don't distinguish
> -- * between Samba and NT4, always try it once.
> -- */
> -- domain->can_do_samlogon_ex = true;
> --
> - *cli = conn->netlogon_pipe;
> - return NT_STATUS_OK;
> - }
> -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> -index c356686..39483a5 100644
> ---- a/source3/winbindd/winbindd_pam.c
> -+++ b/source3/winbindd/winbindd_pam.c
> -@@ -1228,8 +1228,6 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> -
> - do {
> - struct rpc_pipe_client *netlogon_pipe;
> -- const struct pipe_auth_data *auth;
> -- uint32_t neg_flags = 0;
> -
> - ZERO_STRUCTP(info3);
> - retry = false;
> -@@ -1278,75 +1276,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> - }
> - netr_attempts = 0;
> -
> -- auth = netlogon_pipe->auth;
> -- if (netlogon_pipe->dc) {
> -- neg_flags = netlogon_pipe->dc->negotiate_flags;
> -- }
> --
> -- /* It is really important to try SamLogonEx here,
> -- * because in a clustered environment, we want to use
> -- * one machine account from multiple physical
> -- * computers.
> -- *
> -- * With a normal SamLogon call, we must keep the
> -- * credentials chain updated and intact between all
> -- * users of the machine account (which would imply
> -- * cross-node communication for every NTLM logon).
> -- *
> -- * (The credentials chain is not per NETLOGON pipe
> -- * connection, but globally on the server/client pair
> -- * by machine name).
> -- *
> -- * When using SamLogonEx, the credentials are not
> -- * supplied, but the session key is implied by the
> -- * wrapping SamLogon context.
> -- *
> -- * -- abartlet 21 April 2008
> -- *
> -- * It's also important to use NetlogonValidationSamInfo4 (6),
> -- * because it relies on the rpc transport encryption
> -- * and avoids using the global netlogon schannel
> -- * session key to en/decrypt secret information
> -- * like the user_session_key for network logons.
> -- *
> -- * [MS-APDS] 3.1.5.2 NTLM Network Logon
> -- * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
> -- * NETLOGON_NEG_AUTHENTICATED_RPC set together
> -- * are the indication that the server supports
> -- * NetlogonValidationSamInfo4 (6). And it must only
> -- * be used if "SealSecureChannel" is used.
> -- *
> -- * -- metze 4 February 2011
> -- */
> --
> -- if (auth == NULL) {
> -- domain->can_do_validation6 = false;
> -- } else if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
> -- domain->can_do_validation6 = false;
> -- } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
> -- domain->can_do_validation6 = false;
> -- } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
> -- domain->can_do_validation6 = false;
> -- } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> -- domain->can_do_validation6 = false;
> -- }
> --
> -- if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
> -- result = rpccli_netlogon_sam_network_logon_ex(
> -- netlogon_pipe,
> -- mem_ctx,
> -- logon_parameters,
> -- server, /* server name */
> -- username, /* user name */
> -- domainname, /* target domain */
> -- workstation, /* workstation */
> -- chal,
> -- 6,
> -- lm_response,
> -- nt_response,
> -- info3);
> -- } else {
> -- result = rpccli_netlogon_sam_network_logon(
> -+ result = rpccli_netlogon_sam_network_logon(
> - netlogon_pipe,
> - mem_ctx,
> - logon_parameters,
> -@@ -1355,48 +1285,10 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> - domainname, /* target domain */
> - workstation, /* workstation */
> - chal,
> -- domain->can_do_validation6 ? 6 : 3,
> -+ -1, /* ignored */
> - lm_response,
> - nt_response,
> - info3);
> -- }
> --
> -- if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> --
> -- /*
> -- * It's likely that the server also does not support
> -- * validation level 6
> -- */
> -- domain->can_do_validation6 = false;
> --
> -- if (domain->can_do_samlogon_ex) {
> -- DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
> -- "retrying with NetSamLogon\n"));
> -- domain->can_do_samlogon_ex = false;
> -- retry = true;
> -- continue;
> -- }
> --
> --
> -- /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
> -- * (no Ex). This happens against old Samba
> -- * DCs. Drop the connection.
> -- */
> -- invalidate_cm_connection(&domain->conn);
> -- result = NT_STATUS_LOGON_FAILURE;
> -- break;
> -- }
> --
> -- if (domain->can_do_validation6 &&
> -- (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
> -- NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
> -- NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
> -- DEBUG(3,("Got a DC that can not do validation level 6, "
> -- "retrying with level 3\n"));
> -- domain->can_do_validation6 = false;
> -- retry = true;
> -- continue;
> -- }
> -
> - /*
> - * we increment this after the "feature negotiation"
> -@@ -1428,6 +1320,30 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> - retry = true;
> - }
> -
> -+ if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> -+ /*
> -+ * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
> -+ * (no Ex). This happens against old Samba
> -+ * DCs, if LogonSamLogonEx() fails with an error
> -+ * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
> -+ *
> -+ * The server will log something like this:
> -+ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
> -+ *
> -+ * This sets the whole connection into a fault_state mode
> -+ * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
> -+ *
> -+ * This also happens to our retry with LogonSamLogonWithFlags()
> -+ * and LogonSamLogon().
> -+ *
> -+ * In order to recover from this situation, we need to
> -+ * drop the connection.
> -+ */
> -+ invalidate_cm_connection(&domain->conn);
> -+ result = NT_STATUS_LOGON_FAILURE;
> -+ break;
> -+ }
> -+
> - } while ( (attempts < 2) && retry );
> -
> - if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
> -diff --git a/source3/wscript_build b/source3/wscript_build
> -index 13d15c3..0d3ba8e 100755
> ---- a/source3/wscript_build
> -+++ b/source3/wscript_build
> -@@ -671,8 +671,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
> - deps='''ndr ndr-standard
> - RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
> - LIBTSOCKET gse dcerpc-binding
> -- libsmb
> -- ndr-table''',
> -+ libsmb ndr-table NETLOGON_CREDS_CLI
> -+ ''',
> - vars=locals(),
> - private_library=True)
> -
> -@@ -1114,7 +1114,7 @@ bld.SAMBA3_LIBRARY('libcli_lsa3',
> -
> - bld.SAMBA3_LIBRARY('libcli_netlogon3',
> - source=LIBCLI_NETLOGON_SRC,
> -- deps='RPC_NDR_NETLOGON INIT_NETLOGON cliauth param',
> -+ deps='msrpc3 RPC_NDR_NETLOGON INIT_NETLOGON cliauth param NETLOGON_CREDS_CLI',
> - private_library=True)
> -
> - bld.SAMBA3_LIBRARY('cli_spoolss',
> ---
> -1.9.3
> -
> -
> -From 0b489bffb452e05d595abc2894532100162a4e8c Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 17 Oct 2013 17:03:00 +0200
> -Subject: [PATCH 175/249] s3:rpc_client: use netlogon_creds_cli_auth_level() in
> - cli_rpc_pipe_open_schannel_with_key()
> -
> -This means the auth level is now based on the "winbindd sealed pipes" option,
> -defaulting to "yes" and DCERPC_AUTH_LEVEL_PRIVACY.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 5adfc5f9f737c003b84b0187fa17b9fc3784442e)
> ----
> - source3/libnet/libnet_join.c | 1 -
> - source3/rpc_client/cli_pipe.c | 4 +++-
> - source3/rpc_client/cli_pipe.h | 1 -
> - source3/rpc_client/cli_pipe_schannel.c | 2 +-
> - source3/winbindd/winbindd_cm.c | 5 +----
> - 5 files changed, 5 insertions(+), 8 deletions(-)
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index 5dc620f..b2805ee 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -1278,7 +1278,6 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> -
> - status = cli_rpc_pipe_open_schannel_with_key(
> - cli, &ndr_table_netlogon, NCACN_NP,
> -- DCERPC_AUTH_LEVEL_PRIVACY,
> - netbios_domain_name,
> - netlogon_pipe->netlogon_creds, &pipe_hnd);
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index fe1613d..31cd7f5 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -3023,7 +3023,6 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> - NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - const struct ndr_interface_table *table,
> - enum dcerpc_transport_t transport,
> -- enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> - struct netlogon_creds_cli_context *netlogon_creds,
> - struct rpc_pipe_client **_rpccli)
> -@@ -3031,6 +3030,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - struct rpc_pipe_client *rpccli;
> - struct pipe_auth_data *rpcauth;
> - struct netlogon_creds_CredentialState *creds = NULL;
> -+ enum dcerpc_AuthLevel auth_level;
> - NTSTATUS status;
> - const char *target_service = table->authservices->names[0];
> - int rpc_pipe_bind_dbglvl = 0;
> -@@ -3048,6 +3048,8 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - return status;
> - }
> -
> -+ auth_level = netlogon_creds_cli_auth_level(netlogon_creds);
> -+
> - status = rpccli_generic_bind_data(rpccli,
> - DCERPC_AUTH_TYPE_SCHANNEL,
> - auth_level,
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index cf0c5c6..c21c55d 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -94,7 +94,6 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
> - NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - const struct ndr_interface_table *table,
> - enum dcerpc_transport_t transport,
> -- enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> - struct netlogon_creds_cli_context *netlogon_creds,
> - struct rpc_pipe_client **presult);
> -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> -index e3d65c8..8f9161f 100644
> ---- a/source3/rpc_client/cli_pipe_schannel.c
> -+++ b/source3/rpc_client/cli_pipe_schannel.c
> -@@ -112,7 +112,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> - }
> -
> - status = cli_rpc_pipe_open_schannel_with_key(
> -- cli, table, transport, auth_level, domain,
> -+ cli, table, transport, domain,
> - netlogon_pipe->netlogon_creds,
> - &result);
> -
> -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> -index e0d1d0c..1546002 100644
> ---- a/source3/winbindd/winbindd_cm.c
> -+++ b/source3/winbindd/winbindd_cm.c
> -@@ -2428,7 +2428,6 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - }
> - status = cli_rpc_pipe_open_schannel_with_key
> - (conn->cli, &ndr_table_samr, NCACN_NP,
> -- DCERPC_AUTH_LEVEL_PRIVACY,
> - domain->name, p_creds, &conn->samr_pipe);
> -
> - if (!NT_STATUS_IS_OK(status)) {
> -@@ -2561,7 +2560,6 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> - status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
> - &ndr_table_lsarpc,
> - NCACN_IP_TCP,
> -- DCERPC_AUTH_LEVEL_PRIVACY,
> - domain->name,
> - creds,
> - &conn->lsa_pipe_tcp);
> -@@ -2659,7 +2657,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> - }
> - result = cli_rpc_pipe_open_schannel_with_key
> - (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> -- DCERPC_AUTH_LEVEL_PRIVACY,
> - domain->name, p_creds, &conn->lsa_pipe);
> -
> - if (!NT_STATUS_IS_OK(result)) {
> -@@ -2839,7 +2836,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> -
> - result = cli_rpc_pipe_open_schannel_with_key(
> - conn->cli, &ndr_table_netlogon, NCACN_NP,
> -- DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
> -+ domain->name,
> - netlogon_pipe->netlogon_creds,
> - &conn->netlogon_pipe);
> -
> ---
> -1.9.3
> -
> -
> -From 0f19f3b64e4f0b969eec4f2048df7c40be661e82 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 7 Aug 2013 11:27:25 +0200
> -Subject: [PATCH 176/249] s3:rpc_client: add
> - rpccli_{create,setup}_netlogon_creds()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 14ceb7b501fce6623be284cbcceb573fd2e10d3a)
> ----
> - source3/rpc_client/cli_netlogon.c | 105 ++++++++++++++++++++++++++++++++++++++
> - source3/rpc_client/cli_netlogon.h | 16 ++++++
> - 2 files changed, 121 insertions(+)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index fcd24d6..89aec37 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -21,15 +21,19 @@
> - */
> -
> - #include "includes.h"
> -+#include "libsmb/libsmb.h"
> - #include "rpc_client/rpc_client.h"
> -+#include "rpc_client/cli_pipe.h"
> - #include "../libcli/auth/libcli_auth.h"
> - #include "../libcli/auth/netlogon_creds_cli.h"
> - #include "../librpc/gen_ndr/ndr_netlogon_c.h"
> -+#include "../librpc/gen_ndr/schannel.h"
> - #include "rpc_client/cli_netlogon.h"
> - #include "rpc_client/init_netlogon.h"
> - #include "rpc_client/util_netlogon.h"
> - #include "../libcli/security/security.h"
> - #include "lib/param/param.h"
> -+#include "libcli/smb/smbXcli_base.h"
> -
> - /****************************************************************************
> - Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
> -@@ -124,6 +128,107 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> - return NT_STATUS_OK;
> - }
> -
> -+NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> -+ const char *server_netbios_domain,
> -+ const char *client_account,
> -+ enum netr_SchannelType sec_chan_type,
> -+ struct messaging_context *msg_ctx,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_cli_context **netlogon_creds)
> -+{
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct loadparm_context *lp_ctx;
> -+ NTSTATUS status;
> -+
> -+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> -+ if (lp_ctx == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ status = netlogon_creds_cli_context_global(lp_ctx,
> -+ msg_ctx,
> -+ client_account,
> -+ sec_chan_type,
> -+ server_computer,
> -+ server_netbios_domain,
> -+ mem_ctx, netlogon_creds);
> -+ TALLOC_FREE(frame);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> -+ struct netlogon_creds_cli_context *netlogon_creds,
> -+ bool force_reauth,
> -+ struct samr_Password current_nt_hash,
> -+ const struct samr_Password *previous_nt_hash)
> -+{
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct rpc_pipe_client *netlogon_pipe = NULL;
> -+ struct netlogon_creds_CredentialState *creds = NULL;
> -+ NTSTATUS status;
> -+
> -+ status = netlogon_creds_cli_get(netlogon_creds,
> -+ frame, &creds);
> -+ if (NT_STATUS_IS_OK(status)) {
> -+ const char *action = "using";
> -+
> -+ if (force_reauth) {
> -+ action = "overwrite";
> -+ }
> -+
> -+ DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
> -+ __FUNCTION__, action,
> -+ creds->account_name, creds->computer_name,
> -+ smbXcli_conn_remote_name(cli->conn)));
> -+ if (!force_reauth) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_OK;
> -+ }
> -+ TALLOC_FREE(creds);
> -+ }
> -+
> -+ status = cli_rpc_pipe_open_noauth(cli,
> -+ &ndr_table_netlogon,
> -+ &netlogon_pipe);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
> -+ __FUNCTION__,
> -+ smbXcli_conn_remote_name(cli->conn),
> -+ nt_errstr(status)));
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+ talloc_steal(frame, netlogon_pipe);
> -+
> -+ status = netlogon_creds_cli_auth(netlogon_creds,
> -+ netlogon_pipe->binding_handle,
> -+ current_nt_hash,
> -+ previous_nt_hash);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+
> -+ status = netlogon_creds_cli_get(netlogon_creds,
> -+ frame, &creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_INTERNAL_ERROR;
> -+ }
> -+
> -+ DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
> -+ __FUNCTION__,
> -+ creds->account_name, creds->computer_name,
> -+ smbXcli_conn_remote_name(cli->conn)));
> -+
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_OK;
> -+}
> -+
> - /* Logon domain user */
> -
> - NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> -index ad59d5b..82e0923 100644
> ---- a/source3/rpc_client/cli_netlogon.h
> -+++ b/source3/rpc_client/cli_netlogon.h
> -@@ -23,6 +23,10 @@
> - #ifndef _RPC_CLIENT_CLI_NETLOGON_H_
> - #define _RPC_CLIENT_CLI_NETLOGON_H_
> -
> -+struct cli_state;
> -+struct messaging_context;
> -+struct netlogon_creds_cli_context;
> -+
> - /* The following definitions come from rpc_client/cli_netlogon.c */
> -
> - NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> -@@ -33,6 +37,18 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> - const unsigned char machine_pwd[16],
> - enum netr_SchannelType sec_chan_type,
> - uint32_t *neg_flags_inout);
> -+NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> -+ const char *server_netbios_domain,
> -+ const char *client_account,
> -+ enum netr_SchannelType sec_chan_type,
> -+ struct messaging_context *msg_ctx,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_cli_context **netlogon_creds);
> -+NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> -+ struct netlogon_creds_cli_context *netlogon_creds,
> -+ bool force_reauth,
> -+ struct samr_Password current_nt_hash,
> -+ const struct samr_Password *previous_nt_hash);
> - NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> - TALLOC_CTX *mem_ctx,
> - uint32 logon_parameters,
> ---
> -1.9.3
> -
> -
> -From de0ed0882a458e52ef232e7d44234bf393311fc0 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 17 Dec 2013 20:05:56 +0100
> -Subject: [PATCH 177/249] s3:rpc_client: add rpccli_pre_open_netlogon_creds()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 3c025af657899c9a2ff14f868c03ff72ab74cf8e)
> ----
> - source3/rpc_client/cli_netlogon.c | 21 +++++++++++++++++++++
> - source3/rpc_client/cli_netlogon.h | 1 +
> - 2 files changed, 22 insertions(+)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index 89aec37..9342fc3 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -128,6 +128,27 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> - return NT_STATUS_OK;
> - }
> -
> -+NTSTATUS rpccli_pre_open_netlogon_creds(void)
> -+{
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct loadparm_context *lp_ctx;
> -+ NTSTATUS status;
> -+
> -+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> -+ if (lp_ctx == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ status = netlogon_creds_cli_open_global_db(lp_ctx);
> -+ TALLOC_FREE(frame);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ return NT_STATUS_OK;
> -+}
> -+
> - NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> - const char *server_netbios_domain,
> - const char *client_account,
> -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> -index 82e0923..3096c48 100644
> ---- a/source3/rpc_client/cli_netlogon.h
> -+++ b/source3/rpc_client/cli_netlogon.h
> -@@ -37,6 +37,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> - const unsigned char machine_pwd[16],
> - enum netr_SchannelType sec_chan_type,
> - uint32_t *neg_flags_inout);
> -+NTSTATUS rpccli_pre_open_netlogon_creds(void);
> - NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> - const char *server_netbios_domain,
> - const char *client_account,
> ---
> -1.9.3
> -
> -
> -From f4f7df785d1641f1e21ad8374140715fd41be07a Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 27 Aug 2013 14:07:43 +0200
> -Subject: [PATCH 178/249] s3:rpc_client: remove unused
> - rpccli_netlogon_sam_network_logon_ex()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit a07cc9a1c6ab8fee516e069a6f90bb48a7abf875)
> ----
> - source3/rpc_client/cli_netlogon.c | 27 ---------------------------
> - source3/rpc_client/cli_netlogon.h | 12 ------------
> - 2 files changed, 39 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index 9342fc3..253d060 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -524,33 +524,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> - return NT_STATUS_OK;
> - }
> -
> --NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
> -- TALLOC_CTX *mem_ctx,
> -- uint32 logon_parameters,
> -- const char *server,
> -- const char *username,
> -- const char *domain,
> -- const char *workstation,
> -- const uint8 chal[8],
> -- uint16_t validation_level,
> -- DATA_BLOB lm_response,
> -- DATA_BLOB nt_response,
> -- struct netr_SamInfo3 **info3)
> --{
> -- return rpccli_netlogon_sam_network_logon(cli,
> -- mem_ctx,
> -- logon_parameters,
> -- server,
> -- username,
> -- domain,
> -- workstation,
> -- chal,
> -- validation_level,
> -- lm_response,
> -- nt_response,
> -- info3);
> --}
> --
> - /*********************************************************
> - Change the domain password on the PDC.
> -
> -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> -index 3096c48..f10e5c7 100644
> ---- a/source3/rpc_client/cli_netlogon.h
> -+++ b/source3/rpc_client/cli_netlogon.h
> -@@ -71,18 +71,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> - DATA_BLOB lm_response,
> - DATA_BLOB nt_response,
> - struct netr_SamInfo3 **info3);
> --NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
> -- TALLOC_CTX *mem_ctx,
> -- uint32 logon_parameters,
> -- const char *server,
> -- const char *username,
> -- const char *domain,
> -- const char *workstation,
> -- const uint8 chal[8],
> -- uint16_t validation_level,
> -- DATA_BLOB lm_response,
> -- DATA_BLOB nt_response,
> -- struct netr_SamInfo3 **info3);
> - NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> - TALLOC_CTX *mem_ctx,
> - const char *account_name,
> ---
> -1.9.3
> -
> -
> -From b250859baf6c720e636c2435b0593af83acf6acc Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 27 Aug 2013 14:36:24 +0200
> -Subject: [PATCH 179/249] s3:rpc_client: add rpccli_netlogon_network_logon()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 5196493c9e599b741417b119b48188ba0d646a37)
> ----
> - source3/rpc_client/cli_netlogon.c | 103 ++++++++++++++++++++++++++++++++++++++
> - source3/rpc_client/cli_netlogon.h | 14 ++++++
> - 2 files changed, 117 insertions(+)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index 253d060..e335423 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -524,6 +524,109 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> - return NT_STATUS_OK;
> - }
> -
> -+NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> -+ struct dcerpc_binding_handle *binding_handle,
> -+ TALLOC_CTX *mem_ctx,
> -+ uint32_t logon_parameters,
> -+ const char *username,
> -+ const char *domain,
> -+ const char *workstation,
> -+ const uint8 chal[8],
> -+ DATA_BLOB lm_response,
> -+ DATA_BLOB nt_response,
> -+ uint8_t *authoritative,
> -+ uint32_t *flags,
> -+ struct netr_SamInfo3 **info3)
> -+{
> -+ NTSTATUS status;
> -+ const char *workstation_name_slash;
> -+ union netr_LogonLevel *logon = NULL;
> -+ struct netr_NetworkInfo *network_info;
> -+ uint16_t validation_level = 0;
> -+ union netr_Validation *validation = NULL;
> -+ uint8_t _authoritative = 0;
> -+ uint32_t _flags = 0;
> -+ struct netr_ChallengeResponse lm;
> -+ struct netr_ChallengeResponse nt;
> -+
> -+ *info3 = NULL;
> -+
> -+ if (authoritative == NULL) {
> -+ authoritative = &_authoritative;
> -+ }
> -+ if (flags == NULL) {
> -+ flags = &_flags;
> -+ }
> -+
> -+ ZERO_STRUCT(lm);
> -+ ZERO_STRUCT(nt);
> -+
> -+ logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> -+ if (!logon) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
> -+ if (!network_info) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ if (workstation[0] != '\\' && workstation[1] != '\\') {
> -+ workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
> -+ } else {
> -+ workstation_name_slash = workstation;
> -+ }
> -+
> -+ if (!workstation_name_slash) {
> -+ DEBUG(0, ("talloc_asprintf failed!\n"));
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ /* Initialise input parameters */
> -+
> -+ lm.data = lm_response.data;
> -+ lm.length = lm_response.length;
> -+ nt.data = nt_response.data;
> -+ nt.length = nt_response.length;
> -+
> -+ network_info->identity_info.domain_name.string = domain;
> -+ network_info->identity_info.parameter_control = logon_parameters;
> -+ network_info->identity_info.logon_id_low = 0xdead;
> -+ network_info->identity_info.logon_id_high = 0xbeef;
> -+ network_info->identity_info.account_name.string = username;
> -+ network_info->identity_info.workstation.string = workstation_name_slash;
> -+
> -+ memcpy(network_info->challenge, chal, 8);
> -+ network_info->nt = nt;
> -+ network_info->lm = lm;
> -+
> -+ logon->network = network_info;
> -+
> -+ /* Marshall data and send request */
> -+
> -+ status = netlogon_creds_cli_LogonSamLogon(creds,
> -+ binding_handle,
> -+ NetlogonNetworkInformation,
> -+ logon,
> -+ mem_ctx,
> -+ &validation_level,
> -+ &validation,
> -+ authoritative,
> -+ flags);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ status = map_validation_to_info3(mem_ctx,
> -+ validation_level, validation,
> -+ info3);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ return NT_STATUS_OK;
> -+}
> -+
> - /*********************************************************
> - Change the domain password on the PDC.
> -
> -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> -index f10e5c7..54ed7ae 100644
> ---- a/source3/rpc_client/cli_netlogon.h
> -+++ b/source3/rpc_client/cli_netlogon.h
> -@@ -26,6 +26,7 @@
> - struct cli_state;
> - struct messaging_context;
> - struct netlogon_creds_cli_context;
> -+struct dcerpc_binding_handle;
> -
> - /* The following definitions come from rpc_client/cli_netlogon.c */
> -
> -@@ -71,6 +72,19 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> - DATA_BLOB lm_response,
> - DATA_BLOB nt_response,
> - struct netr_SamInfo3 **info3);
> -+NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> -+ struct dcerpc_binding_handle *binding_handle,
> -+ TALLOC_CTX *mem_ctx,
> -+ uint32_t logon_parameters,
> -+ const char *username,
> -+ const char *domain,
> -+ const char *workstation,
> -+ const uint8 chal[8],
> -+ DATA_BLOB lm_response,
> -+ DATA_BLOB nt_response,
> -+ uint8_t *authoritative,
> -+ uint32_t *flags,
> -+ struct netr_SamInfo3 **info3);
> - NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> - TALLOC_CTX *mem_ctx,
> - const char *account_name,
> ---
> -1.9.3
> -
> -
> -From 2488e78fdf3058bf3a48c2086afd0f3248a43417 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 27 Aug 2013 14:56:06 +0200
> -Subject: [PATCH 180/249] s3:rpc_client: add rpccli_netlogon_password_logon()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit b7dc3fb20468aa67ea7ddc1cea21fbe458e74565)
> ----
> - source3/rpc_client/cli_netlogon.c | 133 ++++++++++++++++++++++++++++++++++++++
> - source3/rpc_client/cli_netlogon.h | 8 +++
> - 2 files changed, 141 insertions(+)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index e335423..a9f8604 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -376,6 +376,139 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> - return NT_STATUS_OK;
> - }
> -
> -+NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> -+ struct dcerpc_binding_handle *binding_handle,
> -+ uint32_t logon_parameters,
> -+ const char *domain,
> -+ const char *username,
> -+ const char *password,
> -+ const char *workstation,
> -+ enum netr_LogonInfoClass logon_type)
> -+{
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ NTSTATUS status;
> -+ union netr_LogonLevel *logon;
> -+ uint16_t validation_level = 0;
> -+ union netr_Validation *validation = NULL;
> -+ uint8_t authoritative = 0;
> -+ uint32_t flags = 0;
> -+ char *workstation_slash = NULL;
> -+
> -+ logon = talloc_zero(frame, union netr_LogonLevel);
> -+ if (logon == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ if (workstation == NULL) {
> -+ workstation = lp_netbios_name();
> -+ }
> -+
> -+ workstation_slash = talloc_asprintf(frame, "\\\\%s", workstation);
> -+ if (workstation_slash == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ /* Initialise input parameters */
> -+
> -+ switch (logon_type) {
> -+ case NetlogonInteractiveInformation: {
> -+
> -+ struct netr_PasswordInfo *password_info;
> -+
> -+ struct samr_Password lmpassword;
> -+ struct samr_Password ntpassword;
> -+
> -+ password_info = talloc_zero(frame, struct netr_PasswordInfo);
> -+ if (password_info == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
> -+
> -+ password_info->identity_info.domain_name.string = domain;
> -+ password_info->identity_info.parameter_control = logon_parameters;
> -+ password_info->identity_info.logon_id_low = 0xdead;
> -+ password_info->identity_info.logon_id_high = 0xbeef;
> -+ password_info->identity_info.account_name.string = username;
> -+ password_info->identity_info.workstation.string = workstation_slash;
> -+
> -+ password_info->lmpassword = lmpassword;
> -+ password_info->ntpassword = ntpassword;
> -+
> -+ logon->password = password_info;
> -+
> -+ break;
> -+ }
> -+ case NetlogonNetworkInformation: {
> -+ struct netr_NetworkInfo *network_info;
> -+ uint8 chal[8];
> -+ unsigned char local_lm_response[24];
> -+ unsigned char local_nt_response[24];
> -+ struct netr_ChallengeResponse lm;
> -+ struct netr_ChallengeResponse nt;
> -+
> -+ ZERO_STRUCT(lm);
> -+ ZERO_STRUCT(nt);
> -+
> -+ network_info = talloc_zero(frame, struct netr_NetworkInfo);
> -+ if (network_info == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ generate_random_buffer(chal, 8);
> -+
> -+ SMBencrypt(password, chal, local_lm_response);
> -+ SMBNTencrypt(password, chal, local_nt_response);
> -+
> -+ lm.length = 24;
> -+ lm.data = local_lm_response;
> -+
> -+ nt.length = 24;
> -+ nt.data = local_nt_response;
> -+
> -+ network_info->identity_info.domain_name.string = domain;
> -+ network_info->identity_info.parameter_control = logon_parameters;
> -+ network_info->identity_info.logon_id_low = 0xdead;
> -+ network_info->identity_info.logon_id_high = 0xbeef;
> -+ network_info->identity_info.account_name.string = username;
> -+ network_info->identity_info.workstation.string = workstation_slash;
> -+
> -+ memcpy(network_info->challenge, chal, 8);
> -+ network_info->nt = nt;
> -+ network_info->lm = lm;
> -+
> -+ logon->network = network_info;
> -+
> -+ break;
> -+ }
> -+ default:
> -+ DEBUG(0, ("switch value %d not supported\n",
> -+ logon_type));
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_INVALID_INFO_CLASS;
> -+ }
> -+
> -+ status = netlogon_creds_cli_LogonSamLogon(creds,
> -+ binding_handle,
> -+ logon_type,
> -+ logon,
> -+ frame,
> -+ &validation_level,
> -+ &validation,
> -+ &authoritative,
> -+ &flags);
> -+ TALLOC_FREE(frame);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ return NT_STATUS_OK;
> -+}
> -+
> - static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> - uint16_t validation_level,
> - union netr_Validation *validation,
> -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> -index 54ed7ae..d4c6670 100644
> ---- a/source3/rpc_client/cli_netlogon.h
> -+++ b/source3/rpc_client/cli_netlogon.h
> -@@ -60,6 +60,14 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> - const char *workstation,
> - uint16_t validation_level,
> - int logon_type);
> -+NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> -+ struct dcerpc_binding_handle *binding_handle,
> -+ uint32_t logon_parameters,
> -+ const char *domain,
> -+ const char *username,
> -+ const char *password,
> -+ const char *workstation,
> -+ enum netr_LogonInfoClass logon_type);
> - NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> - TALLOC_CTX *mem_ctx,
> - uint32 logon_parameters,
> ---
> -1.9.3
> -
> -
> -From 10c272f991643913358efd5fefb28fc1ce307c70 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 17 Dec 2013 20:06:14 +0100
> -Subject: [PATCH 181/249] s3:winbindd: call rpccli_pre_open_netlogon_creds() in
> - the parent
> -
> -This opens the CLEAR_IF_FIRST tdb in the long living parent.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 07126b6fb22cebce660d1d1a4f0f9fb905064aa0)
> ----
> - source3/winbindd/winbindd.c | 8 ++++++++
> - 1 file changed, 8 insertions(+)
> -
> -diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
> -index 69a17bf..a90c8fe 100644
> ---- a/source3/winbindd/winbindd.c
> -+++ b/source3/winbindd/winbindd.c
> -@@ -31,6 +31,7 @@
> - #include "../librpc/gen_ndr/srv_lsa.h"
> - #include "../librpc/gen_ndr/srv_samr.h"
> - #include "secrets.h"
> -+#include "rpc_client/cli_netlogon.h"
> - #include "idmap.h"
> - #include "lib/addrchange.h"
> - #include "serverid.h"
> -@@ -1538,6 +1539,13 @@ int main(int argc, char **argv, char **envp)
> - return False;
> - }
> -
> -+ status = rpccli_pre_open_netlogon_creds();
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ DEBUG(0, ("rpccli_pre_open_netlogon_creds() - %s\n",
> -+ nt_errstr(status)));
> -+ exit(1);
> -+ }
> -+
> - /* Unblock all signals we are interested in as they may have been
> - blocked by the parent process. */
> -
> ---
> -1.9.3
> -
> -
> -From 4cb4ec2065f1f8b3598eb37ca24ce0f8fdf567aa Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 7 Aug 2013 11:32:44 +0200
> -Subject: [PATCH 182/249] s3:winbindd: make use of
> - rpccli_{create,setup}_netlogon_creds()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 22e4e2c1d1252e434cb928d4530c378a62a64138)
> ----
> - source3/winbindd/winbindd.h | 3 +
> - source3/winbindd/winbindd_cm.c | 125 ++++++++++++++++++++---------------
> - source3/winbindd/winbindd_dual_srv.c | 1 +
> - 3 files changed, 77 insertions(+), 52 deletions(-)
> -
> -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
> -index b5fc010..8f89e27 100644
> ---- a/source3/winbindd/winbindd.h
> -+++ b/source3/winbindd/winbindd.h
> -@@ -116,6 +116,9 @@ struct winbindd_cm_conn {
> - struct policy_handle lsa_policy;
> -
> - struct rpc_pipe_client *netlogon_pipe;
> -+ struct netlogon_creds_cli_context *netlogon_creds;
> -+ uint32_t netlogon_flags;
> -+ bool netlogon_force_reauth;
> - };
> -
> - /* Async child */
> -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> -index 1546002..7b6cc96 100644
> ---- a/source3/winbindd/winbindd_cm.c
> -+++ b/source3/winbindd/winbindd_cm.c
> -@@ -79,6 +79,7 @@
> - #include "auth/gensec/gensec.h"
> - #include "../libcli/smb/smbXcli_base.h"
> - #include "lib/param/loadparm.h"
> -+#include "libcli/auth/netlogon_creds_cli.h"
> -
> - #undef DBGC_CLASS
> - #define DBGC_CLASS DBGC_WINBIND
> -@@ -1826,6 +1827,9 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
> - }
> -
> - conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
> -+ conn->netlogon_force_reauth = false;
> -+ conn->netlogon_flags = 0;
> -+ TALLOC_FREE(conn->netlogon_creds);
> -
> - if (conn->cli) {
> - cli_shutdown(conn->cli);
> -@@ -2292,8 +2296,18 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
> - NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> - struct rpc_pipe_client *netlogon_pipe;
> -
> -- if (lp_client_schannel() == False) {
> -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> -+ *ppdc = NULL;
> -+
> -+ if ((!IS_DC) && (!domain->primary)) {
> -+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
> -+ }
> -+
> -+ if (domain->conn.netlogon_creds != NULL) {
> -+ if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> -+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
> -+ }
> -+ *ppdc = domain->conn.netlogon_creds;
> -+ return NT_STATUS_OK;
> - }
> -
> - result = cm_connect_netlogon(domain, &netlogon_pipe);
> -@@ -2301,14 +2315,15 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
> - return result;
> - }
> -
> -- /* Return a pointer to the struct netlogon_creds_CredentialState from the
> -- netlogon pipe. */
> -+ if (domain->conn.netlogon_creds == NULL) {
> -+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
> -+ }
> -
> -- if (!domain->conn.netlogon_pipe->netlogon_creds) {
> -- return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
> -+ if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> -+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
> - }
> -
> -- *ppdc = domain->conn.netlogon_pipe->netlogon_creds;
> -+ *ppdc = domain->conn.netlogon_creds;
> - return NT_STATUS_OK;
> - }
> -
> -@@ -2747,14 +2762,16 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
> - NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> - struct rpc_pipe_client **cli)
> - {
> -+ struct messaging_context *msg_ctx = winbind_messaging_context();
> - struct winbindd_cm_conn *conn;
> - NTSTATUS result;
> --
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
> -- uint8_t mach_pwd[16];
> - enum netr_SchannelType sec_chan_type;
> -+ const char *_account_name;
> - const char *account_name;
> -- struct rpc_pipe_client *netlogon_pipe = NULL;
> -+ struct samr_Password current_nt_hash;
> -+ struct samr_Password *previous_nt_hash = NULL;
> -+ struct netlogon_creds_CredentialState *creds = NULL;
> -+ bool ok;
> -
> - *cli = NULL;
> -
> -@@ -2771,60 +2788,68 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> - }
> -
> - TALLOC_FREE(conn->netlogon_pipe);
> --
> -- result = cli_rpc_pipe_open_noauth(conn->cli,
> -- &ndr_table_netlogon,
> -- &netlogon_pipe);
> -- if (!NT_STATUS_IS_OK(result)) {
> -- return result;
> -- }
> -+ conn->netlogon_flags = 0;
> -+ TALLOC_FREE(conn->netlogon_creds);
> -
> - if ((!IS_DC) && (!domain->primary)) {
> -- /* Clear the schannel request bit and drop down */
> -- neg_flags &= ~NETLOGON_NEG_SCHANNEL;
> - goto no_schannel;
> - }
> -
> -- if (lp_client_schannel() != False) {
> -- neg_flags |= NETLOGON_NEG_SCHANNEL;
> -+ ok = get_trust_pw_hash(domain->name,
> -+ current_nt_hash.hash,
> -+ &_account_name,
> -+ &sec_chan_type);
> -+ if (!ok) {
> -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> - }
> -
> -- if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
> -- &sec_chan_type))
> -- {
> -- TALLOC_FREE(netlogon_pipe);
> -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> -+ account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
> -+ if (account_name == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> - }
> -
> -- result = rpccli_netlogon_setup_creds(
> -- netlogon_pipe,
> -- domain->dcname, /* server name. */
> -- domain->name, /* domain name */
> -- lp_netbios_name(), /* client name */
> -- account_name, /* machine account */
> -- mach_pwd, /* machine password */
> -- sec_chan_type, /* from get_trust_pw */
> -- &neg_flags);
> -+ result = rpccli_create_netlogon_creds(domain->dcname,
> -+ domain->name,
> -+ account_name,
> -+ sec_chan_type,
> -+ msg_ctx,
> -+ domain,
> -+ &conn->netlogon_creds);
> -+ if (!NT_STATUS_IS_OK(result)) {
> -+ SAFE_FREE(previous_nt_hash);
> -+ return result;
> -+ }
> -
> -+ result = rpccli_setup_netlogon_creds(conn->cli,
> -+ conn->netlogon_creds,
> -+ conn->netlogon_force_reauth,
> -+ current_nt_hash,
> -+ previous_nt_hash);
> -+ conn->netlogon_force_reauth = false;
> -+ SAFE_FREE(previous_nt_hash);
> - if (!NT_STATUS_IS_OK(result)) {
> -- TALLOC_FREE(netlogon_pipe);
> - return result;
> - }
> -
> -- if ((lp_client_schannel() == True) &&
> -- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
> -- DEBUG(3, ("Server did not offer schannel\n"));
> -- TALLOC_FREE(netlogon_pipe);
> -- return NT_STATUS_ACCESS_DENIED;
> -+ result = netlogon_creds_cli_get(conn->netlogon_creds,
> -+ talloc_tos(),
> -+ &creds);
> -+ if (!NT_STATUS_IS_OK(result)) {
> -+ return result;
> - }
> -+ conn->netlogon_flags = creds->negotiate_flags;
> -+ TALLOC_FREE(creds);
> -
> - no_schannel:
> -- if ((lp_client_schannel() == False) ||
> -- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
> -+ if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> -+ result = cli_rpc_pipe_open_noauth(conn->cli,
> -+ &ndr_table_netlogon,
> -+ &conn->netlogon_pipe);
> -+ if (!NT_STATUS_IS_OK(result)) {
> -+ invalidate_cm_connection(conn);
> -+ return result;
> -+ }
> -
> -- /* We're done - just keep the existing connection to NETLOGON
> -- * open */
> -- conn->netlogon_pipe = netlogon_pipe;
> - *cli = conn->netlogon_pipe;
> - return NT_STATUS_OK;
> - }
> -@@ -2837,12 +2862,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> - result = cli_rpc_pipe_open_schannel_with_key(
> - conn->cli, &ndr_table_netlogon, NCACN_NP,
> - domain->name,
> -- netlogon_pipe->netlogon_creds,
> -+ conn->netlogon_creds,
> - &conn->netlogon_pipe);
> --
> -- /* We can now close the initial netlogon pipe. */
> -- TALLOC_FREE(netlogon_pipe);
> --
> - if (!NT_STATUS_IS_OK(result)) {
> - DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
> - "was %s\n", nt_errstr(result)));
> -diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
> -index b873655..001591a 100644
> ---- a/source3/winbindd/winbindd_dual_srv.c
> -+++ b/source3/winbindd/winbindd_dual_srv.c
> -@@ -580,6 +580,7 @@ NTSTATUS _wbint_CheckMachineAccount(struct pipes_struct *p,
> -
> - again:
> - invalidate_cm_connection(&domain->conn);
> -+ domain->conn.netlogon_force_reauth = true;
> -
> - {
> - struct rpc_pipe_client *netlogon_pipe;
> ---
> -1.9.3
> -
> -
> -From dc77edf0b74a88950f4de2472c05a73fcc629dc1 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 27 Aug 2013 13:07:45 +0200
> -Subject: [PATCH 183/249] s3:auth_domain: simplify
> - connect_to_domain_password_server()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit d9d55f5406949187901476d673c7d6ff0fc165c2)
> ----
> - source3/auth/auth_domain.c | 31 ++++++++++++-------------------
> - 1 file changed, 12 insertions(+), 19 deletions(-)
> -
> -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> -index 9f88c4a..ae27bf0 100644
> ---- a/source3/auth/auth_domain.c
> -+++ b/source3/auth/auth_domain.c
> -@@ -47,16 +47,17 @@ static struct named_mutex *mutex;
> - *
> - **/
> -
> --static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> -+static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> - const char *domain,
> - const char *dc_name,
> - const struct sockaddr_storage *dc_ss,
> - struct rpc_pipe_client **pipe_ret)
> - {
> -- NTSTATUS result;
> -+ NTSTATUS result;
> -+ struct cli_state *cli = NULL;
> - struct rpc_pipe_client *netlogon_pipe = NULL;
> -
> -- *cli = NULL;
> -+ *cli_ret = NULL;
> -
> - *pipe_ret = NULL;
> -
> -@@ -80,7 +81,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> - }
> -
> - /* Attempt connection */
> -- result = cli_full_connection(cli, lp_netbios_name(), dc_name, dc_ss, 0,
> -+ result = cli_full_connection(&cli, lp_netbios_name(), dc_name, dc_ss, 0,
> - "IPC$", "IPC", "", "", "", 0, SMB_SIGNING_DEFAULT);
> -
> - if (!NT_STATUS_IS_OK(result)) {
> -@@ -89,11 +90,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> - result = NT_STATUS_NO_LOGON_SERVERS;
> - }
> -
> -- if (*cli) {
> -- cli_shutdown(*cli);
> -- *cli = NULL;
> -- }
> --
> - TALLOC_FREE(mutex);
> - return result;
> - }
> -@@ -115,18 +111,17 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> - if (lp_client_schannel()) {
> - /* We also setup the creds chain in the open_schannel call. */
> - result = cli_rpc_pipe_open_schannel(
> -- *cli, &ndr_table_netlogon, NCACN_NP,
> -+ cli, &ndr_table_netlogon, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> - } else {
> - result = cli_rpc_pipe_open_noauth(
> -- *cli, &ndr_table_netlogon, &netlogon_pipe);
> -+ cli, &ndr_table_netlogon, &netlogon_pipe);
> - }
> -
> - if (!NT_STATUS_IS_OK(result)) {
> - DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
> - machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> -- cli_shutdown(*cli);
> -- *cli = NULL;
> -+ cli_shutdown(cli);
> - TALLOC_FREE(mutex);
> - return result;
> - }
> -@@ -145,8 +140,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> - DEBUG(0, ("connect_to_domain_password_server: could not fetch "
> - "trust account password for domain '%s'\n",
> - domain));
> -- cli_shutdown(*cli);
> -- *cli = NULL;
> -+ cli_shutdown(cli);
> - TALLOC_FREE(mutex);
> - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> - }
> -@@ -161,8 +155,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> - &neg_flags);
> -
> - if (!NT_STATUS_IS_OK(result)) {
> -- cli_shutdown(*cli);
> -- *cli = NULL;
> -+ cli_shutdown(cli);
> - TALLOC_FREE(mutex);
> - return result;
> - }
> -@@ -172,14 +165,14 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> - DEBUG(0, ("connect_to_domain_password_server: unable to open "
> - "the domain client session to machine %s. Error "
> - "was : %s.\n", dc_name, nt_errstr(result)));
> -- cli_shutdown(*cli);
> -- *cli = NULL;
> -+ cli_shutdown(cli);
> - TALLOC_FREE(mutex);
> - return NT_STATUS_NO_LOGON_SERVERS;
> - }
> -
> - /* We exit here with the mutex *locked*. JRA */
> -
> -+ *cli_ret = cli;
> - *pipe_ret = netlogon_pipe;
> -
> - return NT_STATUS_OK;
> ---
> -1.9.3
> -
> -
> -From 8fc2ffafd545dbc4af4c1ebab5fb631da18cade4 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 27 Aug 2013 15:01:10 +0200
> -Subject: [PATCH 184/249] s3:auth_domain: make use of
> - rpccli_{create,setup}_netlogon_creds()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 34e66780e573bebf4b971fb96e1ed8680c1488a9)
> ----
> - source3/auth/auth_domain.c | 136 ++++++++++++++++++++++++++++-----------------
> - 1 file changed, 85 insertions(+), 51 deletions(-)
> -
> -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> -index ae27bf0..bf2671c 100644
> ---- a/source3/auth/auth_domain.c
> -+++ b/source3/auth/auth_domain.c
> -@@ -27,6 +27,7 @@
> - #include "secrets.h"
> - #include "passdb.h"
> - #include "libsmb/libsmb.h"
> -+#include "libcli/auth/netlogon_creds_cli.h"
> -
> - #undef DBGC_CLASS
> - #define DBGC_CLASS DBGC_AUTH
> -@@ -53,9 +54,20 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> - const struct sockaddr_storage *dc_ss,
> - struct rpc_pipe_client **pipe_ret)
> - {
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct messaging_context *msg_ctx = server_messaging_context();
> - NTSTATUS result;
> - struct cli_state *cli = NULL;
> - struct rpc_pipe_client *netlogon_pipe = NULL;
> -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> -+ struct netlogon_creds_CredentialState *creds = NULL;
> -+ uint32_t netlogon_flags = 0;
> -+ enum netr_SchannelType sec_chan_type = 0;
> -+ const char *_account_name = NULL;
> -+ const char *account_name = NULL;
> -+ struct samr_Password current_nt_hash;
> -+ struct samr_Password *previous_nt_hash = NULL;
> -+ bool ok;
> -
> - *cli_ret = NULL;
> -
> -@@ -77,6 +89,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> -
> - mutex = grab_named_mutex(NULL, dc_name, 10);
> - if (mutex == NULL) {
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_NO_LOGON_SERVERS;
> - }
> -
> -@@ -91,6 +104,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> - }
> -
> - TALLOC_FREE(mutex);
> -+ TALLOC_FREE(frame);
> - return result;
> - }
> -
> -@@ -98,67 +112,85 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> - * We now have an anonymous connection to IPC$ on the domain password server.
> - */
> -
> -- /*
> -- * Even if the connect succeeds we need to setup the netlogon
> -- * pipe here. We do this as we may just have changed the domain
> -- * account password on the PDC and yet we may be talking to
> -- * a BDC that doesn't have this replicated yet. In this case
> -- * a successful connect to a DC needs to take the netlogon connect
> -- * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
> -- */
> -+ ok = get_trust_pw_hash(domain,
> -+ current_nt_hash.hash,
> -+ &_account_name,
> -+ &sec_chan_type);
> -+ if (!ok) {
> -+ cli_shutdown(cli);
> -+ TALLOC_FREE(mutex);
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> -+ }
> -
> -- /* open the netlogon pipe. */
> -- if (lp_client_schannel()) {
> -- /* We also setup the creds chain in the open_schannel call. */
> -- result = cli_rpc_pipe_open_schannel(
> -- cli, &ndr_table_netlogon, NCACN_NP,
> -- DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> -- } else {
> -- result = cli_rpc_pipe_open_noauth(
> -- cli, &ndr_table_netlogon, &netlogon_pipe);
> -+ account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
> -+ if (account_name == NULL) {
> -+ cli_shutdown(cli);
> -+ TALLOC_FREE(mutex);
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> - }
> -
> -+ result = rpccli_create_netlogon_creds(dc_name,
> -+ domain,
> -+ account_name,
> -+ sec_chan_type,
> -+ msg_ctx,
> -+ talloc_tos(),
> -+ &netlogon_creds);
> - if (!NT_STATUS_IS_OK(result)) {
> -- DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
> --machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> - cli_shutdown(cli);
> - TALLOC_FREE(mutex);
> -+ TALLOC_FREE(frame);
> -+ SAFE_FREE(previous_nt_hash);
> - return result;
> - }
> -
> -- if (!lp_client_schannel()) {
> -- /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -- NETLOGON_NEG_SUPPORTS_AES;
> -- enum netr_SchannelType sec_chan_type = 0;
> -- unsigned char machine_pwd[16];
> -- const char *account_name;
> --
> -- if (!get_trust_pw_hash(domain, machine_pwd, &account_name,
> -- &sec_chan_type))
> -- {
> -- DEBUG(0, ("connect_to_domain_password_server: could not fetch "
> -- "trust account password for domain '%s'\n",
> -- domain));
> -- cli_shutdown(cli);
> -- TALLOC_FREE(mutex);
> -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> -- }
> -+ result = rpccli_setup_netlogon_creds(cli,
> -+ netlogon_creds,
> -+ false, /* force_reauth */
> -+ current_nt_hash,
> -+ previous_nt_hash);
> -+ SAFE_FREE(previous_nt_hash);
> -+ if (!NT_STATUS_IS_OK(result)) {
> -+ cli_shutdown(cli);
> -+ TALLOC_FREE(mutex);
> -+ TALLOC_FREE(frame);
> -+ return result;
> -+ }
> -
> -- result = rpccli_netlogon_setup_creds(netlogon_pipe,
> -- dc_name, /* server name */
> -- domain, /* domain */
> -- lp_netbios_name(), /* client name */
> -- account_name, /* machine account name */
> -- machine_pwd,
> -- sec_chan_type,
> -- &neg_flags);
> --
> -- if (!NT_STATUS_IS_OK(result)) {
> -- cli_shutdown(cli);
> -- TALLOC_FREE(mutex);
> -- return result;
> -- }
> -+ result = netlogon_creds_cli_get(netlogon_creds,
> -+ talloc_tos(),
> -+ &creds);
> -+ if (!NT_STATUS_IS_OK(result)) {
> -+ cli_shutdown(cli);
> -+ TALLOC_FREE(mutex);
> -+ TALLOC_FREE(frame);
> -+ return result;
> -+ }
> -+ netlogon_flags = creds->negotiate_flags;
> -+ TALLOC_FREE(creds);
> -+
> -+ if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
> -+ result = cli_rpc_pipe_open_schannel_with_key(
> -+ cli, &ndr_table_netlogon, NCACN_NP,
> -+ domain, netlogon_creds, &netlogon_pipe);
> -+ } else {
> -+ result = cli_rpc_pipe_open_noauth(cli,
> -+ &ndr_table_netlogon,
> -+ &netlogon_pipe);
> -+ }
> -+
> -+ if (!NT_STATUS_IS_OK(result)) {
> -+ DEBUG(0,("connect_to_domain_password_server: "
> -+ "unable to open the domain client session to "
> -+ "machine %s. Flags[0x%08X] Error was : %s.\n",
> -+ dc_name, (unsigned)netlogon_flags,
> -+ nt_errstr(result)));
> -+ cli_shutdown(cli);
> -+ TALLOC_FREE(mutex);
> -+ TALLOC_FREE(frame);
> -+ return result;
> - }
> -
> - if(!netlogon_pipe) {
> -@@ -167,6 +199,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> - "was : %s.\n", dc_name, nt_errstr(result)));
> - cli_shutdown(cli);
> - TALLOC_FREE(mutex);
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_NO_LOGON_SERVERS;
> - }
> -
> -@@ -175,6 +208,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> - *cli_ret = cli;
> - *pipe_ret = netlogon_pipe;
> -
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_OK;
> - }
> -
> ---
> -1.9.3
> -
> -
> -From 5cc57e577bc7d144176ffe6f21ed24a95661a861 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 27 Aug 2013 15:02:26 +0200
> -Subject: [PATCH 185/249] s3:auth_domain: make use of
> - rpccli_netlogon_network_logon()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 531bbf3aff3fb08aaf112b21038f20544db60b69)
> ----
> - source3/auth/auth_domain.c | 36 ++++++++++++++++++++++--------------
> - 1 file changed, 22 insertions(+), 14 deletions(-)
> -
> -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> -index bf2671c..937841c 100644
> ---- a/source3/auth/auth_domain.c
> -+++ b/source3/auth/auth_domain.c
> -@@ -52,7 +52,8 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> - const char *domain,
> - const char *dc_name,
> - const struct sockaddr_storage *dc_ss,
> -- struct rpc_pipe_client **pipe_ret)
> -+ struct rpc_pipe_client **pipe_ret,
> -+ struct netlogon_creds_cli_context **creds_ret)
> - {
> - TALLOC_CTX *frame = talloc_stackframe();
> - struct messaging_context *msg_ctx = server_messaging_context();
> -@@ -72,6 +73,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> - *cli_ret = NULL;
> -
> - *pipe_ret = NULL;
> -+ *creds_ret = NULL;
> -
> - /* TODO: Send a SAMLOGON request to determine whether this is a valid
> - logonserver. We can avoid a 30-second timeout if the DC is down
> -@@ -207,6 +209,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> -
> - *cli_ret = cli;
> - *pipe_ret = netlogon_pipe;
> -+ *creds_ret = netlogon_creds;
> -
> - TALLOC_FREE(frame);
> - return NT_STATUS_OK;
> -@@ -230,8 +233,11 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
> - struct netr_SamInfo3 *info3 = NULL;
> - struct cli_state *cli = NULL;
> - struct rpc_pipe_client *netlogon_pipe = NULL;
> -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> - NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS;
> - int i;
> -+ uint8_t authoritative = 0;
> -+ uint32_t flags = 0;
> -
> - /*
> - * At this point, smb_apasswd points to the lanman response to
> -@@ -248,7 +254,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
> - domain,
> - dc_name,
> - dc_ss,
> -- &netlogon_pipe);
> -+ &netlogon_pipe,
> -+ &netlogon_creds);
> - }
> -
> - if ( !NT_STATUS_IS_OK(nt_status) ) {
> -@@ -268,18 +275,19 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
> - * in the info3 structure.
> - */
> -
> -- nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
> -- mem_ctx,
> -- user_info->logon_parameters, /* flags such as 'allow workstation logon' */
> -- dc_name, /* server name */
> -- user_info->client.account_name, /* user name logging on. */
> -- user_info->client.domain_name, /* domain name */
> -- user_info->workstation_name, /* workstation name */
> -- chal, /* 8 byte challenge. */
> -- 3, /* validation level */
> -- user_info->password.response.lanman, /* lanman 24 byte response */
> -- user_info->password.response.nt, /* nt 24 byte response */
> -- &info3); /* info3 out */
> -+ nt_status = rpccli_netlogon_network_logon(netlogon_creds,
> -+ netlogon_pipe->binding_handle,
> -+ mem_ctx,
> -+ user_info->logon_parameters, /* flags such as 'allow workstation logon' */
> -+ user_info->client.account_name, /* user name logging on. */
> -+ user_info->client.domain_name, /* domain name */
> -+ user_info->workstation_name, /* workstation name */
> -+ chal, /* 8 byte challenge. */
> -+ user_info->password.response.lanman, /* lanman 24 byte response */
> -+ user_info->password.response.nt, /* nt 24 byte response */
> -+ &authoritative,
> -+ &flags,
> -+ &info3); /* info3 out */
> -
> - /* Let go as soon as possible so we avoid any potential deadlocks
> - with winbind lookup up users or groups. */
> ---
> -1.9.3
> -
> -
> -From 5da4eca4d30b3894426a4f7cb0512ae61c097cbc Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 2 Sep 2013 19:32:23 +0200
> -Subject: [PATCH 186/249] s3:libnet_join: make use of
> - rpccli_{create,setup}_netlogon_creds()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 963800539cea7487fc6258f8ac8f7cacc3426b83)
> ----
> - source3/libnet/libnet_join.c | 110 +++++++++++++++++++++++++++++++------------
> - source3/libnet/libnet_join.h | 5 +-
> - source3/utils/net_rpc.c | 4 +-
> - 3 files changed, 86 insertions(+), 33 deletions(-)
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index b2805ee..6e653c3 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -40,6 +40,8 @@
> - #include "libsmb/libsmb.h"
> - #include "../libcli/smb/smbXcli_base.h"
> - #include "lib/param/loadparm.h"
> -+#include "libcli/auth/netlogon_creds_cli.h"
> -+#include "auth/credentials/credentials.h"
> -
> - /****************************************************************
> - ****************************************************************/
> -@@ -1189,38 +1191,52 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
> - /****************************************************************
> - ****************************************************************/
> -
> --NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> -- const char *machine_name,
> -+NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
> -+ const char *netbios_domain_name,
> - const char *dc_name,
> - const bool use_kerberos)
> - {
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -- NETLOGON_NEG_SUPPORTS_AES;
> -+ TALLOC_CTX *frame = talloc_stackframe();
> - struct cli_state *cli = NULL;
> -- struct rpc_pipe_client *pipe_hnd = NULL;
> - struct rpc_pipe_client *netlogon_pipe = NULL;
> -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> -+ struct netlogon_creds_CredentialState *creds = NULL;
> -+ uint32_t netlogon_flags = 0;
> -+ enum netr_SchannelType sec_chan_type = 0;
> - NTSTATUS status;
> - char *machine_password = NULL;
> -- char *machine_account = NULL;
> -+ const char *machine_name = NULL;
> -+ const char *machine_account = NULL;
> - int flags = 0;
> -+ struct samr_Password current_nt_hash;
> -+ struct samr_Password *previous_nt_hash = NULL;
> -+ bool ok;
> -
> - if (!dc_name) {
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_INVALID_PARAMETER;
> - }
> -
> - if (!secrets_init()) {
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> - }
> -
> -- machine_password = secrets_fetch_machine_password(netbios_domain_name,
> -- NULL, NULL);
> -- if (!machine_password) {
> -- return NT_STATUS_NO_TRUST_LSA_SECRET;
> -+ ok = get_trust_pw_clear(netbios_domain_name,
> -+ &machine_password,
> -+ &machine_name,
> -+ &sec_chan_type);
> -+ if (!ok) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> - }
> -
> -- if (asprintf(&machine_account, "%s$", machine_name) == -1) {
> -+ machine_account = talloc_asprintf(frame, "%s$", machine_name);
> -+ if (machine_account == NULL) {
> - SAFE_FREE(machine_password);
> -- return NT_STATUS_NO_MEMORY;
> -+ SAFE_FREE(previous_nt_hash);
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> - }
> -
> - if (use_kerberos) {
> -@@ -1232,12 +1248,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> - NULL, 0,
> - "IPC$", "IPC",
> - machine_account,
> -- NULL,
> -+ netbios_domain_name,
> - machine_password,
> - flags,
> - SMB_SIGNING_DEFAULT);
> -- free(machine_account);
> -- free(machine_password);
> -+
> -+ E_md4hash(machine_password, current_nt_hash.hash);
> -+ SAFE_FREE(machine_password);
> -
> - if (!NT_STATUS_IS_OK(status)) {
> - status = cli_full_connection(&cli, NULL,
> -@@ -1252,36 +1269,65 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> - }
> -
> - if (!NT_STATUS_IS_OK(status)) {
> -+ SAFE_FREE(previous_nt_hash);
> -+ TALLOC_FREE(frame);
> - return status;
> - }
> -
> -- status = get_schannel_session_key(cli, netbios_domain_name,
> -- &neg_flags, &netlogon_pipe);
> -+ status = rpccli_create_netlogon_creds(dc_name,
> -+ netbios_domain_name,
> -+ machine_account,
> -+ sec_chan_type,
> -+ msg_ctx,
> -+ frame,
> -+ &netlogon_creds);
> - if (!NT_STATUS_IS_OK(status)) {
> -- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
> -- cli_shutdown(cli);
> -- return NT_STATUS_OK;
> -- }
> -+ SAFE_FREE(previous_nt_hash);
> -+ cli_shutdown(cli);
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -
> -- DEBUG(0,("libnet_join_ok: failed to get schannel session "
> -- "key from server %s for domain %s. Error was %s\n",
> -- smbXcli_conn_remote_name(cli->conn),
> -- netbios_domain_name, nt_errstr(status)));
> -+ status = rpccli_setup_netlogon_creds(cli,
> -+ netlogon_creds,
> -+ true, /* force_reauth */
> -+ current_nt_hash,
> -+ previous_nt_hash);
> -+ SAFE_FREE(previous_nt_hash);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ DEBUG(0,("connect_to_domain_password_server: "
> -+ "unable to open the domain client session to "
> -+ "machine %s. Flags[0x%08X] Error was : %s.\n",
> -+ dc_name, (unsigned)netlogon_flags,
> -+ nt_errstr(status)));
> -+ cli_shutdown(cli);
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+
> -+ status = netlogon_creds_cli_get(netlogon_creds,
> -+ talloc_tos(),
> -+ &creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> - cli_shutdown(cli);
> -+ TALLOC_FREE(frame);
> - return status;
> - }
> -+ netlogon_flags = creds->negotiate_flags;
> -+ TALLOC_FREE(creds);
> -
> -- if (!lp_client_schannel()) {
> -+ if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> - cli_shutdown(cli);
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_OK;
> - }
> -
> - status = cli_rpc_pipe_open_schannel_with_key(
> - cli, &ndr_table_netlogon, NCACN_NP,
> - netbios_domain_name,
> -- netlogon_pipe->netlogon_creds, &pipe_hnd);
> -+ netlogon_creds, &netlogon_pipe);
> -
> -- cli_shutdown(cli);
> -+ TALLOC_FREE(netlogon_pipe);
> -
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(0,("libnet_join_ok: failed to open schannel session "
> -@@ -1289,9 +1335,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> - "Error was %s\n",
> - smbXcli_conn_remote_name(cli->conn),
> - netbios_domain_name, nt_errstr(status)));
> -+ cli_shutdown(cli);
> -+ TALLOC_FREE(frame);
> - return status;
> - }
> -
> -+ cli_shutdown(cli);
> -+ TALLOC_FREE(frame);
> - return NT_STATUS_OK;
> - }
> -
> -@@ -1303,8 +1353,8 @@ static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
> - {
> - NTSTATUS status;
> -
> -- status = libnet_join_ok(r->out.netbios_domain_name,
> -- r->in.machine_name,
> -+ status = libnet_join_ok(r->in.msg_ctx,
> -+ r->out.netbios_domain_name,
> - r->in.dc_name,
> - r->in.use_kerberos);
> - if (!NT_STATUS_IS_OK(status)) {
> -diff --git a/source3/libnet/libnet_join.h b/source3/libnet/libnet_join.h
> -index 58c33b2..b7e2f0b 100644
> ---- a/source3/libnet/libnet_join.h
> -+++ b/source3/libnet/libnet_join.h
> -@@ -23,8 +23,9 @@
> -
> - /* The following definitions come from libnet/libnet_join.c */
> -
> --NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> -- const char *machine_name,
> -+struct messaging_context;
> -+NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
> -+ const char *netbios_domain_name,
> - const char *dc_name,
> - const bool use_kerberos);
> - WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
> -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> -index dff8801..9de74c0 100644
> ---- a/source3/utils/net_rpc.c
> -+++ b/source3/utils/net_rpc.c
> -@@ -493,7 +493,9 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> - }
> -
> - /* Display success or failure */
> -- status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
> -+ status = libnet_join_ok(c->msg_ctx,
> -+ c->opt_workgroup,
> -+ dc,
> - c->opt_kerberos);
> - if (!NT_STATUS_IS_OK(status)) {
> - fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
> ---
> -1.9.3
> -
> -
> -From 0da8c0a71d08de50b614e5df69a61e00d0a9cd99 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 5 Sep 2013 20:57:02 +0200
> -Subject: [PATCH 187/249] s3:libnet: use rpccli_{create,setup}_netlogon_creds()
> - in libnet_join_joindomain_rpc_unsecure
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 3a89eee03a95d4b142bf0830f40debc75bfa2e26)
> ----
> - source3/libnet/libnet_join.c | 66 ++++++++++++++++++++++++++++++++++----------
> - 1 file changed, 51 insertions(+), 15 deletions(-)
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index 6e653c3..a87eb38 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -817,14 +817,17 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> - struct libnet_JoinCtx *r,
> - struct cli_state *cli)
> - {
> -- struct rpc_pipe_client *pipe_hnd = NULL;
> -- unsigned char orig_trust_passwd_hash[16];
> -- unsigned char new_trust_passwd_hash[16];
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct rpc_pipe_client *netlogon_pipe = NULL;
> -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> -+ struct samr_Password current_nt_hash;
> -+ const char *account_name = NULL;
> - NTSTATUS status;
> -
> - status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> -- &pipe_hnd);
> -+ &netlogon_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> - return status;
> - }
> -
> -@@ -832,22 +835,55 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> - r->in.machine_password = generate_random_password(mem_ctx,
> - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
> - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
> -- NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
> -+ if (r->in.machine_password == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> - }
> -
> -- E_md4hash(r->in.machine_password, new_trust_passwd_hash);
> --
> - /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
> -- E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
> -+ E_md4hash(r->in.admin_password, current_nt_hash.hash);
> -
> -- status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
> -- r->in.machine_name,
> -- orig_trust_passwd_hash,
> -- r->in.machine_password,
> -- new_trust_passwd_hash,
> -- r->in.secure_channel_type);
> -+ account_name = talloc_asprintf(frame, "%s$",
> -+ r->in.machine_name);
> -+ if (account_name == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -
> -- return status;
> -+ status = rpccli_create_netlogon_creds(netlogon_pipe->desthost,
> -+ r->in.domain_name,
> -+ account_name,
> -+ r->in.secure_channel_type,
> -+ r->in.msg_ctx,
> -+ frame,
> -+ &netlogon_creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+
> -+ status = rpccli_setup_netlogon_creds(cli,
> -+ netlogon_creds,
> -+ true, /* force_reauth */
> -+ current_nt_hash,
> -+ NULL); /* previous_nt_hash */
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+
> -+ status = netlogon_creds_cli_ServerPasswordSet(netlogon_creds,
> -+ netlogon_pipe->binding_handle,
> -+ r->in.machine_password,
> -+ NULL); /* new_version */
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_OK;
> - }
> -
> - /****************************************************************
> ---
> -1.9.3
> -
> -
> -From 9d192bc1d2dd06efada55792203aaed58b349ab9 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 11 Sep 2013 10:06:41 +0200
> -Subject: [PATCH 188/249] s3:rpc_client: use
> - rpccli_{create,setup}_netlogon_creds() in cli_rpc_pipe_open_schannel()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 94caf7e190563423914b653d0c2fc4a4abf1f899)
> ----
> - source3/rpc_client/cli_pipe.h | 7 --
> - source3/rpc_client/cli_pipe_schannel.c | 162 ++++++++++++++-------------------
> - 2 files changed, 66 insertions(+), 103 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index c21c55d..2a76130 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -109,13 +109,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> - struct rpc_pipe_client *cli,
> - DATA_BLOB *session_key);
> -
> --/* The following definitions come from rpc_client/cli_pipe_schannel.c */
> --
> --NTSTATUS get_schannel_session_key(struct cli_state *cli,
> -- const char *domain,
> -- uint32 *pneg_flags,
> -- struct rpc_pipe_client **presult);
> --
> - #endif /* _CLI_PIPE_H */
> -
> - /* vim: set ts=8 sw=8 noet cindent ft=c.doxygen: */
> -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> -index 8f9161f..1fcf62e 100644
> ---- a/source3/rpc_client/cli_pipe_schannel.c
> -+++ b/source3/rpc_client/cli_pipe_schannel.c
> -@@ -23,67 +23,15 @@
> - #include "../libcli/auth/schannel.h"
> - #include "rpc_client/cli_netlogon.h"
> - #include "rpc_client/cli_pipe.h"
> --#include "librpc/gen_ndr/ndr_dcerpc.h"
> - #include "librpc/rpc/dcerpc.h"
> - #include "passdb.h"
> - #include "libsmb/libsmb.h"
> --#include "auth/gensec/gensec.h"
> - #include "../libcli/smb/smbXcli_base.h"
> -+#include "libcli/auth/netlogon_creds_cli.h"
> -
> - #undef DBGC_CLASS
> - #define DBGC_CLASS DBGC_RPC_CLI
> -
> --
> --/****************************************************************************
> -- Get a the schannel session key out of an already opened netlogon pipe.
> -- ****************************************************************************/
> --static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
> -- struct cli_state *cli,
> -- const char *domain,
> -- uint32 *pneg_flags)
> --{
> -- enum netr_SchannelType sec_chan_type = 0;
> -- unsigned char machine_pwd[16];
> -- const char *machine_account;
> -- NTSTATUS status;
> --
> -- /* Get the machine account credentials from secrets.tdb. */
> -- if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
> -- &sec_chan_type))
> -- {
> -- DEBUG(0, ("get_schannel_session_key: could not fetch "
> -- "trust account password for domain '%s'\n",
> -- domain));
> -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> -- }
> --
> -- status = rpccli_netlogon_setup_creds(netlogon_pipe,
> -- smbXcli_conn_remote_name(cli->conn), /* server name */
> -- domain, /* domain */
> -- lp_netbios_name(), /* client name */
> -- machine_account, /* machine account name */
> -- machine_pwd,
> -- sec_chan_type,
> -- pneg_flags);
> --
> -- if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(3, ("get_schannel_session_key_common: "
> -- "rpccli_netlogon_setup_creds failed with result %s "
> -- "to server %s, domain %s, machine account %s.\n",
> -- nt_errstr(status), smbXcli_conn_remote_name(cli->conn), domain,
> -- machine_account ));
> -- return status;
> -- }
> --
> -- if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
> -- DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
> -- smbXcli_conn_remote_name(cli->conn)));
> -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> -- }
> --
> -- return NT_STATUS_OK;
> --}
> --
> - /****************************************************************************
> - Open a named pipe to an SMB server and bind using schannel (bind type 68).
> - Fetch the session key ourselves using a temporary netlogon pipe.
> -@@ -96,63 +44,85 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> - const char *domain,
> - struct rpc_pipe_client **presult)
> - {
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -- NETLOGON_NEG_SUPPORTS_AES;
> -- struct rpc_pipe_client *netlogon_pipe = NULL;
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct messaging_context *msg_ctx = NULL;
> -+ const char *dc_name = smbXcli_conn_remote_name(cli->conn);
> - struct rpc_pipe_client *result = NULL;
> - NTSTATUS status;
> -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> -+ struct netlogon_creds_CredentialState *creds = NULL;
> -+ uint32_t netlogon_flags = 0;
> -+ enum netr_SchannelType sec_chan_type = 0;
> -+ const char *_account_name = NULL;
> -+ const char *account_name = NULL;
> -+ struct samr_Password current_nt_hash;
> -+ struct samr_Password *previous_nt_hash = NULL;
> -+ bool ok;
> -+
> -+ ok = get_trust_pw_hash(domain,
> -+ current_nt_hash.hash,
> -+ &_account_name,
> -+ &sec_chan_type);
> -+ if (!ok) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> -+ }
> -+
> -+ account_name = talloc_asprintf(frame, "%s$", _account_name);
> -+ if (account_name == NULL) {
> -+ SAFE_FREE(previous_nt_hash);
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ status = rpccli_create_netlogon_creds(dc_name,
> -+ domain,
> -+ account_name,
> -+ sec_chan_type,
> -+ msg_ctx,
> -+ frame,
> -+ &netlogon_creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ SAFE_FREE(previous_nt_hash);
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -
> -- status = get_schannel_session_key(cli, domain, &neg_flags,
> -- &netlogon_pipe);
> -+ status = rpccli_setup_netlogon_creds(cli,
> -+ netlogon_creds,
> -+ false, /* force_reauth */
> -+ current_nt_hash,
> -+ previous_nt_hash);
> -+ SAFE_FREE(previous_nt_hash);
> - if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
> -- "key from server %s for domain %s.\n",
> -- smbXcli_conn_remote_name(cli->conn), domain ));
> -+ TALLOC_FREE(frame);
> - return status;
> - }
> -
> -+ status = netlogon_creds_cli_get(netlogon_creds,
> -+ frame,
> -+ &creds);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+ netlogon_flags = creds->negotiate_flags;
> -+ TALLOC_FREE(creds);
> -+
> -+ if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_DOWNGRADE_DETECTED;
> -+ }
> -+
> - status = cli_rpc_pipe_open_schannel_with_key(
> - cli, table, transport, domain,
> -- netlogon_pipe->netlogon_creds,
> -+ netlogon_creds,
> - &result);
> -
> -- /* Now we've bound using the session key we can close the netlog pipe. */
> -- TALLOC_FREE(netlogon_pipe);
> --
> - if (NT_STATUS_IS_OK(status)) {
> - *presult = result;
> - }
> -
> -+ TALLOC_FREE(frame);
> - return status;
> - }
> --
> --/****************************************************************************
> -- Open a netlogon pipe and get the schannel session key.
> -- Now exposed to external callers.
> -- ****************************************************************************/
> --
> --
> --NTSTATUS get_schannel_session_key(struct cli_state *cli,
> -- const char *domain,
> -- uint32 *pneg_flags,
> -- struct rpc_pipe_client **presult)
> --{
> -- struct rpc_pipe_client *netlogon_pipe = NULL;
> -- NTSTATUS status;
> --
> -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> -- &netlogon_pipe);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> --
> -- status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
> -- pneg_flags);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- TALLOC_FREE(netlogon_pipe);
> -- return status;
> -- }
> --
> -- *presult = netlogon_pipe;
> -- return NT_STATUS_OK;
> --}
> ---
> -1.9.3
> -
> -
> -From 5fba6641f79a14c208c5947886c005a87b9f3256 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 18:24:44 +0200
> -Subject: [PATCH 189/249] s3:rpcclient: add rpcclient_msg_ctx
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit a1c468e1d75d490f0e531feb08188ddc3f0d77b5)
> ----
> - source3/rpcclient/rpcclient.c | 5 +++++
> - source3/rpcclient/rpcclient.h | 2 ++
> - 2 files changed, 7 insertions(+)
> -
> -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> -index 0cbec20..39bf613 100644
> ---- a/source3/rpcclient/rpcclient.c
> -+++ b/source3/rpcclient/rpcclient.c
> -@@ -33,6 +33,7 @@
> - #include "libsmb/libsmb.h"
> - #include "auth/gensec/gensec.h"
> - #include "../libcli/smb/smbXcli_base.h"
> -+#include "messages.h"
> -
> - enum pipe_auth_type_spnego {
> - PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
> -@@ -48,6 +49,7 @@ static enum dcerpc_AuthLevel pipe_default_auth_level = DCERPC_AUTH_LEVEL_NONE;
> - static unsigned int timeout = 0;
> - static enum dcerpc_transport_t default_transport = NCACN_NP;
> -
> -+struct messaging_context *rpcclient_msg_ctx;
> - struct user_auth_info *rpcclient_auth_info;
> -
> - /* List to hold groups of commands.
> -@@ -985,6 +987,9 @@ out_free:
> - /* We must load interfaces after we load the smb.conf */
> - load_interfaces();
> -
> -+ rpcclient_msg_ctx = messaging_init(talloc_autofree_context(),
> -+ samba_tevent_context_init(talloc_autofree_context()));
> -+
> - /*
> - * Get password
> - * from stdin if necessary
> -diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
> -index 762c54a..219da2a 100644
> ---- a/source3/rpcclient/rpcclient.h
> -+++ b/source3/rpcclient/rpcclient.h
> -@@ -41,4 +41,6 @@ struct cmd_set {
> - const char *usage;
> - };
> -
> -+extern struct messaging_context *rpcclient_msg_ctx;
> -+
> - #endif /* RPCCLIENT_H */
> ---
> -1.9.3
> -
> -
> -From c6e02d60ef12431cd1a5615fcf514548e86d6dc8 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 18:29:30 +0200
> -Subject: [PATCH 190/249] s3:rpcclient: add rpcclient_netlogon_creds
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 1696b127c61fea76fce3d992632a822ed78de07c)
> ----
> - source3/rpcclient/rpcclient.c | 3 +++
> - source3/rpcclient/rpcclient.h | 1 +
> - 2 files changed, 4 insertions(+)
> -
> -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> -index 39bf613..a875ff5 100644
> ---- a/source3/rpcclient/rpcclient.c
> -+++ b/source3/rpcclient/rpcclient.c
> -@@ -51,6 +51,7 @@ static enum dcerpc_transport_t default_transport = NCACN_NP;
> -
> - struct messaging_context *rpcclient_msg_ctx;
> - struct user_auth_info *rpcclient_auth_info;
> -+struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
> -
> - /* List to hold groups of commands.
> - *
> -@@ -797,6 +798,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - }
> - }
> -
> -+ rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
> -+
> - /* Run command */
> -
> - if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
> -diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
> -index 219da2a..9288249 100644
> ---- a/source3/rpcclient/rpcclient.h
> -+++ b/source3/rpcclient/rpcclient.h
> -@@ -42,5 +42,6 @@ struct cmd_set {
> - };
> -
> - extern struct messaging_context *rpcclient_msg_ctx;
> -+extern struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
> -
> - #endif /* RPCCLIENT_H */
> ---
> -1.9.3
> -
> -
> -From 849cb578d3aa38e7d6508353914d39501cd6b2c8 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 18:57:09 +0200
> -Subject: [PATCH 191/249] s3:rpcclient: remove unused
> - rpccli_netlogon_setup_creds() from cmd_netlogon_database_redo()
> -
> -rpccli_netlogon_setup_creds() is already called in the main do_cmd()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit fb13b002d599049f229d2014e1b94f82952b7150)
> ----
> - source3/rpcclient/cmd_netlogon.c | 21 +--------------------
> - 1 file changed, 1 insertion(+), 20 deletions(-)
> -
> -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> -index 2e0b5e5..8a865a9 100644
> ---- a/source3/rpcclient/cmd_netlogon.c
> -+++ b/source3/rpcclient/cmd_netlogon.c
> -@@ -1141,12 +1141,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> - NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
> - NTSTATUS result;
> - const char *server_name = cli->desthost;
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -- NETLOGON_NEG_SUPPORTS_AES;
> - struct netr_Authenticator clnt_creds, srv_cred;
> - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> -- unsigned char trust_passwd_hash[16];
> -- enum netr_SchannelType sec_channel_type = 0;
> - struct netr_ChangeLogEntry e;
> - uint32_t rid = 500;
> - struct dcerpc_binding_handle *b = cli->binding_handle;
> -@@ -1161,25 +1157,10 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> - sscanf(argv[1], "%d", &rid);
> - }
> -
> -- if (!secrets_fetch_trust_account_password(lp_workgroup(),
> -- trust_passwd_hash,
> -- NULL, &sec_channel_type)) {
> -+ if (cli->netlogon_creds == NULL) {
> - return NT_STATUS_UNSUCCESSFUL;
> - }
> -
> -- status = rpccli_netlogon_setup_creds(cli,
> -- server_name, /* server name */
> -- lp_workgroup(), /* domain */
> -- lp_netbios_name(), /* client name */
> -- lp_netbios_name(), /* machine account name */
> -- trust_passwd_hash,
> -- sec_channel_type,
> -- &neg_flags);
> --
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> --
> - status = netlogon_creds_cli_lock(cli->netlogon_creds,
> - mem_ctx, &creds);
> - if (!NT_STATUS_IS_OK(status)) {
> ---
> -1.9.3
> -
> -
> -From df5ce2ceb4c41e2a952cd9f011626028f8d230ff Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 19:00:22 +0200
> -Subject: [PATCH 192/249] s3:rpcclient: make use of rpcclient_netlogon_creds
> - instead of cli->netlogon_creds
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 3bf77812e80b50f254af64e4935301719f78987e)
> ----
> - source3/rpcclient/cmd_netlogon.c | 22 +++++++++++++++++-----
> - 1 file changed, 17 insertions(+), 5 deletions(-)
> -
> -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> -index 8a865a9..59e1e4e 100644
> ---- a/source3/rpcclient/cmd_netlogon.c
> -+++ b/source3/rpcclient/cmd_netlogon.c
> -@@ -633,7 +633,11 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
> - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> - struct netlogon_creds_CredentialState *creds = NULL;
> -
> -- status = netlogon_creds_cli_lock(cli->netlogon_creds,
> -+ if (rpcclient_netlogon_creds == NULL) {
> -+ return NT_STATUS_UNSUCCESSFUL;
> -+ }
> -+
> -+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
> - mem_ctx, &creds);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> -@@ -712,7 +716,11 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
> - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> - struct netlogon_creds_CredentialState *creds = NULL;
> -
> -- status = netlogon_creds_cli_lock(cli->netlogon_creds,
> -+ if (rpcclient_netlogon_creds == NULL) {
> -+ return NT_STATUS_UNSUCCESSFUL;
> -+ }
> -+
> -+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
> - mem_ctx, &creds);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> -@@ -1157,11 +1165,11 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> - sscanf(argv[1], "%d", &rid);
> - }
> -
> -- if (cli->netlogon_creds == NULL) {
> -+ if (rpcclient_netlogon_creds == NULL) {
> - return NT_STATUS_UNSUCCESSFUL;
> - }
> -
> -- status = netlogon_creds_cli_lock(cli->netlogon_creds,
> -+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
> - mem_ctx, &creds);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> -@@ -1223,7 +1231,11 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
> -
> - ZERO_STRUCT(return_authenticator);
> -
> -- status = netlogon_creds_cli_lock(cli->netlogon_creds,
> -+ if (rpcclient_netlogon_creds == NULL) {
> -+ return NT_STATUS_UNSUCCESSFUL;
> -+ }
> -+
> -+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
> - mem_ctx, &creds);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> ---
> -1.9.3
> -
> -
> -From 4e9d9abc0bae5ca08c3a91cc5d1b2bacffc6cbfc Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 19:59:11 +0200
> -Subject: [PATCH 193/249] s3:net_rpc: add net_context->netlogon_creds
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit d1340c20b0900f54e2c73c4a363f45988b1ba097)
> ----
> - source3/utils/net.h | 1 +
> - source3/utils/net_rpc.c | 1 +
> - 2 files changed, 2 insertions(+)
> -
> -diff --git a/source3/utils/net.h b/source3/utils/net.h
> -index e97734a..ce19c57 100644
> ---- a/source3/utils/net.h
> -+++ b/source3/utils/net.h
> -@@ -90,6 +90,7 @@ struct net_context {
> - bool smb_encrypt;
> - struct libnetapi_ctx *netapi_ctx;
> - struct messaging_context *msg_ctx;
> -+ struct netlogon_creds_cli_context *netlogon_creds;
> -
> - bool display_usage;
> - void *private_data;
> -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> -index 9de74c0..3bf3f30 100644
> ---- a/source3/utils/net_rpc.c
> -+++ b/source3/utils/net_rpc.c
> -@@ -201,6 +201,7 @@ int run_rpc_command(struct net_context *c,
> - nt_errstr(nt_status) ));
> - goto fail;
> - }
> -+ c->netlogon_creds = pipe_hnd->netlogon_creds;
> - } else {
> - if (conn_flags & NET_FLAGS_SEAL) {
> - nt_status = cli_rpc_pipe_open_generic_auth(
> ---
> -1.9.3
> -
> -
> -From 7a4535c1e61de498230abd1f99bfe875ae59c2e0 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sun, 15 Sep 2013 13:19:52 +0200
> -Subject: [PATCH 194/249] s3:libsmb: add trust_pw_change()
> -
> -This protects the password change using a domain specific g_lock,
> -so multiple parts 'net rpc', 'rpcclient', 'winbindd', 'wbinfo --change-secret'
> -even on multiple cluster nodes doesn't race anymore.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 16c6e4992fa882207eeaff0a1c4d9fe217be48b7)
> ----
> - source3/include/proto.h | 8 ++
> - source3/libsmb/trusts_util.c | 179 +++++++++++++++++++++++++++++++++++++++++++
> - 2 files changed, 187 insertions(+)
> -
> -diff --git a/source3/include/proto.h b/source3/include/proto.h
> -index 216a377..edda119 100644
> ---- a/source3/include/proto.h
> -+++ b/source3/include/proto.h
> -@@ -984,6 +984,14 @@ void update_trustdom_cache( void );
> - NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> - TALLOC_CTX *mem_ctx,
> - const char *domain) ;
> -+struct netlogon_creds_cli_context;
> -+struct messaging_context;
> -+struct dcerpc_binding_handle;
> -+NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
> -+ struct messaging_context *msg_ctx,
> -+ struct dcerpc_binding_handle *b,
> -+ const char *domain,
> -+ bool force);
> -
> - /* The following definitions come from param/loadparm.c */
> -
> -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> -index 52fb481..b1bc006 100644
> ---- a/source3/libsmb/trusts_util.c
> -+++ b/source3/libsmb/trusts_util.c
> -@@ -20,12 +20,15 @@
> -
> - #include "includes.h"
> - #include "../libcli/auth/libcli_auth.h"
> -+#include "../libcli/auth/netlogon_creds_cli.h"
> - #include "rpc_client/cli_netlogon.h"
> - #include "rpc_client/cli_pipe.h"
> - #include "../librpc/gen_ndr/ndr_netlogon.h"
> - #include "secrets.h"
> - #include "passdb.h"
> - #include "libsmb/libsmb.h"
> -+#include "source3/include/messages.h"
> -+#include "source3/include/g_lock.h"
> -
> - /*********************************************************
> - Change the domain password on the PDC.
> -@@ -113,3 +116,179 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> -
> - return nt_status;
> - }
> -+
> -+struct trust_pw_change_state {
> -+ struct g_lock_ctx *g_ctx;
> -+ char *g_lock_key;
> -+};
> -+
> -+static int trust_pw_change_state_destructor(struct trust_pw_change_state *state)
> -+{
> -+ g_lock_unlock(state->g_ctx, state->g_lock_key);
> -+ return 0;
> -+}
> -+
> -+NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
> -+ struct messaging_context *msg_ctx,
> -+ struct dcerpc_binding_handle *b,
> -+ const char *domain,
> -+ bool force)
> -+{
> -+ TALLOC_CTX *frame = talloc_stackframe();
> -+ struct trust_pw_change_state *state;
> -+ struct samr_Password current_nt_hash;
> -+ const struct samr_Password *previous_nt_hash = NULL;
> -+ enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
> -+ const char *account_name;
> -+ char *new_trust_passwd;
> -+ char *pwd;
> -+ struct dom_sid sid;
> -+ time_t pass_last_set_time;
> -+ struct timeval g_timeout = { 0, };
> -+ int timeout = 0;
> -+ struct timeval tv = { 0, };
> -+ NTSTATUS status;
> -+
> -+ state = talloc_zero(frame, struct trust_pw_change_state);
> -+ if (state == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ state->g_ctx = g_lock_ctx_init(state, msg_ctx);
> -+ if (state->g_ctx == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ state->g_lock_key = talloc_asprintf(state,
> -+ "trust_password_change_%s",
> -+ domain);
> -+ if (state->g_lock_key == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ g_timeout = timeval_current_ofs(10, 0);
> -+ status = g_lock_lock(state->g_ctx,
> -+ state->g_lock_key,
> -+ G_LOCK_WRITE, g_timeout);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ DEBUG(1, ("could not get g_lock on [%s]!\n",
> -+ state->g_lock_key));
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+
> -+ talloc_set_destructor(state, trust_pw_change_state_destructor);
> -+
> -+ if (!get_trust_pw_hash(domain, current_nt_hash.hash,
> -+ &account_name,
> -+ &sec_channel_type)) {
> -+ DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
> -+ }
> -+
> -+ switch (sec_channel_type) {
> -+ case SEC_CHAN_WKSTA:
> -+ pwd = secrets_fetch_machine_password(domain,
> -+ &pass_last_set_time,
> -+ NULL);
> -+ if (pwd == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
> -+ }
> -+ break;
> -+ case SEC_CHAN_DOMAIN:
> -+ if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
> -+ }
> -+ break;
> -+ default:
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NOT_SUPPORTED;
> -+ }
> -+
> -+ timeout = lp_machine_password_timeout();
> -+ if (timeout == 0) {
> -+ if (!force) {
> -+ DEBUG(10,("machine password never expires\n"));
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_OK;
> -+ }
> -+ }
> -+
> -+ tv.tv_sec = pass_last_set_time;
> -+ DEBUG(10, ("password last changed %s\n",
> -+ timeval_string(talloc_tos(), &tv, false)));
> -+ tv.tv_sec += timeout;
> -+ DEBUGADD(10, ("password valid until %s\n",
> -+ timeval_string(talloc_tos(), &tv, false)));
> -+
> -+ if (!force && !timeval_expired(&tv)) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_OK;
> -+ }
> -+
> -+ /* Create a random machine account password */
> -+ new_trust_passwd = generate_random_password(frame,
> -+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
> -+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
> -+ if (new_trust_passwd == NULL) {
> -+ DEBUG(0, ("generate_random_password failed\n"));
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ status = netlogon_creds_cli_auth(context, b,
> -+ current_nt_hash,
> -+ previous_nt_hash);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+
> -+ status = netlogon_creds_cli_ServerPasswordSet(context, b,
> -+ new_trust_passwd, NULL);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+
> -+ DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
> -+ current_timestring(talloc_tos(), False)));
> -+
> -+ /*
> -+ * Return the result of trying to write the new password
> -+ * back into the trust account file.
> -+ */
> -+
> -+ switch (sec_channel_type) {
> -+
> -+ case SEC_CHAN_WKSTA:
> -+ if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
> -+ }
> -+ break;
> -+
> -+ case SEC_CHAN_DOMAIN:
> -+ /*
> -+ * we need to get the sid first for the
> -+ * pdb_set_trusteddom_pw call
> -+ */
> -+ if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
> -+ }
> -+ break;
> -+
> -+ default:
> -+ break;
> -+ }
> -+
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_OK;
> -+}
> ---
> -1.9.3
> -
> -
> -From 09dae290b1d49a30eef5b93f5260dc44fb628437 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 18:33:51 +0200
> -Subject: [PATCH 195/249] s3:rpcclient: make use of trust_pw_change()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit a9281e6570fcc5ff5abe3149615bed7029d1cf71)
> ----
> - source3/rpcclient/cmd_netlogon.c | 10 +++++-----
> - 1 file changed, 5 insertions(+), 5 deletions(-)
> -
> -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> -index 59e1e4e..000d65c 100644
> ---- a/source3/rpcclient/cmd_netlogon.c
> -+++ b/source3/rpcclient/cmd_netlogon.c
> -@@ -829,11 +829,11 @@ static NTSTATUS cmd_netlogon_change_trust_pw(struct rpc_pipe_client *cli,
> - return NT_STATUS_OK;
> - }
> -
> -- /* Perform the sam logon */
> --
> -- result = trust_pw_find_change_and_store_it(cli, mem_ctx,
> -- lp_workgroup());
> --
> -+ result = trust_pw_change(rpcclient_netlogon_creds,
> -+ rpcclient_msg_ctx,
> -+ cli->binding_handle,
> -+ lp_workgroup(),
> -+ true); /* force */
> - if (!NT_STATUS_IS_OK(result))
> - goto done;
> -
> ---
> -1.9.3
> -
> -
> -From 3731b2163f6bb88922a9fa84e60fa48afbbbda9a Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 18:34:48 +0200
> -Subject: [PATCH 196/249] s3:net_rpc: make use of trust_pw_change()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit cfd139347c21f4f4ddd16026c2c8c221feabd6c5)
> ----
> - source3/utils/net_rpc.c | 6 +++++-
> - 1 file changed, 5 insertions(+), 1 deletion(-)
> -
> -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> -index 3bf3f30..ba49f3e 100644
> ---- a/source3/utils/net_rpc.c
> -+++ b/source3/utils/net_rpc.c
> -@@ -279,7 +279,11 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
> - {
> - NTSTATUS status;
> -
> -- status = trust_pw_find_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup);
> -+ status = trust_pw_change(c->netlogon_creds,
> -+ c->msg_ctx,
> -+ pipe_hnd->binding_handle,
> -+ c->opt_target_workgroup,
> -+ true); /* force */
> - if (!NT_STATUS_IS_OK(status)) {
> - d_fprintf(stderr, _("Failed to change machine account password: %s\n"),
> - nt_errstr(status));
> ---
> -1.9.3
> -
> -
> -From cd8fdfc923adcc5b6c700ec52d1bba4643079247 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 18:35:39 +0200
> -Subject: [PATCH 197/249] s3:winbindd: use invalidate_cm_connection() to kill
> - the netlogon connection
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit dbd49d90bbf175525557eaa983ad57ca5076d710)
> ----
> - source3/winbindd/winbindd_dual.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
> -index 64af571..b26cdca 100644
> ---- a/source3/winbindd/winbindd_dual.c
> -+++ b/source3/winbindd/winbindd_dual.c
> -@@ -1056,7 +1056,7 @@ static void machine_password_change_handler(struct tevent_context *ctx,
> - "password was changed and we didn't know it. "
> - "Killing connections to domain %s\n",
> - child->domain->name));
> -- TALLOC_FREE(child->domain->conn.netlogon_pipe);
> -+ invalidate_cm_connection(&child->domain->conn);
> - }
> -
> - if (!calculate_next_machine_pwd_change(child->domain->name,
> ---
> -1.9.3
> -
> -
> -From 6369757af75412746c0d9950971a77be72826b92 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 18:36:43 +0200
> -Subject: [PATCH 198/249] s3:winbindd: make use of trust_pw_change() for
> - periodic password changes
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 57741dd4ba5a9ed3abf7aad35a2a69fd66b49b4b)
> ----
> - source3/winbindd/winbindd_dual.c | 16 ++++++++--------
> - 1 file changed, 8 insertions(+), 8 deletions(-)
> -
> -diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
> -index b26cdca..1d6a5ba 100644
> ---- a/source3/winbindd/winbindd_dual.c
> -+++ b/source3/winbindd/winbindd_dual.c
> -@@ -29,6 +29,7 @@
> -
> - #include "includes.h"
> - #include "winbindd.h"
> -+#include "rpc_client/rpc_client.h"
> - #include "nsswitch/wb_reqtrans.h"
> - #include "secrets.h"
> - #include "../lib/util/select.h"
> -@@ -999,10 +1000,10 @@ static void machine_password_change_handler(struct tevent_context *ctx,
> - struct timeval now,
> - void *private_data)
> - {
> -+ struct messaging_context *msg_ctx = winbind_messaging_context();
> - struct winbindd_child *child =
> - (struct winbindd_child *)private_data;
> - struct rpc_pipe_client *netlogon_pipe = NULL;
> -- TALLOC_CTX *frame;
> - NTSTATUS result;
> - struct timeval next_change;
> -
> -@@ -1039,15 +1040,14 @@ static void machine_password_change_handler(struct tevent_context *ctx,
> - return;
> - }
> -
> -- frame = talloc_stackframe();
> --
> -- result = trust_pw_find_change_and_store_it(netlogon_pipe,
> -- frame,
> -- child->domain->name);
> -- TALLOC_FREE(frame);
> -+ result = trust_pw_change(child->domain->conn.netlogon_creds,
> -+ msg_ctx,
> -+ netlogon_pipe->binding_handle,
> -+ child->domain->name,
> -+ false); /* force */
> -
> - DEBUG(10, ("machine_password_change_handler: "
> -- "trust_pw_find_change_and_store_it returned %s\n",
> -+ "trust_pw_change returned %s\n",
> - nt_errstr(result)));
> -
> - if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
> ---
> -1.9.3
> -
> -
> -From 5fe11c760d853dff63ad9b3505f3d3721b7e14f6 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 18:37:34 +0200
> -Subject: [PATCH 199/249] s3:winbindd: make use of trust_pw_change() in
> - _wbint_ChangeMachineAccount()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 3c30e19c4a0e60e355b2f1d35edbb0a3b7688089)
> ----
> - source3/winbindd/winbindd_dual_srv.c | 35 +++++++----------------------------
> - 1 file changed, 7 insertions(+), 28 deletions(-)
> -
> -diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
> -index 001591a..f064467 100644
> ---- a/source3/winbindd/winbindd_dual_srv.c
> -+++ b/source3/winbindd/winbindd_dual_srv.c
> -@@ -622,48 +622,27 @@ again:
> - NTSTATUS _wbint_ChangeMachineAccount(struct pipes_struct *p,
> - struct wbint_ChangeMachineAccount *r)
> - {
> -+ struct messaging_context *msg_ctx = winbind_messaging_context();
> - struct winbindd_domain *domain;
> -- int num_retries = 0;
> - NTSTATUS status;
> - struct rpc_pipe_client *netlogon_pipe;
> -- TALLOC_CTX *tmp_ctx;
> -
> --again:
> - domain = wb_child_domain();
> - if (domain == NULL) {
> - return NT_STATUS_REQUEST_NOT_ACCEPTED;
> - }
> -
> -- invalidate_cm_connection(&domain->conn);
> --
> -- {
> -- status = cm_connect_netlogon(domain, &netlogon_pipe);
> -- }
> --
> -- /* There is a race condition between fetching the trust account
> -- password and the periodic machine password change. So it's
> -- possible that the trust account password has been changed on us.
> -- We are returned NT_STATUS_ACCESS_DENIED if this happens. */
> --
> --#define MAX_RETRIES 3
> --
> -- if ((num_retries < MAX_RETRIES)
> -- && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
> -- num_retries++;
> -- goto again;
> -- }
> --
> -+ status = cm_connect_netlogon(domain, &netlogon_pipe);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
> - goto done;
> - }
> -
> -- tmp_ctx = talloc_new(p->mem_ctx);
> --
> -- status = trust_pw_find_change_and_store_it(netlogon_pipe,
> -- tmp_ctx,
> -- domain->name);
> -- talloc_destroy(tmp_ctx);
> -+ status = trust_pw_change(domain->conn.netlogon_creds,
> -+ msg_ctx,
> -+ netlogon_pipe->binding_handle,
> -+ domain->name,
> -+ true); /* force */
> -
> - /* Pass back result code - zero for success, other values for
> - specific failures. */
> ---
> -1.9.3
> -
> -
> -From 9956ea8b561da89fb79739dd8a8552116c7867f7 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 18:39:52 +0200
> -Subject: [PATCH 200/249] s3:libsmb: remove unused
> - trust_pw_find_change_and_store_it()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit a8ecebe3e840005c81df043cb07773972aaa2371)
> ----
> - source3/include/proto.h | 3 --
> - source3/libsmb/trusts_util.c | 81 --------------------------------------------
> - 2 files changed, 84 deletions(-)
> -
> -diff --git a/source3/include/proto.h b/source3/include/proto.h
> -index edda119..18348e5 100644
> ---- a/source3/include/proto.h
> -+++ b/source3/include/proto.h
> -@@ -981,9 +981,6 @@ void update_trustdom_cache( void );
> -
> - /* The following definitions come from libsmb/trusts_util.c */
> -
> --NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> -- TALLOC_CTX *mem_ctx,
> -- const char *domain) ;
> - struct netlogon_creds_cli_context;
> - struct messaging_context;
> - struct dcerpc_binding_handle;
> -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> -index b1bc006..b38aec6 100644
> ---- a/source3/libsmb/trusts_util.c
> -+++ b/source3/libsmb/trusts_util.c
> -@@ -36,87 +36,6 @@
> - already setup the connection to the NETLOGON pipe
> - **********************************************************/
> -
> --NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> -- TALLOC_CTX *mem_ctx,
> -- const char *domain)
> --{
> -- unsigned char old_trust_passwd_hash[16];
> -- unsigned char new_trust_passwd_hash[16];
> -- enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
> -- const char *account_name;
> -- char *new_trust_passwd;
> -- NTSTATUS nt_status;
> --
> -- if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
> -- &sec_channel_type)) {
> -- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
> -- return NT_STATUS_UNSUCCESSFUL;
> -- }
> --
> -- switch (sec_channel_type) {
> -- case SEC_CHAN_WKSTA:
> -- case SEC_CHAN_DOMAIN:
> -- break;
> -- default:
> -- return NT_STATUS_NOT_SUPPORTED;
> -- }
> --
> -- /* Create a random machine account password */
> -- new_trust_passwd = generate_random_password(mem_ctx,
> -- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
> -- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
> -- if (new_trust_passwd == NULL) {
> -- DEBUG(0, ("generate_random_password failed\n"));
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- E_md4hash(new_trust_passwd, new_trust_passwd_hash);
> --
> -- nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
> -- account_name,
> -- old_trust_passwd_hash,
> -- new_trust_passwd,
> -- new_trust_passwd_hash,
> -- sec_channel_type);
> --
> -- if (NT_STATUS_IS_OK(nt_status)) {
> -- DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
> -- current_timestring(talloc_tos(), False)));
> -- /*
> -- * Return the result of trying to write the new password
> -- * back into the trust account file.
> -- */
> --
> -- switch (sec_channel_type) {
> --
> -- case SEC_CHAN_WKSTA:
> -- if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
> -- nt_status = NT_STATUS_UNSUCCESSFUL;
> -- }
> -- break;
> --
> -- case SEC_CHAN_DOMAIN: {
> -- char *pwd;
> -- struct dom_sid sid;
> -- time_t pass_last_set_time;
> --
> -- /* we need to get the sid first for the
> -- * pdb_set_trusteddom_pw call */
> --
> -- if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
> -- nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
> -- }
> -- if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
> -- nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
> -- }
> -- break;
> -- }
> -- }
> -- }
> --
> -- return nt_status;
> --}
> --
> - struct trust_pw_change_state {
> - struct g_lock_ctx *g_ctx;
> - char *g_lock_key;
> ---
> -1.9.3
> -
> -
> -From f71cb73d7f034165802aad97e9be6f45ba32d519 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 19:19:39 +0200
> -Subject: [PATCH 201/249] s3:libnet: pass in struct netlogon_creds_cli_context
> - from the caller.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 77defb175e3ffd1b096485ac7de38ad161594b72)
> ----
> - source3/libnet/libnet_samsync.c | 2 +-
> - source3/libnet/libnet_samsync.h | 1 +
> - source3/utils/net_rpc_samsync.c | 1 +
> - 3 files changed, 3 insertions(+), 1 deletion(-)
> -
> -diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
> -index 02d3fc6..e7e1393 100644
> ---- a/source3/libnet/libnet_samsync.c
> -+++ b/source3/libnet/libnet_samsync.c
> -@@ -216,7 +216,7 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
> - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> - struct netlogon_creds_CredentialState *creds = NULL;
> -
> -- status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
> -+ status = netlogon_creds_cli_lock(ctx->netlogon_creds,
> - mem_ctx, &creds);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> -diff --git a/source3/libnet/libnet_samsync.h b/source3/libnet/libnet_samsync.h
> -index efdbb37..e1d66ec 100644
> ---- a/source3/libnet/libnet_samsync.h
> -+++ b/source3/libnet/libnet_samsync.h
> -@@ -75,6 +75,7 @@ struct samsync_context {
> - struct samsync_object *objects;
> -
> - struct rpc_pipe_client *cli;
> -+ struct netlogon_creds_cli_context *netlogon_creds;
> - struct messaging_context *msg_ctx;
> -
> - const struct samsync_ops *ops;
> -diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
> -index 772651f..6377ad4 100644
> ---- a/source3/utils/net_rpc_samsync.c
> -+++ b/source3/utils/net_rpc_samsync.c
> -@@ -129,6 +129,7 @@ NTSTATUS rpc_samdump_internals(struct net_context *c,
> -
> - ctx->mode = NET_SAMSYNC_MODE_DUMP;
> - ctx->cli = pipe_hnd;
> -+ ctx->netlogon_creds = c->netlogon_creds;
> - ctx->ops = &libnet_samsync_display_ops;
> - ctx->domain_name = domain_name;
> -
> ---
> -1.9.3
> -
> -
> -From acb678ce415403e1442116b32eb8b8b32b677f4a Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 20:51:25 +0200
> -Subject: [PATCH 202/249] s3:rpcclient: make use of
> - rpccli_{create,setup}_netlogon_creds()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 5107ca02a41673739a1fc4a1c2a0fbe8465f211a)
> ----
> - source3/rpcclient/rpcclient.c | 59 ++++++++++++++++++++++++++++++-------------
> - 1 file changed, 41 insertions(+), 18 deletions(-)
> -
> -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> -index a875ff5..490f8df 100644
> ---- a/source3/rpcclient/rpcclient.c
> -+++ b/source3/rpcclient/rpcclient.c
> -@@ -676,6 +676,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - {
> - NTSTATUS ntresult;
> - WERROR wresult;
> -+ bool ok;
> -
> - TALLOC_CTX *mem_ctx;
> -
> -@@ -759,17 +760,20 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - return ntresult;
> - }
> -
> -- if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
> -- &ndr_table_netlogon.syntax_id)) {
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -- NETLOGON_NEG_SUPPORTS_AES;
> -- enum netr_SchannelType sec_channel_type;
> -- uchar trust_password[16];
> -- const char *machine_account;
> -+ ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
> -+ &ndr_table_netlogon.syntax_id);
> -+ if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
> -+ const char *dc_name = cmd_entry->rpc_pipe->desthost;
> -+ const char *domain = get_cmdline_auth_info_domain(auth_info);
> -+ enum netr_SchannelType sec_chan_type = 0;
> -+ const char *_account_name = NULL;
> -+ const char *account_name = NULL;
> -+ struct samr_Password current_nt_hash;
> -+ struct samr_Password *previous_nt_hash = NULL;
> -
> - if (!get_trust_pw_hash(get_cmdline_auth_info_domain(auth_info),
> -- trust_password, &machine_account,
> -- &sec_channel_type))
> -+ current_nt_hash.hash, &_account_name,
> -+ &sec_chan_type))
> - {
> - DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
> - get_cmdline_auth_info_domain(auth_info),
> -@@ -779,22 +783,41 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> - }
> -
> -- ntresult = rpccli_netlogon_setup_creds(cmd_entry->rpc_pipe,
> -- cmd_entry->rpc_pipe->desthost, /* server name */
> -- get_cmdline_auth_info_domain(auth_info), /* domain */
> -- lp_netbios_name(), /* client name */
> -- machine_account, /* machine account name */
> -- trust_password,
> -- sec_channel_type,
> -- &neg_flags);
> -+ account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
> -+ if (account_name == NULL) {
> -+ SAFE_FREE(previous_nt_hash);
> -+ TALLOC_FREE(mem_ctx);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ ntresult = rpccli_create_netlogon_creds(dc_name,
> -+ domain,
> -+ account_name,
> -+ sec_chan_type,
> -+ rpcclient_msg_ctx,
> -+ talloc_autofree_context(),
> -+ &rpcclient_netlogon_creds);
> -+ if (!NT_STATUS_IS_OK(ntresult)) {
> -+ SAFE_FREE(previous_nt_hash);
> -+ TALLOC_FREE(mem_ctx);
> -+ return ntresult;
> -+ }
> -
> -+ ntresult = rpccli_setup_netlogon_creds(cli,
> -+ rpcclient_netlogon_creds,
> -+ false, /* force_reauth */
> -+ current_nt_hash,
> -+ previous_nt_hash);
> -+ SAFE_FREE(previous_nt_hash);
> - if (!NT_STATUS_IS_OK(ntresult)) {
> - DEBUG(0, ("Could not initialise credentials for %s.\n",
> - cmd_entry->table->name));
> - TALLOC_FREE(cmd_entry->rpc_pipe);
> -- talloc_free(mem_ctx);
> -+ TALLOC_FREE(rpcclient_netlogon_creds);
> -+ TALLOC_FREE(mem_ctx);
> - return ntresult;
> - }
> -+ cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
> - }
> - }
> -
> ---
> -1.9.3
> -
> -
> -From b04744971aa9cc696aa4a3c56dd46d58db8dda75 Mon Sep 17 00:00:00 2001
> -From: Garming Sam <garming@catalyst.net.nz>
> -Date: Fri, 29 Nov 2013 14:45:20 +1300
> -Subject: [PATCH 203/249] s3:rpcclient: give errors and clean up correctly
> - after failing to obtain secret
> -
> -Signed-off-by: Garming Sam <garming@catalyst.net.nz>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit a012e2fdd6733e871ddeb68874a2df8413ad91ed)
> ----
> - source3/rpcclient/rpcclient.c | 6 ++++++
> - 1 file changed, 6 insertions(+)
> -
> -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> -index 490f8df..fd3ebdf 100644
> ---- a/source3/rpcclient/rpcclient.c
> -+++ b/source3/rpcclient/rpcclient.c
> -@@ -785,6 +785,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> -
> - account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
> - if (account_name == NULL) {
> -+ DEBUG(0, ("Out of memory creating account name to connect to %s.\n",
> -+ cmd_entry->table->name));
> -+ TALLOC_FREE(cmd_entry->rpc_pipe);
> - SAFE_FREE(previous_nt_hash);
> - TALLOC_FREE(mem_ctx);
> - return NT_STATUS_NO_MEMORY;
> -@@ -798,6 +801,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - talloc_autofree_context(),
> - &rpcclient_netlogon_creds);
> - if (!NT_STATUS_IS_OK(ntresult)) {
> -+ DEBUG(0, ("Could not initialise credentials for %s.\n",
> -+ cmd_entry->table->name));
> -+ TALLOC_FREE(cmd_entry->rpc_pipe);
> - SAFE_FREE(previous_nt_hash);
> - TALLOC_FREE(mem_ctx);
> - return ntresult;
> ---
> -1.9.3
> -
> -
> -From 564e6df9361025ff7da6fa92d83491cfd9e60b2b Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 17 Sep 2013 00:46:09 +0200
> -Subject: [PATCH 204/249] s3:rpcclient: remove optional auth_level parameter of
> - the 'samlogon' cmd
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 4c99e49898151a514e334a07f38eed83fe608c05)
> ----
> - source3/rpcclient/cmd_netlogon.c | 11 ++++-------
> - 1 file changed, 4 insertions(+), 7 deletions(-)
> -
> -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> -index 000d65c..97b79cb 100644
> ---- a/source3/rpcclient/cmd_netlogon.c
> -+++ b/source3/rpcclient/cmd_netlogon.c
> -@@ -782,9 +782,9 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> -
> - /* Check arguments */
> -
> -- if (argc < 3 || argc > 7) {
> -+ if (argc < 3 || argc > 6) {
> - fprintf(stderr, "Usage: samlogon <username> <password> [workstation]"
> -- "[logon_type (1 or 2)] [auth level (2 or 3)] [logon_parameter]\n");
> -+ "[logon_type (1 or 2)] [logon_parameter]\n");
> - return NT_STATUS_OK;
> - }
> -
> -@@ -797,11 +797,8 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> - if (argc >= 5)
> - sscanf(argv[4], "%i", &logon_type);
> -
> -- if (argc >= 6)
> -- validation_level = atoi(argv[5]);
> --
> -- if (argc == 7)
> -- sscanf(argv[6], "%x", &logon_param);
> -+ if (argc == 6)
> -+ sscanf(argv[5], "%x", &logon_param);
> -
> - /* Perform the sam logon */
> -
> ---
> -1.9.3
> -
> -
> -From a61d399c13c9f46e283f85f3d076b0607c2729f3 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 17 Sep 2013 00:48:31 +0200
> -Subject: [PATCH 205/249] s3:rpcclient: make use of
> - rpccli_netlogon_password_logon() in the 'samlogon' cmd
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit c6bb47f2f199cc13101dccf656ac36e9eb879201)
> ----
> - source3/rpcclient/cmd_netlogon.c | 11 ++++++++---
> - 1 file changed, 8 insertions(+), 3 deletions(-)
> -
> -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> -index 97b79cb..b637b3e 100644
> ---- a/source3/rpcclient/cmd_netlogon.c
> -+++ b/source3/rpcclient/cmd_netlogon.c
> -@@ -776,7 +776,6 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> - NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> - int logon_type = NetlogonNetworkInformation;
> - const char *username, *password;
> -- uint16_t validation_level = 3;
> - uint32 logon_param = 0;
> - const char *workstation = NULL;
> -
> -@@ -802,8 +801,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> -
> - /* Perform the sam logon */
> -
> -- result = rpccli_netlogon_sam_logon(cli, mem_ctx, logon_param, lp_workgroup(), username, password, workstation, validation_level, logon_type);
> --
> -+ result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
> -+ cli->binding_handle,
> -+ logon_param,
> -+ lp_workgroup(),
> -+ username,
> -+ password,
> -+ workstation,
> -+ logon_type);
> - if (!NT_STATUS_IS_OK(result))
> - goto done;
> -
> ---
> -1.9.3
> -
> -
> -From fbe0154a63d401acd47c5190be37b8d69d3d64ba Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 17 Sep 2013 00:56:15 +0200
> -Subject: [PATCH 206/249] s3:winbindd: make use of
> - rpccli_netlogon_network_logon()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit a34c837fdb59df1e66be9b5f23a07990e34fea1c)
> ----
> - source3/winbindd/winbindd_pam.c | 28 +++++++++++++++-------------
> - 1 file changed, 15 insertions(+), 13 deletions(-)
> -
> -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> -index 39483a5..3f3ec70 100644
> ---- a/source3/winbindd/winbindd_pam.c
> -+++ b/source3/winbindd/winbindd_pam.c
> -@@ -1228,6 +1228,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> -
> - do {
> - struct rpc_pipe_client *netlogon_pipe;
> -+ uint8_t authoritative = 0;
> -+ uint32_t flags = 0;
> -
> - ZERO_STRUCTP(info3);
> - retry = false;
> -@@ -1276,19 +1278,19 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> - }
> - netr_attempts = 0;
> -
> -- result = rpccli_netlogon_sam_network_logon(
> -- netlogon_pipe,
> -- mem_ctx,
> -- logon_parameters,
> -- server, /* server name */
> -- username, /* user name */
> -- domainname, /* target domain */
> -- workstation, /* workstation */
> -- chal,
> -- -1, /* ignored */
> -- lm_response,
> -- nt_response,
> -- info3);
> -+ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
> -+ netlogon_pipe->binding_handle,
> -+ mem_ctx,
> -+ logon_parameters,
> -+ username,
> -+ domainname,
> -+ workstation,
> -+ chal,
> -+ lm_response,
> -+ nt_response,
> -+ &authoritative,
> -+ &flags,
> -+ info3);
> -
> - /*
> - * we increment this after the "feature negotiation"
> ---
> -1.9.3
> -
> -
> -From cfcb681d6f80253b6f2db769f5c5be1ffb54cc0e Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 20:53:51 +0200
> -Subject: [PATCH 207/249] s3:rpc_client: make cli_rpc_pipe_open_schannel() more
> - flexible
> -
> -It expects a messaging_context now
> -and returns a netlogon_creds_cli_context.
> -
> -This way we can finally avoid having a rpc_pipe_client->netlogon_creds.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 660150b12a637da7f9ebb820e687f27ac22fb93a)
> ----
> - source3/rpc_client/cli_pipe.h | 5 ++++-
> - source3/rpc_client/cli_pipe_schannel.c | 9 +++++++--
> - source3/rpcclient/rpcclient.c | 13 +++++++------
> - source3/utils/net_rpc.c | 6 +++---
> - 4 files changed, 21 insertions(+), 12 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> -index 2a76130..b704d8a 100644
> ---- a/source3/rpc_client/cli_pipe.h
> -+++ b/source3/rpc_client/cli_pipe.h
> -@@ -99,11 +99,14 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - struct rpc_pipe_client **presult);
> -
> - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> -+ struct messaging_context *msg_ctx,
> - const struct ndr_interface_table *table,
> - enum dcerpc_transport_t transport,
> - enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> -- struct rpc_pipe_client **presult);
> -+ struct rpc_pipe_client **presult,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_cli_context **pcreds);
> -
> - NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> - struct rpc_pipe_client *cli,
> -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> -index 1fcf62e..a842333 100644
> ---- a/source3/rpc_client/cli_pipe_schannel.c
> -+++ b/source3/rpc_client/cli_pipe_schannel.c
> -@@ -38,14 +38,16 @@
> - ****************************************************************************/
> -
> - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> -+ struct messaging_context *msg_ctx,
> - const struct ndr_interface_table *table,
> - enum dcerpc_transport_t transport,
> - enum dcerpc_AuthLevel auth_level,
> - const char *domain,
> -- struct rpc_pipe_client **presult)
> -+ struct rpc_pipe_client **presult,
> -+ TALLOC_CTX *mem_ctx,
> -+ struct netlogon_creds_cli_context **pcreds)
> - {
> - TALLOC_CTX *frame = talloc_stackframe();
> -- struct messaging_context *msg_ctx = NULL;
> - const char *dc_name = smbXcli_conn_remote_name(cli->conn);
> - struct rpc_pipe_client *result = NULL;
> - NTSTATUS status;
> -@@ -121,6 +123,9 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> -
> - if (NT_STATUS_IS_OK(status)) {
> - *presult = result;
> -+ if (pcreds != NULL) {
> -+ *pcreds = talloc_move(mem_ctx, &netlogon_creds);
> -+ }
> - }
> -
> - TALLOC_FREE(frame);
> -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> -index fd3ebdf..43343e8 100644
> ---- a/source3/rpcclient/rpcclient.c
> -+++ b/source3/rpcclient/rpcclient.c
> -@@ -737,12 +737,16 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - &cmd_entry->rpc_pipe);
> - break;
> - case DCERPC_AUTH_TYPE_SCHANNEL:
> -+ TALLOC_FREE(rpcclient_netlogon_creds);
> - ntresult = cli_rpc_pipe_open_schannel(
> -- cli, cmd_entry->table,
> -+ cli, rpcclient_msg_ctx,
> -+ cmd_entry->table,
> - default_transport,
> - pipe_default_auth_level,
> - get_cmdline_auth_info_domain(auth_info),
> -- &cmd_entry->rpc_pipe);
> -+ &cmd_entry->rpc_pipe,
> -+ talloc_autofree_context(),
> -+ &rpcclient_netlogon_creds);
> - break;
> - default:
> - DEBUG(0, ("Could not initialise %s. Invalid "
> -@@ -762,7 +766,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> -
> - ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
> - &ndr_table_netlogon.syntax_id);
> -- if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
> -+ if (rpcclient_netlogon_creds == NULL && ok) {
> - const char *dc_name = cmd_entry->rpc_pipe->desthost;
> - const char *domain = get_cmdline_auth_info_domain(auth_info);
> - enum netr_SchannelType sec_chan_type = 0;
> -@@ -823,12 +827,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> - TALLOC_FREE(mem_ctx);
> - return ntresult;
> - }
> -- cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
> - }
> - }
> -
> -- rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
> --
> - /* Run command */
> -
> - if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
> -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> -index ba49f3e..d0f699a 100644
> ---- a/source3/utils/net_rpc.c
> -+++ b/source3/utils/net_rpc.c
> -@@ -192,16 +192,16 @@ int run_rpc_command(struct net_context *c,
> - && (ndr_syntax_id_equal(&table->syntax_id,
> - &ndr_table_netlogon.syntax_id))) {
> - /* Always try and create an schannel netlogon pipe. */
> -+ TALLOC_FREE(c->netlogon_creds);
> - nt_status = cli_rpc_pipe_open_schannel(
> -- cli, table, NCACN_NP,
> -+ cli, c->msg_ctx, table, NCACN_NP,
> - DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
> -- &pipe_hnd);
> -+ &pipe_hnd, c, &c->netlogon_creds);
> - if (!NT_STATUS_IS_OK(nt_status)) {
> - DEBUG(0, ("Could not initialise schannel netlogon pipe. Error was %s\n",
> - nt_errstr(nt_status) ));
> - goto fail;
> - }
> -- c->netlogon_creds = pipe_hnd->netlogon_creds;
> - } else {
> - if (conn_flags & NET_FLAGS_SEAL) {
> - nt_status = cli_rpc_pipe_open_generic_auth(
> ---
> -1.9.3
> -
> -
> -From 603b40eeee3cf21de94f11471889d0443713ba4f Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 6 Sep 2013 13:54:30 +0200
> -Subject: [PATCH 208/249] s3:rpc_client: remove unused
> - rpccli_netlogon_set_trust_password()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 6d457ad9c156cf86d99e58dea21dba170defad1b)
> ----
> - source3/rpc_client/cli_netlogon.c | 51 ---------------------------------------
> - source3/rpc_client/cli_netlogon.h | 7 ------
> - 2 files changed, 58 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index a9f8604..2f23d1b 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -759,54 +759,3 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> -
> - return NT_STATUS_OK;
> - }
> --
> --/*********************************************************
> -- Change the domain password on the PDC.
> --
> -- Just changes the password betwen the two values specified.
> --
> -- Caller must have the cli connected to the netlogon pipe
> -- already.
> --**********************************************************/
> --
> --NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> -- TALLOC_CTX *mem_ctx,
> -- const char *account_name,
> -- const unsigned char orig_trust_passwd_hash[16],
> -- const char *new_trust_pwd_cleartext,
> -- const unsigned char new_trust_passwd_hash[16],
> -- enum netr_SchannelType sec_channel_type)
> --{
> -- NTSTATUS result;
> --
> -- if (cli->netlogon_creds == NULL) {
> -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> -- NETLOGON_NEG_SUPPORTS_AES;
> -- result = rpccli_netlogon_setup_creds(cli,
> -- cli->desthost, /* server name */
> -- lp_workgroup(), /* domain */
> -- lp_netbios_name(), /* client name */
> -- account_name, /* machine account name */
> -- orig_trust_passwd_hash,
> -- sec_channel_type,
> -- &neg_flags);
> -- if (!NT_STATUS_IS_OK(result)) {
> -- DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n",
> -- nt_errstr(result)));
> -- return result;
> -- }
> -- }
> --
> -- result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
> -- cli->binding_handle,
> -- new_trust_pwd_cleartext,
> -- NULL); /* new_version */
> -- if (!NT_STATUS_IS_OK(result)) {
> -- DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
> -- nt_errstr(result)));
> -- return result;
> -- }
> --
> -- return NT_STATUS_OK;
> --}
> --
> -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> -index d4c6670..8547db6 100644
> ---- a/source3/rpc_client/cli_netlogon.h
> -+++ b/source3/rpc_client/cli_netlogon.h
> -@@ -93,12 +93,5 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> - uint8_t *authoritative,
> - uint32_t *flags,
> - struct netr_SamInfo3 **info3);
> --NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> -- TALLOC_CTX *mem_ctx,
> -- const char *account_name,
> -- const unsigned char orig_trust_passwd_hash[16],
> -- const char *new_trust_pwd_cleartext,
> -- const unsigned char new_trust_passwd_hash[16],
> -- enum netr_SchannelType sec_channel_type);
> -
> - #endif /* _RPC_CLIENT_CLI_NETLOGON_H_ */
> ---
> -1.9.3
> -
> -
> -From c9dc23d434bc7015f400b1969a055b95faac6594 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 6 Sep 2013 13:06:53 +0200
> -Subject: [PATCH 209/249] s3:rpc_client: remove unused
> - rpccli_netlogon_setup_creds()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit a4faf57b47095bfc0f4370ac093c8c4cef17584f)
> ----
> - source3/rpc_client/cli_netlogon.c | 92 ---------------------------------------
> - source3/rpc_client/cli_netlogon.h | 8 ----
> - 2 files changed, 100 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index 2f23d1b..687d0c2 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -35,98 +35,6 @@
> - #include "lib/param/param.h"
> - #include "libcli/smb/smbXcli_base.h"
> -
> --/****************************************************************************
> -- Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
> -- credentials chain. Stores the credentials in the struct dcinfo in the
> -- netlogon pipe struct.
> --****************************************************************************/
> --
> --NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> -- const char *server_name,
> -- const char *domain,
> -- const char *clnt_name,
> -- const char *machine_account,
> -- const unsigned char machine_pwd[16],
> -- enum netr_SchannelType sec_chan_type,
> -- uint32_t *neg_flags_inout)
> --{
> -- TALLOC_CTX *frame = talloc_stackframe();
> -- struct loadparm_context *lp_ctx;
> -- NTSTATUS status;
> -- struct samr_Password password;
> -- fstring mach_acct;
> -- struct dcerpc_binding_handle *b = cli->binding_handle;
> -- struct netlogon_creds_CredentialState *creds = NULL;
> --
> -- if (!ndr_syntax_id_equal(&cli->abstract_syntax,
> -- &ndr_table_netlogon.syntax_id)) {
> -- TALLOC_FREE(frame);
> -- return NT_STATUS_INVALID_PARAMETER;
> -- }
> --
> -- if (!strequal(lp_netbios_name(), clnt_name)) {
> -- TALLOC_FREE(frame);
> -- return NT_STATUS_INVALID_PARAMETER;
> -- }
> --
> -- TALLOC_FREE(cli->netlogon_creds);
> --
> -- fstr_sprintf( mach_acct, "%s$", machine_account);
> --
> -- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> -- if (lp_ctx == NULL) {
> -- TALLOC_FREE(frame);
> -- return NT_STATUS_NO_MEMORY;
> -- }
> -- status = netlogon_creds_cli_context_global(lp_ctx,
> -- NULL, /* msg_ctx */
> -- mach_acct,
> -- sec_chan_type,
> -- server_name,
> -- domain,
> -- cli, &cli->netlogon_creds);
> -- talloc_unlink(frame, lp_ctx);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- TALLOC_FREE(frame);
> -- return status;
> -- }
> --
> -- status = netlogon_creds_cli_get(cli->netlogon_creds,
> -- frame, &creds);
> -- if (NT_STATUS_IS_OK(status)) {
> -- DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
> -- "cached credential\n",
> -- cli->desthost));
> -- *neg_flags_inout = creds->negotiate_flags;
> -- TALLOC_FREE(frame);
> -- return NT_STATUS_OK;
> -- }
> --
> -- /* Store the machine account password we're going to use. */
> -- memcpy(password.hash, machine_pwd, 16);
> --
> -- DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
> -- "chain established.\n",
> -- cli->desthost ));
> --
> -- status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
> -- password, NULL);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- TALLOC_FREE(frame);
> -- return status;
> -- }
> --
> -- status = netlogon_creds_cli_get(cli->netlogon_creds,
> -- frame, &creds);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- TALLOC_FREE(frame);
> -- return NT_STATUS_INTERNAL_ERROR;
> -- }
> --
> -- *neg_flags_inout = creds->negotiate_flags;
> -- TALLOC_FREE(frame);
> -- return NT_STATUS_OK;
> --}
> -
> - NTSTATUS rpccli_pre_open_netlogon_creds(void)
> - {
> -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> -index 8547db6..0de836a 100644
> ---- a/source3/rpc_client/cli_netlogon.h
> -+++ b/source3/rpc_client/cli_netlogon.h
> -@@ -30,14 +30,6 @@ struct dcerpc_binding_handle;
> -
> - /* The following definitions come from rpc_client/cli_netlogon.c */
> -
> --NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> -- const char *server_name,
> -- const char *domain,
> -- const char *clnt_name,
> -- const char *machine_account,
> -- const unsigned char machine_pwd[16],
> -- enum netr_SchannelType sec_chan_type,
> -- uint32_t *neg_flags_inout);
> - NTSTATUS rpccli_pre_open_netlogon_creds(void);
> - NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> - const char *server_netbios_domain,
> ---
> -1.9.3
> -
> -
> -From 2a072da1cc18acc7eb6d82769dc96b7e94ec57fe Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 19:23:18 +0200
> -Subject: [PATCH 210/249] s3:rpc_client: remove unused
> - rpccli_netlogon_sam_logon()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit e4fea80693b49e79a96acdac09d5ea292756635c)
> ----
> - source3/rpc_client/cli_netlogon.c | 124 --------------------------------------
> - source3/rpc_client/cli_netlogon.h | 9 ---
> - 2 files changed, 133 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index 687d0c2..171337a 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -160,130 +160,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> -
> - /* Logon domain user */
> -
> --NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> -- TALLOC_CTX *mem_ctx,
> -- uint32 logon_parameters,
> -- const char *domain,
> -- const char *username,
> -- const char *password,
> -- const char *workstation,
> -- uint16_t _ignored_validation_level,
> -- int logon_type)
> --{
> -- NTSTATUS status;
> -- union netr_LogonLevel *logon;
> -- uint16_t validation_level = 0;
> -- union netr_Validation *validation = NULL;
> -- uint8_t authoritative = 0;
> -- uint32_t flags = 0;
> -- fstring clnt_name_slash;
> --
> -- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> -- if (!logon) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- if (workstation) {
> -- fstr_sprintf( clnt_name_slash, "\\\\%s", workstation );
> -- } else {
> -- fstr_sprintf( clnt_name_slash, "\\\\%s", lp_netbios_name() );
> -- }
> --
> -- /* Initialise input parameters */
> --
> -- switch (logon_type) {
> -- case NetlogonInteractiveInformation: {
> --
> -- struct netr_PasswordInfo *password_info;
> --
> -- struct samr_Password lmpassword;
> -- struct samr_Password ntpassword;
> --
> -- password_info = talloc_zero(mem_ctx, struct netr_PasswordInfo);
> -- if (!password_info) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
> --
> -- password_info->identity_info.domain_name.string = domain;
> -- password_info->identity_info.parameter_control = logon_parameters;
> -- password_info->identity_info.logon_id_low = 0xdead;
> -- password_info->identity_info.logon_id_high = 0xbeef;
> -- password_info->identity_info.account_name.string = username;
> -- password_info->identity_info.workstation.string = clnt_name_slash;
> --
> -- password_info->lmpassword = lmpassword;
> -- password_info->ntpassword = ntpassword;
> --
> -- logon->password = password_info;
> --
> -- break;
> -- }
> -- case NetlogonNetworkInformation: {
> -- struct netr_NetworkInfo *network_info;
> -- uint8 chal[8];
> -- unsigned char local_lm_response[24];
> -- unsigned char local_nt_response[24];
> -- struct netr_ChallengeResponse lm;
> -- struct netr_ChallengeResponse nt;
> --
> -- ZERO_STRUCT(lm);
> -- ZERO_STRUCT(nt);
> --
> -- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
> -- if (!network_info) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- generate_random_buffer(chal, 8);
> --
> -- SMBencrypt(password, chal, local_lm_response);
> -- SMBNTencrypt(password, chal, local_nt_response);
> --
> -- lm.length = 24;
> -- lm.data = local_lm_response;
> --
> -- nt.length = 24;
> -- nt.data = local_nt_response;
> --
> -- network_info->identity_info.domain_name.string = domain;
> -- network_info->identity_info.parameter_control = logon_parameters;
> -- network_info->identity_info.logon_id_low = 0xdead;
> -- network_info->identity_info.logon_id_high = 0xbeef;
> -- network_info->identity_info.account_name.string = username;
> -- network_info->identity_info.workstation.string = clnt_name_slash;
> --
> -- memcpy(network_info->challenge, chal, 8);
> -- network_info->nt = nt;
> -- network_info->lm = lm;
> --
> -- logon->network = network_info;
> --
> -- break;
> -- }
> -- default:
> -- DEBUG(0, ("switch value %d not supported\n",
> -- logon_type));
> -- return NT_STATUS_INVALID_INFO_CLASS;
> -- }
> --
> -- status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
> -- cli->binding_handle,
> -- logon_type,
> -- logon,
> -- mem_ctx,
> -- &validation_level,
> -- &validation,
> -- &authoritative,
> -- &flags);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> --
> -- return NT_STATUS_OK;
> --}
> --
> - NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> - struct dcerpc_binding_handle *binding_handle,
> - uint32_t logon_parameters,
> -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> -index 0de836a..eaa5b0c 100644
> ---- a/source3/rpc_client/cli_netlogon.h
> -+++ b/source3/rpc_client/cli_netlogon.h
> -@@ -43,15 +43,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> - bool force_reauth,
> - struct samr_Password current_nt_hash,
> - const struct samr_Password *previous_nt_hash);
> --NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> -- TALLOC_CTX *mem_ctx,
> -- uint32 logon_parameters,
> -- const char *domain,
> -- const char *username,
> -- const char *password,
> -- const char *workstation,
> -- uint16_t validation_level,
> -- int logon_type);
> - NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> - struct dcerpc_binding_handle *binding_handle,
> - uint32_t logon_parameters,
> ---
> -1.9.3
> -
> -
> -From 4092fca5daf42e1cd26af8069b09b97a7d01df9c Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 19:23:54 +0200
> -Subject: [PATCH 211/249] s3:rpc_client: remove unused
> - rpccli_netlogon_sam_network_logon()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 3f41b583840ffa2220f61eea61833bf3c6bd33db)
> ----
> - source3/rpc_client/cli_netlogon.c | 94 ---------------------------------------
> - source3/rpc_client/cli_netlogon.h | 12 -----
> - 2 files changed, 106 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index 171337a..ca2d9bf 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -346,100 +346,6 @@ static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> - * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
> - **/
> -
> --NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> -- TALLOC_CTX *mem_ctx,
> -- uint32 logon_parameters,
> -- const char *server,
> -- const char *username,
> -- const char *domain,
> -- const char *workstation,
> -- const uint8 chal[8],
> -- uint16_t _ignored_validation_level,
> -- DATA_BLOB lm_response,
> -- DATA_BLOB nt_response,
> -- struct netr_SamInfo3 **info3)
> --{
> -- NTSTATUS status;
> -- const char *workstation_name_slash;
> -- union netr_LogonLevel *logon = NULL;
> -- struct netr_NetworkInfo *network_info;
> -- uint16_t validation_level = 0;
> -- union netr_Validation *validation = NULL;
> -- uint8_t authoritative = 0;
> -- uint32_t flags = 0;
> -- struct netr_ChallengeResponse lm;
> -- struct netr_ChallengeResponse nt;
> --
> -- *info3 = NULL;
> --
> -- ZERO_STRUCT(lm);
> -- ZERO_STRUCT(nt);
> --
> -- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> -- if (!logon) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
> -- if (!network_info) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- if (workstation[0] != '\\' && workstation[1] != '\\') {
> -- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
> -- } else {
> -- workstation_name_slash = workstation;
> -- }
> --
> -- if (!workstation_name_slash) {
> -- DEBUG(0, ("talloc_asprintf failed!\n"));
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- /* Initialise input parameters */
> --
> -- lm.data = lm_response.data;
> -- lm.length = lm_response.length;
> -- nt.data = nt_response.data;
> -- nt.length = nt_response.length;
> --
> -- network_info->identity_info.domain_name.string = domain;
> -- network_info->identity_info.parameter_control = logon_parameters;
> -- network_info->identity_info.logon_id_low = 0xdead;
> -- network_info->identity_info.logon_id_high = 0xbeef;
> -- network_info->identity_info.account_name.string = username;
> -- network_info->identity_info.workstation.string = workstation_name_slash;
> --
> -- memcpy(network_info->challenge, chal, 8);
> -- network_info->nt = nt;
> -- network_info->lm = lm;
> --
> -- logon->network = network_info;
> --
> -- /* Marshall data and send request */
> --
> -- status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
> -- cli->binding_handle,
> -- NetlogonNetworkInformation,
> -- logon,
> -- mem_ctx,
> -- &validation_level,
> -- &validation,
> -- &authoritative,
> -- &flags);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> --
> -- status = map_validation_to_info3(mem_ctx,
> -- validation_level, validation,
> -- info3);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- return status;
> -- }
> --
> -- return NT_STATUS_OK;
> --}
> -
> - NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> - struct dcerpc_binding_handle *binding_handle,
> -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> -index eaa5b0c..61fed4a 100644
> ---- a/source3/rpc_client/cli_netlogon.h
> -+++ b/source3/rpc_client/cli_netlogon.h
> -@@ -51,18 +51,6 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
> - const char *password,
> - const char *workstation,
> - enum netr_LogonInfoClass logon_type);
> --NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> -- TALLOC_CTX *mem_ctx,
> -- uint32 logon_parameters,
> -- const char *server,
> -- const char *username,
> -- const char *domain,
> -- const char *workstation,
> -- const uint8 chal[8],
> -- uint16_t validation_level,
> -- DATA_BLOB lm_response,
> -- DATA_BLOB nt_response,
> -- struct netr_SamInfo3 **info3);
> - NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> - struct dcerpc_binding_handle *binding_handle,
> - TALLOC_CTX *mem_ctx,
> ---
> -1.9.3
> -
> -
> -From bdfc02fd5830ed6e2f14aaf90456e572028ada6a Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 16 Sep 2013 19:25:27 +0200
> -Subject: [PATCH 212/249] s3:rpc_client: finally remove unused
> - rpc_pipe_client->netlogon_creds
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit c0761c3eae34175d772476006caf5caad68bd8c6)
> ----
> - source3/rpc_client/cli_pipe.c | 9 ---------
> - source3/rpc_client/rpc_client.h | 3 ---
> - 2 files changed, 12 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> -index 31cd7f5..8613a21 100644
> ---- a/source3/rpc_client/cli_pipe.c
> -+++ b/source3/rpc_client/cli_pipe.c
> -@@ -3097,15 +3097,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> - return status;
> - }
> -
> -- status = netlogon_creds_cli_context_copy(netlogon_creds,
> -- rpccli,
> -- &rpccli->netlogon_creds);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
> -- nt_errstr(status)));
> -- TALLOC_FREE(rpccli);
> -- return status;
> -- }
> -
> - done:
> - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> -diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
> -index 7c4cceb..7c5ff0e 100644
> ---- a/source3/rpc_client/rpc_client.h
> -+++ b/source3/rpc_client/rpc_client.h
> -@@ -48,9 +48,6 @@ struct rpc_pipe_client {
> - uint16 max_recv_frag;
> -
> - struct pipe_auth_data *auth;
> --
> -- /* The following is only non-null on a netlogon client pipe. */
> -- struct netlogon_creds_cli_context *netlogon_creds;
> - };
> -
> - #endif /* _RPC_CLIENT_H */
> ---
> -1.9.3
> -
> -
> -From 710124dca6a97d9148d62bc9aa727568d5284e45 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Thu, 17 Oct 2013 19:17:12 +0200
> -Subject: [PATCH 213/249] libcli/auth: remove unused
> - netlogon_creds_cli_context_copy()
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 3d45d4dc3c69557bf1d1fe6d4a880ad74a2a41f1)
> ----
> - libcli/auth/netlogon_creds_cli.c | 47 ----------------------------------------
> - libcli/auth/netlogon_creds_cli.h | 4 ----
> - 2 files changed, 51 deletions(-)
> -
> -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> -index 6590b21..1724064 100644
> ---- a/libcli/auth/netlogon_creds_cli.c
> -+++ b/libcli/auth/netlogon_creds_cli.c
> -@@ -488,53 +488,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
> - return NT_STATUS_OK;
> - }
> -
> --NTSTATUS netlogon_creds_cli_context_copy(
> -- const struct netlogon_creds_cli_context *src,
> -- TALLOC_CTX *mem_ctx,
> -- struct netlogon_creds_cli_context **_dst)
> --{
> -- struct netlogon_creds_cli_context *dst;
> --
> -- dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
> -- if (dst == NULL) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- *dst = *src;
> --
> -- dst->client.computer = talloc_strdup(dst, src->client.computer);
> -- if (dst->client.computer == NULL) {
> -- TALLOC_FREE(dst);
> -- return NT_STATUS_NO_MEMORY;
> -- }
> -- dst->client.account = talloc_strdup(dst, src->client.account);
> -- if (dst->client.account == NULL) {
> -- TALLOC_FREE(dst);
> -- return NT_STATUS_NO_MEMORY;
> -- }
> -- dst->server.computer = talloc_strdup(dst, src->server.computer);
> -- if (dst->server.computer == NULL) {
> -- TALLOC_FREE(dst);
> -- return NT_STATUS_NO_MEMORY;
> -- }
> -- dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
> -- if (dst->server.netbios_domain == NULL) {
> -- TALLOC_FREE(dst);
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- dst->db.key_name = talloc_strdup(dst, src->db.key_name);
> -- if (dst->db.key_name == NULL) {
> -- TALLOC_FREE(dst);
> -- return NT_STATUS_NO_MEMORY;
> -- }
> --
> -- dst->db.key_data = string_term_tdb_data(dst->db.key_name);
> --
> -- *_dst = dst;
> -- return NT_STATUS_OK;
> --}
> --
> - enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
> - struct netlogon_creds_cli_context *context)
> - {
> -diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
> -index f8f2bef..5bd8bd3 100644
> ---- a/libcli/auth/netlogon_creds_cli.h
> -+++ b/libcli/auth/netlogon_creds_cli.h
> -@@ -49,10 +49,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
> - const char *server_netbios_domain,
> - TALLOC_CTX *mem_ctx,
> - struct netlogon_creds_cli_context **_context);
> --NTSTATUS netlogon_creds_cli_context_copy(
> -- const struct netlogon_creds_cli_context *src,
> -- TALLOC_CTX *mem_ctx,
> -- struct netlogon_creds_cli_context **_dst);
> -
> - enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
> - struct netlogon_creds_cli_context *context);
> ---
> -1.9.3
> -
> -
> -From aa3a65e9770bb81e73b30e71b49855b18d012e68 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 6 Dec 2013 11:38:21 +0100
> -Subject: [PATCH 214/249] lib/param: add "allow nt4 crypto" option, defaulting
> - to false
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 87bdc88328568359e51af6615b378ba8dc67f647)
> ----
> - docs-xml/smbdotconf/logon/allownt4crypto.xml | 26 ++++++++++++++++++++++++++
> - lib/param/param_functions.c | 1 +
> - lib/param/param_table.c | 9 +++++++++
> - 3 files changed, 36 insertions(+)
> - create mode 100644 docs-xml/smbdotconf/logon/allownt4crypto.xml
> -
> -diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
> -new file mode 100644
> -index 0000000..4d417c7
> ---- /dev/null
> -+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
> -@@ -0,0 +1,26 @@
> -+<samba:parameter name="allow nt4 crypto"
> -+ context="G"
> -+ type="boolean"
> -+ advanced="1"
> -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> -+<description>
> -+ <para>This option controls whether the netlogon server (currently
> -+ only in 'active directory domain controller' mode), will
> -+ reject clients which does not support NETLOGON_NEG_STRONG_KEYS
> -+ nor NETLOGON_NEG_SUPPORTS_AES.</para>
> -+
> -+ <para>This option was added with Samba 4.2.0. It may lock out clients
> -+ which worked fine with Samba versions up to 4.1.x. as the effective default
> -+ was "yes" there, while it is "no" now.</para>
> -+
> -+ <para>If you have clients without RequireStrongKey = 1 in the registry,
> -+ you may need to set "allow nt4 crypto = yes", until you have fixed all clients.
> -+ </para>
> -+
> -+ <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
> -+
> -+ <para>This option yields precedence to the 'reject md5 clients' option.</para>
> -+</description>
> -+
> -+<value type="default">no</value>
> -+</samba:parameter>
> -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> -index 41b137f..bf931c6 100644
> ---- a/lib/param/param_functions.c
> -+++ b/lib/param/param_functions.c
> -@@ -154,6 +154,7 @@ FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
> - FN_LOCAL_BOOL(durable_handles, bDurableHandles)
> -
> - FN_GLOBAL_BOOL(allow_insecure_widelinks, bAllowInsecureWidelinks)
> -+FN_GLOBAL_BOOL(allow_nt4_crypto, bAllowNT4Crypto)
> - FN_GLOBAL_BOOL(allow_trusted_domains, bAllowTrustedDomains)
> - FN_GLOBAL_BOOL(async_smb_echo_handler, bAsyncSMBEchoHandler)
> - FN_GLOBAL_BOOL(bind_interfaces_only, bBindInterfacesOnly)
> -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> -index 36e8554..5ef78de 100644
> ---- a/lib/param/param_table.c
> -+++ b/lib/param/param_table.c
> -@@ -4324,6 +4324,15 @@ static struct parm_struct parm_table[] = {
> - .special = NULL,
> - .enum_list = NULL
> - },
> -+ {
> -+ .label = "allow nt4 crypto",
> -+ .type = P_BOOL,
> -+ .p_class = P_GLOBAL,
> -+ .offset = GLOBAL_VAR(bAllowNT4Crypto),
> -+ .special = NULL,
> -+ .enum_list = NULL,
> -+ .flags = FLAG_ADVANCED,
> -+ },
> -
> - {N_("TLS options"), P_SEP, P_SEPARATOR},
> -
> ---
> -1.9.3
> -
> -
> -From 51323c0574963065e2edf9346f310f08ce2b59e8 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 6 Dec 2013 11:39:15 +0100
> -Subject: [PATCH 215/249] lib/param: add "reject md5 client" option, defaulting
> - to false
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 807bcb4981fb20a9b97e69f01c3545ea7e85666e)
> ----
> - docs-xml/smbdotconf/logon/rejectmd5clients.xml | 18 ++++++++++++++++++
> - lib/param/param_functions.c | 1 +
> - lib/param/param_table.c | 9 +++++++++
> - 3 files changed, 28 insertions(+)
> - create mode 100644 docs-xml/smbdotconf/logon/rejectmd5clients.xml
> -
> -diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
> -new file mode 100644
> -index 0000000..04a5b4d
> ---- /dev/null
> -+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
> -@@ -0,0 +1,18 @@
> -+<samba:parameter name="reject md5 clients"
> -+ context="G"
> -+ type="boolean"
> -+ advanced="1"
> -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> -+<description>
> -+ <para>This option controls whether the netlogon server (currently
> -+ only in 'active directory domain controller' mode), will
> -+ reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
> -+
> -+ <para>You can set this to yes if all domain members support aes.
> -+ This will prevent downgrade attacks.</para>
> -+
> -+ <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
> -+</description>
> -+
> -+<value type="default">no</value>
> -+</samba:parameter>
> -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> -index bf931c6..99f0b7f 100644
> ---- a/lib/param/param_functions.c
> -+++ b/lib/param/param_functions.c
> -@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
> - FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
> - FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
> - FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
> -+FN_GLOBAL_BOOL(reject_md5_clients, bRejectMD5Clients)
> - FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
> - FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
> - FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
> -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> -index 5ef78de..4850324 100644
> ---- a/lib/param/param_table.c
> -+++ b/lib/param/param_table.c
> -@@ -4333,6 +4333,15 @@ static struct parm_struct parm_table[] = {
> - .enum_list = NULL,
> - .flags = FLAG_ADVANCED,
> - },
> -+ {
> -+ .label = "reject md5 clients",
> -+ .type = P_BOOL,
> -+ .p_class = P_GLOBAL,
> -+ .offset = GLOBAL_VAR(bRejectMD5Clients),
> -+ .special = NULL,
> -+ .enum_list = NULL,
> -+ .flags = FLAG_ADVANCED,
> -+ },
> -
> - {N_("TLS options"), P_SEP, P_SEPARATOR},
> -
> ---
> -1.9.3
> -
> -
> -From 4f3cd17f89ddedaf6e34bc17b220f6ae6993d0c0 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 6 Dec 2013 13:41:43 +0100
> -Subject: [PATCH 216/249] selftest/Samba4: use "allow nt4 crypto = yes" for
> - testing
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 0d4806f9f056c3e37f5aed1ef19e2924aa8f4151)
> ----
> - selftest/target/Samba4.pm | 1 +
> - 1 file changed, 1 insertion(+)
> -
> -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
> -index ac2fdd9..ee6a365 100644
> ---- a/selftest/target/Samba4.pm
> -+++ b/selftest/target/Samba4.pm
> -@@ -776,6 +776,7 @@ sub provision($$$$$$$$$)
> - server max protocol = SMB2
> - host msdfs = $msdfs
> - lanman auth = yes
> -+ allow nt4 crypto = yes
> -
> - $extra_smbconf_options
> -
> ---
> -1.9.3
> -
> -
> -From 32f88ae5a3d254c6e1b94ea2aaa45febf475af9e Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 23 Dec 2013 10:12:24 +0100
> -Subject: [PATCH 217/249] s4:netlogon: correctly calculate the negotiate_flags
> -
> -We need to bit-wise AND the client and server flags.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 3b77b804cdc9e7621f026ef9bc8e7059f471348e)
> ----
> - source4/rpc_server/netlogon/dcerpc_netlogon.c | 59 +++++++++++++--------------
> - 1 file changed, 28 insertions(+), 31 deletions(-)
> -
> -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -index c41cd02..b001cb5 100644
> ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -@@ -120,6 +120,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> -
> - const char *trust_dom_attrs[] = {"flatname", NULL};
> - const char *account_name;
> -+ uint32_t server_flags = 0;
> - uint32_t negotiate_flags = 0;
> -
> - ZERO_STRUCTP(r->out.return_credentials);
> -@@ -176,37 +177,33 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> - memcache_delete(global_challenge_table,
> - SINGLETON_CACHE, challenge_key);
> -
> -- negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
> -- NETLOGON_NEG_PERSISTENT_SAMREPL |
> -- NETLOGON_NEG_ARCFOUR |
> -- NETLOGON_NEG_PROMOTION_COUNT |
> -- NETLOGON_NEG_CHANGELOG_BDC |
> -- NETLOGON_NEG_FULL_SYNC_REPL |
> -- NETLOGON_NEG_MULTIPLE_SIDS |
> -- NETLOGON_NEG_REDO |
> -- NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
> -- NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
> -- NETLOGON_NEG_GENERIC_PASSTHROUGH |
> -- NETLOGON_NEG_CONCURRENT_RPC |
> -- NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
> -- NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
> -- NETLOGON_NEG_TRANSITIVE_TRUSTS |
> -- NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
> -- NETLOGON_NEG_PASSWORD_SET2 |
> -- NETLOGON_NEG_GETDOMAININFO |
> -- NETLOGON_NEG_CROSS_FOREST_TRUSTS |
> -- NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
> -- NETLOGON_NEG_RODC_PASSTHROUGH |
> -- NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
> -- NETLOGON_NEG_AUTHENTICATED_RPC;
> --
> -- if (*r->in.negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
> -- negotiate_flags |= NETLOGON_NEG_STRONG_KEYS;
> -- }
> --
> -- if (*r->in.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -- negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
> -- }
> -+ server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
> -+ NETLOGON_NEG_PERSISTENT_SAMREPL |
> -+ NETLOGON_NEG_ARCFOUR |
> -+ NETLOGON_NEG_PROMOTION_COUNT |
> -+ NETLOGON_NEG_CHANGELOG_BDC |
> -+ NETLOGON_NEG_FULL_SYNC_REPL |
> -+ NETLOGON_NEG_MULTIPLE_SIDS |
> -+ NETLOGON_NEG_REDO |
> -+ NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
> -+ NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
> -+ NETLOGON_NEG_GENERIC_PASSTHROUGH |
> -+ NETLOGON_NEG_CONCURRENT_RPC |
> -+ NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
> -+ NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
> -+ NETLOGON_NEG_STRONG_KEYS |
> -+ NETLOGON_NEG_TRANSITIVE_TRUSTS |
> -+ NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
> -+ NETLOGON_NEG_PASSWORD_SET2 |
> -+ NETLOGON_NEG_GETDOMAININFO |
> -+ NETLOGON_NEG_CROSS_FOREST_TRUSTS |
> -+ NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
> -+ NETLOGON_NEG_RODC_PASSTHROUGH |
> -+ NETLOGON_NEG_SUPPORTS_AES |
> -+ NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
> -+ NETLOGON_NEG_AUTHENTICATED_RPC;
> -+
> -+ negotiate_flags = *r->in.negotiate_flags & server_flags;
> -
> - /*
> - * According to Microsoft (see bugid #6099)
> ---
> -1.9.3
> -
> -
> -From ce8c9b651d9da88a13a8cd0fe02e5f3e2f1f6b51 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Mon, 23 Dec 2013 10:10:17 +0100
> -Subject: [PATCH 218/249] s4:netlogon: don't generate a debug message for
> - SEC_CHAN_NULL.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 2e36fbc77dc43f31ec78cdbef23b94bd00d6f565)
> ----
> - source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 ++
> - 1 file changed, 2 insertions(+)
> -
> -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -index b001cb5..45a7262 100644
> ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -@@ -220,6 +220,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> - case SEC_CHAN_BDC:
> - case SEC_CHAN_RODC:
> - break;
> -+ case SEC_CHAN_NULL:
> -+ return NT_STATUS_INVALID_PARAMETER;
> - default:
> - DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
> - r->in.secure_channel_type));
> ---
> -1.9.3
> -
> -
> -From b4d5ace784d207f8562a4c93b55de415a81cec42 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 6 Dec 2013 12:08:50 +0100
> -Subject: [PATCH 219/249] s4:netlogon: implement "allow nt4 crypto" and "reject
> - md5 clients" features.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -
> -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> -Autobuild-Date(master): Tue Jan 7 16:53:31 CET 2014 on sn-devel-104
> -(cherry picked from commit 7d2abf520df1ff46d79dfd8ff579c230f2bc3c2a)
> ----
> - source4/rpc_server/netlogon/dcerpc_netlogon.c | 20 ++++++++++++++++++++
> - 1 file changed, 20 insertions(+)
> -
> -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -index 45a7262..6b57cda 100644
> ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -@@ -122,6 +122,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> - const char *account_name;
> - uint32_t server_flags = 0;
> - uint32_t negotiate_flags = 0;
> -+ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
> -+ bool reject_des_client = !allow_nt4_crypto;
> -+ bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
> -
> - ZERO_STRUCTP(r->out.return_credentials);
> - *r->out.rid = 0;
> -@@ -205,6 +208,23 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> -
> - negotiate_flags = *r->in.negotiate_flags & server_flags;
> -
> -+ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
> -+ reject_des_client = false;
> -+ }
> -+
> -+ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> -+ reject_des_client = false;
> -+ reject_md5_client = false;
> -+ }
> -+
> -+ if (reject_des_client || reject_md5_client) {
> -+ /*
> -+ * Here we match Windows 2012 and return no flags.
> -+ */
> -+ *r->out.negotiate_flags = 0;
> -+ return NT_STATUS_DOWNGRADE_DETECTED;
> -+ }
> -+
> - /*
> - * According to Microsoft (see bugid #6099)
> - * Windows 7 looks at the negotiate_flags
> ---
> -1.9.3
> -
> -
> -From ff28e17cdcbe8e1ec4a275d80b3e749da4920c6d Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Wed, 8 Jan 2014 12:04:22 +0100
> -Subject: [PATCH 220/249] libcli/auth: fix usage of an uninitialized variable
> - in netlogon_creds_cli_check_caps()
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -If status is RPC_PROCNUM_OUT_OF_RANGE, result might be uninitialized.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Günther Deschner <gd@samba.org>
> -(cherry picked from commit 0e62f3279525ea864590f713f334f4dc5f5d3a32)
> ----
> - libcli/auth/netlogon_creds_cli.c | 4 ++--
> - 1 file changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> -index 1724064..51b30a1 100644
> ---- a/libcli/auth/netlogon_creds_cli.c
> -+++ b/libcli/auth/netlogon_creds_cli.c
> -@@ -1390,7 +1390,7 @@ struct netlogon_creds_cli_check_state {
> - };
> -
> - static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
> -- NTSTATUS status);
> -+ NTSTATUS status);
> - static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
> -
> - struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
> -@@ -1582,7 +1582,7 @@ static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
> - * with the next request as the sequence number processing
> - * gets out of sync.
> - */
> -- netlogon_creds_cli_check_cleanup(req, result);
> -+ netlogon_creds_cli_check_cleanup(req, status);
> - tevent_req_done(req);
> - return;
> - }
> ---
> -1.9.3
> -
> -
> -From d4902881482eeecf5a219342b3862ac0fbb7b7a9 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 17 Jan 2014 14:00:27 +0100
> -Subject: [PATCH 221/249] libcli/auth: add netlogon_creds_cli_set_global_db()
> -
> -This can be used to inject a db_context from dbwrap_ctdb.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit ece3ba10a16138a75b207a0cf9fe299759253d99)
> ----
> - libcli/auth/netlogon_creds_cli.c | 10 ++++++++++
> - libcli/auth/netlogon_creds_cli.h | 2 ++
> - 2 files changed, 12 insertions(+)
> -
> -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> -index 51b30a1..37bdf74 100644
> ---- a/libcli/auth/netlogon_creds_cli.c
> -+++ b/libcli/auth/netlogon_creds_cli.c
> -@@ -199,6 +199,16 @@ static NTSTATUS netlogon_creds_cli_context_common(
> -
> - static struct db_context *netlogon_creds_cli_global_db;
> -
> -+NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db)
> -+{
> -+ if (netlogon_creds_cli_global_db != NULL) {
> -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> -+ }
> -+
> -+ netlogon_creds_cli_global_db = talloc_move(talloc_autofree_context(), db);
> -+ return NT_STATUS_OK;
> -+}
> -+
> - NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
> - {
> - char *fname;
> -diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
> -index 5bd8bd3..90d0182 100644
> ---- a/libcli/auth/netlogon_creds_cli.h
> -+++ b/libcli/auth/netlogon_creds_cli.h
> -@@ -28,7 +28,9 @@
> - struct netlogon_creds_cli_context;
> - struct messaging_context;
> - struct dcerpc_binding_handle;
> -+struct db_context;
> -
> -+NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db);
> - NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
> -
> - NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> ---
> -1.9.3
> -
> -
> -From 80407a74da35cac64bef252698a2477787f0997d Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 17 Jan 2014 14:07:37 +0100
> -Subject: [PATCH 222/249] s3:rpc_client: use db_open() to open
> - "netlogon_creds_cli.tdb"
> -
> -This uses dbwrap_ctdb if running in a cluster.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 8cf4eff201aa9e1ba8127311bcfc2a357fb4ef03)
> ----
> - source3/rpc_client/cli_netlogon.c | 38 ++++++++++++++++++++++++++++++++++++--
> - 1 file changed, 36 insertions(+), 2 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index ca2d9bf..b7b490f 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -21,6 +21,7 @@
> - */
> -
> - #include "includes.h"
> -+#include "system/filesys.h"
> - #include "libsmb/libsmb.h"
> - #include "rpc_client/rpc_client.h"
> - #include "rpc_client/cli_pipe.h"
> -@@ -34,26 +35,53 @@
> - #include "../libcli/security/security.h"
> - #include "lib/param/param.h"
> - #include "libcli/smb/smbXcli_base.h"
> -+#include "dbwrap/dbwrap.h"
> -+#include "dbwrap/dbwrap_open.h"
> -+#include "util_tdb.h"
> -
> -
> - NTSTATUS rpccli_pre_open_netlogon_creds(void)
> - {
> -- TALLOC_CTX *frame = talloc_stackframe();
> -+ static bool already_open = false;
> -+ TALLOC_CTX *frame;
> - struct loadparm_context *lp_ctx;
> -+ char *fname;
> -+ struct db_context *global_db;
> - NTSTATUS status;
> -
> -+ if (already_open) {
> -+ return NT_STATUS_OK;
> -+ }
> -+
> -+ frame = talloc_stackframe();
> -+
> - lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> - if (lp_ctx == NULL) {
> - TALLOC_FREE(frame);
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> -- status = netlogon_creds_cli_open_global_db(lp_ctx);
> -+ fname = lpcfg_private_db_path(frame, lp_ctx, "netlogon_creds_cli");
> -+ if (fname == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ global_db = db_open(talloc_autofree_context(), fname,
> -+ 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> -+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
> -+ if (global_db == NULL) {
> -+ TALLOC_FREE(frame);
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+
> -+ status = netlogon_creds_cli_set_global_db(&global_db);
> - TALLOC_FREE(frame);
> - if (!NT_STATUS_IS_OK(status)) {
> - return status;
> - }
> -
> -+ already_open = true;
> - return NT_STATUS_OK;
> - }
> -
> -@@ -69,6 +97,12 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> - struct loadparm_context *lp_ctx;
> - NTSTATUS status;
> -
> -+ status = rpccli_pre_open_netlogon_creds();
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> -+ return status;
> -+ }
> -+
> - lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> - if (lp_ctx == NULL) {
> - TALLOC_FREE(frame);
> ---
> -1.9.3
> -
> -
> -From 2ed3041405f5808031f2d5fd0e42f48246d22b7b Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 17 Jan 2014 14:08:59 +0100
> -Subject: [PATCH 223/249] libcli/auth: don't alter the computer_name in cluster
> - mode.
> -
> -This breaks NTLMv2 authentication.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 387ed2e15df085274f72cebda341040a1e767a4b)
> ----
> - libcli/auth/netlogon_creds_cli.c | 22 +++-------------------
> - 1 file changed, 3 insertions(+), 19 deletions(-)
> -
> -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> -index 37bdf74..88893ad 100644
> ---- a/libcli/auth/netlogon_creds_cli.c
> -+++ b/libcli/auth/netlogon_creds_cli.c
> -@@ -261,28 +261,12 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> - bool seal_secure_channel = true;
> - enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
> - bool neutralize_nt4_emulation = false;
> -- struct server_id self = {
> -- .vnn = NONCLUSTER_VNN,
> -- .unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
> -- };
> --
> -- if (msg_ctx != NULL) {
> -- self = messaging_server_id(msg_ctx);
> -- }
> -
> - *_context = NULL;
> -
> -- if (self.vnn != NONCLUSTER_VNN) {
> -- client_computer = talloc_asprintf(frame,
> -- "%s_cluster_vnn_%u",
> -- lpcfg_netbios_name(lp_ctx),
> -- (unsigned)self.vnn);
> -- if (client_computer == NULL) {
> -- TALLOC_FREE(frame);
> -- return NT_STATUS_NO_MEMORY;
> -- }
> -- } else {
> -- client_computer = lpcfg_netbios_name(lp_ctx);
> -+ client_computer = lpcfg_netbios_name(lp_ctx);
> -+ if (strlen(client_computer) > 15) {
> -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> - }
> -
> - /*
> ---
> -1.9.3
> -
> -
> -From 8257c3a5d6e8319578d224e544242da81b043a54 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Fri, 10 Jan 2014 13:13:40 +0100
> -Subject: [PATCH 224/249] libcli/auth: reject computer_name longer than 15
> - chars
> -
> -This matches Windows, it seems they use a fixed size field to store
> -netlogon_creds_CredentialState.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit b8fdeb8ca7ce362058bb86a4e58b34fb6340867e)
> ----
> - libcli/auth/schannel_state_tdb.c | 8 ++++++++
> - 1 file changed, 8 insertions(+)
> -
> -diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
> -index 8f9c1f0..b91e242 100644
> ---- a/libcli/auth/schannel_state_tdb.c
> -+++ b/libcli/auth/schannel_state_tdb.c
> -@@ -78,6 +78,14 @@ NTSTATUS schannel_store_session_key_tdb(struct db_context *db_sc,
> - char *name_upper;
> - NTSTATUS status;
> -
> -+ if (strlen(creds->computer_name) > 15) {
> -+ /*
> -+ * We may want to check for a completely
> -+ * valid netbios name.
> -+ */
> -+ return STATUS_BUFFER_OVERFLOW;
> -+ }
> -+
> - name_upper = strupper_talloc(mem_ctx, creds->computer_name);
> - if (!name_upper) {
> - return NT_STATUS_NO_MEMORY;
> ---
> -1.9.3
> -
> -
> -From d6af8ed76f728621a8ba7515cf1180d6654c8d83 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 11 Jan 2014 17:13:04 +0100
> -Subject: [PATCH 225/249] s3:rpc_server/netlogon: return a zero
> - return_authenticator on error
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit dcc2c8362df9af088613722ebd8a6261fb098a5c)
> ----
> - source3/rpc_server/netlogon/srv_netlog_nt.c | 1 +
> - 1 file changed, 1 insertion(+)
> -
> -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
> -index 09857b6..7bb9dd6 100644
> ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
> -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
> -@@ -1020,6 +1020,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
> - talloc_unlink(p->mem_ctx, lp_ctx);
> -
> - if (!NT_STATUS_IS_OK(status)) {
> -+ ZERO_STRUCTP(r->out.return_credentials);
> - goto out;
> - }
> -
> ---
> -1.9.3
> -
> -
> -From be06629b25f8340ac54a9e674e6a5da1eb01e733 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Sat, 11 Jan 2014 17:13:04 +0100
> -Subject: [PATCH 226/249] s4:rpc_server/netlogon: return a zero
> - return_authenticator and rid on error
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> -(cherry picked from commit 25fb73f2821821630dde4cc263794e754ca03d68)
> ----
> - source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++++++----
> - 1 file changed, 8 insertions(+), 4 deletions(-)
> -
> -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -index 6b57cda..afa15d8 100644
> ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> -@@ -348,9 +348,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> - return NT_STATUS_INTERNAL_ERROR;
> - }
> -
> -- *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
> -- "objectSid", 0);
> --
> - mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "unicodePwd");
> - if (mach_pwd == NULL) {
> - return NT_STATUS_ACCESS_DENIED;
> -@@ -383,8 +380,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> - nt_status = schannel_save_creds_state(mem_ctx,
> - dce_call->conn->dce_ctx->lp_ctx,
> - creds);
> -+ if (!NT_STATUS_IS_OK(nt_status)) {
> -+ ZERO_STRUCTP(r->out.return_credentials);
> -+ return nt_status;
> -+ }
> -
> -- return nt_status;
> -+ *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
> -+ "objectSid", 0);
> -+
> -+ return NT_STATUS_OK;
> - }
> -
> - static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
> ---
> -1.9.3
> -
> -
> -From f5fe58d49fc66867db743393a92e1cd8e4cb293b Mon Sep 17 00:00:00 2001
> -From: Michael Adam <obnox@samba.org>
> -Date: Wed, 29 Jan 2014 16:58:37 +0100
> -Subject: [PATCH 227/249] dbwrap_tool: remove the short form "-p" of
> - "--persistent"
> -
> -Signed-off-by: Michael Adam <obnox@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 6dd1008c4e8b0b798d589959021c9b578db74ff4)
> ----
> - source3/utils/dbwrap_tool.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
> -index 79b40d2..406e89e 100644
> ---- a/source3/utils/dbwrap_tool.c
> -+++ b/source3/utils/dbwrap_tool.c
> -@@ -420,7 +420,7 @@ int main(int argc, const char **argv)
> - struct poptOption popt_options[] = {
> - POPT_AUTOHELP
> - POPT_COMMON_SAMBA
> -- { "persistent", 'p', POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
> -+ { "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
> - POPT_TABLEEND
> - };
> - int opt;
> ---
> -1.9.3
> -
> -
> -From 209b5ec86620f8caadcc714db0cbec4789db0377 Mon Sep 17 00:00:00 2001
> -From: Michael Adam <obnox@samba.org>
> -Date: Thu, 30 Jan 2014 10:33:00 +0100
> -Subject: [PATCH 228/249] docs: remove short form "-p" of --persistent from
> - dbwrap_tool manpage
> -
> -Signed-off-by: Michael Adam <obnox@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 6f748fef652bbea3c8dbbbfb96b95270e6f1dcfc)
> ----
> - docs-xml/manpages/dbwrap_tool.1.xml | 4 ++--
> - 1 file changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
> -index 074d819..94ae281 100644
> ---- a/docs-xml/manpages/dbwrap_tool.1.xml
> -+++ b/docs-xml/manpages/dbwrap_tool.1.xml
> -@@ -19,7 +19,7 @@
> - <refsynopsisdiv>
> - <cmdsynopsis>
> - <command>dbwrap_tool</command>
> -- <arg choice="opt">-p|--persistent</arg>
> -+ <arg choice="opt">--persistent</arg>
> - <arg choice="opt">-d <debug level></arg>
> - <arg choice="opt">-s <config file></arg>
> - <arg choice="opt">-l <log file base></arg>
> -@@ -70,7 +70,7 @@
> -
> - <variablelist>
> - <varlistentry>
> -- <term>-p|--persistent</term>
> -+ <term>--persistent</term>
> - <listitem><para>Open the database as a persistent database.
> - If this option is not specified, the database is opened as
> - non-persistent.
> ---
> -1.9.3
> -
> -
> -From f3b8b74ff6d74fe9a0047256074e21c3363b112f Mon Sep 17 00:00:00 2001
> -From: Michael Adam <obnox@samba.org>
> -Date: Thu, 30 Jan 2014 10:29:49 +0100
> -Subject: [PATCH 229/249] dbwrap_tool: add option "--non-persistent" and force
> - excatly one of "--[non-]persistent"
> -
> -We want to force users of dbwrap_tool to explicitly specify
> -persistent or non-persistent. Otherwise, one could easily
> -by accident wipe a whole database that is actually persistent
> -but not currently opened by a samba process, just by openeing
> -the DB with the default non-persistent mode...
> -
> -Signed-off-by: Michael Adam <obnox@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit c3f93271ef447f9f16cd3002307c630c5f149f5a)
> ----
> - source3/utils/dbwrap_tool.c | 23 ++++++++++++++++++-----
> - 1 file changed, 18 insertions(+), 5 deletions(-)
> -
> -diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
> -index 406e89e..ffca6b6 100644
> ---- a/source3/utils/dbwrap_tool.c
> -+++ b/source3/utils/dbwrap_tool.c
> -@@ -411,6 +411,7 @@ int main(int argc, const char **argv)
> - enum dbwrap_type type;
> - const char *valuestr = "0";
> - int persistent = 0;
> -+ int non_persistent = 0;
> - int tdb_flags = TDB_DEFAULT;
> -
> - TALLOC_CTX *mem_ctx = talloc_stackframe();
> -@@ -420,7 +421,13 @@ int main(int argc, const char **argv)
> - struct poptOption popt_options[] = {
> - POPT_AUTOHELP
> - POPT_COMMON_SAMBA
> -- { "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
> -+ { "non-persistent", 0, POPT_ARG_NONE, &non_persistent, 0,
> -+ "treat the database as non-persistent "
> -+ "(CAVEAT: This mode might wipe your database!)",
> -+ NULL },
> -+ { "persistent", 0, POPT_ARG_NONE, &persistent, 0,
> -+ "treat the database as persistent",
> -+ NULL },
> - POPT_TABLEEND
> - };
> - int opt;
> -@@ -463,6 +470,16 @@ int main(int argc, const char **argv)
> - goto done;
> - }
> -
> -+ if ((persistent == 0 && non_persistent == 0) ||
> -+ (persistent == 1 && non_persistent == 1))
> -+ {
> -+ d_fprintf(stderr, "ERROR: you must specify exactly one "
> -+ "of --persistent and --non-persistent\n");
> -+ goto done;
> -+ } else if (non_persistent == 1) {
> -+ tdb_flags |= TDB_CLEAR_IF_FIRST;
> -+ }
> -+
> - dbname = extra_argv[0];
> - opname = extra_argv[1];
> -
> -@@ -563,10 +580,6 @@ int main(int argc, const char **argv)
> - goto done;
> - }
> -
> -- if (persistent == 0) {
> -- tdb_flags |= TDB_CLEAR_IF_FIRST;
> -- }
> --
> - switch (op) {
> - case OP_FETCH:
> - case OP_STORE:
> ---
> -1.9.3
> -
> -
> -From 7209e84e02c722365bec4e2a473c24217cbeb22b Mon Sep 17 00:00:00 2001
> -From: Michael Adam <obnox@samba.org>
> -Date: Thu, 30 Jan 2014 10:36:46 +0100
> -Subject: [PATCH 230/249] docs: document new --non-persistent option to
> - dbwrap_tool
> -
> -Signed-off-by: Michael Adam <obnox@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 1e3b352f799038ec25437db53e051dadb9d97c95)
> ----
> - docs-xml/manpages/dbwrap_tool.1.xml | 20 ++++++++++++++++++--
> - 1 file changed, 18 insertions(+), 2 deletions(-)
> -
> -diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
> -index 94ae281..ff0e478 100644
> ---- a/docs-xml/manpages/dbwrap_tool.1.xml
> -+++ b/docs-xml/manpages/dbwrap_tool.1.xml
> -@@ -20,6 +20,7 @@
> - <cmdsynopsis>
> - <command>dbwrap_tool</command>
> - <arg choice="opt">--persistent</arg>
> -+ <arg choice="opt">--non-persistent</arg>
> - <arg choice="opt">-d <debug level></arg>
> - <arg choice="opt">-s <config file></arg>
> - <arg choice="opt">-l <log file base></arg>
> -@@ -72,8 +73,23 @@
> - <varlistentry>
> - <term>--persistent</term>
> - <listitem><para>Open the database as a persistent database.
> -- If this option is not specified, the database is opened as
> -- non-persistent.
> -+ </para>
> -+ <para>
> -+ Exactly one of --persistent and --non-persistent must be
> -+ specified.
> -+ </para></listitem>
> -+ </varlistentry>
> -+ <varlistentry>
> -+ <term>--non-persistent</term>
> -+ <listitem><para>Open the database as a non-persistent database.
> -+ </para>
> -+ <para>
> -+ Caveat: opening a database as non-persistent when there
> -+ is currently no other opener will wipe the database.
> -+ </para>
> -+ <para>
> -+ Exactly one of --persistent and --non-persistent must be
> -+ specified.
> - </para></listitem>
> - </varlistentry>
> - &popt.common.samba.client;
> ---
> -1.9.3
> -
> -
> -From accf5a617055c161540384fdfe195ad9c43cd048 Mon Sep 17 00:00:00 2001
> -From: Michael Adam <obnox@samba.org>
> -Date: Thu, 30 Jan 2014 10:47:15 +0100
> -Subject: [PATCH 231/249] docs: remove extra spaces in synopsis of dbwrap_tool
> -
> -Signed-off-by: Michael Adam <obnox@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit e93f052e37e736e5776fe7f7c7d246f9ecc4b4c8)
> ----
> - docs-xml/manpages/dbwrap_tool.1.xml | 4 +---
> - 1 file changed, 1 insertion(+), 3 deletions(-)
> -
> -diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
> -index ff0e478..68a88df 100644
> ---- a/docs-xml/manpages/dbwrap_tool.1.xml
> -+++ b/docs-xml/manpages/dbwrap_tool.1.xml
> -@@ -30,9 +30,7 @@
> - <arg choice="req"><operation></arg>
> - <arg choice="opt"><key>
> - <arg choice="opt"><type>
> -- <arg choice="opt"><value></arg>
> -- </arg>
> -- </arg>
> -+ <arg choice="opt"><value></arg></arg></arg>
> - </cmdsynopsis>
> - </refsynopsisdiv>
> -
> ---
> -1.9.3
> -
> -
> -From 0e193981caa2ad9458e758a46076664d2efdb70e Mon Sep 17 00:00:00 2001
> -From: Michael Adam <obnox@samba.org>
> -Date: Fri, 24 Jan 2014 00:09:50 +0100
> -Subject: [PATCH 232/249] smbd:smb2: fix durable reconnect: set fsp->fnum from
> - the smbXsrv_open->local_id
> -
> -Originally, fsp->fnum was left at the INVALID fnum value.
> -
> -Signed-off-by: Michael Adam <obnox@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 6b2d67a345e90306f0d35402d0f4e3067a014057)
> ----
> - source3/smbd/durable.c | 1 +
> - 1 file changed, 1 insertion(+)
> -
> -diff --git a/source3/smbd/durable.c b/source3/smbd/durable.c
> -index c3d0a6f..471c5b9 100644
> ---- a/source3/smbd/durable.c
> -+++ b/source3/smbd/durable.c
> -@@ -703,6 +703,7 @@ NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
> - fsp->share_access = e->share_access;
> - fsp->can_read = ((fsp->access_mask & (FILE_READ_DATA)) != 0);
> - fsp->can_write = ((fsp->access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) != 0);
> -+ fsp->fnum = op->local_id;
> -
> - /*
> - * TODO:
> ---
> -1.9.3
> -
> -
> -From dbc1d6f8479cf84c714c4ed6b69df2a3673d0a46 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 24 Dec 2013 09:00:01 +0100
> -Subject: [PATCH 233/249] s3:smbd: skip empty records in smbXsrv_open_cleanup()
> -
> -This should avoid scary ndr_pull errors, if there's
> -a cleanup race.
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Michael Adam <obnox@samba.org>
> -
> -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> -Autobuild-Date(master): Thu Jan 30 18:49:37 CET 2014 on sn-devel-104
> -(cherry picked from commit 0b23345676c6f02d5bb1a327174d8456705ec0c7)
> ----
> - source3/smbd/smbXsrv_open.c | 9 +++++++++
> - 1 file changed, 9 insertions(+)
> -
> -diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
> -index 27dd50c..29c172c 100644
> ---- a/source3/smbd/smbXsrv_open.c
> -+++ b/source3/smbd/smbXsrv_open.c
> -@@ -1380,6 +1380,7 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
> - struct smbXsrv_open_global0 *op = NULL;
> - uint8_t key_buf[SMBXSRV_OPEN_GLOBAL_TDB_KEY_SIZE];
> - TDB_DATA key;
> -+ TDB_DATA val;
> - struct db_record *rec;
> - bool delete_open = false;
> - uint32_t global_id = persistent_id & UINT32_MAX;
> -@@ -1395,6 +1396,14 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
> - goto done;
> - }
> -
> -+ val = dbwrap_record_get_value(rec);
> -+ if (val.dsize == 0) {
> -+ DEBUG(10, ("smbXsrv_open_cleanup[global: 0x%08x] "
> -+ "empty record in %s, skipping...\n",
> -+ global_id, dbwrap_name(smbXsrv_open_global_db_ctx)));
> -+ goto done;
> -+ }
> -+
> - status = smbXsrv_open_global_parse_record(talloc_tos(), rec, &op);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(1, ("smbXsrv_open_cleanup[global: 0x%08x] "
> ---
> -1.9.3
> -
> -
> -From 838d9da4a7fe6c90ba7cae6563f0af5d8b6cf6d5 Mon Sep 17 00:00:00 2001
> -From: Michael Adam <obnox@samba.org>
> -Date: Mon, 27 Jan 2014 13:38:51 +0100
> -Subject: [PATCH 234/249] dbwrap: add flags DBWRAP_FLAG_NONE
> -
> -This is in preparation of adding a dbwrap_flags argument to db_open
> -and firends.
> -
> -Signed-off-by: Michael Adam <obnox@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 229dcfd3501e4743d5d9aea5c9f7a97d7612a499)
> ----
> - lib/dbwrap/dbwrap.h | 2 ++
> - 1 file changed, 2 insertions(+)
> -
> -diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
> -index 8bf3286..4064ba2 100644
> ---- a/lib/dbwrap/dbwrap.h
> -+++ b/lib/dbwrap/dbwrap.h
> -@@ -32,6 +32,8 @@ enum dbwrap_lock_order {
> - };
> - #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
> -
> -+#define DBWRAP_FLAG_NONE 0x0000000000000000ULL
> -+
> - /* The following definitions come from lib/dbwrap.c */
> -
> - TDB_DATA dbwrap_record_get_key(const struct db_record *rec);
> ---
> -1.9.3
> -
> -
> -From 868d8e2fa389ab0c697e9a70a4373908aa7df80b Mon Sep 17 00:00:00 2001
> -From: Michael Adam <obnox@samba.org>
> -Date: Mon, 27 Jan 2014 14:49:12 +0100
> -Subject: [PATCH 235/249] dbwrap: add a dbwrap_flags argument to db_open()
> -
> -This is in preparation to support handing flags to backends,
> -in particular activating read only record support for ctdb
> -databases. For a start, this does nothing but adding the
> -parameter, and all databases use DBWRAP_FLAG_NONE.
> -
> -Signed-off-by: Michael Adam <obnox@samba.org>
> -(similar to commit cf0cb0add9ed47b8974272237fee0e1a4ba7bf68)
> ----
> - source3/groupdb/mapping_tdb.c | 2 +-
> - source3/lib/dbwrap/dbwrap_open.c | 3 ++-
> - source3/lib/dbwrap/dbwrap_open.h | 3 ++-
> - source3/lib/dbwrap/dbwrap_watch.c | 3 ++-
> - source3/lib/g_lock.c | 3 ++-
> - source3/lib/serverid.c | 3 ++-
> - source3/lib/sharesec.c | 2 +-
> - source3/locking/brlock.c | 2 +-
> - source3/locking/share_mode_lock.c | 2 +-
> - source3/modules/vfs_acl_tdb.c | 2 +-
> - source3/modules/vfs_xattr_tdb.c | 2 +-
> - source3/passdb/account_pol.c | 4 ++--
> - source3/passdb/pdb_tdb.c | 6 +++---
> - source3/passdb/secrets.c | 2 +-
> - source3/printing/printer_list.c | 3 ++-
> - source3/registry/reg_backend_db.c | 6 +++---
> - source3/rpc_client/cli_netlogon.c | 3 ++-
> - source3/smbd/notify_internal.c | 2 +-
> - source3/smbd/smbXsrv_open.c | 3 ++-
> - source3/smbd/smbXsrv_session.c | 3 ++-
> - source3/smbd/smbXsrv_tcon.c | 3 ++-
> - source3/smbd/smbXsrv_version.c | 3 ++-
> - source3/torture/test_dbwrap_watch.c | 3 ++-
> - source3/torture/test_idmap_tdb_common.c | 2 +-
> - source3/torture/torture.c | 3 ++-
> - source3/utils/dbwrap_tool.c | 2 +-
> - source3/utils/dbwrap_torture.c | 2 +-
> - source3/utils/net_idmap.c | 6 +++---
> - source3/utils/net_idmap_check.c | 2 +-
> - source3/utils/net_registry_check.c | 4 ++--
> - source3/utils/status.c | 2 +-
> - source3/winbindd/idmap_autorid.c | 2 +-
> - source3/winbindd/idmap_tdb.c | 2 +-
> - source3/winbindd/idmap_tdb2.c | 2 +-
> - 34 files changed, 55 insertions(+), 42 deletions(-)
> -
> -diff --git a/source3/groupdb/mapping_tdb.c b/source3/groupdb/mapping_tdb.c
> -index 088874f..0863187 100644
> ---- a/source3/groupdb/mapping_tdb.c
> -+++ b/source3/groupdb/mapping_tdb.c
> -@@ -54,7 +54,7 @@ static bool init_group_mapping(void)
> -
> - db = db_open(NULL, state_path("group_mapping.tdb"), 0,
> - TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (db == NULL) {
> - DEBUG(0, ("Failed to open group mapping database: %s\n",
> - strerror(errno)));
> -diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
> -index 515b4bf..6c9280c 100644
> ---- a/source3/lib/dbwrap/dbwrap_open.c
> -+++ b/source3/lib/dbwrap/dbwrap_open.c
> -@@ -60,7 +60,8 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
> - const char *name,
> - int hash_size, int tdb_flags,
> - int open_flags, mode_t mode,
> -- enum dbwrap_lock_order lock_order)
> -+ enum dbwrap_lock_order lock_order,
> -+ uint64_t dbwrap_flags)
> - {
> - struct db_context *result = NULL;
> - #ifdef CLUSTER_SUPPORT
> -diff --git a/source3/lib/dbwrap/dbwrap_open.h b/source3/lib/dbwrap/dbwrap_open.h
> -index 51c7dfd..d14794e 100644
> ---- a/source3/lib/dbwrap/dbwrap_open.h
> -+++ b/source3/lib/dbwrap/dbwrap_open.h
> -@@ -39,6 +39,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
> - const char *name,
> - int hash_size, int tdb_flags,
> - int open_flags, mode_t mode,
> -- enum dbwrap_lock_order lock_order);
> -+ enum dbwrap_lock_order lock_order,
> -+ uint64_t dbwrap_flags);
> -
> - #endif /* __DBWRAP_OPEN_H__ */
> -diff --git a/source3/lib/dbwrap/dbwrap_watch.c b/source3/lib/dbwrap/dbwrap_watch.c
> -index 7bdcd99..5f3d17d 100644
> ---- a/source3/lib/dbwrap/dbwrap_watch.c
> -+++ b/source3/lib/dbwrap/dbwrap_watch.c
> -@@ -34,7 +34,8 @@ static struct db_context *dbwrap_record_watchers_db(void)
> - watchers_db = db_open(
> - NULL, lock_path("dbwrap_watchers.tdb"), 0,
> - TDB_CLEAR_IF_FIRST | TDB_INCOMPATIBLE_HASH,
> -- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3);
> -+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3,
> -+ DBWRAP_FLAG_NONE);
> - }
> - return watchers_db;
> - }
> -diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
> -index 8c7a6c2..6813f06 100644
> ---- a/source3/lib/g_lock.c
> -+++ b/source3/lib/g_lock.c
> -@@ -61,7 +61,8 @@ struct g_lock_ctx *g_lock_ctx_init(TALLOC_CTX *mem_ctx,
> - result->db = db_open(result, lock_path("g_lock.tdb"), 0,
> - TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> - O_RDWR|O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_2);
> -+ DBWRAP_LOCK_ORDER_2,
> -+ DBWRAP_FLAG_NONE);
> - if (result->db == NULL) {
> - DEBUG(1, ("g_lock_init: Could not open g_lock.tdb\n"));
> - TALLOC_FREE(result);
> -diff --git a/source3/lib/serverid.c b/source3/lib/serverid.c
> -index cb49520..4259887 100644
> ---- a/source3/lib/serverid.c
> -+++ b/source3/lib/serverid.c
> -@@ -77,7 +77,8 @@ static struct db_context *serverid_db(void)
> - }
> - db = db_open(NULL, lock_path("serverid.tdb"), 0,
> - TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> -- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2);
> -+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2,
> -+ DBWRAP_FLAG_NONE);
> - return db;
> - }
> -
> -diff --git a/source3/lib/sharesec.c b/source3/lib/sharesec.c
> -index c7a8e51..095c851 100644
> ---- a/source3/lib/sharesec.c
> -+++ b/source3/lib/sharesec.c
> -@@ -149,7 +149,7 @@ bool share_info_db_init(void)
> -
> - share_db = db_open(NULL, state_path("share_info.tdb"), 0,
> - TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (share_db == NULL) {
> - DEBUG(0,("Failed to open share info database %s (%s)\n",
> - state_path("share_info.tdb"), strerror(errno) ));
> -diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
> -index 5d683dd..d88aa2d 100644
> ---- a/source3/locking/brlock.c
> -+++ b/source3/locking/brlock.c
> -@@ -292,7 +292,7 @@ void brl_init(bool read_only)
> - brlock_db = db_open(NULL, lock_path("brlock.tdb"),
> - lp_open_files_db_hash_size(), tdb_flags,
> - read_only?O_RDONLY:(O_RDWR|O_CREAT), 0644,
> -- DBWRAP_LOCK_ORDER_2);
> -+ DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
> - if (!brlock_db) {
> - DEBUG(0,("Failed to open byte range locking database %s\n",
> - lock_path("brlock.tdb")));
> -diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c
> -index 4f049bd..22f8d9a 100644
> ---- a/source3/locking/share_mode_lock.c
> -+++ b/source3/locking/share_mode_lock.c
> -@@ -67,7 +67,7 @@ static bool locking_init_internal(bool read_only)
> - lp_open_files_db_hash_size(),
> - TDB_DEFAULT|TDB_VOLATILE|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> - read_only?O_RDONLY:O_RDWR|O_CREAT, 0644,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> -
> - if (!lock_db) {
> - DEBUG(0,("ERROR: Failed to initialise locking database\n"));
> -diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
> -index 80839e3..8ee4bd5 100644
> ---- a/source3/modules/vfs_acl_tdb.c
> -+++ b/source3/modules/vfs_acl_tdb.c
> -@@ -60,7 +60,7 @@ static bool acl_tdb_init(void)
> -
> - become_root();
> - acl_db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - unbecome_root();
> -
> - if (acl_db == NULL) {
> -diff --git a/source3/modules/vfs_xattr_tdb.c b/source3/modules/vfs_xattr_tdb.c
> -index 43456cf..63a12fd 100644
> ---- a/source3/modules/vfs_xattr_tdb.c
> -+++ b/source3/modules/vfs_xattr_tdb.c
> -@@ -320,7 +320,7 @@ static bool xattr_tdb_init(int snum, TALLOC_CTX *mem_ctx, struct db_context **p_
> -
> - become_root();
> - db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_2);
> -+ DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
> - unbecome_root();
> -
> - if (db == NULL) {
> -diff --git a/source3/passdb/account_pol.c b/source3/passdb/account_pol.c
> -index c94df29..09a2d20 100644
> ---- a/source3/passdb/account_pol.c
> -+++ b/source3/passdb/account_pol.c
> -@@ -220,13 +220,13 @@ bool init_account_policy(void)
> - }
> -
> - db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT,
> -- O_RDWR, 0600, DBWRAP_LOCK_ORDER_1);
> -+ O_RDWR, 0600, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> -
> - if (db == NULL) { /* the account policies files does not exist or open
> - * failed, try to create a new one */
> - db = db_open(NULL, state_path("account_policy.tdb"), 0,
> - TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (db == NULL) {
> - DEBUG(0,("Failed to open account policy database\n"));
> - return False;
> -diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
> -index f256e6c..162083f 100644
> ---- a/source3/passdb/pdb_tdb.c
> -+++ b/source3/passdb/pdb_tdb.c
> -@@ -226,7 +226,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
> -
> - tmp_db = db_open(NULL, tmp_fname, 0,
> - TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (tmp_db == NULL) {
> - DEBUG(0, ("tdbsam_convert_backup: Failed to create backup TDB passwd "
> - "[%s]\n", tmp_fname));
> -@@ -293,7 +293,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
> -
> - orig_db = db_open(NULL, dbname, 0,
> - TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (orig_db == NULL) {
> - DEBUG(0, ("tdbsam_convert_backup: Failed to re-open "
> - "converted passdb TDB [%s]\n", dbname));
> -@@ -444,7 +444,7 @@ static bool tdbsam_open( const char *name )
> - /* Try to open tdb passwd. Create a new one if necessary */
> -
> - db_sam = db_open(NULL, name, 0, TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (db_sam == NULL) {
> - DEBUG(0, ("tdbsam_open: Failed to open/create TDB passwd "
> - "[%s]\n", name));
> -diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
> -index 548b030..bff9a0d 100644
> ---- a/source3/passdb/secrets.c
> -+++ b/source3/passdb/secrets.c
> -@@ -79,7 +79,7 @@ bool secrets_init_path(const char *private_dir, bool use_ntdb)
> -
> - db_ctx = db_open(NULL, fname, 0,
> - TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> -
> - if (db_ctx == NULL) {
> - DEBUG(0,("Failed to open %s\n", fname));
> -diff --git a/source3/printing/printer_list.c b/source3/printing/printer_list.c
> -index 815f89f..9a9fa0b 100644
> ---- a/source3/printing/printer_list.c
> -+++ b/source3/printing/printer_list.c
> -@@ -40,7 +40,8 @@ static struct db_context *get_printer_list_db(void)
> - }
> - db = db_open(NULL, PL_DB_NAME(), 0,
> - TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> -- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1);
> -+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1,
> -+ DBWRAP_FLAG_NONE);
> - return db;
> - }
> -
> -diff --git a/source3/registry/reg_backend_db.c b/source3/registry/reg_backend_db.c
> -index 3e561eb..fdaf576 100644
> ---- a/source3/registry/reg_backend_db.c
> -+++ b/source3/registry/reg_backend_db.c
> -@@ -732,11 +732,11 @@ WERROR regdb_init(void)
> -
> - regdb = db_open(NULL, state_path("registry.tdb"), 0,
> - REG_TDB_FLAGS, O_RDWR, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (!regdb) {
> - regdb = db_open(NULL, state_path("registry.tdb"), 0,
> - REG_TDB_FLAGS, O_RDWR|O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (!regdb) {
> - werr = ntstatus_to_werror(map_nt_error_from_unix(errno));
> - DEBUG(1,("regdb_init: Failed to open registry %s (%s)\n",
> -@@ -852,7 +852,7 @@ WERROR regdb_open( void )
> -
> - regdb = db_open(NULL, state_path("registry.tdb"), 0,
> - REG_TDB_FLAGS, O_RDWR, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if ( !regdb ) {
> - result = ntstatus_to_werror( map_nt_error_from_unix( errno ) );
> - DEBUG(0,("regdb_open: Failed to open %s! (%s)\n",
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index b7b490f..9e3c1bd 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -69,7 +69,8 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
> -
> - global_db = db_open(talloc_autofree_context(), fname,
> - 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> -- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
> -+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
> -+ DBWRAP_FLAG_NONE);
> - if (global_db == NULL) {
> - TALLOC_FREE(frame);
> - return NT_STATUS_NO_MEMORY;
> -diff --git a/source3/smbd/notify_internal.c b/source3/smbd/notify_internal.c
> -index 2dc8674..67d8774 100644
> ---- a/source3/smbd/notify_internal.c
> -+++ b/source3/smbd/notify_internal.c
> -@@ -145,7 +145,7 @@ struct notify_context *notify_init(TALLOC_CTX *mem_ctx,
> - notify->db_index = db_open(
> - notify, lock_path("notify_index.tdb"),
> - 0, TDB_SEQNUM|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> -- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3);
> -+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3, DBWRAP_FLAG_NONE);
> - if (notify->db_index == NULL) {
> - goto fail;
> - }
> -diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
> -index 29c172c..830c7aa 100644
> ---- a/source3/smbd/smbXsrv_open.c
> -+++ b/source3/smbd/smbXsrv_open.c
> -@@ -64,7 +64,8 @@ NTSTATUS smbXsrv_open_global_init(void)
> - TDB_CLEAR_IF_FIRST |
> - TDB_INCOMPATIBLE_HASH,
> - O_RDWR | O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1,
> -+ DBWRAP_FLAG_NONE);
> - if (db_ctx == NULL) {
> - NTSTATUS status;
> -
> -diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c
> -index 017880c..a1ba52d 100644
> ---- a/source3/smbd/smbXsrv_session.c
> -+++ b/source3/smbd/smbXsrv_session.c
> -@@ -75,7 +75,8 @@ NTSTATUS smbXsrv_session_global_init(void)
> - TDB_CLEAR_IF_FIRST |
> - TDB_INCOMPATIBLE_HASH,
> - O_RDWR | O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1,
> -+ DBWRAP_FLAG_NONE);
> - if (db_ctx == NULL) {
> - NTSTATUS status;
> -
> -diff --git a/source3/smbd/smbXsrv_tcon.c b/source3/smbd/smbXsrv_tcon.c
> -index b6e2058..2cbd761 100644
> ---- a/source3/smbd/smbXsrv_tcon.c
> -+++ b/source3/smbd/smbXsrv_tcon.c
> -@@ -62,7 +62,8 @@ NTSTATUS smbXsrv_tcon_global_init(void)
> - TDB_CLEAR_IF_FIRST |
> - TDB_INCOMPATIBLE_HASH,
> - O_RDWR | O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1,
> -+ DBWRAP_FLAG_NONE);
> - if (db_ctx == NULL) {
> - NTSTATUS status;
> -
> -diff --git a/source3/smbd/smbXsrv_version.c b/source3/smbd/smbXsrv_version.c
> -index 8ba5e1f..b24dae9 100644
> ---- a/source3/smbd/smbXsrv_version.c
> -+++ b/source3/smbd/smbXsrv_version.c
> -@@ -80,7 +80,8 @@ NTSTATUS smbXsrv_version_global_init(const struct server_id *server_id)
> - TDB_CLEAR_IF_FIRST |
> - TDB_INCOMPATIBLE_HASH,
> - O_RDWR | O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1,
> -+ DBWRAP_FLAG_NONE);
> - if (db_ctx == NULL) {
> - status = map_nt_error_from_unix_common(errno);
> - DEBUG(0,("smbXsrv_version_global_init: "
> -diff --git a/source3/torture/test_dbwrap_watch.c b/source3/torture/test_dbwrap_watch.c
> -index 9c2a679..4e699fe 100644
> ---- a/source3/torture/test_dbwrap_watch.c
> -+++ b/source3/torture/test_dbwrap_watch.c
> -@@ -48,7 +48,8 @@ bool run_dbwrap_watch1(int dummy)
> - goto fail;
> - }
> - db = db_open(msg, "test_watch.tdb", 0, TDB_DEFAULT,
> -- O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1);
> -+ O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1,
> -+ DBWRAP_FLAG_NONE);
> - if (db == NULL) {
> - fprintf(stderr, "db_open failed: %s\n", strerror(errno));
> - goto fail;
> -diff --git a/source3/torture/test_idmap_tdb_common.c b/source3/torture/test_idmap_tdb_common.c
> -index 6f5f3c5..f7262a2 100644
> ---- a/source3/torture/test_idmap_tdb_common.c
> -+++ b/source3/torture/test_idmap_tdb_common.c
> -@@ -86,7 +86,7 @@ static bool open_db(struct idmap_tdb_common_context *ctx)
> -
> - ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT,
> - O_RDWR | O_CREAT, 0600,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> -
> - if(!ctx->db) {
> - DEBUG(0, ("Failed to open database: %s\n", strerror(errno)));
> -diff --git a/source3/torture/torture.c b/source3/torture/torture.c
> -index 2e66912..1dc3eaf 100644
> ---- a/source3/torture/torture.c
> -+++ b/source3/torture/torture.c
> -@@ -9011,7 +9011,8 @@ static bool run_local_dbtrans(int dummy)
> - TDB_DATA value;
> -
> - db = db_open(talloc_tos(), "transtest.tdb", 0, TDB_DEFAULT,
> -- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1);
> -+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1,
> -+ DBWRAP_FLAG_NONE);
> - if (db == NULL) {
> - printf("Could not open transtest.db\n");
> - return false;
> -diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
> -index ffca6b6..b56e07a 100644
> ---- a/source3/utils/dbwrap_tool.c
> -+++ b/source3/utils/dbwrap_tool.c
> -@@ -588,7 +588,7 @@ int main(int argc, const char **argv)
> - case OP_LISTKEYS:
> - case OP_EXISTS:
> - db = db_open(mem_ctx, dbname, 0, tdb_flags, O_RDWR | O_CREAT,
> -- 0644, DBWRAP_LOCK_ORDER_1);
> -+ 0644, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (db == NULL) {
> - d_fprintf(stderr, "ERROR: could not open dbname\n");
> - goto done;
> -diff --git a/source3/utils/dbwrap_torture.c b/source3/utils/dbwrap_torture.c
> -index 2741820..f748ac2 100644
> ---- a/source3/utils/dbwrap_torture.c
> -+++ b/source3/utils/dbwrap_torture.c
> -@@ -309,7 +309,7 @@ int main(int argc, const char *argv[])
> - }
> -
> - db = db_open(mem_ctx, db_name, 0, tdb_flags, O_RDWR | O_CREAT, 0644,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> -
> - if (db == NULL) {
> - d_fprintf(stderr, "failed to open db '%s': %s\n", db_name,
> -diff --git a/source3/utils/net_idmap.c b/source3/utils/net_idmap.c
> -index fbeca3e..6fc07e7 100644
> ---- a/source3/utils/net_idmap.c
> -+++ b/source3/utils/net_idmap.c
> -@@ -210,7 +210,7 @@ static int net_idmap_dump(struct net_context *c, int argc, const char **argv)
> - d_fprintf(stderr, _("dumping id mapping from %s\n"), dbfile);
> -
> - db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDONLY, 0,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (db == NULL) {
> - d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
> - dbfile, strerror(errno));
> -@@ -336,7 +336,7 @@ static int net_idmap_restore(struct net_context *c, int argc, const char **argv)
> - }
> -
> - db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (db == NULL) {
> - d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
> - dbfile, strerror(errno));
> -@@ -546,7 +546,7 @@ static int net_idmap_delete(struct net_context *c, int argc, const char **argv)
> - d_fprintf(stderr, _("deleting id mapping from %s\n"), dbfile);
> -
> - db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR, 0,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (db == NULL) {
> - d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
> - dbfile, strerror(errno));
> -diff --git a/source3/utils/net_idmap_check.c b/source3/utils/net_idmap_check.c
> -index e75c890..4b82871 100644
> ---- a/source3/utils/net_idmap_check.c
> -+++ b/source3/utils/net_idmap_check.c
> -@@ -790,7 +790,7 @@ static bool check_open_db(struct check_ctx* ctx, const char* name, int oflags)
> - }
> -
> - ctx->db = db_open(ctx, name, 0, TDB_DEFAULT, oflags, 0,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (ctx->db == NULL) {
> - d_fprintf(stderr,
> - _("Could not open idmap db (%s) for writing: %s\n"),
> -diff --git a/source3/utils/net_registry_check.c b/source3/utils/net_registry_check.c
> -index 8cdb8fa..d57c2aa 100644
> ---- a/source3/utils/net_registry_check.c
> -+++ b/source3/utils/net_registry_check.c
> -@@ -338,7 +338,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
> - }
> -
> - ctx->odb = db_open(ctx, ctx->opt.output, 0, TDB_DEFAULT, oflags, 0644,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (ctx->odb == NULL) {
> - d_fprintf(stderr,
> - _("Could not open db (%s) for writing: %s\n"),
> -@@ -351,7 +351,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
> -
> - static bool check_ctx_open_input(struct check_ctx *ctx) {
> - ctx->idb = db_open(ctx, ctx->fname, 0, TDB_DEFAULT, O_RDONLY, 0,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (ctx->idb == NULL) {
> - d_fprintf(stderr,
> - _("Could not open db (%s) for reading: %s\n"),
> -diff --git a/source3/utils/status.c b/source3/utils/status.c
> -index be7c52f..1ff0e36 100644
> ---- a/source3/utils/status.c
> -+++ b/source3/utils/status.c
> -@@ -508,7 +508,7 @@ static void print_notify_recs(const char *path,
> - struct db_context *db;
> - db = db_open(NULL, lock_path("locking.tdb"), 0,
> - TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH, O_RDONLY, 0,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> -
> - if (!db) {
> - d_printf("%s not initialised\n",
> -diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
> -index 57d952e..0bd2938 100644
> ---- a/source3/winbindd/idmap_autorid.c
> -+++ b/source3/winbindd/idmap_autorid.c
> -@@ -728,7 +728,7 @@ static NTSTATUS idmap_autorid_db_init(void)
> - /* Open idmap repository */
> - autorid_db = db_open(NULL, state_path("autorid.tdb"), 0,
> - TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> -
> - if (!autorid_db) {
> - DEBUG(0, ("Unable to open idmap_autorid database '%s'\n",
> -diff --git a/source3/winbindd/idmap_tdb.c b/source3/winbindd/idmap_tdb.c
> -index cc930ff..ebff347 100644
> ---- a/source3/winbindd/idmap_tdb.c
> -+++ b/source3/winbindd/idmap_tdb.c
> -@@ -321,7 +321,7 @@ static NTSTATUS idmap_tdb_open_db(struct idmap_domain *dom)
> -
> - /* Open idmap repository */
> - db = db_open(mem_ctx, tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (!db) {
> - DEBUG(0, ("Unable to open idmap database\n"));
> - ret = NT_STATUS_UNSUCCESSFUL;
> -diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
> -index 4a9c2fe..942490d 100644
> ---- a/source3/winbindd/idmap_tdb2.c
> -+++ b/source3/winbindd/idmap_tdb2.c
> -@@ -114,7 +114,7 @@ static NTSTATUS idmap_tdb2_open_db(struct idmap_domain *dom)
> -
> - /* Open idmap repository */
> - ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
> -- DBWRAP_LOCK_ORDER_1);
> -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - TALLOC_FREE(db_path);
> -
> - if (ctx->db == NULL) {
> ---
> -1.9.3
> -
> -
> -From b904731a81df57b3d33fe0c35663bc47d061d744 Mon Sep 17 00:00:00 2001
> -From: Michael Adam <obnox@samba.org>
> -Date: Tue, 28 Jan 2014 12:53:24 +0100
> -Subject: [PATCH 236/249] dbwrap: add a dbwrap_flags argument to db_open_ctdb()
> -
> -This is in preparation of directly supporting ctdb read only
> -record copies when opening a ctdb database from samba.
> -
> -Signed-off-by: Michael Adam <obnox@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 6def1c3f6e145abcc81ea69505133bbe128eacac)
> ----
> - source3/lib/dbwrap/dbwrap_ctdb.c | 6 ++++--
> - source3/lib/dbwrap/dbwrap_ctdb.h | 3 ++-
> - source3/lib/dbwrap/dbwrap_open.c | 2 +-
> - source3/torture/test_dbwrap_ctdb.c | 2 +-
> - 4 files changed, 8 insertions(+), 5 deletions(-)
> -
> -diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
> -index 5a473f9..af7a72f 100644
> ---- a/source3/lib/dbwrap/dbwrap_ctdb.c
> -+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
> -@@ -1498,7 +1498,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
> - const char *name,
> - int hash_size, int tdb_flags,
> - int open_flags, mode_t mode,
> -- enum dbwrap_lock_order lock_order)
> -+ enum dbwrap_lock_order lock_order,
> -+ uint64_t dbwrap_flags)
> - {
> - struct db_context *result;
> - struct db_ctdb_ctx *db_ctdb;
> -@@ -1624,7 +1625,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
> - const char *name,
> - int hash_size, int tdb_flags,
> - int open_flags, mode_t mode,
> -- enum dbwrap_lock_order lock_order)
> -+ enum dbwrap_lock_order lock_order,
> -+ uint64_t dbwrap_flags)
> - {
> - DEBUG(3, ("db_open_ctdb: no cluster support!\n"));
> - errno = ENOSYS;
> -diff --git a/source3/lib/dbwrap/dbwrap_ctdb.h b/source3/lib/dbwrap/dbwrap_ctdb.h
> -index bfbe3bd..3196b91 100644
> ---- a/source3/lib/dbwrap/dbwrap_ctdb.h
> -+++ b/source3/lib/dbwrap/dbwrap_ctdb.h
> -@@ -31,6 +31,7 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
> - const char *name,
> - int hash_size, int tdb_flags,
> - int open_flags, mode_t mode,
> -- enum dbwrap_lock_order lock_order);
> -+ enum dbwrap_lock_order lock_order,
> -+ uint64_t dbwrap_flags);
> -
> - #endif /* __DBWRAP_CTDB_H__ */
> -diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
> -index 6c9280c..61324f7 100644
> ---- a/source3/lib/dbwrap/dbwrap_open.c
> -+++ b/source3/lib/dbwrap/dbwrap_open.c
> -@@ -104,7 +104,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
> - if (lp_parm_bool(-1, "ctdb", partname, True)) {
> - result = db_open_ctdb(mem_ctx, partname, hash_size,
> - tdb_flags, open_flags, mode,
> -- lock_order);
> -+ lock_order, dbwrap_flags);
> - if (result == NULL) {
> - DEBUG(0,("failed to attach to ctdb %s\n",
> - partname));
> -diff --git a/source3/torture/test_dbwrap_ctdb.c b/source3/torture/test_dbwrap_ctdb.c
> -index f7672ba..d7380b1 100644
> ---- a/source3/torture/test_dbwrap_ctdb.c
> -+++ b/source3/torture/test_dbwrap_ctdb.c
> -@@ -32,7 +32,7 @@ bool run_local_dbwrap_ctdb(int dummy)
> - uint32_t val;
> -
> - db = db_open_ctdb(talloc_tos(), "torture.tdb", 0, TDB_DEFAULT,
> -- O_RDWR, 0755, DBWRAP_LOCK_ORDER_1);
> -+ O_RDWR, 0755, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> - if (db == NULL) {
> - perror("db_open_ctdb failed");
> - goto fail;
> ---
> -1.9.3
> -
> -
> -From 4f2d14112981d03000b533458e2e60a032d052de Mon Sep 17 00:00:00 2001
> -From: Michael Adam <obnox@samba.org>
> -Date: Tue, 28 Jan 2014 11:31:44 +0100
> -Subject: [PATCH 237/249] dbwrap: add DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
> -
> -Signed-off-by: Michael Adam <obnox@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 56bd4040889dfe492ff820497b7a6d76624a6048)
> ----
> - lib/dbwrap/dbwrap.h | 1 +
> - 1 file changed, 1 insertion(+)
> -
> -diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
> -index 4064ba2..02b4405 100644
> ---- a/lib/dbwrap/dbwrap.h
> -+++ b/lib/dbwrap/dbwrap.h
> -@@ -33,6 +33,7 @@ enum dbwrap_lock_order {
> - #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
> -
> - #define DBWRAP_FLAG_NONE 0x0000000000000000ULL
> -+#define DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS 0x0000000000000001ULL
> -
> - /* The following definitions come from lib/dbwrap.c */
> -
> ---
> -1.9.3
> -
> -
> -From a007f8f7f627c4347f48bd2446637aab137e0608 Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 28 Jan 2014 21:24:22 +0100
> -Subject: [PATCH 238/249] dbwrap_ctdb: implement
> - DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
> -
> -For non-persistent databases we try to use CTDB_CONTROL_SET_DB_READONLY
> -in order to make use of readonly records.
> -
> -Pair-Programmed-With: Michael Adam <obnox@samba.org>
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Signed-off-by: Michael Adam <obnox@samba.org>
> -(cherry picked from commit a97b588b63f437d25c4344c76014326dbf0cbdb0)
> ----
> - source3/lib/dbwrap/dbwrap_ctdb.c | 21 +++++++++++++++++++++
> - 1 file changed, 21 insertions(+)
> -
> -diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
> -index af7a72f..3dc86d1 100644
> ---- a/source3/lib/dbwrap/dbwrap_ctdb.c
> -+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
> -@@ -1578,6 +1578,27 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
> - return NULL;
> - }
> -
> -+#ifdef HAVE_CTDB_WANT_READONLY_DECL
> -+ if (!result->persistent &&
> -+ (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS))
> -+ {
> -+ TDB_DATA indata;
> -+
> -+ indata = make_tdb_data((uint8_t *)&db_ctdb->db_id,
> -+ sizeof(db_ctdb->db_id));
> -+
> -+ status = ctdbd_control_local(
> -+ conn, CTDB_CONTROL_SET_DB_READONLY, 0, 0, indata,
> -+ NULL, NULL, &cstatus);
> -+ if (!NT_STATUS_IS_OK(status) || (cstatus != 0)) {
> -+ DEBUG(1, ("CTDB_CONTROL_SET_DB_READONLY failed: "
> -+ "%s, %d\n", nt_errstr(status), cstatus));
> -+ TALLOC_FREE(result);
> -+ return NULL;
> -+ }
> -+ }
> -+#endif
> -+
> - lp_ctx = loadparm_init_s3(db_path, loadparm_s3_helpers());
> -
> - db_ctdb->wtdb = tdb_wrap_open(db_ctdb, db_path, hash_size, tdb_flags,
> ---
> -1.9.3
> -
> -
> -From d1ea222d46a594d45422eacccbd655d7e488792a Mon Sep 17 00:00:00 2001
> -From: Stefan Metzmacher <metze@samba.org>
> -Date: Tue, 28 Jan 2014 21:31:17 +0100
> -Subject: [PATCH 239/249] dbwrap_open: add 'dbwrap_optimize_readonly:* = yes'
> - option
> -
> -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> -Reviewed-by: Michael Adam <obnox@samba.org>
> -(cherry picked from commit a20c977c7a58a0c09d01bfa046c00fcd3f1462de)
> ----
> - source3/lib/dbwrap/dbwrap_open.c | 25 +++++++++++++++++++++++++
> - 1 file changed, 25 insertions(+)
> -
> -diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
> -index 61324f7..7f3cddf 100644
> ---- a/source3/lib/dbwrap/dbwrap_open.c
> -+++ b/source3/lib/dbwrap/dbwrap_open.c
> -@@ -81,6 +81,31 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
> - return NULL;
> - }
> -
> -+ if (tdb_flags & TDB_CLEAR_IF_FIRST) {
> -+ const char *base;
> -+ bool try_readonly = false;
> -+
> -+ base = strrchr_m(name, '/');
> -+ if (base != NULL) {
> -+ base += 1;
> -+ } else {
> -+ base = name;
> -+ }
> -+
> -+ if (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS) {
> -+ try_readonly = true;
> -+ }
> -+
> -+ try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", "*", try_readonly);
> -+ try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", base, try_readonly);
> -+
> -+ if (try_readonly) {
> -+ dbwrap_flags |= DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
> -+ } else {
> -+ dbwrap_flags &= ~DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
> -+ }
> -+ }
> -+
> - #ifdef CLUSTER_SUPPORT
> - sockname = lp_ctdbd_socket();
> -
> ---
> -1.9.3
> -
> -
> -From ce06399f9fab90623a2166d69f1bbfc46f124d73 Mon Sep 17 00:00:00 2001
> -From: Michael Adam <obnox@samba.org>
> -Date: Mon, 27 Jan 2014 16:21:14 +0100
> -Subject: [PATCH 240/249] s3:rpc_client: optimize the netlogon_creds_cli.tdb
> - for read-only access
> -
> -Usually a record in this DB will be written once and then read
> -many times by winbindd processes on multiple nodes (when run in
> -a cluster). In order not to introduce a big performance penalty
> -with the increased correctness achieved by storing the netlogon
> -creds, in a cluster setup, we should activate ctdb's read only
> -record copies on this db.
> -
> -Signed-off-by: Michael Adam <obnox@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -(cherry picked from commit 020fab300d2f4f19301eff19ad810c71f77bbb78)
> ----
> - source3/rpc_client/cli_netlogon.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index 9e3c1bd..746c7b6 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -70,7 +70,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
> - global_db = db_open(talloc_autofree_context(), fname,
> - 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> - O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
> -- DBWRAP_FLAG_NONE);
> -+ DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS);
> - if (global_db == NULL) {
> - TALLOC_FREE(frame);
> - return NT_STATUS_NO_MEMORY;
> ---
> -1.9.3
> -
> -
> -From e39b8c0e22e609db117285d47cdbd1d854fe8d02 Mon Sep 17 00:00:00 2001
> -From: Ira Cooper <ira@samba.org>
> -Date: Thu, 13 Feb 2014 14:45:23 -0500
> -Subject: [PATCH 241/249] libcli: Overflow array index read possible, in auth
> - code.
> -
> -Changed the if condtion to detect when we'd improperly overflow.
> -
> -Coverity-Id: 1167990
> -Signed-off-by: Ira Cooper <ira@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> -
> -Autobuild-User(master): Ira Cooper <ira@samba.org>
> -Autobuild-Date(master): Mon Feb 24 11:56:38 CET 2014 on sn-devel-104
> -
> -(cherry picked from commit 8cd8aa6686c21e8c43a6d14c0ae1a21954d6e8cd)
> ----
> - libcli/auth/netlogon_creds_cli.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> -index 88893ad..e3cf91c 100644
> ---- a/libcli/auth/netlogon_creds_cli.c
> -+++ b/libcli/auth/netlogon_creds_cli.c
> -@@ -1769,7 +1769,7 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
> - uint32_t ofs = 512 - len;
> - uint8_t *p;
> -
> -- if (ofs < 12) {
> -+ if (len > 500) {
> - tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> - return tevent_req_post(req, ev);
> - }
> ---
> -1.9.3
> -
> -
> -From 4e15aa86c44e906ca30cfa4589e4f45f23625953 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Tue, 15 Jul 2014 08:28:42 +0200
> -Subject: [PATCH 242/249] s3-rpc_client: return info3 in
> - rpccli_netlogon_password_logon().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/rpc_client/cli_netlogon.c | 103 +++++++++++++++++++++-----------------
> - source3/rpc_client/cli_netlogon.h | 4 +-
> - source3/rpcclient/cmd_netlogon.c | 5 +-
> - 3 files changed, 64 insertions(+), 48 deletions(-)
> -
> -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> -index 746c7b6..7063351 100644
> ---- a/source3/rpc_client/cli_netlogon.c
> -+++ b/source3/rpc_client/cli_netlogon.c
> -@@ -193,16 +193,65 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> - return NT_STATUS_OK;
> - }
> -
> -+static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> -+ uint16_t validation_level,
> -+ union netr_Validation *validation,
> -+ struct netr_SamInfo3 **info3_p)
> -+{
> -+ struct netr_SamInfo3 *info3;
> -+ NTSTATUS status;
> -+
> -+ if (validation == NULL) {
> -+ return NT_STATUS_INVALID_PARAMETER;
> -+ }
> -+
> -+ switch (validation_level) {
> -+ case 3:
> -+ if (validation->sam3 == NULL) {
> -+ return NT_STATUS_INVALID_PARAMETER;
> -+ }
> -+
> -+ info3 = talloc_move(mem_ctx, &validation->sam3);
> -+ break;
> -+ case 6:
> -+ if (validation->sam6 == NULL) {
> -+ return NT_STATUS_INVALID_PARAMETER;
> -+ }
> -+
> -+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
> -+ if (info3 == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(info3);
> -+ return status;
> -+ }
> -+
> -+ info3->sidcount = validation->sam6->sidcount;
> -+ info3->sids = talloc_move(info3, &validation->sam6->sids);
> -+ break;
> -+ default:
> -+ return NT_STATUS_BAD_VALIDATION_CLASS;
> -+ }
> -+
> -+ *info3_p = info3;
> -+
> -+ return NT_STATUS_OK;
> -+}
> -+
> - /* Logon domain user */
> -
> - NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> - struct dcerpc_binding_handle *binding_handle,
> -+ TALLOC_CTX *mem_ctx,
> - uint32_t logon_parameters,
> - const char *domain,
> - const char *username,
> - const char *password,
> - const char *workstation,
> -- enum netr_LogonInfoClass logon_type)
> -+ enum netr_LogonInfoClass logon_type,
> -+ struct netr_SamInfo3 **info3)
> - {
> - TALLOC_CTX *frame = talloc_stackframe();
> - NTSTATUS status;
> -@@ -320,57 +369,19 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
> - &validation,
> - &authoritative,
> - &flags);
> -- TALLOC_FREE(frame);
> - if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(frame);
> - return status;
> - }
> -
> -- return NT_STATUS_OK;
> --}
> --
> --static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> -- uint16_t validation_level,
> -- union netr_Validation *validation,
> -- struct netr_SamInfo3 **info3_p)
> --{
> -- struct netr_SamInfo3 *info3;
> -- NTSTATUS status;
> --
> -- if (validation == NULL) {
> -- return NT_STATUS_INVALID_PARAMETER;
> -- }
> --
> -- switch (validation_level) {
> -- case 3:
> -- if (validation->sam3 == NULL) {
> -- return NT_STATUS_INVALID_PARAMETER;
> -- }
> --
> -- info3 = talloc_move(mem_ctx, &validation->sam3);
> -- break;
> -- case 6:
> -- if (validation->sam6 == NULL) {
> -- return NT_STATUS_INVALID_PARAMETER;
> -- }
> --
> -- info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
> -- if (info3 == NULL) {
> -- return NT_STATUS_NO_MEMORY;
> -- }
> -- status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
> -- if (!NT_STATUS_IS_OK(status)) {
> -- TALLOC_FREE(info3);
> -- return status;
> -- }
> --
> -- info3->sidcount = validation->sam6->sidcount;
> -- info3->sids = talloc_move(info3, &validation->sam6->sids);
> -- break;
> -- default:
> -- return NT_STATUS_BAD_VALIDATION_CLASS;
> -+ status = map_validation_to_info3(mem_ctx,
> -+ validation_level, validation,
> -+ info3);
> -+ TALLOC_FREE(frame);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> - }
> -
> -- *info3_p = info3;
> -
> - return NT_STATUS_OK;
> - }
> -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> -index 61fed4a..fee0801 100644
> ---- a/source3/rpc_client/cli_netlogon.h
> -+++ b/source3/rpc_client/cli_netlogon.h
> -@@ -45,12 +45,14 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> - const struct samr_Password *previous_nt_hash);
> - NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> - struct dcerpc_binding_handle *binding_handle,
> -+ TALLOC_CTX *mem_ctx,
> - uint32_t logon_parameters,
> - const char *domain,
> - const char *username,
> - const char *password,
> - const char *workstation,
> -- enum netr_LogonInfoClass logon_type);
> -+ enum netr_LogonInfoClass logon_type,
> -+ struct netr_SamInfo3 **info3);
> - NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> - struct dcerpc_binding_handle *binding_handle,
> - TALLOC_CTX *mem_ctx,
> -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> -index b637b3e..2d1c351 100644
> ---- a/source3/rpcclient/cmd_netlogon.c
> -+++ b/source3/rpcclient/cmd_netlogon.c
> -@@ -778,6 +778,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> - const char *username, *password;
> - uint32 logon_param = 0;
> - const char *workstation = NULL;
> -+ struct netr_SamInfo3 *info3 = NULL;
> -
> - /* Check arguments */
> -
> -@@ -803,12 +804,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> -
> - result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
> - cli->binding_handle,
> -+ mem_ctx,
> - logon_param,
> - lp_workgroup(),
> - username,
> - password,
> - workstation,
> -- logon_type);
> -+ logon_type,
> -+ &info3);
> - if (!NT_STATUS_IS_OK(result))
> - goto done;
> -
> ---
> -1.9.3
> -
> -
> -From 3459fada96951a57a787944aedc01caabe873c9d Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Tue, 15 Jul 2014 08:29:55 +0200
> -Subject: [PATCH 243/249] s3-winbindd: call interactive samlogon via
> - rpccli_netlogon_password_logon.
> -
> -Guenther
> -
> -Signed-off-by: Guenther Deschner <gd@samba.org>
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -
> -Conflicts:
> - source3/winbindd/winbindd_pam.c
> ----
> - source3/winbindd/winbindd_pam.c | 45 +++++++++++++++++++++++++++++------------
> - 1 file changed, 32 insertions(+), 13 deletions(-)
> -
> -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> -index 3f3ec70..2a1b74a 100644
> ---- a/source3/winbindd/winbindd_pam.c
> -+++ b/source3/winbindd/winbindd_pam.c
> -@@ -1214,11 +1214,13 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> - uint32_t logon_parameters,
> - const char *server,
> - const char *username,
> -+ const char *password,
> - const char *domainname,
> - const char *workstation,
> - const uint8_t chal[8],
> - DATA_BLOB lm_response,
> - DATA_BLOB nt_response,
> -+ bool interactive,
> - struct netr_SamInfo3 **info3)
> - {
> - int attempts = 0;
> -@@ -1278,19 +1280,32 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> - }
> - netr_attempts = 0;
> -
> -- result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
> -- netlogon_pipe->binding_handle,
> -- mem_ctx,
> -- logon_parameters,
> -- username,
> -- domainname,
> -- workstation,
> -- chal,
> -- lm_response,
> -- nt_response,
> -- &authoritative,
> -- &flags,
> -- info3);
> -+ if (interactive && username != NULL && password != NULL) {
> -+ result = rpccli_netlogon_password_logon(domain->conn.netlogon_creds,
> -+ netlogon_pipe->binding_handle,
> -+ mem_ctx,
> -+ logon_parameters,
> -+ domainname,
> -+ username,
> -+ password,
> -+ workstation,
> -+ NetlogonInteractiveInformation,
> -+ info3);
> -+ } else {
> -+ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
> -+ netlogon_pipe->binding_handle,
> -+ mem_ctx,
> -+ logon_parameters,
> -+ username,
> -+ domainname,
> -+ workstation,
> -+ chal,
> -+ lm_response,
> -+ nt_response,
> -+ &authoritative,
> -+ &flags,
> -+ info3);
> -+ }
> -
> - /*
> - * we increment this after the "feature negotiation"
> -@@ -1433,11 +1448,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
> - 0,
> - domain->dcname,
> - name_user,
> -+ pass,
> - name_domain,
> - lp_netbios_name(),
> - chal,
> - lm_resp,
> - nt_resp,
> -+ true, /* interactive */
> - &my_info3);
> - if (!NT_STATUS_IS_OK(result)) {
> - goto done;
> -@@ -1856,12 +1873,14 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
> - state->request->data.auth_crap.logon_parameters,
> - domain->dcname,
> - name_user,
> -+ NULL, /* password */
> - name_domain,
> - /* Bug #3248 - found by Stefan Burkei. */
> - workstation, /* We carefully set this above so use it... */
> - state->request->data.auth_crap.chal,
> - lm_resp,
> - nt_resp,
> -+ false, /* interactive */
> - &info3);
> - if (!NT_STATUS_IS_OK(result)) {
> - goto done;
> ---
> -1.9.3
> -
> -
> -From ad27b750ea3766581e528a41c132bb57927cc64c Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Mon, 7 Jul 2014 17:14:37 +0200
> -Subject: [PATCH 244/249] s3-winbindd: add wcache_query_user_fullname().
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -This helper function is used to query the full name of a cached user object (for
> -further gecos processing).
> -
> -Thanks to Matt Rogers <mrogers@redhat.com>.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
> -
> -Guenther
> -
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/winbindd/winbindd_cache.c | 34 ++++++++++++++++++++++++++++++++++
> - source3/winbindd/winbindd_proto.h | 4 ++++
> - 2 files changed, 38 insertions(+)
> -
> -diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
> -index 59ce515..d1e10e6c 100644
> ---- a/source3/winbindd/winbindd_cache.c
> -+++ b/source3/winbindd/winbindd_cache.c
> -@@ -2309,6 +2309,40 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
> - return status;
> - }
> -
> -+
> -+/**
> -+* @brief Query a fullname from the username cache (for further gecos processing)
> -+*
> -+* @param domain A pointer to the winbindd_domain struct.
> -+* @param mem_ctx The talloc context.
> -+* @param user_sid The user sid.
> -+* @param full_name A pointer to the full_name string.
> -+*
> -+* @return NTSTATUS code
> -+*/
> -+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
> -+ TALLOC_CTX *mem_ctx,
> -+ const struct dom_sid *user_sid,
> -+ const char **full_name)
> -+{
> -+ NTSTATUS status;
> -+ struct wbint_userinfo info;
> -+
> -+ status = wcache_query_user(domain, mem_ctx, user_sid, &info);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ if (info.full_name != NULL) {
> -+ *full_name = talloc_strdup(mem_ctx, info.full_name);
> -+ if (*full_name == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ }
> -+
> -+ return NT_STATUS_OK;
> -+}
> -+
> - /* Lookup user information from a rid */
> - static NTSTATUS query_user(struct winbindd_domain *domain,
> - TALLOC_CTX *mem_ctx,
> -diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
> -index cfc19d0..cfb7812 100644
> ---- a/source3/winbindd/winbindd_proto.h
> -+++ b/source3/winbindd/winbindd_proto.h
> -@@ -105,6 +105,10 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
> - TALLOC_CTX *mem_ctx,
> - const struct dom_sid *user_sid,
> - struct wbint_userinfo *info);
> -+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
> -+ TALLOC_CTX *mem_ctx,
> -+ const struct dom_sid *user_sid,
> -+ const char **full_name);
> - NTSTATUS wcache_lookup_useraliases(struct winbindd_domain *domain,
> - TALLOC_CTX *mem_ctx,
> - uint32 num_sids, const struct dom_sid *sids,
> ---
> -1.9.3
> -
> -
> -From e89ca0b90887930a2f86dcaa4f6d3d05565f919c Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Mon, 7 Jul 2014 17:16:32 +0200
> -Subject: [PATCH 245/249] s3-winbindd: use wcache_query_user_fullname after
> - inspecting samlogon cache.
> -
> -The reason for this followup query is that very often the samlogon cache only
> -contains a info3 netlogon user structure that has been retrieved during a
> -netlogon samlogon authentication using "network" logon level. With that logon
> -level only a few info3 fields are filled in; the user's fullname is never filled
> -in that case. This is problematic when the cache is used to fill in the user's
> -gecos field (for NSS queries). When we have retrieved the user's fullname during
> -other queries, reuse it from the other caches.
> -
> -Thanks to Matt Rogers <mrogers@redhat.com>.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
> -
> -Guenther
> -
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Signed-off-by: Guenther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/winbindd/winbindd_ads.c | 8 ++++++++
> - source3/winbindd/winbindd_msrpc.c | 8 ++++++++
> - source3/winbindd/winbindd_pam.c | 20 ++++++++++++++++++++
> - 3 files changed, 36 insertions(+)
> -
> -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
> -index 4c26389..a20fba5 100644
> ---- a/source3/winbindd/winbindd_ads.c
> -+++ b/source3/winbindd/winbindd_ads.c
> -@@ -619,6 +619,14 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
> -
> - TALLOC_FREE(user);
> -
> -+ if (info->full_name == NULL) {
> -+ /* this might fail so we dont check the return code */
> -+ wcache_query_user_fullname(domain,
> -+ mem_ctx,
> -+ sid,
> -+ &info->full_name);
> -+ }
> -+
> - return NT_STATUS_OK;
> - }
> -
> -diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
> -index 426d64c..c097bf3 100644
> ---- a/source3/winbindd/winbindd_msrpc.c
> -+++ b/source3/winbindd/winbindd_msrpc.c
> -@@ -439,6 +439,14 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
> - user_info->full_name = talloc_strdup(user_info,
> - user->base.full_name.string);
> -
> -+ if (user_info->full_name == NULL) {
> -+ /* this might fail so we dont check the return code */
> -+ wcache_query_user_fullname(domain,
> -+ mem_ctx,
> -+ user_sid,
> -+ &user_info->full_name);
> -+ }
> -+
> - status = NT_STATUS_OK;
> - goto done;
> - }
> -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> -index 2a1b74a..bf71d97 100644
> ---- a/source3/winbindd/winbindd_pam.c
> -+++ b/source3/winbindd/winbindd_pam.c
> -@@ -1720,6 +1720,26 @@ process_result:
> - sid_compose(&user_sid, info3->base.domain_sid,
> - info3->base.rid);
> -
> -+ if (info3->base.full_name.string == NULL) {
> -+ struct netr_SamInfo3 *cached_info3;
> -+
> -+ cached_info3 = netsamlogon_cache_get(state->mem_ctx,
> -+ &user_sid);
> -+ if (cached_info3 != NULL &&
> -+ cached_info3->base.full_name.string != NULL) {
> -+ info3->base.full_name.string =
> -+ talloc_strdup(info3,
> -+ cached_info3->base.full_name.string);
> -+ } else {
> -+
> -+ /* this might fail so we dont check the return code */
> -+ wcache_query_user_fullname(domain,
> -+ info3,
> -+ &user_sid,
> -+ &info3->base.full_name.string);
> -+ }
> -+ }
> -+
> - wcache_invalidate_samlogon(find_domain_from_name(name_domain),
> - &user_sid);
> - netsamlogon_cache_store(name_user, info3);
> ---
> -1.9.3
> -
> -
> -From aa042d490b2cccb7b6cc394e024004321a6c156c Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 9 Jul 2014 13:36:06 +0200
> -Subject: [PATCH 246/249] samlogon_cache: use a talloc_stackframe inside
> - netsamlogon_cache_store.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/libsmb/samlogon_cache.c | 13 ++++---------
> - 1 file changed, 4 insertions(+), 9 deletions(-)
> -
> -diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
> -index b04cf0a..f7457ae 100644
> ---- a/source3/libsmb/samlogon_cache.c
> -+++ b/source3/libsmb/samlogon_cache.c
> -@@ -125,7 +125,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> - bool result = false;
> - struct dom_sid user_sid;
> - time_t t = time(NULL);
> -- TALLOC_CTX *mem_ctx;
> -+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
> - DATA_BLOB blob;
> - enum ndr_err_code ndr_err;
> - struct netsamlogoncache_entry r;
> -@@ -149,11 +149,6 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> -
> - /* Prepare data */
> -
> -- if (!(mem_ctx = talloc( NULL, int))) {
> -- DEBUG(0,("netsamlogon_cache_store: talloc() failed!\n"));
> -- return false;
> -- }
> --
> - /* only Samba fills in the username, not sure why NT doesn't */
> - /* so we fill it in since winbindd_getpwnam() makes use of it */
> -
> -@@ -168,11 +163,11 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> - NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
> - }
> -
> -- ndr_err = ndr_push_struct_blob(&blob, mem_ctx, &r,
> -+ ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r,
> - (ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry);
> - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> - DEBUG(0,("netsamlogon_cache_store: failed to push entry to cache\n"));
> -- TALLOC_FREE(mem_ctx);
> -+ TALLOC_FREE(tmp_ctx);
> - return false;
> - }
> -
> -@@ -183,7 +178,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> - result = true;
> - }
> -
> -- TALLOC_FREE(mem_ctx);
> -+ TALLOC_FREE(tmp_ctx);
> -
> - return result;
> - }
> ---
> -1.9.3
> -
> -
> -From 8283d1acec0c0afd17197339a4986975d05abf29 Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Thu, 3 Jul 2014 16:17:46 +0200
> -Subject: [PATCH 247/249] samlogon_cache: avoid overwriting
> - info3->base.full_name.string.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -This field servers as a source for the gecos field. We should not overwrite it
> -when a info3 struct from a samlogon network level gets saved in which case this
> -field is always NULL.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Guenther Deschner <gd@samba.org>
> -
> -Autobuild-User(master): Günther Deschner <gd@samba.org>
> -Autobuild-Date(master): Tue Jul 15 18:25:28 CEST 2014 on sn-devel-104
> ----
> - source3/libsmb/samlogon_cache.c | 14 ++++++++++++++
> - 1 file changed, 14 insertions(+)
> -
> -diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
> -index f7457ae..0a157d4 100644
> ---- a/source3/libsmb/samlogon_cache.c
> -+++ b/source3/libsmb/samlogon_cache.c
> -@@ -149,6 +149,20 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> -
> - /* Prepare data */
> -
> -+ if (info3->base.full_name.string == NULL) {
> -+ struct netr_SamInfo3 *cached_info3;
> -+ const char *full_name = NULL;
> -+
> -+ cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid);
> -+ if (cached_info3 != NULL) {
> -+ full_name = cached_info3->base.full_name.string;
> -+ }
> -+
> -+ if (full_name != NULL) {
> -+ info3->base.full_name.string = talloc_strdup(info3, full_name);
> -+ }
> -+ }
> -+
> - /* only Samba fills in the username, not sure why NT doesn't */
> - /* so we fill it in since winbindd_getpwnam() makes use of it */
> -
> ---
> -1.9.3
> -
> -
> -From fe9d7458001a952d1df23dcd584a1835df5d43d1 Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Thu, 3 Jul 2014 16:19:42 +0200
> -Subject: [PATCH 248/249] s3-winbind: Don't set the gecos field to NULL.
> -
> -The value is loaded from the cache anyway. So it will be set to NULL if
> -it is not available.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Guenther Deschner <gd@samba.org>
> ----
> - source3/winbindd/nss_info_template.c | 1 -
> - 1 file changed, 1 deletion(-)
> -
> -diff --git a/source3/winbindd/nss_info_template.c b/source3/winbindd/nss_info_template.c
> -index 5fdfd9b..de93803 100644
> ---- a/source3/winbindd/nss_info_template.c
> -+++ b/source3/winbindd/nss_info_template.c
> -@@ -48,7 +48,6 @@ static NTSTATUS nss_template_get_info( struct nss_domain_entry *e,
> - username */
> - *homedir = talloc_strdup( ctx, lp_template_homedir() );
> - *shell = talloc_strdup( ctx, lp_template_shell() );
> -- *gecos = NULL;
> -
> - if ( !*homedir || !*shell ) {
> - return NT_STATUS_NO_MEMORY;
> ---
> -1.9.3
> -
> -
> -From d2f3347a264bb7b8b0335404348990f52320b672 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Mon, 14 Jul 2014 18:22:26 +0200
> -Subject: [PATCH 249/249] s3-winbindd: prefer "displayName" over "name" in ads
> - user queries for the fullname.
> -
> -This makes use more consistent with security=domain as well where the gecos
> -field is also filled using the displayName field.
> -
> -Guenther
> -
> -Signed-off-by: Guenther Deschner <gd@samba.org>
> -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/winbindd/winbindd_ads.c | 16 +++++++++++-----
> - 1 file changed, 11 insertions(+), 5 deletions(-)
> -
> -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
> -index a20fba5..4b5b2fa 100644
> ---- a/source3/winbindd/winbindd_ads.c
> -+++ b/source3/winbindd/winbindd_ads.c
> -@@ -327,7 +327,10 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
> - }
> -
> - info->acct_name = ads_pull_username(ads, mem_ctx, msg);
> -- info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
> -+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
> -+ if (info->full_name == NULL) {
> -+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
> -+ }
> - info->homedir = NULL;
> - info->shell = NULL;
> - info->primary_gid = (gid_t)-1;
> -@@ -592,7 +595,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
> - struct netr_SamInfo3 *user = NULL;
> - gid_t gid = -1;
> - int ret;
> -- char *ads_name;
> -+ char *full_name;
> -
> - DEBUG(3,("ads: query_user\n"));
> -
> -@@ -704,7 +707,10 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
> - * nss_get_info_cached call. nss_get_info_cached might destroy
> - * the ads struct, potentially invalidating the ldap message.
> - */
> -- ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
> -+ full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
> -+ if (full_name == NULL) {
> -+ full_name = ads_pull_string(ads, mem_ctx, msg, "name");
> -+ }
> -
> - ads_msgfree(ads, msg);
> - msg = NULL;
> -@@ -720,9 +726,9 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
> - }
> -
> - if (info->full_name == NULL) {
> -- info->full_name = ads_name;
> -+ info->full_name = full_name;
> - } else {
> -- TALLOC_FREE(ads_name);
> -+ TALLOC_FREE(full_name);
> - }
> -
> - status = NT_STATUS_OK;
> ---
> -1.9.3
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
> deleted file mode 100644
> index 7a7bdf5..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
> +++ /dev/null
> @@ -1,97 +0,0 @@
> -From f73c906237aa0c9d45900d69d31c9b39261f062a Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Tue, 16 Sep 2014 18:02:30 +0200
> -Subject: [PATCH 1/2] lib: Add daemon_status() to util library.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> -(cherry picked from commit 9f5f5fa8ebf845c53b7a92557d7aec56ed820320)
> ----
> - lib/util/become_daemon.c | 11 +++++++++++
> - lib/util/samba_util.h | 6 ++++++
> - 2 files changed, 17 insertions(+)
> -
> -diff --git a/lib/util/become_daemon.c b/lib/util/become_daemon.c
> -index 35c8b32..688bedd 100644
> ---- a/lib/util/become_daemon.c
> -+++ b/lib/util/become_daemon.c
> -@@ -135,3 +135,14 @@ _PUBLIC_ void daemon_ready(const char *daemon)
> - #endif
> - DEBUG(0, ("STATUS=daemon '%s' finished starting up and ready to serve connections", daemon));
> - }
> -+
> -+_PUBLIC_ void daemon_status(const char *name, const char *msg)
> -+{
> -+ if (name == NULL) {
> -+ name = "Samba";
> -+ }
> -+#ifdef HAVE_SYSTEMD
> -+ sd_notifyf(0, "\nSTATUS=%s: %s", name, msg);
> -+#endif
> -+ DEBUG(0, ("STATUS=daemon '%s' : %s", name, msg));
> -+}
> -diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
> -index e3fe6a6..f4216d8 100644
> ---- a/lib/util/samba_util.h
> -+++ b/lib/util/samba_util.h
> -@@ -853,6 +853,12 @@ _PUBLIC_ void exit_daemon(const char *msg, int error);
> - **/
> - _PUBLIC_ void daemon_ready(const char *daemon);
> -
> -+/*
> -+ * Report the daemon status. For example if it is not ready to serve connections
> -+ * and is waiting for some event to happen.
> -+ */
> -+_PUBLIC_ void daemon_status(const char *name, const char *msg);
> -+
> - /**
> - * @brief Get a password from the console.
> - *
> ---
> -2.1.0
> -
> -
> -From 7fcd74039961fa0fb02934bc87ce41fd98234f1a Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Tue, 16 Sep 2014 18:03:51 +0200
> -Subject: [PATCH 2/2] nmbd: Send waiting status to systemd.
> -
> -This tells the Administrator what's going on and we should log that IPv6
> -is not supported.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> -
> -Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
> -Autobuild-Date(master): Wed Sep 17 13:16:43 CEST 2014 on sn-devel-104
> -
> -(cherry picked from commit 2df601bff0d949e66c79366b8248b9d950c0b430)
> ----
> - source3/nmbd/nmbd_subnetdb.c | 7 +++++--
> - 1 file changed, 5 insertions(+), 2 deletions(-)
> -
> -diff --git a/source3/nmbd/nmbd_subnetdb.c b/source3/nmbd/nmbd_subnetdb.c
> -index 311a240..6c483af 100644
> ---- a/source3/nmbd/nmbd_subnetdb.c
> -+++ b/source3/nmbd/nmbd_subnetdb.c
> -@@ -247,8 +247,11 @@ bool create_subnets(void)
> -
> - /* Only count IPv4, non-loopback interfaces. */
> - if (iface_count_v4_nl() == 0) {
> -- DEBUG(0,("create_subnets: No local IPv4 non-loopback interfaces !\n"));
> -- DEBUG(0,("create_subnets: Waiting for an interface to appear ...\n"));
> -+ daemon_status("nmbd",
> -+ "No local IPv4 non-loopback interfaces "
> -+ "available, waiting for interface ...");
> -+ DEBUG(0,("NOTE: NetBIOS name resolution is not supported for "
> -+ "Internet Protocol Version 6 (IPv6).\n"));
> - }
> -
> - /* We only count IPv4, non-loopback interfaces here. */
> ---
> -2.1.0
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
> deleted file mode 100644
> index 3215f2c..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
> +++ /dev/null
> @@ -1,42 +0,0 @@
> -From 23dfa2e35bec9c0f6c3d579e7dc2e1d0ce636aa2 Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Fri, 19 Sep 2014 13:33:10 +0200
> -Subject: [PATCH] nsswitch: Skip groups we were not able to map.
> -
> -If we have configured the idmap_ad backend it is possible that the user
> -is in a group without a gid set. This will result in (uid_t)-1 as the
> -gid. We return this invalid gid to NSS which is wrong.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10824
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: David Disseldorp <ddiss@samba.org>
> -
> -Autobuild-User(master): David Disseldorp <ddiss@samba.org>
> -Autobuild-Date(master): Fri Sep 19 17:57:14 CEST 2014 on sn-devel-104
> -
> -(cherry picked from commit 7f59711f076e98ece099f6b38ff6da8c80fa6d5e)
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> ----
> - nsswitch/winbind_nss_linux.c | 5 +++++
> - 1 file changed, 5 insertions(+)
> -
> -diff --git a/nsswitch/winbind_nss_linux.c b/nsswitch/winbind_nss_linux.c
> -index 8d66a74..70ede3e 100644
> ---- a/nsswitch/winbind_nss_linux.c
> -+++ b/nsswitch/winbind_nss_linux.c
> -@@ -1101,6 +1101,11 @@ _nss_winbind_initgroups_dyn(char *user, gid_t group, long int *start,
> - continue;
> - }
> -
> -+ /* Skip groups without a mapping */
> -+ if (gid_list[i] == (uid_t)-1) {
> -+ continue;
> -+ }
> -+
> - /* Filled buffer ? If so, resize. */
> -
> - if (*start == *size) {
> ---
> -2.1.0
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
> deleted file mode 100644
> index 394a640..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
> +++ /dev/null
> @@ -1,44 +0,0 @@
> -From dc6b86b93c8f059b0cc96c364ffad05c88b7d92e Mon Sep 17 00:00:00 2001
> -From: Christof Schmitt <cs@samba.org>
> -Date: Fri, 22 Aug 2014 09:15:59 -0700
> -Subject: [PATCH] s3-winbindd: Use correct realm for trusted domains in idmap child
> -
> -When authenticating users in a trusted domain, the idmap_ad module
> -always connects to a local DC instead of one in the trusted domain.
> -
> -Fix this by passing the correct realm to connect to.
> -
> -Also Comment parameters passed to ads_cached_connection_connect
> -
> -Signed-off-by: Christof Schmitt <cs@samba.org>
> -Reviewed-by: Jeremy Allison <jra@samba.org>
> -(cherry picked from commit c203c722e7e22f9146f2ecf6f42452c0e82042e4)
> ----
> - source3/winbindd/winbindd_ads.c | 11 +++++++++--
> - 1 files changed, 9 insertions(+), 2 deletions(-)
> -
> -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
> -index 4c26389..e47613e 100644
> ---- a/source3/winbindd/winbindd_ads.c
> -+++ b/source3/winbindd/winbindd_ads.c
> -@@ -187,8 +187,15 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
> - }
> - }
> -
> -- status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
> -- password, realm, 0);
> -+ status = ads_cached_connection_connect(
> -+ adsp, /* Returns ads struct. */
> -+ wb_dom->alt_name, /* realm to connect to. */
> -+ dom_name, /* 'workgroup' name for ads_init */
> -+ ldap_server, /* DNS name to connect to. */
> -+ password, /* password for auth realm. */
> -+ realm, /* realm used for krb5 ticket. */
> -+ 0); /* renewable ticket time. */
> -+
> - SAFE_FREE(realm);
> -
> - return status;
> ---
> -1.7.1
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
> deleted file mode 100644
> index a1b05b8..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
> +++ /dev/null
> @@ -1,35 +0,0 @@
> -From 0aab8ae3c137e5900d22160555bcef57cd62ca21 Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Wed, 17 Sep 2014 15:17:50 +0200
> -Subject: [PATCH 2/2] libcli: Fix a segfault calling smbXcli_req_set_pending()
> - on NULL.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10817
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Jeremy Allison <jra@samba.org>
> -
> -Autobuild-User(master): Jeremy Allison <jra@samba.org>
> -Autobuild-Date(master): Tue Sep 23 04:23:05 CEST 2014 on sn-devel-104
> -
> -(cherry picked from commit f92086f4a347dcc8fa948aa2614a2c12f1115e5a)
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> ----
> - libcli/smb/smb1cli_echo.c | 1 -
> - 1 file changed, 1 deletion(-)
> -
> -diff --git a/libcli/smb/smb1cli_echo.c b/libcli/smb/smb1cli_echo.c
> -index 4fb7c60..10dff2d 100644
> ---- a/libcli/smb/smb1cli_echo.c
> -+++ b/libcli/smb/smb1cli_echo.c
> -@@ -96,7 +96,6 @@ static void smb1cli_echo_done(struct tevent_req *subreq)
> - NULL, /* pbytes_offset */
> - NULL, /* pinbuf */
> - expected, ARRAY_SIZE(expected));
> -- TALLOC_FREE(subreq);
> - if (!NT_STATUS_IS_OK(status)) {
> - tevent_req_nterror(req, status);
> - return;
> ---
> -2.1.0
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
> deleted file mode 100644
> index 35f4d8c..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
> +++ /dev/null
> @@ -1,180 +0,0 @@
> -From 579901faf787d8d787c978324bdec87c349e3d9b Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Tue, 23 Sep 2014 14:09:41 +0200
> -Subject: [PATCH] s3-libads: Improve service principle guessing.
> -
> -If the name passed to the net command with the -S options is the long
> -hostname of the domaincontroller and not the 15 char NetBIOS name we
> -should construct a FQDN with the realm to get a Kerberos ticket.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10829
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Guenther Deschner <gd@samba.org>
> -(cherry picked from commit 83c62bd3f5945bbe295cbfbd153736d4c709b3a6)
> ----
> - source3/libads/sasl.c | 124 +++++++++++++++++++++++++++-----------------------
> - 1 file changed, 66 insertions(+), 58 deletions(-)
> -
> -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
> -index 33f4e24..1450ff1 100644
> ---- a/source3/libads/sasl.c
> -+++ b/source3/libads/sasl.c
> -@@ -714,88 +714,96 @@ static void ads_free_service_principal(struct ads_service_principal *p)
> - static ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
> - char **returned_principal)
> - {
> -+ ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY);
> - char *princ = NULL;
> -+ TALLOC_CTX *frame;
> -+ char *server = NULL;
> -+ char *realm = NULL;
> -+ int rc;
> -
> -- if (ads->server.realm && ads->server.ldap_server) {
> -- char *server, *server_realm;
> --
> -- server = SMB_STRDUP(ads->server.ldap_server);
> -- server_realm = SMB_STRDUP(ads->server.realm);
> --
> -- if (!server || !server_realm) {
> -- SAFE_FREE(server);
> -- SAFE_FREE(server_realm);
> -- return ADS_ERROR(LDAP_NO_MEMORY);
> -- }
> -+ frame = talloc_stackframe();
> -+ if (frame == NULL) {
> -+ return ADS_ERROR(LDAP_NO_MEMORY);
> -+ }
> -
> -- if (!strlower_m(server)) {
> -- SAFE_FREE(server);
> -- SAFE_FREE(server_realm);
> -- return ADS_ERROR(LDAP_NO_MEMORY);
> -+ if (ads->server.realm && ads->server.ldap_server) {
> -+ server = strlower_talloc(frame, ads->server.ldap_server);
> -+ if (server == NULL) {
> -+ goto out;
> - }
> -
> -- if (!strupper_m(server_realm)) {
> -- SAFE_FREE(server);
> -- SAFE_FREE(server_realm);
> -- return ADS_ERROR(LDAP_NO_MEMORY);
> -+ realm = strupper_talloc(frame, ads->server.realm);
> -+ if (realm == NULL) {
> -+ goto out;
> - }
> -
> -- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
> -- SAFE_FREE(server);
> -- SAFE_FREE(server_realm);
> -- return ADS_ERROR(LDAP_NO_MEMORY);
> -- }
> -+ /*
> -+ * If we got a name which is bigger than a NetBIOS name,
> -+ * but isn't a FQDN, create one.
> -+ */
> -+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
> -+ char *dnsdomain;
> -
> -- SAFE_FREE(server);
> -- SAFE_FREE(server_realm);
> -+ dnsdomain = strlower_talloc(frame, ads->server.realm);
> -+ if (dnsdomain == NULL) {
> -+ goto out;
> -+ }
> -
> -- if (!princ) {
> -- return ADS_ERROR(LDAP_NO_MEMORY);
> -+ server = talloc_asprintf(frame,
> -+ "%s.%s",
> -+ server, dnsdomain);
> -+ if (server == NULL) {
> -+ goto out;
> -+ }
> - }
> - } else if (ads->config.realm && ads->config.ldap_server_name) {
> -- char *server, *server_realm;
> --
> -- server = SMB_STRDUP(ads->config.ldap_server_name);
> -- server_realm = SMB_STRDUP(ads->config.realm);
> --
> -- if (!server || !server_realm) {
> -- SAFE_FREE(server);
> -- SAFE_FREE(server_realm);
> -- return ADS_ERROR(LDAP_NO_MEMORY);
> -+ server = strlower_talloc(frame, ads->config.ldap_server_name);
> -+ if (server == NULL) {
> -+ goto out;
> - }
> -
> -- if (!strlower_m(server)) {
> -- SAFE_FREE(server);
> -- SAFE_FREE(server_realm);
> -- return ADS_ERROR(LDAP_NO_MEMORY);
> -+ realm = strupper_talloc(frame, ads->config.realm);
> -+ if (realm == NULL) {
> -+ goto out;
> - }
> -
> -- if (!strupper_m(server_realm)) {
> -- SAFE_FREE(server);
> -- SAFE_FREE(server_realm);
> -- return ADS_ERROR(LDAP_NO_MEMORY);
> -- }
> -- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
> -- SAFE_FREE(server);
> -- SAFE_FREE(server_realm);
> -- return ADS_ERROR(LDAP_NO_MEMORY);
> -- }
> -+ /*
> -+ * If we got a name which is bigger than a NetBIOS name,
> -+ * but isn't a FQDN, create one.
> -+ */
> -+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
> -+ char *dnsdomain;
> -
> -- SAFE_FREE(server);
> -- SAFE_FREE(server_realm);
> -+ dnsdomain = strlower_talloc(frame, ads->server.realm);
> -+ if (dnsdomain == NULL) {
> -+ goto out;
> -+ }
> -
> -- if (!princ) {
> -- return ADS_ERROR(LDAP_NO_MEMORY);
> -+ server = talloc_asprintf(frame,
> -+ "%s.%s",
> -+ server, dnsdomain);
> -+ if (server == NULL) {
> -+ goto out;
> -+ }
> - }
> - }
> -
> -- if (!princ) {
> -- return ADS_ERROR(LDAP_PARAM_ERROR);
> -+ if (server == NULL || realm == NULL) {
> -+ goto out;
> -+ }
> -+
> -+ rc = asprintf(&princ, "ldap/%s@%s", server, realm);
> -+ if (rc == -1 || princ == NULL) {
> -+ status = ADS_ERROR(LDAP_PARAM_ERROR);
> -+ goto out;
> - }
> -
> - *returned_principal = princ;
> -
> -- return ADS_SUCCESS;
> -+ status = ADS_SUCCESS;
> -+out:
> -+ TALLOC_FREE(frame);
> -+ return status;
> - }
> -
> - static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
> ---
> -2.1.0
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
> deleted file mode 100644
> index 5d309f1..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
> +++ /dev/null
> @@ -1,329 +0,0 @@
> -From 1925edc67e223d73d672af48c2ebd3e5865e01d9 Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Wed, 24 Sep 2014 09:22:03 +0200
> -Subject: [PATCH 1/4] s3-libads: Add a function to retrieve the SPNs of a
> - computer account.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Guenther Deschner <gd@samba.org>
> -(cherry picked from commit 4eaa4ccbdf279f1ff6d8218b36d92aeea0114cd8)
> ----
> - source3/libads/ads_proto.h | 6 +++++
> - source3/libads/ldap.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++
> - 2 files changed, 66 insertions(+)
> -
> -diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
> -index 17a84d1..6a22807 100644
> ---- a/source3/libads/ads_proto.h
> -+++ b/source3/libads/ads_proto.h
> -@@ -87,6 +87,12 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
> - const char *name, const char **vals);
> - uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
> - uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
> -+
> -+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
> -+ ADS_STRUCT *ads,
> -+ const char *machine_name,
> -+ char ***spn_array,
> -+ size_t *num_spns);
> - ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
> - ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
> - const char *my_fqdn, const char *spn);
> -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
> -index fb99132..51a0883 100644
> ---- a/source3/libads/ldap.c
> -+++ b/source3/libads/ldap.c
> -@@ -1927,6 +1927,66 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
> - }
> -
> - /**
> -+ * @brief This gets the service principal names of an existing computer account.
> -+ *
> -+ * @param[in] mem_ctx The memory context to use to allocate the spn array.
> -+ *
> -+ * @param[in] ads The ADS context to use.
> -+ *
> -+ * @param[in] machine_name The NetBIOS name of the computer, which is used to
> -+ * identify the computer account.
> -+ *
> -+ * @param[in] spn_array A pointer to store the array for SPNs.
> -+ *
> -+ * @param[in] num_spns The number of principals stored in the array.
> -+ *
> -+ * @return 0 on success, or a ADS error if a failure occured.
> -+ */
> -+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
> -+ ADS_STRUCT *ads,
> -+ const char *machine_name,
> -+ char ***spn_array,
> -+ size_t *num_spns)
> -+{
> -+ ADS_STATUS status;
> -+ LDAPMessage *res = NULL;
> -+ char *dn;
> -+ int count;
> -+
> -+ status = ads_find_machine_acct(ads,
> -+ &res,
> -+ machine_name);
> -+ if (!ADS_ERR_OK(status)) {
> -+ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
> -+ machine_name));
> -+ return status;
> -+ }
> -+
> -+ count = ads_count_replies(ads, res);
> -+ if (count != 1) {
> -+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
> -+ goto done;
> -+ }
> -+
> -+ dn = ads_get_dn(ads, mem_ctx, res);
> -+ if (dn == NULL) {
> -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> -+ goto done;
> -+ }
> -+
> -+ *spn_array = ads_pull_strings(ads,
> -+ mem_ctx,
> -+ res,
> -+ "servicePrincipalName",
> -+ num_spns);
> -+
> -+done:
> -+ ads_msgfree(ads, res);
> -+
> -+ return status;
> -+}
> -+
> -+/**
> - * This adds a service principal name to an existing computer account
> - * (found by hostname) in AD.
> - * @param ads An initialized ADS_STRUCT
> ---
> -2.1.0
> -
> -
> -From ed3b6536e1027a26d7983942f62677aa2bc0e93c Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Wed, 24 Sep 2014 09:23:58 +0200
> -Subject: [PATCH 2/4] s3-libads: Add function to search for an element in an
> - array.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Guenther Deschner <gd@samba.org>
> -(cherry picked from commit e1ee4c8bc7018db7787dd9a0be6d3aa40a477ee2)
> ----
> - source3/libads/ads_proto.h | 2 ++
> - source3/libads/ldap.c | 31 +++++++++++++++++++++++++++++++
> - 2 files changed, 33 insertions(+)
> -
> -diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
> -index 6a22807..1e34247 100644
> ---- a/source3/libads/ads_proto.h
> -+++ b/source3/libads/ads_proto.h
> -@@ -88,6 +88,8 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
> - uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
> - uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
> -
> -+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el);
> -+
> - ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
> - ADS_STRUCT *ads,
> - const char *machine_name,
> -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
> -index 51a0883..8d104c2 100644
> ---- a/source3/libads/ldap.c
> -+++ b/source3/libads/ldap.c
> -@@ -1927,6 +1927,37 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
> - }
> -
> - /**
> -+ * @brief Search for an element in a string array.
> -+ *
> -+ * @param[in] el_array The string array to search.
> -+ *
> -+ * @param[in] num_el The number of elements in the string array.
> -+ *
> -+ * @param[in] el The string to search.
> -+ *
> -+ * @return True if found, false if not.
> -+ */
> -+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
> -+{
> -+ size_t i;
> -+
> -+ if (el_array == NULL || num_el == 0 || el == NULL) {
> -+ return false;
> -+ }
> -+
> -+ for (i = 0; i < num_el && el_array[i] != NULL; i++) {
> -+ int cmp;
> -+
> -+ cmp = strcasecmp_m(el_array[i], el);
> -+ if (cmp == 0) {
> -+ return true;
> -+ }
> -+ }
> -+
> -+ return false;
> -+}
> -+
> -+/**
> - * @brief This gets the service principal names of an existing computer account.
> - *
> - * @param[in] mem_ctx The memory context to use to allocate the spn array.
> ---
> -2.1.0
> -
> -
> -From 11700f1398d6197a99c686f1a43b45d6305ceae8 Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Fri, 26 Sep 2014 03:09:08 +0200
> -Subject: [PATCH 3/4] s3-libnet: Add libnet_join_get_machine_spns().
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Guenther Deschner <gd@samba.org>
> -(cherry picked from commit 7e0b8fcce5572c88d50993a1dbd90f65638ba90f)
> ----
> - source3/libnet/libnet_join.c | 20 ++++++++++++++++++++
> - 1 file changed, 20 insertions(+)
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index 1418385..3611cc7 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -358,6 +358,26 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
> - return status;
> - }
> -
> -+static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
> -+ struct libnet_JoinCtx *r,
> -+ char ***spn_array,
> -+ size_t *num_spns)
> -+{
> -+ ADS_STATUS status;
> -+
> -+ if (r->in.machine_name == NULL) {
> -+ return ADS_ERROR_SYSTEM(EINVAL);
> -+ }
> -+
> -+ status = ads_get_service_principal_names(mem_ctx,
> -+ r->in.ads,
> -+ r->in.machine_name,
> -+ spn_array,
> -+ num_spns);
> -+
> -+ return status;
> -+}
> -+
> - /****************************************************************
> - Set a machines dNSHostName and servicePrincipalName attributes
> - ****************************************************************/
> ---
> -2.1.0
> -
> -
> -From 472256e27ad5cb5e7657efaece71744269ca8d16 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 26 Sep 2014 03:35:43 +0200
> -Subject: [PATCH 4/4] s3-libnet: Make sure we do not overwrite precreated SPNs.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -
> -Autobuild-User(master): Günther Deschner <gd@samba.org>
> -Autobuild-Date(master): Fri Sep 26 08:22:45 CEST 2014 on sn-devel-104
> -
> -(cherry picked from commit 0aacbe78bb40d76b65087c2a197c92b0101e625e)
> ----
> - source3/libnet/libnet_join.c | 39 ++++++++++++++++++++++++++++++++++++---
> - 1 file changed, 36 insertions(+), 3 deletions(-)
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index 3611cc7..aa7b5cb 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -388,8 +388,10 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> - ADS_STATUS status;
> - ADS_MODLIST mods;
> - fstring my_fqdn;
> -- const char *spn_array[3] = {NULL, NULL, NULL};
> -+ const char **spn_array = NULL;
> -+ size_t num_spns = 0;
> - char *spn = NULL;
> -+ bool ok;
> -
> - /* Find our DN */
> -
> -@@ -398,6 +400,14 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> - return status;
> - }
> -
> -+ status = libnet_join_get_machine_spns(mem_ctx,
> -+ r,
> -+ discard_const_p(char **, &spn_array),
> -+ &num_spns);
> -+ if (!ADS_ERR_OK(status)) {
> -+ DEBUG(5, ("Retrieving the servicePrincipalNames failed.\n"));
> -+ }
> -+
> - /* Windows only creates HOST/shortname & HOST/fqdn. */
> -
> - spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
> -@@ -407,7 +417,15 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> - if (!strupper_m(spn)) {
> - return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> - }
> -- spn_array[0] = spn;
> -+
> -+ ok = ads_element_in_array(spn_array, num_spns, spn);
> -+ if (!ok) {
> -+ ok = add_string_to_array(spn_array, spn,
> -+ &spn_array, (int *)&num_spns);
> -+ if (!ok) {
> -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> -+ }
> -+ }
> -
> - if (!name_to_fqdn(my_fqdn, r->in.machine_name)
> - || (strchr(my_fqdn, '.') == NULL)) {
> -@@ -424,8 +442,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> - if (!spn) {
> - return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> - }
> -- spn_array[1] = spn;
> -+
> -+ ok = ads_element_in_array(spn_array, num_spns, spn);
> -+ if (!ok) {
> -+ ok = add_string_to_array(spn_array, spn,
> -+ &spn_array, (int *)&num_spns);
> -+ if (!ok) {
> -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> -+ }
> -+ }
> -+ }
> -+
> -+ /* make sure to NULL terminate the array */
> -+ spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
> -+ if (spn_array == NULL) {
> -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> - }
> -+ spn_array[num_spns] = NULL;
> -
> - mods = ads_init_mods(mem_ctx);
> - if (!mods) {
> ---
> -2.1.0
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
> deleted file mode 100644
> index 2174e15..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
> +++ /dev/null
> @@ -1,159 +0,0 @@
> -From 3516236ec6eb42f29eda42542b109fa10217e68c Mon Sep 17 00:00:00 2001
> -From: Andreas Schneider <asn@samba.org>
> -Date: Wed, 24 Sep 2014 10:51:33 +0200
> -Subject: [PATCH] s3-libads: Add all machine account principals to the keytab.
> -
> -This adds all SPNs defined in the DC for the computer account to the
> -keytab using 'net ads keytab create -P'.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9985
> -
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Guenther Deschner <gd@samba.org>
> -(cherry picked from commit 5d58b92f8fcbc509f4fe2bd3617bcaeada1806b6)
> ----
> - source3/libads/kerberos_keytab.c | 74 ++++++++++++++++++++++++++++------------
> - 1 file changed, 52 insertions(+), 22 deletions(-)
> -
> -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
> -index 83df088..d13625b 100644
> ---- a/source3/libads/kerberos_keytab.c
> -+++ b/source3/libads/kerberos_keytab.c
> -@@ -507,20 +507,57 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> - krb5_kt_cursor cursor;
> - krb5_keytab_entry kt_entry;
> - krb5_kvno kvno;
> -- int i, found = 0;
> -+ size_t found = 0;
> - char *sam_account_name, *upn;
> - char **oldEntries = NULL, *princ_s[26];
> -- TALLOC_CTX *tmpctx = NULL;
> -+ TALLOC_CTX *frame;
> - char *machine_name;
> -+ char **spn_array;
> -+ size_t num_spns;
> -+ size_t i;
> -+ ADS_STATUS status;
> -
> -- /* these are the main ones we need */
> -- ret = ads_keytab_add_entry(ads, "host");
> -- if (ret != 0) {
> -- DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
> -- "adding 'host' principal.\n"));
> -- return ret;
> -+ frame = talloc_stackframe();
> -+ if (frame == NULL) {
> -+ ret = -1;
> -+ goto done;
> -+ }
> -+
> -+ status = ads_get_service_principal_names(frame,
> -+ ads,
> -+ lp_netbios_name(),
> -+ &spn_array,
> -+ &num_spns);
> -+ if (!ADS_ERR_OK(status)) {
> -+ ret = -1;
> -+ goto done;
> - }
> -
> -+ for (i = 0; i < num_spns; i++) {
> -+ char *srv_princ;
> -+ char *p;
> -+
> -+ srv_princ = strlower_talloc(frame, spn_array[i]);
> -+ if (srv_princ == NULL) {
> -+ ret = -1;
> -+ goto done;
> -+ }
> -+
> -+ p = strchr_m(srv_princ, '/');
> -+ if (p == NULL) {
> -+ continue;
> -+ }
> -+ p[0] = '\0';
> -+
> -+ /* Add the SPNs found on the DC */
> -+ ret = ads_keytab_add_entry(ads, srv_princ);
> -+ if (ret != 0) {
> -+ DEBUG(1, ("ads_keytab_add_entry failed while "
> -+ "adding '%s' principal.\n",
> -+ spn_array[i]));
> -+ goto done;
> -+ }
> -+ }
> -
> - #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
> - really needs them and we will fall back to verifying against
> -@@ -543,24 +580,17 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> - if (ret) {
> - DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
> - error_message(ret)));
> -- return ret;
> -- }
> --
> -- tmpctx = talloc_init(__location__);
> -- if (!tmpctx) {
> -- DEBUG(0, (__location__ ": talloc_init() failed!\n"));
> -- ret = -1;
> - goto done;
> - }
> -
> -- machine_name = talloc_strdup(tmpctx, lp_netbios_name());
> -+ machine_name = talloc_strdup(frame, lp_netbios_name());
> - if (!machine_name) {
> - ret = -1;
> - goto done;
> - }
> -
> - /* now add the userPrincipalName and sAMAccountName entries */
> -- sam_account_name = ads_get_samaccountname(ads, tmpctx, machine_name);
> -+ sam_account_name = ads_get_samaccountname(ads, frame, machine_name);
> - if (!sam_account_name) {
> - DEBUG(0, (__location__ ": unable to determine machine "
> - "account's name in AD!\n"));
> -@@ -584,7 +614,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> - }
> -
> - /* remember that not every machine account will have a upn */
> -- upn = ads_get_upn(ads, tmpctx, machine_name);
> -+ upn = ads_get_upn(ads, frame, machine_name);
> - if (upn) {
> - ret = ads_keytab_add_entry(ads, upn);
> - if (ret != 0) {
> -@@ -596,7 +626,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> -
> - /* Now loop through the keytab and update any other existing entries */
> - kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
> -- if (kvno == -1) {
> -+ if (kvno == (krb5_kvno)-1) {
> - DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
> - "determine the system's kvno.\n"));
> - goto done;
> -@@ -629,12 +659,12 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> - * have a race condition where someone else could add entries after
> - * we've counted them. Re-open asap to minimise the race. JRA.
> - */
> -- DEBUG(3, (__location__ ": Found %d entries in the keytab.\n", found));
> -+ DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
> - if (!found) {
> - goto done;
> - }
> -
> -- oldEntries = talloc_array(tmpctx, char *, found);
> -+ oldEntries = talloc_array(frame, char *, found);
> - if (!oldEntries) {
> - DEBUG(1, (__location__ ": Failed to allocate space to store "
> - "the old keytab entries (talloc failed?).\n"));
> -@@ -708,7 +738,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> -
> - done:
> - TALLOC_FREE(oldEntries);
> -- TALLOC_FREE(tmpctx);
> -+ TALLOC_FREE(frame);
> -
> - {
> - krb5_keytab_entry zero_kt_entry;
> ---
> -2.1.0
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
> deleted file mode 100644
> index a939e70..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
> +++ /dev/null
> @@ -1,988 +0,0 @@
> -From cbef7b5e10f4477d9f2e648ac6c654eef1165b82 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 24 Sep 2014 22:16:20 +0200
> -Subject: [PATCH 1/4] s3-net: add "net ads enctypes {list,set,delete}".
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source3/utils/net_ads.c | 308 ++++++++++++++++++++++++++++++++++++++++++++++++
> - 1 file changed, 308 insertions(+)
> -
> -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> -index 8b8e719..5f18bf4 100644
> ---- a/source3/utils/net_ads.c
> -+++ b/source3/utils/net_ads.c
> -@@ -2860,6 +2860,306 @@ int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
> - return net_run_function(c, argc, argv, "net ads kerberos", func);
> - }
> -
> -+static int net_ads_enctype_lookup_account(struct net_context *c,
> -+ ADS_STRUCT *ads,
> -+ const char *account,
> -+ LDAPMessage **res,
> -+ const char **enctype_str)
> -+{
> -+ const char *filter;
> -+ const char *attrs[] = {
> -+ "msDS-SupportedEncryptionTypes",
> -+ NULL
> -+ };
> -+ int count;
> -+ int ret = -1;
> -+ ADS_STATUS status;
> -+
> -+ filter = talloc_asprintf(c, "(&(objectclass=user)(sAMAccountName=%s))",
> -+ account);
> -+ if (filter == NULL) {
> -+ goto done;
> -+ }
> -+
> -+ status = ads_search(ads, res, filter, attrs);
> -+ if (!ADS_ERR_OK(status)) {
> -+ d_printf(_("no account found with filter: %s\n"), filter);
> -+ goto done;
> -+ }
> -+
> -+ count = ads_count_replies(ads, *res);
> -+ switch (count) {
> -+ case 1:
> -+ break;
> -+ case 0:
> -+ d_printf(_("no account found with filter: %s\n"), filter);
> -+ goto done;
> -+ default:
> -+ d_printf(_("multiple accounts found with filter: %s\n"), filter);
> -+ goto done;
> -+ }
> -+
> -+ if (enctype_str) {
> -+ *enctype_str = ads_pull_string(ads, c, *res,
> -+ "msDS-SupportedEncryptionTypes");
> -+ if (*enctype_str == NULL) {
> -+ d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n"));
> -+ goto done;
> -+ }
> -+ }
> -+
> -+ ret = 0;
> -+ done:
> -+ return ret;
> -+}
> -+
> -+static void net_ads_enctype_dump_enctypes(const char *username,
> -+ const char *enctype_str)
> -+{
> -+ int enctypes;
> -+
> -+ d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\":\n"), username);
> -+
> -+ enctypes = atoi(enctype_str);
> -+
> -+ printf("[%s] 0x%08x DES-CBC-CRC\n",
> -+ enctypes & ENC_CRC32 ? "X" : " ",
> -+ ENC_CRC32);
> -+ printf("[%s] 0x%08x DES-CBC-MD5\n",
> -+ enctypes & ENC_RSA_MD5 ? "X" : " ",
> -+ ENC_RSA_MD5);
> -+ printf("[%s] 0x%08x RC4-HMAC\n",
> -+ enctypes & ENC_RC4_HMAC_MD5 ? "X" : " ",
> -+ ENC_RC4_HMAC_MD5);
> -+ printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n",
> -+ enctypes & ENC_HMAC_SHA1_96_AES128 ? "X" : " ",
> -+ ENC_HMAC_SHA1_96_AES128);
> -+ printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n",
> -+ enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ",
> -+ ENC_HMAC_SHA1_96_AES256);
> -+}
> -+
> -+static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
> -+{
> -+ int ret = -1;
> -+ ADS_STATUS status;
> -+ ADS_STRUCT *ads = NULL;
> -+ LDAPMessage *res = NULL;
> -+ const char *str = NULL;
> -+
> -+ if (c->display_usage || (argc < 1)) {
> -+ d_printf( "%s\n"
> -+ "net ads enctypes list\n"
> -+ " %s\n",
> -+ _("Usage:"),
> -+ _("List supported enctypes"));
> -+ return 0;
> -+ }
> -+
> -+ status = ads_startup(c, false, &ads);
> -+ if (!ADS_ERR_OK(status)) {
> -+ printf("startup failed\n");
> -+ return ret;
> -+ }
> -+
> -+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
> -+ if (ret) {
> -+ goto done;
> -+ }
> -+
> -+ net_ads_enctype_dump_enctypes(argv[0], str);
> -+
> -+ ret = 0;
> -+ done:
> -+ ads_msgfree(ads, res);
> -+ ads_destroy(&ads);
> -+
> -+ return ret;
> -+}
> -+
> -+static int net_ads_enctypes_set(struct net_context *c, int argc, const char **argv)
> -+{
> -+ int ret = -1;
> -+ ADS_STATUS status;
> -+ ADS_STRUCT *ads;
> -+ LDAPMessage *res = NULL;
> -+ const char *etype_list_str;
> -+ const char *dn;
> -+ ADS_MODLIST mods;
> -+ uint32_t etype_list;
> -+ const char *str;
> -+
> -+ if (c->display_usage || argc < 1) {
> -+ d_printf( "%s\n"
> -+ "net ads enctypes set <sAMAccountName> [enctypes]\n"
> -+ " %s\n",
> -+ _("Usage:"),
> -+ _("Set supported enctypes"));
> -+ return 0;
> -+ }
> -+
> -+ status = ads_startup(c, false, &ads);
> -+ if (!ADS_ERR_OK(status)) {
> -+ printf("startup failed\n");
> -+ return ret;
> -+ }
> -+
> -+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
> -+ if (ret) {
> -+ goto done;
> -+ }
> -+
> -+ dn = ads_get_dn(ads, c, res);
> -+ if (dn == NULL) {
> -+ goto done;
> -+ }
> -+
> -+ etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
> -+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
> -+ etype_list |= ENC_HMAC_SHA1_96_AES128;
> -+#endif
> -+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
> -+ etype_list |= ENC_HMAC_SHA1_96_AES256;
> -+#endif
> -+
> -+ if (argv[1] != NULL) {
> -+ sscanf(argv[1], "%i", &etype_list);
> -+ }
> -+
> -+ etype_list_str = talloc_asprintf(c, "%d", etype_list);
> -+ if (!etype_list_str) {
> -+ goto done;
> -+ }
> -+
> -+ mods = ads_init_mods(c);
> -+ if (!mods) {
> -+ goto done;
> -+ }
> -+
> -+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes",
> -+ etype_list_str);
> -+ if (!ADS_ERR_OK(status)) {
> -+ goto done;
> -+ }
> -+
> -+ status = ads_gen_mod(ads, dn, mods);
> -+ if (!ADS_ERR_OK(status)) {
> -+ d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"),
> -+ ads_errstr(status));
> -+ goto done;
> -+ }
> -+
> -+ ads_msgfree(ads, res);
> -+
> -+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
> -+ if (ret) {
> -+ goto done;
> -+ }
> -+
> -+ net_ads_enctype_dump_enctypes(argv[0], str);
> -+
> -+ ret = 0;
> -+ done:
> -+ ads_msgfree(ads, res);
> -+ ads_destroy(&ads);
> -+
> -+ return ret;
> -+}
> -+
> -+static int net_ads_enctypes_delete(struct net_context *c, int argc, const char **argv)
> -+{
> -+ int ret = -1;
> -+ ADS_STATUS status;
> -+ ADS_STRUCT *ads;
> -+ LDAPMessage *res = NULL;
> -+ const char *dn;
> -+ ADS_MODLIST mods;
> -+
> -+ if (c->display_usage || argc < 1) {
> -+ d_printf( "%s\n"
> -+ "net ads enctypes delete <sAMAccountName>\n"
> -+ " %s\n",
> -+ _("Usage:"),
> -+ _("Delete supported enctypes"));
> -+ return 0;
> -+ }
> -+
> -+ status = ads_startup(c, false, &ads);
> -+ if (!ADS_ERR_OK(status)) {
> -+ printf("startup failed\n");
> -+ return ret;
> -+ }
> -+
> -+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
> -+ if (ret) {
> -+ goto done;
> -+ }
> -+
> -+ dn = ads_get_dn(ads, c, res);
> -+ if (dn == NULL) {
> -+ goto done;
> -+ }
> -+
> -+ mods = ads_init_mods(c);
> -+ if (!mods) {
> -+ goto done;
> -+ }
> -+
> -+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes", NULL);
> -+ if (!ADS_ERR_OK(status)) {
> -+ goto done;
> -+ }
> -+
> -+ status = ads_gen_mod(ads, dn, mods);
> -+ if (!ADS_ERR_OK(status)) {
> -+ d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"),
> -+ ads_errstr(status));
> -+ goto done;
> -+ }
> -+
> -+ ret = 0;
> -+
> -+ done:
> -+ ads_msgfree(ads, res);
> -+ ads_destroy(&ads);
> -+ return ret;
> -+}
> -+
> -+static int net_ads_enctypes(struct net_context *c, int argc, const char **argv)
> -+{
> -+ struct functable func[] = {
> -+ {
> -+ "list",
> -+ net_ads_enctypes_list,
> -+ NET_TRANSPORT_ADS,
> -+ N_("List the supported encryption types"),
> -+ N_("net ads enctypes list\n"
> -+ " List the supported encryption types")
> -+ },
> -+ {
> -+ "set",
> -+ net_ads_enctypes_set,
> -+ NET_TRANSPORT_ADS,
> -+ N_("Set the supported encryption types"),
> -+ N_("net ads enctypes set\n"
> -+ " Set the supported encryption types")
> -+ },
> -+ {
> -+ "delete",
> -+ net_ads_enctypes_delete,
> -+ NET_TRANSPORT_ADS,
> -+ N_("Delete the supported encryption types"),
> -+ N_("net ads enctypes delete\n"
> -+ " Delete the supported encryption types")
> -+ },
> -+
> -+ {NULL, NULL, 0, NULL, NULL}
> -+ };
> -+
> -+ return net_run_function(c, argc, argv, "net ads enctypes", func);
> -+}
> -+
> -+
> - int net_ads(struct net_context *c, int argc, const char **argv)
> - {
> - struct functable func[] = {
> -@@ -3015,6 +3315,14 @@ int net_ads(struct net_context *c, int argc, const char **argv)
> - N_("net ads kerberos\n"
> - " Manage kerberos keytab")
> - },
> -+ {
> -+ "enctypes",
> -+ net_ads_enctypes,
> -+ NET_TRANSPORT_ADS,
> -+ N_("List/modify supported encryption types"),
> -+ N_("net ads enctypes\n"
> -+ " List/modify enctypes")
> -+ },
> - {NULL, NULL, 0, NULL, NULL}
> - };
> -
> ---
> -1.9.3
> -
> -
> -From a19f1e51bd7d48b238ad22ec9e27af53dfa5bf44 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Wed, 24 Sep 2014 23:36:19 +0200
> -Subject: [PATCH 2/4] s3-net: add manpage documentation for "net ads enctypes".
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> ----
> - docs-xml/manpages/net.8.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++
> - 1 file changed, 53 insertions(+)
> -
> -diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
> -index f39b420..9e982e3 100644
> ---- a/docs-xml/manpages/net.8.xml
> -+++ b/docs-xml/manpages/net.8.xml
> -@@ -1339,6 +1339,59 @@ to show in the result.
> - </refsect2>
> -
> - <refsect2>
> -+ <title>ADS ENCTYPES</title>
> -+
> -+<para>
> -+ List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
> -+</para>
> -+
> -+<para>
> -+ This attribute allows to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
> -+</para>
> -+
> -+<para>0x00000001 DES-CBC-CRC</para>
> -+<para>0x00000002 DES-CBC-MD5</para>
> -+<para>0x00000004 RC4-HMAC</para>
> -+<para>0x00000008 AES128-CTS-HMAC-SHA1-96</para>
> -+<para>0x00000010 AES256-CTS-HMAC-SHA1-96</para>
> -+
> -+</refsect2>
> -+
> -+<refsect2>
> -+ <title>ADS ENCTYPES LIST <replaceable><ACCOUNTNAME></replaceable></title>
> -+
> -+<para>
> -+ List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
> -+</para>
> -+
> -+<para>Example: <userinput>net ads enctypes list Computername</userinput></para>
> -+
> -+</refsect2>
> -+
> -+<refsect2>
> -+ <title>ADS ENCTYPES SET <replaceable><ACCOUNTNAME></replaceable> <replaceable>[enctypes]</replaceable></title>
> -+
> -+<para>
> -+ Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is ommitted, the value is set to 31 which enables all the currently supported encryption types.
> -+</para>
> -+
> -+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
> -+
> -+</refsect2>
> -+
> -+<refsect2>
> -+ <title>ADS ENCTYPES DELETE <replaceable><ACCOUNTNAME></replaceable></title>
> -+
> -+<para>
> -+ Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
> -+</para>
> -+
> -+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
> -+
> -+</refsect2>
> -+
> -+
> -+<refsect2>
> - <title>SAM CREATEBUILTINGROUP <NAME></title>
> -
> - <para>
> ---
> -1.9.3
> -
> -
> -From 0f42d123afde57ee74d89bdc742185cef718cf0f Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 23 Nov 2012 12:34:27 +0100
> -Subject: [PATCH 3/4] s3-libnet: set list of allowed krb5 encryption types in
> - AD >= 2008.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> ----
> - source3/libnet/libnet_join.c | 65 ++++++++++++++++++++++++++++++++++++++++++++
> - 1 file changed, 65 insertions(+)
> -
> -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> -index 381a59c..e70e11a 100644
> ---- a/source3/libnet/libnet_join.c
> -+++ b/source3/libnet/libnet_join.c
> -@@ -605,6 +605,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
> - /****************************************************************
> - ****************************************************************/
> -
> -+static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
> -+ struct libnet_JoinCtx *r)
> -+{
> -+ ADS_STATUS status;
> -+ ADS_MODLIST mods;
> -+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
> -+ const char *etype_list_str;
> -+
> -+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
> -+ etype_list |= ENC_HMAC_SHA1_96_AES128;
> -+#endif
> -+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
> -+ etype_list |= ENC_HMAC_SHA1_96_AES256;
> -+#endif
> -+
> -+ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
> -+ if (!etype_list_str) {
> -+ return ADS_ERROR(LDAP_NO_MEMORY);
> -+ }
> -+
> -+ /* Find our DN */
> -+
> -+ status = libnet_join_find_machine_acct(mem_ctx, r);
> -+ if (!ADS_ERR_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ /* now do the mods */
> -+
> -+ mods = ads_init_mods(mem_ctx);
> -+ if (!mods) {
> -+ return ADS_ERROR(LDAP_NO_MEMORY);
> -+ }
> -+
> -+ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
> -+ etype_list_str);
> -+ if (!ADS_ERR_OK(status)) {
> -+ return status;
> -+ }
> -+
> -+ return ads_gen_mod(r->in.ads, r->out.dn, mods);
> -+}
> -+
> -+/****************************************************************
> -+****************************************************************/
> -+
> - static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
> - struct libnet_JoinCtx *r)
> - {
> -@@ -679,6 +725,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
> - struct libnet_JoinCtx *r)
> - {
> - ADS_STATUS status;
> -+ uint32_t func_level = 0;
> -
> - if (!r->in.ads) {
> - status = libnet_join_connect_ads(mem_ctx, r);
> -@@ -713,6 +760,24 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
> - return status;
> - }
> -
> -+ status = ads_domain_func_level(r->in.ads, &func_level);
> -+ if (!ADS_ERR_OK(status)) {
> -+ libnet_join_set_error_string(mem_ctx, r,
> -+ "failed to query domain controller functional level: %s",
> -+ ads_errstr(status));
> -+ return status;
> -+ }
> -+
> -+ if (func_level >= DS_DOMAIN_FUNCTION_2008) {
> -+ status = libnet_join_set_etypes(mem_ctx, r);
> -+ if (!ADS_ERR_OK(status)) {
> -+ libnet_join_set_error_string(mem_ctx, r,
> -+ "failed to set machine kerberos encryption types: %s",
> -+ ads_errstr(status));
> -+ return status;
> -+ }
> -+ }
> -+
> - if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
> - return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
> - }
> ---
> -1.9.3
> -
> -
> -From adb206481ac56c8f438e70f7b9e986aeba9586b1 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Fri, 26 Sep 2014 21:06:38 +0200
> -Subject: [PATCH 4/4] s4-auth/kerberos: fix salting principal, make sure
> - hostname is lowercase.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Found at MS interop event while working on AES kerberos key support.
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> ----
> - source4/auth/kerberos/srv_keytab.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c
> -index d81e27d..3baba14 100644
> ---- a/source4/auth/kerberos/srv_keytab.c
> -+++ b/source4/auth/kerberos/srv_keytab.c
> -@@ -143,7 +143,7 @@ static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx,
> - return ENOMEM;
> - }
> -
> -- machine_username = talloc_strdup(tmp_ctx, samAccountName);
> -+ machine_username = strlower_talloc(tmp_ctx, samAccountName);
> - if (!machine_username) {
> - *error_string = "Cannot duplicate samAccountName";
> - talloc_free(tmp_ctx);
> ---
> -1.9.3
> -
> -From d423e8b759af2e0a7cdce39d3f7a6c8d9c1764b4 Mon Sep 17 00:00:00 2001
> -From: Jeremy Allison <jra@samba.org>
> -Date: Mon, 16 Jun 2014 22:49:29 -0700
> -Subject: [PATCH 1/5] s3: auth: Add some const to the struct netr_SamInfo3 *
> - arguments of copy_netr_SamInfo3() and make_server_info_info3()
> -
> -Both functions only read from the struct netr_SamInfo3 * argument.
> -
> -Signed-off-by: Jeremy Allison <jra@samba.org>
> -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> -Reviewed-by: Simo Sorce <idra@samba.org>
> -
> -Conflicts:
> - source3/auth/proto.h
> - source3/auth/server_info.c
> ----
> - source3/auth/auth_util.c | 2 +-
> - source3/auth/proto.h | 4 ++--
> - source3/auth/server_info.c | 2 +-
> - 3 files changed, 4 insertions(+), 4 deletions(-)
> -
> -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> -index ceaa706..afa78ec 100644
> ---- a/source3/auth/auth_util.c
> -+++ b/source3/auth/auth_util.c
> -@@ -1369,7 +1369,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
> - const char *sent_nt_username,
> - const char *domain,
> - struct auth_serversupplied_info **server_info,
> -- struct netr_SamInfo3 *info3)
> -+ const struct netr_SamInfo3 *info3)
> - {
> - static const char zeros[16] = {0, };
> -
> -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> -index 76661fc..6ec206e 100644
> ---- a/source3/auth/proto.h
> -+++ b/source3/auth/proto.h
> -@@ -232,7 +232,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
> - const char *sent_nt_username,
> - const char *domain,
> - struct auth_serversupplied_info **server_info,
> -- struct netr_SamInfo3 *info3);
> -+ const struct netr_SamInfo3 *info3);
> - struct wbcAuthUserInfo;
> - NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
> - const char *sent_nt_username,
> -@@ -287,7 +287,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> - const struct passwd *pwd,
> - struct netr_SamInfo3 **pinfo3);
> - struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> -- struct netr_SamInfo3 *orig);
> -+ const struct netr_SamInfo3 *orig);
> - struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> - const struct wbcAuthUserInfo *info);
> -
> -diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
> -index d2b7d6e..066b9a8 100644
> ---- a/source3/auth/server_info.c
> -+++ b/source3/auth/server_info.c
> -@@ -445,7 +445,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> - } } while(0)
> -
> - struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> -- struct netr_SamInfo3 *orig)
> -+ const struct netr_SamInfo3 *orig)
> - {
> - struct netr_SamInfo3 *info3;
> - unsigned int i;
> ---
> -1.9.3
> -
> -
> -From cab0cda9df0bb0eda2d7957c0bb8dbcb51ba7ef7 Mon Sep 17 00:00:00 2001
> -From: Jeremy Allison <jra@samba.org>
> -Date: Mon, 16 Jun 2014 22:54:45 -0700
> -Subject: [PATCH 2/5] s3: auth: Change make_server_info_info3() to take a const
> - struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
> -
> -make_server_info_info3() only reads from the info3 pointer.
> -
> -Signed-off-by: Jeremy Allison <jra@samba.org>
> -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> -Reviewed-by: Simo Sorce <idra@samba.org>
> ----
> - source3/auth/auth_generic.c | 2 +-
> - source3/auth/proto.h | 2 +-
> - source3/auth/user_krb5.c | 8 ++++----
> - 3 files changed, 6 insertions(+), 6 deletions(-)
> -
> -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> -index a2ba4e3..2880bc9 100644
> ---- a/source3/auth/auth_generic.c
> -+++ b/source3/auth/auth_generic.c
> -@@ -112,7 +112,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> -
> - status = make_session_info_krb5(mem_ctx,
> - ntuser, ntdomain, username, pw,
> -- logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
> -+ &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
> - session_info);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
> -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> -index 6ec206e..75d1097 100644
> ---- a/source3/auth/proto.h
> -+++ b/source3/auth/proto.h
> -@@ -357,7 +357,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> - char *ntdomain,
> - char *username,
> - struct passwd *pw,
> -- struct PAC_LOGON_INFO *logon_info,
> -+ const struct netr_SamInfo3 *info3,
> - bool mapped_to_guest, bool username_was_mapped,
> - DATA_BLOB *session_key,
> - struct auth_session_info **session_info);
> -diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
> -index 974a8aa..0a538b4 100644
> ---- a/source3/auth/user_krb5.c
> -+++ b/source3/auth/user_krb5.c
> -@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> - char *ntdomain,
> - char *username,
> - struct passwd *pw,
> -- struct PAC_LOGON_INFO *logon_info,
> -+ const struct netr_SamInfo3 *info3,
> - bool mapped_to_guest, bool username_was_mapped,
> - DATA_BLOB *session_key,
> - struct auth_session_info **session_info)
> -@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> - return status;
> - }
> -
> -- } else if (logon_info) {
> -+ } else if (info3) {
> - /* pass the unmapped username here since map_username()
> - will be called again in make_server_info_info3() */
> -
> - status = make_server_info_info3(mem_ctx,
> - ntuser, ntdomain,
> - &server_info,
> -- &logon_info->info3);
> -+ info3);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(1, ("make_server_info_info3 failed: %s!\n",
> - nt_errstr(status)));
> -@@ -299,7 +299,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> - char *ntdomain,
> - char *username,
> - struct passwd *pw,
> -- struct PAC_LOGON_INFO *logon_info,
> -+ const struct netr_SamInfo3 *info3,
> - bool mapped_to_guest, bool username_was_mapped,
> - DATA_BLOB *session_key,
> - struct auth_session_info **session_info)
> ---
> -1.9.3
> -
> -
> -From 102335441aaa7967367abcc5690fe7229807546a Mon Sep 17 00:00:00 2001
> -From: Jeremy Allison <jra@samba.org>
> -Date: Mon, 16 Jun 2014 23:11:58 -0700
> -Subject: [PATCH 3/5] s3: auth: Add create_info3_from_pac_logon_info() to
> - create a new info3 and merge resource group SIDs into it.
> -
> -Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.
> -
> -Signed-off-by: Jeremy Allison <jra@samba.org>
> -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> -Reviewed-by: Simo Sorce <idra@samba.org>
> ----
> - source3/auth/proto.h | 3 ++
> - source3/auth/server_info.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++
> - 2 files changed, 80 insertions(+)
> -
> -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> -index 75d1097..cc51698 100644
> ---- a/source3/auth/proto.h
> -+++ b/source3/auth/proto.h
> -@@ -281,6 +281,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
> - struct netr_SamInfo3 *sam3);
> - NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
> - struct netr_SamInfo6 *sam6);
> -+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
> -+ const struct PAC_LOGON_INFO *logon_info,
> -+ struct netr_SamInfo3 **pp_info3);
> - NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> - struct samu *samu,
> - const char *login_server,
> -diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
> -index 066b9a8..dc84794 100644
> ---- a/source3/auth/server_info.c
> -+++ b/source3/auth/server_info.c
> -@@ -252,6 +252,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
> - return NT_STATUS_OK;
> - }
> -
> -+/*
> -+ * Merge resource SIDs, if any, into the passed in info3 structure.
> -+ */
> -+
> -+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
> -+ struct netr_SamInfo3 *info3)
> -+{
> -+ uint32_t i = 0;
> -+
> -+ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
> -+ return NT_STATUS_OK;
> -+ }
> -+
> -+ /*
> -+ * If there are any resource groups (SID Compression) add
> -+ * them to the extra sids portion of the info3 in the PAC.
> -+ *
> -+ * This makes the info3 look like it would if we got the info
> -+ * from the DC rather than the PAC.
> -+ */
> -+
> -+ /*
> -+ * Construct a SID for each RID in the list and then append it
> -+ * to the info3.
> -+ */
> -+ for (i = 0; i < logon_info->res_groups.count; i++) {
> -+ NTSTATUS status;
> -+ struct dom_sid new_sid;
> -+ uint32_t attributes = logon_info->res_groups.rids[i].attributes;
> -+
> -+ sid_compose(&new_sid,
> -+ logon_info->res_group_dom_sid,
> -+ logon_info->res_groups.rids[i].rid);
> -+
> -+ DEBUG(10, ("Adding SID %s to extra SIDS\n",
> -+ sid_string_dbg(&new_sid)));
> -+
> -+ status = append_netr_SidAttr(info3, &info3->sids,
> -+ &info3->sidcount,
> -+ &new_sid,
> -+ attributes);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
> -+ sid_string_dbg(&new_sid),
> -+ nt_errstr(status)));
> -+ return status;
> -+ }
> -+ }
> -+
> -+ return NT_STATUS_OK;
> -+}
> -+
> -+/*
> -+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
> -+ * then merge resource SIDs, if any, into it. If successful return
> -+ * the created info3 struct.
> -+ */
> -+
> -+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
> -+ const struct PAC_LOGON_INFO *logon_info,
> -+ struct netr_SamInfo3 **pp_info3)
> -+{
> -+ NTSTATUS status;
> -+ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
> -+ &logon_info->info3);
> -+ if (info3 == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ status = merge_resource_sids(logon_info, info3);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ TALLOC_FREE(info3);
> -+ return status;
> -+ }
> -+ *pp_info3 = info3;
> -+ return NT_STATUS_OK;
> -+}
> -+
> - #define RET_NOMEM(ptr) do { \
> - if (!ptr) { \
> - TALLOC_FREE(info3); \
> ---
> -1.9.3
> -
> -
> -From fda9cefd3d4a0808af67595631dd755d5b73aacf Mon Sep 17 00:00:00 2001
> -From: Jeremy Allison <jra@samba.org>
> -Date: Mon, 16 Jun 2014 23:15:21 -0700
> -Subject: [PATCH 4/5] s3: auth: Change auth3_generate_session_info_pac() to use
> - a copy of the info3 struct from the struct PAC_LOGON_INFO.
> -
> -Call create_info3_from_pac_logon_info() to add in any resource SIDs
> -from the struct PAC_LOGON_INFO to the info3.
> -
> -Signed-off-by: Jeremy Allison <jra@samba.org>
> -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> -Reviewed-by: Simo Sorce <idra@samba.org>
> ----
> - source3/auth/auth_generic.c | 11 +++++++++--
> - 1 file changed, 9 insertions(+), 2 deletions(-)
> -
> -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> -index 2880bc9..f841f0c 100644
> ---- a/source3/auth/auth_generic.c
> -+++ b/source3/auth/auth_generic.c
> -@@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> - {
> - TALLOC_CTX *tmp_ctx;
> - struct PAC_LOGON_INFO *logon_info = NULL;
> -+ struct netr_SamInfo3 *info3_copy = NULL;
> - bool is_mapped;
> - bool is_guest;
> - char *ntuser;
> -@@ -101,7 +102,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> -
> - /* save the PAC data if we have it */
> - if (logon_info) {
> -- netsamlogon_cache_store(ntuser, &logon_info->info3);
> -+ status = create_info3_from_pac_logon_info(tmp_ctx,
> -+ logon_info,
> -+ &info3_copy);
> -+ if (!NT_STATUS_IS_OK(status)) {
> -+ goto done;
> -+ }
> -+ netsamlogon_cache_store(ntuser, info3_copy);
> - }
> -
> - /* setup the string used by %U */
> -@@ -112,7 +119,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> -
> - status = make_session_info_krb5(mem_ctx,
> - ntuser, ntdomain, username, pw,
> -- &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
> -+ info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
> - session_info);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
> ---
> -1.9.3
> -
> -
> -From 9ed711f88685fc2d4860c9d6b7fa651bd2a52558 Mon Sep 17 00:00:00 2001
> -From: Jeremy Allison <jra@samba.org>
> -Date: Mon, 16 Jun 2014 23:27:35 -0700
> -Subject: [PATCH 5/5] s3: auth: Fix winbindd_pam_auth_pac_send() to create a
> - new info3 and merge in resource groups from a trusted PAC.
> -
> -Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>.
> -
> -Signed-off-by: Jeremy Allison <jra@samba.org>
> -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> -Reviewed-by: Simo Sorce <idra@samba.org>
> -
> -Autobuild-User(master): Jeremy Allison <jra@samba.org>
> -Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
> ----
> - source3/winbindd/winbindd_pam.c | 24 ++++++++++++++++++++++--
> - 1 file changed, 22 insertions(+), 2 deletions(-)
> -
> -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> -index c356686..0f1ca28 100644
> ---- a/source3/winbindd/winbindd_pam.c
> -+++ b/source3/winbindd/winbindd_pam.c
> -@@ -2421,6 +2421,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
> - struct winbindd_request *req = state->request;
> - DATA_BLOB pac_blob;
> - struct PAC_LOGON_INFO *logon_info = NULL;
> -+ struct netr_SamInfo3 *info3_copy = NULL;
> - NTSTATUS result;
> -
> - pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
> -@@ -2434,7 +2435,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
> -
> - if (logon_info) {
> - /* Signature verification succeeded, trust the PAC */
> -- netsamlogon_cache_store(NULL, &logon_info->info3);
> -+ result = create_info3_from_pac_logon_info(state->mem_ctx,
> -+ logon_info,
> -+ &info3_copy);
> -+ if (!NT_STATUS_IS_OK(result)) {
> -+ return result;
> -+ }
> -+ netsamlogon_cache_store(NULL, info3_copy);
> -
> - } else {
> - /* Try without signature verification */
> -@@ -2446,9 +2453,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
> - nt_errstr(result)));
> - return result;
> - }
> -+ if (logon_info) {
> -+ /*
> -+ * Don't strictly need to copy here,
> -+ * but it makes it explicit we're
> -+ * returning a copy talloc'ed off
> -+ * the state->mem_ctx.
> -+ */
> -+ info3_copy = copy_netr_SamInfo3(state->mem_ctx,
> -+ &logon_info->info3);
> -+ if (info3_copy == NULL) {
> -+ return NT_STATUS_NO_MEMORY;
> -+ }
> -+ }
> - }
> -
> -- *info3 = &logon_info->info3;
> -+ *info3 = info3_copy;
> -
> - return NT_STATUS_OK;
> - }
> ---
> -1.9.3
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
> deleted file mode 100644
> index 071069b..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
> +++ /dev/null
> @@ -1,51 +0,0 @@
> -From 3bf805a38a1b901a55b08118ec04097d9787497c Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> -Date: Mon, 29 Sep 2014 17:16:15 +0200
> -Subject: [PATCH] s3-net: Force libkrb5 locator to use the same KDC for join
> - and DNS update.
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Guenther
> -
> -Signed-off-by: Günther Deschner <gd@samba.org>
> ----
> - source3/utils/net_ads.c | 21 +++++++++++++++++++++
> - 1 file changed, 21 insertions(+)
> -
> -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> -index e96377f..efbc3d2 100644
> ---- a/source3/utils/net_ads.c
> -+++ b/source3/utils/net_ads.c
> -@@ -1566,6 +1566,27 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
> - * If the dns update fails, we still consider the join
> - * operation as succeeded if we came this far.
> - */
> -+
> -+ if (r->out.dns_domain_name != NULL) {
> -+
> -+ /* Avoid potential libkrb5 issues finding a good KDC when we
> -+ * already found one during the join. When the locator plugin is
> -+ * installed (but winbind is not yet running) make sure we can
> -+ * force libkrb5 to reuse that KDC. - gd */
> -+
> -+ char *env;
> -+
> -+ env = talloc_asprintf_strupper_m(r,
> -+ "WINBINDD_LOCATOR_KDC_ADDRESS_%s",
> -+ r->out.dns_domain_name);
> -+ if (env == NULL) {
> -+ return -1;
> -+ }
> -+
> -+ setenv(env, r->in.ads->auth.kdc_server, 0);
> -+ setenv("_NO_WINBINDD", "1", 0);
> -+ }
> -+
> - _net_ads_join_dns_updates(c, ctx, r);
> -
> - TALLOC_FREE(r);
> ---
> -1.9.3
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
> deleted file mode 100644
> index 9721afa..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
> +++ /dev/null
> @@ -1,154 +0,0 @@
> -From 170166b8a0076089c6a8505f53a22f5b72c15786 Mon Sep 17 00:00:00 2001
> -From: Jeremy Allison <jra@samba.org>
> -Date: Tue, 28 Oct 2014 11:55:30 -0700
> -Subject: [PATCH] s3-nmbd: Fix netbios name truncation.
> -
> -Try and cope with truncation more intelligently.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10896
> -
> -Signed-off-by: Jeremy Allison <jra@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -(cherry picked from commit 6adcc7bffd5e1474ecba04d2328955c0b208cabc)
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/nmbd/nmbd_nameregister.c | 76 +++++++++++++++++++++++++++++++++++-----
> - 1 file changed, 68 insertions(+), 8 deletions(-)
> -
> -diff --git a/source3/nmbd/nmbd_nameregister.c b/source3/nmbd/nmbd_nameregister.c
> -index 71c4751..8b078e6 100644
> ---- a/source3/nmbd/nmbd_nameregister.c
> -+++ b/source3/nmbd/nmbd_nameregister.c
> -@@ -482,17 +482,77 @@ void register_name(struct subnet_record *subrec,
> - {
> - struct nmb_name nmbname;
> - nstring nname;
> -+ size_t converted_size;
> -
> - errno = 0;
> -- push_ascii_nstring(nname, name);
> -- if (errno == E2BIG) {
> -- unstring tname;
> -- pull_ascii_nstring(tname, sizeof(tname), nname);
> -- DEBUG(0,("register_name: NetBIOS name %s is too long. Truncating to %s\n",
> -- name, tname));
> -- make_nmb_name(&nmbname, tname, type);
> -- } else {
> -+ converted_size = push_ascii_nstring(nname, name);
> -+ if (converted_size != (size_t)-1) {
> -+ /* Success. */
> - make_nmb_name(&nmbname, name, type);
> -+ } else if (errno == E2BIG) {
> -+ /*
> -+ * Name converted to CH_DOS is too large.
> -+ * try to truncate.
> -+ */
> -+ char *converted_str_dos = NULL;
> -+ char *converted_str_unix = NULL;
> -+ bool ok;
> -+
> -+ converted_size = 0;
> -+
> -+ ok = convert_string_talloc(talloc_tos(),
> -+ CH_UNIX,
> -+ CH_DOS,
> -+ name,
> -+ strlen(name)+1,
> -+ &converted_str_dos,
> -+ &converted_size);
> -+ if (!ok) {
> -+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
> -+ "converted. Failing to register name.\n",
> -+ name));
> -+ return;
> -+ }
> -+
> -+ /*
> -+ * As it's now CH_DOS codepage
> -+ * we truncate by writing '\0' at
> -+ * MAX_NETBIOSNAME_LEN-1 and then
> -+ * convert back to CH_UNIX which we
> -+ * need for the make_nmb_name() call.
> -+ */
> -+ if (converted_size >= MAX_NETBIOSNAME_LEN) {
> -+ converted_str_dos[MAX_NETBIOSNAME_LEN-1] = '\0';
> -+ }
> -+
> -+ ok = convert_string_talloc(talloc_tos(),
> -+ CH_DOS,
> -+ CH_UNIX,
> -+ converted_str_dos,
> -+ strlen(converted_str_dos)+1,
> -+ &converted_str_unix,
> -+ &converted_size);
> -+ if (!ok) {
> -+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
> -+ "converted back to CH_UNIX. "
> -+ "Failing to register name.\n",
> -+ converted_str_dos));
> -+ TALLOC_FREE(converted_str_dos);
> -+ return;
> -+ }
> -+
> -+ make_nmb_name(&nmbname, converted_str_unix, type);
> -+
> -+ TALLOC_FREE(converted_str_dos);
> -+ TALLOC_FREE(converted_str_unix);
> -+ } else {
> -+ /*
> -+ * Generic conversion error. Fail to register.
> -+ */
> -+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
> -+ "converted (%s). Failing to register name.\n",
> -+ name, strerror(errno)));
> -+ return;
> - }
> -
> - /* Always set the NB_ACTIVE flag on the name we are
> ---
> -2.1.2
> -
> -From 653a1c312e6b85f1d8113beec52a27e0ba71ef79 Mon Sep 17 00:00:00 2001
> -From: Jeremy Allison <jra@samba.org>
> -Date: Fri, 31 Oct 2014 11:01:26 -0700
> -Subject: [PATCH] s3: nmbd: Ensure NetBIOS names are only 15 characters stored.
> -
> -This screws up if the name is greater than MAX_NETBIOSNAME_LEN-1 in the
> -unix charset, but less than or equal to MAX_NETBIOSNAME_LEN-1 in the DOS
> -charset, but this is so old we have to live with that.
> -
> -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10920
> -
> -Signed-off-by: Jeremy Allison <jra@samba.org>
> -Reviewed-by: Andreas Schneider <asn@samba.org>
> -
> -(cherry picked from commit 7467f6e72cba214eeca75c34e9d9fba354c7ef31)
> -Signed-off-by: Andreas Schneider <asn@samba.org>
> ----
> - source3/lib/util_names.c | 10 +++++++++-
> - 1 file changed, 9 insertions(+), 1 deletion(-)
> -
> -diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c
> -index cf54a0e..1392b48 100644
> ---- a/source3/lib/util_names.c
> -+++ b/source3/lib/util_names.c
> -@@ -60,7 +60,15 @@ static bool set_my_netbios_names(const char *name, int i)
> - {
> - SAFE_FREE(smb_my_netbios_names[i]);
> -
> -- smb_my_netbios_names[i] = SMB_STRDUP(name);
> -+ /*
> -+ * Don't include space for terminating '\0' in strndup,
> -+ * it is automatically added. This screws up if the name
> -+ * is greater than MAX_NETBIOSNAME_LEN-1 in the unix
> -+ * charset, but less than or equal to MAX_NETBIOSNAME_LEN-1
> -+ * in the DOS charset, but this is so old we have to live
> -+ * with that.
> -+ */
> -+ smb_my_netbios_names[i] = SMB_STRNDUP(name, MAX_NETBIOSNAME_LEN-1);
> - if (!smb_my_netbios_names[i])
> - return False;
> - return strupper_m(smb_my_netbios_names[i]);
> ---
> -2.1.2
> -
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
> deleted file mode 100644
> index 447e243..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
> +++ /dev/null
> @@ -1,52 +0,0 @@
> -Don't check xsltproc manpages
> -
> -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> -
> -diff -Nurp samba-4.1.12.orig/lib/ldb/wscript samba-4.1.12/lib/ldb/wscript
> ---- samba-4.1.12.orig/lib/ldb/wscript 2014-07-28 16:13:45.000000000 +0900
> -+++ samba-4.1.12/lib/ldb/wscript 2015-04-23 17:08:45.277000225 +0900
> -@@ -56,7 +56,7 @@ def configure(conf):
> - conf.define('USING_SYSTEM_PYLDB_UTIL', 1)
> -
> - if conf.env.standalone_ldb:
> -- conf.CHECK_XSLTPROC_MANPAGES()
> -+ #conf.CHECK_XSLTPROC_MANPAGES()
> -
> - # we need this for the ldap backend
> - if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
> -diff -Nurp samba-4.1.12.orig/lib/ntdb/wscript samba-4.1.12/lib/ntdb/wscript
> ---- samba-4.1.12.orig/lib/ntdb/wscript 2013-12-05 18:16:48.000000000 +0900
> -+++ samba-4.1.12/lib/ntdb/wscript 2015-04-23 17:09:17.680000274 +0900
> -@@ -121,7 +121,7 @@ def configure(conf):
> - Logs.warn('Disabling pyntdb as python devel libs not found')
> - conf.env.disable_python = True
> -
> -- conf.CHECK_XSLTPROC_MANPAGES()
> -+ #conf.CHECK_XSLTPROC_MANPAGES()
> -
> - # This make #include <ccan/...> work.
> - conf.ADD_EXTRA_INCLUDES('''#lib''')
> -diff -Nurp samba-4.1.12.orig/lib/talloc/wscript samba-4.1.12/lib/talloc/wscript
> ---- samba-4.1.12.orig/lib/talloc/wscript 2013-12-05 18:16:48.000000000 +0900
> -+++ samba-4.1.12/lib/talloc/wscript 2015-04-23 17:08:21.781000339 +0900
> -@@ -55,7 +55,7 @@ def configure(conf):
> - if conf.env.standalone_talloc:
> - conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1
> -
> -- conf.CHECK_XSLTPROC_MANPAGES()
> -+ #conf.CHECK_XSLTPROC_MANPAGES()
> -
> - if not conf.env.disable_python:
> - # also disable if we don't have the python libs installed
> -diff -Nurp samba-4.1.12.orig/lib/tdb/wscript samba-4.1.12/lib/tdb/wscript
> ---- samba-4.1.12.orig/lib/tdb/wscript 2013-12-05 18:16:48.000000000 +0900
> -+++ samba-4.1.12/lib/tdb/wscript 2015-04-23 17:09:02.538000343 +0900
> -@@ -43,7 +43,7 @@ def configure(conf):
> -
> - conf.env.disable_python = getattr(Options.options, 'disable_python', False)
> -
> -- conf.CHECK_XSLTPROC_MANPAGES()
> -+ #conf.CHECK_XSLTPROC_MANPAGES()
> -
> - if not conf.env.disable_python:
> - # also disable if we don't have the python libs installed
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
> deleted file mode 100644
> index 1a31e0d..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
> +++ /dev/null
> @@ -1,22 +0,0 @@
> -samba: execute prog on target directly is impossible.
> -
> -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> -
> -diff -Nurp samba-4.1.12.orig/lib/ccan/wscript samba-4.1.12/lib/ccan/wscript
> ---- samba-4.1.12.orig/lib/ccan/wscript 2013-06-13 18:21:02.000000000 +0900
> -+++ samba-4.1.12/lib/ccan/wscript 2015-04-27 14:26:25.123000238 +0900
> -@@ -127,10 +127,10 @@ def configure(conf):
> - # Only check for FILE_OFFSET_BITS=64 if off_t is normally small:
> - # use raw routines because wrappers include previous _GNU_SOURCE
> - # or _FILE_OFFSET_BITS defines.
> -- conf.check(fragment="""#include <sys/types.h>
> -- int main(void) { return !(sizeof(off_t) < 8); }""",
> -- execute=True, msg='Checking for small off_t',
> -- define_name='SMALL_OFF_T')
> -+ conf.CHECK_CODE("""#include <sys/types.h>
> -+ int main(void) { return !(sizeof(off_t) < 8); }""",
> -+ link=True, execute=True, addmain=False, msg='Checking for small off_t',
> -+ define='HAVE_SMALL_OFF_T')
> - # Unreliable return value above, hence use define.
> - if conf.CONFIG_SET('SMALL_OFF_T'):
> - conf.check(fragment="""#include <sys/types.h>
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
> deleted file mode 100644
> index 83c42eb..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
> +++ /dev/null
> @@ -1,22 +0,0 @@
> -waf trys to get package's configuration by native ncurses6-config.
> -it will make native header files and library be used.
> -
> -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> -
> ---- samba-4.1.12.orig/source3/wscript_configure_system_ncurses 2013-12-05 18:16:48.000000000 +0900
> -+++ samba-4.1.12/source3/wscript_configure_system_ncurses 2015-04-29 16:12:22.619000250 +0900
> -@@ -2,14 +2,6 @@ import Logs, Options, sys
> -
> - Logs.info("Looking for ncurses features")
> -
> --conf.find_program('ncurses5-config', var='NCURSES_CONFIG')
> --if not conf.env.NCURSES_CONFIG:
> -- conf.find_program('ncurses6-config', var='NCURSES_CONFIG')
> --
> --if conf.env.NCURSES_CONFIG:
> -- conf.check_cfg(path=conf.env.NCURSES_CONFIG, args="--cflags --libs",
> -- package="", uselib_store="NCURSES")
> --
> - conf.CHECK_HEADERS('ncurses.h menu.h panel.h form.h', lib='ncurses')
> -
> - conf.CHECK_FUNCS_IN('initscr', 'ncurses')
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
> deleted file mode 100644
> index 8c4e2ad..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
> +++ /dev/null
> @@ -1,42 +0,0 @@
> -systemd-daemon is contained by libsystemd, so we just need link libsystemd to
> -obtain the implementation of systemd-daemon's function.
> -
> -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> -
> -diff -Nurp samba-4.1.12.orig/lib/util/wscript_build samba-4.1.12/lib/util/wscript_build
> ---- samba-4.1.12.orig/lib/util/wscript_build 2014-09-08 18:26:14.000000000 +0900
> -+++ samba-4.1.12/lib/util/wscript_build 2015-04-29 16:16:58.303000207 +0900
> -@@ -10,7 +10,7 @@ bld.SAMBA_LIBRARY('samba-util',
> - server_id.c dprintf.c parmlist.c bitmap.c pidfile.c
> - tevent_debug.c util_process.c memcache.c''',
> - deps='DYNCONFIG',
> -- public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd-daemon',
> -+ public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd',
> - public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h dlinklist.h samba_util.h string_wrappers.h',
> - header_path= [ ('dlinklist.h samba_util.h', '.'), ('*', 'util') ],
> - local_include=False,
> -diff -Nurp samba-4.1.12.orig/wscript samba-4.1.12/wscript
> ---- samba-4.1.12.orig/wscript 2014-07-28 16:13:45.000000000 +0900
> -+++ samba-4.1.12/wscript 2015-04-29 16:17:52.338000264 +0900
> -@@ -183,16 +183,16 @@ def configure(conf):
> - conf.env['ENABLE_PIE'] = True
> -
> - if Options.options.enable_systemd != False:
> -- conf.check_cfg(package='libsystemd-daemon', args='--cflags --libs',
> -- msg='Checking for libsystemd-daemon', uselib_store="SYSTEMD-DAEMON")
> -- conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd-daemon')
> -- conf.CHECK_LIB('systemd-daemon', shlib=True)
> -+ conf.check_cfg(package='libsystemd', args='--cflags --libs',
> -+ msg='Checking for libsystemd', uselib_store="SYSTEMD-DAEMON")
> -+ conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd')
> -+ conf.CHECK_LIB('systemd', shlib=True)
> -
> - if conf.CONFIG_SET('HAVE_SYSTEMD_SD_DAEMON_H'):
> - conf.DEFINE('HAVE_SYSTEMD', '1')
> - conf.env['ENABLE_SYSTEMD'] = True
> - else:
> -- conf.SET_TARGET_TYPE('systemd-daemon', 'EMPTY')
> -+ conf.SET_TARGET_TYPE('systemd', 'EMPTY')
> - conf.undefine('HAVE_SYSTEMD')
> -
> - conf.SAMBA_CONFIG_H('include/config.h')
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
> deleted file mode 100644
> index 4254e11..0000000
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
> +++ /dev/null
> @@ -1,10 +0,0 @@
> ---- ./source4/auth/wscript_configure.orig 2015-11-19 19:53:11.022212181 +0100
> -+++ ./source4/auth/wscript_configure 2015-11-19 19:53:17.466212205 +0100
> -@@ -2,7 +2,3 @@
> -
> - conf.CHECK_HEADERS('security/pam_appl.h')
> - conf.CHECK_FUNCS_IN('pam_start', 'pam', checklibc=True)
> --
> --if (conf.CHECK_HEADERS('sasl/sasl.h') and
> -- conf.CHECK_FUNCS_IN('sasl_client_init', 'sasl2')):
> -- conf.DEFINE('HAVE_SASL', 1)
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/00-fix-typos-in-man-pages.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/00-fix-typos-in-man-pages.patch
> similarity index 100%
> rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/00-fix-typos-in-man-pages.patch
> rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/00-fix-typos-in-man-pages.patch
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0006-avoid-using-colon-in-the-checking-msg.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/0006-avoid-using-colon-in-the-checking-msg.patch
> similarity index 100%
> rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/0006-avoid-using-colon-in-the-checking-msg.patch
> rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/0006-avoid-using-colon-in-the-checking-msg.patch
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
> new file mode 100644
> index 0000000..c37cfcd
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
> @@ -0,0 +1,43 @@
> +Don't check xsltproc manpages
> +
> +Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> +
> +Index: samba-4.4.2/lib/ldb/wscript
> +===================================================================
> +--- samba-4.4.2.orig/lib/ldb/wscript
> ++++ samba-4.4.2/lib/ldb/wscript
> +@@ -65,7 +65,7 @@ def configure(conf):
> + conf.define('USING_SYSTEM_LDB', 1)
> +
> + if conf.env.standalone_ldb:
> +- conf.CHECK_XSLTPROC_MANPAGES()
> ++ #conf.CHECK_XSLTPROC_MANPAGES()
> +
> + # we need this for the ldap backend
> + if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
> +Index: samba-4.4.2/lib/talloc/wscript
> +===================================================================
> +--- samba-4.4.2.orig/lib/talloc/wscript
> ++++ samba-4.4.2/lib/talloc/wscript
> +@@ -56,7 +56,7 @@ def configure(conf):
> + if conf.env.standalone_talloc:
> + conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1
> +
> +- conf.CHECK_XSLTPROC_MANPAGES()
> ++ #conf.CHECK_XSLTPROC_MANPAGES()
> +
> + if not conf.env.disable_python:
> + # also disable if we don't have the python libs installed
> +Index: samba-4.4.2/lib/tdb/wscript
> +===================================================================
> +--- samba-4.4.2.orig/lib/tdb/wscript
> ++++ samba-4.4.2/lib/tdb/wscript
> +@@ -92,7 +92,7 @@ def configure(conf):
> + not conf.env.disable_tdb_mutex_locking):
> + conf.define('USE_TDB_MUTEX_LOCKING', 1)
> +
> +- conf.CHECK_XSLTPROC_MANPAGES()
> ++ #conf.CHECK_XSLTPROC_MANPAGES()
> +
> + if not conf.env.disable_python:
> + # also disable if we don't have the python libs installed
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/20-do-not-import-target-module-while-cross-compile.patch
> old mode 100755
> new mode 100644
> similarity index 79%
> rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch
> rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/20-do-not-import-target-module-while-cross-compile.patch
> index 5c20d31..e112b3b
> --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch
> +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.2/20-do-not-import-target-module-while-cross-compile.patch
> @@ -3,18 +3,19 @@ we just check whether does the module exist.
>
> Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
>
> ---- samba-4.1.12.orig/buildtools/wafsamba/samba_bundled.py 2013-06-13 17:21:02.000000000 +0800
> -+++ samba-4.1.12/buildtools/wafsamba/samba_bundled.py 2015-07-16 16:57:06.649092158 +0800
> -@@ -1,7 +1,7 @@
> - # functions to support bundled libraries
> +Index: samba-4.4.2/buildtools/wafsamba/samba_bundled.py
> +===================================================================
> +--- samba-4.4.2.orig/buildtools/wafsamba/samba_bundled.py
> ++++ samba-4.4.2/buildtools/wafsamba/samba_bundled.py
> +@@ -2,6 +2,7 @@
>
> + import sys
> + import Build, Options, Logs
> ++import imp, os
> from Configure import conf
> --import sys, Logs
> -+import sys, Logs, imp
> - from samba_utils import *
> + from samba_utils import TO_LIST
>
> - def PRIVATE_NAME(bld, name, private_extension, private_library):
> -@@ -228,17 +228,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
> +@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
> # versions
> minversion = minimum_library_version(conf, libname, minversion)
>
> diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-add-config-option-without-valgrind.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/21-add-config-option-without-valgrind.patch
> similarity index 100%
> rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/21-add-config-option-without-valgrind.patch
> rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/21-add-config-option-without-valgrind.patch
> diff --git a/meta-networking/recipes-connectivity/samba/samba_4.1.12.bb b/meta-networking/recipes-connectivity/samba/samba_4.4.2.bb
> similarity index 82%
> rename from meta-networking/recipes-connectivity/samba/samba_4.1.12.bb
> rename to meta-networking/recipes-connectivity/samba/samba_4.4.2.bb
> index ff58dae..585df9d 100644
> --- a/meta-networking/recipes-connectivity/samba/samba_4.1.12.bb
> +++ b/meta-networking/recipes-connectivity/samba/samba_4.4.2.bb
> @@ -13,38 +13,14 @@ ${SAMBA_MIRROR} http://www.mirrorservice.org/sites/ftp.samba.org \n \
>
> SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
> file://00-fix-typos-in-man-pages.patch \
> - file://01-fix-force-user-sec-ads.patch \
> - file://02-fix-ipv6-join.patch \
> - file://03-net-ads-kerberos-pac.patch \
> - file://04-ipv6-workaround.patch \
> - file://05-fix-gecos-field-with-samlogon.patch \
> - file://06-fix-nmbd-systemd-status-update.patch \
> - file://07-fix-idmap-ad-getgroups-without-gid.patch \
> - file://08-fix-idmap-ad-sfu-with-trusted-domains.patch \
> - file://09-fix-smbclient-echo-cmd-segfault.patch \
> - file://10-improve-service-principal-guessing-in-net.patch \
> - file://11-fix-overwriting-of-spns-during-net-ads-join.patch \
> - file://12-add-precreated-spns-from-AD-during-keytab-generation.patch \
> - file://13-fix-aes-enctype.patch \
> - file://14-fix-dnsupdate.patch \
> - file://15-fix-netbios-name-truncation.patch \
> file://16-do-not-check-xsltproc-manpages.patch \
> - file://17-execute-prog-by-qemu.patch \
> - file://18-avoid-get-config-by-native-ncurses.patch \
> - file://19-systemd-daemon-is-contained-by-libsystemd.patch \
> file://20-do-not-import-target-module-while-cross-compile.patch \
> file://21-add-config-option-without-valgrind.patch \
> - file://0001-waf-sanitize-and-fix-added-cross-answer.patch \
> - file://0002-Adds-a-new-mode-to-samba-cross-compiling.patch \
> - file://0003-waf-improve-readability-of-cross-answers-generated-b.patch \
> - file://0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch \
> - file://0005-build-unify-and-fix-endian-tests.patch \
> file://0006-avoid-using-colon-in-the-checking-msg.patch \
> - file://0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch \
> "
>
> -SRC_URI[md5sum] = "232016d7581a1ba11e991ec2674553c4"
> -SRC_URI[sha256sum] = "033604674936bf5c77d7df299b0626052b84a41505a6a6afe902f6274fc29898"
> +SRC_URI[md5sum] = "03a65a3adf08ceb1636ad59d234d7f9d"
> +SRC_URI[sha256sum] = "eaecd41a85ebb9507b8db9856ada2a949376e9d53cf75664b5493658f6e5926a"
>
> inherit systemd waf-samba cpan-base perlnative
> # remove default added RDEPENDS on perl
> @@ -59,15 +35,15 @@ PACKAGECONFIG ??= "${@base_contains('DISTRO_FEATURES', 'pam', 'pam', '', d)} \
> ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '${SYSVINITTYPE}', '', d)} \
> ${@base_contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
> ${@base_contains('DISTRO_FEATURES', 'zeroconf', 'zeroconf', '', d)} \
> - acl aio cups ldap \
> + acl cups ldap \
> "
>
> RDEPENDS_${PN}-base += "${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'lsb', '', d)}"
> +RDEPENDS_${PN}-ctdb-tests += "bash"
>
> PACKAGECONFIG[acl] = "--with-acl-support,--without-acl-support,acl"
> -PACKAGECONFIG[aio] = "--with-aio-support,--without-aio-support,libaio"
> PACKAGECONFIG[fam] = "--with-fam,--without-fam,gamin"
> -PACKAGECONFIG[pam] = "--with-pam --with-pam_smbpass --with-pammodulesdir=${base_libdir}/security,--without-pam --without-pam_smbpass,libpam"
> +PACKAGECONFIG[pam] = "--with-pam --with-pammodulesdir=${base_libdir}/security,--without-pam --without-pam_smbpass,libpam"
> PACKAGECONFIG[lsb] = ",,lsb"
> PACKAGECONFIG[sysv] = ",,sysvinit"
> PACKAGECONFIG[cups] = "--enable-cups,--disable-cups,cups"
> @@ -78,8 +54,6 @@ PACKAGECONFIG[dmapi] = "--with-dmapi,--without-dmapi,dmapi"
> PACKAGECONFIG[zeroconf] = "--enable-avahi,--disable-avahi,avahi"
> PACKAGECONFIG[valgrind] = ",--without-valgrind,valgrind,"
>
> -SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'sasl', '', 'file://21-avoid-sasl-unless-wanted.patch', d)}"
> -
> SAMBA4_IDMAP_MODULES="idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2"
> SAMBA4_PDB_MODULES="pdb_tdbsam,${@bb.utils.contains('PACKAGECONFIG', 'ldap', 'pdb_ldap,', '', d)}pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4"
> SAMBA4_AUTH_MODULES="auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4"
> @@ -87,15 +61,12 @@ SAMBA4_MODULES="${SAMBA4_IDMAP_MODULES},${SAMBA4_PDB_MODULES},${SAMBA4_AUTH_MODU
>
> SAMBA4_LIBS="heimdal,!zlib,!popt,!talloc,!pytalloc,!pytalloc-util,!tevent,!pytevent,!tdb,!pytdb,!ldb,!pyldb"
>
> -PERL_VERNDORLIB="${libdir}/perl5/vendor_perl/${PERLVERSION}"
> -
> EXTRA_OECONF += "--enable-fhs \
> --with-piddir=/run \
> --with-sockets-dir=/run/samba \
> --with-modulesdir=${libdir}/samba \
> --with-lockdir=${localstatedir}/lib/samba \
> --with-cachedir=${localstatedir}/lib/samba \
> - --with-perl-lib-install-dir=${PERL_VERNDORLIB} \
> --disable-gnutls \
> --disable-rpath-install \
> --with-shared-modules=${SAMBA4_MODULES} \
> @@ -104,7 +75,6 @@ EXTRA_OECONF += "--enable-fhs \
> --without-ad-dc \
> ${@base_conditional('TARGET_ARCH', 'x86_64', '', '--disable-glusterfs', d)} \
> --with-cluster-support \
> - --enable-old-ctdb \
> --with-profiling-data \
> --with-libiconv=${STAGING_DIR_HOST}${prefix} \
> "
> @@ -113,13 +83,6 @@ DISABLE_STATIC = ""
> LDFLAGS += "-Wl,-z,relro,-z,now"
>
> do_install_append() {
> - if [ -d "${D}/run" ]; then
> - if [ -d "${D}/run/samba" ]; then
> - rmdir --ignore-fail-on-non-empty "${D}/run/samba"
> - fi
> - rmdir --ignore-fail-on-non-empty "${D}/run"
> - fi
> -
> if ${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'true', 'false', d)}; then
> install -d ${D}${systemd_unitdir}/system
> for i in nmb smb winbind; do
> @@ -127,20 +90,20 @@ do_install_append() {
> done
> sed -i 's,\(ExecReload=\).*\(/kill\),\1${base_bindir}\2,' ${D}${systemd_unitdir}/system/*.service
>
> - install -d ${D}${sysconfdir}/tmpfiles.d
> + install -d ${D}${sysconfdir}/tmpfiles.d
> install -m644 packaging/systemd/samba.conf.tmp ${D}${sysconfdir}/tmpfiles.d/samba.conf
> echo "d ${localstatedir}/log/samba 0755 root root -" \
> >> ${D}${sysconfdir}/tmpfiles.d/samba.conf
> elif ${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'true', 'false', d)}; then
> - install -d ${D}${sysconfdir}/init.d
> - install -m 0755 packaging/LSB/samba.sh ${D}${sysconfdir}/init.d
> - update-rc.d -r ${D} samba.sh start 20 3 5 .
> - update-rc.d -r ${D} samba.sh start 20 0 1 6 .
> + install -d ${D}${sysconfdir}/init.d
> + install -m 0755 packaging/LSB/samba.sh ${D}${sysconfdir}/init.d
> + update-rc.d -r ${D} samba.sh start 20 3 5 .
> + update-rc.d -r ${D} samba.sh start 20 0 1 6 .
> elif ${@bb.utils.contains('PACKAGECONFIG', 'sysv', 'true', 'false', d)}; then
> - install -d ${D}${sysconfdir}/init.d
> - install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba.sh
> - update-rc.d -r ${D} samba.sh start 20 3 5 .
> - update-rc.d -r ${D} samba.sh start 20 0 1 6 .
> + install -d ${D}${sysconfdir}/init.d
> + install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba.sh
> + update-rc.d -r ${D} samba.sh start 20 3 5 .
> + update-rc.d -r ${D} samba.sh start 20 0 1 6 .
> fi
>
> install -d ${D}${sysconfdir}/samba
> @@ -149,11 +112,13 @@ do_install_append() {
>
> install -d ${D}${sysconfdir}/sysconfig/
> install -m644 packaging/systemd/samba.sysconfig ${D}${sysconfdir}/sysconfig/samba
> +
> + rm -rf ${D}/run ${D}${localstatedir}/run
> }
>
> PACKAGES += "${PN}-python ${PN}-python-dbg ${PN}-pidl libwinbind libwinbind-dbg libwinbind-krb5-locator"
> PACKAGES =+ "libwbclient libnss-winbind winbind winbind-dbg libnetapi libsmbsharemodes \
> - libsmbclient libsmbclient-dev lib${PN}-base ${PN}-base"
> + libsmbclient libsmbclient-dev lib${PN}-base ${PN}-base ${PN}-ctdb-tests"
>
> RDEPENDS_${PN} += "${PN}-base"
>
> @@ -166,6 +131,12 @@ FILES_${PN}-base = "${sbindir}/nmbd \
> ${localstatedir}/spool/samba \
> "
>
> +FILES_${PN}-ctdb-tests = "${bindir}/ctdb_run_tests \
> + ${libdir}/ctdb-tests \
> + ${datadir}/ctdb-tests \
> + /run/ctdb \
> + "
> +
> # figured out by
> # FILES="tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/samba/4.1.12-r0/image/usr/sbin/smbd tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/samba/4.1.12-r0/image/usr/sbin/nmbd"
> #
> @@ -312,16 +283,20 @@ FILES_libwinbind-dbg = "${base_libdir}/security/.debug/pam_winbind.so"
> FILES_libwinbind-krb5-locator = "${libdir}/winbind_krb5_locator.so"
>
> FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.so \
> + ${libdir}/python${PYTHON_BASEVERSION}/site-packages/_ldb_text.py \
> ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/*.py \
> ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/*.so \
> ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/*.so \
> ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/*.py \
> ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/external/* \
> + ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/kcc/* \
> ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/netcmd/*.py \
> ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/provision/*.py \
> ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/*.py \
> ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/*.so \
> + ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/subunit/* \
> ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/tests/* \
> + ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/third_party/* \
> ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/web_server/* \
> "
>
> @@ -332,4 +307,4 @@ FILES_${PN}-python-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.d
> "
>
> RDEPENDS_${PN}-pidl_append = " perl"
> -FILES_${PN}-pidl = "${bindir}/pidl ${PERL_VERNDORLIB}/*"
> +FILES_${PN}-pidl = "${bindir}/pidl ${datadir}/perl5/Parse"
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 188 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [meta-networking][PATCH 5/5] samba: Update to latest stable
2016-04-19 9:15 ` Martin Jansa
@ 2016-04-19 13:01 ` Joe MacDonald
2016-04-20 9:27 ` Martin Jansa
0 siblings, 1 reply; 16+ messages in thread
From: Joe MacDonald @ 2016-04-19 13:01 UTC (permalink / raw)
To: openembedded-devel
[-- Attachment #1: Type: text/plain, Size: 1441400 bytes --]
[Re: [oe] [meta-networking][PATCH 5/5] samba: Update to latest stable] On 16.04.19 (Tue 11:15) Martin Jansa wrote:
> On Mon, Apr 18, 2016 at 05:00:53PM -0400, Joe MacDonald wrote:
> > The previous version of Samba had many critical security updates that
> > would've required significant backporting effort. Update to the latest
> > stable release instead.
>
> Does it fix floating dependency on libpam as well?
It does not, unfortunately. After an embarrassingly long time with this
I thought it would be best to carry it this far, integrate the
outstanding patches against it, then tackle the libpam dependency issue.
Since I know you've sunk a lot of time into this recently I know you
know all too well what a tangle the samba build and dependency checking
system can be.
It at least meets the criteria of "better than I found it", I think.
-J.
>
> > Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
> > ---
> > ...1-waf-sanitize-and-fix-added-cross-answer.patch | 60 -
> > ...-Adds-a-new-mode-to-samba-cross-compiling.patch | 112 -
> > ...-readability-of-cross-answers-generated-b.patch | 66 -
> > ...wafsamba-CHECK_SIZEOF-cross-compile-frien.patch | 72 -
> > .../0005-build-unify-and-fix-endian-tests.patch | 169 -
> > ...sing-of-cross-answers-file-in-case-answer.patch | 36 -
> > .../samba-4.1.12/01-fix-force-user-sec-ads.patch | 1448 -
> > .../samba/samba-4.1.12/02-fix-ipv6-join.patch | 266 -
> > .../samba-4.1.12/03-net-ads-kerberos-pac.patch | 962 -
> > .../samba/samba-4.1.12/04-ipv6-workaround.patch | 211 -
> > .../05-fix-gecos-field-with-samlogon.patch | 29894 -------------------
> > .../06-fix-nmbd-systemd-status-update.patch | 97 -
> > .../07-fix-idmap-ad-getgroups-without-gid.patch | 42 -
> > .../08-fix-idmap-ad-sfu-with-trusted-domains.patch | 44 -
> > .../09-fix-smbclient-echo-cmd-segfault.patch | 35 -
> > ...improve-service-principal-guessing-in-net.patch | 180 -
> > ...x-overwriting-of-spns-during-net-ads-join.patch | 329 -
> > ...ted-spns-from-AD-during-keytab-generation.patch | 159 -
> > .../samba/samba-4.1.12/13-fix-aes-enctype.patch | 988 -
> > .../samba/samba-4.1.12/14-fix-dnsupdate.patch | 51 -
> > .../15-fix-netbios-name-truncation.patch | 154 -
> > .../16-do-not-check-xsltproc-manpages.patch | 52 -
> > .../samba-4.1.12/17-execute-prog-by-qemu.patch | 22 -
> > .../18-avoid-get-config-by-native-ncurses.patch | 22 -
> > ...systemd-daemon-is-contained-by-libsystemd.patch | 42 -
> > .../samba-4.1.12/21-avoid-sasl-unless-wanted.patch | 10 -
> > .../00-fix-typos-in-man-pages.patch | 0
> > ...006-avoid-using-colon-in-the-checking-msg.patch | 0
> > .../16-do-not-check-xsltproc-manpages.patch | 43 +
> > ...-import-target-module-while-cross-compile.patch | 19 +-
> > .../21-add-config-option-without-valgrind.patch | 0
> > .../samba/{samba_4.1.12.bb => samba_4.4.2.bb} | 81 +-
> > 32 files changed, 81 insertions(+), 35585 deletions(-)
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
> > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
> > rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/00-fix-typos-in-man-pages.patch (100%)
> > rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/0006-avoid-using-colon-in-the-checking-msg.patch (100%)
> > create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
> > rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/20-do-not-import-target-module-while-cross-compile.patch (79%)
> > mode change 100755 => 100644
> > rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/21-add-config-option-without-valgrind.patch (100%)
> > rename meta-networking/recipes-connectivity/samba/{samba_4.1.12.bb => samba_4.4.2.bb} (82%)
> >
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
> > deleted file mode 100644
> > index 69668c0..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
> > +++ /dev/null
> > @@ -1,60 +0,0 @@
> > -From 1b32c7d7f148bcf2598799b21dfa3ba1ed824d32 Mon Sep 17 00:00:00 2001
> > -From: Uri Simchoni <urisimchoni@gmail.com>
> > -Date: Mon, 18 May 2015 21:12:06 +0300
> > -Subject: [PATCH 1/7] waf: sanitize and fix added cross answer
> > -
> > -When configuring samba for cross-compilation using the cross-answers
> > -method, the function add_answer receives the standard output and exit code
> > -of a configuration test and updates the cross-answers file accordingly.
> > -
> > -This patch sanitizes the standard output to conform to the cross-answers
> > -file format - one line of output. It also adds a missing newline.
> > -
> > -(Note - at this point add_answer is only ever called with empty output
> > -but this change is significant for the reminder of this patchset)
> > -
> > -Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> > -
> > -Upstream-Status: Backport
> > -
> > -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > ----
> > - buildtools/wafsamba/samba_cross.py | 13 +++++++++++--
> > - 1 file changed, 11 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
> > -index 3838e34..fc1d78e 100644
> > ---- a/buildtools/wafsamba/samba_cross.py
> > -+++ b/buildtools/wafsamba/samba_cross.py
> > -@@ -19,6 +19,16 @@ def add_answer(ca_file, msg, answer):
> > - except:
> > - Logs.error("Unable to open cross-answers file %s" % ca_file)
> > - sys.exit(1)
> > -+ (retcode, retstring) = answer
> > -+ # if retstring is more than one line then we probably
> > -+ # don't care about its actual content (the tests should
> > -+ # yield one-line output in order to comply with the cross-answer
> > -+ # format)
> > -+ retstring = retstring.strip()
> > -+ if len(retstring.split('\n')) > 1:
> > -+ retstring = ''
> > -+ answer = (retcode, retstring)
> > -+
> > - if answer == ANSWER_OK:
> > - f.write('%s: OK\n' % msg)
> > - elif answer == ANSWER_UNKNOWN:
> > -@@ -26,8 +36,7 @@ def add_answer(ca_file, msg, answer):
> > - elif answer == ANSWER_FAIL:
> > - f.write('%s: FAIL\n' % msg)
> > - else:
> > -- (retcode, retstring) = answer
> > -- f.write('%s: (%d, "%s")' % (msg, retcode, retstring))
> > -+ f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
> > - f.close()
> > -
> > -
> > ---
> > -1.9.1
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
> > deleted file mode 100644
> > index fce3abc..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
> > +++ /dev/null
> > @@ -1,112 +0,0 @@
> > -From add52538b9a0ccf66ca87c7a691bf59901765849 Mon Sep 17 00:00:00 2001
> > -From: Uri Simchoni <urisimchoni@gmail.com>
> > -Date: Mon, 18 May 2015 21:15:19 +0300
> > -Subject: [PATCH 2/7] Adds a new mode to samba cross-compiling.
> > -
> > -When both --cross-answers and --cross-execute are set, this means:
> > -- Use cross-answers
> > -- If answer is unknown, then instead of adding UNKNOWN to the cross-answers
> > - file and failing configure, the new mode runs cross-execute to determine the
> > - answer and adds that to the cross-answers file.
> > -
> > -Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> > -
> > -Upstream-Status: Backport
> > -
> > -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > ----
> > - buildtools/wafsamba/samba_cross.py | 46 ++++++++++++++++++++++++++++----------
> > - 1 file changed, 34 insertions(+), 12 deletions(-)
> > -
> > -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
> > -index fc1d78e..3f1ef12 100644
> > ---- a/buildtools/wafsamba/samba_cross.py
> > -+++ b/buildtools/wafsamba/samba_cross.py
> > -@@ -45,7 +45,6 @@ def cross_answer(ca_file, msg):
> > - try:
> > - f = open(ca_file, 'r')
> > - except:
> > -- add_answer(ca_file, msg, ANSWER_UNKNOWN)
> > - return ANSWER_UNKNOWN
> > - for line in f:
> > - line = line.strip()
> > -@@ -78,7 +77,6 @@ def cross_answer(ca_file, msg):
> > - else:
> > - raise Utils.WafError("Bad answer format '%s' in %s" % (line, ca_file))
> > - f.close()
> > -- add_answer(ca_file, msg, ANSWER_UNKNOWN)
> > - return ANSWER_UNKNOWN
> > -
> > -
> > -@@ -86,24 +84,47 @@ class cross_Popen(Utils.pproc.Popen):
> > - '''cross-compilation wrapper for Popen'''
> > - def __init__(*k, **kw):
> > - (obj, args) = k
> > --
> > -- if '--cross-execute' in args:
> > -- # when --cross-execute is set, then change the arguments
> > -- # to use the cross emulator
> > -- i = args.index('--cross-execute')
> > -- newargs = args[i+1].split()
> > -- newargs.extend(args[0:i])
> > -- args = newargs
> > -- elif '--cross-answers' in args:
> > -+ use_answers = False
> > -+ ans = ANSWER_UNKNOWN
> > -+
> > -+ # Three possibilities:
> > -+ # 1. Only cross-answers - try the cross-answers file, and if
> > -+ # there's no corresponding answer, add to the file and mark
> > -+ # the configure process as unfinished.
> > -+ # 2. Only cross-execute - get the answer from cross-execute
> > -+ # 3. Both - try the cross-answers file, and if there is no
> > -+ # corresponding answer - use cross-execute to get an answer,
> > -+ # and add that answer to the file.
> > -+ if '--cross-answers' in args:
> > - # when --cross-answers is set, then change the arguments
> > - # to use the cross answers if available
> > -+ use_answers = True
> > - i = args.index('--cross-answers')
> > - ca_file = args[i+1]
> > - msg = args[i+2]
> > - ans = cross_answer(ca_file, msg)
> > -+
> > -+ if '--cross-execute' in args and ans == ANSWER_UNKNOWN:
> > -+ # when --cross-execute is set, then change the arguments
> > -+ # to use the cross emulator
> > -+ i = args.index('--cross-execute')
> > -+ newargs = args[i+1].split()
> > -+ newargs.extend(args[0:i])
> > -+ if use_answers:
> > -+ p = real_Popen(newargs,
> > -+ stdout=Utils.pproc.PIPE,
> > -+ stderr=Utils.pproc.PIPE)
> > -+ ce_out, ce_err = p.communicate()
> > -+ ans = (p.returncode, ce_out)
> > -+ add_answer(ca_file, msg, ans)
> > -+ else:
> > -+ args = newargs
> > -+
> > -+ if use_answers:
> > - if ans == ANSWER_UNKNOWN:
> > - global cross_answers_incomplete
> > - cross_answers_incomplete = True
> > -+ add_answer(ca_file, msg, ans)
> > - (retcode, retstring) = ans
> > - args = ['/bin/sh', '-c', "echo -n '%s'; exit %d" % (retstring, retcode)]
> > - real_Popen.__init__(*(obj, args), **kw)
> > -@@ -124,7 +145,8 @@ def SAMBA_CROSS_ARGS(conf, msg=None):
> > -
> > - if conf.env.CROSS_EXECUTE:
> > - ret.extend(['--cross-execute', conf.env.CROSS_EXECUTE])
> > -- elif conf.env.CROSS_ANSWERS:
> > -+
> > -+ if conf.env.CROSS_ANSWERS:
> > - if msg is None:
> > - raise Utils.WafError("Cannot have NULL msg in cross-answers")
> > - ret.extend(['--cross-answers', os.path.join(Options.launch_dir, conf.env.CROSS_ANSWERS), msg])
> > ---
> > -1.9.1
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
> > deleted file mode 100644
> > index ec17d9d..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
> > +++ /dev/null
> > @@ -1,66 +0,0 @@
> > -From f7052d633396005563e44509428503f42c9faa97 Mon Sep 17 00:00:00 2001
> > -From: Jackie Huang <jackie.huang@windriver.com>
> > -Date: Thu, 12 Nov 2015 01:00:11 -0500
> > -Subject: [PATCH 3/7] waf: improve readability of cross-answers generated by cross-execute
> > -
> > -When generating a result for cross-answers from the (retcode, retstring) tuple:
> > -- (0, "output") indicated as "output"
> > -- 1 is interpreted as generic fail code, instead of 255, because most
> > - if not all tests fail with 1 as exit code rather than 255
> > -- For failing test, use NO instead of FAIL, because that's not
> > - necessarily a failure (it could mean that something is NOT
> > - broken)
> > -
> > -Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> > -
> > -Upstream-Status: Backport
> > -
> > -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > ----
> > - buildtools/wafsamba/samba_cross.py | 13 ++++++++-----
> > - 1 file changed, 8 insertions(+), 5 deletions(-)
> > -
> > -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
> > -index 3f1ef12..d1e7006 100644
> > ---- a/buildtools/wafsamba/samba_cross.py
> > -+++ b/buildtools/wafsamba/samba_cross.py
> > -@@ -6,7 +6,7 @@ from Configure import conf
> > - real_Popen = None
> > -
> > - ANSWER_UNKNOWN = (254, "")
> > --ANSWER_FAIL = (255, "")
> > -+ANSWER_NO = (1, "")
> > - ANSWER_OK = (0, "")
> > -
> > - cross_answers_incomplete = False
> > -@@ -33,10 +33,13 @@ def add_answer(ca_file, msg, answer):
> > - f.write('%s: OK\n' % msg)
> > - elif answer == ANSWER_UNKNOWN:
> > - f.write('%s: UNKNOWN\n' % msg)
> > -- elif answer == ANSWER_FAIL:
> > -- f.write('%s: FAIL\n' % msg)
> > -+ elif answer == ANSWER_NO:
> > -+ f.write('%s: NO\n' % msg)
> > - else:
> > -- f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
> > -+ if retcode == 0:
> > -+ f.write('%s: "%s"\n' % (msg, retstring))
> > -+ else:
> > -+ f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
> > - f.close()
> > -
> > -
> > -@@ -64,7 +67,7 @@ def cross_answer(ca_file, msg):
> > - return ANSWER_UNKNOWN
> > - elif ans == "FAIL" or ans == "NO":
> > - f.close()
> > -- return ANSWER_FAIL
> > -+ return ANSWER_NO
> > - elif ans[0] == '"':
> > - return (0, ans.strip('"'))
> > - elif ans[0] == "'":
> > ---
> > -1.9.1
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
> > deleted file mode 100644
> > index 3fbb770..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
> > +++ /dev/null
> > @@ -1,72 +0,0 @@
> > -From 8ffb1892b5c42d8d29124d274aa4b5f1726d7e9f Mon Sep 17 00:00:00 2001
> > -From: Gustavo Zacarias <gustavo@zacarias.com.ar>
> > -Date: Mon, 21 Apr 2014 10:18:16 -0300
> > -Subject: [PATCH 4/7] build: make wafsamba CHECK_SIZEOF cross-compile friendly
> > -
> > -Use the same trick as commit 0d9bb86293c9d39298786df095c73a6251b08b7e
> > -We do the same array trick iteratively starting from 1 (byte) by powers
> > -of 2 up to 32.
> > -
> > -The new 'critical' option is used to make the invocation die or not
> > -according to each test.
> > -The default is True since normally it's expected to find a proper
> > -result and should error out if not.
> > -
> > -Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: David Disseldorp <ddiss@samba.org>
> > -
> > -Upstream-Status: Backport
> > -
> > -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > ----
> > - buildtools/wafsamba/samba_autoconf.py | 28 ++++++++++++++++------------
> > - 1 file changed, 16 insertions(+), 12 deletions(-)
> > -
> > -diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
> > -index fe110bd..59953d9 100644
> > ---- a/buildtools/wafsamba/samba_autoconf.py
> > -+++ b/buildtools/wafsamba/samba_autoconf.py
> > -@@ -304,23 +304,27 @@ def CHECK_FUNCS(conf, list, link=True, lib=None, headers=None):
> > -
> > -
> > - @conf
> > --def CHECK_SIZEOF(conf, vars, headers=None, define=None):
> > -+def CHECK_SIZEOF(conf, vars, headers=None, define=None, critical=True):
> > - '''check the size of a type'''
> > -- ret = True
> > - for v in TO_LIST(vars):
> > - v_define = define
> > -+ ret = False
> > - if v_define is None:
> > - v_define = 'SIZEOF_%s' % v.upper().replace(' ', '_')
> > -- if not CHECK_CODE(conf,
> > -- 'printf("%%u", (unsigned)sizeof(%s))' % v,
> > -- define=v_define,
> > -- execute=True,
> > -- define_ret=True,
> > -- quote=False,
> > -- headers=headers,
> > -- local_include=False,
> > -- msg="Checking size of %s" % v):
> > -- ret = False
> > -+ for size in list((1, 2, 4, 8, 16, 32)):
> > -+ if CHECK_CODE(conf,
> > -+ 'static int test_array[1 - 2 * !(((long int)(sizeof(%s))) <= %d)];' % (v, size),
> > -+ define=v_define,
> > -+ quote=False,
> > -+ headers=headers,
> > -+ local_include=False,
> > -+ msg="Checking if size of %s == %d" % (v, size)):
> > -+ conf.DEFINE(v_define, size)
> > -+ ret = True
> > -+ break
> > -+ if not ret and critical:
> > -+ Logs.error("Couldn't determine size of '%s'" % v)
> > -+ sys.exit(1)
> > - return ret
> > -
> > - @conf
> > ---
> > -1.9.1
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
> > deleted file mode 100644
> > index 5546b6d..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
> > +++ /dev/null
> > @@ -1,169 +0,0 @@
> > -From 81379b6b14ea725c72953be2170b382403ed8728 Mon Sep 17 00:00:00 2001
> > -From: Gustavo Zacarias <gustavo@zacarias.com.ar>
> > -Date: Mon, 21 Apr 2014 10:18:15 -0300
> > -Subject: [PATCH 5/7] build: unify and fix endian tests
> > -
> > -Unify the endian tests out of lib/ccan/wscript into wafsamba since
> > -they're almost cross-compile friendly.
> > -While at it fix them to be so by moving the preprocessor directives out
> > -of main scope since that will fail.
> > -And keep the WORDS_BIGENDIAN, HAVE_LITTLE_ENDIAN and HAVE_BIG_ENDIAN
> > -defines separate because of different codebases.
> > -
> > -Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: David Disseldorp <ddiss@samba.org>
> > -
> > -Upstream-Status: Backport
> > -
> > -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > ----
> > - buildtools/wafsamba/wscript | 65 ++++++++++++++++++++++++++++++++++++++++++---
> > - lib/ccan/wscript | 55 --------------------------------------
> > - 2 files changed, 62 insertions(+), 58 deletions(-)
> > -
> > -diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
> > -index 7984227..1a2cfe6 100755
> > ---- a/buildtools/wafsamba/wscript
> > -+++ b/buildtools/wafsamba/wscript
> > -@@ -390,9 +390,68 @@ def configure(conf):
> > - else:
> > - conf.define('SHLIBEXT', "so", quote=True)
> > -
> > -- conf.CHECK_CODE('long one = 1; return ((char *)(&one))[0]',
> > -- execute=True,
> > -- define='WORDS_BIGENDIAN')
> > -+ # First try a header check for cross-compile friendlyness
> > -+ conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
> > -+ #define B __BYTE_ORDER
> > -+ #elif defined(BYTE_ORDER)
> > -+ #define B BYTE_ORDER
> > -+ #endif
> > -+
> > -+ #ifdef __LITTLE_ENDIAN
> > -+ #define LITTLE __LITTLE_ENDIAN
> > -+ #elif defined(LITTLE_ENDIAN)
> > -+ #define LITTLE LITTLE_ENDIAN
> > -+ #endif
> > -+
> > -+ #if !defined(LITTLE) || !defined(B) || LITTLE != B
> > -+ #error Not little endian.
> > -+ #endif
> > -+ int main(void) { return 0; }""",
> > -+ addmain=False,
> > -+ headers="endian.h sys/endian.h",
> > -+ define="HAVE_LITTLE_ENDIAN")
> > -+ conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
> > -+ #define B __BYTE_ORDER
> > -+ #elif defined(BYTE_ORDER)
> > -+ #define B BYTE_ORDER
> > -+ #endif
> > -+
> > -+ #ifdef __BIG_ENDIAN
> > -+ #define BIG __BIG_ENDIAN
> > -+ #elif defined(BIG_ENDIAN)
> > -+ #define BIG BIG_ENDIAN
> > -+ #endif
> > -+
> > -+ #if !defined(BIG) || !defined(B) || BIG != B
> > -+ #error Not big endian.
> > -+ #endif
> > -+ int main(void) { return 0; }""",
> > -+ addmain=False,
> > -+ headers="endian.h sys/endian.h",
> > -+ define="HAVE_BIG_ENDIAN")
> > -+
> > -+ if not conf.CONFIG_SET("HAVE_BIG_ENDIAN") and not conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
> > -+ # That didn't work! Do runtime test.
> > -+ conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
> > -+ u.i = 0x01020304;
> > -+ return u.c[0] == 0x04 && u.c[1] == 0x03 && u.c[2] == 0x02 && u.c[3] == 0x01 ? 0 : 1;""",
> > -+ addmain=True, execute=True,
> > -+ define='HAVE_LITTLE_ENDIAN',
> > -+ msg="Checking for HAVE_LITTLE_ENDIAN - runtime")
> > -+ conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
> > -+ u.i = 0x01020304;
> > -+ return u.c[0] == 0x01 && u.c[1] == 0x02 && u.c[2] == 0x03 && u.c[3] == 0x04 ? 0 : 1;""",
> > -+ addmain=True, execute=True,
> > -+ define='HAVE_BIG_ENDIAN',
> > -+ msg="Checking for HAVE_BIG_ENDIAN - runtime")
> > -+
> > -+ # Extra sanity check.
> > -+ if conf.CONFIG_SET("HAVE_BIG_ENDIAN") == conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
> > -+ Logs.error("Failed endian determination. The PDP-11 is back?")
> > -+ sys.exit(1)
> > -+ else:
> > -+ if conf.CONFIG_SET("HAVE_BIG_ENDIAN"):
> > -+ conf.DEFINE('WORDS_BIGENDIAN', 1)
> > -
> > - # check if signal() takes a void function
> > - if conf.CHECK_CODE('return *(signal (0, 0)) (0) == 1',
> > -diff --git a/lib/ccan/wscript b/lib/ccan/wscript
> > -index a0b5406..5b3a910 100644
> > ---- a/lib/ccan/wscript
> > -+++ b/lib/ccan/wscript
> > -@@ -25,61 +25,6 @@ def configure(conf):
> > - conf.CHECK_CODE('int __attribute__((used)) func(int x) { return x; }',
> > - addmain=False, link=False, cflags=conf.env['WERROR_CFLAGS'],
> > - define='HAVE_ATTRIBUTE_USED')
> > -- # We try to use headers for a compile-time test.
> > -- conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
> > -- #define B __BYTE_ORDER
> > -- #elif defined(BYTE_ORDER)
> > -- #define B BYTE_ORDER
> > -- #endif
> > --
> > -- #ifdef __LITTLE_ENDIAN
> > -- #define LITTLE __LITTLE_ENDIAN
> > -- #elif defined(LITTLE_ENDIAN)
> > -- #define LITTLE LITTLE_ENDIAN
> > -- #endif
> > --
> > -- #if !defined(LITTLE) || !defined(B) || LITTLE != B
> > -- #error Not little endian.
> > -- #endif""",
> > -- headers="endian.h sys/endian.h",
> > -- define="HAVE_LITTLE_ENDIAN")
> > -- conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
> > -- #define B __BYTE_ORDER
> > -- #elif defined(BYTE_ORDER)
> > -- #define B BYTE_ORDER
> > -- #endif
> > --
> > -- #ifdef __BIG_ENDIAN
> > -- #define BIG __BIG_ENDIAN
> > -- #elif defined(BIG_ENDIAN)
> > -- #define BIG BIG_ENDIAN
> > -- #endif
> > --
> > -- #if !defined(BIG) || !defined(B) || BIG != B
> > -- #error Not big endian.
> > -- #endif""",
> > -- headers="endian.h sys/endian.h",
> > -- define="HAVE_BIG_ENDIAN")
> > --
> > -- if not conf.CONFIG_SET("HAVE_BIG_ENDIAN") and not conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
> > -- # That didn't work! Do runtime test.
> > -- conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
> > -- u.i = 0x01020304;
> > -- return u.c[0] == 0x04 && u.c[1] == 0x03 && u.c[2] == 0x02 && u.c[3] == 0x01 ? 0 : 1;""",
> > -- addmain=True, execute=True,
> > -- define='HAVE_LITTLE_ENDIAN',
> > -- msg="Checking for HAVE_LITTLE_ENDIAN - runtime")
> > -- conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
> > -- u.i = 0x01020304;
> > -- return u.c[0] == 0x01 && u.c[1] == 0x02 && u.c[2] == 0x03 && u.c[3] == 0x04 ? 0 : 1;""",
> > -- addmain=True, execute=True,
> > -- define='HAVE_BIG_ENDIAN',
> > -- msg="Checking for HAVE_BIG_ENDIAN - runtime")
> > --
> > -- # Extra sanity check.
> > -- if conf.CONFIG_SET("HAVE_BIG_ENDIAN") == conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
> > -- Logs.error("Failed endian determination. The PDP-11 is back?")
> > -- sys.exit(1)
> > -
> > - conf.CHECK_CODE('return __builtin_choose_expr(1, 0, "garbage");',
> > - link=True,
> > ---
> > -1.9.1
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
> > deleted file mode 100644
> > index de0d32c..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
> > +++ /dev/null
> > @@ -1,36 +0,0 @@
> > -From 649c731526dc1473bd1804d2903d7559e63616da Mon Sep 17 00:00:00 2001
> > -From: Uri Simchoni <urisimchoni@gmail.com>
> > -Date: Mon, 4 May 2015 09:12:45 +0300
> > -Subject: [PATCH 7/7] waf: Fix parsing of cross-answers file in case answer includes a colon
> > -
> > -The answer provided in the cross-answers file may include a colon,
> > -as in:
> > -Checking uname version type: "#57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014"
> > -
> > -Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> > -
> > -Upstream-Status: Backport
> > -
> > -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > ----
> > - buildtools/wafsamba/samba_cross.py | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
> > -index d1e7006..7961212 100644
> > ---- a/buildtools/wafsamba/samba_cross.py
> > -+++ b/buildtools/wafsamba/samba_cross.py
> > -@@ -54,7 +54,7 @@ def cross_answer(ca_file, msg):
> > - if line == '' or line[0] == '#':
> > - continue
> > - if line.find(':') != -1:
> > -- a = line.split(':')
> > -+ a = line.split(':', 1)
> > - thismsg = a[0].strip()
> > - if thismsg != msg:
> > - continue
> > ---
> > -1.9.1
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
> > deleted file mode 100644
> > index 6c08ccc..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
> > +++ /dev/null
> > @@ -1,1448 +0,0 @@
> > -From 80f3551d4f594438dcc93dd82a7953c4a913badd Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Mon, 16 Dec 2013 12:57:20 +0100
> > -Subject: [PATCH 1/7] s3-lib: Add winbind_lookup_usersids().
> > -
> > -Pair-Programmed-With: Guenther Deschner <gd@samba.org>
> > -Signed-off-by: Guenther Deschner <gd@samba.org>
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -
> > -(cherry picked from commit 241e98d8ee099f9cc5feb835085b4abd2b1ee663)
> > ----
> > - source3/lib/winbind_util.c | 34 +++++
> > - source3/lib/winbind_util.h | 4 +
> > - source3/passdb/ABI/pdb-0.1.0.sigs | 311 ++++++++++++++++++++++++++++++++++++++
> > - source3/wscript_build | 2 +-
> > - 4 files changed, 350 insertions(+), 1 deletion(-)
> > - create mode 100644 source3/passdb/ABI/pdb-0.1.0.sigs
> > -
> > -diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c
> > -index b458ebe..f62682b 100644
> > ---- a/source3/lib/winbind_util.c
> > -+++ b/source3/lib/winbind_util.c
> > -@@ -342,6 +342,40 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
> > - return true;
> > - }
> > -
> > -+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
> > -+ const struct dom_sid *user_sid,
> > -+ uint32_t *p_num_sids,
> > -+ struct dom_sid **p_sids)
> > -+{
> > -+ wbcErr ret;
> > -+ struct wbcDomainSid dom_sid;
> > -+ struct wbcDomainSid *sid_list = NULL;
> > -+ uint32_t num_sids;
> > -+
> > -+ memcpy(&dom_sid, user_sid, sizeof(dom_sid));
> > -+
> > -+ ret = wbcLookupUserSids(&dom_sid,
> > -+ false,
> > -+ &num_sids,
> > -+ &sid_list);
> > -+ if (ret != WBC_ERR_SUCCESS) {
> > -+ return false;
> > -+ }
> > -+
> > -+ *p_sids = talloc_array(mem_ctx, struct dom_sid, num_sids);
> > -+ if (*p_sids == NULL) {
> > -+ wbcFreeMemory(sid_list);
> > -+ return false;
> > -+ }
> > -+
> > -+ memcpy(*p_sids, sid_list, sizeof(dom_sid) * num_sids);
> > -+
> > -+ *p_num_sids = num_sids;
> > -+ wbcFreeMemory(sid_list);
> > -+
> > -+ return true;
> > -+}
> > -+
> > - #else /* WITH_WINBIND */
> > -
> > - struct passwd * winbind_getpwnam(const char * name)
> > -diff --git a/source3/lib/winbind_util.h b/source3/lib/winbind_util.h
> > -index 541bb95..abbc5a9 100644
> > ---- a/source3/lib/winbind_util.h
> > -+++ b/source3/lib/winbind_util.h
> > -@@ -58,5 +58,9 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
> > - size_t num_members,
> > - uint32_t **pp_alias_rids,
> > - size_t *p_num_alias_rids);
> > -+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
> > -+ const struct dom_sid *user_sid,
> > -+ uint32_t *p_num_sids,
> > -+ struct dom_sid **p_sids);
> > -
> > - #endif /* __LIB__WINBIND_UTIL_H__ */
> > -diff --git a/source3/passdb/ABI/pdb-0.1.0.sigs b/source3/passdb/ABI/pdb-0.1.0.sigs
> > -new file mode 100644
> > -index 0000000..f4de9c4
> > ---- /dev/null
> > -+++ b/source3/passdb/ABI/pdb-0.1.0.sigs
> > -@@ -0,0 +1,311 @@
> > -+PDB_secrets_clear_domain_protection: bool (const char *)
> > -+PDB_secrets_fetch_domain_guid: bool (const char *, struct GUID *)
> > -+PDB_secrets_fetch_domain_sid: bool (const char *, struct dom_sid *)
> > -+PDB_secrets_mark_domain_protected: bool (const char *)
> > -+PDB_secrets_store_domain_guid: bool (const char *, struct GUID *)
> > -+PDB_secrets_store_domain_sid: bool (const char *, const struct dom_sid *)
> > -+account_policy_get: bool (enum pdb_policy_type, uint32_t *)
> > -+account_policy_get_default: bool (enum pdb_policy_type, uint32_t *)
> > -+account_policy_get_desc: const char *(enum pdb_policy_type)
> > -+account_policy_name_to_typenum: enum pdb_policy_type (const char *)
> > -+account_policy_names_list: void (TALLOC_CTX *, const char ***, int *)
> > -+account_policy_set: bool (enum pdb_policy_type, uint32_t)
> > -+add_initial_entry: NTSTATUS (gid_t, const char *, enum lsa_SidType, const char *, const char *)
> > -+algorithmic_pdb_gid_to_group_rid: uint32_t (gid_t)
> > -+algorithmic_pdb_rid_is_user: bool (uint32_t)
> > -+algorithmic_pdb_uid_to_user_rid: uint32_t (uid_t)
> > -+algorithmic_pdb_user_rid_to_uid: uid_t (uint32_t)
> > -+algorithmic_rid_base: int (void)
> > -+builtin_domain_name: const char *(void)
> > -+cache_account_policy_get: bool (enum pdb_policy_type, uint32_t *)
> > -+cache_account_policy_set: bool (enum pdb_policy_type, uint32_t)
> > -+create_builtin_administrators: NTSTATUS (const struct dom_sid *)
> > -+create_builtin_users: NTSTATUS (const struct dom_sid *)
> > -+decode_account_policy_name: const char *(enum pdb_policy_type)
> > -+get_account_pol_db: struct db_context *(void)
> > -+get_account_policy_attr: const char *(enum pdb_policy_type)
> > -+get_domain_group_from_sid: bool (struct dom_sid, GROUP_MAP *)
> > -+get_primary_group_sid: NTSTATUS (TALLOC_CTX *, const char *, struct passwd **, struct dom_sid **)
> > -+get_privileges_for_sid_as_set: NTSTATUS (TALLOC_CTX *, PRIVILEGE_SET **, struct dom_sid *)
> > -+get_privileges_for_sids: bool (uint64_t *, struct dom_sid *, int)
> > -+get_trust_pw_clear: bool (const char *, char **, const char **, enum netr_SchannelType *)
> > -+get_trust_pw_hash: bool (const char *, uint8_t *, const char **, enum netr_SchannelType *)
> > -+gid_to_sid: void (struct dom_sid *, gid_t)
> > -+gid_to_unix_groups_sid: void (gid_t, struct dom_sid *)
> > -+grab_named_mutex: struct named_mutex *(TALLOC_CTX *, const char *, int)
> > -+grant_all_privileges: bool (const struct dom_sid *)
> > -+grant_privilege_by_name: bool (const struct dom_sid *, const char *)
> > -+grant_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *)
> > -+groupdb_tdb_init: const struct mapping_backend *(void)
> > -+init_account_policy: bool (void)
> > -+init_buffer_from_samu: uint32_t (uint8_t **, struct samu *, bool)
> > -+init_samu_from_buffer: bool (struct samu *, uint32_t, uint8_t *, uint32_t)
> > -+initialize_password_db: bool (bool, struct tevent_context *)
> > -+is_dc_trusted_domain_situation: bool (const char *)
> > -+is_privileged_sid: bool (const struct dom_sid *)
> > -+local_password_change: NTSTATUS (const char *, int, const char *, char **, char **)
> > -+login_cache_delentry: bool (const struct samu *)
> > -+login_cache_init: bool (void)
> > -+login_cache_read: bool (struct samu *, struct login_cache *)
> > -+login_cache_shutdown: bool (void)
> > -+login_cache_write: bool (const struct samu *, const struct login_cache *)
> > -+lookup_builtin_name: bool (const char *, uint32_t *)
> > -+lookup_builtin_rid: bool (TALLOC_CTX *, uint32_t, const char **)
> > -+lookup_global_sam_name: bool (const char *, int, uint32_t *, enum lsa_SidType *)
> > -+lookup_name: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *)
> > -+lookup_name_smbconf: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *)
> > -+lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *)
> > -+lookup_sids: NTSTATUS (TALLOC_CTX *, int, const struct dom_sid **, int, struct lsa_dom_info **, struct lsa_name_info **)
> > -+lookup_unix_group_name: bool (const char *, struct dom_sid *)
> > -+lookup_unix_user_name: bool (const char *, struct dom_sid *)
> > -+lookup_wellknown_name: bool (TALLOC_CTX *, const char *, struct dom_sid *, const char **)
> > -+lookup_wellknown_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **)
> > -+make_pdb_method: NTSTATUS (struct pdb_methods **)
> > -+make_pdb_method_name: NTSTATUS (struct pdb_methods **, const char *)
> > -+max_algorithmic_gid: gid_t (void)
> > -+max_algorithmic_uid: uid_t (void)
> > -+my_sam_name: const char *(void)
> > -+pdb_add_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *)
> > -+pdb_add_group_mapping_entry: NTSTATUS (GROUP_MAP *)
> > -+pdb_add_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t)
> > -+pdb_add_sam_account: NTSTATUS (struct samu *)
> > -+pdb_build_fields_present: uint32_t (struct samu *)
> > -+pdb_capabilities: uint32_t (void)
> > -+pdb_copy_sam_account: bool (struct samu *, struct samu *)
> > -+pdb_create_alias: NTSTATUS (const char *, uint32_t *)
> > -+pdb_create_builtin: NTSTATUS (uint32_t)
> > -+pdb_create_builtin_alias: NTSTATUS (uint32_t, gid_t)
> > -+pdb_create_dom_group: NTSTATUS (TALLOC_CTX *, const char *, uint32_t *)
> > -+pdb_create_user: NTSTATUS (TALLOC_CTX *, const char *, uint32_t, uint32_t *)
> > -+pdb_decode_acct_ctrl: uint32_t (const char *)
> > -+pdb_default_add_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *)
> > -+pdb_default_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
> > -+pdb_default_alias_memberships: NTSTATUS (struct pdb_methods *, TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
> > -+pdb_default_create_alias: NTSTATUS (struct pdb_methods *, const char *, uint32_t *)
> > -+pdb_default_del_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *)
> > -+pdb_default_delete_alias: NTSTATUS (struct pdb_methods *, const struct dom_sid *)
> > -+pdb_default_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid)
> > -+pdb_default_enum_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *)
> > -+pdb_default_enum_group_mapping: NTSTATUS (struct pdb_methods *, const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool)
> > -+pdb_default_get_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *)
> > -+pdb_default_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t)
> > -+pdb_default_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *)
> > -+pdb_default_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid)
> > -+pdb_default_set_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *)
> > -+pdb_default_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
> > -+pdb_del_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *)
> > -+pdb_del_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t)
> > -+pdb_del_trusted_domain: NTSTATUS (const char *)
> > -+pdb_del_trusteddom_pw: bool (const char *)
> > -+pdb_delete_alias: NTSTATUS (const struct dom_sid *)
> > -+pdb_delete_dom_group: NTSTATUS (TALLOC_CTX *, uint32_t)
> > -+pdb_delete_group_mapping_entry: NTSTATUS (struct dom_sid)
> > -+pdb_delete_sam_account: NTSTATUS (struct samu *)
> > -+pdb_delete_secret: NTSTATUS (const char *)
> > -+pdb_delete_user: NTSTATUS (TALLOC_CTX *, struct samu *)
> > -+pdb_element_is_changed: bool (const struct samu *, enum pdb_elements)
> > -+pdb_element_is_set_or_changed: bool (const struct samu *, enum pdb_elements)
> > -+pdb_encode_acct_ctrl: char *(uint32_t, size_t)
> > -+pdb_enum_alias_memberships: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
> > -+pdb_enum_aliasmem: NTSTATUS (const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *)
> > -+pdb_enum_group_mapping: bool (const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool)
> > -+pdb_enum_group_members: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, uint32_t **, size_t *)
> > -+pdb_enum_group_memberships: NTSTATUS (TALLOC_CTX *, struct samu *, struct dom_sid **, gid_t **, uint32_t *)
> > -+pdb_enum_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct pdb_trusted_domain ***)
> > -+pdb_enum_trusteddoms: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***)
> > -+pdb_enum_upn_suffixes: NTSTATUS (TALLOC_CTX *, uint32_t *, char ***)
> > -+pdb_find_backend_entry: struct pdb_init_function_entry *(const char *)
> > -+pdb_get_account_policy: bool (enum pdb_policy_type, uint32_t *)
> > -+pdb_get_acct_ctrl: uint32_t (const struct samu *)
> > -+pdb_get_acct_desc: const char *(const struct samu *)
> > -+pdb_get_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *)
> > -+pdb_get_backend_private_data: void *(const struct samu *, const struct pdb_methods *)
> > -+pdb_get_backends: const struct pdb_init_function_entry *(void)
> > -+pdb_get_bad_password_count: uint16_t (const struct samu *)
> > -+pdb_get_bad_password_time: time_t (const struct samu *)
> > -+pdb_get_code_page: uint16_t (const struct samu *)
> > -+pdb_get_comment: const char *(const struct samu *)
> > -+pdb_get_country_code: uint16_t (const struct samu *)
> > -+pdb_get_dir_drive: const char *(const struct samu *)
> > -+pdb_get_domain: const char *(const struct samu *)
> > -+pdb_get_domain_info: struct pdb_domain_info *(TALLOC_CTX *)
> > -+pdb_get_fullname: const char *(const struct samu *)
> > -+pdb_get_group_rid: uint32_t (struct samu *)
> > -+pdb_get_group_sid: const struct dom_sid *(struct samu *)
> > -+pdb_get_homedir: const char *(const struct samu *)
> > -+pdb_get_hours: const uint8_t *(const struct samu *)
> > -+pdb_get_hours_len: uint32_t (const struct samu *)
> > -+pdb_get_init_flags: enum pdb_value_state (const struct samu *, enum pdb_elements)
> > -+pdb_get_kickoff_time: time_t (const struct samu *)
> > -+pdb_get_lanman_passwd: const uint8_t *(const struct samu *)
> > -+pdb_get_logoff_time: time_t (const struct samu *)
> > -+pdb_get_logon_count: uint16_t (const struct samu *)
> > -+pdb_get_logon_divs: uint16_t (const struct samu *)
> > -+pdb_get_logon_script: const char *(const struct samu *)
> > -+pdb_get_logon_time: time_t (const struct samu *)
> > -+pdb_get_munged_dial: const char *(const struct samu *)
> > -+pdb_get_nt_passwd: const uint8_t *(const struct samu *)
> > -+pdb_get_nt_username: const char *(const struct samu *)
> > -+pdb_get_pass_can_change: bool (const struct samu *)
> > -+pdb_get_pass_can_change_time: time_t (const struct samu *)
> > -+pdb_get_pass_can_change_time_noncalc: time_t (const struct samu *)
> > -+pdb_get_pass_last_set_time: time_t (const struct samu *)
> > -+pdb_get_pass_must_change_time: time_t (const struct samu *)
> > -+pdb_get_plaintext_passwd: const char *(const struct samu *)
> > -+pdb_get_profile_path: const char *(const struct samu *)
> > -+pdb_get_pw_history: const uint8_t *(const struct samu *, uint32_t *)
> > -+pdb_get_secret: NTSTATUS (TALLOC_CTX *, const char *, DATA_BLOB *, NTTIME *, DATA_BLOB *, NTTIME *, struct security_descriptor **)
> > -+pdb_get_seq_num: bool (time_t *)
> > -+pdb_get_tevent_context: struct tevent_context *(void)
> > -+pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct pdb_trusted_domain **)
> > -+pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *, struct pdb_trusted_domain **)
> > -+pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *)
> > -+pdb_get_unknown_6: uint32_t (const struct samu *)
> > -+pdb_get_user_rid: uint32_t (const struct samu *)
> > -+pdb_get_user_sid: const struct dom_sid *(const struct samu *)
> > -+pdb_get_username: const char *(const struct samu *)
> > -+pdb_get_workstations: const char *(const struct samu *)
> > -+pdb_getgrgid: bool (GROUP_MAP *, gid_t)
> > -+pdb_getgrnam: bool (GROUP_MAP *, const char *)
> > -+pdb_getgrsid: bool (GROUP_MAP *, struct dom_sid)
> > -+pdb_gethexhours: bool (const char *, unsigned char *)
> > -+pdb_gethexpwd: bool (const char *, unsigned char *)
> > -+pdb_getsampwnam: bool (struct samu *, const char *)
> > -+pdb_getsampwsid: bool (struct samu *, const struct dom_sid *)
> > -+pdb_gid_to_sid: bool (gid_t, struct dom_sid *)
> > -+pdb_group_rid_to_gid: gid_t (uint32_t)
> > -+pdb_increment_bad_password_count: bool (struct samu *)
> > -+pdb_is_password_change_time_max: bool (time_t)
> > -+pdb_is_responsible_for_builtin: bool (void)
> > -+pdb_is_responsible_for_our_sam: bool (void)
> > -+pdb_is_responsible_for_unix_groups: bool (void)
> > -+pdb_is_responsible_for_unix_users: bool (void)
> > -+pdb_is_responsible_for_wellknown: bool (void)
> > -+pdb_lookup_rids: NTSTATUS (const struct dom_sid *, int, uint32_t *, const char **, enum lsa_SidType *)
> > -+pdb_new_rid: bool (uint32_t *)
> > -+pdb_nop_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
> > -+pdb_nop_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid)
> > -+pdb_nop_enum_group_mapping: NTSTATUS (struct pdb_methods *, enum lsa_SidType, GROUP_MAP **, size_t *, bool)
> > -+pdb_nop_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t)
> > -+pdb_nop_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *)
> > -+pdb_nop_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid)
> > -+pdb_nop_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
> > -+pdb_rename_sam_account: NTSTATUS (struct samu *, const char *)
> > -+pdb_search_aliases: struct pdb_search *(TALLOC_CTX *, const struct dom_sid *)
> > -+pdb_search_entries: uint32_t (struct pdb_search *, uint32_t, uint32_t, struct samr_displayentry **)
> > -+pdb_search_groups: struct pdb_search *(TALLOC_CTX *)
> > -+pdb_search_init: struct pdb_search *(TALLOC_CTX *, enum pdb_search_type)
> > -+pdb_search_users: struct pdb_search *(TALLOC_CTX *, uint32_t)
> > -+pdb_set_account_policy: bool (enum pdb_policy_type, uint32_t)
> > -+pdb_set_acct_ctrl: bool (struct samu *, uint32_t, enum pdb_value_state)
> > -+pdb_set_acct_desc: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *)
> > -+pdb_set_backend_private_data: bool (struct samu *, void *, void (*)(void **), const struct pdb_methods *, enum pdb_value_state)
> > -+pdb_set_bad_password_count: bool (struct samu *, uint16_t, enum pdb_value_state)
> > -+pdb_set_bad_password_time: bool (struct samu *, time_t, enum pdb_value_state)
> > -+pdb_set_code_page: bool (struct samu *, uint16_t, enum pdb_value_state)
> > -+pdb_set_comment: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_country_code: bool (struct samu *, uint16_t, enum pdb_value_state)
> > -+pdb_set_dir_drive: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_domain: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_fullname: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_group_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state)
> > -+pdb_set_group_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state)
> > -+pdb_set_homedir: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_hours: bool (struct samu *, const uint8_t *, int, enum pdb_value_state)
> > -+pdb_set_hours_len: bool (struct samu *, uint32_t, enum pdb_value_state)
> > -+pdb_set_init_flags: bool (struct samu *, enum pdb_elements, enum pdb_value_state)
> > -+pdb_set_kickoff_time: bool (struct samu *, time_t, enum pdb_value_state)
> > -+pdb_set_lanman_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state)
> > -+pdb_set_logoff_time: bool (struct samu *, time_t, enum pdb_value_state)
> > -+pdb_set_logon_count: bool (struct samu *, uint16_t, enum pdb_value_state)
> > -+pdb_set_logon_divs: bool (struct samu *, uint16_t, enum pdb_value_state)
> > -+pdb_set_logon_script: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_logon_time: bool (struct samu *, time_t, enum pdb_value_state)
> > -+pdb_set_munged_dial: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_nt_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state)
> > -+pdb_set_nt_username: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_pass_can_change: bool (struct samu *, bool)
> > -+pdb_set_pass_can_change_time: bool (struct samu *, time_t, enum pdb_value_state)
> > -+pdb_set_pass_last_set_time: bool (struct samu *, time_t, enum pdb_value_state)
> > -+pdb_set_plaintext_passwd: bool (struct samu *, const char *)
> > -+pdb_set_plaintext_pw_only: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_profile_path: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_pw_history: bool (struct samu *, const uint8_t *, uint32_t, enum pdb_value_state)
> > -+pdb_set_secret: NTSTATUS (const char *, DATA_BLOB *, DATA_BLOB *, struct security_descriptor *)
> > -+pdb_set_trusted_domain: NTSTATUS (const char *, const struct pdb_trusted_domain *)
> > -+pdb_set_trusteddom_pw: bool (const char *, const char *, const struct dom_sid *)
> > -+pdb_set_unix_primary_group: NTSTATUS (TALLOC_CTX *, struct samu *)
> > -+pdb_set_unknown_6: bool (struct samu *, uint32_t, enum pdb_value_state)
> > -+pdb_set_upn_suffixes: NTSTATUS (uint32_t, const char **)
> > -+pdb_set_user_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state)
> > -+pdb_set_user_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state)
> > -+pdb_set_user_sid_from_string: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_username: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_set_workstations: bool (struct samu *, const char *, enum pdb_value_state)
> > -+pdb_sethexhours: void (char *, const unsigned char *)
> > -+pdb_sethexpwd: void (char *, const unsigned char *, uint32_t)
> > -+pdb_sid_to_id: bool (const struct dom_sid *, struct unixid *)
> > -+pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct unixid *)
> > -+pdb_uid_to_sid: bool (uid_t, struct dom_sid *)
> > -+pdb_update_autolock_flag: bool (struct samu *, bool *)
> > -+pdb_update_bad_password_count: bool (struct samu *, bool *)
> > -+pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *)
> > -+pdb_update_login_attempts: NTSTATUS (struct samu *, bool)
> > -+pdb_update_sam_account: NTSTATUS (struct samu *)
> > -+privilege_create_account: NTSTATUS (const struct dom_sid *)
> > -+privilege_delete_account: NTSTATUS (const struct dom_sid *)
> > -+privilege_enum_sids: NTSTATUS (enum sec_privilege, TALLOC_CTX *, struct dom_sid **, int *)
> > -+privilege_enumerate_accounts: NTSTATUS (struct dom_sid **, int *)
> > -+revoke_all_privileges: bool (const struct dom_sid *)
> > -+revoke_privilege_by_name: bool (const struct dom_sid *, const char *)
> > -+revoke_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *)
> > -+samu_alloc_rid_unix: NTSTATUS (struct pdb_methods *, struct samu *, const struct passwd *)
> > -+samu_new: struct samu *(TALLOC_CTX *)
> > -+samu_set_unix: NTSTATUS (struct samu *, const struct passwd *)
> > -+secrets_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***)
> > -+sid_check_is_builtin: bool (const struct dom_sid *)
> > -+sid_check_is_for_passdb: bool (const struct dom_sid *)
> > -+sid_check_is_in_builtin: bool (const struct dom_sid *)
> > -+sid_check_is_in_unix_groups: bool (const struct dom_sid *)
> > -+sid_check_is_in_unix_users: bool (const struct dom_sid *)
> > -+sid_check_is_in_wellknown_domain: bool (const struct dom_sid *)
> > -+sid_check_is_unix_groups: bool (const struct dom_sid *)
> > -+sid_check_is_unix_users: bool (const struct dom_sid *)
> > -+sid_check_is_wellknown_builtin: bool (const struct dom_sid *)
> > -+sid_check_is_wellknown_domain: bool (const struct dom_sid *, const char **)
> > -+sid_check_object_is_for_passdb: bool (const struct dom_sid *)
> > -+sid_to_gid: bool (const struct dom_sid *, gid_t *)
> > -+sid_to_uid: bool (const struct dom_sid *, uid_t *)
> > -+sids_to_unixids: bool (const struct dom_sid *, uint32_t, struct unixid *)
> > -+smb_add_user_group: int (const char *, const char *)
> > -+smb_create_group: int (const char *, gid_t *)
> > -+smb_delete_group: int (const char *)
> > -+smb_delete_user_group: int (const char *, const char *)
> > -+smb_nscd_flush_group_cache: void (void)
> > -+smb_nscd_flush_user_cache: void (void)
> > -+smb_register_passdb: NTSTATUS (int, const char *, pdb_init_function)
> > -+smb_set_primary_group: int (const char *, const char *)
> > -+uid_to_sid: void (struct dom_sid *, uid_t)
> > -+uid_to_unix_users_sid: void (uid_t, struct dom_sid *)
> > -+unix_groups_domain_name: const char *(void)
> > -+unix_users_domain_name: const char *(void)
> > -+unixid_from_both: void (struct unixid *, uint32_t)
> > -+unixid_from_gid: void (struct unixid *, uint32_t)
> > -+unixid_from_uid: void (struct unixid *, uint32_t)
> > -+wb_is_trusted_domain: wbcErr (const char *)
> > -+winbind_allocate_gid: bool (gid_t *)
> > -+winbind_allocate_uid: bool (uid_t *)
> > -+winbind_get_groups: bool (TALLOC_CTX *, const char *, uint32_t *, gid_t **)
> > -+winbind_get_sid_aliases: bool (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
> > -+winbind_getpwnam: struct passwd *(const char *)
> > -+winbind_getpwsid: struct passwd *(const struct dom_sid *)
> > -+winbind_gid_to_sid: bool (struct dom_sid *, gid_t)
> > -+winbind_lookup_name: bool (const char *, const char *, struct dom_sid *, enum lsa_SidType *)
> > -+winbind_lookup_rids: bool (TALLOC_CTX *, const struct dom_sid *, int, uint32_t *, const char **, const char ***, enum lsa_SidType **)
> > -+winbind_lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *)
> > -+winbind_lookup_usersids: bool (TALLOC_CTX *, const struct dom_sid *, uint32_t *, struct dom_sid **)
> > -+winbind_ping: bool (void)
> > -+winbind_sid_to_gid: bool (gid_t *, const struct dom_sid *)
> > -+winbind_sid_to_uid: bool (uid_t *, const struct dom_sid *)
> > -+winbind_uid_to_sid: bool (struct dom_sid *, uid_t)
> > -diff --git a/source3/wscript_build b/source3/wscript_build
> > -index e0432bf..6d6b6aa 100755
> > ---- a/source3/wscript_build
> > -+++ b/source3/wscript_build
> > -@@ -736,7 +736,7 @@ bld.SAMBA3_LIBRARY('pdb',
> > - passdb/lookup_sid.h''',
> > - abi_match=private_pdb_match,
> > - abi_directory='passdb/ABI',
> > -- vnum='0',
> > -+ vnum='0.1.0',
> > - vars=locals())
> > -
> > - bld.SAMBA3_LIBRARY('smbldaphelper',
> > ---
> > -1.8.5.2
> > -
> > -
> > -From 91debcafd196a9e821efddce0a9d75c48f8e168d Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Fri, 13 Dec 2013 19:08:34 +0100
> > -Subject: [PATCH 2/7] s3-auth: Add passwd_to_SamInfo3().
> > -
> > -First this function tries to contacts winbind if the user is a domain
> > -user to get valid information about it. If winbind isn't running it will
> > -try to create everything from the passwd struct. This is not always
> > -reliable but works in most cases. It improves the current situation
> > -which doesn't talk to winbind at all.
> > -
> > -Pair-Programmed-With: Guenther Deschner <gd@samba.org>
> > -Signed-off-by: Guenther Deschner <gd@samba.org>
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 1bb11c7744df6928cb8a096373ab920366b38770)
> > ----
> > - source3/auth/proto.h | 4 ++
> > - source3/auth/server_info.c | 116 +++++++++++++++++++++++++++++++++++++++++++++
> > - 2 files changed, 120 insertions(+)
> > -
> > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > -index 76661fc..8385e66 100644
> > ---- a/source3/auth/proto.h
> > -+++ b/source3/auth/proto.h
> > -@@ -286,6 +286,10 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > - const char *login_server,
> > - struct netr_SamInfo3 **_info3,
> > - struct extra_auth_info *extra);
> > -+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > -+ const char *unix_username,
> > -+ const struct passwd *pwd,
> > -+ struct netr_SamInfo3 **pinfo3);
> > - struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> > - struct netr_SamInfo3 *orig);
> > - struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> > -diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
> > -index d2b7d6e..46d8178 100644
> > ---- a/source3/auth/server_info.c
> > -+++ b/source3/auth/server_info.c
> > -@@ -24,6 +24,7 @@
> > - #include "../libcli/security/security.h"
> > - #include "rpc_client/util_netlogon.h"
> > - #include "nsswitch/libwbclient/wbclient.h"
> > -+#include "lib/winbind_util.h"
> > - #include "passdb.h"
> > -
> > - #undef DBGC_CLASS
> > -@@ -436,6 +437,121 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > - return NT_STATUS_OK;
> > - }
> > -
> > -+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > -+ const char *unix_username,
> > -+ const struct passwd *pwd,
> > -+ struct netr_SamInfo3 **pinfo3)
> > -+{
> > -+ struct netr_SamInfo3 *info3;
> > -+ NTSTATUS status;
> > -+ TALLOC_CTX *tmp_ctx;
> > -+ const char *domain_name = NULL;
> > -+ const char *user_name = NULL;
> > -+ struct dom_sid domain_sid;
> > -+ struct dom_sid user_sid;
> > -+ struct dom_sid group_sid;
> > -+ enum lsa_SidType type;
> > -+ uint32_t num_sids = 0;
> > -+ struct dom_sid *user_sids = NULL;
> > -+ bool ok;
> > -+
> > -+ tmp_ctx = talloc_stackframe();
> > -+
> > -+ ok = lookup_name_smbconf(tmp_ctx,
> > -+ unix_username,
> > -+ LOOKUP_NAME_ALL,
> > -+ &domain_name,
> > -+ &user_name,
> > -+ &user_sid,
> > -+ &type);
> > -+ if (!ok) {
> > -+ status = NT_STATUS_NO_SUCH_USER;
> > -+ goto done;
> > -+ }
> > -+
> > -+ if (type != SID_NAME_USER) {
> > -+ status = NT_STATUS_NO_SUCH_USER;
> > -+ goto done;
> > -+ }
> > -+
> > -+ ok = winbind_lookup_usersids(tmp_ctx,
> > -+ &user_sid,
> > -+ &num_sids,
> > -+ &user_sids);
> > -+ /* Check if winbind is running */
> > -+ if (ok) {
> > -+ /*
> > -+ * Winbind is running and the first element of the user_sids
> > -+ * is the primary group.
> > -+ */
> > -+ if (num_sids > 0) {
> > -+ group_sid = user_sids[0];
> > -+ }
> > -+ } else {
> > -+ /*
> > -+ * Winbind is not running, create the group_sid from the
> > -+ * group id.
> > -+ */
> > -+ gid_to_sid(&group_sid, pwd->pw_gid);
> > -+ }
> > -+
> > -+ /* Make sure we have a valid group sid */
> > -+ ok = !is_null_sid(&group_sid);
> > -+ if (!ok) {
> > -+ status = NT_STATUS_NO_SUCH_USER;
> > -+ goto done;
> > -+ }
> > -+
> > -+ /* Construct a netr_SamInfo3 from the information we have */
> > -+ info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3);
> > -+ if (!info3) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ goto done;
> > -+ }
> > -+
> > -+ info3->base.account_name.string = talloc_strdup(info3, unix_username);
> > -+ if (info3->base.account_name.string == NULL) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ goto done;
> > -+ }
> > -+
> > -+ ZERO_STRUCT(domain_sid);
> > -+
> > -+ sid_copy(&domain_sid, &user_sid);
> > -+ sid_split_rid(&domain_sid, &info3->base.rid);
> > -+ info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
> > -+
> > -+ ok = sid_peek_check_rid(&domain_sid, &group_sid,
> > -+ &info3->base.primary_gid);
> > -+ if (!ok) {
> > -+ DEBUG(1, ("The primary group domain sid(%s) does not "
> > -+ "match the domain sid(%s) for %s(%s)\n",
> > -+ sid_string_dbg(&group_sid),
> > -+ sid_string_dbg(&domain_sid),
> > -+ unix_username,
> > -+ sid_string_dbg(&user_sid)));
> > -+ status = NT_STATUS_INVALID_SID;
> > -+ goto done;
> > -+ }
> > -+
> > -+ info3->base.acct_flags = ACB_NORMAL;
> > -+
> > -+ if (num_sids) {
> > -+ status = group_sids_to_info3(info3, user_sids, num_sids);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ goto done;
> > -+ }
> > -+ }
> > -+
> > -+ *pinfo3 = talloc_steal(mem_ctx, info3);
> > -+
> > -+ status = NT_STATUS_OK;
> > -+done:
> > -+ talloc_free(tmp_ctx);
> > -+
> > -+ return status;
> > -+}
> > -+
> > - #undef RET_NOMEM
> > -
> > - #define RET_NOMEM(ptr) do { \
> > ---
> > -1.8.5.2
> > -
> > -
> > -From c7b7670dc5cd8dbf727258666b6417d67afafb33 Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Fri, 13 Dec 2013 19:11:01 +0100
> > -Subject: [PATCH 3/7] s3-auth: Pass talloc context to make_server_info_pw().
> > -
> > -Pair-Programmed-With: Guenther Deschner <gd@samba.org>
> > -Signed-off-by: Guenther Deschner <gd@samba.org>
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 1b59c9743cf3fbd66b0b8b52162b2cc8d922e5cf)
> > ----
> > - source3/auth/auth_unix.c | 7 +++++--
> > - source3/auth/auth_util.c | 52 +++++++++++++++++++++++++++++-------------------
> > - source3/auth/proto.h | 7 ++++---
> > - source3/auth/user_krb5.c | 5 +----
> > - 4 files changed, 42 insertions(+), 29 deletions(-)
> > -
> > -diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
> > -index c8b5435..7b483a2 100644
> > ---- a/source3/auth/auth_unix.c
> > -+++ b/source3/auth/auth_unix.c
> > -@@ -67,8 +67,11 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
> > - unbecome_root();
> > -
> > - if (NT_STATUS_IS_OK(nt_status)) {
> > -- if (pass) {
> > -- make_server_info_pw(server_info, pass->pw_name, pass);
> > -+ if (pass != NULL) {
> > -+ nt_status = make_server_info_pw(mem_ctx,
> > -+ pass->pw_name,
> > -+ pass,
> > -+ server_info);
> > - } else {
> > - /* we need to do somthing more useful here */
> > - nt_status = NT_STATUS_NO_SUCH_USER;
> > -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> > -index ceaa706..b225b0d 100644
> > ---- a/source3/auth/auth_util.c
> > -+++ b/source3/auth/auth_util.c
> > -@@ -639,14 +639,15 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
> > - to a struct samu
> > - ***************************************************************************/
> > -
> > --NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> > -- char *unix_username,
> > -- struct passwd *pwd)
> > -+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
> > -+ const char *unix_username,
> > -+ const struct passwd *pwd,
> > -+ struct auth_serversupplied_info **server_info)
> > - {
> > - NTSTATUS status;
> > - struct samu *sampass = NULL;
> > - char *qualified_name = NULL;
> > -- TALLOC_CTX *mem_ctx = NULL;
> > -+ TALLOC_CTX *tmp_ctx;
> > - struct dom_sid u_sid;
> > - enum lsa_SidType type;
> > - struct auth_serversupplied_info *result;
> > -@@ -664,27 +665,27 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> > - * plaintext passwords were used with no SAM backend.
> > - */
> > -
> > -- mem_ctx = talloc_init("make_server_info_pw_tmp");
> > -- if (!mem_ctx) {
> > -+ tmp_ctx = talloc_stackframe();
> > -+ if (tmp_ctx == NULL) {
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
> > -+ qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
> > - unix_users_domain_name(),
> > - unix_username );
> > - if (!qualified_name) {
> > -- TALLOC_FREE(mem_ctx);
> > -+ TALLOC_FREE(tmp_ctx);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
> > -+ if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
> > - NULL, NULL,
> > - &u_sid, &type)) {
> > -- TALLOC_FREE(mem_ctx);
> > -+ TALLOC_FREE(tmp_ctx);
> > - return NT_STATUS_NO_SUCH_USER;
> > - }
> > -
> > -- TALLOC_FREE(mem_ctx);
> > -+ TALLOC_FREE(tmp_ctx);
> > -
> > - if (type != SID_NAME_USER) {
> > - return NT_STATUS_NO_SUCH_USER;
> > -@@ -707,7 +708,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> > - /* set the user sid to be the calculated u_sid */
> > - pdb_set_user_sid(sampass, &u_sid, PDB_SET);
> > -
> > -- result = make_server_info(NULL);
> > -+ result = make_server_info(mem_ctx);
> > - if (result == NULL) {
> > - TALLOC_FREE(sampass);
> > - return NT_STATUS_NO_MEMORY;
> > -@@ -992,25 +993,36 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
> > - struct passwd *pwd;
> > - NTSTATUS status;
> > - struct auth_serversupplied_info *result;
> > -+ TALLOC_CTX *tmp_ctx;
> > -
> > -- pwd = Get_Pwnam_alloc(talloc_tos(), username);
> > -- if (pwd == NULL) {
> > -- return NT_STATUS_NO_SUCH_USER;
> > -+ tmp_ctx = talloc_stackframe();
> > -+ if (tmp_ctx == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- status = make_server_info_pw(&result, pwd->pw_name, pwd);
> > -+ pwd = Get_Pwnam_alloc(tmp_ctx, username);
> > -+ if (pwd == NULL) {
> > -+ status = NT_STATUS_NO_SUCH_USER;
> > -+ goto done;
> > -+ }
> > -
> > -+ status = make_server_info_pw(tmp_ctx, pwd->pw_name, pwd, &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -+ goto done;
> > - }
> > -
> > - result->nss_token = true;
> > - result->guest = is_guest;
> > -
> > - /* Now turn the server_info into a session_info with the full token etc */
> > -- status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info);
> > -- TALLOC_FREE(result);
> > -- TALLOC_FREE(pwd);
> > -+ status = create_local_token(mem_ctx,
> > -+ result,
> > -+ NULL,
> > -+ pwd->pw_name,
> > -+ session_info);
> > -+
> > -+done:
> > -+ talloc_free(tmp_ctx);
> > -
> > - return status;
> > - }
> > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > -index 8385e66..7abca07 100644
> > ---- a/source3/auth/proto.h
> > -+++ b/source3/auth/proto.h
> > -@@ -206,9 +206,10 @@ bool user_in_group_sid(const char *username, const struct dom_sid *group_sid);
> > - bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid);
> > - bool user_in_group(const char *username, const char *groupname);
> > - struct passwd;
> > --NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> > -- char *unix_username,
> > -- struct passwd *pwd);
> > -+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
> > -+ const char *unix_username,
> > -+ const struct passwd *pwd,
> > -+ struct auth_serversupplied_info **server_info);
> > - NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
> > - const char *username,
> > - bool is_guest,
> > -diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
> > -index 974a8aa..7d44285 100644
> > ---- a/source3/auth/user_krb5.c
> > -+++ b/source3/auth/user_krb5.c
> > -@@ -242,7 +242,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > - */
> > - DEBUG(10, ("didn't find user %s in passdb, calling "
> > - "make_server_info_pw\n", username));
> > -- status = make_server_info_pw(&tmp, username, pw);
> > -+ status = make_server_info_pw(mem_ctx, username, pw, &tmp);
> > - }
> > -
> > - TALLOC_FREE(sampass);
> > -@@ -253,9 +253,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > - return status;
> > - }
> > -
> > -- /* Steal tmp server info into the server_info pointer. */
> > -- server_info = talloc_move(mem_ctx, &tmp);
> > --
> > - /* make_server_info_pw does not set the domain. Without this
> > - * we end up with the local netbios name in substitutions for
> > - * %D. */
> > ---
> > -1.8.5.2
> > -
> > -
> > -From 4fbd13598e8bdc6acf41329f71de806de4265f36 Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Fri, 13 Dec 2013 19:19:02 +0100
> > -Subject: [PATCH 4/7] s3-auth: Add passwd_to_SamInfo3().
> > -
> > -Correctly lookup users which come from smb.conf. passwd_to_SamInfo3()
> > -tries to contact winbind if the user is a domain user to get
> > -valid information about it. If winbind isn't running it will try to
> > -create everything from the passwd struct. This is not always reliable
> > -but works in most cases. It improves the current situation which doesn't
> > -talk to winbind at all.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
> > -
> > -Pair-Programmed-With: Guenther Deschner <gd@samba.org>
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -
> > -Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
> > -Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104
> > -
> > -(cherry picked from commit 40e6456b5896e934fcd581c2cac2389984256e09)
> > ----
> > - source3/auth/auth_util.c | 87 +++++++++-------------------------------------
> > - source3/auth/server_info.c | 22 ++++++++++--
> > - 2 files changed, 36 insertions(+), 73 deletions(-)
> > -
> > -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> > -index b225b0d..24190af 100644
> > ---- a/source3/auth/auth_util.c
> > -+++ b/source3/auth/auth_util.c
> > -@@ -645,98 +645,43 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
> > - struct auth_serversupplied_info **server_info)
> > - {
> > - NTSTATUS status;
> > -- struct samu *sampass = NULL;
> > -- char *qualified_name = NULL;
> > -- TALLOC_CTX *tmp_ctx;
> > -- struct dom_sid u_sid;
> > -- enum lsa_SidType type;
> > -+ TALLOC_CTX *tmp_ctx = NULL;
> > - struct auth_serversupplied_info *result;
> > -
> > -- /*
> > -- * The SID returned in server_info->sam_account is based
> > -- * on our SAM sid even though for a pure UNIX account this should
> > -- * not be the case as it doesn't really exist in the SAM db.
> > -- * This causes lookups on "[in]valid users" to fail as they
> > -- * will lookup this name as a "Unix User" SID to check against
> > -- * the user token. Fix this by adding the "Unix User"\unix_username
> > -- * SID to the sid array. The correct fix should probably be
> > -- * changing the server_info->sam_account user SID to be a
> > -- * S-1-22 Unix SID, but this might break old configs where
> > -- * plaintext passwords were used with no SAM backend.
> > -- */
> > --
> > - tmp_ctx = talloc_stackframe();
> > - if (tmp_ctx == NULL) {
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
> > -- unix_users_domain_name(),
> > -- unix_username );
> > -- if (!qualified_name) {
> > -- TALLOC_FREE(tmp_ctx);
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
> > -- NULL, NULL,
> > -- &u_sid, &type)) {
> > -- TALLOC_FREE(tmp_ctx);
> > -- return NT_STATUS_NO_SUCH_USER;
> > -- }
> > --
> > -- TALLOC_FREE(tmp_ctx);
> > --
> > -- if (type != SID_NAME_USER) {
> > -- return NT_STATUS_NO_SUCH_USER;
> > -- }
> > --
> > -- if ( !(sampass = samu_new( NULL )) ) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- status = samu_set_unix( sampass, pwd );
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > --
> > -- /* In pathological cases the above call can set the account
> > -- * name to the DOMAIN\username form. Reset the account name
> > -- * using unix_username */
> > -- pdb_set_username(sampass, unix_username, PDB_SET);
> > --
> > -- /* set the user sid to be the calculated u_sid */
> > -- pdb_set_user_sid(sampass, &u_sid, PDB_SET);
> > --
> > -- result = make_server_info(mem_ctx);
> > -+ result = make_server_info(tmp_ctx);
> > - if (result == NULL) {
> > -- TALLOC_FREE(sampass);
> > -- return NT_STATUS_NO_MEMORY;
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ goto done;
> > - }
> > -
> > -- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
> > -- &result->info3, &result->extra);
> > -- TALLOC_FREE(sampass);
> > -+ status = passwd_to_SamInfo3(result,
> > -+ unix_username,
> > -+ pwd,
> > -+ &result->info3);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(10, ("Failed to convert samu to info3: %s\n",
> > -- nt_errstr(status)));
> > -- TALLOC_FREE(result);
> > -- return status;
> > -+ goto done;
> > - }
> > -
> > - result->unix_name = talloc_strdup(result, unix_username);
> > --
> > - if (result->unix_name == NULL) {
> > -- TALLOC_FREE(result);
> > -- return NT_STATUS_NO_MEMORY;
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ goto done;
> > - }
> > -
> > - result->utok.uid = pwd->pw_uid;
> > - result->utok.gid = pwd->pw_gid;
> > -
> > -- *server_info = result;
> > -+ *server_info = talloc_steal(mem_ctx, result);
> > -+ status = NT_STATUS_OK;
> > -+done:
> > -+ talloc_free(tmp_ctx);
> > -
> > -- return NT_STATUS_OK;
> > -+ return status;
> > - }
> > -
> > - static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
> > -diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
> > -index 46d8178..43711d5 100644
> > ---- a/source3/auth/server_info.c
> > -+++ b/source3/auth/server_info.c
> > -@@ -489,10 +489,28 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > - }
> > - } else {
> > - /*
> > -- * Winbind is not running, create the group_sid from the
> > -- * group id.
> > -+ * Winbind is not running, try to create the group_sid from the
> > -+ * passwd group id.
> > -+ */
> > -+
> > -+ /*
> > -+ * This can lead to a primary group of S-1-22-2-XX which
> > -+ * will be rejected by other Samba code.
> > - */
> > - gid_to_sid(&group_sid, pwd->pw_gid);
> > -+
> > -+ ZERO_STRUCT(domain_sid);
> > -+
> > -+ /*
> > -+ * If we are a unix group, set the group_sid to the
> > -+ * 'Domain Users' RID of 513 which will always resolve to a
> > -+ * name.
> > -+ */
> > -+ if (sid_check_is_in_unix_groups(&group_sid)) {
> > -+ sid_compose(&group_sid,
> > -+ get_global_sam_sid(),
> > -+ DOMAIN_RID_USERS);
> > -+ }
> > - }
> > -
> > - /* Make sure we have a valid group sid */
> > ---
> > -1.8.5.2
> > -
> > -
> > -From 76bb5e0888f4131ab773d90160051a51c401c90d Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Tue, 18 Feb 2014 10:02:57 +0100
> > -Subject: [PATCH 5/7] s3-auth: Pass mem_ctx to make_server_info_sam().
> > -
> > -Coverity-Id: 1168009
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -
> > -Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 3dc72266005e87a291f5bf9847257e8c54314d39)
> > ----
> > - source3/auth/check_samsec.c | 2 +-
> > - source3/auth/proto.h | 5 ++--
> > - source3/auth/server_info_sam.c | 56 +++++++++++++++++++++++++++---------------
> > - source3/auth/user_krb5.c | 12 +++++----
> > - 4 files changed, 47 insertions(+), 28 deletions(-)
> > -
> > -diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
> > -index 7ed8cc2..b6cac60 100644
> > ---- a/source3/auth/check_samsec.c
> > -+++ b/source3/auth/check_samsec.c
> > -@@ -482,7 +482,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
> > - }
> > -
> > - become_root();
> > -- nt_status = make_server_info_sam(server_info, sampass);
> > -+ nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
> > - unbecome_root();
> > -
> > - TALLOC_FREE(sampass);
> > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > -index 7abca07..eac3e54 100644
> > ---- a/source3/auth/proto.h
> > -+++ b/source3/auth/proto.h
> > -@@ -190,8 +190,9 @@ bool make_user_info_guest(const struct tsocket_address *remote_address,
> > - struct auth_usersupplied_info **user_info);
> > -
> > - struct samu;
> > --NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
> > -- struct samu *sampass);
> > -+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
> > -+ struct samu *sampass,
> > -+ struct auth_serversupplied_info **pserver_info);
> > - NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
> > - const struct auth_serversupplied_info *server_info,
> > - DATA_BLOB *session_key,
> > -diff --git a/source3/auth/server_info_sam.c b/source3/auth/server_info_sam.c
> > -index 5d657f9..47087b1 100644
> > ---- a/source3/auth/server_info_sam.c
> > -+++ b/source3/auth/server_info_sam.c
> > -@@ -58,39 +58,51 @@ static bool is_our_machine_account(const char *username)
> > - Make (and fill) a user_info struct from a struct samu
> > - ***************************************************************************/
> > -
> > --NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
> > -- struct samu *sampass)
> > -+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
> > -+ struct samu *sampass,
> > -+ struct auth_serversupplied_info **pserver_info)
> > - {
> > - struct passwd *pwd;
> > -- struct auth_serversupplied_info *result;
> > -+ struct auth_serversupplied_info *server_info;
> > - const char *username = pdb_get_username(sampass);
> > -+ TALLOC_CTX *tmp_ctx;
> > - NTSTATUS status;
> > -
> > -- if ( !(result = make_server_info(NULL)) ) {
> > -+ tmp_ctx = talloc_stackframe();
> > -+ if (tmp_ctx == NULL) {
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- if ( !(pwd = Get_Pwnam_alloc(result, username)) ) {
> > -+ server_info = make_server_info(tmp_ctx);
> > -+ if (server_info == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ pwd = Get_Pwnam_alloc(tmp_ctx, username);
> > -+ if (pwd == NULL) {
> > - DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
> > - pdb_get_username(sampass)));
> > -- TALLOC_FREE(result);
> > -- return NT_STATUS_NO_SUCH_USER;
> > -+ status = NT_STATUS_NO_SUCH_USER;
> > -+ goto out;
> > - }
> > -
> > -- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
> > -- &result->info3, &result->extra);
> > -+ status = samu_to_SamInfo3(server_info,
> > -+ sampass,
> > -+ lp_netbios_name(),
> > -+ &server_info->info3,
> > -+ &server_info->extra);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -- TALLOC_FREE(result);
> > -- return status;
> > -+ goto out;
> > - }
> > -
> > -- result->unix_name = pwd->pw_name;
> > -- /* Ensure that we keep pwd->pw_name, because we will free pwd below */
> > -- talloc_steal(result, pwd->pw_name);
> > -- result->utok.gid = pwd->pw_gid;
> > -- result->utok.uid = pwd->pw_uid;
> > -+ server_info->unix_name = talloc_strdup(server_info, pwd->pw_name);
> > -+ if (server_info->unix_name == NULL) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ goto out;
> > -+ }
> > -
> > -- TALLOC_FREE(pwd);
> > -+ server_info->utok.gid = pwd->pw_gid;
> > -+ server_info->utok.uid = pwd->pw_uid;
> > -
> > - if (IS_DC && is_our_machine_account(username)) {
> > - /*
> > -@@ -110,9 +122,13 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
> > - }
> > -
> > - DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
> > -- pdb_get_username(sampass), result->unix_name));
> > -+ pdb_get_username(sampass), server_info->unix_name));
> > -+
> > -+ *pserver_info = talloc_steal(mem_ctx, server_info);
> > -
> > -- *server_info = result;
> > -+ status = NT_STATUS_OK;
> > -+out:
> > -+ talloc_free(tmp_ctx);
> > -
> > -- return NT_STATUS_OK;
> > -+ return status;
> > - }
> > -diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
> > -index 7d44285..e40c8ac 100644
> > ---- a/source3/auth/user_krb5.c
> > -+++ b/source3/auth/user_krb5.c
> > -@@ -223,9 +223,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > - * SID consistency with ntlmssp session setup
> > - */
> > - struct samu *sampass;
> > -- /* The stupid make_server_info_XX functions here
> > -- don't take a talloc context. */
> > -- struct auth_serversupplied_info *tmp = NULL;
> > -
> > - sampass = samu_new(talloc_tos());
> > - if (sampass == NULL) {
> > -@@ -235,14 +232,19 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > - if (pdb_getsampwnam(sampass, username)) {
> > - DEBUG(10, ("found user %s in passdb, calling "
> > - "make_server_info_sam\n", username));
> > -- status = make_server_info_sam(&tmp, sampass);
> > -+ status = make_server_info_sam(mem_ctx,
> > -+ sampass,
> > -+ &server_info);
> > - } else {
> > - /*
> > - * User not in passdb, make it up artificially
> > - */
> > - DEBUG(10, ("didn't find user %s in passdb, calling "
> > - "make_server_info_pw\n", username));
> > -- status = make_server_info_pw(mem_ctx, username, pw, &tmp);
> > -+ status = make_server_info_pw(mem_ctx,
> > -+ username,
> > -+ pw,
> > -+ &server_info);
> > - }
> > -
> > - TALLOC_FREE(sampass);
> > ---
> > -1.8.5.2
> > -
> > -
> > -From f9c0adb6237c6e60c33ee6af21f55c0cdefa132c Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Tue, 18 Feb 2014 10:19:57 +0100
> > -Subject: [PATCH 6/7] s3-auth: Pass mem_ctx to auth_check_ntlm_password().
> > -
> > -Coverity-Id: 1168009
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -
> > -Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 4d792db03f18aa164b565c7fdc7b446c174fba28)
> > ----
> > - source3/auth/auth.c | 50 ++++++++++++++++++-----------
> > - source3/auth/auth_ntlmssp.c | 6 ++--
> > - source3/auth/proto.h | 8 +++--
> > - source3/rpc_server/netlogon/srv_netlog_nt.c | 6 ++--
> > - source3/torture/pdbtest.c | 5 ++-
> > - 5 files changed, 48 insertions(+), 27 deletions(-)
> > -
> > -diff --git a/source3/auth/auth.c b/source3/auth/auth.c
> > -index c3797cf..dc9af02 100644
> > ---- a/source3/auth/auth.c
> > -+++ b/source3/auth/auth.c
> > -@@ -160,18 +160,19 @@ static bool check_domain_match(const char *user, const char *domain)
> > - *
> > - **/
> > -
> > --NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> > -- const struct auth_usersupplied_info *user_info,
> > -- struct auth_serversupplied_info **server_info)
> > -+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
> > -+ const struct auth_context *auth_context,
> > -+ const struct auth_usersupplied_info *user_info,
> > -+ struct auth_serversupplied_info **pserver_info)
> > - {
> > - /* if all the modules say 'not for me' this is reasonable */
> > - NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
> > - const char *unix_username;
> > - auth_methods *auth_method;
> > -- TALLOC_CTX *mem_ctx;
> > -
> > -- if (!user_info || !auth_context || !server_info)
> > -+ if (user_info == NULL || auth_context == NULL || pserver_info == NULL) {
> > - return NT_STATUS_LOGON_FAILURE;
> > -+ }
> > -
> > - DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
> > - user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
> > -@@ -205,17 +206,27 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> > - return NT_STATUS_LOGON_FAILURE;
> > -
> > - for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
> > -+ struct auth_serversupplied_info *server_info;
> > -+ TALLOC_CTX *tmp_ctx;
> > - NTSTATUS result;
> > -
> > -- mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
> > -- user_info->mapped.domain_name, user_info->client.account_name);
> > -+ tmp_ctx = talloc_named(mem_ctx,
> > -+ 0,
> > -+ "%s authentication for user %s\\%s",
> > -+ auth_method->name,
> > -+ user_info->mapped.domain_name,
> > -+ user_info->client.account_name);
> > -
> > -- result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
> > -+ result = auth_method->auth(auth_context,
> > -+ auth_method->private_data,
> > -+ tmp_ctx,
> > -+ user_info,
> > -+ &server_info);
> > -
> > - /* check if the module did anything */
> > - if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
> > - DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
> > -- talloc_destroy(mem_ctx);
> > -+ TALLOC_FREE(tmp_ctx);
> > - continue;
> > - }
> > -
> > -@@ -229,19 +240,20 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> > - auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
> > - }
> > -
> > -- talloc_destroy(mem_ctx);
> > --
> > -- if ( NT_STATUS_IS_OK(nt_status))
> > -- {
> > -- break;
> > -+ if (NT_STATUS_IS_OK(nt_status)) {
> > -+ *pserver_info = talloc_steal(mem_ctx, server_info);
> > -+ TALLOC_FREE(tmp_ctx);
> > -+ break;
> > - }
> > -+
> > -+ TALLOC_FREE(tmp_ctx);
> > - }
> > -
> > - /* successful authentication */
> > -
> > - if (NT_STATUS_IS_OK(nt_status)) {
> > -- unix_username = (*server_info)->unix_name;
> > -- if (!(*server_info)->guest) {
> > -+ unix_username = (*pserver_info)->unix_name;
> > -+ if (!(*pserver_info)->guest) {
> > - const char *rhost;
> > -
> > - if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
> > -@@ -270,9 +282,9 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> > - }
> > -
> > - if (NT_STATUS_IS_OK(nt_status)) {
> > -- DEBUG((*server_info)->guest ? 5 : 2,
> > -+ DEBUG((*pserver_info)->guest ? 5 : 2,
> > - ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
> > -- (*server_info)->guest ? "guest " : "",
> > -+ (*pserver_info)->guest ? "guest " : "",
> > - user_info->client.account_name,
> > - user_info->mapped.account_name,
> > - unix_username));
> > -@@ -286,7 +298,7 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> > - DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
> > - user_info->client.account_name, user_info->mapped.account_name,
> > - nt_errstr(nt_status)));
> > -- ZERO_STRUCTP(server_info);
> > -+ ZERO_STRUCTP(pserver_info);
> > -
> > - return nt_status;
> > - }
> > -diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
> > -index f99bd44..cb7726c 100644
> > ---- a/source3/auth/auth_ntlmssp.c
> > -+++ b/source3/auth/auth_ntlmssp.c
> > -@@ -134,8 +134,10 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
> > -
> > - mapped_user_info->flags = user_info->flags;
> > -
> > -- nt_status = auth_check_ntlm_password(auth_context,
> > -- mapped_user_info, &server_info);
> > -+ nt_status = auth_check_ntlm_password(mem_ctx,
> > -+ auth_context,
> > -+ mapped_user_info,
> > -+ &server_info);
> > -
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
> > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > -index eac3e54..15b1ba0 100644
> > ---- a/source3/auth/proto.h
> > -+++ b/source3/auth/proto.h
> > -@@ -65,6 +65,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
> > - * struct. When the return is other than NT_STATUS_OK the contents
> > - * of that structure is undefined.
> > - *
> > -+ * @param mem_ctx The memory context to use to allocate server_info
> > -+ *
> > - * @param user_info Contains the user supplied components, including the passwords.
> > - * Must be created with make_user_info() or one of its wrappers.
> > - *
> > -@@ -79,9 +81,9 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
> > - * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
> > - *
> > - **/
> > --
> > --NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> > -- const struct auth_usersupplied_info *user_info,
> > -+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
> > -+ const struct auth_context *auth_context,
> > -+ const struct auth_usersupplied_info *user_info,
> > - struct auth_serversupplied_info **server_info);
> > -
> > - /* The following definitions come from auth/auth_builtin.c */
> > -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
> > -index e5ca474..0c8c9a5 100644
> > ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
> > -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
> > -@@ -1650,8 +1650,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> > - } /* end switch */
> > -
> > - if ( NT_STATUS_IS_OK(status) ) {
> > -- status = auth_check_ntlm_password(auth_context,
> > -- user_info, &server_info);
> > -+ status = auth_check_ntlm_password(p->mem_ctx,
> > -+ auth_context,
> > -+ user_info,
> > -+ &server_info);
> > - }
> > -
> > - TALLOC_FREE(auth_context);
> > -diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
> > -index 17da455..14d58b9 100644
> > ---- a/source3/torture/pdbtest.c
> > -+++ b/source3/torture/pdbtest.c
> > -@@ -304,7 +304,10 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
> > - return False;
> > - }
> > -
> > -- status = auth_check_ntlm_password(auth_context, user_info, &server_info);
> > -+ status = auth_check_ntlm_password(mem_ctx,
> > -+ auth_context,
> > -+ user_info,
> > -+ &server_info);
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
> > ---
> > -1.8.5.2
> > -
> > -
> > -From a48bcd84c59b5b2cb8c3e0f5d68b35065bed81d7 Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Tue, 18 Feb 2014 13:52:49 +0100
> > -Subject: [PATCH 7/7] s3-auth: Pass mem_ctx to do_map_to_guest_server_info().
> > -
> > -Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -
> > -Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
> > -Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104
> > -
> > -(cherry picked from commit 79e2725f339e7c5336b4053348c4266268de6ca3)
> > ----
> > - source3/auth/auth_ntlmssp.c | 7 ++++---
> > - source3/auth/auth_util.c | 12 +++++++-----
> > - source3/auth/proto.h | 8 +++++---
> > - 3 files changed, 16 insertions(+), 11 deletions(-)
> > -
> > -diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
> > -index cb7726c..d4fe901 100644
> > ---- a/source3/auth/auth_ntlmssp.c
> > -+++ b/source3/auth/auth_ntlmssp.c
> > -@@ -151,10 +151,11 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
> > - free_user_info(&mapped_user_info);
> > -
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > -- nt_status = do_map_to_guest_server_info(nt_status,
> > -- &server_info,
> > -+ nt_status = do_map_to_guest_server_info(mem_ctx,
> > -+ nt_status,
> > - user_info->client.account_name,
> > -- user_info->client.domain_name);
> > -+ user_info->client.domain_name,
> > -+ &server_info);
> > - *server_returned_info = talloc_steal(mem_ctx, server_info);
> > - return nt_status;
> > - }
> > -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> > -index 24190af..8cf5cb7 100644
> > ---- a/source3/auth/auth_util.c
> > -+++ b/source3/auth/auth_util.c
> > -@@ -1536,9 +1536,11 @@ bool is_trusted_domain(const char* dom_name)
> > - on a logon error possibly map the error to success if "map to guest"
> > - is set approriately
> > - */
> > --NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
> > -- struct auth_serversupplied_info **server_info,
> > -- const char *user, const char *domain)
> > -+NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx,
> > -+ NTSTATUS status,
> > -+ const char *user,
> > -+ const char *domain,
> > -+ struct auth_serversupplied_info **server_info)
> > - {
> > - user = user ? user : "";
> > - domain = domain ? domain : "";
> > -@@ -1548,13 +1550,13 @@ NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
> > - (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
> > - DEBUG(3,("No such user %s [%s] - using guest account\n",
> > - user, domain));
> > -- return make_server_info_guest(NULL, server_info);
> > -+ return make_server_info_guest(mem_ctx, server_info);
> > - }
> > - } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
> > - if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
> > - DEBUG(3,("Registered username %s for guest access\n",
> > - user));
> > -- return make_server_info_guest(NULL, server_info);
> > -+ return make_server_info_guest(mem_ctx, server_info);
> > - }
> > - }
> > -
> > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > -index 15b1ba0..7b8959f 100644
> > ---- a/source3/auth/proto.h
> > -+++ b/source3/auth/proto.h
> > -@@ -264,9 +264,11 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
> > - enum auth_password_state password_state);
> > - void free_user_info(struct auth_usersupplied_info **user_info);
> > -
> > --NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
> > -- struct auth_serversupplied_info **server_info,
> > -- const char *user, const char *domain);
> > -+NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx,
> > -+ NTSTATUS status,
> > -+ const char *user,
> > -+ const char *domain,
> > -+ struct auth_serversupplied_info **server_info);
> > -
> > - /* The following definitions come from auth/auth_winbind.c */
> > -
> > ---
> > -1.8.5.2
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
> > deleted file mode 100644
> > index daa283e..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
> > +++ /dev/null
> > @@ -1,266 +0,0 @@
> > -From 168627e1877317db86471a4b0360dccd9f469aaa Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Mon, 13 Jan 2014 15:59:26 +0100
> > -Subject: [PATCH 1/2] s3-kerberos: remove print_kdc_line() completely.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Just calling print_canonical_sockaddr() is sufficient, as it already deals with
> > -ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is
> > -removed as well. It was pointless because it always derived the port number from
> > -the provided address which was either a SMB (usually port 445) or LDAP
> > -connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC.
> > -Finally, the kerberos libraries that we support and build with, can deal with
> > -ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of
> > -resolving the DC name on the kerberos library anymore.
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/libads/kerberos.c | 73 ++++-------------------------------------------
> > - 1 file changed, 5 insertions(+), 68 deletions(-)
> > -
> > -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> > -index b026e09..ea14350 100644
> > ---- a/source3/libads/kerberos.c
> > -+++ b/source3/libads/kerberos.c
> > -@@ -592,70 +592,6 @@ int kerberos_kinit_password(const char *principal,
> > - /************************************************************************
> > - ************************************************************************/
> > -
> > --static char *print_kdc_line(char *mem_ctx,
> > -- const char *prev_line,
> > -- const struct sockaddr_storage *pss,
> > -- const char *kdc_name)
> > --{
> > -- char addr[INET6_ADDRSTRLEN];
> > -- uint16_t port = get_sockaddr_port(pss);
> > --
> > -- if (pss->ss_family == AF_INET) {
> > -- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> > -- prev_line,
> > -- print_canonical_sockaddr(mem_ctx, pss));
> > -- }
> > --
> > -- /*
> > -- * IPv6 starts here
> > -- */
> > --
> > -- DEBUG(10, ("print_kdc_line: IPv6 case for kdc_name: %s, port: %d\n",
> > -- kdc_name, port));
> > --
> > -- if (port != 0 && port != DEFAULT_KRB5_PORT) {
> > -- /* Currently for IPv6 we can't specify a non-default
> > -- krb5 port with an address, as this requires a ':'.
> > -- Resolve to a name. */
> > -- char hostname[MAX_DNS_NAME_LENGTH];
> > -- int ret = sys_getnameinfo((const struct sockaddr *)pss,
> > -- sizeof(*pss),
> > -- hostname, sizeof(hostname),
> > -- NULL, 0,
> > -- NI_NAMEREQD);
> > -- if (ret) {
> > -- DEBUG(0,("print_kdc_line: can't resolve name "
> > -- "for kdc with non-default port %s. "
> > -- "Error %s\n.",
> > -- print_canonical_sockaddr(mem_ctx, pss),
> > -- gai_strerror(ret)));
> > -- return NULL;
> > -- }
> > -- /* Success, use host:port */
> > -- return talloc_asprintf(mem_ctx,
> > -- "%s\tkdc = %s:%u\n",
> > -- prev_line,
> > -- hostname,
> > -- (unsigned int)port);
> > -- }
> > --
> > -- /* no krb5 lib currently supports "kdc = ipv6 address"
> > -- * at all, so just fill in just the kdc_name if we have
> > -- * it and let the krb5 lib figure out the appropriate
> > -- * ipv6 address - gd */
> > --
> > -- if (kdc_name) {
> > -- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> > -- prev_line, kdc_name);
> > -- }
> > --
> > -- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> > -- prev_line,
> > -- print_sockaddr(addr,
> > -- sizeof(addr),
> > -- pss));
> > --}
> > --
> > - /************************************************************************
> > - Create a string list of available kdc's, possibly searching by sitename.
> > - Does DNS queries.
> > -@@ -698,7 +634,8 @@ static char *get_kdc_ip_string(char *mem_ctx,
> > - char *result = NULL;
> > - struct netlogon_samlogon_response **responses = NULL;
> > - NTSTATUS status;
> > -- char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name);
> > -+ char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
> > -+ print_canonical_sockaddr(mem_ctx, pss));
> > -
> > - if (kdc_str == NULL) {
> > - TALLOC_FREE(frame);
> > -@@ -788,9 +725,9 @@ static char *get_kdc_ip_string(char *mem_ctx,
> > - }
> > -
> > - /* Append to the string - inefficient but not done often. */
> > -- new_kdc_str = print_kdc_line(mem_ctx, kdc_str,
> > -- &dc_addrs[i],
> > -- kdc_name);
> > -+ new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> > -+ kdc_str,
> > -+ print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
> > - if (new_kdc_str == NULL) {
> > - goto fail;
> > - }
> > ---
> > -1.8.5.3
> > -
> > -
> > -From 3edb3d4084548960f03356cf4c44a6892e6efb84 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 7 Mar 2014 14:47:31 +0100
> > -Subject: [PATCH 2/2] s3-kerberos: remove unused kdc_name from
> > - create_local_private_krb5_conf_for_domain().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/libads/kerberos.c | 10 ++++------
> > - source3/libads/kerberos_proto.h | 3 +--
> > - source3/libnet/libnet_join.c | 3 +--
> > - source3/libsmb/namequery_dc.c | 6 ++----
> > - source3/winbindd/winbindd_cm.c | 6 ++----
> > - 5 files changed, 10 insertions(+), 18 deletions(-)
> > -
> > -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> > -index ea14350..649e568 100644
> > ---- a/source3/libads/kerberos.c
> > -+++ b/source3/libads/kerberos.c
> > -@@ -618,8 +618,7 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
> > - static char *get_kdc_ip_string(char *mem_ctx,
> > - const char *realm,
> > - const char *sitename,
> > -- const struct sockaddr_storage *pss,
> > -- const char *kdc_name)
> > -+ const struct sockaddr_storage *pss)
> > - {
> > - TALLOC_CTX *frame = talloc_stackframe();
> > - int i;
> > -@@ -756,8 +755,7 @@ fail:
> > - bool create_local_private_krb5_conf_for_domain(const char *realm,
> > - const char *domain,
> > - const char *sitename,
> > -- const struct sockaddr_storage *pss,
> > -- const char *kdc_name)
> > -+ const struct sockaddr_storage *pss)
> > - {
> > - char *dname;
> > - char *tmpname = NULL;
> > -@@ -782,7 +780,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> > - return false;
> > - }
> > -
> > -- if (domain == NULL || pss == NULL || kdc_name == NULL) {
> > -+ if (domain == NULL || pss == NULL) {
> > - return false;
> > - }
> > -
> > -@@ -815,7 +813,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> > - goto done;
> > - }
> > -
> > -- kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name);
> > -+ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
> > - if (!kdc_ip_string) {
> > - goto done;
> > - }
> > -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
> > -index f7470d2..2559634 100644
> > ---- a/source3/libads/kerberos_proto.h
> > -+++ b/source3/libads/kerberos_proto.h
> > -@@ -62,8 +62,7 @@ int kerberos_kinit_password(const char *principal,
> > - bool create_local_private_krb5_conf_for_domain(const char *realm,
> > - const char *domain,
> > - const char *sitename,
> > -- const struct sockaddr_storage *pss,
> > -- const char *kdc_name);
> > -+ const struct sockaddr_storage *pss);
> > -
> > - /* The following definitions come from libads/authdata.c */
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index a87eb38..68884cd 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -2152,8 +2152,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
> > -
> > - create_local_private_krb5_conf_for_domain(
> > - r->out.dns_domain_name, r->out.netbios_domain_name,
> > -- NULL, smbXcli_conn_remote_sockaddr(cli->conn),
> > -- smbXcli_conn_remote_name(cli->conn));
> > -+ NULL, smbXcli_conn_remote_sockaddr(cli->conn));
> > -
> > - if (r->out.domain_is_ad && r->in.account_ou &&
> > - !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
> > -diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
> > -index 3cfae79..eb34741 100644
> > ---- a/source3/libsmb/namequery_dc.c
> > -+++ b/source3/libsmb/namequery_dc.c
> > -@@ -112,14 +112,12 @@ static bool ads_dc_name(const char *domain,
> > - create_local_private_krb5_conf_for_domain(realm,
> > - domain,
> > - sitename,
> > -- &ads->ldap.ss,
> > -- ads->config.ldap_server_name);
> > -+ &ads->ldap.ss);
> > - } else {
> > - create_local_private_krb5_conf_for_domain(realm,
> > - domain,
> > - NULL,
> > -- &ads->ldap.ss,
> > -- ads->config.ldap_server_name);
> > -+ &ads->ldap.ss);
> > - }
> > - }
> > - #endif
> > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > -index 669a43e..be13a57 100644
> > ---- a/source3/winbindd/winbindd_cm.c
> > -+++ b/source3/winbindd/winbindd_cm.c
> > -@@ -1233,8 +1233,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
> > - create_local_private_krb5_conf_for_domain(domain->alt_name,
> > - domain->name,
> > - sitename,
> > -- pss,
> > -- *name);
> > -+ pss);
> > -
> > - SAFE_FREE(sitename);
> > - } else {
> > -@@ -1242,8 +1241,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
> > - create_local_private_krb5_conf_for_domain(domain->alt_name,
> > - domain->name,
> > - NULL,
> > -- pss,
> > -- *name);
> > -+ pss);
> > - }
> > - winbindd_set_locator_kdc_envs(domain);
> > -
> > ---
> > -1.8.5.3
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
> > deleted file mode 100644
> > index 26a4caf..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
> > +++ /dev/null
> > @@ -1,962 +0,0 @@
> > -From 932490ae08578c37523e00e537017603ee00ce7c Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 17 Jan 2014 14:29:03 +0100
> > -Subject: [PATCH 1/8] s3-libads: pass down local_service to
> > - kerberos_return_pac().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/libads/authdata.c | 6 +-----
> > - source3/libads/kerberos_proto.h | 1 +
> > - source3/utils/net_ads.c | 8 ++++++++
> > - source3/winbindd/winbindd_pam.c | 9 +++++++++
> > - 4 files changed, 19 insertions(+), 5 deletions(-)
> > -
> > -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> > -index 801e551..dd80dc2 100644
> > ---- a/source3/libads/authdata.c
> > -+++ b/source3/libads/authdata.c
> > -@@ -101,13 +101,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - bool add_netbios_addr,
> > - time_t renewable_time,
> > - const char *impersonate_princ_s,
> > -+ const char *local_service,
> > - struct PAC_LOGON_INFO **_logon_info)
> > - {
> > - krb5_error_code ret;
> > - NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
> > - DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
> > - const char *auth_princ = NULL;
> > -- const char *local_service = NULL;
> > - const char *cc = "MEMORY:kerberos_return_pac";
> > - struct auth_session_info *session_info;
> > - struct gensec_security *gensec_server_context;
> > -@@ -141,10 +141,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - }
> > - NT_STATUS_HAVE_NO_MEMORY(auth_princ);
> > -
> > -- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > -- lp_netbios_name(), lp_realm());
> > -- NT_STATUS_HAVE_NO_MEMORY(local_service);
> > --
> > - ret = kerberos_kinit_password_ext(auth_princ,
> > - pass,
> > - time_offset,
> > -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
> > -index 2559634..1151d66 100644
> > ---- a/source3/libads/kerberos_proto.h
> > -+++ b/source3/libads/kerberos_proto.h
> > -@@ -77,6 +77,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - bool add_netbios_addr,
> > - time_t renewable_time,
> > - const char *impersonate_princ_s,
> > -+ const char *local_service,
> > - struct PAC_LOGON_INFO **logon_info);
> > -
> > - /* The following definitions come from libads/krb5_setpw.c */
> > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > -index 89eebf3..5a073b1 100644
> > ---- a/source3/utils/net_ads.c
> > -+++ b/source3/utils/net_ads.c
> > -@@ -2604,6 +2604,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - NTSTATUS status;
> > - int ret = -1;
> > - const char *impersonate_princ_s = NULL;
> > -+ const char *local_service = NULL;
> > -
> > - if (c->display_usage) {
> > - d_printf( "%s\n"
> > -@@ -2623,6 +2624,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - impersonate_princ_s = argv[0];
> > - }
> > -
> > -+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > -+ lp_netbios_name(), lp_realm());
> > -+ if (local_service == NULL) {
> > -+ goto out;
> > -+ }
> > -+
> > - c->opt_password = net_prompt_pass(c, c->opt_user_name);
> > -
> > - status = kerberos_return_pac(mem_ctx,
> > -@@ -2636,6 +2643,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - true,
> > - 2592000, /* one month */
> > - impersonate_princ_s,
> > -+ local_service,
> > - &info);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - d_printf(_("failed to query kerberos PAC: %s\n"),
> > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > -index 3f3ec70..61e2cef 100644
> > ---- a/source3/winbindd/winbindd_pam.c
> > -+++ b/source3/winbindd/winbindd_pam.c
> > -@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > - time_t time_offset = 0;
> > - const char *user_ccache_file;
> > - struct PAC_LOGON_INFO *logon_info = NULL;
> > -+ const char *local_service;
> > -
> > - *info3 = NULL;
> > -
> > -@@ -632,6 +633,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > -+ lp_netbios_name(), lp_realm());
> > -+ if (local_service == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+
> > - /* if this is a user ccache, we need to act as the user to let the krb5
> > - * library handle the chown, etc. */
> > -
> > -@@ -653,6 +661,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > - true,
> > - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
> > - NULL,
> > -+ local_service,
> > - &logon_info);
> > - if (user_ccache_file != NULL) {
> > - gain_root_privilege();
> > ---
> > -1.8.5.3
> > -
> > -
> > -From baed403983a5bb2e728249443fdfc9167a87f526 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Mon, 3 Mar 2014 12:14:51 +0100
> > -Subject: [PATCH 2/8] auth/kerberos: fix a typo.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - auth/kerberos/kerberos_pac.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
> > -index 81f7f21..8f55c8f 100644
> > ---- a/auth/kerberos/kerberos_pac.c
> > -+++ b/auth/kerberos/kerberos_pac.c
> > -@@ -79,7 +79,7 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
> > - }
> > -
> > - /**
> > --* @brief Decode a blob containing a NDR envoded PAC structure
> > -+* @brief Decode a blob containing a NDR encoded PAC structure
> > - *
> > - * @param mem_ctx - The memory context
> > - * @param pac_data_blob - The data blob containing the NDR encoded data
> > ---
> > -1.8.5.3
> > -
> > -
> > -From 9725a86e60bb6ef6e912621e81acc955ae2f70a8 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Mon, 10 Mar 2014 15:11:18 +0100
> > -Subject: [PATCH 3/8] s3-net: change the way impersonation principals are used
> > - in "net ads kerberos pac".
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/utils/net_ads.c | 14 ++++++++++----
> > - 1 file changed, 10 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > -index 5a073b1..ac6346f 100644
> > ---- a/source3/utils/net_ads.c
> > -+++ b/source3/utils/net_ads.c
> > -@@ -2605,6 +2605,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - int ret = -1;
> > - const char *impersonate_princ_s = NULL;
> > - const char *local_service = NULL;
> > -+ int i;
> > -
> > - if (c->display_usage) {
> > - d_printf( "%s\n"
> > -@@ -2615,15 +2616,20 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - return 0;
> > - }
> > -
> > -+ for (i=0; i<argc; i++) {
> > -+ if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
> > -+ impersonate_princ_s = get_string_param(argv[i]);
> > -+ if (impersonate_princ_s == NULL) {
> > -+ return -1;
> > -+ }
> > -+ }
> > -+ }
> > -+
> > - mem_ctx = talloc_init("net_ads_kerberos_pac");
> > - if (!mem_ctx) {
> > - goto out;
> > - }
> > -
> > -- if (argc > 0) {
> > -- impersonate_princ_s = argv[0];
> > -- }
> > --
> > - local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > - lp_netbios_name(), lp_realm());
> > - if (local_service == NULL) {
> > ---
> > -1.8.5.3
> > -
> > -
> > -From 35a1ed22f65473fabb2f4846f6d2b50da1847f6a Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Tue, 11 Mar 2014 16:34:36 +0100
> > -Subject: [PATCH 4/8] s3-net: allow to provide custom local_service in "net ads
> > - kerberos pac".
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/utils/net_ads.c | 14 +++++++++++---
> > - 1 file changed, 11 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > -index ac6346f..c53c8c6 100644
> > ---- a/source3/utils/net_ads.c
> > -+++ b/source3/utils/net_ads.c
> > -@@ -2623,6 +2623,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - return -1;
> > - }
> > - }
> > -+ if (strnequal(argv[i], "local_service", strlen("local_service"))) {
> > -+ local_service = get_string_param(argv[i]);
> > -+ if (local_service == NULL) {
> > -+ return -1;
> > -+ }
> > -+ }
> > - }
> > -
> > - mem_ctx = talloc_init("net_ads_kerberos_pac");
> > -@@ -2630,10 +2636,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - goto out;
> > - }
> > -
> > -- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > -- lp_netbios_name(), lp_realm());
> > - if (local_service == NULL) {
> > -- goto out;
> > -+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > -+ lp_netbios_name(), lp_realm());
> > -+ if (local_service == NULL) {
> > -+ goto out;
> > -+ }
> > - }
> > -
> > - c->opt_password = net_prompt_pass(c, c->opt_user_name);
> > ---
> > -1.8.5.3
> > -
> > -
> > -From 1270e35ba70a4e4881512d375c767023512f67bd Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 21 Feb 2014 18:56:04 +0100
> > -Subject: [PATCH 5/8] s3-kerberos: return a full PAC in kerberos_return_pac().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/libads/authdata.c | 28 +++++++++++++++++-----------
> > - source3/libads/kerberos_proto.h | 4 ++--
> > - source3/utils/net_ads.c | 17 ++++++++++++++++-
> > - source3/winbindd/winbindd_pam.c | 22 +++++++++++++++++++++-
> > - 4 files changed, 56 insertions(+), 15 deletions(-)
> > -
> > -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> > -index dd80dc2..53e40ef 100644
> > ---- a/source3/libads/authdata.c
> > -+++ b/source3/libads/authdata.c
> > -@@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
> > - struct auth_session_info **session_info)
> > - {
> > - TALLOC_CTX *tmp_ctx;
> > -- struct PAC_LOGON_INFO *logon_info = NULL;
> > -+ struct PAC_DATA *pac_data = NULL;
> > - NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
> > -
> > - tmp_ctx = talloc_new(mem_ctx);
> > -@@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
> > - }
> > -
> > - if (pac_blob) {
> > -- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
> > -- NULL, NULL, 0, &logon_info);
> > -+ status = kerberos_decode_pac(tmp_ctx,
> > -+ *pac_blob,
> > -+ NULL,
> > -+ NULL,
> > -+ NULL,
> > -+ NULL,
> > -+ 0,
> > -+ &pac_data);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - goto done;
> > - }
> > - }
> > -
> > -- talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
> > -+ talloc_set_name_const(pac_data, "struct PAC_DATA");
> > -
> > -- auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);
> > -+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
> > - *session_info = talloc_zero(mem_ctx, struct auth_session_info);
> > - if (!*session_info) {
> > - status = NT_STATUS_NO_MEMORY;
> > -@@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - time_t renewable_time,
> > - const char *impersonate_princ_s,
> > - const char *local_service,
> > -- struct PAC_LOGON_INFO **_logon_info)
> > -+ struct PAC_DATA **_pac_data)
> > - {
> > - krb5_error_code ret;
> > - NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
> > -@@ -116,7 +122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - size_t idx = 0;
> > - struct auth4_context *auth_context;
> > - struct loadparm_context *lp_ctx;
> > -- struct PAC_LOGON_INFO *logon_info = NULL;
> > -+ struct PAC_DATA *pac_data = NULL;
> > -
> > - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
> > - NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
> > -@@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - goto out;
> > - }
> > -
> > -- logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
> > -- struct PAC_LOGON_INFO);
> > -- if (logon_info == NULL) {
> > -+ pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
> > -+ struct PAC_DATA);
> > -+ if (pac_data == NULL) {
> > - DEBUG(1,("no PAC\n"));
> > - status = NT_STATUS_INVALID_PARAMETER;
> > - goto out;
> > - }
> > -
> > -- *_logon_info = talloc_move(mem_ctx, &logon_info);
> > -+ *_pac_data = talloc_move(mem_ctx, &pac_data);
> > -
> > - out:
> > - talloc_free(tmp_ctx);
> > -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
> > -index 1151d66..b2f7486 100644
> > ---- a/source3/libads/kerberos_proto.h
> > -+++ b/source3/libads/kerberos_proto.h
> > -@@ -32,7 +32,7 @@
> > -
> > - #include "system/kerberos.h"
> > -
> > --struct PAC_LOGON_INFO;
> > -+struct PAC_DATA;
> > -
> > - #include "libads/ads_status.h"
> > -
> > -@@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - time_t renewable_time,
> > - const char *impersonate_princ_s,
> > - const char *local_service,
> > -- struct PAC_LOGON_INFO **logon_info);
> > -+ struct PAC_DATA **pac_data);
> > -
> > - /* The following definitions come from libads/krb5_setpw.c */
> > -
> > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > -index c53c8c6..19da6da 100644
> > ---- a/source3/utils/net_ads.c
> > -+++ b/source3/utils/net_ads.c
> > -@@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
> > - static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
> > - {
> > - struct PAC_LOGON_INFO *info = NULL;
> > -+ struct PAC_DATA *pac_data = NULL;
> > - TALLOC_CTX *mem_ctx = NULL;
> > - NTSTATUS status;
> > - int ret = -1;
> > -@@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - 2592000, /* one month */
> > - impersonate_princ_s,
> > - local_service,
> > -- &info);
> > -+ &pac_data);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - d_printf(_("failed to query kerberos PAC: %s\n"),
> > - nt_errstr(status));
> > - goto out;
> > - }
> > -
> > -+ for (i=0; i < pac_data->num_buffers; i++) {
> > -+
> > -+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
> > -+ continue;
> > -+ }
> > -+
> > -+ info = pac_data->buffers[i].info->logon_info.info;
> > -+ if (!info) {
> > -+ goto out;
> > -+ }
> > -+
> > -+ break;
> > -+ }
> > -+
> > - if (info) {
> > - const char *s;
> > - s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
> > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > -index 61e2cef..a8daae51 100644
> > ---- a/source3/winbindd/winbindd_pam.c
> > -+++ b/source3/winbindd/winbindd_pam.c
> > -@@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > - time_t time_offset = 0;
> > - const char *user_ccache_file;
> > - struct PAC_LOGON_INFO *logon_info = NULL;
> > -+ struct PAC_DATA *pac_data = NULL;
> > - const char *local_service;
> > -+ int i;
> > -
> > - *info3 = NULL;
> > -
> > -@@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
> > - NULL,
> > - local_service,
> > -- &logon_info);
> > -+ &pac_data);
> > - if (user_ccache_file != NULL) {
> > - gain_root_privilege();
> > - }
> > -@@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > - goto failed;
> > - }
> > -
> > -+ if (pac_data == NULL) {
> > -+ goto failed;
> > -+ }
> > -+
> > -+ for (i=0; i < pac_data->num_buffers; i++) {
> > -+
> > -+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
> > -+ continue;
> > -+ }
> > -+
> > -+ logon_info = pac_data->buffers[i].info->logon_info.info;
> > -+ if (!logon_info) {
> > -+ return NT_STATUS_INVALID_PARAMETER;
> > -+ }
> > -+
> > -+ break;
> > -+ }
> > -+
> > - *info3 = &logon_info->info3;
> > -
> > - DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
> > ---
> > -1.8.5.3
> > -
> > -
> > -From a8c2807a26d2f1ff094ed7ea5724c0394f79b888 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Tue, 11 Mar 2014 18:07:11 +0100
> > -Subject: [PATCH 6/8] s3-kerberos: let kerberos_return_pac() return a PAC
> > - container.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/libads/authdata.c | 29 +++++++++++++++++++++--------
> > - source3/libads/kerberos_proto.h | 7 ++++++-
> > - source3/utils/net_ads.c | 5 ++++-
> > - source3/winbindd/winbindd_pam.c | 8 +++++++-
> > - 4 files changed, 38 insertions(+), 11 deletions(-)
> > -
> > -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> > -index 53e40ef..276408d 100644
> > ---- a/source3/libads/authdata.c
> > -+++ b/source3/libads/authdata.c
> > -@@ -53,6 +53,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
> > - {
> > - TALLOC_CTX *tmp_ctx;
> > - struct PAC_DATA *pac_data = NULL;
> > -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > - NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
> > -
> > - tmp_ctx = talloc_new(mem_ctx);
> > -@@ -74,9 +75,21 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
> > - }
> > - }
> > -
> > -- talloc_set_name_const(pac_data, "struct PAC_DATA");
> > -+ pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR);
> > -+ if (pac_data_ctr == NULL) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ goto done;
> > -+ }
> > -+
> > -+ talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR");
> > -+
> > -+ pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data);
> > -+ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
> > -+ pac_blob->data,
> > -+ pac_blob->length);
> > -+
> > -+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);
> > -
> > -- auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
> > - *session_info = talloc_zero(mem_ctx, struct auth_session_info);
> > - if (!*session_info) {
> > - status = NT_STATUS_NO_MEMORY;
> > -@@ -108,7 +121,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - time_t renewable_time,
> > - const char *impersonate_princ_s,
> > - const char *local_service,
> > -- struct PAC_DATA **_pac_data)
> > -+ struct PAC_DATA_CTR **_pac_data_ctr)
> > - {
> > - krb5_error_code ret;
> > - NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
> > -@@ -122,7 +135,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - size_t idx = 0;
> > - struct auth4_context *auth_context;
> > - struct loadparm_context *lp_ctx;
> > -- struct PAC_DATA *pac_data = NULL;
> > -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > -
> > - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
> > - NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
> > -@@ -278,15 +291,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - goto out;
> > - }
> > -
> > -- pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
> > -- struct PAC_DATA);
> > -- if (pac_data == NULL) {
> > -+ pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
> > -+ struct PAC_DATA_CTR);
> > -+ if (pac_data_ctr == NULL) {
> > - DEBUG(1,("no PAC\n"));
> > - status = NT_STATUS_INVALID_PARAMETER;
> > - goto out;
> > - }
> > -
> > -- *_pac_data = talloc_move(mem_ctx, &pac_data);
> > -+ *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
> > -
> > - out:
> > - talloc_free(tmp_ctx);
> > -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
> > -index b2f7486..3d0ad4b 100644
> > ---- a/source3/libads/kerberos_proto.h
> > -+++ b/source3/libads/kerberos_proto.h
> > -@@ -34,6 +34,11 @@
> > -
> > - struct PAC_DATA;
> > -
> > -+struct PAC_DATA_CTR {
> > -+ DATA_BLOB pac_blob;
> > -+ struct PAC_DATA *pac_data;
> > -+};
> > -+
> > - #include "libads/ads_status.h"
> > -
> > - /* The following definitions come from libads/kerberos.c */
> > -@@ -78,7 +83,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - time_t renewable_time,
> > - const char *impersonate_princ_s,
> > - const char *local_service,
> > -- struct PAC_DATA **pac_data);
> > -+ struct PAC_DATA_CTR **pac_data_ctr);
> > -
> > - /* The following definitions come from libads/krb5_setpw.c */
> > -
> > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > -index 19da6da..19c28b1 100644
> > ---- a/source3/utils/net_ads.c
> > -+++ b/source3/utils/net_ads.c
> > -@@ -2601,6 +2601,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - {
> > - struct PAC_LOGON_INFO *info = NULL;
> > - struct PAC_DATA *pac_data = NULL;
> > -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > - TALLOC_CTX *mem_ctx = NULL;
> > - NTSTATUS status;
> > - int ret = -1;
> > -@@ -2659,13 +2660,15 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - 2592000, /* one month */
> > - impersonate_princ_s,
> > - local_service,
> > -- &pac_data);
> > -+ &pac_data_ctr);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - d_printf(_("failed to query kerberos PAC: %s\n"),
> > - nt_errstr(status));
> > - goto out;
> > - }
> > -
> > -+ pac_data = pac_data_ctr->pac_data;
> > -+
> > - for (i=0; i < pac_data->num_buffers; i++) {
> > -
> > - if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
> > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > -index a8daae51..b41291e 100644
> > ---- a/source3/winbindd/winbindd_pam.c
> > -+++ b/source3/winbindd/winbindd_pam.c
> > -@@ -577,6 +577,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > - const char *user_ccache_file;
> > - struct PAC_LOGON_INFO *logon_info = NULL;
> > - struct PAC_DATA *pac_data = NULL;
> > -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > - const char *local_service;
> > - int i;
> > -
> > -@@ -664,7 +665,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
> > - NULL,
> > - local_service,
> > -- &pac_data);
> > -+ &pac_data_ctr);
> > - if (user_ccache_file != NULL) {
> > - gain_root_privilege();
> > - }
> > -@@ -675,6 +676,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > - goto failed;
> > - }
> > -
> > -+ if (pac_data_ctr == NULL) {
> > -+ goto failed;
> > -+ }
> > -+
> > -+ pac_data = pac_data_ctr->pac_data;
> > - if (pac_data == NULL) {
> > - goto failed;
> > - }
> > ---
> > -1.8.5.3
> > -
> > -
> > -From 9e01f3cbc4752539128e5452f567ff2e73c3ec9d Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Tue, 11 Mar 2014 18:14:39 +0100
> > -Subject: [PATCH 7/8] s3-net: modify the current "net ads kerberos pac"
> > - command.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Rename it to "net ads kerberos pac dump" and add a "type=num" option to allow
> > -dumping of individial pac buffer types. Ommitting type= or using type=0 will
> > -dump the whole PAC structure on stdout.
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/utils/net_ads.c | 115 ++++++++++++++++++++++++++++++++----------------
> > - 1 file changed, 77 insertions(+), 38 deletions(-)
> > -
> > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > -index 19c28b1..f54cf23 100644
> > ---- a/source3/utils/net_ads.c
> > -+++ b/source3/utils/net_ads.c
> > -@@ -2597,27 +2597,15 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
> > - return ret;
> > - }
> > -
> > --static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
> > -+static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const char **argv,
> > -+ struct PAC_DATA_CTR **pac_data_ctr)
> > - {
> > -- struct PAC_LOGON_INFO *info = NULL;
> > -- struct PAC_DATA *pac_data = NULL;
> > -- struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > -- TALLOC_CTX *mem_ctx = NULL;
> > - NTSTATUS status;
> > - int ret = -1;
> > - const char *impersonate_princ_s = NULL;
> > - const char *local_service = NULL;
> > - int i;
> > -
> > -- if (c->display_usage) {
> > -- d_printf( "%s\n"
> > -- "net ads kerberos pac [impersonation_principal]\n"
> > -- " %s\n",
> > -- _("Usage:"),
> > -- _("Dump the Kerberos PAC"));
> > -- return 0;
> > -- }
> > --
> > - for (i=0; i<argc; i++) {
> > - if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
> > - impersonate_princ_s = get_string_param(argv[i]);
> > -@@ -2633,13 +2621,8 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - }
> > - }
> > -
> > -- mem_ctx = talloc_init("net_ads_kerberos_pac");
> > -- if (!mem_ctx) {
> > -- goto out;
> > -- }
> > --
> > - if (local_service == NULL) {
> > -- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > -+ local_service = talloc_asprintf(c, "%s$@%s",
> > - lp_netbios_name(), lp_realm());
> > - if (local_service == NULL) {
> > - goto out;
> > -@@ -2648,7 +2631,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > -
> > - c->opt_password = net_prompt_pass(c, c->opt_user_name);
> > -
> > -- status = kerberos_return_pac(mem_ctx,
> > -+ status = kerberos_return_pac(c,
> > - c->opt_user_name,
> > - c->opt_password,
> > - 0,
> > -@@ -2660,39 +2643,95 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - 2592000, /* one month */
> > - impersonate_princ_s,
> > - local_service,
> > -- &pac_data_ctr);
> > -+ pac_data_ctr);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - d_printf(_("failed to query kerberos PAC: %s\n"),
> > - nt_errstr(status));
> > - goto out;
> > - }
> > -
> > -- pac_data = pac_data_ctr->pac_data;
> > -+ ret = 0;
> > -+ out:
> > -+ return ret;
> > -+}
> > -
> > -- for (i=0; i < pac_data->num_buffers; i++) {
> > -+static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char **argv)
> > -+{
> > -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > -+ int i;
> > -+ int ret = -1;
> > -+ enum PAC_TYPE type = 0;
> > -
> > -- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
> > -- continue;
> > -+ if (c->display_usage) {
> > -+ d_printf( "%s\n"
> > -+ "net ads kerberos pac dump [impersonate=string] [local_service=string] [pac_buffer_type=int]\n"
> > -+ " %s\n",
> > -+ _("Usage:"),
> > -+ _("Dump the Kerberos PAC"));
> > -+ return -1;
> > -+ }
> > -+
> > -+ for (i=0; i<argc; i++) {
> > -+ if (strnequal(argv[i], "pac_buffer_type", strlen("pac_buffer_type"))) {
> > -+ type = get_int_param(argv[i]);
> > - }
> > -+ }
> > -
> > -- info = pac_data->buffers[i].info->logon_info.info;
> > -- if (!info) {
> > -- goto out;
> > -+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
> > -+ if (ret) {
> > -+ return ret;
> > -+ }
> > -+
> > -+ if (type == 0) {
> > -+
> > -+ char *s = NULL;
> > -+
> > -+ s = NDR_PRINT_STRUCT_STRING(c, PAC_DATA,
> > -+ pac_data_ctr->pac_data);
> > -+ if (s != NULL) {
> > -+ d_printf(_("The Pac: %s\n"), s);
> > -+ talloc_free(s);
> > - }
> > -
> > -- break;
> > -+ return 0;
> > - }
> > -
> > -- if (info) {
> > -- const char *s;
> > -- s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
> > -- d_printf(_("The Pac: %s\n"), s);
> > -+ for (i=0; i < pac_data_ctr->pac_data->num_buffers; i++) {
> > -+
> > -+ char *s = NULL;
> > -+
> > -+ if (pac_data_ctr->pac_data->buffers[i].type != type) {
> > -+ continue;
> > -+ }
> > -+
> > -+ s = NDR_PRINT_UNION_STRING(c, PAC_INFO, type,
> > -+ pac_data_ctr->pac_data->buffers[i].info);
> > -+ if (s != NULL) {
> > -+ d_printf(_("The Pac: %s\n"), s);
> > -+ talloc_free(s);
> > -+ }
> > -+ break;
> > - }
> > -
> > -- ret = 0;
> > -- out:
> > -- TALLOC_FREE(mem_ctx);
> > -- return ret;
> > -+ return 0;
> > -+}
> > -+
> > -+static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
> > -+{
> > -+ struct functable func[] = {
> > -+ {
> > -+ "dump",
> > -+ net_ads_kerberos_pac_dump,
> > -+ NET_TRANSPORT_ADS,
> > -+ N_("Dump Kerberos PAC"),
> > -+ N_("net ads kerberos pac dump\n"
> > -+ " Dump a Kerberos PAC to stdout")
> > -+ },
> > -+
> > -+ {NULL, NULL, 0, NULL, NULL}
> > -+ };
> > -+
> > -+ return net_run_function(c, argc, argv, "net ads kerberos pac", func);
> > - }
> > -
> > - static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
> > ---
> > -1.8.5.3
> > -
> > -
> > -From 91ceace4ee8fd141cac5dbe5282bed141c38bee7 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Tue, 11 Mar 2014 18:16:40 +0100
> > -Subject: [PATCH 8/8] s3-net: add a new "net ads kerberos pac save" tool.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Use "filename=string" to define a file where to save the unencrypted PAC to.
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/utils/net_ads.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
> > - 1 file changed, 52 insertions(+)
> > -
> > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > -index f54cf23..8b8e719 100644
> > ---- a/source3/utils/net_ads.c
> > -+++ b/source3/utils/net_ads.c
> > -@@ -2716,6 +2716,50 @@ static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char
> > - return 0;
> > - }
> > -
> > -+static int net_ads_kerberos_pac_save(struct net_context *c, int argc, const char **argv)
> > -+{
> > -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > -+ char *filename = NULL;
> > -+ int ret = -1;
> > -+ int i;
> > -+
> > -+ if (c->display_usage) {
> > -+ d_printf( "%s\n"
> > -+ "net ads kerberos pac save [impersonate=string] [local_service=string] [filename=string]\n"
> > -+ " %s\n",
> > -+ _("Usage:"),
> > -+ _("Save the Kerberos PAC"));
> > -+ return -1;
> > -+ }
> > -+
> > -+ for (i=0; i<argc; i++) {
> > -+ if (strnequal(argv[i], "filename", strlen("filename"))) {
> > -+ filename = get_string_param(argv[i]);
> > -+ if (filename == NULL) {
> > -+ return -1;
> > -+ }
> > -+ }
> > -+ }
> > -+
> > -+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
> > -+ if (ret) {
> > -+ return ret;
> > -+ }
> > -+
> > -+ if (filename == NULL) {
> > -+ d_printf(_("please define \"filename=<filename>\" to save the PAC\n"));
> > -+ return -1;
> > -+ }
> > -+
> > -+ /* save the raw format */
> > -+ if (!file_save(filename, pac_data_ctr->pac_blob.data, pac_data_ctr->pac_blob.length)) {
> > -+ d_printf(_("failed to save PAC in %s\n"), filename);
> > -+ return -1;
> > -+ }
> > -+
> > -+ return 0;
> > -+}
> > -+
> > - static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
> > - {
> > - struct functable func[] = {
> > -@@ -2727,6 +2771,14 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > - N_("net ads kerberos pac dump\n"
> > - " Dump a Kerberos PAC to stdout")
> > - },
> > -+ {
> > -+ "save",
> > -+ net_ads_kerberos_pac_save,
> > -+ NET_TRANSPORT_ADS,
> > -+ N_("Save Kerberos PAC"),
> > -+ N_("net ads kerberos pac save\n"
> > -+ " Save a Kerberos PAC in a file")
> > -+ },
> > -
> > - {NULL, NULL, 0, NULL, NULL}
> > - };
> > ---
> > -1.8.5.3
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
> > deleted file mode 100644
> > index a2058f1..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
> > +++ /dev/null
> > @@ -1,211 +0,0 @@
> > -From 942dedb71437cd89932a7f39ca73d65c09aa59be Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 2 Apr 2014 19:37:34 +0200
> > -Subject: [PATCH] s3-kerberos: make ipv6 support for generated krb5 config
> > - files more robust.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Older MIT Kerberos libraries will add any secondary ipv6 address as
> > -ipv4 address, defining the (default) krb5 port 88 circumvents that.
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > ----
> > - source3/libads/kerberos.c | 29 +++++++++++++++++++++++++++--
> > - 1 file changed, 27 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> > -index 649e568..f3c23ea 100644
> > ---- a/source3/libads/kerberos.c
> > -+++ b/source3/libads/kerberos.c
> > -@@ -615,6 +615,31 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
> > - *num_addrs += 1;
> > - }
> > -
> > -+/* print_canonical_sockaddr prints an ipv6 addr in the form of
> > -+* [ipv6.addr]. This string, when put in a generated krb5.conf file is not
> > -+* always properly dealt with by some older krb5 libraries. Adding the hard-coded
> > -+* portnumber workarounds the issue. - gd */
> > -+
> > -+static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx,
> > -+ const struct sockaddr_storage *pss)
> > -+{
> > -+ char *str = NULL;
> > -+
> > -+ str = print_canonical_sockaddr(mem_ctx, pss);
> > -+ if (str == NULL) {
> > -+ return NULL;
> > -+ }
> > -+
> > -+ if (pss->ss_family != AF_INET6) {
> > -+ return str;
> > -+ }
> > -+
> > -+#if defined(HAVE_IPV6)
> > -+ str = talloc_asprintf_append(str, ":88");
> > -+#endif
> > -+ return str;
> > -+}
> > -+
> > - static char *get_kdc_ip_string(char *mem_ctx,
> > - const char *realm,
> > - const char *sitename,
> > -@@ -634,7 +659,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
> > - struct netlogon_samlogon_response **responses = NULL;
> > - NTSTATUS status;
> > - char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
> > -- print_canonical_sockaddr(mem_ctx, pss));
> > -+ print_canonical_sockaddr_with_port(mem_ctx, pss));
> > -
> > - if (kdc_str == NULL) {
> > - TALLOC_FREE(frame);
> > -@@ -726,7 +751,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
> > - /* Append to the string - inefficient but not done often. */
> > - new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> > - kdc_str,
> > -- print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
> > -+ print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
> > - if (new_kdc_str == NULL) {
> > - goto fail;
> > - }
> > ---
> > -1.9.0
> > -
> > -From 60db71015f84dd242be889576d85ccd5c6a1f73b Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 16 Apr 2014 16:07:14 +0200
> > -Subject: [PATCH] s3-libads: allow ads_try_connect() to re-use a resolved ip
> > - address.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Pass down a struct sockaddr_storage to ads_try_connect.
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -
> > -Autobuild-User(master): Günther Deschner <gd@samba.org>
> > -Autobuild-Date(master): Thu Apr 17 19:56:16 CEST 2014 on sn-devel-104
> > ----
> > - source3/libads/ldap.c | 44 ++++++++++++++++++++++++++------------------
> > - 1 file changed, 26 insertions(+), 18 deletions(-)
> > -
> > -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
> > -index d9bb8e2..8fed8fd 100644
> > ---- a/source3/libads/ldap.c
> > -+++ b/source3/libads/ldap.c
> > -@@ -228,33 +228,27 @@ bool ads_closest_dc(ADS_STRUCT *ads)
> > - try a connection to a given ldap server, returning True and setting the servers IP
> > - in the ads struct if successful
> > - */
> > --static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
> > -+static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
> > -+ struct sockaddr_storage *ss)
> > - {
> > - struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
> > - TALLOC_CTX *frame = talloc_stackframe();
> > - bool ret = false;
> > -- struct sockaddr_storage ss;
> > - char addr[INET6_ADDRSTRLEN];
> > -
> > -- if (!server || !*server) {
> > -+ if (ss == NULL) {
> > - TALLOC_FREE(frame);
> > - return False;
> > - }
> > -
> > -- if (!resolve_name(server, &ss, 0x20, true)) {
> > -- DEBUG(5,("ads_try_connect: unable to resolve name %s\n",
> > -- server ));
> > -- TALLOC_FREE(frame);
> > -- return false;
> > -- }
> > -- print_sockaddr(addr, sizeof(addr), &ss);
> > -+ print_sockaddr(addr, sizeof(addr), ss);
> > -
> > - DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
> > - addr, ads->server.realm));
> > -
> > - ZERO_STRUCT( cldap_reply );
> > -
> > -- if ( !ads_cldap_netlogon_5(frame, &ss, ads->server.realm, &cldap_reply ) ) {
> > -+ if ( !ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply ) ) {
> > - DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));
> > - ret = false;
> > - goto out;
> > -@@ -298,7 +292,7 @@ static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
> > - ads->server.workgroup = SMB_STRDUP(cldap_reply.domain_name);
> > -
> > - ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
> > -- ads->ldap.ss = ss;
> > -+ ads->ldap.ss = *ss;
> > -
> > - /* Store our site name. */
> > - sitename_store( cldap_reply.domain_name, cldap_reply.client_site);
> > -@@ -330,6 +324,7 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
> > - bool use_own_domain = False;
> > - char *sitename;
> > - NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
> > -+ bool ok = false;
> > -
> > - /* if the realm and workgroup are both empty, assume they are ours */
> > -
> > -@@ -384,12 +379,14 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
> > - DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
> > - (got_realm ? "realm" : "domain"), realm));
> > -
> > -- if (get_dc_name(domain, realm, srv_name, &ip_out)) {
> > -+ ok = get_dc_name(domain, realm, srv_name, &ip_out);
> > -+ if (ok) {
> > - /*
> > - * we call ads_try_connect() to fill in the
> > - * ads->config details
> > - */
> > -- if (ads_try_connect(ads, srv_name, false)) {
> > -+ ok = ads_try_connect(ads, false, &ip_out);
> > -+ if (ok) {
> > - return NT_STATUS_OK;
> > - }
> > - }
> > -@@ -445,7 +442,8 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
> > - }
> > - }
> > -
> > -- if ( ads_try_connect(ads, server, false) ) {
> > -+ ok = ads_try_connect(ads, false, &ip_list[i].ss);
> > -+ if (ok) {
> > - SAFE_FREE(ip_list);
> > - SAFE_FREE(sitename);
> > - return NT_STATUS_OK;
> > -@@ -630,9 +628,19 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
> > - TALLOC_FREE(s);
> > - }
> > -
> > -- if (ads->server.ldap_server)
> > -- {
> > -- if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
> > -+ if (ads->server.ldap_server) {
> > -+ bool ok = false;
> > -+ struct sockaddr_storage ss;
> > -+
> > -+ ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);
> > -+ if (!ok) {
> > -+ DEBUG(5,("ads_connect: unable to resolve name %s\n",
> > -+ ads->server.ldap_server));
> > -+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
> > -+ goto out;
> > -+ }
> > -+ ok = ads_try_connect(ads, ads->server.gc, &ss);
> > -+ if (ok) {
> > - goto got_connection;
> > - }
> > -
> > ---
> > -1.9.0
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
> > deleted file mode 100644
> > index c1dfc06..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
> > +++ /dev/null
> > @@ -1,29894 +0,0 @@
> > -From 538f62edb2cc4c17204620d8a9b3075c7453422b Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Thu, 4 Sep 2014 12:55:53 +0200
> > -Subject: [PATCH 002/249] selftest: Fix selftest where pid is used
> > - uninitialized.
> > -
> > -On my system this gets evaluated to 0 so in the end we detect samba to
> > -be running cause $childpid is set to 0.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10793
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
> > -Autobuild-Date(master): Thu Sep 4 17:09:17 CEST 2014 on sn-devel-104
> > -
> > -(cherry picked from commit 6d2f56dbaf84203b351f33179cc3feaf557e0683)
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -
> > -Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
> > -Autobuild-Date(v4-1-test): Mon Sep 8 23:19:29 CEST 2014 on sn-devel-104
> > ----
> > - selftest/target/Samba.pm | 7 ++++++-
> > - 1 file changed, 6 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
> > -index ab3851f..b0817fd 100644
> > ---- a/selftest/target/Samba.pm
> > -+++ b/selftest/target/Samba.pm
> > -@@ -188,7 +188,12 @@ sub get_interface($)
> > - sub cleanup_child($$)
> > - {
> > - my ($pid, $name) = @_;
> > -- my $childpid = waitpid($pid, WNOHANG);
> > -+ my $childpid = -1;
> > -+
> > -+ if (defined($pid)) {
> > -+ $childpid = waitpid($pid, WNOHANG);
> > -+ }
> > -+
> > - if ($childpid == 0) {
> > - } elsif ($childpid < 0) {
> > - printf STDERR "%s child process %d isn't here any more\n",
> > ---
> > -1.9.3
> > -
> > -
> > -From a14c0878c232dcf674008444f80dc0e5d8aada09 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 12:33:25 +0200
> > -Subject: [PATCH 003/249] auth/credentials: remove pointless talloc_reference()
> > - from cli_credentials_get_unparsed_name()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 953502925863377b5e566edff4ac68c63e8d151f)
> > ----
> > - auth/credentials/credentials.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > -index e636123..e597809 100644
> > ---- a/auth/credentials/credentials.c
> > -+++ b/auth/credentials/credentials.c
> > -@@ -669,7 +669,7 @@ _PUBLIC_ const char *cli_credentials_get_unparsed_name(struct cli_credentials *c
> > - const char *name;
> > -
> > - if (bind_dn) {
> > -- name = talloc_reference(mem_ctx, bind_dn);
> > -+ name = talloc_strdup(mem_ctx, bind_dn);
> > - } else {
> > - cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain);
> > - if (domain && domain[0]) {
> > ---
> > -1.9.3
> > -
> > -
> > -From a9bbf2e55d56b9d2cec944ee32a127fc72e6ce6a Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 12:33:25 +0200
> > -Subject: [PATCH 004/249] auth/credentials: remove pointless talloc_reference()
> > - from cli_credentials_get_principal_and_obtained()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit b8f09226458dc13cf901f481ede89d8a6bb94ba7)
> > ----
> > - auth/credentials/credentials.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > -index e597809..7a4b081 100644
> > ---- a/auth/credentials/credentials.c
> > -+++ b/auth/credentials/credentials.c
> > -@@ -267,7 +267,7 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
> > - }
> > - }
> > - *obtained = cred->principal_obtained;
> > -- return talloc_reference(mem_ctx, cred->principal);
> > -+ return talloc_strdup(mem_ctx, cred->principal);
> > - }
> > -
> > - /**
> > ---
> > -1.9.3
> > -
> > -
> > -From 5df785eba8389be9129984c6c5a1e59487685938 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 12:52:17 +0200
> > -Subject: [PATCH 005/249] auth/credentials: add
> > - cli_credentials_[set_]callback_data*
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 6ff6778bdc60f1cd4d52cba83bd47d3398fe5a20)
> > ----
> > - auth/credentials/credentials.c | 11 +++++++++++
> > - auth/credentials/credentials.h | 8 ++++++++
> > - 2 files changed, 19 insertions(+)
> > -
> > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > -index 7a4b081..e6a4710 100644
> > ---- a/auth/credentials/credentials.c
> > -+++ b/auth/credentials/credentials.c
> > -@@ -114,6 +114,17 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
> > - return cred;
> > - }
> > -
> > -+_PUBLIC_ void cli_credentials_set_callback_data(struct cli_credentials *cred,
> > -+ void *callback_data)
> > -+{
> > -+ cred->priv_data = callback_data;
> > -+}
> > -+
> > -+_PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
> > -+{
> > -+ return cred->priv_data;
> > -+}
> > -+
> > - /**
> > - * Create a new anonymous credential
> > - * @param mem_ctx TALLOC_CTX parent for credentials structure
> > -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
> > -index dbc014f..0f498ad 100644
> > ---- a/auth/credentials/credentials.h
> > -+++ b/auth/credentials/credentials.h
> > -@@ -332,6 +332,14 @@ bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
> > - bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
> > - const char *(*workstation_cb) (struct cli_credentials *));
> > -
> > -+void cli_credentials_set_callback_data(struct cli_credentials *cred,
> > -+ void *callback_data);
> > -+void *_cli_credentials_callback_data(struct cli_credentials *cred);
> > -+#define cli_credentials_callback_data(_cred, _type) \
> > -+ talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
> > -+#define cli_credentials_callback_data_void(_cred) \
> > -+ _cli_credentials_callback_data(_cred)
> > -+
> > - /**
> > - * Return attached NETLOGON credentials
> > - */
> > ---
> > -1.9.3
> > -
> > -
> > -From 8fd0244ac8fe4998a0931bc9d51b9dfbb182a2e1 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 13:21:14 +0200
> > -Subject: [PATCH 006/249] auth/credentials: add cli_credentials_shallow_copy()
> > -
> > -This is useful for testing.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit b3cd44d50cff99fa77611679d68d2d57434fefa4)
> > ----
> > - auth/credentials/credentials.c | 15 +++++++++++++++
> > - auth/credentials/credentials.h | 3 +++
> > - 2 files changed, 18 insertions(+)
> > -
> > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > -index e6a4710..c1c6993 100644
> > ---- a/auth/credentials/credentials.c
> > -+++ b/auth/credentials/credentials.c
> > -@@ -125,6 +125,21 @@ _PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
> > - return cred->priv_data;
> > - }
> > -
> > -+_PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
> > -+ struct cli_credentials *src)
> > -+{
> > -+ struct cli_credentials *dst;
> > -+
> > -+ dst = talloc(mem_ctx, struct cli_credentials);
> > -+ if (dst == NULL) {
> > -+ return NULL;
> > -+ }
> > -+
> > -+ *dst = *src;
> > -+
> > -+ return dst;
> > -+}
> > -+
> > - /**
> > - * Create a new anonymous credential
> > - * @param mem_ctx TALLOC_CTX parent for credentials structure
> > -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
> > -index 0f498ad..1377bfa 100644
> > ---- a/auth/credentials/credentials.h
> > -+++ b/auth/credentials/credentials.h
> > -@@ -340,6 +340,9 @@ void *_cli_credentials_callback_data(struct cli_credentials *cred);
> > - #define cli_credentials_callback_data_void(_cred) \
> > - _cli_credentials_callback_data(_cred)
> > -
> > -+struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
> > -+ struct cli_credentials *src);
> > -+
> > - /**
> > - * Return attached NETLOGON credentials
> > - */
> > ---
> > -1.9.3
> > -
> > -
> > -From 52e4028da5db90ce3ee410997ea3464374fec46b Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 13:20:13 +0200
> > -Subject: [PATCH 007/249] s3:ntlm_auth: remove pointless credentials->priv_data
> > - = NULL;
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit cfeeb3ce3de5d1df07299fb83327ae258da0bf8d)
> > ----
> > - source3/utils/ntlm_auth.c | 1 -
> > - 1 file changed, 1 deletion(-)
> > -
> > -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> > -index b3bbaa4..a5e0cd2 100644
> > ---- a/source3/utils/ntlm_auth.c
> > -+++ b/source3/utils/ntlm_auth.c
> > -@@ -228,7 +228,6 @@ static const char *get_password(struct cli_credentials *credentials)
> > -
> > - /* Ask for a password */
> > - x_fprintf(x_stdout, "PW\n");
> > -- credentials->priv_data = NULL;
> > -
> > - manage_squid_request(NUM_HELPER_MODES /* bogus */, NULL, NULL, manage_gensec_get_pw_request, (void **)&password);
> > - talloc_steal(credentials, password);
> > ---
> > -1.9.3
> > -
> > -
> > -From bdfb13b91ce8961caeb98b01a75893895e8d484a Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 13:22:10 +0200
> > -Subject: [PATCH 008/249] s4:torture/shell: simplify
> > - cli_credentials_set_password() call
> > -
> > -All we want is to avoid a possible callback...
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 36b3c9506c1ac5549a38140e7ffd57644290069f)
> > ----
> > - source4/torture/shell.c | 5 +----
> > - 1 file changed, 1 insertion(+), 4 deletions(-)
> > -
> > -diff --git a/source4/torture/shell.c b/source4/torture/shell.c
> > -index d6cc94c..aa85da3 100644
> > ---- a/source4/torture/shell.c
> > -+++ b/source4/torture/shell.c
> > -@@ -110,10 +110,7 @@ void torture_shell(struct torture_context *tctx)
> > - * stops the credentials system prompting when we use the "auth"
> > - * command to display the current auth parameters.
> > - */
> > -- if (cmdline_credentials->password_obtained != CRED_SPECIFIED) {
> > -- cli_credentials_set_password(cmdline_credentials, "",
> > -- CRED_SPECIFIED);
> > -- }
> > -+ cli_credentials_set_password(cmdline_credentials, "", CRED_GUESS_ENV);
> > -
> > - while (1) {
> > - cline = smb_readline("torture> ", NULL, NULL);
> > ---
> > -1.9.3
> > -
> > -
> > -From 91c0d6a26823f3057357c6b31bf1f686e5ed0f5e Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 13:23:08 +0200
> > -Subject: [PATCH 009/249] s4:torture/gentest: make use of
> > - cli_credentials_get_username()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit d36fcaa5f3c4d1ad54d767f4a7c5fa6c8d69c00e)
> > ----
> > - source4/torture/gentest.c | 3 ++-
> > - 1 file changed, 2 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/source4/torture/gentest.c b/source4/torture/gentest.c
> > -index 91b60e2..586a25b 100644
> > ---- a/source4/torture/gentest.c
> > -+++ b/source4/torture/gentest.c
> > -@@ -221,7 +221,8 @@ static bool connect_servers(struct tevent_context *ev,
> > -
> > - printf("Connecting to \\\\%s\\%s as %s - instance %d\n",
> > - servers[i].server_name, servers[i].share_name,
> > -- servers[i].credentials->username, j);
> > -+ cli_credentials_get_username(servers[i].credentials),
> > -+ j);
> > -
> > - cli_credentials_set_workstation(servers[i].credentials,
> > - "gentest", CRED_SPECIFIED);
> > ---
> > -1.9.3
> > -
> > -
> > -From 9687534ac54b732f73c3f4758055a278eaa0cbb2 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 13:23:41 +0200
> > -Subject: [PATCH 010/249] s4:torture/rpc: make use of
> > - cli_credentials_set_netlogon_creds()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit d47bf469b8a9064f4f7033918b1fe519adfa0c26)
> > ----
> > - source4/torture/rpc/schannel.c | 36 ++++++++++++++++--------------------
> > - 1 file changed, 16 insertions(+), 20 deletions(-)
> > -
> > -diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
> > -index e0862d2..8203749 100644
> > ---- a/source4/torture/rpc/schannel.c
> > -+++ b/source4/torture/rpc/schannel.c
> > -@@ -604,9 +604,9 @@ bool torture_rpc_schannel2(struct torture_context *torture)
> > - torture_assert(torture, join_ctx != NULL,
> > - "Failed to join domain with acct_flags=ACB_WSTRUST");
> > -
> > -- credentials2 = (struct cli_credentials *)talloc_memdup(torture, credentials1, sizeof(*credentials1));
> > -- credentials1->netlogon_creds = NULL;
> > -- credentials2->netlogon_creds = NULL;
> > -+ credentials2 = cli_credentials_shallow_copy(torture, credentials1);
> > -+ cli_credentials_set_netlogon_creds(credentials1, NULL);
> > -+ cli_credentials_set_netlogon_creds(credentials2, NULL);
> > -
> > - status = dcerpc_parse_binding(torture, binding, &b);
> > - torture_assert_ntstatus_ok(torture, status, "Bad binding string");
> > -@@ -624,8 +624,8 @@ bool torture_rpc_schannel2(struct torture_context *torture)
> > - credentials2, torture->ev, torture->lp_ctx);
> > - torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
> > -
> > -- credentials1->netlogon_creds = NULL;
> > -- credentials2->netlogon_creds = NULL;
> > -+ cli_credentials_set_netlogon_creds(credentials1, NULL);
> > -+ cli_credentials_set_netlogon_creds(credentials2, NULL);
> > -
> > - torture_comment(torture, "Testing logon on pipe1\n");
> > - if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
> > -@@ -827,16 +827,12 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
> > - s->nprocs = torture_setting_int(torture, "nprocs", 4);
> > - s->conns = talloc_zero_array(s, struct torture_schannel_bench_conn, s->nprocs);
> > -
> > -- s->user1_creds = (struct cli_credentials *)talloc_memdup(s,
> > -- cmdline_credentials,
> > -- sizeof(*s->user1_creds));
> > -+ s->user1_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
> > - tmp = torture_setting_string(s->tctx, "extra_user1", NULL);
> > - if (tmp) {
> > - cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
> > - }
> > -- s->user2_creds = (struct cli_credentials *)talloc_memdup(s,
> > -- cmdline_credentials,
> > -- sizeof(*s->user1_creds));
> > -+ s->user2_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
> > - tmp = torture_setting_string(s->tctx, "extra_user2", NULL);
> > - if (tmp) {
> > - cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
> > -@@ -855,15 +851,16 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
> > - cli_credentials_set_kerberos_state(s->wks_creds2, CRED_DONT_USE_KERBEROS);
> > -
> > - for (i=0; i < s->nprocs; i++) {
> > -- s->conns[i].s = s;
> > -- s->conns[i].index = i;
> > -- s->conns[i].wks_creds = (struct cli_credentials *)talloc_memdup(
> > -- s->conns, s->wks_creds1,sizeof(*s->wks_creds1));
> > -+ struct cli_credentials *wks = s->wks_creds1;
> > -+
> > - if ((i % 2) && (torture_setting_bool(torture, "multijoin", false))) {
> > -- memcpy(s->conns[i].wks_creds, s->wks_creds2,
> > -- talloc_get_size(s->conns[i].wks_creds));
> > -+ wks = s->wks_creds2;
> > - }
> > -- s->conns[i].wks_creds->netlogon_creds = NULL;
> > -+
> > -+ s->conns[i].s = s;
> > -+ s->conns[i].index = i;
> > -+ s->conns[i].wks_creds = cli_credentials_shallow_copy(s->conns, wks);
> > -+ cli_credentials_set_netlogon_creds(s->conns[i].wks_creds, NULL);
> > - }
> > -
> > - status = dcerpc_parse_binding(s, binding, &s->b);
> > -@@ -962,8 +959,7 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
> > -
> > - /* Just as a test, connect with the new creds */
> > -
> > -- talloc_free(s->wks_creds1->netlogon_creds);
> > -- s->wks_creds1->netlogon_creds = NULL;
> > -+ cli_credentials_set_netlogon_creds(s->wks_creds1, NULL);
> > -
> > - status = dcerpc_pipe_connect_b(s, &net_pipe, s->b,
> > - &ndr_table_netlogon,
> > ---
> > -1.9.3
> > -
> > -
> > -From de6c67e98d94d003f36fef5472b8133c578b3c01 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 13:24:21 +0200
> > -Subject: [PATCH 011/249] s4:ntlm_auth: make use of
> > - cli_credentials_[set_]callback_data*
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit bbd63dd8a17468d3e332969a30c06e2b2f1540fc)
> > ----
> > - source4/utils/ntlm_auth.c | 10 ++++++----
> > - 1 file changed, 6 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
> > -index c363c9d..136e238 100644
> > ---- a/source4/utils/ntlm_auth.c
> > -+++ b/source4/utils/ntlm_auth.c
> > -@@ -299,10 +299,11 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod
> > - static const char *get_password(struct cli_credentials *credentials)
> > - {
> > - char *password = NULL;
> > --
> > -+ void *cb = cli_credentials_callback_data_void(credentials);
> > -+
> > - /* Ask for a password */
> > -- mux_printf((unsigned int)(uintptr_t)credentials->priv_data, "PW\n");
> > -- credentials->priv_data = NULL;
> > -+ mux_printf((unsigned int)(uintptr_t)cb, "PW\n");
> > -+ cli_credentials_set_callback_data(credentials, NULL);
> > -
> > - manage_squid_request(cmdline_lp_ctx, NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password);
> > - return password;
> > -@@ -505,8 +506,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
> > - if (state->set_password) {
> > - cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
> > - } else {
> > -+ void *cb = (void*)(uintptr_t)mux_id;
> > -+ cli_credentials_set_callback_data(creds, cb);
> > - cli_credentials_set_password_callback(creds, get_password);
> > -- creds->priv_data = (void*)(uintptr_t)mux_id;
> > - }
> > - if (opt_workstation) {
> > - cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
> > ---
> > -1.9.3
> > -
> > -
> > -From 80c611a2b424e4e4a7e6de7ed6b9368bff0d9afb Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 12:41:40 +0200
> > -Subject: [PATCH 012/249] auth/credentials: keep cli_credentials private
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 9325bd9cb6bb942ea989f4e32799c76ea8af3d3e)
> > ----
> > - auth/credentials/credentials.c | 1 +
> > - auth/credentials/credentials.h | 101 +++-------------------------
> > - auth/credentials/credentials_internal.h | 114 ++++++++++++++++++++++++++++++++
> > - auth/credentials/credentials_krb5.c | 1 +
> > - auth/credentials/credentials_ntlm.c | 1 +
> > - auth/credentials/credentials_secrets.c | 1 +
> > - 6 files changed, 126 insertions(+), 93 deletions(-)
> > - create mode 100644 auth/credentials/credentials_internal.h
> > -
> > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > -index c1c6993..f334465 100644
> > ---- a/auth/credentials/credentials.c
> > -+++ b/auth/credentials/credentials.c
> > -@@ -24,6 +24,7 @@
> > - #include "includes.h"
> > - #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
> > - #include "auth/credentials/credentials.h"
> > -+#include "auth/credentials/credentials_internal.h"
> > - #include "libcli/auth/libcli_auth.h"
> > - #include "tevent.h"
> > - #include "param/param.h"
> > -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
> > -index 1377bfa..cb09dc3 100644
> > ---- a/auth/credentials/credentials.h
> > -+++ b/auth/credentials/credentials.h
> > -@@ -25,9 +25,17 @@
> > - #include "../lib/util/data_blob.h"
> > - #include "librpc/gen_ndr/misc.h"
> > -
> > -+struct cli_credentials;
> > - struct ccache_container;
> > - struct tevent_context;
> > - struct netlogon_creds_CredentialState;
> > -+struct ldb_context;
> > -+struct ldb_message;
> > -+struct loadparm_context;
> > -+struct ccache_container;
> > -+struct gssapi_creds_container;
> > -+struct smb_krb5_context;
> > -+struct keytab_container;
> > -
> > - /* In order of priority */
> > - enum credentials_obtained {
> > -@@ -57,99 +65,6 @@ enum credentials_krb_forwardable {
> > - #define CLI_CRED_NTLM_AUTH 0x08
> > - #define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
> > -
> > --struct cli_credentials {
> > -- enum credentials_obtained workstation_obtained;
> > -- enum credentials_obtained username_obtained;
> > -- enum credentials_obtained password_obtained;
> > -- enum credentials_obtained domain_obtained;
> > -- enum credentials_obtained realm_obtained;
> > -- enum credentials_obtained ccache_obtained;
> > -- enum credentials_obtained client_gss_creds_obtained;
> > -- enum credentials_obtained principal_obtained;
> > -- enum credentials_obtained keytab_obtained;
> > -- enum credentials_obtained server_gss_creds_obtained;
> > --
> > -- /* Threshold values (essentially a MAX() over a number of the
> > -- * above) for the ccache and GSS credentials, to ensure we
> > -- * regenerate/pick correctly */
> > --
> > -- enum credentials_obtained ccache_threshold;
> > -- enum credentials_obtained client_gss_creds_threshold;
> > --
> > -- const char *workstation;
> > -- const char *username;
> > -- const char *password;
> > -- const char *old_password;
> > -- const char *domain;
> > -- const char *realm;
> > -- const char *principal;
> > -- char *salt_principal;
> > -- char *impersonate_principal;
> > -- char *self_service;
> > -- char *target_service;
> > --
> > -- const char *bind_dn;
> > --
> > -- /* Allows authentication from a keytab or similar */
> > -- struct samr_Password *nt_hash;
> > --
> > -- /* Allows NTLM pass-though authentication */
> > -- DATA_BLOB lm_response;
> > -- DATA_BLOB nt_response;
> > --
> > -- struct ccache_container *ccache;
> > -- struct gssapi_creds_container *client_gss_creds;
> > -- struct keytab_container *keytab;
> > -- struct gssapi_creds_container *server_gss_creds;
> > --
> > -- const char *(*workstation_cb) (struct cli_credentials *);
> > -- const char *(*password_cb) (struct cli_credentials *);
> > -- const char *(*username_cb) (struct cli_credentials *);
> > -- const char *(*domain_cb) (struct cli_credentials *);
> > -- const char *(*realm_cb) (struct cli_credentials *);
> > -- const char *(*principal_cb) (struct cli_credentials *);
> > --
> > -- /* Private handle for the callback routines to use */
> > -- void *priv_data;
> > --
> > -- struct netlogon_creds_CredentialState *netlogon_creds;
> > -- enum netr_SchannelType secure_channel_type;
> > -- int kvno;
> > -- time_t password_last_changed_time;
> > --
> > -- struct smb_krb5_context *smb_krb5_context;
> > --
> > -- /* We are flagged to get machine account details from the
> > -- * secrets.ldb when we are asked for a username or password */
> > -- bool machine_account_pending;
> > -- struct loadparm_context *machine_account_pending_lp_ctx;
> > --
> > -- /* Is this a machine account? */
> > -- bool machine_account;
> > --
> > -- /* Should we be trying to use kerberos? */
> > -- enum credentials_use_kerberos use_kerberos;
> > --
> > -- /* Should we get a forwardable ticket? */
> > -- enum credentials_krb_forwardable krb_forwardable;
> > --
> > -- /* gensec features which should be used for connections */
> > -- uint32_t gensec_features;
> > --
> > -- /* Number of retries left before bailing out */
> > -- int tries;
> > --
> > -- /* Whether any callback is currently running */
> > -- bool callback_running;
> > --};
> > --
> > --struct ldb_context;
> > --struct ldb_message;
> > --struct loadparm_context;
> > --struct ccache_container;
> > --
> > --struct gssapi_creds_container;
> > --
> > - const char *cli_credentials_get_workstation(struct cli_credentials *cred);
> > - bool cli_credentials_set_workstation(struct cli_credentials *cred,
> > - const char *val,
> > -diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
> > -new file mode 100644
> > -index 0000000..5a3655b
> > ---- /dev/null
> > -+++ b/auth/credentials/credentials_internal.h
> > -@@ -0,0 +1,114 @@
> > -+/*
> > -+ samba -- Unix SMB/CIFS implementation.
> > -+
> > -+ Client credentials structure
> > -+
> > -+ Copyright (C) Jelmer Vernooij 2004-2006
> > -+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
> > -+
> > -+ This program is free software; you can redistribute it and/or modify
> > -+ it under the terms of the GNU General Public License as published by
> > -+ the Free Software Foundation; either version 3 of the License, or
> > -+ (at your option) any later version.
> > -+
> > -+ This program is distributed in the hope that it will be useful,
> > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > -+ GNU General Public License for more details.
> > -+
> > -+ You should have received a copy of the GNU General Public License
> > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > -+*/
> > -+#ifndef __CREDENTIALS_INTERNAL_H__
> > -+#define __CREDENTIALS_INTERNAL_H__
> > -+
> > -+#include "../lib/util/data_blob.h"
> > -+#include "librpc/gen_ndr/misc.h"
> > -+
> > -+struct cli_credentials {
> > -+ enum credentials_obtained workstation_obtained;
> > -+ enum credentials_obtained username_obtained;
> > -+ enum credentials_obtained password_obtained;
> > -+ enum credentials_obtained domain_obtained;
> > -+ enum credentials_obtained realm_obtained;
> > -+ enum credentials_obtained ccache_obtained;
> > -+ enum credentials_obtained client_gss_creds_obtained;
> > -+ enum credentials_obtained principal_obtained;
> > -+ enum credentials_obtained keytab_obtained;
> > -+ enum credentials_obtained server_gss_creds_obtained;
> > -+
> > -+ /* Threshold values (essentially a MAX() over a number of the
> > -+ * above) for the ccache and GSS credentials, to ensure we
> > -+ * regenerate/pick correctly */
> > -+
> > -+ enum credentials_obtained ccache_threshold;
> > -+ enum credentials_obtained client_gss_creds_threshold;
> > -+
> > -+ const char *workstation;
> > -+ const char *username;
> > -+ const char *password;
> > -+ const char *old_password;
> > -+ const char *domain;
> > -+ const char *realm;
> > -+ const char *principal;
> > -+ char *salt_principal;
> > -+ char *impersonate_principal;
> > -+ char *self_service;
> > -+ char *target_service;
> > -+
> > -+ const char *bind_dn;
> > -+
> > -+ /* Allows authentication from a keytab or similar */
> > -+ struct samr_Password *nt_hash;
> > -+
> > -+ /* Allows NTLM pass-though authentication */
> > -+ DATA_BLOB lm_response;
> > -+ DATA_BLOB nt_response;
> > -+
> > -+ struct ccache_container *ccache;
> > -+ struct gssapi_creds_container *client_gss_creds;
> > -+ struct keytab_container *keytab;
> > -+ struct gssapi_creds_container *server_gss_creds;
> > -+
> > -+ const char *(*workstation_cb) (struct cli_credentials *);
> > -+ const char *(*password_cb) (struct cli_credentials *);
> > -+ const char *(*username_cb) (struct cli_credentials *);
> > -+ const char *(*domain_cb) (struct cli_credentials *);
> > -+ const char *(*realm_cb) (struct cli_credentials *);
> > -+ const char *(*principal_cb) (struct cli_credentials *);
> > -+
> > -+ /* Private handle for the callback routines to use */
> > -+ void *priv_data;
> > -+
> > -+ struct netlogon_creds_CredentialState *netlogon_creds;
> > -+ enum netr_SchannelType secure_channel_type;
> > -+ int kvno;
> > -+ time_t password_last_changed_time;
> > -+
> > -+ struct smb_krb5_context *smb_krb5_context;
> > -+
> > -+ /* We are flagged to get machine account details from the
> > -+ * secrets.ldb when we are asked for a username or password */
> > -+ bool machine_account_pending;
> > -+ struct loadparm_context *machine_account_pending_lp_ctx;
> > -+
> > -+ /* Is this a machine account? */
> > -+ bool machine_account;
> > -+
> > -+ /* Should we be trying to use kerberos? */
> > -+ enum credentials_use_kerberos use_kerberos;
> > -+
> > -+ /* Should we get a forwardable ticket? */
> > -+ enum credentials_krb_forwardable krb_forwardable;
> > -+
> > -+ /* gensec features which should be used for connections */
> > -+ uint32_t gensec_features;
> > -+
> > -+ /* Number of retries left before bailing out */
> > -+ int tries;
> > -+
> > -+ /* Whether any callback is currently running */
> > -+ bool callback_running;
> > -+};
> > -+
> > -+#endif /* __CREDENTIALS_INTERNAL_H__ */
> > -diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
> > -index ec6a695..489a959 100644
> > ---- a/auth/credentials/credentials_krb5.c
> > -+++ b/auth/credentials/credentials_krb5.c
> > -@@ -26,6 +26,7 @@
> > - #include "system/gssapi.h"
> > - #include "auth/kerberos/kerberos.h"
> > - #include "auth/credentials/credentials.h"
> > -+#include "auth/credentials/credentials_internal.h"
> > - #include "auth/credentials/credentials_proto.h"
> > - #include "auth/credentials/credentials_krb5.h"
> > - #include "auth/kerberos/kerberos_credentials.h"
> > -diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
> > -index 8f143bf..8c6be39 100644
> > ---- a/auth/credentials/credentials_ntlm.c
> > -+++ b/auth/credentials/credentials_ntlm.c
> > -@@ -26,6 +26,7 @@
> > - #include "../lib/crypto/crypto.h"
> > - #include "libcli/auth/libcli_auth.h"
> > - #include "auth/credentials/credentials.h"
> > -+#include "auth/credentials/credentials_internal.h"
> > -
> > - _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
> > - int *flags,
> > -diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
> > -index 27ee607..678d167 100644
> > ---- a/auth/credentials/credentials_secrets.c
> > -+++ b/auth/credentials/credentials_secrets.c
> > -@@ -28,6 +28,7 @@
> > - #include "param/secrets.h"
> > - #include "system/filesys.h"
> > - #include "auth/credentials/credentials.h"
> > -+#include "auth/credentials/credentials_internal.h"
> > - #include "auth/credentials/credentials_proto.h"
> > - #include "auth/credentials/credentials_krb5.h"
> > - #include "auth/kerberos/kerberos_util.h"
> > ---
> > -1.9.3
> > -
> > -
> > -From 96ea01159cfee1e384dbd5966c7eb512d495e322 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 13:39:17 +0200
> > -Subject: [PATCH 013/249] auth/credentials: get the old password from
> > - secrets.tdb
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 26a7420c1c4307023b22676cd85d95010ecbf603)
> > ----
> > - auth/credentials/credentials_secrets.c | 11 +++++++++++
> > - 1 file changed, 11 insertions(+)
> > -
> > -diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
> > -index 678d167..6c1cded 100644
> > ---- a/auth/credentials/credentials_secrets.c
> > -+++ b/auth/credentials/credentials_secrets.c
> > -@@ -238,6 +238,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
> > - bool secrets_tdb_password_more_recent;
> > - time_t secrets_tdb_lct = 0;
> > - char *secrets_tdb_password = NULL;
> > -+ char *secrets_tdb_old_password = NULL;
> > - char *keystr;
> > - char *keystr_upper = NULL;
> > - char *secrets_tdb;
> > -@@ -285,6 +286,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
> > - if (NT_STATUS_IS_OK(status)) {
> > - secrets_tdb_password = (char *)dbuf.dptr;
> > - }
> > -+ keystr = talloc_asprintf(tmp_ctx, "%s/%s",
> > -+ SECRETS_MACHINE_PASSWORD_PREV,
> > -+ domain);
> > -+ keystr_upper = strupper_talloc(tmp_ctx, keystr);
> > -+ status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
> > -+ &dbuf);
> > -+ if (NT_STATUS_IS_OK(status)) {
> > -+ secrets_tdb_old_password = (char *)dbuf.dptr;
> > -+ }
> > - }
> > -
> > - filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
> > -@@ -308,6 +318,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
> > - if (secrets_tdb_password_more_recent) {
> > - char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
> > - cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
> > -+ cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
> > - cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
> > - cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
> > - } else if (!NT_STATUS_IS_OK(status)) {
> > ---
> > -1.9.3
> > -
> > -
> > -From 74f5c14921f53b95b64dbcbf0352a89d50b20af1 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 14:25:54 +0200
> > -Subject: [PATCH 014/249] auth/credentials: simplify password_tries state
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 8ea36a8e58d499aa7bf342b365ca00cb39f295b6)
> > ----
> > - auth/credentials/credentials.c | 19 ++++++++++++++-----
> > - auth/credentials/credentials_internal.h | 2 +-
> > - 2 files changed, 15 insertions(+), 6 deletions(-)
> > -
> > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > -index f334465..4ac5356 100644
> > ---- a/auth/credentials/credentials.c
> > -+++ b/auth/credentials/credentials.c
> > -@@ -104,7 +104,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
> > -
> > - cred->machine_account = false;
> > -
> > -- cred->tries = 3;
> > -+ cred->password_tries = 0;
> > -
> > - cred->callback_running = false;
> > -
> > -@@ -397,6 +397,7 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
> > - enum credentials_obtained obtained)
> > - {
> > - if (obtained >= cred->password_obtained) {
> > -+ cred->password_tries = 0;
> > - cred->password = talloc_strdup(cred, val);
> > - if (cred->password) {
> > - /* Don't print the actual password in talloc memory dumps */
> > -@@ -418,6 +419,7 @@ _PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred
> > - const char *(*password_cb) (struct cli_credentials *))
> > - {
> > - if (cred->password_obtained < CRED_CALLBACK) {
> > -+ cred->password_tries = 3;
> > - cred->password_cb = password_cb;
> > - cred->password_obtained = CRED_CALLBACK;
> > - cli_credentials_invalidate_ccache(cred, cred->password_obtained);
> > -@@ -897,12 +899,19 @@ _PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred)
> > - if (cred->password_obtained != CRED_CALLBACK_RESULT) {
> > - return false;
> > - }
> > --
> > -- cred->password_obtained = CRED_CALLBACK;
> > -
> > -- cred->tries--;
> > -+ if (cred->password_tries == 0) {
> > -+ return false;
> > -+ }
> > -+
> > -+ cred->password_tries--;
> > -
> > -- return (cred->tries > 0);
> > -+ if (cred->password_tries == 0) {
> > -+ return false;
> > -+ }
> > -+
> > -+ cred->password_obtained = CRED_CALLBACK;
> > -+ return true;
> > - }
> > -
> > - _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
> > -diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
> > -index 5a3655b..f2f79b9 100644
> > ---- a/auth/credentials/credentials_internal.h
> > -+++ b/auth/credentials/credentials_internal.h
> > -@@ -105,7 +105,7 @@ struct cli_credentials {
> > - uint32_t gensec_features;
> > -
> > - /* Number of retries left before bailing out */
> > -- int tries;
> > -+ uint32_t password_tries;
> > -
> > - /* Whether any callback is currently running */
> > - bool callback_running;
> > ---
> > -1.9.3
> > -
> > -
> > -From 8d2c51caeecebc0b7d16fb7cf7b7fe2f2b5d8edd Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 31 Jul 2013 14:32:36 +0200
> > -Subject: [PATCH 015/249] auth/credentials: use CRED_CALLBACK_RESULT after a
> > - callback
> > -
> > -We only do this if it's still CRED_CALLBACK after the callback,
> > -this allowes the callback to overwrite it.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -
> > -Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
> > -Autobuild-Date(master): Mon Aug 5 09:36:05 CEST 2013 on sn-devel-104
> > -(cherry picked from commit b699d404bb5d4385a757b5aa5d0e792cf9d5de59)
> > ----
> > - auth/credentials/credentials.c | 34 +++++++++++++++++++++++-----------
> > - 1 file changed, 23 insertions(+), 11 deletions(-)
> > -
> > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > -index 4ac5356..be497bc 100644
> > ---- a/auth/credentials/credentials.c
> > -+++ b/auth/credentials/credentials.c
> > -@@ -206,8 +206,10 @@ _PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
> > - cred->callback_running = true;
> > - cred->username = cred->username_cb(cred);
> > - cred->callback_running = false;
> > -- cred->username_obtained = CRED_SPECIFIED;
> > -- cli_credentials_invalidate_ccache(cred, cred->username_obtained);
> > -+ if (cred->username_obtained == CRED_CALLBACK) {
> > -+ cred->username_obtained = CRED_CALLBACK_RESULT;
> > -+ cli_credentials_invalidate_ccache(cred, cred->username_obtained);
> > -+ }
> > - }
> > -
> > - return cred->username;
> > -@@ -275,8 +277,10 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
> > - cred->callback_running = true;
> > - cred->principal = cred->principal_cb(cred);
> > - cred->callback_running = false;
> > -- cred->principal_obtained = CRED_SPECIFIED;
> > -- cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
> > -+ if (cred->principal_obtained == CRED_CALLBACK) {
> > -+ cred->principal_obtained = CRED_CALLBACK_RESULT;
> > -+ cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
> > -+ }
> > - }
> > -
> > - if (cred->principal_obtained < cred->username_obtained
> > -@@ -382,8 +386,10 @@ _PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
> > - cred->callback_running = true;
> > - cred->password = cred->password_cb(cred);
> > - cred->callback_running = false;
> > -- cred->password_obtained = CRED_CALLBACK_RESULT;
> > -- cli_credentials_invalidate_ccache(cred, cred->password_obtained);
> > -+ if (cred->password_obtained == CRED_CALLBACK) {
> > -+ cred->password_obtained = CRED_CALLBACK_RESULT;
> > -+ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
> > -+ }
> > - }
> > -
> > - return cred->password;
> > -@@ -502,8 +508,10 @@ _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
> > - cred->callback_running = true;
> > - cred->domain = cred->domain_cb(cred);
> > - cred->callback_running = false;
> > -- cred->domain_obtained = CRED_SPECIFIED;
> > -- cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
> > -+ if (cred->domain_obtained == CRED_CALLBACK) {
> > -+ cred->domain_obtained = CRED_CALLBACK_RESULT;
> > -+ cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
> > -+ }
> > - }
> > -
> > - return cred->domain;
> > -@@ -561,8 +569,10 @@ _PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred)
> > - cred->callback_running = true;
> > - cred->realm = cred->realm_cb(cred);
> > - cred->callback_running = false;
> > -- cred->realm_obtained = CRED_SPECIFIED;
> > -- cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
> > -+ if (cred->realm_obtained == CRED_CALLBACK) {
> > -+ cred->realm_obtained = CRED_CALLBACK_RESULT;
> > -+ cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
> > -+ }
> > - }
> > -
> > - return cred->realm;
> > -@@ -612,7 +622,9 @@ _PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cre
> > - cred->callback_running = true;
> > - cred->workstation = cred->workstation_cb(cred);
> > - cred->callback_running = false;
> > -- cred->workstation_obtained = CRED_SPECIFIED;
> > -+ if (cred->workstation_obtained == CRED_CALLBACK) {
> > -+ cred->workstation_obtained = CRED_CALLBACK_RESULT;
> > -+ }
> > - }
> > -
> > - return cred->workstation;
> > ---
> > -1.9.3
> > -
> > -
> > -From a498324b38326a874616b0bab1e5a9cd29b664ce Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 17 May 2013 16:02:59 +0200
> > -Subject: [PATCH 016/249] s3-net: pass down ndr_interface_table to
> > - connect_dst_pipe().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 93e92faca9c99cd91878c2f48fb244233b16aa0f)
> > ----
> > - source3/utils/net_proto.h | 2 +-
> > - source3/utils/net_rpc.c | 4 ++--
> > - source3/utils/net_rpc_printer.c | 10 +++++-----
> > - source3/utils/net_util.c | 4 ++--
> > - 4 files changed, 10 insertions(+), 10 deletions(-)
> > -
> > -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
> > -index 3f99e14..03fb312 100644
> > ---- a/source3/utils/net_proto.h
> > -+++ b/source3/utils/net_proto.h
> > -@@ -416,7 +416,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
> > - const char *server_name);
> > - NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
> > - struct rpc_pipe_client **pp_pipe_hnd,
> > -- const struct ndr_syntax_id *interface);
> > -+ const struct ndr_interface_table *table);
> > - int net_use_krb_machine_account(struct net_context *c);
> > - int net_use_machine_account(struct net_context *c);
> > - bool net_find_server(struct net_context *c,
> > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > -index c5c4d6c..4503f59 100644
> > ---- a/source3/utils/net_rpc.c
> > -+++ b/source3/utils/net_rpc.c
> > -@@ -3654,7 +3654,7 @@ static NTSTATUS rpc_share_migrate_shares_internals(struct net_context *c,
> > -
> > - /* connect destination PI_SRVSVC */
> > - nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
> > -- &ndr_table_srvsvc.syntax_id);
> > -+ &ndr_table_srvsvc);
> > - if (!NT_STATUS_IS_OK(nt_status))
> > - return nt_status;
> > -
> > -@@ -4140,7 +4140,7 @@ static NTSTATUS rpc_share_migrate_security_internals(struct net_context *c,
> > -
> > - /* connect destination PI_SRVSVC */
> > - nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
> > -- &ndr_table_srvsvc.syntax_id);
> > -+ &ndr_table_srvsvc);
> > - if (!NT_STATUS_IS_OK(nt_status))
> > - return nt_status;
> > -
> > -diff --git a/source3/utils/net_rpc_printer.c b/source3/utils/net_rpc_printer.c
> > -index ba34de1..1e42e6f 100644
> > ---- a/source3/utils/net_rpc_printer.c
> > -+++ b/source3/utils/net_rpc_printer.c
> > -@@ -1578,7 +1578,7 @@ NTSTATUS rpc_printer_migrate_security_internals(struct net_context *c,
> > -
> > - /* connect destination PI_SPOOLSS */
> > - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> > -- &ndr_table_spoolss.syntax_id);
> > -+ &ndr_table_spoolss);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - return nt_status;
> > - }
> > -@@ -1730,7 +1730,7 @@ NTSTATUS rpc_printer_migrate_forms_internals(struct net_context *c,
> > -
> > - /* connect destination PI_SPOOLSS */
> > - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> > -- &ndr_table_spoolss.syntax_id);
> > -+ &ndr_table_spoolss);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - return nt_status;
> > - }
> > -@@ -1907,7 +1907,7 @@ NTSTATUS rpc_printer_migrate_drivers_internals(struct net_context *c,
> > - DEBUG(3,("copying printer-drivers\n"));
> > -
> > - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> > -- &ndr_table_spoolss.syntax_id);
> > -+ &ndr_table_spoolss);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - return nt_status;
> > - }
> > -@@ -2126,7 +2126,7 @@ NTSTATUS rpc_printer_migrate_printers_internals(struct net_context *c,
> > -
> > - /* connect destination PI_SPOOLSS */
> > - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> > -- &ndr_table_spoolss.syntax_id);
> > -+ &ndr_table_spoolss);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - return nt_status;
> > - }
> > -@@ -2301,7 +2301,7 @@ NTSTATUS rpc_printer_migrate_settings_internals(struct net_context *c,
> > -
> > - /* connect destination PI_SPOOLSS */
> > - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> > -- &ndr_table_spoolss.syntax_id);
> > -+ &ndr_table_spoolss);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - return nt_status;
> > - }
> > -diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
> > -index 9c4a77e..a4282ec 100644
> > ---- a/source3/utils/net_util.c
> > -+++ b/source3/utils/net_util.c
> > -@@ -231,7 +231,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
> > - **/
> > - NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
> > - struct rpc_pipe_client **pp_pipe_hnd,
> > -- const struct ndr_syntax_id *interface)
> > -+ const struct ndr_interface_table *table)
> > - {
> > - NTSTATUS nt_status;
> > - char *server_name = SMB_STRDUP("127.0.0.1");
> > -@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
> > - return nt_status;
> > - }
> > -
> > -- nt_status = cli_rpc_pipe_open_noauth(cli_tmp, interface,
> > -+ nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - DEBUG(0, ("couldn't not initialize pipe\n"));
> > ---
> > -1.9.3
> > -
> > -
> > -From d5273069a42d7234daaf3dd043d0a6e455348385 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 17 May 2013 16:24:42 +0200
> > -Subject: [PATCH 017/249] s3-rpc_cli: remove prototype of nonexisting
> > - cli_rpc_pipe_open_krb5().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit a1368ca6ef8ab4f158c8b303ad058835f1bbf441)
> > ----
> > - source3/rpc_client/cli_pipe.h | 9 ---------
> > - 1 file changed, 9 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index bf785fb..34ae542 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -131,15 +131,6 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > - const char *domain,
> > - struct rpc_pipe_client **presult);
> > -
> > --NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
> > -- const struct ndr_syntax_id *interface,
> > -- enum dcerpc_transport_t transport,
> > -- enum dcerpc_AuthLevel auth_level,
> > -- const char *service_princ,
> > -- const char *username,
> > -- const char *password,
> > -- struct rpc_pipe_client **presult);
> > --
> > - NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> > - struct rpc_pipe_client *cli,
> > - DATA_BLOB *session_key);
> > ---
> > -1.9.3
> > -
> > -
> > -From 1a6c1ddb44aac3f201bbe2cabab10e409ffd042b Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 17 May 2013 16:08:16 +0200
> > -Subject: [PATCH 018/249] s3-libnetapi: pass down ndr_interface_table to
> > - libnetapi_get_binding_handle().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit fa37bbd9d06865d265bf554a3c49920f956f2185)
> > ----
> > - source3/lib/netapi/cm.c | 4 ++--
> > - source3/lib/netapi/file.c | 6 +++---
> > - source3/lib/netapi/getdc.c | 6 +++---
> > - source3/lib/netapi/netapi_private.h | 3 ++-
> > - source3/lib/netapi/netlogon.c | 4 ++--
> > - source3/lib/netapi/serverinfo.c | 6 +++---
> > - source3/lib/netapi/share.c | 10 +++++-----
> > - source3/lib/netapi/shutdown.c | 4 ++--
> > - 8 files changed, 22 insertions(+), 21 deletions(-)
> > -
> > -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> > -index da3d2e1..c3ae19f 100644
> > ---- a/source3/lib/netapi/cm.c
> > -+++ b/source3/lib/netapi/cm.c
> > -@@ -269,7 +269,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > -
> > - WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> > - const char *server_name,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - struct dcerpc_binding_handle **binding_handle)
> > - {
> > - struct rpc_pipe_client *pipe_cli;
> > -@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> > -
> > - *binding_handle = NULL;
> > -
> > -- result = libnetapi_open_pipe(ctx, server_name, interface, &pipe_cli);
> > -+ result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
> > - if (!W_ERROR_IS_OK(result)) {
> > - return result;
> > - }
> > -diff --git a/source3/lib/netapi/file.c b/source3/lib/netapi/file.c
> > -index 1e406d2..551f9ff 100644
> > ---- a/source3/lib/netapi/file.c
> > -+++ b/source3/lib/netapi/file.c
> > -@@ -36,7 +36,7 @@ WERROR NetFileClose_r(struct libnetapi_ctx *ctx,
> > - struct dcerpc_binding_handle *b;
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_srvsvc.syntax_id,
> > -+ &ndr_table_srvsvc,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -130,7 +130,7 @@ WERROR NetFileGetInfo_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_srvsvc.syntax_id,
> > -+ &ndr_table_srvsvc,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -201,7 +201,7 @@ WERROR NetFileEnum_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_srvsvc.syntax_id,
> > -+ &ndr_table_srvsvc,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -diff --git a/source3/lib/netapi/getdc.c b/source3/lib/netapi/getdc.c
> > -index 3b26d46..ae976f1 100644
> > ---- a/source3/lib/netapi/getdc.c
> > -+++ b/source3/lib/netapi/getdc.c
> > -@@ -47,7 +47,7 @@ WERROR NetGetDCName_r(struct libnetapi_ctx *ctx,
> > - void *buffer;
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_netlogon.syntax_id,
> > -+ &ndr_table_netlogon,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -101,7 +101,7 @@ WERROR NetGetAnyDCName_r(struct libnetapi_ctx *ctx,
> > - void *buffer;
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_netlogon.syntax_id,
> > -+ &ndr_table_netlogon,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -173,7 +173,7 @@ WERROR DsGetDcName_r(struct libnetapi_ctx *ctx,
> > - struct dcerpc_binding_handle *b;
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_netlogon.syntax_id,
> > -+ &ndr_table_netlogon,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
> > -index 349287b..62aa7ef 100644
> > ---- a/source3/lib/netapi/netapi_private.h
> > -+++ b/source3/lib/netapi/netapi_private.h
> > -@@ -30,6 +30,7 @@
> > - return fn ## _r(ctx, r);
> > -
> > - struct dcerpc_binding_handle;
> > -+struct ndr_interface_table;
> > -
> > - struct libnetapi_private_ctx {
> > - struct {
> > -@@ -64,7 +65,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > - struct rpc_pipe_client **presult);
> > - WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> > - const char *server_name,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - struct dcerpc_binding_handle **binding_handle);
> > - WERROR libnetapi_samr_open_domain(struct libnetapi_ctx *mem_ctx,
> > - struct rpc_pipe_client *pipe_cli,
> > -diff --git a/source3/lib/netapi/netlogon.c b/source3/lib/netapi/netlogon.c
> > -index a046fb7..136cb48 100644
> > ---- a/source3/lib/netapi/netlogon.c
> > -+++ b/source3/lib/netapi/netlogon.c
> > -@@ -133,7 +133,7 @@ WERROR I_NetLogonControl_r(struct libnetapi_ctx *ctx,
> > - struct dcerpc_binding_handle *b;
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_netlogon.syntax_id,
> > -+ &ndr_table_netlogon,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -190,7 +190,7 @@ WERROR I_NetLogonControl2_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_netlogon.syntax_id,
> > -+ &ndr_table_netlogon,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -diff --git a/source3/lib/netapi/serverinfo.c b/source3/lib/netapi/serverinfo.c
> > -index 046b693..b2a84d1 100644
> > ---- a/source3/lib/netapi/serverinfo.c
> > -+++ b/source3/lib/netapi/serverinfo.c
> > -@@ -503,7 +503,7 @@ WERROR NetServerGetInfo_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_srvsvc.syntax_id,
> > -+ &ndr_table_srvsvc,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -616,7 +616,7 @@ WERROR NetServerSetInfo_r(struct libnetapi_ctx *ctx,
> > - struct dcerpc_binding_handle *b;
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_srvsvc.syntax_id,
> > -+ &ndr_table_srvsvc,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -658,7 +658,7 @@ WERROR NetRemoteTOD_r(struct libnetapi_ctx *ctx,
> > - struct dcerpc_binding_handle *b;
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_srvsvc.syntax_id,
> > -+ &ndr_table_srvsvc,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -diff --git a/source3/lib/netapi/share.c b/source3/lib/netapi/share.c
> > -index d12fa1c..090e1a9 100644
> > ---- a/source3/lib/netapi/share.c
> > -+++ b/source3/lib/netapi/share.c
> > -@@ -200,7 +200,7 @@ WERROR NetShareAdd_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_srvsvc.syntax_id,
> > -+ &ndr_table_srvsvc,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -258,7 +258,7 @@ WERROR NetShareDel_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_srvsvc.syntax_id,
> > -+ &ndr_table_srvsvc,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -321,7 +321,7 @@ WERROR NetShareEnum_r(struct libnetapi_ctx *ctx,
> > - ZERO_STRUCT(info_ctr);
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_srvsvc.syntax_id,
> > -+ &ndr_table_srvsvc,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -428,7 +428,7 @@ WERROR NetShareGetInfo_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_srvsvc.syntax_id,
> > -+ &ndr_table_srvsvc,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -502,7 +502,7 @@ WERROR NetShareSetInfo_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_srvsvc.syntax_id,
> > -+ &ndr_table_srvsvc,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -diff --git a/source3/lib/netapi/shutdown.c b/source3/lib/netapi/shutdown.c
> > -index 78bc2fc..9e1e8e1 100644
> > ---- a/source3/lib/netapi/shutdown.c
> > -+++ b/source3/lib/netapi/shutdown.c
> > -@@ -38,7 +38,7 @@ WERROR NetShutdownInit_r(struct libnetapi_ctx *ctx,
> > - struct dcerpc_binding_handle *b;
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_initshutdown.syntax_id,
> > -+ &ndr_table_initshutdown,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -82,7 +82,7 @@ WERROR NetShutdownAbort_r(struct libnetapi_ctx *ctx,
> > - struct dcerpc_binding_handle *b;
> > -
> > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > -- &ndr_table_initshutdown.syntax_id,
> > -+ &ndr_table_initshutdown,
> > - &b);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > ---
> > -1.9.3
> > -
> > -
> > -From e25e7bfe15bdb89a9680708c27b50e14a8a86ca3 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 17 May 2013 16:10:13 +0200
> > -Subject: [PATCH 019/249] s3-libnetapi: pass down ndr_interface_table to
> > - libnetapi_open_pipe().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 77f7f2a976e5b95f3bd9f542b92926adee4f5fa6)
> > ----
> > - source3/lib/netapi/cm.c | 8 ++++----
> > - source3/lib/netapi/group.c | 18 +++++++++---------
> > - source3/lib/netapi/joindomain.c | 10 +++++-----
> > - source3/lib/netapi/localgroup.c | 14 +++++++-------
> > - source3/lib/netapi/netapi_private.h | 2 +-
> > - source3/lib/netapi/user.c | 22 +++++++++++-----------
> > - 6 files changed, 37 insertions(+), 37 deletions(-)
> > -
> > -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> > -index c3ae19f..dd1f1e3 100644
> > ---- a/source3/lib/netapi/cm.c
> > -+++ b/source3/lib/netapi/cm.c
> > -@@ -234,7 +234,7 @@ static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
> > -
> > - WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > - const char *server_name,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult)
> > - {
> > - struct rpc_pipe_client *result = NULL;
> > -@@ -251,10 +251,10 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > - return werr;
> > - }
> > -
> > -- status = pipe_cm_open(ctx, ipc, interface, &result);
> > -+ status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
> > -- get_pipe_name_from_syntax(talloc_tos(), interface),
> > -+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > - get_friendly_nt_error_msg(status));
> > - return WERR_DEST_NOT_FOUND;
> > - }
> > -@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> > -
> > - *binding_handle = NULL;
> > -
> > -- result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
> > -+ result = libnetapi_open_pipe(ctx, server_name, table, &pipe_cli);
> > - if (!W_ERROR_IS_OK(result)) {
> > - return result;
> > - }
> > -diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
> > -index b806fc4..6d9b248 100644
> > ---- a/source3/lib/netapi/group.c
> > -+++ b/source3/lib/netapi/group.c
> > -@@ -76,7 +76,7 @@ WERROR NetGroupAdd_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -272,7 +272,7 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -492,7 +492,7 @@ WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -770,7 +770,7 @@ WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -918,7 +918,7 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -1078,7 +1078,7 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -1397,7 +1397,7 @@ WERROR NetGroupEnum_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -1544,7 +1544,7 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
> > -
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -1736,7 +1736,7 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
> > -index b6fb57a..d8e624f 100644
> > ---- a/source3/lib/netapi/joindomain.c
> > -+++ b/source3/lib/netapi/joindomain.c
> > -@@ -116,7 +116,7 @@ WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
> > - DATA_BLOB session_key;
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server,
> > -- &ndr_table_wkssvc.syntax_id,
> > -+ &ndr_table_wkssvc,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -257,7 +257,7 @@ WERROR NetUnjoinDomain_r(struct libnetapi_ctx *ctx,
> > - DATA_BLOB session_key;
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_wkssvc.syntax_id,
> > -+ &ndr_table_wkssvc,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -313,7 +313,7 @@ WERROR NetGetJoinInformation_r(struct libnetapi_ctx *ctx,
> > - struct dcerpc_binding_handle *b;
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_wkssvc.syntax_id,
> > -+ &ndr_table_wkssvc,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -455,7 +455,7 @@ WERROR NetGetJoinableOUs_r(struct libnetapi_ctx *ctx,
> > - DATA_BLOB session_key;
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_wkssvc.syntax_id,
> > -+ &ndr_table_wkssvc,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -508,7 +508,7 @@ WERROR NetRenameMachineInDomain_r(struct libnetapi_ctx *ctx,
> > - DATA_BLOB session_key;
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_wkssvc.syntax_id,
> > -+ &ndr_table_wkssvc,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
> > -index 17cab68..241970d 100644
> > ---- a/source3/lib/netapi/localgroup.c
> > -+++ b/source3/lib/netapi/localgroup.c
> > -@@ -185,7 +185,7 @@ WERROR NetLocalGroupAdd_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -319,7 +319,7 @@ WERROR NetLocalGroupDel_r(struct libnetapi_ctx *ctx,
> > - ZERO_STRUCT(alias_handle);
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -499,7 +499,7 @@ WERROR NetLocalGroupGetInfo_r(struct libnetapi_ctx *ctx,
> > - ZERO_STRUCT(alias_handle);
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -678,7 +678,7 @@ WERROR NetLocalGroupSetInfo_r(struct libnetapi_ctx *ctx,
> > - ZERO_STRUCT(alias_handle);
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -828,7 +828,7 @@ WERROR NetLocalGroupEnum_r(struct libnetapi_ctx *ctx,
> > - ZERO_STRUCT(alias_handle);
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -1141,7 +1141,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
> > -
> > - if (r->in.level == 3) {
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_lsarpc.syntax_id,
> > -+ &ndr_table_lsarpc,
> > - &lsa_pipe);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -1160,7 +1160,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
> > -index 62aa7ef..897cf3d 100644
> > ---- a/source3/lib/netapi/netapi_private.h
> > -+++ b/source3/lib/netapi/netapi_private.h
> > -@@ -61,7 +61,7 @@ NET_API_STATUS libnetapi_get_debuglevel(struct libnetapi_ctx *ctx, char **debugl
> > - WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx);
> > - WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > - const char *server_name,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult);
> > - WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> > - const char *server_name,
> > -diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
> > -index a971e2d..4a39f69 100644
> > ---- a/source3/lib/netapi/user.c
> > -+++ b/source3/lib/netapi/user.c
> > -@@ -400,7 +400,7 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -552,7 +552,7 @@ WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
> > - ZERO_STRUCT(user_handle);
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > -
> > - if (!W_ERROR_IS_OK(werr)) {
> > -@@ -1322,7 +1322,7 @@ WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -1630,7 +1630,7 @@ WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -1764,7 +1764,7 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -1936,7 +1936,7 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -2395,7 +2395,7 @@ WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -2880,7 +2880,7 @@ WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -3015,7 +3015,7 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -3206,7 +3206,7 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > -@@ -3547,7 +3547,7 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
> > - }
> > -
> > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &pipe_cli);
> > - if (!W_ERROR_IS_OK(werr)) {
> > - goto done;
> > ---
> > -1.9.3
> > -
> > -
> > -From 4157ba43258373cd995b2ee74dcd4d65782dc2ea Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 17 May 2013 16:13:26 +0200
> > -Subject: [PATCH 020/249] s3-libnetapi: pass down ndr_interface_table to
> > - pipe_cm() and friends.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 0ce2178f2ffeaee324c7e8fef7c87727def7bd77)
> > ----
> > - source3/lib/netapi/cm.c | 16 ++++++++--------
> > - 1 file changed, 8 insertions(+), 8 deletions(-)
> > -
> > -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> > -index dd1f1e3..8551521 100644
> > ---- a/source3/lib/netapi/cm.c
> > -+++ b/source3/lib/netapi/cm.c
> > -@@ -161,7 +161,7 @@ WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx)
> > - ********************************************************************/
> > -
> > - static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult)
> > - {
> > - struct client_pipe_connection *p;
> > -@@ -177,7 +177,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
> > -
> > - if (strequal(ipc_remote_name, p->pipe->desthost)
> > - && ndr_syntax_id_equal(&p->pipe->abstract_syntax,
> > -- interface)) {
> > -+ &table->syntax_id)) {
> > - *presult = p->pipe;
> > - return NT_STATUS_OK;
> > - }
> > -@@ -191,7 +191,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
> > -
> > - static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
> > - struct client_ipc_connection *ipc,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult)
> > - {
> > - struct client_pipe_connection *p;
> > -@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- status = cli_rpc_pipe_open_noauth(ipc->cli, interface, &p->pipe);
> > -+ status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - TALLOC_FREE(p);
> > - return status;
> > -@@ -219,14 +219,14 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
> > -
> > - static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
> > - struct client_ipc_connection *ipc,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult)
> > - {
> > -- if (NT_STATUS_IS_OK(pipe_cm_find(ipc, interface, presult))) {
> > -+ if (NT_STATUS_IS_OK(pipe_cm_find(ipc, table, presult))) {
> > - return NT_STATUS_OK;
> > - }
> > -
> > -- return pipe_cm_connect(ctx, ipc, interface, presult);
> > -+ return pipe_cm_connect(ctx, ipc, table, presult);
> > - }
> > -
> > - /********************************************************************
> > -@@ -251,7 +251,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > - return werr;
> > - }
> > -
> > -- status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
> > -+ status = pipe_cm_open(ctx, ipc, table, &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
> > - get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > ---
> > -1.9.3
> > -
> > -
> > -From ec8ba2a371ce4c4cc14d04e852034dcd92862542 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 17 May 2013 16:16:59 +0200
> > -Subject: [PATCH 021/249] s3-rpc_cli: pass down ndr_interface_table to
> > - rpc_pipe_open_ncalrpc().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 9b4fb5b074b035eaef98c4a463c9d68006ed52da)
> > ----
> > - source3/librpc/rpc/dcerpc_ep.c | 2 +-
> > - source3/rpc_client/cli_pipe.c | 4 ++--
> > - source3/rpc_client/cli_pipe.h | 2 +-
> > - 3 files changed, 4 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/source3/librpc/rpc/dcerpc_ep.c b/source3/librpc/rpc/dcerpc_ep.c
> > -index bb080c5..410caa7 100644
> > ---- a/source3/librpc/rpc/dcerpc_ep.c
> > -+++ b/source3/librpc/rpc/dcerpc_ep.c
> > -@@ -365,7 +365,7 @@ static NTSTATUS ep_register(TALLOC_CTX *mem_ctx,
> > -
> > - status = rpc_pipe_open_ncalrpc(tmp_ctx,
> > - ncalrpc_sock,
> > -- &ndr_table_epmapper.syntax_id,
> > -+ &ndr_table_epmapper,
> > - &cli);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - goto done;
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 385ae25..427b628 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2682,7 +2682,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
> > - Create a rpc pipe client struct, connecting to a unix domain socket
> > - ********************************************************************/
> > - NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> > -- const struct ndr_syntax_id *abstract_syntax,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult)
> > - {
> > - struct rpc_pipe_client *result;
> > -@@ -2696,7 +2696,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- result->abstract_syntax = *abstract_syntax;
> > -+ result->abstract_syntax = table->syntax_id;
> > - result->transfer_syntax = ndr_transfer_syntax_ndr;
> > -
> > - result->desthost = get_myname(result);
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index 34ae542..3415db0 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -71,7 +71,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
> > - struct rpc_pipe_client **presult);
> > -
> > - NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> > -- const struct ndr_syntax_id *abstract_syntax,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult);
> > -
> > - struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
> > ---
> > -1.9.3
> > -
> > -
> > -From 816b7983c2342ea500e7467f2ab6c04dff89308f Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 17 May 2013 16:44:05 +0200
> > -Subject: [PATCH 022/249] s3-rpc_cli: pass down ndr_interface_table to
> > - rpc_pipe_open_interface().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 6886cff0a7e97864e9094af936cbef08a3c8f6f4)
> > ----
> > - source3/printing/nt_printing_migrate_internal.c | 2 +-
> > - source3/printing/printspoolss.c | 4 +--
> > - source3/rpc_server/rpc_ncacn_np.c | 8 +++---
> > - source3/rpc_server/rpc_ncacn_np.h | 2 +-
> > - source3/smbd/lanman.c | 34 ++++++++++++-------------
> > - source3/smbd/reply.c | 2 +-
> > - 6 files changed, 26 insertions(+), 26 deletions(-)
> > -
> > -diff --git a/source3/printing/nt_printing_migrate_internal.c b/source3/printing/nt_printing_migrate_internal.c
> > -index 200db07f..6bc7ea2 100644
> > ---- a/source3/printing/nt_printing_migrate_internal.c
> > -+++ b/source3/printing/nt_printing_migrate_internal.c
> > -@@ -211,7 +211,7 @@ bool nt_printing_tdb_migrate(struct messaging_context *msg_ctx)
> > - }
> > -
> > - status = rpc_pipe_open_interface(tmp_ctx,
> > -- &ndr_table_winreg.syntax_id,
> > -+ &ndr_table_winreg,
> > - session_info,
> > - NULL,
> > - msg_ctx,
> > -diff --git a/source3/printing/printspoolss.c b/source3/printing/printspoolss.c
> > -index fc1e9c1..0507e83 100644
> > ---- a/source3/printing/printspoolss.c
> > -+++ b/source3/printing/printspoolss.c
> > -@@ -154,7 +154,7 @@ NTSTATUS print_spool_open(files_struct *fsp,
> > - * a job id */
> > -
> > - status = rpc_pipe_open_interface(fsp->conn,
> > -- &ndr_table_spoolss.syntax_id,
> > -+ &ndr_table_spoolss,
> > - fsp->conn->session_info,
> > - fsp->conn->sconn->remote_address,
> > - fsp->conn->sconn->msg_ctx,
> > -@@ -343,7 +343,7 @@ void print_spool_terminate(struct connection_struct *conn,
> > - rap_jobid_delete(print_file->svcname, print_file->jobid);
> > -
> > - status = rpc_pipe_open_interface(conn,
> > -- &ndr_table_spoolss.syntax_id,
> > -+ &ndr_table_spoolss,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
> > -index b4602a9..7389b3e 100644
> > ---- a/source3/rpc_server/rpc_ncacn_np.c
> > -+++ b/source3/rpc_server/rpc_ncacn_np.c
> > -@@ -758,7 +758,7 @@ done:
> > - */
> > -
> > - NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> > -- const struct ndr_syntax_id *syntax,
> > -+ const struct ndr_interface_table *table,
> > - const struct auth_session_info *session_info,
> > - const struct tsocket_address *remote_address,
> > - struct messaging_context *msg_ctx,
> > -@@ -783,7 +783,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- pipe_name = get_pipe_name_from_syntax(tmp_ctx, syntax);
> > -+ pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
> > - if (pipe_name == NULL) {
> > - status = NT_STATUS_INVALID_PARAMETER;
> > - goto done;
> > -@@ -800,7 +800,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> > - switch (pipe_mode) {
> > - case RPC_SERVICE_MODE_EMBEDDED:
> > - status = rpc_pipe_open_internal(tmp_ctx,
> > -- syntax, session_info,
> > -+ &table->syntax_id, session_info,
> > - remote_address, msg_ctx,
> > - &cli);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -@@ -813,7 +813,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> > - * to spoolssd. */
> > -
> > - status = rpc_pipe_open_external(tmp_ctx,
> > -- pipe_name, syntax,
> > -+ pipe_name, &table->syntax_id,
> > - session_info,
> > - &cli);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -diff --git a/source3/rpc_server/rpc_ncacn_np.h b/source3/rpc_server/rpc_ncacn_np.h
> > -index 586d61b..67cd8a1 100644
> > ---- a/source3/rpc_server/rpc_ncacn_np.h
> > -+++ b/source3/rpc_server/rpc_ncacn_np.h
> > -@@ -50,7 +50,7 @@ NTSTATUS rpcint_binding_handle(TALLOC_CTX *mem_ctx,
> > - struct messaging_context *msg_ctx,
> > - struct dcerpc_binding_handle **binding_handle);
> > - NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> > -- const struct ndr_syntax_id *syntax,
> > -+ const struct ndr_interface_table *table,
> > - const struct auth_session_info *session_info,
> > - const struct tsocket_address *remote_address,
> > - struct messaging_context *msg_ctx,
> > -diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
> > -index d0dae36..3c488ec 100644
> > ---- a/source3/smbd/lanman.c
> > -+++ b/source3/smbd/lanman.c
> > -@@ -832,7 +832,7 @@ static bool api_DosPrintQGetInfo(struct smbd_server_connection *sconn,
> > - }
> > -
> > - status = rpc_pipe_open_interface(conn,
> > -- &ndr_table_spoolss.syntax_id,
> > -+ &ndr_table_spoolss,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -1029,7 +1029,7 @@ static bool api_DosPrintQEnum(struct smbd_server_connection *sconn,
> > - }
> > -
> > - status = rpc_pipe_open_interface(conn,
> > -- &ndr_table_spoolss.syntax_id,
> > -+ &ndr_table_spoolss,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -2256,7 +2256,7 @@ static bool api_RNetShareAdd(struct smbd_server_connection *sconn,
> > - return false;
> > - }
> > -
> > -- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
> > -+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -2368,7 +2368,7 @@ static bool api_RNetGroupEnum(struct smbd_server_connection *sconn,
> > - }
> > -
> > - status = rpc_pipe_open_interface(
> > -- talloc_tos(), &ndr_table_samr.syntax_id,
> > -+ talloc_tos(), &ndr_table_samr,
> > - conn->session_info, conn->sconn->remote_address,
> > - conn->sconn->msg_ctx, &samr_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -@@ -2574,7 +2574,7 @@ static bool api_NetUserGetGroups(struct smbd_server_connection *sconn,
> > - endp = *rdata + *rdata_len;
> > -
> > - status = rpc_pipe_open_interface(
> > -- talloc_tos(), &ndr_table_samr.syntax_id,
> > -+ talloc_tos(), &ndr_table_samr,
> > - conn->session_info, conn->sconn->remote_address,
> > - conn->sconn->msg_ctx, &samr_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -@@ -2774,7 +2774,7 @@ static bool api_RNetUserEnum(struct smbd_server_connection *sconn,
> > - endp = *rdata + *rdata_len;
> > -
> > - status = rpc_pipe_open_interface(
> > -- talloc_tos(), &ndr_table_samr.syntax_id,
> > -+ talloc_tos(), &ndr_table_samr,
> > - conn->session_info, conn->sconn->remote_address,
> > - conn->sconn->msg_ctx, &samr_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -@@ -3037,7 +3037,7 @@ static bool api_SamOEMChangePassword(struct smbd_server_connection *sconn,
> > - memcpy(password.data, data, 516);
> > - memcpy(hash.hash, data+516, 16);
> > -
> > -- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
> > -+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -3134,7 +3134,7 @@ static bool api_RDosPrintJobDel(struct smbd_server_connection *sconn,
> > - ZERO_STRUCT(handle);
> > -
> > - status = rpc_pipe_open_interface(conn,
> > -- &ndr_table_spoolss.syntax_id,
> > -+ &ndr_table_spoolss,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -3262,7 +3262,7 @@ static bool api_WPrintQueueCtrl(struct smbd_server_connection *sconn,
> > - ZERO_STRUCT(handle);
> > -
> > - status = rpc_pipe_open_interface(conn,
> > -- &ndr_table_spoolss.syntax_id,
> > -+ &ndr_table_spoolss,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -3444,7 +3444,7 @@ static bool api_PrintJobInfo(struct smbd_server_connection *sconn,
> > - ZERO_STRUCT(handle);
> > -
> > - status = rpc_pipe_open_interface(conn,
> > -- &ndr_table_spoolss.syntax_id,
> > -+ &ndr_table_spoolss,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -3621,7 +3621,7 @@ static bool api_RNetServerGetInfo(struct smbd_server_connection *sconn,
> > - p = *rdata;
> > - p2 = p + struct_len;
> > -
> > -- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
> > -+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -4052,7 +4052,7 @@ static bool api_RNetUserGetInfo(struct smbd_server_connection *sconn,
> > - ZERO_STRUCT(domain_handle);
> > - ZERO_STRUCT(user_handle);
> > -
> > -- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
> > -+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -4581,7 +4581,7 @@ static bool api_WPrintJobGetInfo(struct smbd_server_connection *sconn,
> > - ZERO_STRUCT(handle);
> > -
> > - status = rpc_pipe_open_interface(conn,
> > -- &ndr_table_spoolss.syntax_id,
> > -+ &ndr_table_spoolss,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -4723,7 +4723,7 @@ static bool api_WPrintJobEnumerate(struct smbd_server_connection *sconn,
> > - ZERO_STRUCT(handle);
> > -
> > - status = rpc_pipe_open_interface(conn,
> > -- &ndr_table_spoolss.syntax_id,
> > -+ &ndr_table_spoolss,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -4923,7 +4923,7 @@ static bool api_WPrintDestGetInfo(struct smbd_server_connection *sconn,
> > - ZERO_STRUCT(handle);
> > -
> > - status = rpc_pipe_open_interface(conn,
> > -- &ndr_table_spoolss.syntax_id,
> > -+ &ndr_table_spoolss,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -5055,7 +5055,7 @@ static bool api_WPrintDestEnum(struct smbd_server_connection *sconn,
> > - queuecnt = 0;
> > -
> > - status = rpc_pipe_open_interface(conn,
> > -- &ndr_table_spoolss.syntax_id,
> > -+ &ndr_table_spoolss,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -@@ -5366,7 +5366,7 @@ static bool api_RNetSessionEnum(struct smbd_server_connection *sconn,
> > - }
> > -
> > - status = rpc_pipe_open_interface(conn,
> > -- &ndr_table_srvsvc.syntax_id,
> > -+ &ndr_table_srvsvc,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > -diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
> > -index 3f5b950..eace557 100644
> > ---- a/source3/smbd/reply.c
> > -+++ b/source3/smbd/reply.c
> > -@@ -5637,7 +5637,7 @@ void reply_printqueue(struct smb_request *req)
> > - ZERO_STRUCT(handle);
> > -
> > - status = rpc_pipe_open_interface(conn,
> > -- &ndr_table_spoolss.syntax_id,
> > -+ &ndr_table_spoolss,
> > - conn->session_info,
> > - conn->sconn->remote_address,
> > - conn->sconn->msg_ctx,
> > ---
> > -1.9.3
> > -
> > -
> > -From 3dc2d438f0b440f34b7cdd9eeac429a15f679460 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 24 May 2013 13:03:23 +0200
> > -Subject: [PATCH 023/249] s3-rpc_cli: pass down ndr_interface_table to
> > - cli_rpc_pipe_open_schannel().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit f6d61b571d79ebf1df58513ec728057d00b95f3e)
> > ----
> > - source3/auth/auth_domain.c | 2 +-
> > - source3/rpc_client/cli_pipe.h | 2 +-
> > - source3/rpc_client/cli_pipe_schannel.c | 4 ++--
> > - source3/rpcclient/rpcclient.c | 2 +-
> > - source3/utils/net_rpc.c | 2 +-
> > - 5 files changed, 6 insertions(+), 6 deletions(-)
> > -
> > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > -index 286c75c..a375f11 100644
> > ---- a/source3/auth/auth_domain.c
> > -+++ b/source3/auth/auth_domain.c
> > -@@ -115,7 +115,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> > - if (lp_client_schannel()) {
> > - /* We also setup the creds chain in the open_schannel call. */
> > - result = cli_rpc_pipe_open_schannel(
> > -- *cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> > -+ *cli, &ndr_table_netlogon, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> > - } else {
> > - result = cli_rpc_pipe_open_noauth(
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index 3415db0..d17322a 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -125,7 +125,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > - struct rpc_pipe_client **presult);
> > -
> > - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - enum dcerpc_transport_t transport,
> > - enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > -index c275720..8bc01a5 100644
> > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > -@@ -169,7 +169,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > - ****************************************************************************/
> > -
> > - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - enum dcerpc_transport_t transport,
> > - enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > -@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > - }
> > -
> > - status = cli_rpc_pipe_open_schannel_with_key(
> > -- cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
> > -+ cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
> > - &result);
> > -
> > - /* Now we've bound using the session key we can close the netlog pipe. */
> > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > -index d204d7f..6b6478e 100644
> > ---- a/source3/rpcclient/rpcclient.c
> > -+++ b/source3/rpcclient/rpcclient.c
> > -@@ -734,7 +734,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - break;
> > - case DCERPC_AUTH_TYPE_SCHANNEL:
> > - ntresult = cli_rpc_pipe_open_schannel(
> > -- cli, &cmd_entry->table->syntax_id,
> > -+ cli, cmd_entry->table,
> > - default_transport,
> > - pipe_default_auth_level,
> > - get_cmdline_auth_info_domain(auth_info),
> > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > -index 4503f59..dab9fcd 100644
> > ---- a/source3/utils/net_rpc.c
> > -+++ b/source3/utils/net_rpc.c
> > -@@ -191,7 +191,7 @@ int run_rpc_command(struct net_context *c,
> > - &ndr_table_netlogon.syntax_id))) {
> > - /* Always try and create an schannel netlogon pipe. */
> > - nt_status = cli_rpc_pipe_open_schannel(
> > -- cli, &table->syntax_id, NCACN_NP,
> > -+ cli, table, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > ---
> > -1.9.3
> > -
> > -
> > -From 428596faf89f424c83edb86d45c5a1322e3fb6b5 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 24 May 2013 13:08:33 +0200
> > -Subject: [PATCH 024/249] s3-rpc_cli: pass down ndr_interface_table to
> > - cli_rpc_pipe_open_ntlmssp_auth_schannel().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 7f169474fc86479abe09a5716b8029c6febcfaa9)
> > ----
> > - source3/rpc_client/cli_pipe.h | 2 +-
> > - source3/rpc_client/cli_pipe_schannel.c | 4 ++--
> > - 2 files changed, 3 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index d17322a..7026692 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -116,7 +116,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - struct rpc_pipe_client **presult);
> > -
> > - NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - enum dcerpc_transport_t transport,
> > - enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > -index 8bc01a5..261a768 100644
> > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > -@@ -128,7 +128,7 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
> > - ****************************************************************************/
> > -
> > - NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - enum dcerpc_transport_t transport,
> > - enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > -@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > - }
> > -
> > - status = cli_rpc_pipe_open_schannel_with_key(
> > -- cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
> > -+ cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
> > - &result);
> > -
> > - /* Now we've bound using the session key we can close the netlog pipe. */
> > ---
> > -1.9.3
> > -
> > -
> > -From cda31f4e490942ffc89513f000fa147f535a2713 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 24 May 2013 13:17:24 +0200
> > -Subject: [PATCH 025/249] s3-rpc_cli: pass down ndr_interface_table to
> > - cli_rpc_pipe_open_schannel_with_key().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 3dc3a6c8483a8de22b483ecf164c81232d4a8d65)
> > ----
> > - source3/libnet/libnet_join.c | 2 +-
> > - source3/rpc_client/cli_pipe.c | 6 +++---
> > - source3/rpc_client/cli_pipe.h | 2 +-
> > - source3/rpc_client/cli_pipe_schannel.c | 4 ++--
> > - source3/utils/net_rpc_join.c | 4 ++--
> > - source3/winbindd/winbindd_cm.c | 8 ++++----
> > - 6 files changed, 13 insertions(+), 13 deletions(-)
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index 1418385..9f47f3b 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -1287,7 +1287,7 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > - }
> > -
> > - status = cli_rpc_pipe_open_schannel_with_key(
> > -- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> > -+ cli, &ndr_table_netlogon, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY,
> > - netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 427b628..34cef32 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -3022,7 +3022,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> > - ****************************************************************************/
> > -
> > - NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - enum dcerpc_transport_t transport,
> > - enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > -@@ -3033,7 +3033,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - struct pipe_auth_data *auth;
> > - NTSTATUS status;
> > -
> > -- status = cli_rpc_pipe_open(cli, transport, interface, &result);
> > -+ status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > -@@ -3070,7 +3070,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > -
> > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> > - "for domain %s and bound using schannel.\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), interface),
> > -+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > - result->desthost, domain));
> > -
> > - *presult = result;
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index 7026692..65bfbc8 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -108,7 +108,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
> > - struct rpc_pipe_client **presult);
> > -
> > - NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - enum dcerpc_transport_t transport,
> > - enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > -index 261a768..784e63f 100644
> > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > -@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > - }
> > -
> > - status = cli_rpc_pipe_open_schannel_with_key(
> > -- cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
> > -+ cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
> > - &result);
> > -
> > - /* Now we've bound using the session key we can close the netlog pipe. */
> > -@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > - }
> > -
> > - status = cli_rpc_pipe_open_schannel_with_key(
> > -- cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
> > -+ cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
> > - &result);
> > -
> > - /* Now we've bound using the session key we can close the netlog pipe. */
> > -diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
> > -index 56799cd..4b43769 100644
> > ---- a/source3/utils/net_rpc_join.c
> > -+++ b/source3/utils/net_rpc_join.c
> > -@@ -137,7 +137,7 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
> > - }
> > -
> > - ntret = cli_rpc_pipe_open_schannel_with_key(
> > -- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> > -+ cli, &ndr_table_netlogon, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY,
> > - domain, &netlogon_pipe->dc, &pipe_hnd);
> > -
> > -@@ -497,7 +497,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > - struct rpc_pipe_client *netlogon_schannel_pipe;
> > -
> > - status = cli_rpc_pipe_open_schannel_with_key(
> > -- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> > -+ cli, &ndr_table_netlogon, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY, domain, &pipe_hnd->dc,
> > - &netlogon_schannel_pipe);
> > -
> > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > -index 61917db..f17fc68 100644
> > ---- a/source3/winbindd/winbindd_cm.c
> > -+++ b/source3/winbindd/winbindd_cm.c
> > -@@ -2415,7 +2415,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - goto anonymous;
> > - }
> > - status = cli_rpc_pipe_open_schannel_with_key
> > -- (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
> > -+ (conn->cli, &ndr_table_samr, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY,
> > - domain->name, &p_creds, &conn->samr_pipe);
> > -
> > -@@ -2547,7 +2547,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> > - }
> > -
> > - status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
> > -- &ndr_table_lsarpc.syntax_id,
> > -+ &ndr_table_lsarpc,
> > - NCACN_IP_TCP,
> > - DCERPC_AUTH_LEVEL_PRIVACY,
> > - domain->name,
> > -@@ -2646,7 +2646,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - goto anonymous;
> > - }
> > - result = cli_rpc_pipe_open_schannel_with_key
> > -- (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
> > -+ (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY,
> > - domain->name, &p_creds, &conn->lsa_pipe);
> > -
> > -@@ -2831,7 +2831,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > - */
> > -
> > - result = cli_rpc_pipe_open_schannel_with_key(
> > -- conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> > -+ conn->cli, &ndr_table_netlogon, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
> > - &conn->netlogon_pipe);
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 9b569e91cd22806eedae76d3fb60cdbd7548e4c2 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 24 May 2013 13:29:28 +0200
> > -Subject: [PATCH 026/249] s3-rpc_cli: pass down ndr_interface_table to
> > - cli_rpc_pipe_open_noauth().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 9813fe2b04a5b4abaa95ea1d893b3803edbede4d)
> > ----
> > - source3/auth/auth_domain.c | 2 +-
> > - source3/client/client.c | 2 +-
> > - source3/lib/netapi/cm.c | 2 +-
> > - source3/libnet/libnet_join.c | 8 ++++----
> > - source3/libsmb/libsmb_dir.c | 2 +-
> > - source3/libsmb/libsmb_server.c | 2 +-
> > - source3/libsmb/passchange.c | 4 ++--
> > - source3/libsmb/trustdom_cache.c | 2 +-
> > - source3/libsmb/trusts_util.c | 2 +-
> > - source3/rpc_client/cli_pipe.c | 4 ++--
> > - source3/rpc_client/cli_pipe.h | 2 +-
> > - source3/rpc_client/cli_pipe_schannel.c | 2 +-
> > - source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +-
> > - source3/rpcclient/cmd_spoolss.c | 2 +-
> > - source3/rpcclient/cmd_test.c | 4 ++--
> > - source3/rpcclient/rpcclient.c | 2 +-
> > - source3/torture/test_async_echo.c | 2 +-
> > - source3/utils/net_ads.c | 2 +-
> > - source3/utils/net_rpc.c | 20 ++++++++++----------
> > - source3/utils/net_rpc_join.c | 6 +++---
> > - source3/utils/net_rpc_shell.c | 2 +-
> > - source3/utils/net_rpc_trust.c | 2 +-
> > - source3/utils/net_util.c | 8 ++++----
> > - source3/utils/netlookup.c | 2 +-
> > - source3/utils/smbcacls.c | 7 +++----
> > - source3/utils/smbcquotas.c | 2 +-
> > - source3/utils/smbtree.c | 2 +-
> > - source3/winbindd/winbindd_cm.c | 10 +++++-----
> > - 28 files changed, 54 insertions(+), 55 deletions(-)
> > -
> > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > -index a375f11..54ee5a1 100644
> > ---- a/source3/auth/auth_domain.c
> > -+++ b/source3/auth/auth_domain.c
> > -@@ -119,7 +119,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> > - DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> > - } else {
> > - result = cli_rpc_pipe_open_noauth(
> > -- *cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
> > -+ *cli, &ndr_table_netlogon, &netlogon_pipe);
> > - }
> > -
> > - if (!NT_STATUS_IS_OK(result)) {
> > -diff --git a/source3/client/client.c b/source3/client/client.c
> > -index ab46cb8..dafc5f0 100644
> > ---- a/source3/client/client.c
> > -+++ b/source3/client/client.c
> > -@@ -4227,7 +4227,7 @@ static bool browse_host_rpc(bool sort)
> > - int i;
> > - struct dcerpc_binding_handle *b;
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
> > - &pipe_hnd);
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> > -index 8551521..1cfdccf 100644
> > ---- a/source3/lib/netapi/cm.c
> > -+++ b/source3/lib/netapi/cm.c
> > -@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
> > -+ status = cli_rpc_pipe_open_noauth(ipc->cli, table, &p->pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - TALLOC_FREE(p);
> > - return status;
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index 9f47f3b..324c8f3 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -749,7 +749,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
> > - goto done;
> > - }
> > -
> > -- status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
> > -@@ -819,7 +819,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> > - fstring trust_passwd;
> > - NTSTATUS status;
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > -@@ -908,7 +908,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
> > -
> > - /* Open the domain */
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
> > -@@ -1377,7 +1377,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
> > -
> > - /* Open the domain */
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
> > -diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
> > -index 87e10d8..3a07f11 100644
> > ---- a/source3/libsmb/libsmb_dir.c
> > -+++ b/source3/libsmb/libsmb_dir.c
> > -@@ -277,7 +277,7 @@ net_share_enum_rpc(struct cli_state *cli,
> > - struct dcerpc_binding_handle *b;
> > -
> > - /* Open the server service pipe */
> > -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
> > -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - DEBUG(1, ("net_share_enum_rpc pipe open fail!\n"));
> > -diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
> > -index d4254da..dff0062 100644
> > ---- a/source3/libsmb/libsmb_server.c
> > -+++ b/source3/libsmb/libsmb_server.c
> > -@@ -802,7 +802,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
> > - ipc_srv->cli = ipc_cli;
> > -
> > - nt_status = cli_rpc_pipe_open_noauth(
> > -- ipc_srv->cli, &ndr_table_lsarpc.syntax_id, &pipe_hnd);
> > -+ ipc_srv->cli, &ndr_table_lsarpc, &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - DEBUG(1, ("cli_nt_session_open fail!\n"));
> > - errno = ENOTSUP;
> > -diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
> > -index 3933833..9736ada 100644
> > ---- a/source3/libsmb/passchange.c
> > -+++ b/source3/libsmb/passchange.c
> > -@@ -169,7 +169,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
> > - * way.
> > - */
> > - result = cli_rpc_pipe_open_noauth(
> > -- cli, &ndr_table_samr.syntax_id, &pipe_hnd);
> > -+ cli, &ndr_table_samr, &pipe_hnd);
> > - }
> > -
> > - if (!NT_STATUS_IS_OK(result)) {
> > -@@ -230,7 +230,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
> > - result = NT_STATUS_UNSUCCESSFUL;
> > -
> > - /* OK, this is ugly, but... try an anonymous pipe. */
> > -- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> > -+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> > - &pipe_hnd);
> > -
> > - if ( NT_STATUS_IS_OK(result) &&
> > -diff --git a/source3/libsmb/trustdom_cache.c b/source3/libsmb/trustdom_cache.c
> > -index 8789d30..dadc751 100644
> > ---- a/source3/libsmb/trustdom_cache.c
> > -+++ b/source3/libsmb/trustdom_cache.c
> > -@@ -289,7 +289,7 @@ static bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
> > -
> > - /* open the LSARPC_PIPE */
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > - &lsa_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - goto done;
> > -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> > -index 0d039bc..6156ba0 100644
> > ---- a/source3/libsmb/trusts_util.c
> > -+++ b/source3/libsmb/trusts_util.c
> > -@@ -182,7 +182,7 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
> > - /* Shouldn't we open this with schannel ? JRA. */
> > -
> > - nt_status = cli_rpc_pipe_open_noauth(
> > -- cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
> > -+ cli, &ndr_table_netlogon, &netlogon_pipe);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
> > - dc_name, nt_errstr(nt_status)));
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 34cef32..1137abd 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2948,11 +2948,11 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > - ****************************************************************************/
> > -
> > - NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult)
> > - {
> > - return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
> > -- interface, presult);
> > -+ &table->syntax_id, presult);
> > - }
> > -
> > - /****************************************************************************
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index 65bfbc8..9aae61a 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -77,7 +77,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> > - struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
> > -
> > - NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult);
> > -
> > - NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > -index 784e63f..bc672ef 100644
> > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > -@@ -217,7 +217,7 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli,
> > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > - NTSTATUS status;
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > - &netlogon_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > -diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
> > -index 335647b..c12cd05 100644
> > ---- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
> > -+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
> > -@@ -2504,7 +2504,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
> > - * Now start the NT Domain stuff :-).
> > - */
> > -
> > -- ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss.syntax_id, pp_pipe);
> > -+ ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss, pp_pipe);
> > - if (!NT_STATUS_IS_OK(ret)) {
> > - DEBUG(2,("spoolss_connect_to_client: unable to open the spoolss pipe on machine %s. Error was : %s.\n",
> > - remote_machine, nt_errstr(ret)));
> > -diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
> > -index 5c499d4..fb011f8 100644
> > ---- a/source3/rpcclient/cmd_spoolss.c
> > -+++ b/source3/rpcclient/cmd_spoolss.c
> > -@@ -3453,7 +3453,7 @@ static WERROR cmd_spoolss_printercmp(struct rpc_pipe_client *cli,
> > - if ( !NT_STATUS_IS_OK(nt_status) )
> > - return WERR_GENERAL_FAILURE;
> > -
> > -- nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss.syntax_id,
> > -+ nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss,
> > - &cli2);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - printf("failed to open spoolss pipe on server %s (%s)\n",
> > -diff --git a/source3/rpcclient/cmd_test.c b/source3/rpcclient/cmd_test.c
> > -index 591ae8c..367dc71 100644
> > ---- a/source3/rpcclient/cmd_test.c
> > -+++ b/source3/rpcclient/cmd_test.c
> > -@@ -36,14 +36,14 @@ static NTSTATUS cmd_testme(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
> > - d_printf("testme\n");
> > -
> > - status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
> > -- &ndr_table_lsarpc.syntax_id,
> > -+ &ndr_table_lsarpc,
> > - &lsa_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - goto done;
> > - }
> > -
> > - status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
> > -- &ndr_table_samr.syntax_id,
> > -+ &ndr_table_samr,
> > - &samr_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - goto done;
> > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > -index 6b6478e..e3b35bb 100644
> > ---- a/source3/rpcclient/rpcclient.c
> > -+++ b/source3/rpcclient/rpcclient.c
> > -@@ -167,7 +167,7 @@ static void fetch_machine_sid(struct cli_state *cli)
> > - goto error;
> > - }
> > -
> > -- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > -+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > - &lsapipe);
> > - if (!NT_STATUS_IS_OK(result)) {
> > - fprintf(stderr, "could not initialise lsa pipe. Error was %s\n", nt_errstr(result) );
> > -diff --git a/source3/torture/test_async_echo.c b/source3/torture/test_async_echo.c
> > -index 6df95dd..f21daa4 100644
> > ---- a/source3/torture/test_async_echo.c
> > -+++ b/source3/torture/test_async_echo.c
> > -@@ -82,7 +82,7 @@ bool run_async_echo(int dummy)
> > - printf("torture_open_connection failed\n");
> > - goto fail;
> > - }
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho,
> > - &p);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - printf("Could not open echo pipe: %s\n", nt_errstr(status));
> > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > -index 5699943..89eebf3 100644
> > ---- a/source3/utils/net_ads.c
> > -+++ b/source3/utils/net_ads.c
> > -@@ -1957,7 +1957,7 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
> > - SAFE_FREE(srv_cn_escaped);
> > - SAFE_FREE(printername_escaped);
> > -
> > -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
> > -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss, &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
> > - servername);
> > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > -index dab9fcd..69ff14d 100644
> > ---- a/source3/utils/net_rpc.c
> > -+++ b/source3/utils/net_rpc.c
> > -@@ -82,7 +82,7 @@ NTSTATUS net_get_remote_domain_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx,
> > - union lsa_PolicyInformation *info = NULL;
> > - struct dcerpc_binding_handle *b;
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > - &lsa_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
> > -@@ -212,7 +212,7 @@ int run_rpc_command(struct net_context *c,
> > - c->opt_password, &pipe_hnd);
> > - } else {
> > - nt_status = cli_rpc_pipe_open_noauth(
> > -- cli, &table->syntax_id,
> > -+ cli, table,
> > - &pipe_hnd);
> > - }
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > -@@ -348,7 +348,7 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
> > - NTSTATUS result;
> > - enum netr_SchannelType sec_channel_type;
> > -
> > -- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> > -+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(result)) {
> > - DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
> > -@@ -1966,7 +1966,7 @@ static NTSTATUS get_sid_from_name(struct cli_state *cli,
> > - NTSTATUS status, result;
> > - struct dcerpc_binding_handle *b;
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - goto done;
> > -@@ -2980,7 +2980,7 @@ static NTSTATUS rpc_list_alias_members(struct net_context *c,
> > - }
> > -
> > - result = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(pipe_hnd),
> > -- &ndr_table_lsarpc.syntax_id,
> > -+ &ndr_table_lsarpc,
> > - &lsa_pipe);
> > - if (!NT_STATUS_IS_OK(result)) {
> > - d_fprintf(stderr, _("Couldn't open LSA pipe. Error was %s\n"),
> > -@@ -6232,7 +6232,7 @@ static NTSTATUS rpc_trustdom_get_pdc(struct net_context *c,
> > -
> > - /* Try netr_GetDcName */
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > - &netr);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > -@@ -6379,7 +6379,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc,
> > - * Call LsaOpenPolicy and LsaQueryInfo
> > - */
> > -
> > -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) ));
> > -@@ -6656,7 +6656,7 @@ static int rpc_trustdom_vampire(struct net_context *c, int argc,
> > - return -1;
> > - };
> > -
> > -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
> > -@@ -6834,7 +6834,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
> > - return -1;
> > - };
> > -
> > -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
> > -@@ -6950,7 +6950,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
> > - /*
> > - * Open \PIPE\samr and get needed policy handles
> > - */
> > -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> > -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - DEBUG(0, ("Could not initialise samr pipe. Error was %s\n", nt_errstr(nt_status)));
> > -diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
> > -index 4b43769..aabbe54 100644
> > ---- a/source3/utils/net_rpc_join.c
> > -+++ b/source3/utils/net_rpc_join.c
> > -@@ -245,7 +245,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > -
> > - /* Fetch domain sid */
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
> > -@@ -280,7 +280,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > - }
> > -
> > - /* Create domain user */
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
> > -@@ -456,7 +456,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > -
> > - /* Now check the whole process from top-to-bottom */
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n",
> > -diff --git a/source3/utils/net_rpc_shell.c b/source3/utils/net_rpc_shell.c
> > -index 6086066..120cfa6 100644
> > ---- a/source3/utils/net_rpc_shell.c
> > -+++ b/source3/utils/net_rpc_shell.c
> > -@@ -85,7 +85,7 @@ static NTSTATUS net_sh_run(struct net_context *c,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- status = cli_rpc_pipe_open_noauth(ctx->cli, &cmd->table->syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(ctx->cli, cmd->table,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - d_fprintf(stderr, _("Could not open pipe: %s\n"),
> > -diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c
> > -index 9060700..5e58103 100644
> > ---- a/source3/utils/net_rpc_trust.c
> > -+++ b/source3/utils/net_rpc_trust.c
> > -@@ -210,7 +210,7 @@ static NTSTATUS connect_and_get_info(TALLOC_CTX *mem_ctx,
> > - return status;
> > - }
> > -
> > -- status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id, pipe_hnd);
> > -+ status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc, pipe_hnd);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0, ("Failed to initialise lsa pipe with error [%s]\n",
> > - nt_errstr(status)));
> > -diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
> > -index a4282ec..13a0ef1 100644
> > ---- a/source3/utils/net_util.c
> > -+++ b/source3/utils/net_util.c
> > -@@ -45,7 +45,7 @@ NTSTATUS net_rpc_lookup_name(struct net_context *c,
> > -
> > - ZERO_STRUCT(pol);
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > - &lsa_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
> > -@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
> > - return nt_status;
> > - }
> > -
> > -- nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
> > -+ nt_status = cli_rpc_pipe_open_noauth(cli_tmp, table,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - DEBUG(0, ("couldn't not initialize pipe\n"));
> > -@@ -571,7 +571,7 @@ static NTSTATUS net_scan_dc_noad(struct net_context *c,
> > - ZERO_STRUCTP(dc_info);
> > - ZERO_STRUCT(pol);
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > - &pipe_hnd);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > -@@ -634,7 +634,7 @@ NTSTATUS net_scan_dc(struct net_context *c,
> > -
> > - ZERO_STRUCTP(dc_info);
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup,
> > - &dssetup_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(10,("net_scan_dc: failed to open dssetup pipe with %s, "
> > -diff --git a/source3/utils/netlookup.c b/source3/utils/netlookup.c
> > -index b66c34e..56d3bfe 100644
> > ---- a/source3/utils/netlookup.c
> > -+++ b/source3/utils/netlookup.c
> > -@@ -122,7 +122,7 @@ static struct con_struct *create_cs(struct net_context *c,
> > - }
> > -
> > - nt_status = cli_rpc_pipe_open_noauth(cs->cli,
> > -- &ndr_table_lsarpc.syntax_id,
> > -+ &ndr_table_lsarpc,
> > - &cs->lsapipe);
> > -
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > -diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
> > -index 23a1192..f092839 100644
> > ---- a/source3/utils/smbcacls.c
> > -+++ b/source3/utils/smbcacls.c
> > -@@ -96,7 +96,7 @@ static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli,
> > - goto tcon_fail;
> > - }
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > - &p);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - goto fail;
> > -@@ -146,7 +146,7 @@ static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli,
> > - goto tcon_fail;
> > - }
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > - &p);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - goto fail;
> > -@@ -187,14 +187,13 @@ static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli,
> > - struct policy_handle handle;
> > - NTSTATUS status, result;
> > - TALLOC_CTX *frame = talloc_stackframe();
> > -- const struct ndr_syntax_id *lsarpc_syntax = &ndr_table_lsarpc.syntax_id;
> > -
> > - status = cli_tree_connect(cli, "IPC$", "?????", "", 0);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - goto done;
> > - }
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, lsarpc_syntax, &rpc_pipe);
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc, &rpc_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - goto tdis;
> > - }
> > -diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
> > -index bf1f95c..2791b93 100644
> > ---- a/source3/utils/smbcquotas.c
> > -+++ b/source3/utils/smbcquotas.c
> > -@@ -58,7 +58,7 @@ static bool cli_open_policy_hnd(void)
> > - NTSTATUS ret;
> > - cli_ipc = connect_one("IPC$");
> > - ret = cli_rpc_pipe_open_noauth(cli_ipc,
> > -- &ndr_table_lsarpc.syntax_id,
> > -+ &ndr_table_lsarpc,
> > - &global_pipe_hnd);
> > - if (!NT_STATUS_IS_OK(ret)) {
> > - return False;
> > -diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c
> > -index 40b1f09..5c07b12 100644
> > ---- a/source3/utils/smbtree.c
> > -+++ b/source3/utils/smbtree.c
> > -@@ -177,7 +177,7 @@ static bool get_rpc_shares(struct cli_state *cli,
> > - return False;
> > - }
> > -
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
> > - &pipe_hnd);
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > -index f17fc68..facef64 100644
> > ---- a/source3/winbindd/winbindd_cm.c
> > -+++ b/source3/winbindd/winbindd_cm.c
> > -@@ -2078,7 +2078,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
> > - DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
> > -
> > - status = cli_rpc_pipe_open_noauth(domain->conn.cli,
> > -- &ndr_table_dssetup.syntax_id,
> > -+ &ndr_table_dssetup,
> > - &cli);
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > -@@ -2129,7 +2129,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
> > -
> > - no_dssetup:
> > - status = cli_rpc_pipe_open_noauth(domain->conn.cli,
> > -- &ndr_table_lsarpc.syntax_id, &cli);
> > -+ &ndr_table_lsarpc, &cli);
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
> > -@@ -2447,7 +2447,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - anonymous:
> > -
> > - /* Finally fall back to anonymous. */
> > -- status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
> > -+ status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
> > - &conn->samr_pipe);
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > -@@ -2674,7 +2674,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - anonymous:
> > -
> > - result = cli_rpc_pipe_open_noauth(conn->cli,
> > -- &ndr_table_lsarpc.syntax_id,
> > -+ &ndr_table_lsarpc,
> > - &conn->lsa_pipe);
> > - if (!NT_STATUS_IS_OK(result)) {
> > - result = NT_STATUS_PIPE_NOT_AVAILABLE;
> > -@@ -2765,7 +2765,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > - TALLOC_FREE(conn->netlogon_pipe);
> > -
> > - result = cli_rpc_pipe_open_noauth(conn->cli,
> > -- &ndr_table_netlogon.syntax_id,
> > -+ &ndr_table_netlogon,
> > - &netlogon_pipe);
> > - if (!NT_STATUS_IS_OK(result)) {
> > - return result;
> > ---
> > -1.9.3
> > -
> > -
> > -From fce35e003f655b3564ee4df5ebfe7f3e6ff6d188 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 24 May 2013 13:33:03 +0200
> > -Subject: [PATCH 027/249] s3-rpc_cli: pass down ndr_interface_table to
> > - cli_rpc_pipe_open_noauth_transport().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 9aa99c3cfb0ff7a290dd4df472a4ff30d0efcb76)
> > ----
> > - source3/rpc_client/cli_pipe.c | 13 +++++++------
> > - source3/rpc_client/cli_pipe.h | 2 +-
> > - source3/rpcclient/rpcclient.c | 2 +-
> > - 3 files changed, 9 insertions(+), 8 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 1137abd..4523ab7 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2865,14 +2865,14 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> > -
> > - NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > - enum dcerpc_transport_t transport,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult)
> > - {
> > - struct rpc_pipe_client *result;
> > - struct pipe_auth_data *auth;
> > - NTSTATUS status;
> > -
> > -- status = cli_rpc_pipe_open(cli, transport, interface, &result);
> > -+ status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > -@@ -2921,7 +2921,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > - status = rpc_pipe_bind(result, auth);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - int lvl = 0;
> > -- if (ndr_syntax_id_equal(interface,
> > -+ if (ndr_syntax_id_equal(&table->syntax_id,
> > - &ndr_table_dssetup.syntax_id)) {
> > - /* non AD domains just don't have this pipe, avoid
> > - * level 0 statement in that case - gd */
> > -@@ -2929,7 +2929,8 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > - }
> > - DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
> > - "%s failed with error %s\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), interface),
> > -+ get_pipe_name_from_syntax(talloc_tos(),
> > -+ &table->syntax_id),
> > - nt_errstr(status) ));
> > - TALLOC_FREE(result);
> > - return status;
> > -@@ -2937,7 +2938,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > -
> > - DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
> > - "%s and bound anonymously.\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), interface),
> > -+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > - result->desthost));
> > -
> > - *presult = result;
> > -@@ -2952,7 +2953,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> > - struct rpc_pipe_client **presult)
> > - {
> > - return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
> > -- &table->syntax_id, presult);
> > -+ table, presult);
> > - }
> > -
> > - /****************************************************************************
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index 9aae61a..f37f8a9 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -82,7 +82,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> > -
> > - NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > - enum dcerpc_transport_t transport,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult);
> > -
> > - NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > -index e3b35bb..c23ff2d 100644
> > ---- a/source3/rpcclient/rpcclient.c
> > -+++ b/source3/rpcclient/rpcclient.c
> > -@@ -690,7 +690,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - case DCERPC_AUTH_TYPE_NONE:
> > - ntresult = cli_rpc_pipe_open_noauth_transport(
> > - cli, default_transport,
> > -- &cmd_entry->table->syntax_id,
> > -+ cmd_entry->table,
> > - &cmd_entry->rpc_pipe);
> > - break;
> > - case DCERPC_AUTH_TYPE_SPNEGO:
> > ---
> > -1.9.3
> > -
> > -
> > -From 0d85042853b635486912688102253b2f358b5056 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 24 May 2013 13:38:01 +0200
> > -Subject: [PATCH 028/249] s3-rpc_cli: pass down ndr_interface_table to
> > - cli_rpc_pipe_open().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 34cc4b409558f229fba24f59e81ef9100a851d24)
> > ----
> > - source3/rpc_client/cli_pipe.c | 14 +++++++-------
> > - 1 file changed, 7 insertions(+), 7 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 4523ab7..4dc7345 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2843,7 +2843,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> > -
> > - static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> > - enum dcerpc_transport_t transport,
> > -- const struct ndr_syntax_id *interface,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult)
> > - {
> > - switch (transport) {
> > -@@ -2851,9 +2851,9 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> > - return rpc_pipe_open_tcp(NULL,
> > - smbXcli_conn_remote_name(cli->conn),
> > - smbXcli_conn_remote_sockaddr(cli->conn),
> > -- interface, presult);
> > -+ &table->syntax_id, presult);
> > - case NCACN_NP:
> > -- return rpc_pipe_open_np(cli, interface, presult);
> > -+ return rpc_pipe_open_np(cli, &table->syntax_id, presult);
> > - default:
> > - return NT_STATUS_NOT_IMPLEMENTED;
> > - }
> > -@@ -2872,7 +2872,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > - struct pipe_auth_data *auth;
> > - NTSTATUS status;
> > -
> > -- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> > -+ status = cli_rpc_pipe_open(cli, transport, table, &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > -@@ -2977,7 +2977,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> > -
> > - NTSTATUS status;
> > -
> > -- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> > -+ status = cli_rpc_pipe_open(cli, transport, table, &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > -@@ -3034,7 +3034,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - struct pipe_auth_data *auth;
> > - NTSTATUS status;
> > -
> > -- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> > -+ status = cli_rpc_pipe_open(cli, transport, table, &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > -@@ -3104,7 +3104,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
> > - return NT_STATUS_INVALID_PARAMETER;
> > - }
> > -
> > -- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> > -+ status = cli_rpc_pipe_open(cli, transport, table, &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From d5e312185a7adc8429f8caba29a9808ab7954a27 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 24 May 2013 13:40:45 +0200
> > -Subject: [PATCH 029/249] s3-rpc_cli: pass down ndr_interface_table to
> > - rpc_pipe_open_np().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 8cd3a060514ddcc178c938100edfb0b177c00c8c)
> > ----
> > - source3/rpc_client/cli_pipe.c | 8 ++++----
> > - 1 file changed, 4 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 4dc7345..0347d76 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2775,7 +2775,7 @@ static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_r
> > - ****************************************************************************/
> > -
> > - static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> > -- const struct ndr_syntax_id *abstract_syntax,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult)
> > - {
> > - struct rpc_pipe_client *result;
> > -@@ -2793,7 +2793,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- result->abstract_syntax = *abstract_syntax;
> > -+ result->abstract_syntax = table->syntax_id;
> > - result->transfer_syntax = ndr_transfer_syntax_ndr;
> > - result->desthost = talloc_strdup(result, smbXcli_conn_remote_name(cli->conn));
> > - result->srv_name_slash = talloc_asprintf_strupper_m(
> > -@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- status = rpc_transport_np_init(result, cli, abstract_syntax,
> > -+ status = rpc_transport_np_init(result, cli, &table->syntax_id,
> > - &result->transport);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - TALLOC_FREE(result);
> > -@@ -2853,7 +2853,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> > - smbXcli_conn_remote_sockaddr(cli->conn),
> > - &table->syntax_id, presult);
> > - case NCACN_NP:
> > -- return rpc_pipe_open_np(cli, &table->syntax_id, presult);
> > -+ return rpc_pipe_open_np(cli, table, presult);
> > - default:
> > - return NT_STATUS_NOT_IMPLEMENTED;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From f1fa7838cb933fd0d390a56d823272f8528eb63c Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 24 May 2013 13:44:00 +0200
> > -Subject: [PATCH 030/249] s3-rpc_cli: pass down ndr_interface_table to
> > - rpc_pipe_open_tcp().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 5c5cff0a722a0925ae75ea7aa11ede0d82d5b92d)
> > ----
> > - source3/rpc_client/cli_pipe.c | 8 ++++----
> > - source3/rpc_client/cli_pipe.h | 2 +-
> > - source3/torture/rpc_open_tcp.c | 2 +-
> > - 3 files changed, 6 insertions(+), 6 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 0347d76..46adf69 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2663,19 +2663,19 @@ done:
> > - */
> > - NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
> > - const struct sockaddr_storage *addr,
> > -- const struct ndr_syntax_id *abstract_syntax,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult)
> > - {
> > - NTSTATUS status;
> > - uint16_t port = 0;
> > -
> > -- status = rpc_pipe_get_tcp_port(host, addr, abstract_syntax, &port);
> > -+ status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > -
> > - return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
> > -- abstract_syntax, presult);
> > -+ &table->syntax_id, presult);
> > - }
> > -
> > - /********************************************************************
> > -@@ -2851,7 +2851,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> > - return rpc_pipe_open_tcp(NULL,
> > - smbXcli_conn_remote_name(cli->conn),
> > - smbXcli_conn_remote_sockaddr(cli->conn),
> > -- &table->syntax_id, presult);
> > -+ table, presult);
> > - case NCACN_NP:
> > - return rpc_pipe_open_np(cli, table, presult);
> > - default:
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index f37f8a9..6fcc587 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -67,7 +67,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > - NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
> > - const char *host,
> > - const struct sockaddr_storage *ss_addr,
> > -- const struct ndr_syntax_id *abstract_syntax,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult);
> > -
> > - NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> > -diff --git a/source3/torture/rpc_open_tcp.c b/source3/torture/rpc_open_tcp.c
> > -index d29f4cf..cd27b5f 100644
> > ---- a/source3/torture/rpc_open_tcp.c
> > -+++ b/source3/torture/rpc_open_tcp.c
> > -@@ -95,7 +95,7 @@ int main(int argc, const char **argv)
> > - }
> > -
> > - status = rpc_pipe_open_tcp(mem_ctx, argv[2], NULL,
> > -- &((*table)->syntax_id),
> > -+ *table,
> > - &rpc_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - d_printf("ERROR calling rpc_pipe_open_tcp(): %s\n",
> > ---
> > -1.9.3
> > -
> > -
> > -From 67c01c15af1bbb98916e75f7cad61edcc13c2e2f Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 24 May 2013 13:46:07 +0200
> > -Subject: [PATCH 031/249] s3-rpc_cli: pass down ndr_interface_table to
> > - rpc_pipe_get_tcp_port().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 0ff8c2d508949f732716e24047694cecf38597df)
> > ----
> > - source3/rpc_client/cli_pipe.c | 10 +++++-----
> > - 1 file changed, 5 insertions(+), 5 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 46adf69..15e77db 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2518,7 +2518,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
> > - */
> > - static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> > - const struct sockaddr_storage *addr,
> > -- const struct ndr_syntax_id *abstract_syntax,
> > -+ const struct ndr_interface_table *table,
> > - uint16_t *pport)
> > - {
> > - NTSTATUS status;
> > -@@ -2541,7 +2541,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> > - goto done;
> > - }
> > -
> > -- if (ndr_syntax_id_equal(abstract_syntax,
> > -+ if (ndr_syntax_id_equal(&table->syntax_id,
> > - &ndr_table_epmapper.syntax_id)) {
> > - *pport = 135;
> > - return NT_STATUS_OK;
> > -@@ -2576,7 +2576,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> > - }
> > -
> > - map_binding->transport = NCACN_IP_TCP;
> > -- map_binding->object = *abstract_syntax;
> > -+ map_binding->object = table->syntax_id;
> > - map_binding->host = host; /* needed? */
> > - map_binding->endpoint = "0"; /* correct? needed? */
> > -
> > -@@ -2612,7 +2612,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> > - status = dcerpc_epm_Map(epm_handle,
> > - tmp_ctx,
> > - discard_const_p(struct GUID,
> > -- &(abstract_syntax->uuid)),
> > -+ &(table->syntax_id.uuid)),
> > - map_tower,
> > - entry_handle,
> > - max_towers,
> > -@@ -2669,7 +2669,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
> > - NTSTATUS status;
> > - uint16_t port = 0;
> > -
> > -- status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
> > -+ status = rpc_pipe_get_tcp_port(host, addr, table, &port);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From a032ff8c89e479792947af4315ed6eb59a69f8f5 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 24 May 2013 13:47:16 +0200
> > -Subject: [PATCH 032/249] s3-rpc_cli: pass down ndr_interface_table to
> > - rpc_pipe_open_tcp_port().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 7bdcfcb37c5b96ee6aa0cecffd89c6d17291fe62)
> > ----
> > - source3/rpc_client/cli_pipe.c | 8 ++++----
> > - 1 file changed, 4 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 15e77db..1b2955f 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2447,7 +2447,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
> > - static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
> > - const struct sockaddr_storage *ss_addr,
> > - uint16_t port,
> > -- const struct ndr_syntax_id *abstract_syntax,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_pipe_client **presult)
> > - {
> > - struct rpc_pipe_client *result;
> > -@@ -2460,7 +2460,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- result->abstract_syntax = *abstract_syntax;
> > -+ result->abstract_syntax = table->syntax_id;
> > - result->transfer_syntax = ndr_transfer_syntax_ndr;
> > -
> > - result->desthost = talloc_strdup(result, host);
> > -@@ -2549,7 +2549,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> > -
> > - /* open the connection to the endpoint mapper */
> > - status = rpc_pipe_open_tcp_port(tmp_ctx, host, addr, 135,
> > -- &ndr_table_epmapper.syntax_id,
> > -+ &ndr_table_epmapper,
> > - &epm_pipe);
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > -@@ -2675,7 +2675,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
> > - }
> > -
> > - return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
> > -- &table->syntax_id, presult);
> > -+ table, presult);
> > - }
> > -
> > - /********************************************************************
> > ---
> > -1.9.3
> > -
> > -
> > -From 0b4ae5ec146e35c364f01c033d6c22efb99b7314 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 24 May 2013 13:52:05 +0200
> > -Subject: [PATCH 033/249] s3-rpc_cli: pass down ndr_interface_table to
> > - rpc_transport_np_init().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit c41b6e5c5e7fcdbd98c1eb2bea08378b47d343d4)
> > ----
> > - source3/rpc_client/cli_pipe.c | 2 +-
> > - source3/rpc_client/rpc_transport.h | 2 +-
> > - source3/rpc_client/rpc_transport_np.c | 4 ++--
> > - 3 files changed, 4 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 1b2955f..1fa8d91 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- status = rpc_transport_np_init(result, cli, &table->syntax_id,
> > -+ status = rpc_transport_np_init(result, cli, table,
> > - &result->transport);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - TALLOC_FREE(result);
> > -diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
> > -index bc115dd..2b4a323 100644
> > ---- a/source3/rpc_client/rpc_transport.h
> > -+++ b/source3/rpc_client/rpc_transport.h
> > -@@ -89,7 +89,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
> > - TALLOC_CTX *mem_ctx,
> > - struct rpc_cli_transport **presult);
> > - NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
> > -- const struct ndr_syntax_id *abstract_syntax,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_cli_transport **presult);
> > -
> > - /* The following definitions come from rpc_client/rpc_transport_sock.c */
> > -diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
> > -index f0696ad..7bd1ca3 100644
> > ---- a/source3/rpc_client/rpc_transport_np.c
> > -+++ b/source3/rpc_client/rpc_transport_np.c
> > -@@ -152,7 +152,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
> > - }
> > -
> > - NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
> > -- const struct ndr_syntax_id *abstract_syntax,
> > -+ const struct ndr_interface_table *table,
> > - struct rpc_cli_transport **presult)
> > - {
> > - TALLOC_CTX *frame = talloc_stackframe();
> > -@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
> > - goto fail;
> > - }
> > -
> > -- req = rpc_transport_np_init_send(frame, ev, cli, abstract_syntax);
> > -+ req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
> > - if (req == NULL) {
> > - status = NT_STATUS_NO_MEMORY;
> > - goto fail;
> > ---
> > -1.9.3
> > -
> > -
> > -From 739d05d91f23c4c6e17078c84192f30911cbdfcd Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 24 May 2013 13:56:53 +0200
> > -Subject: [PATCH 034/249] s3-rpc_cli: pass down ndr_interface_table to
> > - rpc_transport_np_init_send().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit b19e7e6638a5dd53e3c6e6701f78bf31184ed493)
> > ----
> > - source3/rpc_client/rpc_transport.h | 2 +-
> > - source3/rpc_client/rpc_transport_np.c | 6 +++---
> > - 2 files changed, 4 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
> > -index 2b4a323..72e7609 100644
> > ---- a/source3/rpc_client/rpc_transport.h
> > -+++ b/source3/rpc_client/rpc_transport.h
> > -@@ -84,7 +84,7 @@ struct cli_state;
> > - struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
> > - struct tevent_context *ev,
> > - struct cli_state *cli,
> > -- const struct ndr_syntax_id *abstract_syntax);
> > -+ const struct ndr_interface_table *table);
> > - NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
> > - TALLOC_CTX *mem_ctx,
> > - struct rpc_cli_transport **presult);
> > -diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
> > -index 7bd1ca3..c0f313e 100644
> > ---- a/source3/rpc_client/rpc_transport_np.c
> > -+++ b/source3/rpc_client/rpc_transport_np.c
> > -@@ -40,7 +40,7 @@ static void rpc_transport_np_init_pipe_open(struct tevent_req *subreq);
> > - struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
> > - struct tevent_context *ev,
> > - struct cli_state *cli,
> > -- const struct ndr_syntax_id *abstract_syntax)
> > -+ const struct ndr_interface_table *table)
> > - {
> > - struct tevent_req *req;
> > - struct rpc_transport_np_init_state *state;
> > -@@ -55,7 +55,7 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
> > - state->ev = ev;
> > - state->cli = cli;
> > - state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
> > -- state->pipe_name = get_pipe_name_from_syntax(state, abstract_syntax);
> > -+ state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
> > - if (tevent_req_nomem(state->pipe_name, req)) {
> > - return tevent_req_post(req, ev);
> > - }
> > -@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
> > - goto fail;
> > - }
> > -
> > -- req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
> > -+ req = rpc_transport_np_init_send(frame, ev, cli, table);
> > - if (req == NULL) {
> > - status = NT_STATUS_NO_MEMORY;
> > - goto fail;
> > ---
> > -1.9.3
> > -
> > -
> > -From c5529ee9045c44114ab1716b05d3408baa1b4e42 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 24 Sep 2008 11:04:42 +0200
> > -Subject: [PATCH 035/249] s3: libnet_join: add admin_domain.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit c11a79c5a054e862f61c97093fa2ce5e5040f111)
> > ----
> > - source3/librpc/idl/libnet_join.idl | 2 ++
> > - 1 file changed, 2 insertions(+)
> > -
> > -diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
> > -index 4f28bb6..ac0a350 100644
> > ---- a/source3/librpc/idl/libnet_join.idl
> > -+++ b/source3/librpc/idl/libnet_join.idl
> > -@@ -21,6 +21,7 @@ interface libnetjoin
> > - [in,ref] string *domain_name,
> > - [in] string account_ou,
> > - [in] string admin_account,
> > -+ [in] string admin_domain,
> > - [in,noprint] string admin_password,
> > - [in] string machine_password,
> > - [in] wkssvc_joinflags join_flags,
> > -@@ -51,6 +52,7 @@ interface libnetjoin
> > - [in] string domain_name,
> > - [in] string account_ou,
> > - [in] string admin_account,
> > -+ [in] string admin_domain,
> > - [in,noprint] string admin_password,
> > - [in] string machine_password,
> > - [in] wkssvc_joinflags unjoin_flags,
> > ---
> > -1.9.3
> > -
> > -
> > -From a0d8f42ac44d279ae7bc599792cd1d564925dcbf Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 24 Sep 2008 11:05:37 +0200
> > -Subject: [PATCH 036/249] s3: libnet_join: use admin_domain in libnetjoin.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit cc0cbd4fdc6e07538d67cc41ca07bad1eaebf493)
> > ----
> > - source3/libnet/libnet_join.c | 27 ++++++++++++++++++++++++++-
> > - 1 file changed, 26 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index 324c8f3..2253079 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -701,6 +701,7 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
> > -
> > - static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
> > - const char *user,
> > -+ const char *domain,
> > - const char *pass,
> > - bool use_kerberos,
> > - struct cli_state **cli)
> > -@@ -720,7 +721,7 @@ static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
> > - NULL, 0,
> > - "IPC$", "IPC",
> > - user,
> > -- NULL,
> > -+ domain,
> > - pass,
> > - flags,
> > - SMB_SIGNING_DEFAULT);
> > -@@ -742,6 +743,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
> > -
> > - status = libnet_join_connect_dc_ipc(r->in.dc_name,
> > - r->in.admin_account,
> > -+ r->in.admin_domain,
> > - r->in.admin_password,
> > - r->in.use_kerberos,
> > - cli);
> > -@@ -1368,6 +1370,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
> > -
> > - status = libnet_join_connect_dc_ipc(r->in.dc_name,
> > - r->in.admin_account,
> > -+ r->in.admin_domain,
> > - r->in.admin_password,
> > - r->in.use_kerberos,
> > - &cli);
> > -@@ -1755,6 +1758,17 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
> > - return WERR_SETUP_DOMAIN_CONTROLLER;
> > - }
> > -
> > -+ if (!r->in.admin_domain) {
> > -+ char *admin_domain = NULL;
> > -+ char *admin_account = NULL;
> > -+ split_domain_user(mem_ctx,
> > -+ r->in.admin_account,
> > -+ &admin_domain,
> > -+ &admin_account);
> > -+ r->in.admin_domain = admin_domain;
> > -+ r->in.admin_account = admin_account;
> > -+ }
> > -+
> > - if (!secrets_init()) {
> > - libnet_join_set_error_string(mem_ctx, r,
> > - "Unable to open secrets database");
> > -@@ -2316,6 +2330,17 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
> > - return WERR_SETUP_DOMAIN_CONTROLLER;
> > - }
> > -
> > -+ if (!r->in.admin_domain) {
> > -+ char *admin_domain = NULL;
> > -+ char *admin_account = NULL;
> > -+ split_domain_user(mem_ctx,
> > -+ r->in.admin_account,
> > -+ &admin_domain,
> > -+ &admin_account);
> > -+ r->in.admin_domain = admin_domain;
> > -+ r->in.admin_account = admin_account;
> > -+ }
> > -+
> > - if (!secrets_init()) {
> > - libnet_unjoin_set_error_string(mem_ctx, r,
> > - "Unable to open secrets database");
> > ---
> > -1.9.3
> > -
> > -
> > -From 46f8496292a12b7acdd045d126b61fa9d8afee74 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Thu, 6 Nov 2008 11:40:03 +0100
> > -Subject: [PATCH 037/249] s3-libnetjoin: add machine_name length check.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit c4d6d75cf48aed7b17728e283581366143fa4233)
> > ----
> > - source3/libnet/libnet_join.c | 9 +++++++++
> > - 1 file changed, 9 insertions(+)
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index 2253079..b731d9b 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -1746,6 +1746,15 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
> > - return WERR_INVALID_PARAM;
> > - }
> > -
> > -+ if (strlen(r->in.machine_name) > 15) {
> > -+ libnet_join_set_error_string(mem_ctx, r,
> > -+ "Our netbios name can be at most 15 chars long, "
> > -+ "\"%s\" is %u chars long\n",
> > -+ r->in.machine_name,
> > -+ (unsigned int)strlen(r->in.machine_name));
> > -+ return WERR_INVALID_PARAM;
> > -+ }
> > -+
> > - if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
> > - &r->in.domain_name,
> > - &r->in.dc_name)) {
> > ---
> > -1.9.3
> > -
> > -
> > -From a60cf7ddd4e2d41d92cdd35ab05f2d6a30b055c9 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Thu, 6 Nov 2008 13:37:45 +0100
> > -Subject: [PATCH 038/249] s3-libnetjoin: move "net rpc oldjoin" to use
> > - libnetjoin.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit d398a12f7907866189c1b253ca6a40e5454f42a1)
> > ----
> > - source3/utils/net_rpc.c | 182 ++++++++++++++++++++++--------------------------
> > - 1 file changed, 84 insertions(+), 98 deletions(-)
> > -
> > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > -index 69ff14d..720e9d2 100644
> > ---- a/source3/utils/net_rpc.c
> > -+++ b/source3/utils/net_rpc.c
> > -@@ -37,6 +37,8 @@
> > - #include "secrets.h"
> > - #include "lib/netapi/netapi.h"
> > - #include "lib/netapi/netapi_net.h"
> > -+#include "librpc/gen_ndr/libnet_join.h"
> > -+#include "libnet/libnet_join.h"
> > - #include "rpc_client/init_lsa.h"
> > - #include "../libcli/security/security.h"
> > - #include "libsmb/libsmb.h"
> > -@@ -314,48 +316,46 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
> > - }
> > -
> > - /**
> > -- * Join a domain, the old way.
> > -+ * Join a domain, the old way. This function exists to allow
> > -+ * the message to be displayed when oldjoin was explicitly
> > -+ * requested, but not when it was implied by "net rpc join".
> > - *
> > - * This uses 'machinename' as the inital password, and changes it.
> > - *
> > - * The password should be created with 'server manager' or equiv first.
> > - *
> > -- * All parameters are provided by the run_rpc_command function, except for
> > -- * argc, argv which are passed through.
> > -- *
> > -- * @param domain_sid The domain sid acquired from the remote server.
> > -- * @param cli A cli_state connected to the server.
> > -- * @param mem_ctx Talloc context, destroyed on completion of the function.
> > - * @param argc Standard main() style argc.
> > - * @param argv Standard main() style argv. Initial components are already
> > - * stripped.
> > - *
> > -- * @return Normal NTSTATUS return.
> > -+ * @return A shell status integer (0 for success).
> > - **/
> > -
> > --static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
> > -- const struct dom_sid *domain_sid,
> > -- const char *domain_name,
> > -- struct cli_state *cli,
> > -- struct rpc_pipe_client *pipe_hnd,
> > -- TALLOC_CTX *mem_ctx,
> > -- int argc,
> > -- const char **argv)
> > -+static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
> > - {
> > -+ struct libnet_JoinCtx *r = NULL;
> > -+ TALLOC_CTX *mem_ctx;
> > -+ WERROR werr;
> > -+ const char *domain = lp_workgroup(); /* FIXME */
> > -+ bool modify_config = lp_config_backend_is_registry();
> > -+ enum netr_SchannelType sec_chan_type;
> > -+ char *pw = NULL;
> > -
> > -- fstring trust_passwd;
> > -- unsigned char orig_trust_passwd_hash[16];
> > -- NTSTATUS result;
> > -- enum netr_SchannelType sec_channel_type;
> > -+ if (c->display_usage) {
> > -+ d_printf("Usage:\n"
> > -+ "net rpc oldjoin\n"
> > -+ " Join a domain the old way\n");
> > -+ return 0;
> > -+ }
> > -
> > -- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > -- &pipe_hnd);
> > -- if (!NT_STATUS_IS_OK(result)) {
> > -- DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
> > -- "error was %s\n",
> > -- smbXcli_conn_remote_name(cli->conn),
> > -- nt_errstr(result) ));
> > -- return result;
> > -+ mem_ctx = talloc_init("net_rpc_oldjoin");
> > -+ if (!mem_ctx) {
> > -+ return -1;
> > -+ }
> > -+
> > -+ werr = libnet_init_JoinCtx(mem_ctx, &r);
> > -+ if (!W_ERROR_IS_OK(werr)) {
> > -+ goto fail;
> > - }
> > -
> > - /*
> > -@@ -363,92 +363,78 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
> > - a BDC, the server must agree that we are a BDC.
> > - */
> > - if (argc >= 0) {
> > -- sec_channel_type = get_sec_channel_type(argv[0]);
> > -+ sec_chan_type = get_sec_channel_type(argv[0]);
> > - } else {
> > -- sec_channel_type = get_sec_channel_type(NULL);
> > -+ sec_chan_type = get_sec_channel_type(NULL);
> > - }
> > -
> > -- fstrcpy(trust_passwd, lp_netbios_name());
> > -- if (!strlower_m(trust_passwd)) {
> > -- return NT_STATUS_UNSUCCESSFUL;
> > -+ if (!c->msg_ctx) {
> > -+ d_fprintf(stderr, _("Could not initialise message context. "
> > -+ "Try running as root\n"));
> > -+ werr = WERR_ACCESS_DENIED;
> > -+ goto fail;
> > - }
> > -
> > -- /*
> > -- * Machine names can be 15 characters, but the max length on
> > -- * a password is 14. --jerry
> > -- */
> > --
> > -- trust_passwd[14] = '\0';
> > --
> > -- E_md4hash(trust_passwd, orig_trust_passwd_hash);
> > --
> > -- result = trust_pw_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup,
> > -- lp_netbios_name(),
> > -- orig_trust_passwd_hash,
> > -- sec_channel_type);
> > --
> > -- if (NT_STATUS_IS_OK(result))
> > -- printf(_("Joined domain %s.\n"), c->opt_target_workgroup);
> > -+ pw = talloc_strndup(r, lp_netbios_name(), 14);
> > -+ if (pw == NULL) {
> > -+ werr = WERR_NOMEM;
> > -+ goto fail;
> > -+ }
> > -
> > -+ r->in.msg_ctx = c->msg_ctx;
> > -+ r->in.domain_name = domain;
> > -+ r->in.secure_channel_type = sec_chan_type;
> > -+ r->in.dc_name = c->opt_host;
> > -+ r->in.admin_account = "";
> > -+ r->in.admin_password = strlower_talloc(r, pw);
> > -+ if (r->in.admin_password == NULL) {
> > -+ werr = WERR_NOMEM;
> > -+ goto fail;
> > -+ }
> > -+ r->in.debug = true;
> > -+ r->in.modify_config = modify_config;
> > -+ r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
> > -+ WKSSVC_JOIN_FLAGS_JOIN_UNSECURE |
> > -+ WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED;
> > -
> > -- if (!secrets_store_domain_sid(c->opt_target_workgroup, domain_sid)) {
> > -- DEBUG(0, ("error storing domain sid for %s\n", c->opt_target_workgroup));
> > -- result = NT_STATUS_UNSUCCESSFUL;
> > -+ werr = libnet_Join(mem_ctx, r);
> > -+ if (!W_ERROR_IS_OK(werr)) {
> > -+ goto fail;
> > - }
> > -
> > -- return result;
> > --}
> > -+ /* Check the short name of the domain */
> > -
> > --/**
> > -- * Join a domain, the old way.
> > -- *
> > -- * @param argc Standard main() style argc.
> > -- * @param argv Standard main() style argv. Initial components are already
> > -- * stripped.
> > -- *
> > -- * @return A shell status integer (0 for success).
> > -- **/
> > -+ if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
> > -+ d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
> > -+ d_printf("domain name obtained from the server.\n");
> > -+ d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
> > -+ d_printf("You should set \"workgroup = %s\" in %s.\n",
> > -+ r->out.netbios_domain_name, get_dyn_CONFIGFILE());
> > -+ }
> > -
> > --static int net_rpc_perform_oldjoin(struct net_context *c, int argc, const char **argv)
> > --{
> > -- return run_rpc_command(c, NULL, &ndr_table_netlogon,
> > -- NET_FLAGS_NO_PIPE | NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
> > -- rpc_oldjoin_internals,
> > -- argc, argv);
> > --}
> > -+ d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
> > -
> > --/**
> > -- * Join a domain, the old way. This function exists to allow
> > -- * the message to be displayed when oldjoin was explicitly
> > -- * requested, but not when it was implied by "net rpc join".
> > -- *
> > -- * @param argc Standard main() style argc.
> > -- * @param argv Standard main() style argv. Initial components are already
> > -- * stripped.
> > -- *
> > -- * @return A shell status integer (0 for success).
> > -- **/
> > -+ if (r->out.dns_domain_name) {
> > -+ d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
> > -+ r->out.dns_domain_name);
> > -+ } else {
> > -+ d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
> > -+ r->out.netbios_domain_name);
> > -+ }
> > -
> > --static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
> > --{
> > -- int rc = -1;
> > -+ TALLOC_FREE(mem_ctx);
> > -
> > -- if (c->display_usage) {
> > -- d_printf( "%s\n"
> > -- "net rpc oldjoin\n"
> > -- " %s\n",
> > -- _("Usage:"),
> > -- _("Join a domain the old way"));
> > -- return 0;
> > -- }
> > -+ return 0;
> > -
> > -- rc = net_rpc_perform_oldjoin(c, argc, argv);
> > -+fail:
> > -+ /* issue an overall failure message at the end. */
> > -+ d_fprintf(stderr, _("Failed to join domain: %s\n"),
> > -+ r && r->out.error_string ? r->out.error_string :
> > -+ get_friendly_werror_msg(werr));
> > -
> > -- if (rc) {
> > -- d_fprintf(stderr, _("Failed to join domain\n"));
> > -- }
> > -+ TALLOC_FREE(mem_ctx);
> > -
> > -- return rc;
> > -+ return -1;
> > - }
> > -
> > - /**
> > -@@ -492,7 +478,7 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
> > - return -1;
> > - }
> > -
> > -- if ((net_rpc_perform_oldjoin(c, argc, argv) == 0))
> > -+ if ((net_rpc_oldjoin(c, argc, argv) == 0))
> > - return 0;
> > -
> > - return net_rpc_join_newstyle(c, argc, argv);
> > ---
> > -1.9.3
> > -
> > -
> > -From 3185251186366984b5ec06322c75cfda71dccdbc Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 13 Jun 2013 19:12:27 +0200
> > -Subject: [PATCH 039/249] s3:libnet: let the caller truncate the pw in
> > - libnet_join_joindomain_rpc_unsecure()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 1242ab0cb3bf575b695b39313604af9d0a7f1b3a)
> > ----
> > - source3/libnet/libnet_join.c | 15 +--------------
> > - 1 file changed, 1 insertion(+), 14 deletions(-)
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index b731d9b..d8ec235 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -818,7 +818,6 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> > - struct rpc_pipe_client *pipe_hnd = NULL;
> > - unsigned char orig_trust_passwd_hash[16];
> > - unsigned char new_trust_passwd_hash[16];
> > -- fstring trust_passwd;
> > - NTSTATUS status;
> > -
> > - status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > -@@ -837,19 +836,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> > - E_md4hash(r->in.machine_password, new_trust_passwd_hash);
> > -
> > - /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
> > -- fstrcpy(trust_passwd, r->in.admin_password);
> > -- if (!strlower_m(trust_passwd)) {
> > -- return NT_STATUS_INVALID_PARAMETER;
> > -- }
> > --
> > -- /*
> > -- * Machine names can be 15 characters, but the max length on
> > -- * a password is 14. --jerry
> > -- */
> > --
> > -- trust_passwd[14] = '\0';
> > --
> > -- E_md4hash(trust_passwd, orig_trust_passwd_hash);
> > -+ E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
> > -
> > - status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
> > - r->in.machine_name,
> > ---
> > -1.9.3
> > -
> > -
> > -From e1e15a73a9a5215866f6471c5e583457c516b47e Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Tue, 3 Feb 2009 20:10:05 +0100
> > -Subject: [PATCH 040/249] s3-net: use libnetjoin for "net rpc testjoin".
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 9cfa6251600ddea0e821f2bd3fd359c28eb1b7f9)
> > ----
> > - source3/utils/net_proto.h | 2 +-
> > - source3/utils/net_rpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++
> > - source3/utils/net_rpc_join.c | 29 -------------------
> > - 3 files changed, 67 insertions(+), 30 deletions(-)
> > -
> > -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
> > -index 03fb312..d791708 100644
> > ---- a/source3/utils/net_proto.h
> > -+++ b/source3/utils/net_proto.h
> > -@@ -145,6 +145,7 @@ int run_rpc_command(struct net_context *c,
> > - int argc,
> > - const char **argv);
> > - int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
> > -+int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
> > - int net_rpc_join(struct net_context *c, int argc, const char **argv);
> > - NTSTATUS rpc_info_internals(struct net_context *c,
> > - const struct dom_sid *domain_sid,
> > -@@ -205,7 +206,6 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
> > - const char *server,
> > - const struct sockaddr_storage *server_ss);
> > - int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
> > --int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
> > -
> > - /* The following definitions come from utils/net_rpc_printer.c */
> > -
> > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > -index 720e9d2..592be44 100644
> > ---- a/source3/utils/net_rpc.c
> > -+++ b/source3/utils/net_rpc.c
> > -@@ -438,6 +438,72 @@ fail:
> > - }
> > -
> > - /**
> > -+ * check that a join is OK
> > -+ *
> > -+ * @return A shell status integer (0 for success)
> > -+ *
> > -+ **/
> > -+int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> > -+{
> > -+ NTSTATUS status;
> > -+ TALLOC_CTX *mem_ctx;
> > -+ const char *domain = c->opt_target_workgroup;
> > -+ const char *dc = c->opt_host;
> > -+
> > -+ if (c->display_usage) {
> > -+ d_printf("Usage\n"
> > -+ "net rpc testjoin\n"
> > -+ " Test if a join is OK\n");
> > -+ return 0;
> > -+ }
> > -+
> > -+ mem_ctx = talloc_init("net_rpc_testjoin");
> > -+ if (!mem_ctx) {
> > -+ return -1;
> > -+ }
> > -+
> > -+ if (!dc) {
> > -+ struct netr_DsRGetDCNameInfo *info;
> > -+
> > -+ if (!c->msg_ctx) {
> > -+ d_fprintf(stderr, _("Could not initialise message context. "
> > -+ "Try running as root\n"));
> > -+ talloc_destroy(mem_ctx);
> > -+ return -1;
> > -+ }
> > -+
> > -+ status = dsgetdcname(mem_ctx,
> > -+ c->msg_ctx,
> > -+ domain,
> > -+ NULL,
> > -+ NULL,
> > -+ DS_RETURN_DNS_NAME,
> > -+ &info);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ talloc_destroy(mem_ctx);
> > -+ return -1;
> > -+ }
> > -+
> > -+ dc = strip_hostname(info->dc_unc);
> > -+ }
> > -+
> > -+ /* Display success or failure */
> > -+ status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
> > -+ c->opt_kerberos);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
> > -+ domain, nt_errstr(status));
> > -+ talloc_destroy(mem_ctx);
> > -+ return -1;
> > -+ }
> > -+
> > -+ printf("Join to '%s' is OK\n",domain);
> > -+ talloc_destroy(mem_ctx);
> > -+
> > -+ return 0;
> > -+}
> > -+
> > -+/**
> > - * 'net rpc join' entrypoint.
> > - * @param argc Standard main() style argc.
> > - * @param argv Standard main() style argv. Initial components are already
> > -diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
> > -index aabbe54..ee39a5c 100644
> > ---- a/source3/utils/net_rpc_join.c
> > -+++ b/source3/utils/net_rpc_join.c
> > -@@ -561,32 +561,3 @@ done:
> > -
> > - return retval;
> > - }
> > --
> > --/**
> > -- * check that a join is OK
> > -- *
> > -- * @return A shell status integer (0 for success)
> > -- *
> > -- **/
> > --int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> > --{
> > -- NTSTATUS nt_status;
> > --
> > -- if (c->display_usage) {
> > -- d_printf(_("Usage\n"
> > -- "net rpc testjoin\n"
> > -- " Test if a join is OK\n"));
> > -- return 0;
> > -- }
> > --
> > -- /* Display success or failure */
> > -- nt_status = net_rpc_join_ok(c, c->opt_target_workgroup, NULL, NULL);
> > -- if (!NT_STATUS_IS_OK(nt_status)) {
> > -- fprintf(stderr, _("Join to domain '%s' is not valid: %s\n"),
> > -- c->opt_target_workgroup, nt_errstr(nt_status));
> > -- return -1;
> > -- }
> > --
> > -- printf(_("Join to '%s' is OK\n"), c->opt_target_workgroup);
> > -- return 0;
> > --}
> > ---
> > -1.9.3
> > -
> > -
> > -From a0474baa59c0991c2b2d8e3f425c9a6845162f45 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Tue, 3 Feb 2009 20:21:05 +0100
> > -Subject: [PATCH 041/249] s3-net: use libnetjoin for "net rpc join" newstyle.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 3e4ded48bbeacdcd128f3c667cbdd12a3efca312)
> > ----
> > - source3/utils/net_proto.h | 8 +---
> > - source3/utils/net_rpc.c | 106 ++++++++++++++++++++++++++++++++++++++++++++++
> > - source3/wscript_build | 2 +-
> > - 3 files changed, 108 insertions(+), 8 deletions(-)
> > -
> > -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
> > -index d791708..1809ba9 100644
> > ---- a/source3/utils/net_proto.h
> > -+++ b/source3/utils/net_proto.h
> > -@@ -146,6 +146,7 @@ int run_rpc_command(struct net_context *c,
> > - const char **argv);
> > - int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
> > - int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
> > -+int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
> > - int net_rpc_join(struct net_context *c, int argc, const char **argv);
> > - NTSTATUS rpc_info_internals(struct net_context *c,
> > - const struct dom_sid *domain_sid,
> > -@@ -200,13 +201,6 @@ int net_rpc(struct net_context *c, int argc, const char **argv);
> > -
> > - int net_rpc_audit(struct net_context *c, int argc, const char **argv);
> > -
> > --/* The following definitions come from utils/net_rpc_join.c */
> > --
> > --NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
> > -- const char *server,
> > -- const struct sockaddr_storage *server_ss);
> > --int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
> > --
> > - /* The following definitions come from utils/net_rpc_printer.c */
> > -
> > - NTSTATUS net_copy_fileattr(struct net_context *c,
> > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > -index 592be44..6358460 100644
> > ---- a/source3/utils/net_rpc.c
> > -+++ b/source3/utils/net_rpc.c
> > -@@ -504,6 +504,112 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> > - }
> > -
> > - /**
> > -+ * Join a domain using the administrator username and password
> > -+ *
> > -+ * @param argc Standard main() style argc
> > -+ * @param argc Standard main() style argv. Initial components are already
> > -+ * stripped. Currently not used.
> > -+ * @return A shell status integer (0 for success)
> > -+ *
> > -+ **/
> > -+
> > -+int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > -+{
> > -+ struct libnet_JoinCtx *r = NULL;
> > -+ TALLOC_CTX *mem_ctx;
> > -+ WERROR werr;
> > -+ const char *domain = lp_workgroup(); /* FIXME */
> > -+ bool modify_config = lp_config_backend_is_registry();
> > -+ enum netr_SchannelType sec_chan_type;
> > -+
> > -+ if (c->display_usage) {
> > -+ d_printf("Usage:\n"
> > -+ "net rpc join\n"
> > -+ " Join a domain the new way\n");
> > -+ return 0;
> > -+ }
> > -+
> > -+ mem_ctx = talloc_init("net_rpc_join_newstyle");
> > -+ if (!mem_ctx) {
> > -+ return -1;
> > -+ }
> > -+
> > -+ werr = libnet_init_JoinCtx(mem_ctx, &r);
> > -+ if (!W_ERROR_IS_OK(werr)) {
> > -+ goto fail;
> > -+ }
> > -+
> > -+ /*
> > -+ check what type of join - if the user want's to join as
> > -+ a BDC, the server must agree that we are a BDC.
> > -+ */
> > -+ if (argc >= 0) {
> > -+ sec_chan_type = get_sec_channel_type(argv[0]);
> > -+ } else {
> > -+ sec_chan_type = get_sec_channel_type(NULL);
> > -+ }
> > -+
> > -+ if (!c->msg_ctx) {
> > -+ d_fprintf(stderr, _("Could not initialise message context. "
> > -+ "Try running as root\n"));
> > -+ werr = WERR_ACCESS_DENIED;
> > -+ goto fail;
> > -+ }
> > -+
> > -+ r->in.msg_ctx = c->msg_ctx;
> > -+ r->in.domain_name = domain;
> > -+ r->in.secure_channel_type = sec_chan_type;
> > -+ r->in.dc_name = c->opt_host;
> > -+ r->in.admin_account = c->opt_user_name;
> > -+ r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
> > -+ r->in.debug = true;
> > -+ r->in.use_kerberos = c->opt_kerberos;
> > -+ r->in.modify_config = modify_config;
> > -+ r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
> > -+ WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
> > -+ WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
> > -+
> > -+ werr = libnet_Join(mem_ctx, r);
> > -+ if (!W_ERROR_IS_OK(werr)) {
> > -+ goto fail;
> > -+ }
> > -+
> > -+ /* Check the short name of the domain */
> > -+
> > -+ if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
> > -+ d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
> > -+ d_printf("domain name obtained from the server.\n");
> > -+ d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
> > -+ d_printf("You should set \"workgroup = %s\" in %s.\n",
> > -+ r->out.netbios_domain_name, get_dyn_CONFIGFILE());
> > -+ }
> > -+
> > -+ d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
> > -+
> > -+ if (r->out.dns_domain_name) {
> > -+ d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
> > -+ r->out.dns_domain_name);
> > -+ } else {
> > -+ d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
> > -+ r->out.netbios_domain_name);
> > -+ }
> > -+
> > -+ TALLOC_FREE(mem_ctx);
> > -+
> > -+ return 0;
> > -+
> > -+fail:
> > -+ /* issue an overall failure message at the end. */
> > -+ d_printf("Failed to join domain: %s\n",
> > -+ r && r->out.error_string ? r->out.error_string :
> > -+ get_friendly_werror_msg(werr));
> > -+
> > -+ TALLOC_FREE(mem_ctx);
> > -+
> > -+ return -1;
> > -+}
> > -+
> > -+/**
> > - * 'net rpc join' entrypoint.
> > - * @param argc Standard main() style argc.
> > - * @param argv Standard main() style argv. Initial components are already
> > -diff --git a/source3/wscript_build b/source3/wscript_build
> > -index 9461b05..0bf84e2 100755
> > ---- a/source3/wscript_build
> > -+++ b/source3/wscript_build
> > -@@ -507,7 +507,7 @@ LIBNET_SAMSYNC_SRC = '''libnet/libnet_samsync.c
> > -
> > - NET_SRC1 = '''utils/net.c utils/net_ads.c utils/net_help.c
> > - utils/net_rap.c utils/net_rpc.c utils/net_rpc_samsync.c
> > -- utils/net_rpc_join.c utils/net_time.c utils/net_lookup.c
> > -+ utils/net_time.c utils/net_lookup.c
> > - utils/net_cache.c utils/net_groupmap.c
> > - utils/net_idmap.c utils/net_idmap_check.c
> > - utils/interact.c
> > ---
> > -1.9.3
> > -
> > -
> > -From b2aad96d2ffd5545c250cce605dfdb7f0852806c Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 15 Jul 2013 13:28:34 +0200
> > -Subject: [PATCH 042/249] s3-net: avoid confusing output in net_rpc_oldjoin()
> > - if NET_FLAGS_EXPECT_FALLBACK is passed
> > -
> > -"net rpc join" tries net_rpc_oldjoin() first and falls back to
> > -net_rpc_join_newstyle(). We should not print the join failed
> > -if just net_rpc_oldjoin() failed.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 05d9b4165af9e7f03d3fbeb64db4fc305fcec4df)
> > ----
> > - source3/utils/net.h | 1 +
> > - source3/utils/net_proto.h | 1 -
> > - source3/utils/net_rpc.c | 15 +++++++++++++--
> > - 3 files changed, 14 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/source3/utils/net.h b/source3/utils/net.h
> > -index 2056d89..e97734a 100644
> > ---- a/source3/utils/net.h
> > -+++ b/source3/utils/net.h
> > -@@ -182,6 +182,7 @@ enum netdom_domain_t { ND_TYPE_NT4, ND_TYPE_AD };
> > - #define NET_FLAGS_SIGN 0x00000040 /* sign RPC connection */
> > - #define NET_FLAGS_SEAL 0x00000080 /* seal RPC connection */
> > - #define NET_FLAGS_TCP 0x00000100 /* use ncacn_ip_tcp */
> > -+#define NET_FLAGS_EXPECT_FALLBACK 0x00000200 /* the caller will fallback */
> > -
> > - /* net share operation modes */
> > - #define NET_MODE_SHARE_MIGRATE 1
> > -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
> > -index 1809ba9..25e9db2 100644
> > ---- a/source3/utils/net_proto.h
> > -+++ b/source3/utils/net_proto.h
> > -@@ -146,7 +146,6 @@ int run_rpc_command(struct net_context *c,
> > - const char **argv);
> > - int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
> > - int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
> > --int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
> > - int net_rpc_join(struct net_context *c, int argc, const char **argv);
> > - NTSTATUS rpc_info_internals(struct net_context *c,
> > - const struct dom_sid *domain_sid,
> > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > -index 6358460..dff8801 100644
> > ---- a/source3/utils/net_rpc.c
> > -+++ b/source3/utils/net_rpc.c
> > -@@ -427,11 +427,16 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
> > - return 0;
> > -
> > - fail:
> > -+ if (c->opt_flags & NET_FLAGS_EXPECT_FALLBACK) {
> > -+ goto cleanup;
> > -+ }
> > -+
> > - /* issue an overall failure message at the end. */
> > - d_fprintf(stderr, _("Failed to join domain: %s\n"),
> > - r && r->out.error_string ? r->out.error_string :
> > - get_friendly_werror_msg(werr));
> > -
> > -+cleanup:
> > - TALLOC_FREE(mem_ctx);
> > -
> > - return -1;
> > -@@ -513,7 +518,7 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> > - *
> > - **/
> > -
> > --int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > -+static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > - {
> > - struct libnet_JoinCtx *r = NULL;
> > - TALLOC_CTX *mem_ctx;
> > -@@ -623,6 +628,8 @@ fail:
> > -
> > - int net_rpc_join(struct net_context *c, int argc, const char **argv)
> > - {
> > -+ int ret;
> > -+
> > - if (c->display_usage) {
> > - d_printf("%s\n%s",
> > - _("Usage:"),
> > -@@ -650,8 +657,12 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
> > - return -1;
> > - }
> > -
> > -- if ((net_rpc_oldjoin(c, argc, argv) == 0))
> > -+ c->opt_flags |= NET_FLAGS_EXPECT_FALLBACK;
> > -+ ret = net_rpc_oldjoin(c, argc, argv);
> > -+ c->opt_flags &= ~NET_FLAGS_EXPECT_FALLBACK;
> > -+ if (ret == 0) {
> > - return 0;
> > -+ }
> > -
> > - return net_rpc_join_newstyle(c, argc, argv);
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From 8e8a2602d1c793f9a46e5219dea91a46e34d24ca Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 16 Jul 2013 10:07:30 +0200
> > -Subject: [PATCH 043/249] s4:librpc: fix netlogon connections against servers
> > - without AES support
> > -
> > -LogonGetCapabilities() only works on the credential chain if
> > -the server supports AES, so we need to work on a temporary copy
> > -until we know the server replied a valid return authenticator.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 34fa7946993506fde2c6b30e4a41bea27390a814)
> > ----
> > - source4/librpc/rpc/dcerpc_schannel.c | 8 ++++++--
> > - 1 file changed, 6 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
> > -index 1480486..130ebeb 100644
> > ---- a/source4/librpc/rpc/dcerpc_schannel.c
> > -+++ b/source4/librpc/rpc/dcerpc_schannel.c
> > -@@ -385,6 +385,7 @@ struct auth_schannel_state {
> > - struct loadparm_context *lp_ctx;
> > - uint8_t auth_level;
> > - struct netlogon_creds_CredentialState *creds_state;
> > -+ struct netlogon_creds_CredentialState save_creds_state;
> > - struct netr_Authenticator auth;
> > - struct netr_Authenticator return_auth;
> > - union netr_Capabilities capabilities;
> > -@@ -449,7 +450,8 @@ static void continue_bind_auth(struct composite_context *ctx)
> > - s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
> > - if (composite_nomem(s->creds_state, c)) return;
> > -
> > -- netlogon_creds_client_authenticator(s->creds_state, &s->auth);
> > -+ s->save_creds_state = *s->creds_state;
> > -+ netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
> > -
> > - s->c.in.server_name = talloc_asprintf(c,
> > - "\\\\%s",
> > -@@ -519,12 +521,14 @@ static void continue_get_capabilities(struct tevent_req *subreq)
> > - }
> > -
> > - /* verify credentials */
> > -- if (!netlogon_creds_client_check(s->creds_state,
> > -+ if (!netlogon_creds_client_check(&s->save_creds_state,
> > - &s->c.out.return_authenticator->cred)) {
> > - composite_error(c, NT_STATUS_UNSUCCESSFUL);
> > - return;
> > - }
> > -
> > -+ *s->creds_state = s->save_creds_state;
> > -+
> > - if (!NT_STATUS_IS_OK(s->c.out.result)) {
> > - composite_error(c, s->c.out.result);
> > - return;
> > ---
> > -1.9.3
> > -
> > -
> > -From 300fb415d5a6a60702b0c8464e0e76cf0e11fdeb Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 22 Mar 2013 15:07:10 +0100
> > -Subject: [PATCH 044/249] s3:rpcclient: use talloc_stackframe() in do_cmd()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit d54c908ff5bef774f5cca038741558089ff6baeb)
> > ----
> > - source3/rpcclient/rpcclient.c | 8 ++++++--
> > - 1 file changed, 6 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > -index c23ff2d..9bf296e 100644
> > ---- a/source3/rpcclient/rpcclient.c
> > -+++ b/source3/rpcclient/rpcclient.c
> > -@@ -678,7 +678,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > -
> > - /* Create mem_ctx */
> > -
> > -- if (!(mem_ctx = talloc_init("do_cmd"))) {
> > -+ if (!(mem_ctx = talloc_stackframe())) {
> > - DEBUG(0, ("talloc_init() failed\n"));
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -@@ -745,12 +745,14 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - "auth type %u\n",
> > - cmd_entry->table->name,
> > - pipe_default_auth_type ));
> > -+ talloc_free(mem_ctx);
> > - return NT_STATUS_UNSUCCESSFUL;
> > - }
> > - if (!NT_STATUS_IS_OK(ntresult)) {
> > - DEBUG(0, ("Could not initialise %s. Error was %s\n",
> > - cmd_entry->table->name,
> > - nt_errstr(ntresult) ));
> > -+ talloc_free(mem_ctx);
> > - return ntresult;
> > - }
> > -
> > -@@ -765,6 +767,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - trust_password, &machine_account,
> > - &sec_channel_type))
> > - {
> > -+ talloc_free(mem_ctx);
> > - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > - }
> > -
> > -@@ -780,6 +783,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - if (!NT_STATUS_IS_OK(ntresult)) {
> > - DEBUG(0, ("Could not initialise credentials for %s.\n",
> > - cmd_entry->table->name));
> > -+ talloc_free(mem_ctx);
> > - return ntresult;
> > - }
> > - }
> > -@@ -803,7 +807,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > -
> > - /* Cleanup */
> > -
> > -- talloc_destroy(mem_ctx);
> > -+ talloc_free(mem_ctx);
> > -
> > - return ntresult;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From 95972ec54aafcf8a66e0164cd1fb478b6f4c58f6 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 24 Apr 2013 12:36:04 +0200
> > -Subject: [PATCH 045/249] libcli/auth: make
> > - netlogon_creds_crypt_samlogon_validation more robust
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 39fedd27182d9e1985418ea79b86aef69999dd57)
> > ----
> > - libcli/auth/credentials.c | 6 +++++-
> > - 1 file changed, 5 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > -index fb77ede..5c8b25b 100644
> > ---- a/libcli/auth/credentials.c
> > -+++ b/libcli/auth/credentials.c
> > -@@ -493,8 +493,12 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
> > - bool encrypt)
> > - {
> > - static const char zeros[16];
> > --
> > - struct netr_SamBaseInfo *base = NULL;
> > -+
> > -+ if (validation == NULL) {
> > -+ return;
> > -+ }
> > -+
> > - switch (validation_level) {
> > - case 2:
> > - if (validation->sam2) {
> > ---
> > -1.9.3
> > -
> > -
> > -From ac092a319c388cc2577bcbd87e16522ba37dc2d0 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 14 Jun 2013 09:47:50 +0200
> > -Subject: [PATCH 046/249] libcli/auth: fix shadowed declaration in
> > - netlogon_creds_crypt_samlogon_validation()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 291f6a1e031dc9db7d03b3ca924c4309b313cae5)
> > ----
> > - libcli/auth/credentials.c | 8 ++++----
> > - 1 file changed, 4 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > -index 5c8b25b..2e9c87e 100644
> > ---- a/libcli/auth/credentials.c
> > -+++ b/libcli/auth/credentials.c
> > -@@ -490,7 +490,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
> > - static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
> > - uint16_t validation_level,
> > - union netr_Validation *validation,
> > -- bool encrypt)
> > -+ bool do_encrypt)
> > - {
> > - static const char zeros[16];
> > - struct netr_SamBaseInfo *base = NULL;
> > -@@ -531,7 +531,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
> > - /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
> > - if (memcmp(base->key.key, zeros,
> > - sizeof(base->key.key)) != 0) {
> > -- if (encrypt) {
> > -+ if (do_encrypt) {
> > - netlogon_creds_aes_encrypt(creds,
> > - base->key.key,
> > - sizeof(base->key.key));
> > -@@ -544,7 +544,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
> > -
> > - if (memcmp(base->LMSessKey.key, zeros,
> > - sizeof(base->LMSessKey.key)) != 0) {
> > -- if (encrypt) {
> > -+ if (do_encrypt) {
> > - netlogon_creds_aes_encrypt(creds,
> > - base->LMSessKey.key,
> > - sizeof(base->LMSessKey.key));
> > -@@ -574,7 +574,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
> > - /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
> > - if (memcmp(base->LMSessKey.key, zeros,
> > - sizeof(base->LMSessKey.key)) != 0) {
> > -- if (encrypt) {
> > -+ if (do_encrypt) {
> > - netlogon_creds_des_encrypt_LMKey(creds,
> > - &base->LMSessKey);
> > - } else {
> > ---
> > -1.9.3
> > -
> > -
> > -From c535bfb9ead2175ae68b9d18a1692218a0fcf800 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 25 Apr 2013 17:01:00 +0200
> > -Subject: [PATCH 047/249] libcli/auth: add
> > - netlogon_creds_[de|en]crypt_samlogon_logon()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit c7319fce604d5f89a89094b6b18ef459a347aef8)
> > ----
> > - libcli/auth/credentials.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++
> > - libcli/auth/proto.h | 6 +++
> > - 2 files changed, 124 insertions(+)
> > -
> > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > -index 2e9c87e..78a8d7a 100644
> > ---- a/libcli/auth/credentials.c
> > -+++ b/libcli/auth/credentials.c
> > -@@ -601,6 +601,124 @@ void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_Credential
> > - validation, true);
> > - }
> > -
> > -+static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> > -+ enum netr_LogonInfoClass level,
> > -+ union netr_LogonLevel *logon,
> > -+ bool encrypt)
> > -+{
> > -+ static const char zeros[16];
> > -+
> > -+ if (logon == NULL) {
> > -+ return;
> > -+ }
> > -+
> > -+ switch (level) {
> > -+ case NetlogonInteractiveInformation:
> > -+ case NetlogonInteractiveTransitiveInformation:
> > -+ case NetlogonServiceInformation:
> > -+ case NetlogonServiceTransitiveInformation:
> > -+ if (logon->password == NULL) {
> > -+ return;
> > -+ }
> > -+
> > -+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -+ uint8_t *h;
> > -+
> > -+ h = logon->password->lmpassword.hash;
> > -+ if (memcmp(h, zeros, 16) != 0) {
> > -+ if (encrypt) {
> > -+ netlogon_creds_aes_encrypt(creds, h, 16);
> > -+ } else {
> > -+ netlogon_creds_aes_decrypt(creds, h, 16);
> > -+ }
> > -+ }
> > -+
> > -+ h = logon->password->ntpassword.hash;
> > -+ if (memcmp(h, zeros, 16) != 0) {
> > -+ if (encrypt) {
> > -+ netlogon_creds_aes_encrypt(creds, h, 16);
> > -+ } else {
> > -+ netlogon_creds_aes_decrypt(creds, h, 16);
> > -+ }
> > -+ }
> > -+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> > -+ uint8_t *h;
> > -+
> > -+ h = logon->password->lmpassword.hash;
> > -+ if (memcmp(h, zeros, 16) != 0) {
> > -+ netlogon_creds_arcfour_crypt(creds, h, 16);
> > -+ }
> > -+
> > -+ h = logon->password->ntpassword.hash;
> > -+ if (memcmp(h, zeros, 16) != 0) {
> > -+ netlogon_creds_arcfour_crypt(creds, h, 16);
> > -+ }
> > -+ } else {
> > -+ struct samr_Password *p;
> > -+
> > -+ p = &logon->password->lmpassword;
> > -+ if (memcmp(p->hash, zeros, 16) != 0) {
> > -+ if (encrypt) {
> > -+ netlogon_creds_des_encrypt(creds, p);
> > -+ } else {
> > -+ netlogon_creds_des_decrypt(creds, p);
> > -+ }
> > -+ }
> > -+ p = &logon->password->ntpassword;
> > -+ if (memcmp(p->hash, zeros, 16) != 0) {
> > -+ if (encrypt) {
> > -+ netlogon_creds_des_encrypt(creds, p);
> > -+ } else {
> > -+ netlogon_creds_des_decrypt(creds, p);
> > -+ }
> > -+ }
> > -+ }
> > -+ break;
> > -+
> > -+ case NetlogonNetworkInformation:
> > -+ case NetlogonNetworkTransitiveInformation:
> > -+ break;
> > -+
> > -+ case NetlogonGenericInformation:
> > -+ if (logon->generic == NULL) {
> > -+ return;
> > -+ }
> > -+
> > -+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -+ if (encrypt) {
> > -+ netlogon_creds_aes_encrypt(creds,
> > -+ logon->generic->data,
> > -+ logon->generic->length);
> > -+ } else {
> > -+ netlogon_creds_aes_decrypt(creds,
> > -+ logon->generic->data,
> > -+ logon->generic->length);
> > -+ }
> > -+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> > -+ netlogon_creds_arcfour_crypt(creds,
> > -+ logon->generic->data,
> > -+ logon->generic->length);
> > -+ } else {
> > -+ /* Using DES to verify kerberos tickets makes no sense */
> > -+ }
> > -+ break;
> > -+ }
> > -+}
> > -+
> > -+void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> > -+ enum netr_LogonInfoClass level,
> > -+ union netr_LogonLevel *logon)
> > -+{
> > -+ netlogon_creds_crypt_samlogon_logon(creds, level, logon, false);
> > -+}
> > -+
> > -+void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> > -+ enum netr_LogonInfoClass level,
> > -+ union netr_LogonLevel *logon)
> > -+{
> > -+ netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
> > -+}
> > -+
> > - /*
> > - copy a netlogon_creds_CredentialState struct
> > - */
> > -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
> > -index 6bc18d7..110e039 100644
> > ---- a/libcli/auth/proto.h
> > -+++ b/libcli/auth/proto.h
> > -@@ -64,6 +64,12 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential
> > - void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
> > - uint16_t validation_level,
> > - union netr_Validation *validation);
> > -+void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> > -+ enum netr_LogonInfoClass level,
> > -+ union netr_LogonLevel *logon);
> > -+void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> > -+ enum netr_LogonInfoClass level,
> > -+ union netr_LogonLevel *logon);
> > -
> > - /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From d4f36f187d7c87c8daae3f94cdba52225faa19b8 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 24 Apr 2013 12:53:27 +0200
> > -Subject: [PATCH 048/249] libcli/auth: add netlogon_creds_shallow_copy_logon()
> > -
> > -This can be used before netlogon_creds_encrypt_samlogon_logon()
> > -in order to keep the provided buffers unchanged.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 2ea749a1a43a6539b01d36dbe0402a99619444e1)
> > ----
> > - libcli/auth/credentials.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++
> > - libcli/auth/proto.h | 3 ++
> > - 2 files changed, 76 insertions(+)
> > -
> > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > -index 78a8d7a..1f664d3 100644
> > ---- a/libcli/auth/credentials.c
> > -+++ b/libcli/auth/credentials.c
> > -@@ -719,6 +719,79 @@ void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState
> > - netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
> > - }
> > -
> > -+union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
> > -+ enum netr_LogonInfoClass level,
> > -+ const union netr_LogonLevel *in)
> > -+{
> > -+ union netr_LogonLevel *out;
> > -+
> > -+ if (in == NULL) {
> > -+ return NULL;
> > -+ }
> > -+
> > -+ out = talloc(mem_ctx, union netr_LogonLevel);
> > -+ if (out == NULL) {
> > -+ return NULL;
> > -+ }
> > -+
> > -+ *out = *in;
> > -+
> > -+ switch (level) {
> > -+ case NetlogonInteractiveInformation:
> > -+ case NetlogonInteractiveTransitiveInformation:
> > -+ case NetlogonServiceInformation:
> > -+ case NetlogonServiceTransitiveInformation:
> > -+ if (in->password == NULL) {
> > -+ return out;
> > -+ }
> > -+
> > -+ out->password = talloc(out, struct netr_PasswordInfo);
> > -+ if (out->password == NULL) {
> > -+ talloc_free(out);
> > -+ return NULL;
> > -+ }
> > -+ *out->password = *in->password;
> > -+
> > -+ return out;
> > -+
> > -+ case NetlogonNetworkInformation:
> > -+ case NetlogonNetworkTransitiveInformation:
> > -+ break;
> > -+
> > -+ case NetlogonGenericInformation:
> > -+ if (in->generic == NULL) {
> > -+ return out;
> > -+ }
> > -+
> > -+ out->generic = talloc(out, struct netr_GenericInfo);
> > -+ if (out->generic == NULL) {
> > -+ talloc_free(out);
> > -+ return NULL;
> > -+ }
> > -+ *out->generic = *in->generic;
> > -+
> > -+ if (in->generic->data == NULL) {
> > -+ return out;
> > -+ }
> > -+
> > -+ if (in->generic->length == 0) {
> > -+ return out;
> > -+ }
> > -+
> > -+ out->generic->data = talloc_memdup(out->generic,
> > -+ in->generic->data,
> > -+ in->generic->length);
> > -+ if (out->generic->data == NULL) {
> > -+ talloc_free(out);
> > -+ return NULL;
> > -+ }
> > -+
> > -+ return out;
> > -+ }
> > -+
> > -+ return out;
> > -+}
> > -+
> > - /*
> > - copy a netlogon_creds_CredentialState struct
> > - */
> > -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
> > -index 110e039..0c319d3 100644
> > ---- a/libcli/auth/proto.h
> > -+++ b/libcli/auth/proto.h
> > -@@ -70,6 +70,9 @@ void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState
> > - void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> > - enum netr_LogonInfoClass level,
> > - union netr_LogonLevel *logon);
> > -+union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
> > -+ enum netr_LogonInfoClass level,
> > -+ const union netr_LogonLevel *in);
> > -
> > - /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 8cf11ba846fc31ce26020aabcf463817b56580a7 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 24 Apr 2013 16:00:18 +0200
> > -Subject: [PATCH 049/249] s4:netlogon: make use of
> > - netlogon_creds_decrypt_samlogon_logon()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 9d548318da11247ffe8acf505cdb5299090c16f0)
> > ----
> > - source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++---------------------
> > - 1 file changed, 6 insertions(+), 22 deletions(-)
> > -
> > -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -index 70239a4..c41cd02 100644
> > ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -@@ -712,29 +712,15 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
> > - user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
> > - NT_STATUS_HAVE_NO_MEMORY(user_info);
> > -
> > -+ netlogon_creds_decrypt_samlogon_logon(creds,
> > -+ r->in.logon_level,
> > -+ r->in.logon);
> > -+
> > - switch (r->in.logon_level) {
> > - case NetlogonInteractiveInformation:
> > - case NetlogonServiceInformation:
> > - case NetlogonInteractiveTransitiveInformation:
> > - case NetlogonServiceTransitiveInformation:
> > -- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- netlogon_creds_aes_decrypt(creds,
> > -- r->in.logon->password->lmpassword.hash,
> > -- sizeof(r->in.logon->password->lmpassword.hash));
> > -- netlogon_creds_aes_decrypt(creds,
> > -- r->in.logon->password->ntpassword.hash,
> > -- sizeof(r->in.logon->password->ntpassword.hash));
> > -- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> > -- netlogon_creds_arcfour_crypt(creds,
> > -- r->in.logon->password->lmpassword.hash,
> > -- sizeof(r->in.logon->password->lmpassword.hash));
> > -- netlogon_creds_arcfour_crypt(creds,
> > -- r->in.logon->password->ntpassword.hash,
> > -- sizeof(r->in.logon->password->ntpassword.hash));
> > -- } else {
> > -- netlogon_creds_des_decrypt(creds, &r->in.logon->password->lmpassword);
> > -- netlogon_creds_des_decrypt(creds, &r->in.logon->password->ntpassword);
> > -- }
> > -
> > - /* TODO: we need to deny anonymous access here */
> > - nt_status = auth_context_create(mem_ctx,
> > -@@ -788,11 +774,9 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
> > - case NetlogonGenericInformation:
> > - {
> > - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- netlogon_creds_aes_decrypt(creds,
> > -- r->in.logon->generic->data, r->in.logon->generic->length);
> > -+ /* OK */
> > - } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> > -- netlogon_creds_arcfour_crypt(creds,
> > -- r->in.logon->generic->data, r->in.logon->generic->length);
> > -+ /* OK */
> > - } else {
> > - /* Using DES to verify kerberos tickets makes no sense */
> > - return NT_STATUS_INVALID_PARAMETER;
> > ---
> > -1.9.3
> > -
> > -
> > -From 22bdc484af1b1a4ebd9451fd5cde4d3993dd6f0a Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 24 Apr 2013 16:00:44 +0200
> > -Subject: [PATCH 050/249] s3:netlogon: make use of
> > - netlogon_creds_decrypt_samlogon_logon()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 7b3ddd1a0bb41fe84c115555113362044620e484)
> > ----
> > - source3/rpc_server/netlogon/srv_netlog_nt.c | 45 ++++++++++++++---------------
> > - 1 file changed, 21 insertions(+), 24 deletions(-)
> > -
> > -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
> > -index e5ca474..09857b6 100644
> > ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
> > -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
> > -@@ -1467,6 +1467,15 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> > - struct auth_context *auth_context = NULL;
> > - const char *fn;
> > -
> > -+#ifdef DEBUG_PASSWORD
> > -+ logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
> > -+ r->in.logon_level,
> > -+ r->in.logon);
> > -+ if (logon == NULL) {
> > -+ logon = r->in.logon;
> > -+ }
> > -+#endif
> > -+
> > - switch (p->opnum) {
> > - case NDR_NETR_LOGONSAMLOGON:
> > - fn = "_netr_LogonSamLogon";
> > -@@ -1547,6 +1556,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> > -
> > - status = NT_STATUS_OK;
> > -
> > -+ netlogon_creds_decrypt_samlogon_logon(creds,
> > -+ r->in.logon_level,
> > -+ logon);
> > -+
> > - switch (r->in.logon_level) {
> > - case NetlogonNetworkInformation:
> > - case NetlogonNetworkTransitiveInformation:
> > -@@ -1592,32 +1605,16 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> > - uint8_t chal[8];
> > -
> > - #ifdef DEBUG_PASSWORD
> > -- DEBUG(100,("lm owf password:"));
> > -- dump_data(100, logon->password->lmpassword.hash, 16);
> > --
> > -- DEBUG(100,("nt owf password:"));
> > -- dump_data(100, logon->password->ntpassword.hash, 16);
> > --#endif
> > -- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- netlogon_creds_aes_decrypt(creds,
> > -- logon->password->lmpassword.hash,
> > -- 16);
> > -- netlogon_creds_aes_decrypt(creds,
> > -- logon->password->ntpassword.hash,
> > -- 16);
> > -- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> > -- netlogon_creds_arcfour_crypt(creds,
> > -- logon->password->lmpassword.hash,
> > -- 16);
> > -- netlogon_creds_arcfour_crypt(creds,
> > -- logon->password->ntpassword.hash,
> > -- 16);
> > -- } else {
> > -- netlogon_creds_des_decrypt(creds, &logon->password->lmpassword);
> > -- netlogon_creds_des_decrypt(creds, &logon->password->ntpassword);
> > -+ if (logon != r->in.logon) {
> > -+ DEBUG(100,("lm owf password:"));
> > -+ dump_data(100,
> > -+ r->in.logon->password->lmpassword.hash, 16);
> > -+
> > -+ DEBUG(100,("nt owf password:"));
> > -+ dump_data(100,
> > -+ r->in.logon->password->ntpassword.hash, 16);
> > - }
> > -
> > --#ifdef DEBUG_PASSWORD
> > - DEBUG(100,("decrypt of lm owf password:"));
> > - dump_data(100, logon->password->lmpassword.hash, 16);
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From b25c7249bdca17d4b4720a2e8f8ba329c4105e94 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 25 Apr 2013 18:27:57 +0200
> > -Subject: [PATCH 051/249] s3:rpc_client: make rpccli_schannel_bind_data()
> > - static
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 6ce645e03c279cbb2ed8a94f033b8e0601b61ef4)
> > ----
> > - source3/rpc_client/cli_pipe.c | 9 +++++----
> > - source3/rpc_client/cli_pipe.h | 6 ------
> > - 2 files changed, 5 insertions(+), 10 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 1fa8d91..66fa2d2 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2401,10 +2401,11 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> > - return status;
> > - }
> > -
> > --NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
> > -- enum dcerpc_AuthLevel auth_level,
> > -- struct netlogon_creds_CredentialState *creds,
> > -- struct pipe_auth_data **presult)
> > -+static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > -+ const char *domain,
> > -+ enum dcerpc_AuthLevel auth_level,
> > -+ struct netlogon_creds_CredentialState *creds,
> > -+ struct pipe_auth_data **presult)
> > - {
> > - struct schannel_state *schannel_auth;
> > - struct pipe_auth_data *result;
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index 6fcc587..8eb6040 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -58,12 +58,6 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
> > - NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
> > - struct pipe_auth_data **presult);
> > -
> > --NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > -- const char *domain,
> > -- enum dcerpc_AuthLevel auth_level,
> > -- struct netlogon_creds_CredentialState *creds,
> > -- struct pipe_auth_data **presult);
> > --
> > - NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
> > - const char *host,
> > - const struct sockaddr_storage *ss_addr,
> > ---
> > -1.9.3
> > -
> > -
> > -From 9f56e42ba78ce4e1248f06a0cecfc97789aea260 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 25 Apr 2013 18:29:31 +0200
> > -Subject: [PATCH 052/249] s3:rpc_client: use the correct context for
> > - netlogon_creds_copy() in rpccli_schannel_bind_data()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 8a302fc353de8d373a0ec8544da4da6f305ec923)
> > ----
> > - source3/rpc_client/cli_pipe.c | 5 ++++-
> > - 1 file changed, 4 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 66fa2d2..afe8030 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2431,7 +2431,10 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > -
> > - schannel_auth->state = SCHANNEL_STATE_START;
> > - schannel_auth->initiator = true;
> > -- schannel_auth->creds = netlogon_creds_copy(result, creds);
> > -+ schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
> > -+ if (schannel_auth->creds == NULL) {
> > -+ goto fail;
> > -+ }
> > -
> > - result->auth_ctx = schannel_auth;
> > - *presult = result;
> > ---
> > -1.9.3
> > -
> > -
> > -From 08d78b16f0adf1d223f29d613a498878230522be Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 25 Apr 2013 19:43:58 +0200
> > -Subject: [PATCH 053/249] s3:rpc_client: rename same variables in
> > - cli_rpc_pipe_open_schannel_with_key()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 94be8d63cd21fbb9e31bf7a92af82e19c596f94f)
> > ----
> > - source3/rpc_client/cli_pipe.c | 30 +++++++++++++++---------------
> > - 1 file changed, 15 insertions(+), 15 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index afe8030..ec804e7 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -3032,32 +3032,32 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > - struct netlogon_creds_CredentialState **pdc,
> > -- struct rpc_pipe_client **presult)
> > -+ struct rpc_pipe_client **_rpccli)
> > - {
> > -- struct rpc_pipe_client *result;
> > -- struct pipe_auth_data *auth;
> > -+ struct rpc_pipe_client *rpccli;
> > -+ struct pipe_auth_data *rpcauth;
> > - NTSTATUS status;
> > -
> > -- status = cli_rpc_pipe_open(cli, transport, table, &result);
> > -+ status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > -
> > -- status = rpccli_schannel_bind_data(result, domain, auth_level,
> > -- *pdc, &auth);
> > -+ status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
> > -+ *pdc, &rpcauth);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
> > - nt_errstr(status)));
> > -- TALLOC_FREE(result);
> > -+ TALLOC_FREE(rpccli);
> > - return status;
> > - }
> > -
> > -- status = rpc_pipe_bind(result, auth);
> > -+ status = rpc_pipe_bind(rpccli, rpcauth);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
> > - "cli_rpc_pipe_bind failed with error %s\n",
> > - nt_errstr(status) ));
> > -- TALLOC_FREE(result);
> > -+ TALLOC_FREE(rpccli);
> > - return status;
> > - }
> > -
> > -@@ -3065,10 +3065,10 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - * The credentials on a new netlogon pipe are the ones we are passed
> > - * in - copy them over
> > - */
> > -- if (result->dc == NULL) {
> > -- result->dc = netlogon_creds_copy(result, *pdc);
> > -- if (result->dc == NULL) {
> > -- TALLOC_FREE(result);
> > -+ if (rpccli->dc == NULL) {
> > -+ rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
> > -+ if (rpccli->dc == NULL) {
> > -+ TALLOC_FREE(rpccli);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > - }
> > -@@ -3076,9 +3076,9 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> > - "for domain %s and bound using schannel.\n",
> > - get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > -- result->desthost, domain));
> > -+ rpccli->desthost, domain));
> > -
> > -- *presult = result;
> > -+ *_rpccli = rpccli;
> > - return NT_STATUS_OK;
> > - }
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 33991d3ea286fc5da1458ca64aa4fc004547ae04 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 5 Aug 2013 20:26:54 +0200
> > -Subject: [PATCH 054/249] s3:libsmb: remove unused cli_state->is_guestlogin
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 11e0be0e72cfc4bc65ba2b0ffd10cbae3ad69b2d)
> > ----
> > - source3/include/client.h | 1 -
> > - source3/libsmb/cliconnect.c | 5 -----
> > - 2 files changed, 6 deletions(-)
> > -
> > -diff --git a/source3/include/client.h b/source3/include/client.h
> > -index 3f92d6d..59fb104 100644
> > ---- a/source3/include/client.h
> > -+++ b/source3/include/client.h
> > -@@ -72,7 +72,6 @@ struct cli_state {
> > - int timeout; /* in milliseconds. */
> > - int initialised;
> > - int win95;
> > -- bool is_guestlogin;
> > - /* What the server offered. */
> > - uint32_t server_posix_capabilities;
> > - /* What the client requested. */
> > -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
> > -index 13e7704..81bc028 100644
> > ---- a/source3/libsmb/cliconnect.c
> > -+++ b/source3/libsmb/cliconnect.c
> > -@@ -240,7 +240,6 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq)
> > - p = bytes;
> > -
> > - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> > -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> > -
> > - status = smb_bytes_talloc_string(cli,
> > - inhdr,
> > -@@ -448,7 +447,6 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq)
> > - p = bytes;
> > -
> > - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> > -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> > -
> > - status = smb_bytes_talloc_string(cli,
> > - inhdr,
> > -@@ -613,7 +611,6 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq)
> > - p = bytes;
> > -
> > - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> > -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> > -
> > - status = smb_bytes_talloc_string(cli,
> > - inhdr,
> > -@@ -930,7 +927,6 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq)
> > - p = bytes;
> > -
> > - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> > -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> > -
> > - status = smb_bytes_talloc_string(cli,
> > - inhdr,
> > -@@ -1180,7 +1176,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
> > - state->inbuf = in;
> > - inhdr = in + NBT_HDR_SIZE;
> > - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> > -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> > -
> > - blob_length = SVAL(vwv+3, 0);
> > - if (blob_length > num_bytes) {
> > ---
> > -1.9.3
> > -
> > -
> > -From 937a0f2fc020e12c21c10597a889275614603add Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 15 Jun 2013 09:41:52 +0200
> > -Subject: [PATCH 055/249] s3:auth_domain: try to use NETLOGON_NEG_SUPPORTS_AES
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit d82ab70579ff2bcb69f997068482b198f321d1ef)
> > ----
> > - source3/auth/auth_domain.c | 3 ++-
> > - 1 file changed, 2 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > -index 54ee5a1..06078e2 100644
> > ---- a/source3/auth/auth_domain.c
> > -+++ b/source3/auth/auth_domain.c
> > -@@ -133,7 +133,8 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > -
> > - if (!lp_client_schannel()) {
> > - /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -+ NETLOGON_NEG_SUPPORTS_AES;
> > - enum netr_SchannelType sec_chan_type = 0;
> > - unsigned char machine_pwd[16];
> > - const char *account_name;
> > ---
> > -1.9.3
> > -
> > -
> > -From 981a88bb20cef572e5573ee2f18115a6e395fbf9 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 15 Jun 2013 09:41:52 +0200
> > -Subject: [PATCH 056/249] s3:libnet_join: try to use NETLOGON_NEG_SUPPORTS_AES
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit beba32619a91977543f882432fd08acc9de78fd3)
> > ----
> > - source3/libnet/libnet_join.c | 3 ++-
> > - 1 file changed, 2 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index d8ec235..c1eccda 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -1194,7 +1194,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > - const char *dc_name,
> > - const bool use_kerberos)
> > - {
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -+ NETLOGON_NEG_SUPPORTS_AES;
> > - struct cli_state *cli = NULL;
> > - struct rpc_pipe_client *pipe_hnd = NULL;
> > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > ---
> > -1.9.3
> > -
> > -
> > -From 846a35f004850695ca7c9d4597cd8729bb7c99e3 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 15 Jun 2013 09:41:52 +0200
> > -Subject: [PATCH 057/249] s3:rpc_client: try to use NETLOGON_NEG_SUPPORTS_AES
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 04600634b3e761d7c56f699fd4ba80b4cd2926a1)
> > ----
> > - source3/rpc_client/cli_netlogon.c | 3 ++-
> > - source3/rpc_client/cli_pipe_schannel.c | 6 ++++--
> > - 2 files changed, 6 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index 3d6a3e1..5e8a2fc 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -610,7 +610,8 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > - struct dcerpc_binding_handle *b = cli->binding_handle;
> > -
> > - if (!cli->dc) {
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -+ NETLOGON_NEG_SUPPORTS_AES;
> > - result = rpccli_netlogon_setup_creds(cli,
> > - cli->desthost, /* server name */
> > - lp_workgroup(), /* domain */
> > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > -index bc672ef..de745c0 100644
> > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > -@@ -136,7 +136,8 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > - const char *password,
> > - struct rpc_pipe_client **presult)
> > - {
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -+ NETLOGON_NEG_SUPPORTS_AES;
> > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > - struct rpc_pipe_client *result = NULL;
> > - NTSTATUS status;
> > -@@ -175,7 +176,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > - const char *domain,
> > - struct rpc_pipe_client **presult)
> > - {
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -+ NETLOGON_NEG_SUPPORTS_AES;
> > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > - struct rpc_pipe_client *result = NULL;
> > - NTSTATUS status;
> > ---
> > -1.9.3
> > -
> > -
> > -From a56391bc8cbe1fa9142d0a20f4bf977538f27e67 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 15 Jun 2013 09:41:52 +0200
> > -Subject: [PATCH 058/249] s3:rpcclient: try to use NETLOGON_NEG_SUPPORTS_AES
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit e77a64f505fc43628e487e832033d0cd8ec4de8e)
> > ----
> > - source3/rpcclient/cmd_netlogon.c | 3 ++-
> > - source3/rpcclient/rpcclient.c | 3 ++-
> > - 2 files changed, 4 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > -index 01d6da4..d92434b 100644
> > ---- a/source3/rpcclient/cmd_netlogon.c
> > -+++ b/source3/rpcclient/cmd_netlogon.c
> > -@@ -1120,7 +1120,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > - NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
> > - NTSTATUS result;
> > - const char *server_name = cli->desthost;
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -+ NETLOGON_NEG_SUPPORTS_AES;
> > - struct netr_Authenticator clnt_creds, srv_cred;
> > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > - unsigned char trust_passwd_hash[16];
> > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > -index 9bf296e..cb7b70f 100644
> > ---- a/source3/rpcclient/rpcclient.c
> > -+++ b/source3/rpcclient/rpcclient.c
> > -@@ -758,7 +758,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > -
> > - if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
> > - &ndr_table_netlogon.syntax_id)) {
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -+ NETLOGON_NEG_SUPPORTS_AES;
> > - enum netr_SchannelType sec_channel_type;
> > - uchar trust_password[16];
> > - const char *machine_account;
> > ---
> > -1.9.3
> > -
> > -
> > -From 06c4ff36efc63ef014c449602dc314ca4e7016bd Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 25 Apr 2013 19:57:09 +0200
> > -Subject: [PATCH 059/249] s3:rpc_client: fix/add AES downgrade detection to
> > - rpc_pipe_bind_step_two_done()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 90e28c1825b2c48714d7b34fdb57d3878116d07e)
> > ----
> > - source3/rpc_client/cli_pipe.c | 19 +++++++------------
> > - 1 file changed, 7 insertions(+), 12 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index ec804e7..c354a6f 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -1828,8 +1828,7 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
> > - status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
> > - TALLOC_FREE(subreq);
> > - if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > -- if (state->cli->dc && state->cli->dc->negotiate_flags &
> > -- NETLOGON_NEG_SUPPORTS_AES) {
> > -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > - DEBUG(5, ("AES is not supported and the error was %s\n",
> > - nt_errstr(status)));
> > - tevent_req_nterror(req,
> > -@@ -1880,9 +1879,6 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
> > - return;
> > - }
> > -
> > -- TALLOC_FREE(state->cli->dc);
> > -- state->cli->dc = talloc_steal(state->cli, state->creds);
> > --
> > - if (!NT_STATUS_IS_OK(state->r.out.result)) {
> > - DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
> > - nt_errstr(state->r.out.result)));
> > -@@ -1890,18 +1886,17 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
> > - return;
> > - }
> > -
> > -- if (state->creds->negotiate_flags !=
> > -- state->r.out.capabilities->server_capabilities) {
> > -- DEBUG(0, ("The client capabilities don't match the server "
> > -- "capabilities: local[0x%08X] remote[0x%08X]\n",
> > -- state->creds->negotiate_flags,
> > -- state->capabilities.server_capabilities));
> > -+ if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
> > -+ DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
> > -+ "but AES was not negotiated - downgrade detected",
> > -+ state->cli->desthost));
> > - tevent_req_nterror(req,
> > - NT_STATUS_INVALID_NETWORK_RESPONSE);
> > - return;
> > - }
> > -
> > -- /* TODO: Add downgrade dectection. */
> > -+ TALLOC_FREE(state->cli->dc);
> > -+ state->cli->dc = talloc_move(state->cli, &state->creds);
> > -
> > - tevent_req_done(req);
> > - return;
> > ---
> > -1.9.3
> > -
> > -
> > -From e6416b9fe5019c3ce1aa8ecf42d73125a049338f Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 25 Apr 2013 19:45:52 +0200
> > -Subject: [PATCH 060/249] s3:rpc_client: use netlogon_creds_copy before
> > - rpc_pipe_bind
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit e9c8e3fb92143525f846523e446e2213e5b55d9d)
> > ----
> > - source3/rpc_client/cli_pipe.c | 24 ++++++++++++------------
> > - 1 file changed, 12 insertions(+), 12 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index c354a6f..eb172db 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -3047,6 +3047,18 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - return status;
> > - }
> > -
> > -+ /*
> > -+ * The credentials on a new netlogon pipe are the ones we are passed
> > -+ * in - copy them over
> > -+ *
> > -+ * This may get overwritten... in rpc_pipe_bind()...
> > -+ */
> > -+ rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
> > -+ if (rpccli->dc == NULL) {
> > -+ TALLOC_FREE(rpccli);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > - status = rpc_pipe_bind(rpccli, rpcauth);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
> > -@@ -3056,18 +3068,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - return status;
> > - }
> > -
> > -- /*
> > -- * The credentials on a new netlogon pipe are the ones we are passed
> > -- * in - copy them over
> > -- */
> > -- if (rpccli->dc == NULL) {
> > -- rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
> > -- if (rpccli->dc == NULL) {
> > -- TALLOC_FREE(rpccli);
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > -- }
> > --
> > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> > - "for domain %s and bound using schannel.\n",
> > - get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > ---
> > -1.9.3
> > -
> > -
> > -From 1836ea96ed7dd055278fd6cac3f69a06ea979ea2 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 25 Apr 2013 19:34:13 +0200
> > -Subject: [PATCH 061/249] s3:rpc_client: add netr_LogonGetCapabilities to
> > - cli_rpc_pipe_open_schannel_with_key()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit eecb5bafba5b362d4fdf33d6a2a32e4ee56f30a4)
> > ----
> > - source3/rpc_client/cli_pipe.c | 101 ++++++++++++++++++++++++++++++++++++++++++
> > - 1 file changed, 101 insertions(+)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index eb172db..314eb92 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -3032,6 +3032,11 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - struct rpc_pipe_client *rpccli;
> > - struct pipe_auth_data *rpcauth;
> > - NTSTATUS status;
> > -+ NTSTATUS result;
> > -+ struct netlogon_creds_CredentialState save_creds;
> > -+ struct netr_Authenticator auth;
> > -+ struct netr_Authenticator return_auth;
> > -+ union netr_Capabilities capabilities;
> > -
> > - status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -@@ -3068,6 +3073,102 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - return status;
> > - }
> > -
> > -+ if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ save_creds = *rpccli->dc;
> > -+ ZERO_STRUCT(return_auth);
> > -+ ZERO_STRUCT(capabilities);
> > -+
> > -+ netlogon_creds_client_authenticator(&save_creds, &auth);
> > -+
> > -+ status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
> > -+ talloc_tos(),
> > -+ rpccli->srv_name_slash,
> > -+ save_creds.computer_name,
> > -+ &auth, &return_auth,
> > -+ 1, &capabilities,
> > -+ &result);
> > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > -+ if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -+ DEBUG(5, ("AES was negotiated and the error was %s - "
> > -+ "downgrade detected\n",
> > -+ nt_errstr(status)));
> > -+ TALLOC_FREE(rpccli);
> > -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > -+ }
> > -+
> > -+ /* This is probably an old Samba Version */
> > -+ DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
> > -+ nt_errstr(status)));
> > -+ goto done;
> > -+ }
> > -+
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
> > -+ nt_errstr(status)));
> > -+ TALLOC_FREE(rpccli);
> > -+ return status;
> > -+ }
> > -+
> > -+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
> > -+ if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -+ /* This means AES isn't supported. */
> > -+ DEBUG(5, ("AES was negotiated and the result was %s - "
> > -+ "downgrade detected\n",
> > -+ nt_errstr(result)));
> > -+ TALLOC_FREE(rpccli);
> > -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > -+ }
> > -+
> > -+ /* This is probably an old Windows version */
> > -+ DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
> > -+ nt_errstr(result)));
> > -+ goto done;
> > -+ }
> > -+
> > -+ /*
> > -+ * We need to check the credential state here, cause win2k3 and earlier
> > -+ * returns NT_STATUS_NOT_IMPLEMENTED
> > -+ */
> > -+ if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
> > -+ /*
> > -+ * Server replied with bad credential. Fail.
> > -+ */
> > -+ DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
> > -+ "replied with bad credential\n",
> > -+ rpccli->desthost));
> > -+ TALLOC_FREE(rpccli);
> > -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > -+ }
> > -+ *rpccli->dc = save_creds;
> > -+
> > -+ if (!NT_STATUS_IS_OK(result)) {
> > -+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
> > -+ nt_errstr(result)));
> > -+ TALLOC_FREE(rpccli);
> > -+ return result;
> > -+ }
> > -+
> > -+ if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
> > -+ /* This means AES isn't supported. */
> > -+ DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
> > -+ "was OK - downgrade detected\n"));
> > -+ TALLOC_FREE(rpccli);
> > -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > -+ }
> > -+
> > -+ if (save_creds.negotiate_flags != capabilities.server_capabilities) {
> > -+ DEBUG(0, ("The client capabilities don't match the server "
> > -+ "capabilities: local[0x%08X] remote[0x%08X]\n",
> > -+ save_creds.negotiate_flags,
> > -+ capabilities.server_capabilities));
> > -+ TALLOC_FREE(rpccli);
> > -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > -+ }
> > -+
> > -+done:
> > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> > - "for domain %s and bound using schannel.\n",
> > - get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > ---
> > -1.9.3
> > -
> > -
> > -From 675be19880c2ac4bca14d69592ce39bb66a34dec Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 25 Apr 2013 18:30:36 +0200
> > -Subject: [PATCH 062/249] s3:rpc_client: remove netr_LogonGetCapabilities check
> > - from rpc_pipe_bind*
> > -
> > -It's done in the caller now.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 3302356226cca474f0afab9a129220241c16663f)
> > ----
> > - source3/rpc_client/cli_pipe.c | 150 +-----------------------------------------
> > - 1 file changed, 1 insertion(+), 149 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 314eb92..cba055a 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -1568,15 +1568,9 @@ struct rpc_pipe_bind_state {
> > - DATA_BLOB rpc_out;
> > - bool auth3;
> > - uint32_t rpc_call_id;
> > -- struct netr_Authenticator auth;
> > -- struct netr_Authenticator return_auth;
> > -- struct netlogon_creds_CredentialState *creds;
> > -- union netr_Capabilities capabilities;
> > -- struct netr_LogonGetCapabilities r;
> > - };
> > -
> > - static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
> > --static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req);
> > - static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
> > - struct rpc_pipe_bind_state *state,
> > - DATA_BLOB *credentials);
> > -@@ -1679,14 +1673,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
> > -
> > - case DCERPC_AUTH_TYPE_NONE:
> > - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
> > -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> > - /* Bind complete. */
> > - tevent_req_done(req);
> > - return;
> > -
> > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > -- rpc_pipe_bind_step_two_trigger(req);
> > -- return;
> > --
> > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > - case DCERPC_AUTH_TYPE_SPNEGO:
> > - case DCERPC_AUTH_TYPE_KRB5:
> > -@@ -1763,145 +1754,6 @@ err_out:
> > - tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
> > - }
> > -
> > --static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq);
> > --
> > --static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req)
> > --{
> > -- struct rpc_pipe_bind_state *state =
> > -- tevent_req_data(req,
> > -- struct rpc_pipe_bind_state);
> > -- struct dcerpc_binding_handle *b = state->cli->binding_handle;
> > -- struct schannel_state *schannel_auth =
> > -- talloc_get_type_abort(state->cli->auth->auth_ctx,
> > -- struct schannel_state);
> > -- struct tevent_req *subreq;
> > --
> > -- if (schannel_auth == NULL ||
> > -- !ndr_syntax_id_equal(&state->cli->abstract_syntax,
> > -- &ndr_table_netlogon.syntax_id)) {
> > -- tevent_req_done(req);
> > -- return;
> > -- }
> > --
> > -- ZERO_STRUCT(state->return_auth);
> > --
> > -- state->creds = netlogon_creds_copy(state, schannel_auth->creds);
> > -- if (state->creds == NULL) {
> > -- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
> > -- return;
> > -- }
> > --
> > -- netlogon_creds_client_authenticator(state->creds, &state->auth);
> > --
> > -- state->r.in.server_name = state->cli->srv_name_slash;
> > -- state->r.in.computer_name = state->creds->computer_name;
> > -- state->r.in.credential = &state->auth;
> > -- state->r.in.query_level = 1;
> > -- state->r.in.return_authenticator = &state->return_auth;
> > --
> > -- state->r.out.capabilities = &state->capabilities;
> > -- state->r.out.return_authenticator = &state->return_auth;
> > --
> > -- subreq = dcerpc_netr_LogonGetCapabilities_r_send(talloc_tos(),
> > -- state->ev,
> > -- b,
> > -- &state->r);
> > -- if (subreq == NULL) {
> > -- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
> > -- return;
> > -- }
> > --
> > -- tevent_req_set_callback(subreq, rpc_pipe_bind_step_two_done, req);
> > -- return;
> > --}
> > --
> > --static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
> > --{
> > -- struct tevent_req *req =
> > -- tevent_req_callback_data(subreq,
> > -- struct tevent_req);
> > -- struct rpc_pipe_bind_state *state =
> > -- tevent_req_data(req,
> > -- struct rpc_pipe_bind_state);
> > -- NTSTATUS status;
> > --
> > -- status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
> > -- TALLOC_FREE(subreq);
> > -- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- DEBUG(5, ("AES is not supported and the error was %s\n",
> > -- nt_errstr(status)));
> > -- tevent_req_nterror(req,
> > -- NT_STATUS_INVALID_NETWORK_RESPONSE);
> > -- return;
> > -- }
> > --
> > -- /* This is probably NT */
> > -- DEBUG(5, ("We are checking against an NT - %s\n",
> > -- nt_errstr(status)));
> > -- tevent_req_done(req);
> > -- return;
> > -- } else if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
> > -- nt_errstr(status)));
> > -- tevent_req_nterror(req, status);
> > -- return;
> > -- }
> > --
> > -- if (NT_STATUS_EQUAL(state->r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
> > -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- /* This means AES isn't supported. */
> > -- DEBUG(5, ("AES is not supported and the error was %s\n",
> > -- nt_errstr(state->r.out.result)));
> > -- tevent_req_nterror(req,
> > -- NT_STATUS_INVALID_NETWORK_RESPONSE);
> > -- return;
> > -- }
> > --
> > -- /* This is probably an old Samba version */
> > -- DEBUG(5, ("We are checking against an old Samba version - %s\n",
> > -- nt_errstr(state->r.out.result)));
> > -- tevent_req_done(req);
> > -- return;
> > -- }
> > --
> > -- /* We need to check the credential state here, cause win2k3 and earlier
> > -- * returns NT_STATUS_NOT_IMPLEMENTED */
> > -- if (!netlogon_creds_client_check(state->creds,
> > -- &state->r.out.return_authenticator->cred)) {
> > -- /*
> > -- * Server replied with bad credential. Fail.
> > -- */
> > -- DEBUG(0,("rpc_pipe_bind_step_two_done: server %s "
> > -- "replied with bad credential\n",
> > -- state->cli->desthost));
> > -- tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
> > -- return;
> > -- }
> > --
> > -- if (!NT_STATUS_IS_OK(state->r.out.result)) {
> > -- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
> > -- nt_errstr(state->r.out.result)));
> > -- tevent_req_nterror(req, state->r.out.result);
> > -- return;
> > -- }
> > --
> > -- if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
> > -- DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
> > -- "but AES was not negotiated - downgrade detected",
> > -- state->cli->desthost));
> > -- tevent_req_nterror(req,
> > -- NT_STATUS_INVALID_NETWORK_RESPONSE);
> > -- return;
> > -- }
> > --
> > -- TALLOC_FREE(state->cli->dc);
> > -- state->cli->dc = talloc_move(state->cli, &state->creds);
> > --
> > -- tevent_req_done(req);
> > -- return;
> > --}
> > --
> > - static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
> > - struct rpc_pipe_bind_state *state,
> > - DATA_BLOB *auth_token)
> > ---
> > -1.9.3
> > -
> > -
> > -From f9b4e38b8458ec905b5f78e402f21f23c4a967e1 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 25 Apr 2013 19:33:28 +0200
> > -Subject: [PATCH 063/249] s3:rpc_client: remove unused
> > - cli_rpc_pipe_open_ntlmssp_auth_schannel()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 04938cbeecc777f7b799a11f1ca0461b351d968a)
> > ----
> > - source3/rpc_client/cli_pipe.h | 9 ----
> > - source3/rpc_client/cli_pipe_schannel.c | 80 ----------------------------------
> > - 2 files changed, 89 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index 8eb6040..ab99373 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -109,15 +109,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - struct netlogon_creds_CredentialState **pdc,
> > - struct rpc_pipe_client **presult);
> > -
> > --NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > -- const struct ndr_interface_table *table,
> > -- enum dcerpc_transport_t transport,
> > -- enum dcerpc_AuthLevel auth_level,
> > -- const char *domain,
> > -- const char *username,
> > -- const char *password,
> > -- struct rpc_pipe_client **presult);
> > --
> > - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > - const struct ndr_interface_table *table,
> > - enum dcerpc_transport_t transport,
> > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > -index de745c0..aaae44b 100644
> > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > -@@ -86,86 +86,6 @@ static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon
> > -
> > - /****************************************************************************
> > - Open a named pipe to an SMB server and bind using schannel (bind type 68).
> > -- Fetch the session key ourselves using a temporary netlogon pipe. This
> > -- version uses an ntlmssp auth bound netlogon pipe to get the key.
> > -- ****************************************************************************/
> > --
> > --static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
> > -- const char *domain,
> > -- const char *username,
> > -- const char *password,
> > -- uint32 *pneg_flags,
> > -- struct rpc_pipe_client **presult)
> > --{
> > -- struct rpc_pipe_client *netlogon_pipe = NULL;
> > -- NTSTATUS status;
> > --
> > -- status = cli_rpc_pipe_open_spnego(
> > -- cli, &ndr_table_netlogon, NCACN_NP,
> > -- GENSEC_OID_NTLMSSP,
> > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > -- smbXcli_conn_remote_name(cli->conn),
> > -- domain, username, password, &netlogon_pipe);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > --
> > -- status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
> > -- pneg_flags);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- TALLOC_FREE(netlogon_pipe);
> > -- return status;
> > -- }
> > --
> > -- *presult = netlogon_pipe;
> > -- return NT_STATUS_OK;
> > --}
> > --
> > --/****************************************************************************
> > -- Open a named pipe to an SMB server and bind using schannel (bind type 68).
> > -- Fetch the session key ourselves using a temporary netlogon pipe. This version
> > -- uses an ntlmssp bind to get the session key.
> > -- ****************************************************************************/
> > --
> > --NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > -- const struct ndr_interface_table *table,
> > -- enum dcerpc_transport_t transport,
> > -- enum dcerpc_AuthLevel auth_level,
> > -- const char *domain,
> > -- const char *username,
> > -- const char *password,
> > -- struct rpc_pipe_client **presult)
> > --{
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -- NETLOGON_NEG_SUPPORTS_AES;
> > -- struct rpc_pipe_client *netlogon_pipe = NULL;
> > -- struct rpc_pipe_client *result = NULL;
> > -- NTSTATUS status;
> > --
> > -- status = get_schannel_session_key_auth_ntlmssp(
> > -- cli, domain, username, password, &neg_flags, &netlogon_pipe);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
> > -- "key from server %s for domain %s.\n",
> > -- smbXcli_conn_remote_name(cli->conn), domain ));
> > -- return status;
> > -- }
> > --
> > -- status = cli_rpc_pipe_open_schannel_with_key(
> > -- cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
> > -- &result);
> > --
> > -- /* Now we've bound using the session key we can close the netlog pipe. */
> > -- TALLOC_FREE(netlogon_pipe);
> > --
> > -- if (NT_STATUS_IS_OK(status)) {
> > -- *presult = result;
> > -- }
> > -- return status;
> > --}
> > --
> > --/****************************************************************************
> > -- Open a named pipe to an SMB server and bind using schannel (bind type 68).
> > - Fetch the session key ourselves using a temporary netlogon pipe.
> > - ****************************************************************************/
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 35d07a4d7ca15e4cf22f7cc96d6958c9856dc0a0 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 3 Aug 2013 11:26:13 +0200
> > -Subject: [PATCH 064/249] auth/gensec: first check GENSEC_FEATURE_SESSION_KEY
> > - before returning NOT_IMPLEMENTED
> > -
> > -Preferr NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key().
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 45c74c8084d2db14fef6a79cd98068be2ab73f30)
> > ----
> > - auth/gensec/gensec.c | 7 ++++---
> > - 1 file changed, 4 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
> > -index ea62861..9a8f0ef 100644
> > ---- a/auth/gensec/gensec.c
> > -+++ b/auth/gensec/gensec.c
> > -@@ -155,13 +155,14 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
> > - TALLOC_CTX *mem_ctx,
> > - DATA_BLOB *session_key)
> > - {
> > -- if (!gensec_security->ops->session_key) {
> > -- return NT_STATUS_NOT_IMPLEMENTED;
> > -- }
> > - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
> > - return NT_STATUS_NO_USER_SESSION_KEY;
> > - }
> > -
> > -+ if (!gensec_security->ops->session_key) {
> > -+ return NT_STATUS_NOT_IMPLEMENTED;
> > -+ }
> > -+
> > - return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
> > - }
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 6eda030bd26347cef3fb670b0876956c97c00bfa Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 3 Aug 2013 11:43:58 +0200
> > -Subject: [PATCH 065/249] auth/gensec: add gensec_security_by_auth_type()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 59b09564a7edac8dc241269587146342244ce58b)
> > ----
> > - auth/gensec/gensec.h | 3 +++
> > - auth/gensec/gensec_start.c | 26 ++++++++++++++++++++++++++
> > - 2 files changed, 29 insertions(+)
> > -
> > -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> > -index 396a16d..c080861 100644
> > ---- a/auth/gensec/gensec.h
> > -+++ b/auth/gensec/gensec.h
> > -@@ -268,6 +268,9 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security
> > - const char *oid_string);
> > - const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
> > - const char *sasl_name);
> > -+const struct gensec_security_ops *gensec_security_by_auth_type(
> > -+ struct gensec_security *gensec_security,
> > -+ uint32_t auth_type);
> > - struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
> > - TALLOC_CTX *mem_ctx);
> > - const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > -index e46f0ee..c2cfa1c 100644
> > ---- a/auth/gensec/gensec_start.c
> > -+++ b/auth/gensec/gensec_start.c
> > -@@ -246,6 +246,32 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
> > - return NULL;
> > - }
> > -
> > -+_PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
> > -+ struct gensec_security *gensec_security,
> > -+ uint32_t auth_type)
> > -+{
> > -+ int i;
> > -+ struct gensec_security_ops **backends;
> > -+ const struct gensec_security_ops *backend;
> > -+ TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > -+ if (!mem_ctx) {
> > -+ return NULL;
> > -+ }
> > -+ backends = gensec_security_mechs(gensec_security, mem_ctx);
> > -+ for (i=0; backends && backends[i]; i++) {
> > -+ if (!gensec_security_ops_enabled(backends[i], gensec_security))
> > -+ continue;
> > -+ if (backends[i]->auth_type == auth_type) {
> > -+ backend = backends[i];
> > -+ talloc_free(mem_ctx);
> > -+ return backend;
> > -+ }
> > -+ }
> > -+ talloc_free(mem_ctx);
> > -+
> > -+ return NULL;
> > -+}
> > -+
> > - static const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
> > - const char *name)
> > - {
> > ---
> > -1.9.3
> > -
> > -
> > -From f4e1506ed3a032d38605207f592cbc4ece93a414 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 24 Apr 2013 12:33:28 +0200
> > -Subject: [PATCH 066/249] libcli/auth: maintain the sequence number for the
> > - NETLOGON SSP as 64bit
> > -
> > -See [MS-NPRC] 3.3.4.2 The Netlogon Signature Token.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 9f2e81ae02549369db49c05edf7071612a03a8b8)
> > ----
> > - libcli/auth/schannel.h | 2 +-
> > - libcli/auth/schannel_sign.c | 17 +++++++++++++----
> > - source3/librpc/rpc/dcerpc_helpers.c | 4 ++--
> > - 3 files changed, 16 insertions(+), 7 deletions(-)
> > -
> > -diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
> > -index bfccd95..271b5bb 100644
> > ---- a/libcli/auth/schannel.h
> > -+++ b/libcli/auth/schannel.h
> > -@@ -30,7 +30,7 @@ enum schannel_position {
> > -
> > - struct schannel_state {
> > - enum schannel_position state;
> > -- uint32_t seq_num;
> > -+ uint64_t seq_num;
> > - bool initiator;
> > - struct netlogon_creds_CredentialState *creds;
> > - };
> > -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> > -index 1871da2..6e5d454 100644
> > ---- a/libcli/auth/schannel_sign.c
> > -+++ b/libcli/auth/schannel_sign.c
> > -@@ -24,6 +24,17 @@
> > - #include "../libcli/auth/schannel.h"
> > - #include "../lib/crypto/crypto.h"
> > -
> > -+#define SETUP_SEQNUM(state, buf, initiator) do { \
> > -+ uint8_t *_buf = buf; \
> > -+ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
> > -+ uint32_t _seq_num_high = (state)->seq_num >> 32; \
> > -+ if (initiator) { \
> > -+ _seq_num_high |= 0x80000000; \
> > -+ } \
> > -+ RSIVAL(_buf, 0, _seq_num_low); \
> > -+ RSIVAL(_buf, 4, _seq_num_high); \
> > -+} while(0)
> > -+
> > - static void netsec_offset_and_sizes(struct schannel_state *state,
> > - bool do_seal,
> > - uint32_t *_min_sig_size,
> > -@@ -255,8 +266,7 @@ NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > - confounder = NULL;
> > - }
> > -
> > -- RSIVAL(seq_num, 0, state->seq_num);
> > -- SIVAL(seq_num, 4, state->initiator?0:0x80);
> > -+ SETUP_SEQNUM(state, seq_num, !state->initiator);
> > -
> > - if (do_unseal) {
> > - netsec_do_seal(state, seq_num,
> > -@@ -325,8 +335,7 @@ NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > - &checksum_length,
> > - &confounder_ofs);
> > -
> > -- RSIVAL(seq_num, 0, state->seq_num);
> > -- SIVAL(seq_num, 4, state->initiator?0x80:0);
> > -+ SETUP_SEQNUM(state, seq_num, state->initiator);
> > -
> > - if (do_seal) {
> > - confounder = _confounder;
> > -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
> > -index a55e419..0095990 100644
> > ---- a/source3/librpc/rpc/dcerpc_helpers.c
> > -+++ b/source3/librpc/rpc/dcerpc_helpers.c
> > -@@ -462,8 +462,8 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
> > - return NT_STATUS_INVALID_PARAMETER;
> > - }
> > -
> > -- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
> > -- sas->seq_num));
> > -+ DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
> > -+ (unsigned long long)sas->seq_num));
> > -
> > - switch (auth_level) {
> > - case DCERPC_AUTH_LEVEL_PRIVACY:
> > ---
> > -1.9.3
> > -
> > -
> > -From f99afc1924dbb267e696bbdf26db606a8c77f093 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 2 Aug 2013 12:53:42 +0200
> > -Subject: [PATCH 067/249] libcli/auth: add netsec_create_state()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 33215398f32c76f4b8ada7b547c6d0741cb2ac16)
> > ----
> > - libcli/auth/schannel_proto.h | 3 +++
> > - libcli/auth/schannel_sign.c | 23 +++++++++++++++++++++++
> > - 2 files changed, 26 insertions(+)
> > -
> > -diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
> > -index 0414218..da76559 100644
> > ---- a/libcli/auth/schannel_proto.h
> > -+++ b/libcli/auth/schannel_proto.h
> > -@@ -28,6 +28,9 @@ struct schannel_state;
> > - struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
> > - struct loadparm_context *lp_ctx);
> > -
> > -+struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_CredentialState *creds,
> > -+ bool initiator);
> > - NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > - bool do_unseal,
> > - uint8_t *data, size_t length,
> > -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> > -index 6e5d454..518a6a9 100644
> > ---- a/libcli/auth/schannel_sign.c
> > -+++ b/libcli/auth/schannel_sign.c
> > -@@ -35,6 +35,29 @@
> > - RSIVAL(_buf, 4, _seq_num_high); \
> > - } while(0)
> > -
> > -+struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_CredentialState *creds,
> > -+ bool initiator)
> > -+{
> > -+ struct schannel_state *state;
> > -+
> > -+ state = talloc(mem_ctx, struct schannel_state);
> > -+ if (state == NULL) {
> > -+ return NULL;
> > -+ }
> > -+
> > -+ state->state = SCHANNEL_STATE_UPDATE_1;
> > -+ state->initiator = initiator;
> > -+ state->seq_num = 0;
> > -+ state->creds = netlogon_creds_copy(state, creds);
> > -+ if (state->creds == NULL) {
> > -+ talloc_free(state);
> > -+ return NULL;
> > -+ }
> > -+
> > -+ return state;
> > -+}
> > -+
> > - static void netsec_offset_and_sizes(struct schannel_state *state,
> > - bool do_seal,
> > - uint32_t *_min_sig_size,
> > ---
> > -1.9.3
> > -
> > -
> > -From f13417a00173fcde96417773a1a551caced24c8b Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 2 Aug 2013 13:28:11 +0200
> > -Subject: [PATCH 068/249] s3:cli_pipe: make use of netsec_create_state()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit e96142fc439efb7c90719f9c387778c4218ae637)
> > ----
> > - source3/rpc_client/cli_pipe.c | 9 +--------
> > - 1 file changed, 1 insertion(+), 8 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index cba055a..9e979b0 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2271,18 +2271,11 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > - goto fail;
> > - }
> > -
> > -- schannel_auth = talloc_zero(result, struct schannel_state);
> > -+ schannel_auth = netsec_create_state(result, creds, true /* initiator */);
> > - if (schannel_auth == NULL) {
> > - goto fail;
> > - }
> > -
> > -- schannel_auth->state = SCHANNEL_STATE_START;
> > -- schannel_auth->initiator = true;
> > -- schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
> > -- if (schannel_auth->creds == NULL) {
> > -- goto fail;
> > -- }
> > --
> > - result->auth_ctx = schannel_auth;
> > - *presult = result;
> > - return NT_STATUS_OK;
> > ---
> > -1.9.3
> > -
> > -
> > -From becf68bc072fdfab4489326d148775ebdbe27fda Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 2 Aug 2013 13:28:59 +0200
> > -Subject: [PATCH 069/249] s3:cli_pipe: pass down creds->computer_name to
> > - NL_AUTH_MESSAGE
> > -
> > -We need to use the same computer_name value as in the netr_Authenticate3()
> > -request.
> > -
> > -We abuse cli->auth->user_name to pass the value down.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 838cb539621ef19cac6badb4b10678dcc3a6f68a)
> > ----
> > - source3/rpc_client/cli_pipe.c | 13 ++++++-------
> > - 1 file changed, 6 insertions(+), 7 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 9e979b0..1de71fb 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -1027,13 +1027,12 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> > - NTSTATUS status;
> > - struct NL_AUTH_MESSAGE r;
> > -
> > -- /* Use lp_workgroup() if domain not specified */
> > -+ if (!cli->auth->user_name || !cli->auth->user_name[0]) {
> > -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> > -+ }
> > -
> > - if (!cli->auth->domain || !cli->auth->domain[0]) {
> > -- cli->auth->domain = talloc_strdup(cli, lp_workgroup());
> > -- if (cli->auth->domain == NULL) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> > - }
> > -
> > - /*
> > -@@ -1044,7 +1043,7 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> > - r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > - NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> > - r.oem_netbios_domain.a = cli->auth->domain;
> > -- r.oem_netbios_computer.a = lp_netbios_name();
> > -+ r.oem_netbios_computer.a = cli->auth->user_name;
> > -
> > - status = dcerpc_push_schannel_bind(cli, &r, auth_token);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -@@ -2265,7 +2264,7 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > - result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
> > - result->auth_level = auth_level;
> > -
> > -- result->user_name = talloc_strdup(result, "");
> > -+ result->user_name = talloc_strdup(result, creds->computer_name);
> > - result->domain = talloc_strdup(result, domain);
> > - if ((result->user_name == NULL) || (result->domain == NULL)) {
> > - goto fail;
> > ---
> > -1.9.3
> > -
> > -
> > -From b447ab32047f33d306ee891d1d3fe2ae5a8c56f1 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 3 Aug 2013 08:50:54 +0200
> > -Subject: [PATCH 070/249] s3:cli_pipe.c: return NO_USER_SESSION_KEY in
> > - cli_get_session_key() for schannel
> > -
> > -SCHANNEL connections don't have a user session key,
> > -they're like anonymous connections.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit af4dc306846a30a5a1201306cc2cbf4d494e16e7)
> > ----
> > - source3/rpc_client/cli_pipe.c | 7 -------
> > - 1 file changed, 7 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 1de71fb..470469f 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -3091,7 +3091,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> > - {
> > - NTSTATUS status;
> > - struct pipe_auth_data *a;
> > -- struct schannel_state *schannel_auth;
> > - struct gensec_security *gensec_security;
> > - DATA_BLOB sk = data_blob_null;
> > - bool make_dup = false;
> > -@@ -3107,12 +3106,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> > - }
> > -
> > - switch (cli->auth->auth_type) {
> > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > -- schannel_auth = talloc_get_type_abort(a->auth_ctx,
> > -- struct schannel_state);
> > -- sk = data_blob_const(schannel_auth->creds->session_key, 16);
> > -- make_dup = true;
> > -- break;
> > - case DCERPC_AUTH_TYPE_SPNEGO:
> > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > - case DCERPC_AUTH_TYPE_KRB5:
> > ---
> > -1.9.3
> > -
> > -
> > -From abebeb10c26f6fa7e61c56553ce1e52b5d45937a Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 2 Aug 2013 13:33:37 +0200
> > -Subject: [PATCH 071/249] s3:rpc_server: make use of netsec_create_state()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit a964309bf7631f4f6953e0d6556f8ed8e5300dcc)
> > ----
> > - source3/rpc_server/srv_pipe.c | 12 ++++--------
> > - 1 file changed, 4 insertions(+), 8 deletions(-)
> > -
> > -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> > -index 7daff04..9043a14 100644
> > ---- a/source3/rpc_server/srv_pipe.c
> > -+++ b/source3/rpc_server/srv_pipe.c
> > -@@ -462,8 +462,8 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
> > - */
> > -
> > - become_root();
> > -- status = schannel_get_creds_state(p, lp_ctx,
> > -- neg.oem_netbios_computer.a, &creds);
> > -+ status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
> > -+ neg.oem_netbios_computer.a, &creds);
> > - unbecome_root();
> > -
> > - talloc_unlink(p, lp_ctx);
> > -@@ -472,16 +472,12 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
> > - return False;
> > - }
> > -
> > -- schannel_auth = talloc_zero(p, struct schannel_state);
> > -+ schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
> > -+ TALLOC_FREE(creds);
> > - if (!schannel_auth) {
> > -- TALLOC_FREE(creds);
> > - return False;
> > - }
> > -
> > -- schannel_auth->state = SCHANNEL_STATE_START;
> > -- schannel_auth->initiator = false;
> > -- schannel_auth->creds = creds;
> > --
> > - /*
> > - * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
> > - * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
> > ---
> > -1.9.3
> > -
> > -
> > -From b567c4ef93de5c098d724c15b614f5f233903812 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 2 Aug 2013 13:36:30 +0200
> > -Subject: [PATCH 072/249] s3:dcerpc_helpers: remove unused DEBUG message of
> > - schannel_state->seq_num.
> > -
> > -This is a layer violation and not needed anymore as we know
> > -how the seqnum handling works now.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit a36ccdc83edb7437dd00601c459421286fd79db4)
> > ----
> > - source3/librpc/rpc/dcerpc_helpers.c | 3 ---
> > - 1 file changed, 3 deletions(-)
> > -
> > -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
> > -index 0095990..97999d7 100644
> > ---- a/source3/librpc/rpc/dcerpc_helpers.c
> > -+++ b/source3/librpc/rpc/dcerpc_helpers.c
> > -@@ -462,9 +462,6 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
> > - return NT_STATUS_INVALID_PARAMETER;
> > - }
> > -
> > -- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
> > -- (unsigned long long)sas->seq_num));
> > --
> > - switch (auth_level) {
> > - case DCERPC_AUTH_LEVEL_PRIVACY:
> > - status = netsec_outgoing_packet(sas,
> > ---
> > -1.9.3
> > -
> > -
> > -From e044773b51b76b3582669ee7e3a388d6471e2f2e Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 2 Aug 2013 10:08:54 +0200
> > -Subject: [PATCH 073/249] s4:libnet: avoid usage of dcerpc_schannel_creds()
> > -
> > -We use cli_credentials_get_netlogon_creds() which returns the same value.
> > -
> > -dcerpc_schannel_creds() is a layer violation.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit c0144273af8f0956a05d102113c40cec77069f7a)
> > ----
> > - source4/libnet/libnet_samsync.c | 7 +++----
> > - 1 file changed, 3 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/source4/libnet/libnet_samsync.c b/source4/libnet/libnet_samsync.c
> > -index 9629b9f..206d81e 100644
> > ---- a/source4/libnet/libnet_samsync.c
> > -+++ b/source4/libnet/libnet_samsync.c
> > -@@ -25,7 +25,6 @@
> > - #include "libcli/auth/libcli_auth.h"
> > - #include "../libcli/samsync/samsync.h"
> > - #include "auth/gensec/gensec.h"
> > --#include "auth/gensec/schannel.h"
> > - #include "auth/credentials/credentials.h"
> > - #include "libcli/auth/schannel.h"
> > - #include "librpc/gen_ndr/ndr_netlogon.h"
> > -@@ -183,9 +182,9 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx
> > -
> > - /* get NETLOGON credentials */
> > -
> > -- nt_status = dcerpc_schannel_creds(p->conn->security_state.generic_state, samsync_ctx, &creds);
> > -- if (!NT_STATUS_IS_OK(nt_status)) {
> > -- r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from DCERPC/GENSEC layer");
> > -+ creds = cli_credentials_get_netlogon_creds(machine_account);
> > -+ if (creds == NULL) {
> > -+ r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from credentials");
> > - talloc_free(samsync_ctx);
> > - return nt_status;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From 322dc86454fc4e60de641ef02da2c2744c347001 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 2 Aug 2013 10:08:54 +0200
> > -Subject: [PATCH 074/249] s4:torture: avoid usage of dcerpc_schannel_creds()
> > -
> > -We use cli_credentials_get_netlogon_creds() which returns the same value.
> > -
> > -dcerpc_schannel_creds() is a layer violation.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 2ea3a24dced0814100e352bbbca124011be73602)
> > ----
> > - source4/torture/rpc/samlogon.c | 5 ++---
> > - source4/torture/rpc/samr.c | 6 +++---
> > - source4/torture/rpc/samsync.c | 11 ++++-------
> > - source4/torture/rpc/schannel.c | 6 ++----
> > - 4 files changed, 11 insertions(+), 17 deletions(-)
> > -
> > -diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
> > -index 4861038..886ff39 100644
> > ---- a/source4/torture/rpc/samlogon.c
> > -+++ b/source4/torture/rpc/samlogon.c
> > -@@ -29,7 +29,6 @@
> > - #include "lib/cmdline/popt_common.h"
> > - #include "torture/rpc/torture_rpc.h"
> > - #include "auth/gensec/gensec.h"
> > --#include "auth/gensec/schannel.h"
> > - #include "libcli/auth/libcli_auth.h"
> > - #include "param/param.h"
> > -
> > -@@ -1764,8 +1763,8 @@ bool torture_rpc_samlogon(struct torture_context *torture)
> > - torture_assert_ntstatus_ok_goto(torture, status, ret, failed,
> > - talloc_asprintf(torture, "RPC pipe connect as domain member failed: %s\n", nt_errstr(status)));
> > -
> > -- status = dcerpc_schannel_creds(p->conn->security_state.generic_state, mem_ctx, &creds);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -+ creds = cli_credentials_get_netlogon_creds(machine_credentials);
> > -+ if (creds == NULL) {
> > - ret = false;
> > - goto failed;
> > - }
> > -diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
> > -index cdfa2b8..d4d64f9 100644
> > ---- a/source4/torture/rpc/samr.c
> > -+++ b/source4/torture/rpc/samr.c
> > -@@ -37,7 +37,6 @@
> > - #include "torture/rpc/torture_rpc.h"
> > - #include "param/param.h"
> > - #include "auth/gensec/gensec.h"
> > --#include "auth/gensec/schannel.h"
> > - #include "auth/gensec/gensec_proto.h"
> > - #include "../libcli/auth/schannel.h"
> > -
> > -@@ -2959,6 +2958,7 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_binding_handle *b,
> > -
> > - static bool test_SamLogon(struct torture_context *tctx,
> > - struct dcerpc_pipe *p,
> > -+ struct cli_credentials *machine_credentials,
> > - struct cli_credentials *test_credentials,
> > - NTSTATUS expected_result,
> > - bool interactive)
> > -@@ -2978,7 +2978,7 @@ static bool test_SamLogon(struct torture_context *tctx,
> > - struct netr_Authenticator a;
> > - struct dcerpc_binding_handle *b = p->binding_handle;
> > -
> > -- torture_assert_ntstatus_ok(tctx, dcerpc_schannel_creds(p->conn->security_state.generic_state, tctx, &creds), "");
> > -+ torture_assert(tctx, (creds = cli_credentials_get_netlogon_creds(machine_credentials)), "");
> > -
> > - if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
> > - flags |= CLI_CRED_LANMAN_AUTH;
> > -@@ -3105,7 +3105,7 @@ static bool test_SamLogon_with_creds(struct torture_context *tctx,
> > - torture_comment(tctx, "Testing samlogon (%s) as %s password: %s\n",
> > - interactive ? "interactive" : "network", acct_name, password);
> > -
> > -- if (!test_SamLogon(tctx, p, test_credentials,
> > -+ if (!test_SamLogon(tctx, p, machine_creds, test_credentials,
> > - expected_samlogon_result, interactive)) {
> > - torture_warning(tctx, "new password did not work\n");
> > - ret = false;
> > -diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
> > -index 81027d0..15cab73 100644
> > ---- a/source4/torture/rpc/samsync.c
> > -+++ b/source4/torture/rpc/samsync.c
> > -@@ -27,7 +27,6 @@
> > - #include "system/time.h"
> > - #include "torture/rpc/torture_rpc.h"
> > - #include "auth/gensec/gensec.h"
> > --#include "auth/gensec/schannel.h"
> > - #include "libcli/auth/libcli_auth.h"
> > - #include "libcli/samsync/samsync.h"
> > - #include "libcli/security/security.h"
> > -@@ -1720,9 +1719,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
> > - }
> > - samsync_state->b = samsync_state->p->binding_handle;
> > -
> > -- status = dcerpc_schannel_creds(samsync_state->p->conn->security_state.generic_state,
> > -- samsync_state, &samsync_state->creds);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -+ samsync_state->creds = cli_credentials_get_netlogon_creds(credentials);
> > -+ if (samsync_state->creds == NULL) {
> > - ret = false;
> > - }
> > -
> > -@@ -1758,9 +1756,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
> > - goto failed;
> > - }
> > -
> > -- status = dcerpc_schannel_creds(samsync_state->p_netlogon_wksta->conn->security_state.generic_state,
> > -- samsync_state, &samsync_state->creds_netlogon_wksta);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -+ samsync_state->creds_netlogon_wksta = cli_credentials_get_netlogon_creds(credentials_wksta);
> > -+ if (samsync_state->creds_netlogon_wksta == NULL) {
> > - torture_comment(torture, "Failed to obtail schanel creds!\n");
> > - ret = false;
> > - }
> > -diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
> > -index 8203749..0098dcf 100644
> > ---- a/source4/torture/rpc/schannel.c
> > -+++ b/source4/torture/rpc/schannel.c
> > -@@ -26,14 +26,12 @@
> > - #include "auth/credentials/credentials.h"
> > - #include "torture/rpc/torture_rpc.h"
> > - #include "lib/cmdline/popt_common.h"
> > --#include "auth/gensec/schannel.h"
> > - #include "../libcli/auth/schannel.h"
> > - #include "libcli/auth/libcli_auth.h"
> > - #include "libcli/security/security.h"
> > - #include "system/filesys.h"
> > - #include "param/param.h"
> > - #include "librpc/rpc/dcerpc_proto.h"
> > --#include "auth/gensec/gensec.h"
> > - #include "libcli/composite/composite.h"
> > - #include "lib/events/events.h"
> > -
> > -@@ -413,8 +411,8 @@ static bool test_schannel(struct torture_context *tctx,
> > -
> > - torture_assert_ntstatus_ok(tctx, status, "bind auth");
> > -
> > -- status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
> > -- torture_assert_ntstatus_ok(tctx, status, "schannel creds");
> > -+ creds = cli_credentials_get_netlogon_creds(credentials);
> > -+ torture_assert(tctx, (creds != NULL), "schannel creds");
> > -
> > - /* checks the capabilities */
> > - torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
> > ---
> > -1.9.3
> > -
> > -
> > -From fa1c5bc2cdff9decd361c919567c502ef0c09385 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 2 Aug 2013 12:31:41 +0200
> > -Subject: [PATCH 075/249] s4:gensec/schannel: remove unused
> > - dcerpc_schannel_creds()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 4cad5dcb6d5e49cc9bb1aa4ca454f369e00e8c6f)
> > ----
> > - source4/auth/gensec/schannel.c | 23 -----------------------
> > - source4/auth/gensec/schannel.h | 26 --------------------------
> > - 2 files changed, 49 deletions(-)
> > - delete mode 100644 source4/auth/gensec/schannel.h
> > -
> > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > -index e7c545f..10d2565 100644
> > ---- a/source4/auth/gensec/schannel.c
> > -+++ b/source4/auth/gensec/schannel.c
> > -@@ -29,7 +29,6 @@
> > - #include "../libcli/auth/schannel.h"
> > - #include "librpc/rpc/dcerpc.h"
> > - #include "param/param.h"
> > --#include "auth/gensec/schannel.h"
> > - #include "auth/gensec/gensec_toplevel_proto.h"
> > -
> > - _PUBLIC_ NTSTATUS gensec_schannel_init(void);
> > -@@ -204,28 +203,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > - }
> > -
> > - /**
> > -- * Return the struct netlogon_creds_CredentialState.
> > -- *
> > -- * Make sure not to call this unless gensec is using schannel...
> > -- */
> > --
> > --/* TODO: make this non-public */
> > --
> > --_PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
> > -- TALLOC_CTX *mem_ctx,
> > -- struct netlogon_creds_CredentialState **creds)
> > --{
> > -- struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
> > --
> > -- *creds = talloc_reference(mem_ctx, state->creds);
> > -- if (!*creds) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > -- return NT_STATUS_OK;
> > --}
> > --
> > --
> > --/**
> > - * Returns anonymous credentials for schannel, matching Win2k3.
> > - *
> > - */
> > -diff --git a/source4/auth/gensec/schannel.h b/source4/auth/gensec/schannel.h
> > -deleted file mode 100644
> > -index 88a32a7..0000000
> > ---- a/source4/auth/gensec/schannel.h
> > -+++ /dev/null
> > -@@ -1,26 +0,0 @@
> > --/*
> > -- Unix SMB/CIFS implementation.
> > --
> > -- dcerpc schannel operations
> > --
> > -- Copyright (C) Andrew Tridgell 2004
> > -- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
> > --
> > -- This program is free software; you can redistribute it and/or modify
> > -- it under the terms of the GNU General Public License as published by
> > -- the Free Software Foundation; either version 3 of the License, or
> > -- (at your option) any later version.
> > --
> > -- This program is distributed in the hope that it will be useful,
> > -- but WITHOUT ANY WARRANTY; without even the implied warranty of
> > -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > -- GNU General Public License for more details.
> > --
> > -- You should have received a copy of the GNU General Public License
> > -- along with this program. If not, see <http://www.gnu.org/licenses/>.
> > --*/
> > --
> > --struct netlogon_creds_CredentialState;
> > --NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
> > -- TALLOC_CTX *mem_ctx,
> > -- struct netlogon_creds_CredentialState **creds);
> > ---
> > -1.9.3
> > -
> > -
> > -From eeb52af669e963ac856fc77be6a47f7ed33d8580 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 2 Aug 2013 13:04:07 +0200
> > -Subject: [PATCH 076/249] s4:gensec/schannel: simplify the code by using
> > - netsec_create_state()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 49f347eb11bd12a3f25b0fcb8ba36d4a36594868)
> > ----
> > - source4/auth/gensec/schannel.c | 98 +++++++++++++-----------------------------
> > - 1 file changed, 30 insertions(+), 68 deletions(-)
> > -
> > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > -index 10d2565..3896a41 100644
> > ---- a/source4/auth/gensec/schannel.c
> > -+++ b/source4/auth/gensec/schannel.c
> > -@@ -35,12 +35,11 @@ _PUBLIC_ NTSTATUS gensec_schannel_init(void);
> > -
> > - static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
> > - {
> > -- struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
> > -- uint32_t sig_size;
> > --
> > -- sig_size = netsec_outgoing_sig_size(state);
> > -+ struct schannel_state *state =
> > -+ talloc_get_type_abort(gensec_security->private_data,
> > -+ struct schannel_state);
> > -
> > -- return sig_size;
> > -+ return netsec_outgoing_sig_size(state);
> > - }
> > -
> > - static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
> > -@@ -54,7 +53,9 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > - struct tevent_context *ev,
> > - const DATA_BLOB in, DATA_BLOB *out)
> > - {
> > -- struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
> > -+ struct schannel_state *state =
> > -+ talloc_get_type(gensec_security->private_data,
> > -+ struct schannel_state);
> > - NTSTATUS status;
> > - enum ndr_err_code ndr_err;
> > - struct NL_AUTH_MESSAGE bind_schannel;
> > -@@ -67,24 +68,22 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > -
> > - switch (gensec_security->gensec_role) {
> > - case GENSEC_CLIENT:
> > -- if (state->state != SCHANNEL_STATE_START) {
> > -+ if (state != NULL) {
> > - /* we could parse the bind ack, but we don't know what it is yet */
> > - return NT_STATUS_OK;
> > - }
> > -
> > -- state->creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
> > -- if (state->creds == NULL) {
> > -+ creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
> > -+ if (creds == NULL) {
> > - return NT_STATUS_INVALID_PARAMETER_MIX;
> > - }
> > -- /*
> > -- * We need to create a reference here or we don't get
> > -- * updates performed on the credentials if we create a
> > -- * copy.
> > -- */
> > -- state->creds = talloc_reference(state, state->creds);
> > -- if (state->creds == NULL) {
> > -+
> > -+ state = netsec_create_state(gensec_security,
> > -+ creds, true /* initiator */);
> > -+ if (state == NULL) {
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -+ gensec_security->private_data = state;
> > -
> > - bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
> > - #if 0
> > -@@ -117,12 +116,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > - return status;
> > - }
> > -
> > -- state->state = SCHANNEL_STATE_UPDATE_1;
> > --
> > - return NT_STATUS_MORE_PROCESSING_REQUIRED;
> > - case GENSEC_SERVER:
> > -
> > -- if (state->state != SCHANNEL_STATE_START) {
> > -+ if (state != NULL) {
> > - /* no third leg on this protocol */
> > - return NT_STATUS_INVALID_PARAMETER;
> > - }
> > -@@ -177,7 +174,12 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > - return status;
> > - }
> > -
> > -- state->creds = talloc_steal(state, creds);
> > -+ state = netsec_create_state(gensec_security,
> > -+ creds, false /* not initiator */);
> > -+ if (state == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ gensec_security->private_data = state;
> > -
> > - bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
> > - bind_schannel_ack.Flags = 0;
> > -@@ -195,8 +197,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > - return status;
> > - }
> > -
> > -- state->state = SCHANNEL_STATE_UPDATE_1;
> > --
> > - return NT_STATUS_OK;
> > - }
> > - return NT_STATUS_INVALID_PARAMETER;
> > -@@ -214,54 +214,16 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
> > - return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
> > - }
> > -
> > --static NTSTATUS schannel_start(struct gensec_security *gensec_security)
> > --{
> > -- struct schannel_state *state;
> > --
> > -- state = talloc_zero(gensec_security, struct schannel_state);
> > -- if (!state) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- state->state = SCHANNEL_STATE_START;
> > -- gensec_security->private_data = state;
> > --
> > -- return NT_STATUS_OK;
> > --}
> > --
> > - static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
> > - {
> > -- NTSTATUS status;
> > -- struct schannel_state *state;
> > --
> > -- status = schannel_start(gensec_security);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > --
> > -- state = (struct schannel_state *)gensec_security->private_data;
> > -- state->initiator = false;
> > --
> > - return NT_STATUS_OK;
> > - }
> > -
> > - static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
> > - {
> > -- NTSTATUS status;
> > -- struct schannel_state *state;
> > --
> > -- status = schannel_start(gensec_security);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > --
> > -- state = (struct schannel_state *)gensec_security->private_data;
> > -- state->initiator = true;
> > --
> > - return NT_STATUS_OK;
> > - }
> > -
> > --
> > - static bool schannel_have_feature(struct gensec_security *gensec_security,
> > - uint32_t feature)
> > - {
> > -@@ -287,8 +249,8 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
> > - const DATA_BLOB *sig)
> > - {
> > - struct schannel_state *state =
> > -- talloc_get_type(gensec_security->private_data,
> > -- struct schannel_state);
> > -+ talloc_get_type_abort(gensec_security->private_data,
> > -+ struct schannel_state);
> > -
> > - return netsec_incoming_packet(state, true,
> > - discard_const_p(uint8_t, data),
> > -@@ -304,8 +266,8 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
> > - const DATA_BLOB *sig)
> > - {
> > - struct schannel_state *state =
> > -- talloc_get_type(gensec_security->private_data,
> > -- struct schannel_state);
> > -+ talloc_get_type_abort(gensec_security->private_data,
> > -+ struct schannel_state);
> > -
> > - return netsec_incoming_packet(state, false,
> > - discard_const_p(uint8_t, data),
> > -@@ -321,8 +283,8 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
> > - DATA_BLOB *sig)
> > - {
> > - struct schannel_state *state =
> > -- talloc_get_type(gensec_security->private_data,
> > -- struct schannel_state);
> > -+ talloc_get_type_abort(gensec_security->private_data,
> > -+ struct schannel_state);
> > -
> > - return netsec_outgoing_packet(state, mem_ctx, true,
> > - data, length, sig);
> > -@@ -338,8 +300,8 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
> > - DATA_BLOB *sig)
> > - {
> > - struct schannel_state *state =
> > -- talloc_get_type(gensec_security->private_data,
> > -- struct schannel_state);
> > -+ talloc_get_type_abort(gensec_security->private_data,
> > -+ struct schannel_state);
> > -
> > - return netsec_outgoing_packet(state, mem_ctx, false,
> > - discard_const_p(uint8_t, data),
> > ---
> > -1.9.3
> > -
> > -
> > -From 685f00cfd7be11f4c62441e17d6416b9a668bb47 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 2 Aug 2013 13:25:20 +0200
> > -Subject: [PATCH 077/249] s4:gensec/schannel: use the correct computer_name
> > - from netlogon_creds_CredentialState
> > -
> > -We need to use the same computer_name we used in the netr_Authenticate3
> > -request.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit b5104768225ae0308aa3f22f8d9bca389ef3cb3a)
> > ----
> > - source4/auth/gensec/schannel.c | 6 +++---
> > - 1 file changed, 3 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > -index 3896a41..91f166b 100644
> > ---- a/source4/auth/gensec/schannel.c
> > -+++ b/source4/auth/gensec/schannel.c
> > -@@ -94,17 +94,17 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > - NL_FLAG_UTF8_DNS_DOMAIN_NAME |
> > - NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
> > - bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> > -- bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
> > -+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
> > - bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
> > - /* w2k3 refuses us if we use the full DNS workstation?
> > - why? perhaps because we don't fill in the dNSHostName
> > - attribute in the machine account? */
> > -- bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
> > -+ bind_schannel.utf8_netbios_computer = creds->computer_name;
> > - #else
> > - bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > - NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> > - bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> > -- bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
> > -+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
> > - #endif
> > -
> > - ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
> > ---
> > -1.9.3
> > -
> > -
> > -From bd54e89fc5eb4d6afed3ef770dabf14a6ac6b060 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 3 Aug 2013 11:21:32 +0200
> > -Subject: [PATCH 078/249] s4:gensec/schannel: GENSEC_FEATURE_ASYNC_REPLIES is
> > - not supported
> > -
> > -There's a sequence number attached to the connection,
> > -which needs to be incremented with each message...
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit a07049a839729e29ca888bae353cd37fd6238486)
> > ----
> > - source4/auth/gensec/schannel.c | 3 ---
> > - 1 file changed, 3 deletions(-)
> > -
> > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > -index 91f166b..7fc0c7c 100644
> > ---- a/source4/auth/gensec/schannel.c
> > -+++ b/source4/auth/gensec/schannel.c
> > -@@ -234,9 +234,6 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
> > - if (feature & GENSEC_FEATURE_DCE_STYLE) {
> > - return true;
> > - }
> > -- if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
> > -- return true;
> > -- }
> > - return false;
> > - }
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From afcf626800e8aaf94878d62d1fd7318b2ffe21c1 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 3 Aug 2013 11:27:55 +0200
> > -Subject: [PATCH 079/249] s4:gensec/schannel: there's no point in having
> > - schannel_session_key()
> > -
> > -gensec_session_key() will return NT_STATUS_NO_USER_SESSION_KEY
> > -before calling schannel_session_key(), as we don't provide
> > -GENSEC_FEATURE_SESSION_KEY.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 9b9ab1ae6963b3819dc2b095cbe9e1432f3459b7)
> > ----
> > - source4/auth/gensec/schannel.c | 8 --------
> > - 1 file changed, 8 deletions(-)
> > -
> > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > -index 7fc0c7c..ebf6469 100644
> > ---- a/source4/auth/gensec/schannel.c
> > -+++ b/source4/auth/gensec/schannel.c
> > -@@ -42,13 +42,6 @@ static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t
> > - return netsec_outgoing_sig_size(state);
> > - }
> > -
> > --static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
> > -- TALLOC_CTX *mem_ctx,
> > -- DATA_BLOB *session_key)
> > --{
> > -- return NT_STATUS_NOT_IMPLEMENTED;
> > --}
> > --
> > - static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> > - struct tevent_context *ev,
> > - const DATA_BLOB in, DATA_BLOB *out)
> > -@@ -315,7 +308,6 @@ static const struct gensec_security_ops gensec_schannel_security_ops = {
> > - .sign_packet = schannel_sign_packet,
> > - .check_packet = schannel_check_packet,
> > - .unseal_packet = schannel_unseal_packet,
> > -- .session_key = schannel_session_key,
> > - .session_info = schannel_session_info,
> > - .sig_size = schannel_sig_size,
> > - .have_feature = schannel_have_feature,
> > ---
> > -1.9.3
> > -
> > -
> > -From 56599b7019eabe3656bdba676214c74191ad068f Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 3 Aug 2013 11:32:31 +0200
> > -Subject: [PATCH 080/249] s4:gensec/schannel: only require
> > - librpc/gen_ndr/dcerpc.h
> > -
> > -We just need DCERPC_AUTH_TYPE_SCHANNEL
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit e90e1b5c76db4cf589adf8856eb32e5f0d955734)
> > ----
> > - source4/auth/gensec/schannel.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > -index ebf6469..e67432c 100644
> > ---- a/source4/auth/gensec/schannel.c
> > -+++ b/source4/auth/gensec/schannel.c
> > -@@ -27,7 +27,7 @@
> > - #include "auth/gensec/gensec.h"
> > - #include "auth/gensec/gensec_proto.h"
> > - #include "../libcli/auth/schannel.h"
> > --#include "librpc/rpc/dcerpc.h"
> > -+#include "librpc/gen_ndr/dcerpc.h"
> > - #include "param/param.h"
> > - #include "auth/gensec/gensec_toplevel_proto.h"
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From baa82a6ef22c1761c7206323e90781d008a7888b Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 2 Aug 2013 13:37:54 +0200
> > -Subject: [PATCH 081/249] libcli/auth/schannel: make struct schannel_state
> > - private
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 4c978b68d9a87001f625c10421e7d4cc140b4554)
> > ----
> > - libcli/auth/schannel.h | 13 -------------
> > - libcli/auth/schannel_sign.c | 12 ++++++++++++
> > - 2 files changed, 12 insertions(+), 13 deletions(-)
> > -
> > -diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
> > -index 271b5bb..c53d68e 100644
> > ---- a/libcli/auth/schannel.h
> > -+++ b/libcli/auth/schannel.h
> > -@@ -22,17 +22,4 @@
> > -
> > - #include "libcli/auth/libcli_auth.h"
> > - #include "libcli/auth/schannel_state.h"
> > --
> > --enum schannel_position {
> > -- SCHANNEL_STATE_START = 0,
> > -- SCHANNEL_STATE_UPDATE_1
> > --};
> > --
> > --struct schannel_state {
> > -- enum schannel_position state;
> > -- uint64_t seq_num;
> > -- bool initiator;
> > -- struct netlogon_creds_CredentialState *creds;
> > --};
> > --
> > - #include "libcli/auth/schannel_proto.h"
> > -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> > -index 518a6a9..88a6e1e 100644
> > ---- a/libcli/auth/schannel_sign.c
> > -+++ b/libcli/auth/schannel_sign.c
> > -@@ -24,6 +24,18 @@
> > - #include "../libcli/auth/schannel.h"
> > - #include "../lib/crypto/crypto.h"
> > -
> > -+enum schannel_position {
> > -+ SCHANNEL_STATE_START = 0,
> > -+ SCHANNEL_STATE_UPDATE_1
> > -+};
> > -+
> > -+struct schannel_state {
> > -+ enum schannel_position state;
> > -+ uint64_t seq_num;
> > -+ bool initiator;
> > -+ struct netlogon_creds_CredentialState *creds;
> > -+};
> > -+
> > - #define SETUP_SEQNUM(state, buf, initiator) do { \
> > - uint8_t *_buf = buf; \
> > - uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
> > ---
> > -1.9.3
> > -
> > -
> > -From 29806ef23a9826688ace1dc52cd7af554cf83294 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 2 Aug 2013 15:42:21 +0200
> > -Subject: [PATCH 082/249] libcli/auth/schannel: remove unused schannel_position
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 57bcbb9c50f0a0252110a1e04a2883b511cd9165)
> > ----
> > - libcli/auth/schannel_sign.c | 7 -------
> > - 1 file changed, 7 deletions(-)
> > -
> > -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> > -index 88a6e1e..9502cba 100644
> > ---- a/libcli/auth/schannel_sign.c
> > -+++ b/libcli/auth/schannel_sign.c
> > -@@ -24,13 +24,7 @@
> > - #include "../libcli/auth/schannel.h"
> > - #include "../lib/crypto/crypto.h"
> > -
> > --enum schannel_position {
> > -- SCHANNEL_STATE_START = 0,
> > -- SCHANNEL_STATE_UPDATE_1
> > --};
> > --
> > - struct schannel_state {
> > -- enum schannel_position state;
> > - uint64_t seq_num;
> > - bool initiator;
> > - struct netlogon_creds_CredentialState *creds;
> > -@@ -58,7 +52,6 @@ struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > - return NULL;
> > - }
> > -
> > -- state->state = SCHANNEL_STATE_UPDATE_1;
> > - state->initiator = initiator;
> > - state->seq_num = 0;
> > - state->creds = netlogon_creds_copy(state, creds);
> > ---
> > -1.9.3
> > -
> > -
> > -From a6ad9118c250446ea9571f5ce9895b11ab8537ed Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 5 Aug 2013 07:12:01 +0200
> > -Subject: [PATCH 083/249] auth/gensec: introduce gensec_internal.h
> > -
> > -We should treat most gensec related structures private.
> > -
> > -It's a long way, but this is a start.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 71c63e85e7a09acb57f6b75284358f2b3b29eeed)
> > ----
> > - auth/gensec/gensec.c | 1 +
> > - auth/gensec/gensec.h | 100 ++-------------------------
> > - auth/gensec/gensec_internal.h | 127 +++++++++++++++++++++++++++++++++++
> > - auth/gensec/gensec_start.c | 1 +
> > - auth/gensec/gensec_util.c | 1 +
> > - auth/gensec/spnego.c | 1 +
> > - auth/ntlmssp/gensec_ntlmssp.c | 1 +
> > - auth/ntlmssp/gensec_ntlmssp_server.c | 1 +
> > - auth/ntlmssp/ntlmssp.c | 1 +
> > - auth/ntlmssp/ntlmssp_client.c | 1 +
> > - auth/ntlmssp/ntlmssp_server.c | 1 +
> > - source3/libads/authdata.c | 1 +
> > - source3/librpc/crypto/gse.c | 1 +
> > - source3/libsmb/ntlmssp_wrap.c | 1 +
> > - source3/utils/ntlm_auth.c | 1 +
> > - source4/auth/gensec/cyrus_sasl.c | 1 +
> > - source4/auth/gensec/gensec_gssapi.c | 1 +
> > - source4/auth/gensec/gensec_krb5.c | 1 +
> > - source4/auth/gensec/pygensec.c | 1 +
> > - source4/auth/gensec/schannel.c | 1 +
> > - source4/ldap_server/ldap_backend.c | 1 +
> > - source4/libcli/ldap/ldap_bind.c | 1 +
> > - source4/torture/auth/ntlmssp.c | 1 +
> > - source4/utils/ntlm_auth.c | 1 +
> > - 24 files changed, 153 insertions(+), 96 deletions(-)
> > - create mode 100644 auth/gensec/gensec_internal.h
> > -
> > -diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
> > -index 9a8f0ef..d364a34 100644
> > ---- a/auth/gensec/gensec.c
> > -+++ b/auth/gensec/gensec.c
> > -@@ -26,6 +26,7 @@
> > - #include "lib/tsocket/tsocket.h"
> > - #include "lib/util/tevent_ntstatus.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "librpc/rpc/dcerpc.h"
> > -
> > - /*
> > -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> > -index c080861..5d39d81 100644
> > ---- a/auth/gensec/gensec.h
> > -+++ b/auth/gensec/gensec.h
> > -@@ -76,6 +76,7 @@ struct gensec_settings;
> > - struct tevent_context;
> > - struct tevent_req;
> > - struct smb_krb5_context;
> > -+struct tsocket_address;
> > -
> > - struct gensec_settings {
> > - struct loadparm_context *lp_ctx;
> > -@@ -93,106 +94,13 @@ struct gensec_settings {
> > - const char *server_netbios_name;
> > - };
> > -
> > --struct gensec_security_ops {
> > -- const char *name;
> > -- const char *sasl_name;
> > -- uint8_t auth_type; /* 0 if not offered on DCE-RPC */
> > -- const char **oid; /* NULL if not offered by SPNEGO */
> > -- NTSTATUS (*client_start)(struct gensec_security *gensec_security);
> > -- NTSTATUS (*server_start)(struct gensec_security *gensec_security);
> > -- /**
> > -- Determine if a packet has the right 'magic' for this mechanism
> > -- */
> > -- NTSTATUS (*magic)(struct gensec_security *gensec_security,
> > -- const DATA_BLOB *first_packet);
> > -- NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> > -- struct tevent_context *ev,
> > -- const DATA_BLOB in, DATA_BLOB *out);
> > -- NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> > -- uint8_t *data, size_t length,
> > -- const uint8_t *whole_pdu, size_t pdu_length,
> > -- DATA_BLOB *sig);
> > -- NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> > -- const uint8_t *data, size_t length,
> > -- const uint8_t *whole_pdu, size_t pdu_length,
> > -- DATA_BLOB *sig);
> > -- size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
> > -- size_t (*max_input_size)(struct gensec_security *gensec_security);
> > -- size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
> > -- NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
> > -- const uint8_t *data, size_t length,
> > -- const uint8_t *whole_pdu, size_t pdu_length,
> > -- const DATA_BLOB *sig);
> > -- NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
> > -- uint8_t *data, size_t length,
> > -- const uint8_t *whole_pdu, size_t pdu_length,
> > -- const DATA_BLOB *sig);
> > -- NTSTATUS (*wrap)(struct gensec_security *gensec_security,
> > -- TALLOC_CTX *mem_ctx,
> > -- const DATA_BLOB *in,
> > -- DATA_BLOB *out);
> > -- NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
> > -- TALLOC_CTX *mem_ctx,
> > -- const DATA_BLOB *in,
> > -- DATA_BLOB *out);
> > -- NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
> > -- TALLOC_CTX *mem_ctx,
> > -- const DATA_BLOB *in,
> > -- DATA_BLOB *out,
> > -- size_t *len_processed);
> > -- NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
> > -- TALLOC_CTX *mem_ctx,
> > -- const DATA_BLOB *in,
> > -- DATA_BLOB *out,
> > -- size_t *len_processed);
> > -- NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
> > -- DATA_BLOB blob, size_t *size);
> > -- NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
> > -- DATA_BLOB *session_key);
> > -- NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
> > -- struct auth_session_info **session_info);
> > -- void (*want_feature)(struct gensec_security *gensec_security,
> > -- uint32_t feature);
> > -- bool (*have_feature)(struct gensec_security *gensec_security,
> > -- uint32_t feature);
> > -- NTTIME (*expire_time)(struct gensec_security *gensec_security);
> > -- bool enabled;
> > -- bool kerberos;
> > -- enum gensec_priority priority;
> > --};
> > --
> > --struct gensec_security_ops_wrapper {
> > -- const struct gensec_security_ops *op;
> > -- const char *oid;
> > --};
> > -+struct gensec_security_ops;
> > -+struct gensec_security_ops_wrapper;
> > -
> > - #define GENSEC_INTERFACE_VERSION 0
> > -
> > --struct gensec_security {
> > -- const struct gensec_security_ops *ops;
> > -- void *private_data;
> > -- struct cli_credentials *credentials;
> > -- struct gensec_target target;
> > -- enum gensec_role gensec_role;
> > -- bool subcontext;
> > -- uint32_t want_features;
> > -- uint32_t max_update_size;
> > -- uint8_t dcerpc_auth_level;
> > -- struct tsocket_address *local_addr, *remote_addr;
> > -- struct gensec_settings *settings;
> > --
> > -- /* When we are a server, this may be filled in to provide an
> > -- * NTLM authentication backend, and user lookup (such as if no
> > -- * PAC is found) */
> > -- struct auth4_context *auth_context;
> > --};
> > --
> > - /* this structure is used by backends to determine the size of some critical types */
> > --struct gensec_critical_sizes {
> > -- int interface_version;
> > -- int sizeof_gensec_security_ops;
> > -- int sizeof_gensec_security;
> > --};
> > -+struct gensec_critical_sizes;
> > - const struct gensec_critical_sizes *gensec_interface_version(void);
> > -
> > - /* Socket wrapper */
> > -diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
> > -new file mode 100644
> > -index 0000000..41b6f0d
> > ---- /dev/null
> > -+++ b/auth/gensec/gensec_internal.h
> > -@@ -0,0 +1,127 @@
> > -+/*
> > -+ Unix SMB/CIFS implementation.
> > -+
> > -+ Generic Authentication Interface
> > -+
> > -+ Copyright (C) Andrew Tridgell 2003
> > -+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
> > -+
> > -+ This program is free software; you can redistribute it and/or modify
> > -+ it under the terms of the GNU General Public License as published by
> > -+ the Free Software Foundation; either version 3 of the License, or
> > -+ (at your option) any later version.
> > -+
> > -+ This program is distributed in the hope that it will be useful,
> > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > -+ GNU General Public License for more details.
> > -+
> > -+ You should have received a copy of the GNU General Public License
> > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > -+*/
> > -+
> > -+#ifndef __GENSEC_INTERNAL_H__
> > -+#define __GENSEC_INTERNAL_H__
> > -+
> > -+struct gensec_security;
> > -+
> > -+struct gensec_security_ops {
> > -+ const char *name;
> > -+ const char *sasl_name;
> > -+ uint8_t auth_type; /* 0 if not offered on DCE-RPC */
> > -+ const char **oid; /* NULL if not offered by SPNEGO */
> > -+ NTSTATUS (*client_start)(struct gensec_security *gensec_security);
> > -+ NTSTATUS (*server_start)(struct gensec_security *gensec_security);
> > -+ /**
> > -+ Determine if a packet has the right 'magic' for this mechanism
> > -+ */
> > -+ NTSTATUS (*magic)(struct gensec_security *gensec_security,
> > -+ const DATA_BLOB *first_packet);
> > -+ NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ const DATA_BLOB in, DATA_BLOB *out);
> > -+ NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> > -+ uint8_t *data, size_t length,
> > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > -+ DATA_BLOB *sig);
> > -+ NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> > -+ const uint8_t *data, size_t length,
> > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > -+ DATA_BLOB *sig);
> > -+ size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
> > -+ size_t (*max_input_size)(struct gensec_security *gensec_security);
> > -+ size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
> > -+ NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
> > -+ const uint8_t *data, size_t length,
> > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > -+ const DATA_BLOB *sig);
> > -+ NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
> > -+ uint8_t *data, size_t length,
> > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > -+ const DATA_BLOB *sig);
> > -+ NTSTATUS (*wrap)(struct gensec_security *gensec_security,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ const DATA_BLOB *in,
> > -+ DATA_BLOB *out);
> > -+ NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ const DATA_BLOB *in,
> > -+ DATA_BLOB *out);
> > -+ NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ const DATA_BLOB *in,
> > -+ DATA_BLOB *out,
> > -+ size_t *len_processed);
> > -+ NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ const DATA_BLOB *in,
> > -+ DATA_BLOB *out,
> > -+ size_t *len_processed);
> > -+ NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
> > -+ DATA_BLOB blob, size_t *size);
> > -+ NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
> > -+ DATA_BLOB *session_key);
> > -+ NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
> > -+ struct auth_session_info **session_info);
> > -+ void (*want_feature)(struct gensec_security *gensec_security,
> > -+ uint32_t feature);
> > -+ bool (*have_feature)(struct gensec_security *gensec_security,
> > -+ uint32_t feature);
> > -+ NTTIME (*expire_time)(struct gensec_security *gensec_security);
> > -+ bool enabled;
> > -+ bool kerberos;
> > -+ enum gensec_priority priority;
> > -+};
> > -+
> > -+struct gensec_security_ops_wrapper {
> > -+ const struct gensec_security_ops *op;
> > -+ const char *oid;
> > -+};
> > -+
> > -+struct gensec_security {
> > -+ const struct gensec_security_ops *ops;
> > -+ void *private_data;
> > -+ struct cli_credentials *credentials;
> > -+ struct gensec_target target;
> > -+ enum gensec_role gensec_role;
> > -+ bool subcontext;
> > -+ uint32_t want_features;
> > -+ uint32_t max_update_size;
> > -+ uint8_t dcerpc_auth_level;
> > -+ struct tsocket_address *local_addr, *remote_addr;
> > -+ struct gensec_settings *settings;
> > -+
> > -+ /* When we are a server, this may be filled in to provide an
> > -+ * NTLM authentication backend, and user lookup (such as if no
> > -+ * PAC is found) */
> > -+ struct auth4_context *auth_context;
> > -+};
> > -+
> > -+/* this structure is used by backends to determine the size of some critical types */
> > -+struct gensec_critical_sizes {
> > -+ int interface_version;
> > -+ int sizeof_gensec_security_ops;
> > -+ int sizeof_gensec_security;
> > -+};
> > -+
> > -+#endif /* __GENSEC_H__ */
> > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > -index c2cfa1c..34029f5 100644
> > ---- a/auth/gensec/gensec_start.c
> > -+++ b/auth/gensec/gensec_start.c
> > -@@ -27,6 +27,7 @@
> > - #include "librpc/rpc/dcerpc.h"
> > - #include "auth/credentials/credentials.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "lib/param/param.h"
> > - #include "lib/util/tsort.h"
> > - #include "lib/util/samba_modules.h"
> > -diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
> > -index 64952b1..568128a 100644
> > ---- a/auth/gensec/gensec_util.c
> > -+++ b/auth/gensec/gensec_util.c
> > -@@ -22,6 +22,7 @@
> > -
> > - #include "includes.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "auth/common_auth.h"
> > - #include "../lib/util/asn1.h"
> > -
> > -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
> > -index da1fc0e..38a45f8 100644
> > ---- a/auth/gensec/spnego.c
> > -+++ b/auth/gensec/spnego.c
> > -@@ -27,6 +27,7 @@
> > - #include "librpc/gen_ndr/ndr_dcerpc.h"
> > - #include "auth/credentials/credentials.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "param/param.h"
> > - #include "lib/util/asn1.h"
> > -
> > -diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
> > -index 9e1d8a8..654c0e3 100644
> > ---- a/auth/ntlmssp/gensec_ntlmssp.c
> > -+++ b/auth/ntlmssp/gensec_ntlmssp.c
> > -@@ -22,6 +22,7 @@
> > - #include "includes.h"
> > - #include "auth/ntlmssp/ntlmssp.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "auth/ntlmssp/ntlmssp_private.h"
> > -
> > - NTSTATUS gensec_ntlmssp_magic(struct gensec_security *gensec_security,
> > -diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
> > -index f4dfab3..69c56fb 100644
> > ---- a/auth/ntlmssp/gensec_ntlmssp_server.c
> > -+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
> > -@@ -31,6 +31,7 @@
> > - #include "../libcli/auth/libcli_auth.h"
> > - #include "../lib/crypto/crypto.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "auth/common_auth.h"
> > - #include "param/param.h"
> > -
> > -diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
> > -index 1a2d662..916b376 100644
> > ---- a/auth/ntlmssp/ntlmssp.c
> > -+++ b/auth/ntlmssp/ntlmssp.c
> > -@@ -29,6 +29,7 @@ struct auth_session_info;
> > - #include "../libcli/auth/libcli_auth.h"
> > - #include "librpc/gen_ndr/ndr_dcerpc.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > -
> > - /**
> > - * Callbacks for NTLMSSP - for both client and server operating modes
> > -diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
> > -index fc66a8d..f99257d 100644
> > ---- a/auth/ntlmssp/ntlmssp_client.c
> > -+++ b/auth/ntlmssp/ntlmssp_client.c
> > -@@ -29,6 +29,7 @@ struct auth_session_info;
> > - #include "../libcli/auth/libcli_auth.h"
> > - #include "auth/credentials/credentials.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "param/param.h"
> > - #include "auth/ntlmssp/ntlmssp_private.h"
> > - #include "../librpc/gen_ndr/ndr_ntlmssp.h"
> > -diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
> > -index 57179e1..2f3f0bb 100644
> > ---- a/auth/ntlmssp/ntlmssp_server.c
> > -+++ b/auth/ntlmssp/ntlmssp_server.c
> > -@@ -28,6 +28,7 @@
> > - #include "../libcli/auth/libcli_auth.h"
> > - #include "../lib/crypto/crypto.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "auth/common_auth.h"
> > -
> > - /**
> > -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> > -index 2c667a6..582917d 100644
> > ---- a/source3/libads/authdata.c
> > -+++ b/source3/libads/authdata.c
> > -@@ -30,6 +30,7 @@
> > - #include "lib/param/param.h"
> > - #include "librpc/crypto/gse.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> > - #include "../libcli/auth/spnego.h"
> > -
> > - #ifdef HAVE_KRB5
> > -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
> > -index 11a5457..8db3cdd 100644
> > ---- a/source3/librpc/crypto/gse.c
> > -+++ b/source3/librpc/crypto/gse.c
> > -@@ -26,6 +26,7 @@
> > - #include "libads/kerberos_proto.h"
> > - #include "auth/common_auth.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "auth/credentials/credentials.h"
> > - #include "../librpc/gen_ndr/dcerpc.h"
> > -
> > -diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c
> > -index 9ce4b12..46f68ae 100644
> > ---- a/source3/libsmb/ntlmssp_wrap.c
> > -+++ b/source3/libsmb/ntlmssp_wrap.c
> > -@@ -23,6 +23,7 @@
> > - #include "auth/ntlmssp/ntlmssp_private.h"
> > - #include "auth_generic.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "auth/credentials/credentials.h"
> > - #include "librpc/rpc/dcerpc.h"
> > - #include "lib/param/param.h"
> > -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> > -index a5e0cd2..5fcb60e 100644
> > ---- a/source3/utils/ntlm_auth.c
> > -+++ b/source3/utils/ntlm_auth.c
> > -@@ -32,6 +32,7 @@
> > - #include "../libcli/auth/spnego.h"
> > - #include "auth/ntlmssp/ntlmssp.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "auth/credentials/credentials.h"
> > - #include "librpc/crypto/gse.h"
> > - #include "smb_krb5.h"
> > -diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
> > -index 2e733bf..08dccd6 100644
> > ---- a/source4/auth/gensec/cyrus_sasl.c
> > -+++ b/source4/auth/gensec/cyrus_sasl.c
> > -@@ -23,6 +23,7 @@
> > - #include "lib/tsocket/tsocket.h"
> > - #include "auth/credentials/credentials.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "auth/gensec/gensec_proto.h"
> > - #include "auth/gensec/gensec_toplevel_proto.h"
> > - #include <sasl/sasl.h>
> > -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
> > -index 4fc544f..63a53bf 100644
> > ---- a/source4/auth/gensec/gensec_gssapi.c
> > -+++ b/source4/auth/gensec/gensec_gssapi.c
> > -@@ -34,6 +34,7 @@
> > - #include "auth/credentials/credentials.h"
> > - #include "auth/credentials/credentials_krb5.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "auth/gensec/gensec_proto.h"
> > - #include "auth/gensec/gensec_toplevel_proto.h"
> > - #include "param/param.h"
> > -diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
> > -index fbec64c..ecc3331 100644
> > ---- a/source4/auth/gensec/gensec_krb5.c
> > -+++ b/source4/auth/gensec/gensec_krb5.c
> > -@@ -34,6 +34,7 @@
> > - #include "auth/credentials/credentials_krb5.h"
> > - #include "auth/kerberos/kerberos_credentials.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "auth/gensec/gensec_proto.h"
> > - #include "auth/gensec/gensec_toplevel_proto.h"
> > - #include "param/param.h"
> > -diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c
> > -index 02e5ae2..fd6daff 100644
> > ---- a/source4/auth/gensec/pygensec.c
> > -+++ b/source4/auth/gensec/pygensec.c
> > -@@ -20,6 +20,7 @@
> > - #include "includes.h"
> > - #include "param/pyparam.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> > - #include "auth/credentials/pycredentials.h"
> > - #include "libcli/util/pyerrors.h"
> > - #include "python/modules.h"
> > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > -index e67432c..eb2e100 100644
> > ---- a/source4/auth/gensec/schannel.c
> > -+++ b/source4/auth/gensec/schannel.c
> > -@@ -25,6 +25,7 @@
> > - #include "auth/auth.h"
> > - #include "auth/credentials/credentials.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "auth/gensec/gensec_proto.h"
> > - #include "../libcli/auth/schannel.h"
> > - #include "librpc/gen_ndr/dcerpc.h"
> > -diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
> > -index 4a195e5..f0da82c 100644
> > ---- a/source4/ldap_server/ldap_backend.c
> > -+++ b/source4/ldap_server/ldap_backend.c
> > -@@ -23,6 +23,7 @@
> > - #include "../lib/util/dlinklist.h"
> > - #include "auth/credentials/credentials.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> > - #include "param/param.h"
> > - #include "smbd/service_stream.h"
> > - #include "dsdb/samdb/samdb.h"
> > -diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
> > -index b355e18..f0a498b 100644
> > ---- a/source4/libcli/ldap/ldap_bind.c
> > -+++ b/source4/libcli/ldap/ldap_bind.c
> > -@@ -27,6 +27,7 @@
> > - #include "libcli/ldap/ldap_client.h"
> > - #include "lib/tls/tls.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> > - #include "auth/gensec/gensec_socket.h"
> > - #include "auth/credentials/credentials.h"
> > - #include "lib/stream/packet.h"
> > -diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c
> > -index bdaa65b..45e5889 100644
> > ---- a/source4/torture/auth/ntlmssp.c
> > -+++ b/source4/torture/auth/ntlmssp.c
> > -@@ -19,6 +19,7 @@
> > -
> > - #include "includes.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > - #include "auth/ntlmssp/ntlmssp.h"
> > - #include "auth/ntlmssp/ntlmssp_private.h"
> > - #include "lib/cmdline/popt_common.h"
> > -diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
> > -index 136e238..1e2feb0 100644
> > ---- a/source4/utils/ntlm_auth.c
> > -+++ b/source4/utils/ntlm_auth.c
> > -@@ -27,6 +27,7 @@
> > - #include <ldb.h>
> > - #include "auth/credentials/credentials.h"
> > - #include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> > - #include "auth/auth.h"
> > - #include "librpc/gen_ndr/ndr_netlogon.h"
> > - #include "auth/auth_sam.h"
> > ---
> > -1.9.3
> > -
> > -
> > -From fabdf9f539385d97bc4bf2550e7fd4de2d1b5d01 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 5 Aug 2013 10:37:26 +0200
> > -Subject: [PATCH 084/249] auth/gensec: avoid talloc_reference in
> > - gensec_use_kerberos_mechs()
> > -
> > -We now always copy.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 3e3534f882651880093381f5a7846c0938df6501)
> > ----
> > - auth/gensec/gensec_start.c | 38 ++++++++++++++++++++------------------
> > - 1 file changed, 20 insertions(+), 18 deletions(-)
> > -
> > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > -index 34029f5..096ad36 100644
> > ---- a/auth/gensec/gensec_start.c
> > -+++ b/auth/gensec/gensec_start.c
> > -@@ -80,13 +80,6 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
> > - use_kerberos = cli_credentials_get_kerberos_state(creds);
> > - }
> > -
> > -- if (use_kerberos == CRED_AUTO_USE_KERBEROS) {
> > -- if (!talloc_reference(mem_ctx, old_gensec_list)) {
> > -- return NULL;
> > -- }
> > -- return old_gensec_list;
> > -- }
> > --
> > - for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
> > - /* noop */
> > - }
> > -@@ -99,35 +92,44 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
> > - j = 0;
> > - for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
> > - int oid_idx;
> > -- bool found_spnego = false;
> > -+ bool keep = false;
> > -+
> > - for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
> > - if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
> > -- new_gensec_list[j] = old_gensec_list[i];
> > -- j++;
> > -- found_spnego = true;
> > -+ keep = true;
> > - break;
> > - }
> > - }
> > -- if (found_spnego) {
> > -- continue;
> > -- }
> > -+
> > - switch (use_kerberos) {
> > -+ case CRED_AUTO_USE_KERBEROS:
> > -+ keep = true;
> > -+ break;
> > -+
> > - case CRED_DONT_USE_KERBEROS:
> > - if (old_gensec_list[i]->kerberos == false) {
> > -- new_gensec_list[j] = old_gensec_list[i];
> > -- j++;
> > -+ keep = true;
> > - }
> > -+
> > - break;
> > -+
> > - case CRED_MUST_USE_KERBEROS:
> > - if (old_gensec_list[i]->kerberos == true) {
> > -- new_gensec_list[j] = old_gensec_list[i];
> > -- j++;
> > -+ keep = true;
> > - }
> > -+
> > - break;
> > - default:
> > - /* Can't happen or invalid parameter */
> > - return NULL;
> > - }
> > -+
> > -+ if (!keep) {
> > -+ continue;
> > -+ }
> > -+
> > -+ new_gensec_list[j] = old_gensec_list[i];
> > -+ j++;
> > - }
> > - new_gensec_list[j] = NULL;
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From b71ed3dd183d64beda108d0881c03978ef4b3892 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 5 Aug 2013 10:39:16 +0200
> > -Subject: [PATCH 085/249] auth/gensec: avoid talloc_reference in
> > - gensec_security_mechs()
> > -
> > -We now always copy.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 6a7a44db5999af7262478eb1c186d784d6075beb)
> > ----
> > - auth/gensec/gensec_start.c | 27 +++++++++------------------
> > - 1 file changed, 9 insertions(+), 18 deletions(-)
> > -
> > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > -index 096ad36..00e2759 100644
> > ---- a/auth/gensec/gensec_start.c
> > -+++ b/auth/gensec/gensec_start.c
> > -@@ -140,28 +140,19 @@ _PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
> > - struct gensec_security *gensec_security,
> > - TALLOC_CTX *mem_ctx)
> > - {
> > -- struct gensec_security_ops **backends;
> > -- if (!gensec_security) {
> > -- backends = gensec_security_all();
> > -- if (!talloc_reference(mem_ctx, backends)) {
> > -- return NULL;
> > -- }
> > -- return backends;
> > -- } else {
> > -- struct cli_credentials *creds = gensec_get_credentials(gensec_security);
> > -+ struct cli_credentials *creds = NULL;
> > -+ struct gensec_security_ops **backends = gensec_security_all();
> > -+
> > -+ if (gensec_security != NULL) {
> > -+ creds = gensec_get_credentials(gensec_security);
> > -+
> > - if (gensec_security->settings->backends) {
> > - backends = gensec_security->settings->backends;
> > -- } else {
> > -- backends = gensec_security_all();
> > - }
> > -- if (!creds) {
> > -- if (!talloc_reference(mem_ctx, backends)) {
> > -- return NULL;
> > -- }
> > -- return backends;
> > -- }
> > -- return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
> > - }
> > -+
> > -+ return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
> > -+
> > - }
> > -
> > - static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
> > ---
> > -1.9.3
> > -
> > -
> > -From fe6a14d48b0eb3dfcfc6d7f0b68e8f28b7ad9796 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 5 Aug 2013 16:12:13 +0200
> > -Subject: [PATCH 086/249] auth/gensec: make it possible to implement async
> > - backends
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit e81550c8117166d0fbf69ba1d3957cb950c42961)
> > ----
> > - auth/gensec/gensec.c | 202 ++++++++++++++++++++++++++++++++----------
> > - auth/gensec/gensec_internal.h | 7 ++
> > - 2 files changed, 160 insertions(+), 49 deletions(-)
> > -
> > -diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
> > -index d364a34..abcbcb9 100644
> > ---- a/auth/gensec/gensec.c
> > -+++ b/auth/gensec/gensec.c
> > -@@ -218,61 +218,92 @@ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_
> > - const DATA_BLOB in, DATA_BLOB *out)
> > - {
> > - NTSTATUS status;
> > -+ const struct gensec_security_ops *ops = gensec_security->ops;
> > -+ TALLOC_CTX *frame = NULL;
> > -+ struct tevent_req *subreq = NULL;
> > -+ bool ok;
> > -
> > -- status = gensec_security->ops->update(gensec_security, out_mem_ctx,
> > -- ev, in, out);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > -+ if (ops->update_send == NULL) {
> > -
> > -- /*
> > -- * Because callers using the
> > -- * gensec_start_mech_by_auth_type() never call
> > -- * gensec_want_feature(), it isn't sensible for them
> > -- * to have to call gensec_have_feature() manually, and
> > -- * these are not points of negotiation, but are
> > -- * asserted by the client
> > -- */
> > -- switch (gensec_security->dcerpc_auth_level) {
> > -- case DCERPC_AUTH_LEVEL_INTEGRITY:
> > -- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
> > -- DEBUG(0,("Did not manage to negotiate mandetory feature "
> > -- "SIGN for dcerpc auth_level %u\n",
> > -- gensec_security->dcerpc_auth_level));
> > -- return NT_STATUS_ACCESS_DENIED;
> > -- }
> > -- break;
> > -- case DCERPC_AUTH_LEVEL_PRIVACY:
> > -- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
> > -- DEBUG(0,("Did not manage to negotiate mandetory feature "
> > -- "SIGN for dcerpc auth_level %u\n",
> > -- gensec_security->dcerpc_auth_level));
> > -- return NT_STATUS_ACCESS_DENIED;
> > -+ status = ops->update(gensec_security, out_mem_ctx,
> > -+ ev, in, out);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > - }
> > -- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
> > -- DEBUG(0,("Did not manage to negotiate mandetory feature "
> > -- "SEAL for dcerpc auth_level %u\n",
> > -- gensec_security->dcerpc_auth_level));
> > -- return NT_STATUS_ACCESS_DENIED;
> > -+
> > -+ /*
> > -+ * Because callers using the
> > -+ * gensec_start_mech_by_auth_type() never call
> > -+ * gensec_want_feature(), it isn't sensible for them
> > -+ * to have to call gensec_have_feature() manually, and
> > -+ * these are not points of negotiation, but are
> > -+ * asserted by the client
> > -+ */
> > -+ switch (gensec_security->dcerpc_auth_level) {
> > -+ case DCERPC_AUTH_LEVEL_INTEGRITY:
> > -+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
> > -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> > -+ "SIGN for dcerpc auth_level %u\n",
> > -+ gensec_security->dcerpc_auth_level));
> > -+ return NT_STATUS_ACCESS_DENIED;
> > -+ }
> > -+ break;
> > -+ case DCERPC_AUTH_LEVEL_PRIVACY:
> > -+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
> > -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> > -+ "SIGN for dcerpc auth_level %u\n",
> > -+ gensec_security->dcerpc_auth_level));
> > -+ return NT_STATUS_ACCESS_DENIED;
> > -+ }
> > -+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
> > -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> > -+ "SEAL for dcerpc auth_level %u\n",
> > -+ gensec_security->dcerpc_auth_level));
> > -+ return NT_STATUS_ACCESS_DENIED;
> > -+ }
> > -+ break;
> > -+ default:
> > -+ break;
> > - }
> > -- break;
> > -- default:
> > -- break;
> > -+
> > -+ return NT_STATUS_OK;
> > - }
> > -
> > -- return NT_STATUS_OK;
> > -+ frame = talloc_stackframe();
> > -+
> > -+ subreq = ops->update_send(frame, ev, gensec_security, in);
> > -+ if (subreq == NULL) {
> > -+ goto fail;
> > -+ }
> > -+ ok = tevent_req_poll_ntstatus(subreq, ev, &status);
> > -+ if (!ok) {
> > -+ goto fail;
> > -+ }
> > -+ status = ops->update_recv(subreq, out_mem_ctx, out);
> > -+ fail:
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > - }
> > -
> > - struct gensec_update_state {
> > -- struct tevent_immediate *im;
> > -+ const struct gensec_security_ops *ops;
> > -+ struct tevent_req *subreq;
> > - struct gensec_security *gensec_security;
> > -- DATA_BLOB in;
> > - DATA_BLOB out;
> > -+
> > -+ /*
> > -+ * only for sync backends, we should remove this
> > -+ * once all backends are async.
> > -+ */
> > -+ struct tevent_immediate *im;
> > -+ DATA_BLOB in;
> > - };
> > -
> > - static void gensec_update_async_trigger(struct tevent_context *ctx,
> > - struct tevent_immediate *im,
> > - void *private_data);
> > -+static void gensec_update_subreq_done(struct tevent_req *subreq);
> > -+
> > - /**
> > - * Next state function for the GENSEC state machine async version
> > - *
> > -@@ -298,17 +329,31 @@ _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
> > - return NULL;
> > - }
> > -
> > -- state->gensec_security = gensec_security;
> > -- state->in = in;
> > -- state->out = data_blob(NULL, 0);
> > -- state->im = tevent_create_immediate(state);
> > -- if (tevent_req_nomem(state->im, req)) {
> > -+ state->ops = gensec_security->ops;
> > -+ state->gensec_security = gensec_security;
> > -+
> > -+ if (state->ops->update_send == NULL) {
> > -+ state->in = in;
> > -+ state->im = tevent_create_immediate(state);
> > -+ if (tevent_req_nomem(state->im, req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ tevent_schedule_immediate(state->im, ev,
> > -+ gensec_update_async_trigger,
> > -+ req);
> > -+
> > -+ return req;
> > -+ }
> > -+
> > -+ state->subreq = state->ops->update_send(state, ev, gensec_security, in);
> > -+ if (tevent_req_nomem(state->subreq, req)) {
> > - return tevent_req_post(req, ev);
> > - }
> > -
> > -- tevent_schedule_immediate(state->im, ev,
> > -- gensec_update_async_trigger,
> > -- req);
> > -+ tevent_req_set_callback(state->subreq,
> > -+ gensec_update_subreq_done,
> > -+ req);
> > -
> > - return req;
> > - }
> > -@@ -323,12 +368,71 @@ static void gensec_update_async_trigger(struct tevent_context *ctx,
> > - tevent_req_data(req, struct gensec_update_state);
> > - NTSTATUS status;
> > -
> > -- status = gensec_update(state->gensec_security, state, ctx,
> > -- state->in, &state->out);
> > -+ status = state->ops->update(state->gensec_security, state, ctx,
> > -+ state->in, &state->out);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+
> > -+ tevent_req_done(req);
> > -+}
> > -+
> > -+static void gensec_update_subreq_done(struct tevent_req *subreq)
> > -+{
> > -+ struct tevent_req *req =
> > -+ tevent_req_callback_data(subreq,
> > -+ struct tevent_req);
> > -+ struct gensec_update_state *state =
> > -+ tevent_req_data(req,
> > -+ struct gensec_update_state);
> > -+ NTSTATUS status;
> > -+
> > -+ state->subreq = NULL;
> > -+
> > -+ status = state->ops->update_recv(subreq, state, &state->out);
> > -+ TALLOC_FREE(subreq);
> > - if (tevent_req_nterror(req, status)) {
> > - return;
> > - }
> > -
> > -+ /*
> > -+ * Because callers using the
> > -+ * gensec_start_mech_by_authtype() never call
> > -+ * gensec_want_feature(), it isn't sensible for them
> > -+ * to have to call gensec_have_feature() manually, and
> > -+ * these are not points of negotiation, but are
> > -+ * asserted by the client
> > -+ */
> > -+ switch (state->gensec_security->dcerpc_auth_level) {
> > -+ case DCERPC_AUTH_LEVEL_INTEGRITY:
> > -+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
> > -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> > -+ "SIGN for dcerpc auth_level %u\n",
> > -+ state->gensec_security->dcerpc_auth_level));
> > -+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
> > -+ return;
> > -+ }
> > -+ break;
> > -+ case DCERPC_AUTH_LEVEL_PRIVACY:
> > -+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
> > -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> > -+ "SIGN for dcerpc auth_level %u\n",
> > -+ state->gensec_security->dcerpc_auth_level));
> > -+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
> > -+ return;
> > -+ }
> > -+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SEAL)) {
> > -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> > -+ "SEAL for dcerpc auth_level %u\n",
> > -+ state->gensec_security->dcerpc_auth_level));
> > -+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
> > -+ return;
> > -+ }
> > -+ break;
> > -+ default:
> > -+ break;
> > -+ }
> > -+
> > - tevent_req_done(req);
> > - }
> > -
> > -diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
> > -index 41b6f0d..c04164a 100644
> > ---- a/auth/gensec/gensec_internal.h
> > -+++ b/auth/gensec/gensec_internal.h
> > -@@ -40,6 +40,13 @@ struct gensec_security_ops {
> > - NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> > - struct tevent_context *ev,
> > - const DATA_BLOB in, DATA_BLOB *out);
> > -+ struct tevent_req *(*update_send)(TALLOC_CTX *mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ struct gensec_security *gensec_security,
> > -+ const DATA_BLOB in);
> > -+ NTSTATUS (*update_recv)(struct tevent_req *req,
> > -+ TALLOC_CTX *out_mem_ctx,
> > -+ DATA_BLOB *out);
> > - NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> > - uint8_t *data, size_t length,
> > - const uint8_t *whole_pdu, size_t pdu_length,
> > ---
> > -1.9.3
> > -
> > -
> > -From aa559f2fc6f228fba268adafa92392dff8152747 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 5 Aug 2013 11:10:55 +0200
> > -Subject: [PATCH 087/249] auth/gensec: use 'const char * const *' for function
> > - parameters
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit c81b6f7448d7f945635784de645bea4f7f2e230f)
> > ----
> > - auth/gensec/gensec.h | 2 +-
> > - auth/gensec/gensec_start.c | 2 +-
> > - auth/gensec/spnego.c | 2 +-
> > - 3 files changed, 3 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> > -index 5d39d81..d0bc451 100644
> > ---- a/auth/gensec/gensec.h
> > -+++ b/auth/gensec/gensec.h
> > -@@ -184,7 +184,7 @@ struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gense
> > - const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> > - struct gensec_security *gensec_security,
> > - TALLOC_CTX *mem_ctx,
> > -- const char **oid_strings,
> > -+ const char * const *oid_strings,
> > - const char *skip);
> > - const char **gensec_security_oids(struct gensec_security *gensec_security,
> > - TALLOC_CTX *mem_ctx,
> > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > -index 00e2759..2874c13 100644
> > ---- a/auth/gensec/gensec_start.c
> > -+++ b/auth/gensec/gensec_start.c
> > -@@ -373,7 +373,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
> > - _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> > - struct gensec_security *gensec_security,
> > - TALLOC_CTX *mem_ctx,
> > -- const char **oid_strings,
> > -+ const char * const *oid_strings,
> > - const char *skip)
> > - {
> > - struct gensec_security_ops_wrapper *backends_out;
> > -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
> > -index 38a45f8..0eb6da1 100644
> > ---- a/auth/gensec/spnego.c
> > -+++ b/auth/gensec/spnego.c
> > -@@ -417,7 +417,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
> > - struct spnego_state *spnego_state,
> > - TALLOC_CTX *out_mem_ctx,
> > - struct tevent_context *ev,
> > -- const char **mechType,
> > -+ const char * const *mechType,
> > - const DATA_BLOB unwrapped_in, DATA_BLOB *unwrapped_out)
> > - {
> > - int i;
> > ---
> > -1.9.3
> > -
> > -
> > -From a2e14962e1eeebaac2fb4539794a454b0f486869 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 5 Aug 2013 11:20:21 +0200
> > -Subject: [PATCH 088/249] auth/gensec: treat struct gensec_security_ops as
> > - const if possible.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 966faef9c61d2ec02d75fc3ccc82a61524fb77e4)
> > ----
> > - auth/gensec/gensec.h | 14 +++++-----
> > - auth/gensec/gensec_start.c | 52 ++++++++++++++++++++------------------
> > - auth/gensec/spnego.c | 8 +++---
> > - source3/auth/auth_generic.c | 15 ++++++-----
> > - source3/libads/authdata.c | 11 ++++----
> > - source3/libsmb/auth_generic.c | 15 ++++++-----
> > - source3/utils/ntlm_auth.c | 22 ++++++++--------
> > - source4/ldap_server/ldap_backend.c | 4 +--
> > - 8 files changed, 75 insertions(+), 66 deletions(-)
> > -
> > -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> > -index d0bc451..ac1fadf 100644
> > ---- a/auth/gensec/gensec.h
> > -+++ b/auth/gensec/gensec.h
> > -@@ -85,7 +85,7 @@ struct gensec_settings {
> > - /* this allows callers to specify a specific set of ops that
> > - * should be used, rather than those loaded by the plugin
> > - * mechanism */
> > -- struct gensec_security_ops **backends;
> > -+ const struct gensec_security_ops * const *backends;
> > -
> > - /* To fill in our own name in the NTLMSSP server */
> > - const char *server_dns_domain;
> > -@@ -179,7 +179,7 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec
> > - const struct gensec_security_ops *gensec_security_by_auth_type(
> > - struct gensec_security *gensec_security,
> > - uint32_t auth_type);
> > --struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
> > -+const struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
> > - TALLOC_CTX *mem_ctx);
> > - const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> > - struct gensec_security *gensec_security,
> > -@@ -243,11 +243,11 @@ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
> > - const DATA_BLOB *in,
> > - DATA_BLOB *out);
> > -
> > --struct gensec_security_ops **gensec_security_all(void);
> > --bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security);
> > --struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
> > -- struct gensec_security_ops **old_gensec_list,
> > -- struct cli_credentials *creds);
> > -+const struct gensec_security_ops * const *gensec_security_all(void);
> > -+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security);
> > -+const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
> > -+ const struct gensec_security_ops * const *old_gensec_list,
> > -+ struct cli_credentials *creds);
> > -
> > - NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
> > - const char *sasl_name);
> > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > -index 2874c13..3ae64d5 100644
> > ---- a/auth/gensec/gensec_start.c
> > -+++ b/auth/gensec/gensec_start.c
> > -@@ -33,17 +33,17 @@
> > - #include "lib/util/samba_modules.h"
> > -
> > - /* the list of currently registered GENSEC backends */
> > --static struct gensec_security_ops **generic_security_ops;
> > -+static const struct gensec_security_ops **generic_security_ops;
> > - static int gensec_num_backends;
> > -
> > - /* Return all the registered mechs. Don't modify the return pointer,
> > -- * but you may talloc_reference it if convient */
> > --_PUBLIC_ struct gensec_security_ops **gensec_security_all(void)
> > -+ * but you may talloc_referen it if convient */
> > -+_PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void)
> > - {
> > - return generic_security_ops;
> > - }
> > -
> > --bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
> > -+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
> > - {
> > - return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
> > - }
> > -@@ -68,11 +68,11 @@ bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_
> > - * more compplex.
> > - */
> > -
> > --_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
> > -- struct gensec_security_ops **old_gensec_list,
> > -- struct cli_credentials *creds)
> > -+_PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
> > -+ const struct gensec_security_ops * const *old_gensec_list,
> > -+ struct cli_credentials *creds)
> > - {
> > -- struct gensec_security_ops **new_gensec_list;
> > -+ const struct gensec_security_ops **new_gensec_list;
> > - int i, j, num_mechs_in;
> > - enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
> > -
> > -@@ -84,7 +84,9 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
> > - /* noop */
> > - }
> > -
> > -- new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1);
> > -+ new_gensec_list = talloc_array(mem_ctx,
> > -+ const struct gensec_security_ops *,
> > -+ num_mechs_in + 1);
> > - if (!new_gensec_list) {
> > - return NULL;
> > - }
> > -@@ -136,12 +138,12 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
> > - return new_gensec_list;
> > - }
> > -
> > --_PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
> > -+_PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
> > - struct gensec_security *gensec_security,
> > - TALLOC_CTX *mem_ctx)
> > - {
> > - struct cli_credentials *creds = NULL;
> > -- struct gensec_security_ops **backends = gensec_security_all();
> > -+ const struct gensec_security_ops * const *backends = gensec_security_all();
> > -
> > - if (gensec_security != NULL) {
> > - creds = gensec_get_credentials(gensec_security);
> > -@@ -159,7 +161,7 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
> > - uint8_t auth_type)
> > - {
> > - int i;
> > -- struct gensec_security_ops **backends;
> > -+ const struct gensec_security_ops **backends;
> > - const struct gensec_security_ops *backend;
> > - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > - if (!mem_ctx) {
> > -@@ -185,7 +187,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
> > - const char *oid_string)
> > - {
> > - int i, j;
> > -- struct gensec_security_ops **backends;
> > -+ const struct gensec_security_ops **backends;
> > - const struct gensec_security_ops *backend;
> > - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > - if (!mem_ctx) {
> > -@@ -218,7 +220,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
> > - const char *sasl_name)
> > - {
> > - int i;
> > -- struct gensec_security_ops **backends;
> > -+ const struct gensec_security_ops **backends;
> > - const struct gensec_security_ops *backend;
> > - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > - if (!mem_ctx) {
> > -@@ -245,7 +247,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
> > - uint32_t auth_type)
> > - {
> > - int i;
> > -- struct gensec_security_ops **backends;
> > -+ const struct gensec_security_ops **backends;
> > - const struct gensec_security_ops *backend;
> > - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > - if (!mem_ctx) {
> > -@@ -270,7 +272,7 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s
> > - const char *name)
> > - {
> > - int i;
> > -- struct gensec_security_ops **backends;
> > -+ const struct gensec_security_ops **backends;
> > - const struct gensec_security_ops *backend;
> > - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > - if (!mem_ctx) {
> > -@@ -306,7 +308,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
> > - const char **sasl_names)
> > - {
> > - const struct gensec_security_ops **backends_out;
> > -- struct gensec_security_ops **backends;
> > -+ const struct gensec_security_ops **backends;
> > - int i, k, sasl_idx;
> > - int num_backends_out = 0;
> > -
> > -@@ -377,7 +379,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> > - const char *skip)
> > - {
> > - struct gensec_security_ops_wrapper *backends_out;
> > -- struct gensec_security_ops **backends;
> > -+ const struct gensec_security_ops **backends;
> > - int i, j, k, oid_idx;
> > - int num_backends_out = 0;
> > -
> > -@@ -451,7 +453,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> > - static const char **gensec_security_oids_from_ops(
> > - struct gensec_security *gensec_security,
> > - TALLOC_CTX *mem_ctx,
> > -- struct gensec_security_ops **ops,
> > -+ const struct gensec_security_ops * const *ops,
> > - const char *skip)
> > - {
> > - int i;
> > -@@ -542,8 +544,10 @@ _PUBLIC_ const char **gensec_security_oids(struct gensec_security *gensec_securi
> > - TALLOC_CTX *mem_ctx,
> > - const char *skip)
> > - {
> > -- struct gensec_security_ops **ops
> > -- = gensec_security_mechs(gensec_security, mem_ctx);
> > -+ const struct gensec_security_ops **ops;
> > -+
> > -+ ops = gensec_security_mechs(gensec_security, mem_ctx);
> > -+
> > - return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
> > - }
> > -
> > -@@ -876,13 +880,13 @@ _PUBLIC_ NTSTATUS gensec_register(const struct gensec_security_ops *ops)
> > -
> > - generic_security_ops = talloc_realloc(talloc_autofree_context(),
> > - generic_security_ops,
> > -- struct gensec_security_ops *,
> > -+ const struct gensec_security_ops *,
> > - gensec_num_backends+2);
> > - if (!generic_security_ops) {
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- generic_security_ops[gensec_num_backends] = discard_const_p(struct gensec_security_ops, ops);
> > -+ generic_security_ops[gensec_num_backends] = ops;
> > - gensec_num_backends++;
> > - generic_security_ops[gensec_num_backends] = NULL;
> > -
> > -@@ -908,7 +912,7 @@ _PUBLIC_ const struct gensec_critical_sizes *gensec_interface_version(void)
> > - return &critical_sizes;
> > - }
> > -
> > --static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ops **gs2) {
> > -+static int sort_gensec(const struct gensec_security_ops **gs1, const struct gensec_security_ops **gs2) {
> > - return (*gs2)->priority - (*gs1)->priority;
> > - }
> > -
> > -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
> > -index 0eb6da1..d90a50c 100644
> > ---- a/auth/gensec/spnego.c
> > -+++ b/auth/gensec/spnego.c
> > -@@ -352,9 +352,11 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
> > - const DATA_BLOB in, DATA_BLOB *out)
> > - {
> > - int i,j;
> > -- struct gensec_security_ops **all_ops
> > -- = gensec_security_mechs(gensec_security, out_mem_ctx);
> > -- for (i=0; all_ops[i]; i++) {
> > -+ const struct gensec_security_ops **all_ops;
> > -+
> > -+ all_ops = gensec_security_mechs(gensec_security, out_mem_ctx);
> > -+
> > -+ for (i=0; all_ops && all_ops[i]; i++) {
> > - bool is_spnego;
> > - NTSTATUS nt_status;
> > -
> > -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> > -index a2ba4e3..e15c87e 100644
> > ---- a/source3/auth/auth_generic.c
> > -+++ b/source3/auth/auth_generic.c
> > -@@ -203,6 +203,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> > - return nt_status;
> > - }
> > - } else {
> > -+ const struct gensec_security_ops **backends = NULL;
> > - struct gensec_settings *gensec_settings;
> > - struct loadparm_context *lp_ctx;
> > - size_t idx = 0;
> > -@@ -259,24 +260,24 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- gensec_settings->backends = talloc_zero_array(gensec_settings,
> > -- struct gensec_security_ops *, 4);
> > -- if (gensec_settings->backends == NULL) {
> > -+ backends = talloc_zero_array(gensec_settings,
> > -+ const struct gensec_security_ops *, 4);
> > -+ if (backends == NULL) {
> > - TALLOC_FREE(tmp_ctx);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -+ gensec_settings->backends = backends;
> > -
> > - gensec_init();
> > -
> > - /* These need to be in priority order, krb5 before NTLMSSP */
> > - #if defined(HAVE_KRB5)
> > -- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
> > -+ backends[idx++] = &gensec_gse_krb5_security_ops;
> > - #endif
> > -
> > -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
> > -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
> > -
> > -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
> > -- GENSEC_OID_SPNEGO);
> > -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> > -
> > - /*
> > - * This is anonymous for now, because we just use it
> > -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> > -index 582917d..801e551 100644
> > ---- a/source3/libads/authdata.c
> > -+++ b/source3/libads/authdata.c
> > -@@ -111,7 +111,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - const char *cc = "MEMORY:kerberos_return_pac";
> > - struct auth_session_info *session_info;
> > - struct gensec_security *gensec_server_context;
> > --
> > -+ const struct gensec_security_ops **backends;
> > - struct gensec_settings *gensec_settings;
> > - size_t idx = 0;
> > - struct auth4_context *auth_context;
> > -@@ -230,16 +230,17 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > - goto out;
> > - }
> > -
> > -- gensec_settings->backends = talloc_zero_array(gensec_settings,
> > -- struct gensec_security_ops *, 2);
> > -- if (gensec_settings->backends == NULL) {
> > -+ backends = talloc_zero_array(gensec_settings,
> > -+ const struct gensec_security_ops *, 2);
> > -+ if (backends == NULL) {
> > - status = NT_STATUS_NO_MEMORY;
> > - goto out;
> > - }
> > -+ gensec_settings->backends = backends;
> > -
> > - gensec_init();
> > -
> > -- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
> > -+ backends[idx++] = &gensec_gse_krb5_security_ops;
> > -
> > - status = gensec_server_start(tmp_ctx, gensec_settings,
> > - auth_context, &gensec_server_context);
> > -diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
> > -index ba0a0ce..e30c1b7 100644
> > ---- a/source3/libsmb/auth_generic.c
> > -+++ b/source3/libsmb/auth_generic.c
> > -@@ -54,6 +54,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
> > - NTSTATUS nt_status;
> > - size_t idx = 0;
> > - struct gensec_settings *gensec_settings;
> > -+ const struct gensec_security_ops **backends = NULL;
> > - struct loadparm_context *lp_ctx;
> > -
> > - ans = talloc_zero(mem_ctx, struct auth_generic_state);
> > -@@ -76,24 +77,24 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- gensec_settings->backends = talloc_zero_array(gensec_settings,
> > -- struct gensec_security_ops *, 4);
> > -- if (gensec_settings->backends == NULL) {
> > -+ backends = talloc_zero_array(gensec_settings,
> > -+ const struct gensec_security_ops *, 4);
> > -+ if (backends == NULL) {
> > - TALLOC_FREE(ans);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -+ gensec_settings->backends = backends;
> > -
> > - gensec_init();
> > -
> > - /* These need to be in priority order, krb5 before NTLMSSP */
> > - #if defined(HAVE_KRB5)
> > -- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
> > -+ backends[idx++] = &gensec_gse_krb5_security_ops;
> > - #endif
> > -
> > -- gensec_settings->backends[idx++] = &gensec_ntlmssp3_client_ops;
> > -+ backends[idx++] = &gensec_ntlmssp3_client_ops;
> > -
> > -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
> > -- GENSEC_OID_SPNEGO);
> > -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> > -
> > - nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
> > -
> > -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> > -index 5fcb60e..25e717c 100644
> > ---- a/source3/utils/ntlm_auth.c
> > -+++ b/source3/utils/ntlm_auth.c
> > -@@ -1035,7 +1035,7 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
> > - NTSTATUS nt_status;
> > -
> > - TALLOC_CTX *tmp_ctx;
> > --
> > -+ const struct gensec_security_ops **backends;
> > - struct gensec_settings *gensec_settings;
> > - size_t idx = 0;
> > - struct cli_credentials *server_credentials;
> > -@@ -1079,26 +1079,26 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
> > - gensec_settings->server_dns_name = strlower_talloc(gensec_settings,
> > - get_mydnsfullname());
> > -
> > -- gensec_settings->backends = talloc_zero_array(gensec_settings,
> > -- struct gensec_security_ops *, 4);
> > -+ backends = talloc_zero_array(gensec_settings,
> > -+ const struct gensec_security_ops *, 4);
> > -
> > -- if (gensec_settings->backends == NULL) {
> > -+ if (backends == NULL) {
> > - TALLOC_FREE(tmp_ctx);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > --
> > -+ gensec_settings->backends = backends;
> > -+
> > - gensec_init();
> > -
> > - /* These need to be in priority order, krb5 before NTLMSSP */
> > - #if defined(HAVE_KRB5)
> > -- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
> > -+ backends[idx++] = &gensec_gse_krb5_security_ops;
> > - #endif
> > --
> > -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
> > -
> > -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
> > -- GENSEC_OID_SPNEGO);
> > --
> > -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
> > -+
> > -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> > -+
> > - /*
> > - * This is anonymous for now, because we just use it
> > - * to set the kerberos state at the moment
> > -diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
> > -index f0da82c..3432594 100644
> > ---- a/source4/ldap_server/ldap_backend.c
> > -+++ b/source4/ldap_server/ldap_backend.c
> > -@@ -192,8 +192,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
> > -
> > - if (conn->server_credentials) {
> > - char **sasl_mechs = NULL;
> > -- struct gensec_security_ops **backends = gensec_security_all();
> > -- struct gensec_security_ops **ops
> > -+ const struct gensec_security_ops * const *backends = gensec_security_all();
> > -+ const struct gensec_security_ops **ops
> > - = gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
> > - unsigned int i, j = 0;
> > - for (i = 0; ops && ops[i]; i++) {
> > ---
> > -1.9.3
> > -
> > -
> > -From 6a58d4f4cb60bf25c1493ef0aedd5978abc06969 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 5 Aug 2013 10:43:38 +0200
> > -Subject: [PATCH 089/249] libcli/auth: avoid possible mem leak in
> > - read_negTokenInit()
> > -
> > -Also add error checks.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit f1e60142e12deb560e3c62441fd9ff2acd086b60)
> > ----
> > - libcli/auth/spnego_parse.c | 19 +++++++++++++++----
> > - 1 file changed, 15 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
> > -index 3bf7aea..2c73613 100644
> > ---- a/libcli/auth/spnego_parse.c
> > -+++ b/libcli/auth/spnego_parse.c
> > -@@ -46,13 +46,24 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
> > - asn1_start_tag(asn1, ASN1_CONTEXT(0));
> > - asn1_start_tag(asn1, ASN1_SEQUENCE(0));
> > -
> > -- token->mechTypes = talloc(NULL, const char *);
> > -+ token->mechTypes = talloc(mem_ctx, const char *);
> > -+ if (token->mechTypes == NULL) {
> > -+ asn1->has_error = true;
> > -+ return false;
> > -+ }
> > - for (i = 0; !asn1->has_error &&
> > - 0 < asn1_tag_remaining(asn1); i++) {
> > - char *oid;
> > -- token->mechTypes = talloc_realloc(NULL,
> > -- token->mechTypes,
> > -- const char *, i+2);
> > -+ const char **p;
> > -+ p = talloc_realloc(mem_ctx,
> > -+ token->mechTypes,
> > -+ const char *, i+2);
> > -+ if (p == NULL) {
> > -+ TALLOC_FREE(token->mechTypes);
> > -+ asn1->has_error = true;
> > -+ return false;
> > -+ }
> > -+ token->mechTypes = p;
> > - asn1_read_OID(asn1, token->mechTypes, &oid);
> > - token->mechTypes[i] = oid;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From 8835471a993521e49aa48ef55f324874e1933108 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 5 Aug 2013 10:46:47 +0200
> > -Subject: [PATCH 090/249] libcli/auth: add more const to
> > - spnego_negTokenInit->mechTypes
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -
> > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > -Autobuild-Date(master): Sat Aug 10 11:11:54 CEST 2013 on sn-devel-104
> > -(cherry picked from commit 9177a0d1c1c92c45ef92fbda55fc6dd8aeb76b6c)
> > ----
> > - libcli/auth/spnego.h | 2 +-
> > - libcli/auth/spnego_parse.c | 27 ++++++++++++++++-----------
> > - libcli/auth/spnego_proto.h | 2 +-
> > - source3/utils/ntlm_auth.c | 2 +-
> > - 4 files changed, 19 insertions(+), 14 deletions(-)
> > -
> > -diff --git a/libcli/auth/spnego.h b/libcli/auth/spnego.h
> > -index 9a93f2e..539b903 100644
> > ---- a/libcli/auth/spnego.h
> > -+++ b/libcli/auth/spnego.h
> > -@@ -49,7 +49,7 @@ enum spnego_negResult {
> > - };
> > -
> > - struct spnego_negTokenInit {
> > -- const char **mechTypes;
> > -+ const char * const *mechTypes;
> > - DATA_BLOB reqFlags;
> > - uint8_t reqFlagsPadding;
> > - DATA_BLOB mechToken;
> > -diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
> > -index 2c73613..b1ca07d 100644
> > ---- a/libcli/auth/spnego_parse.c
> > -+++ b/libcli/auth/spnego_parse.c
> > -@@ -42,12 +42,14 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
> > -
> > - switch (context) {
> > - /* Read mechTypes */
> > -- case ASN1_CONTEXT(0):
> > -+ case ASN1_CONTEXT(0): {
> > -+ const char **mechTypes;
> > -+
> > - asn1_start_tag(asn1, ASN1_CONTEXT(0));
> > - asn1_start_tag(asn1, ASN1_SEQUENCE(0));
> > -
> > -- token->mechTypes = talloc(mem_ctx, const char *);
> > -- if (token->mechTypes == NULL) {
> > -+ mechTypes = talloc(mem_ctx, const char *);
> > -+ if (mechTypes == NULL) {
> > - asn1->has_error = true;
> > - return false;
> > - }
> > -@@ -56,22 +58,25 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
> > - char *oid;
> > - const char **p;
> > - p = talloc_realloc(mem_ctx,
> > -- token->mechTypes,
> > -+ mechTypes,
> > - const char *, i+2);
> > - if (p == NULL) {
> > -- TALLOC_FREE(token->mechTypes);
> > -+ talloc_free(mechTypes);
> > - asn1->has_error = true;
> > - return false;
> > - }
> > -- token->mechTypes = p;
> > -- asn1_read_OID(asn1, token->mechTypes, &oid);
> > -- token->mechTypes[i] = oid;
> > -+ mechTypes = p;
> > -+
> > -+ asn1_read_OID(asn1, mechTypes, &oid);
> > -+ mechTypes[i] = oid;
> > - }
> > -- token->mechTypes[i] = NULL;
> > -+ mechTypes[i] = NULL;
> > -+ token->mechTypes = mechTypes;
> > -
> > - asn1_end_tag(asn1);
> > - asn1_end_tag(asn1);
> > - break;
> > -+ }
> > - /* Read reqFlags */
> > - case ASN1_CONTEXT(1):
> > - asn1_start_tag(asn1, ASN1_CONTEXT(1));
> > -@@ -366,7 +371,7 @@ bool spnego_free_data(struct spnego_data *spnego)
> > - switch(spnego->type) {
> > - case SPNEGO_NEG_TOKEN_INIT:
> > - if (spnego->negTokenInit.mechTypes) {
> > -- talloc_free(spnego->negTokenInit.mechTypes);
> > -+ talloc_free(discard_const(spnego->negTokenInit.mechTypes));
> > - }
> > - data_blob_free(&spnego->negTokenInit.reqFlags);
> > - data_blob_free(&spnego->negTokenInit.mechToken);
> > -@@ -390,7 +395,7 @@ out:
> > - }
> > -
> > - bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
> > -- const char **mech_types,
> > -+ const char * const *mech_types,
> > - DATA_BLOB *blob)
> > - {
> > - struct asn1_data *asn1 = asn1_init(mem_ctx);
> > -diff --git a/libcli/auth/spnego_proto.h b/libcli/auth/spnego_proto.h
> > -index 5fd5e59..c0fa934 100644
> > ---- a/libcli/auth/spnego_proto.h
> > -+++ b/libcli/auth/spnego_proto.h
> > -@@ -24,5 +24,5 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
> > - ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_data *spnego);
> > - bool spnego_free_data(struct spnego_data *spnego);
> > - bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
> > -- const char **mech_types,
> > -+ const char * const *mech_types,
> > - DATA_BLOB *blob);
> > -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> > -index 25e717c..1df615c 100644
> > ---- a/source3/utils/ntlm_auth.c
> > -+++ b/source3/utils/ntlm_auth.c
> > -@@ -2058,7 +2058,7 @@ static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper
> > -
> > - /* The server offers a list of mechanisms */
> > -
> > -- const char **mechType = (const char **)spnego.negTokenInit.mechTypes;
> > -+ const char *const *mechType = spnego.negTokenInit.mechTypes;
> > -
> > - while (*mechType != NULL) {
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From c06bb0c3d2c032f8b4848c75baa1fd900650866a Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 9 Aug 2013 10:15:05 +0200
> > -Subject: [PATCH 091/249] auth/credentials: make sure
> > - cli_credentials_get_nt_hash() always returns a talloc object
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - auth/credentials/credentials.c | 19 ++++++++++++++-----
> > - auth/credentials/credentials.h | 4 ++--
> > - 2 files changed, 16 insertions(+), 7 deletions(-)
> > -
> > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > -index be497bc..57a7c0b 100644
> > ---- a/auth/credentials/credentials.c
> > -+++ b/auth/credentials/credentials.c
> > -@@ -471,8 +471,8 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
> > - * @param cred credentials context
> > - * @retval If set, the cleartext password, otherwise NULL
> > - */
> > --_PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
> > -- TALLOC_CTX *mem_ctx)
> > -+_PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
> > -+ TALLOC_CTX *mem_ctx)
> > - {
> > - const char *password = cli_credentials_get_password(cred);
> > -
> > -@@ -481,13 +481,22 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred
> > - if (!nt_hash) {
> > - return NULL;
> > - }
> > --
> > -+
> > - E_md4hash(password, nt_hash->hash);
> > -
> > - return nt_hash;
> > -- } else {
> > -- return cred->nt_hash;
> > -+ } else if (cred->nt_hash != NULL) {
> > -+ struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
> > -+ if (!nt_hash) {
> > -+ return NULL;
> > -+ }
> > -+
> > -+ *nt_hash = *cred->nt_hash;
> > -+
> > -+ return nt_hash;
> > - }
> > -+
> > -+ return NULL;
> > - }
> > -
> > - /**
> > -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
> > -index cb09dc3..766a513 100644
> > ---- a/auth/credentials/credentials.h
> > -+++ b/auth/credentials/credentials.h
> > -@@ -141,8 +141,8 @@ bool cli_credentials_set_password(struct cli_credentials *cred,
> > - enum credentials_obtained obtained);
> > - struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
> > - void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
> > --const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
> > -- TALLOC_CTX *mem_ctx);
> > -+struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
> > -+ TALLOC_CTX *mem_ctx);
> > - bool cli_credentials_set_realm(struct cli_credentials *cred,
> > - const char *val,
> > - enum credentials_obtained obtained);
> > ---
> > -1.9.3
> > -
> > -
> > -From 8a3ed9f72ef9f9de32da4d454b866d64eb24ee17 Mon Sep 17 00:00:00 2001
> > -From: Howard Chu <hyc@symas.com>
> > -Date: Tue, 17 Sep 2013 13:09:50 -0700
> > -Subject: [PATCH 092/249] Add SASL/EXTERNAL gensec module
> > -
> > -Signed-off-by: Howard Chu <hyc@symas.com>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
> > -(cherry picked from commit 6bf59b03d72b94b71e53fc2404c11e0d237e41b2)
> > ----
> > - auth/gensec/external.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++
> > - auth/gensec/gensec.h | 3 +-
> > - auth/gensec/wscript_build | 7 ++++
> > - 3 files changed, 91 insertions(+), 1 deletion(-)
> > - create mode 100644 auth/gensec/external.c
> > -
> > -diff --git a/auth/gensec/external.c b/auth/gensec/external.c
> > -new file mode 100644
> > -index 0000000..a26e435
> > ---- /dev/null
> > -+++ b/auth/gensec/external.c
> > -@@ -0,0 +1,82 @@
> > -+/*
> > -+ Unix SMB/CIFS implementation.
> > -+
> > -+ SASL/EXTERNAL authentication.
> > -+
> > -+ Copyright (C) Howard Chu <hyc@symas.com> 2013
> > -+
> > -+ This program is free software; you can redistribute it and/or modify
> > -+ it under the terms of the GNU General Public License as published by
> > -+ the Free Software Foundation; either version 3 of the License, or
> > -+ (at your option) any later version.
> > -+
> > -+ This program is distributed in the hope that it will be useful,
> > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > -+ GNU General Public License for more details.
> > -+
> > -+ You should have received a copy of the GNU General Public License
> > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > -+*/
> > -+
> > -+#include "includes.h"
> > -+#include "auth/credentials/credentials.h"
> > -+#include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > -+#include "auth/gensec/gensec_proto.h"
> > -+#include "auth/gensec/gensec_toplevel_proto.h"
> > -+
> > -+/* SASL/EXTERNAL is essentially a no-op; it is only usable when the transport
> > -+ * layer is already mutually authenticated.
> > -+ */
> > -+
> > -+NTSTATUS gensec_external_init(void);
> > -+
> > -+static NTSTATUS gensec_external_start(struct gensec_security *gensec_security)
> > -+{
> > -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN)
> > -+ return NT_STATUS_INVALID_PARAMETER;
> > -+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL)
> > -+ return NT_STATUS_INVALID_PARAMETER;
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+static NTSTATUS gensec_external_update(struct gensec_security *gensec_security,
> > -+ TALLOC_CTX *out_mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ const DATA_BLOB in, DATA_BLOB *out)
> > -+{
> > -+ *out = data_blob_talloc(out_mem_ctx, "", 0);
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+/* We have no features */
> > -+static bool gensec_external_have_feature(struct gensec_security *gensec_security,
> > -+ uint32_t feature)
> > -+{
> > -+ return false;
> > -+}
> > -+
> > -+static const struct gensec_security_ops gensec_external_ops = {
> > -+ .name = "sasl-EXTERNAL",
> > -+ .sasl_name = "EXTERNAL",
> > -+ .client_start = gensec_external_start,
> > -+ .update = gensec_external_update,
> > -+ .have_feature = gensec_external_have_feature,
> > -+ .enabled = true,
> > -+ .priority = GENSEC_EXTERNAL
> > -+};
> > -+
> > -+
> > -+NTSTATUS gensec_external_init(void)
> > -+{
> > -+ NTSTATUS ret;
> > -+
> > -+ ret = gensec_register(&gensec_external_ops);
> > -+ if (!NT_STATUS_IS_OK(ret)) {
> > -+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
> > -+ gensec_external_ops.name));
> > -+ }
> > -+ return ret;
> > -+}
> > -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> > -index ac1fadf..6974f87 100644
> > ---- a/auth/gensec/gensec.h
> > -+++ b/auth/gensec/gensec.h
> > -@@ -41,7 +41,8 @@ enum gensec_priority {
> > - GENSEC_SCHANNEL = 60,
> > - GENSEC_NTLMSSP = 50,
> > - GENSEC_SASL = 20,
> > -- GENSEC_OTHER = 0
> > -+ GENSEC_OTHER = 10,
> > -+ GENSEC_EXTERNAL = 0
> > - };
> > -
> > - struct gensec_security;
> > -diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
> > -index fcd74a3..71222f7 100755
> > ---- a/auth/gensec/wscript_build
> > -+++ b/auth/gensec/wscript_build
> > -@@ -16,3 +16,10 @@ bld.SAMBA_MODULE('gensec_spnego',
> > - init_function='gensec_spnego_init',
> > - deps='asn1util samba-credentials SPNEGO_PARSE'
> > - )
> > -+
> > -+bld.SAMBA_MODULE('gensec_external',
> > -+ source='external.c',
> > -+ autoproto='external_proto.h',
> > -+ subsystem='gensec',
> > -+ init_function='gensec_external_init'
> > -+ )
> > ---
> > -1.9.3
> > -
> > -
> > -From 75d9566940069ebeb367191ec6a6641bf7d45a83 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 18 Sep 2013 17:24:10 +0200
> > -Subject: [PATCH 093/249] gensec: move schannel module to toplevel.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 4d2ec9e37ee9dcf7b521806a1c0aabdffe524d47)
> > ----
> > - auth/gensec/schannel.c | 330 ++++++++++++++++++++++++++++++++++++++
> > - auth/gensec/wscript_build | 8 +
> > - source4/auth/gensec/schannel.c | 330 --------------------------------------
> > - source4/auth/gensec/wscript_build | 10 --
> > - 4 files changed, 338 insertions(+), 340 deletions(-)
> > - create mode 100644 auth/gensec/schannel.c
> > - delete mode 100644 source4/auth/gensec/schannel.c
> > -
> > -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
> > -new file mode 100644
> > -index 0000000..eb2e100
> > ---- /dev/null
> > -+++ b/auth/gensec/schannel.c
> > -@@ -0,0 +1,330 @@
> > -+/*
> > -+ Unix SMB/CIFS implementation.
> > -+
> > -+ dcerpc schannel operations
> > -+
> > -+ Copyright (C) Andrew Tridgell 2004
> > -+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
> > -+
> > -+ This program is free software; you can redistribute it and/or modify
> > -+ it under the terms of the GNU General Public License as published by
> > -+ the Free Software Foundation; either version 3 of the License, or
> > -+ (at your option) any later version.
> > -+
> > -+ This program is distributed in the hope that it will be useful,
> > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > -+ GNU General Public License for more details.
> > -+
> > -+ You should have received a copy of the GNU General Public License
> > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > -+*/
> > -+
> > -+#include "includes.h"
> > -+#include "librpc/gen_ndr/ndr_schannel.h"
> > -+#include "auth/auth.h"
> > -+#include "auth/credentials/credentials.h"
> > -+#include "auth/gensec/gensec.h"
> > -+#include "auth/gensec/gensec_internal.h"
> > -+#include "auth/gensec/gensec_proto.h"
> > -+#include "../libcli/auth/schannel.h"
> > -+#include "librpc/gen_ndr/dcerpc.h"
> > -+#include "param/param.h"
> > -+#include "auth/gensec/gensec_toplevel_proto.h"
> > -+
> > -+_PUBLIC_ NTSTATUS gensec_schannel_init(void);
> > -+
> > -+static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
> > -+{
> > -+ struct schannel_state *state =
> > -+ talloc_get_type_abort(gensec_security->private_data,
> > -+ struct schannel_state);
> > -+
> > -+ return netsec_outgoing_sig_size(state);
> > -+}
> > -+
> > -+static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ const DATA_BLOB in, DATA_BLOB *out)
> > -+{
> > -+ struct schannel_state *state =
> > -+ talloc_get_type(gensec_security->private_data,
> > -+ struct schannel_state);
> > -+ NTSTATUS status;
> > -+ enum ndr_err_code ndr_err;
> > -+ struct NL_AUTH_MESSAGE bind_schannel;
> > -+ struct NL_AUTH_MESSAGE bind_schannel_ack;
> > -+ struct netlogon_creds_CredentialState *creds;
> > -+ const char *workstation;
> > -+ const char *domain;
> > -+
> > -+ *out = data_blob(NULL, 0);
> > -+
> > -+ switch (gensec_security->gensec_role) {
> > -+ case GENSEC_CLIENT:
> > -+ if (state != NULL) {
> > -+ /* we could parse the bind ack, but we don't know what it is yet */
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+
> > -+ creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
> > -+ if (creds == NULL) {
> > -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> > -+ }
> > -+
> > -+ state = netsec_create_state(gensec_security,
> > -+ creds, true /* initiator */);
> > -+ if (state == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ gensec_security->private_data = state;
> > -+
> > -+ bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
> > -+#if 0
> > -+ /* to support this we'd need to have access to the full domain name */
> > -+ /* 0x17, 23 */
> > -+ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > -+ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
> > -+ NL_FLAG_UTF8_DNS_DOMAIN_NAME |
> > -+ NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
> > -+ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> > -+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
> > -+ bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
> > -+ /* w2k3 refuses us if we use the full DNS workstation?
> > -+ why? perhaps because we don't fill in the dNSHostName
> > -+ attribute in the machine account? */
> > -+ bind_schannel.utf8_netbios_computer = creds->computer_name;
> > -+#else
> > -+ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > -+ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> > -+ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> > -+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
> > -+#endif
> > -+
> > -+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
> > -+ (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -+ status = ndr_map_error2ntstatus(ndr_err);
> > -+ DEBUG(3, ("Could not create schannel bind: %s\n",
> > -+ nt_errstr(status)));
> > -+ return status;
> > -+ }
> > -+
> > -+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
> > -+ case GENSEC_SERVER:
> > -+
> > -+ if (state != NULL) {
> > -+ /* no third leg on this protocol */
> > -+ return NT_STATUS_INVALID_PARAMETER;
> > -+ }
> > -+
> > -+ /* parse the schannel startup blob */
> > -+ ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
> > -+ (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
> > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -+ status = ndr_map_error2ntstatus(ndr_err);
> > -+ DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
> > -+ nt_errstr(status)));
> > -+ return status;
> > -+ }
> > -+
> > -+ if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
> > -+ domain = bind_schannel.oem_netbios_domain.a;
> > -+ if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
> > -+ DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
> > -+ domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
> > -+ return NT_STATUS_LOGON_FAILURE;
> > -+ }
> > -+ } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
> > -+ domain = bind_schannel.utf8_dns_domain.u;
> > -+ if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
> > -+ DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
> > -+ domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
> > -+ return NT_STATUS_LOGON_FAILURE;
> > -+ }
> > -+ } else {
> > -+ DEBUG(3, ("Request for schannel to without domain\n"));
> > -+ return NT_STATUS_LOGON_FAILURE;
> > -+ }
> > -+
> > -+ if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
> > -+ workstation = bind_schannel.oem_netbios_computer.a;
> > -+ } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
> > -+ workstation = bind_schannel.utf8_netbios_computer.u;
> > -+ } else {
> > -+ DEBUG(3, ("Request for schannel to without netbios workstation\n"));
> > -+ return NT_STATUS_LOGON_FAILURE;
> > -+ }
> > -+
> > -+ status = schannel_get_creds_state(out_mem_ctx,
> > -+ gensec_security->settings->lp_ctx,
> > -+ workstation, &creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
> > -+ workstation, nt_errstr(status)));
> > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
> > -+ return NT_STATUS_LOGON_FAILURE;
> > -+ }
> > -+ return status;
> > -+ }
> > -+
> > -+ state = netsec_create_state(gensec_security,
> > -+ creds, false /* not initiator */);
> > -+ if (state == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ gensec_security->private_data = state;
> > -+
> > -+ bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
> > -+ bind_schannel_ack.Flags = 0;
> > -+ bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
> > -+ * this does not have
> > -+ * any meaning here
> > -+ * - gd */
> > -+
> > -+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
> > -+ (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -+ status = ndr_map_error2ntstatus(ndr_err);
> > -+ DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
> > -+ workstation, nt_errstr(status)));
> > -+ return status;
> > -+ }
> > -+
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+ return NT_STATUS_INVALID_PARAMETER;
> > -+}
> > -+
> > -+/**
> > -+ * Returns anonymous credentials for schannel, matching Win2k3.
> > -+ *
> > -+ */
> > -+
> > -+static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct auth_session_info **_session_info)
> > -+{
> > -+ return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
> > -+}
> > -+
> > -+static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
> > -+{
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
> > -+{
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+static bool schannel_have_feature(struct gensec_security *gensec_security,
> > -+ uint32_t feature)
> > -+{
> > -+ if (feature & (GENSEC_FEATURE_SIGN |
> > -+ GENSEC_FEATURE_SEAL)) {
> > -+ return true;
> > -+ }
> > -+ if (feature & GENSEC_FEATURE_DCE_STYLE) {
> > -+ return true;
> > -+ }
> > -+ return false;
> > -+}
> > -+
> > -+/*
> > -+ unseal a packet
> > -+*/
> > -+static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
> > -+ uint8_t *data, size_t length,
> > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > -+ const DATA_BLOB *sig)
> > -+{
> > -+ struct schannel_state *state =
> > -+ talloc_get_type_abort(gensec_security->private_data,
> > -+ struct schannel_state);
> > -+
> > -+ return netsec_incoming_packet(state, true,
> > -+ discard_const_p(uint8_t, data),
> > -+ length, sig);
> > -+}
> > -+
> > -+/*
> > -+ check the signature on a packet
> > -+*/
> > -+static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
> > -+ const uint8_t *data, size_t length,
> > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > -+ const DATA_BLOB *sig)
> > -+{
> > -+ struct schannel_state *state =
> > -+ talloc_get_type_abort(gensec_security->private_data,
> > -+ struct schannel_state);
> > -+
> > -+ return netsec_incoming_packet(state, false,
> > -+ discard_const_p(uint8_t, data),
> > -+ length, sig);
> > -+}
> > -+/*
> > -+ seal a packet
> > -+*/
> > -+static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ uint8_t *data, size_t length,
> > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > -+ DATA_BLOB *sig)
> > -+{
> > -+ struct schannel_state *state =
> > -+ talloc_get_type_abort(gensec_security->private_data,
> > -+ struct schannel_state);
> > -+
> > -+ return netsec_outgoing_packet(state, mem_ctx, true,
> > -+ data, length, sig);
> > -+}
> > -+
> > -+/*
> > -+ sign a packet
> > -+*/
> > -+static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ const uint8_t *data, size_t length,
> > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > -+ DATA_BLOB *sig)
> > -+{
> > -+ struct schannel_state *state =
> > -+ talloc_get_type_abort(gensec_security->private_data,
> > -+ struct schannel_state);
> > -+
> > -+ return netsec_outgoing_packet(state, mem_ctx, false,
> > -+ discard_const_p(uint8_t, data),
> > -+ length, sig);
> > -+}
> > -+
> > -+static const struct gensec_security_ops gensec_schannel_security_ops = {
> > -+ .name = "schannel",
> > -+ .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
> > -+ .client_start = schannel_client_start,
> > -+ .server_start = schannel_server_start,
> > -+ .update = schannel_update,
> > -+ .seal_packet = schannel_seal_packet,
> > -+ .sign_packet = schannel_sign_packet,
> > -+ .check_packet = schannel_check_packet,
> > -+ .unseal_packet = schannel_unseal_packet,
> > -+ .session_info = schannel_session_info,
> > -+ .sig_size = schannel_sig_size,
> > -+ .have_feature = schannel_have_feature,
> > -+ .enabled = true,
> > -+ .priority = GENSEC_SCHANNEL
> > -+};
> > -+
> > -+_PUBLIC_ NTSTATUS gensec_schannel_init(void)
> > -+{
> > -+ NTSTATUS ret;
> > -+ ret = gensec_register(&gensec_schannel_security_ops);
> > -+ if (!NT_STATUS_IS_OK(ret)) {
> > -+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
> > -+ gensec_schannel_security_ops.name));
> > -+ return ret;
> > -+ }
> > -+
> > -+ return ret;
> > -+}
> > -diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
> > -index 71222f7..7329eec 100755
> > ---- a/auth/gensec/wscript_build
> > -+++ b/auth/gensec/wscript_build
> > -@@ -17,6 +17,14 @@ bld.SAMBA_MODULE('gensec_spnego',
> > - deps='asn1util samba-credentials SPNEGO_PARSE'
> > - )
> > -
> > -+bld.SAMBA_MODULE('gensec_schannel',
> > -+ source='schannel.c',
> > -+ autoproto='schannel_proto.h',
> > -+ subsystem='gensec',
> > -+ init_function='gensec_schannel_init',
> > -+ deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials auth_session'
> > -+ )
> > -+
> > - bld.SAMBA_MODULE('gensec_external',
> > - source='external.c',
> > - autoproto='external_proto.h',
> > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > -deleted file mode 100644
> > -index eb2e100..0000000
> > ---- a/source4/auth/gensec/schannel.c
> > -+++ /dev/null
> > -@@ -1,330 +0,0 @@
> > --/*
> > -- Unix SMB/CIFS implementation.
> > --
> > -- dcerpc schannel operations
> > --
> > -- Copyright (C) Andrew Tridgell 2004
> > -- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
> > --
> > -- This program is free software; you can redistribute it and/or modify
> > -- it under the terms of the GNU General Public License as published by
> > -- the Free Software Foundation; either version 3 of the License, or
> > -- (at your option) any later version.
> > --
> > -- This program is distributed in the hope that it will be useful,
> > -- but WITHOUT ANY WARRANTY; without even the implied warranty of
> > -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > -- GNU General Public License for more details.
> > --
> > -- You should have received a copy of the GNU General Public License
> > -- along with this program. If not, see <http://www.gnu.org/licenses/>.
> > --*/
> > --
> > --#include "includes.h"
> > --#include "librpc/gen_ndr/ndr_schannel.h"
> > --#include "auth/auth.h"
> > --#include "auth/credentials/credentials.h"
> > --#include "auth/gensec/gensec.h"
> > --#include "auth/gensec/gensec_internal.h"
> > --#include "auth/gensec/gensec_proto.h"
> > --#include "../libcli/auth/schannel.h"
> > --#include "librpc/gen_ndr/dcerpc.h"
> > --#include "param/param.h"
> > --#include "auth/gensec/gensec_toplevel_proto.h"
> > --
> > --_PUBLIC_ NTSTATUS gensec_schannel_init(void);
> > --
> > --static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
> > --{
> > -- struct schannel_state *state =
> > -- talloc_get_type_abort(gensec_security->private_data,
> > -- struct schannel_state);
> > --
> > -- return netsec_outgoing_sig_size(state);
> > --}
> > --
> > --static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> > -- struct tevent_context *ev,
> > -- const DATA_BLOB in, DATA_BLOB *out)
> > --{
> > -- struct schannel_state *state =
> > -- talloc_get_type(gensec_security->private_data,
> > -- struct schannel_state);
> > -- NTSTATUS status;
> > -- enum ndr_err_code ndr_err;
> > -- struct NL_AUTH_MESSAGE bind_schannel;
> > -- struct NL_AUTH_MESSAGE bind_schannel_ack;
> > -- struct netlogon_creds_CredentialState *creds;
> > -- const char *workstation;
> > -- const char *domain;
> > --
> > -- *out = data_blob(NULL, 0);
> > --
> > -- switch (gensec_security->gensec_role) {
> > -- case GENSEC_CLIENT:
> > -- if (state != NULL) {
> > -- /* we could parse the bind ack, but we don't know what it is yet */
> > -- return NT_STATUS_OK;
> > -- }
> > --
> > -- creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
> > -- if (creds == NULL) {
> > -- return NT_STATUS_INVALID_PARAMETER_MIX;
> > -- }
> > --
> > -- state = netsec_create_state(gensec_security,
> > -- creds, true /* initiator */);
> > -- if (state == NULL) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > -- gensec_security->private_data = state;
> > --
> > -- bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
> > --#if 0
> > -- /* to support this we'd need to have access to the full domain name */
> > -- /* 0x17, 23 */
> > -- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > -- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
> > -- NL_FLAG_UTF8_DNS_DOMAIN_NAME |
> > -- NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
> > -- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> > -- bind_schannel.oem_netbios_computer.a = creds->computer_name;
> > -- bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
> > -- /* w2k3 refuses us if we use the full DNS workstation?
> > -- why? perhaps because we don't fill in the dNSHostName
> > -- attribute in the machine account? */
> > -- bind_schannel.utf8_netbios_computer = creds->computer_name;
> > --#else
> > -- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > -- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> > -- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> > -- bind_schannel.oem_netbios_computer.a = creds->computer_name;
> > --#endif
> > --
> > -- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
> > -- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> > -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -- status = ndr_map_error2ntstatus(ndr_err);
> > -- DEBUG(3, ("Could not create schannel bind: %s\n",
> > -- nt_errstr(status)));
> > -- return status;
> > -- }
> > --
> > -- return NT_STATUS_MORE_PROCESSING_REQUIRED;
> > -- case GENSEC_SERVER:
> > --
> > -- if (state != NULL) {
> > -- /* no third leg on this protocol */
> > -- return NT_STATUS_INVALID_PARAMETER;
> > -- }
> > --
> > -- /* parse the schannel startup blob */
> > -- ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
> > -- (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
> > -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -- status = ndr_map_error2ntstatus(ndr_err);
> > -- DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
> > -- nt_errstr(status)));
> > -- return status;
> > -- }
> > --
> > -- if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
> > -- domain = bind_schannel.oem_netbios_domain.a;
> > -- if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
> > -- DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
> > -- domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
> > -- return NT_STATUS_LOGON_FAILURE;
> > -- }
> > -- } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
> > -- domain = bind_schannel.utf8_dns_domain.u;
> > -- if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
> > -- DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
> > -- domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
> > -- return NT_STATUS_LOGON_FAILURE;
> > -- }
> > -- } else {
> > -- DEBUG(3, ("Request for schannel to without domain\n"));
> > -- return NT_STATUS_LOGON_FAILURE;
> > -- }
> > --
> > -- if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
> > -- workstation = bind_schannel.oem_netbios_computer.a;
> > -- } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
> > -- workstation = bind_schannel.utf8_netbios_computer.u;
> > -- } else {
> > -- DEBUG(3, ("Request for schannel to without netbios workstation\n"));
> > -- return NT_STATUS_LOGON_FAILURE;
> > -- }
> > --
> > -- status = schannel_get_creds_state(out_mem_ctx,
> > -- gensec_security->settings->lp_ctx,
> > -- workstation, &creds);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
> > -- workstation, nt_errstr(status)));
> > -- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
> > -- return NT_STATUS_LOGON_FAILURE;
> > -- }
> > -- return status;
> > -- }
> > --
> > -- state = netsec_create_state(gensec_security,
> > -- creds, false /* not initiator */);
> > -- if (state == NULL) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > -- gensec_security->private_data = state;
> > --
> > -- bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
> > -- bind_schannel_ack.Flags = 0;
> > -- bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
> > -- * this does not have
> > -- * any meaning here
> > -- * - gd */
> > --
> > -- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
> > -- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> > -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -- status = ndr_map_error2ntstatus(ndr_err);
> > -- DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
> > -- workstation, nt_errstr(status)));
> > -- return status;
> > -- }
> > --
> > -- return NT_STATUS_OK;
> > -- }
> > -- return NT_STATUS_INVALID_PARAMETER;
> > --}
> > --
> > --/**
> > -- * Returns anonymous credentials for schannel, matching Win2k3.
> > -- *
> > -- */
> > --
> > --static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
> > -- TALLOC_CTX *mem_ctx,
> > -- struct auth_session_info **_session_info)
> > --{
> > -- return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
> > --}
> > --
> > --static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
> > --{
> > -- return NT_STATUS_OK;
> > --}
> > --
> > --static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
> > --{
> > -- return NT_STATUS_OK;
> > --}
> > --
> > --static bool schannel_have_feature(struct gensec_security *gensec_security,
> > -- uint32_t feature)
> > --{
> > -- if (feature & (GENSEC_FEATURE_SIGN |
> > -- GENSEC_FEATURE_SEAL)) {
> > -- return true;
> > -- }
> > -- if (feature & GENSEC_FEATURE_DCE_STYLE) {
> > -- return true;
> > -- }
> > -- return false;
> > --}
> > --
> > --/*
> > -- unseal a packet
> > --*/
> > --static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
> > -- uint8_t *data, size_t length,
> > -- const uint8_t *whole_pdu, size_t pdu_length,
> > -- const DATA_BLOB *sig)
> > --{
> > -- struct schannel_state *state =
> > -- talloc_get_type_abort(gensec_security->private_data,
> > -- struct schannel_state);
> > --
> > -- return netsec_incoming_packet(state, true,
> > -- discard_const_p(uint8_t, data),
> > -- length, sig);
> > --}
> > --
> > --/*
> > -- check the signature on a packet
> > --*/
> > --static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
> > -- const uint8_t *data, size_t length,
> > -- const uint8_t *whole_pdu, size_t pdu_length,
> > -- const DATA_BLOB *sig)
> > --{
> > -- struct schannel_state *state =
> > -- talloc_get_type_abort(gensec_security->private_data,
> > -- struct schannel_state);
> > --
> > -- return netsec_incoming_packet(state, false,
> > -- discard_const_p(uint8_t, data),
> > -- length, sig);
> > --}
> > --/*
> > -- seal a packet
> > --*/
> > --static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
> > -- TALLOC_CTX *mem_ctx,
> > -- uint8_t *data, size_t length,
> > -- const uint8_t *whole_pdu, size_t pdu_length,
> > -- DATA_BLOB *sig)
> > --{
> > -- struct schannel_state *state =
> > -- talloc_get_type_abort(gensec_security->private_data,
> > -- struct schannel_state);
> > --
> > -- return netsec_outgoing_packet(state, mem_ctx, true,
> > -- data, length, sig);
> > --}
> > --
> > --/*
> > -- sign a packet
> > --*/
> > --static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
> > -- TALLOC_CTX *mem_ctx,
> > -- const uint8_t *data, size_t length,
> > -- const uint8_t *whole_pdu, size_t pdu_length,
> > -- DATA_BLOB *sig)
> > --{
> > -- struct schannel_state *state =
> > -- talloc_get_type_abort(gensec_security->private_data,
> > -- struct schannel_state);
> > --
> > -- return netsec_outgoing_packet(state, mem_ctx, false,
> > -- discard_const_p(uint8_t, data),
> > -- length, sig);
> > --}
> > --
> > --static const struct gensec_security_ops gensec_schannel_security_ops = {
> > -- .name = "schannel",
> > -- .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
> > -- .client_start = schannel_client_start,
> > -- .server_start = schannel_server_start,
> > -- .update = schannel_update,
> > -- .seal_packet = schannel_seal_packet,
> > -- .sign_packet = schannel_sign_packet,
> > -- .check_packet = schannel_check_packet,
> > -- .unseal_packet = schannel_unseal_packet,
> > -- .session_info = schannel_session_info,
> > -- .sig_size = schannel_sig_size,
> > -- .have_feature = schannel_have_feature,
> > -- .enabled = true,
> > -- .priority = GENSEC_SCHANNEL
> > --};
> > --
> > --_PUBLIC_ NTSTATUS gensec_schannel_init(void)
> > --{
> > -- NTSTATUS ret;
> > -- ret = gensec_register(&gensec_schannel_security_ops);
> > -- if (!NT_STATUS_IS_OK(ret)) {
> > -- DEBUG(0,("Failed to register '%s' gensec backend!\n",
> > -- gensec_schannel_security_ops.name));
> > -- return ret;
> > -- }
> > --
> > -- return ret;
> > --}
> > -diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
> > -index 04fccc5..a3eff97 100755
> > ---- a/source4/auth/gensec/wscript_build
> > -+++ b/source4/auth/gensec/wscript_build
> > -@@ -32,16 +32,6 @@ bld.SAMBA_MODULE('cyrus_sasl',
> > - )
> > -
> > -
> > --bld.SAMBA_MODULE('gensec_schannel',
> > -- source='schannel.c',
> > -- subsystem='gensec',
> > -- deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials ndr auth_session',
> > -- internal_module=True,
> > -- autoproto='schannel_proto.h',
> > -- init_function='gensec_schannel_init'
> > -- )
> > --
> > --
> > - bld.SAMBA_PYTHON('pygensec',
> > - source='pygensec.c',
> > - deps='gensec pytalloc-util pyparam_util',
> > ---
> > -1.9.3
> > -
> > -
> > -From c4829848f45db27d6c145b35a20bea2f33bcb4d7 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 18 Sep 2013 17:24:49 +0200
> > -Subject: [PATCH 094/249] gensec: remove duplicate
> > - gensec_security_by_authtype() call.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -We should use the equivalent gensec_security_by_auth_type() call which is
> > -exposed in the public header.
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit d433ad077f354de4fc1d5a155d991f417ae9967c)
> > ----
> > - auth/gensec/gensec_start.c | 29 ++---------------------------
> > - 1 file changed, 2 insertions(+), 27 deletions(-)
> > -
> > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > -index 3ae64d5..906ef67 100644
> > ---- a/auth/gensec/gensec_start.c
> > -+++ b/auth/gensec/gensec_start.c
> > -@@ -157,31 +157,6 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
> > -
> > - }
> > -
> > --static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
> > -- uint8_t auth_type)
> > --{
> > -- int i;
> > -- const struct gensec_security_ops **backends;
> > -- const struct gensec_security_ops *backend;
> > -- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > -- if (!mem_ctx) {
> > -- return NULL;
> > -- }
> > -- backends = gensec_security_mechs(gensec_security, mem_ctx);
> > -- for (i=0; backends && backends[i]; i++) {
> > -- if (!gensec_security_ops_enabled(backends[i], gensec_security))
> > -- continue;
> > -- if (backends[i]->auth_type == auth_type) {
> > -- backend = backends[i];
> > -- talloc_free(mem_ctx);
> > -- return backend;
> > -- }
> > -- }
> > -- talloc_free(mem_ctx);
> > --
> > -- return NULL;
> > --}
> > --
> > - _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
> > - struct gensec_security *gensec_security,
> > - const char *oid_string)
> > -@@ -719,7 +694,7 @@ NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
> > - _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
> > - uint8_t auth_type, uint8_t auth_level)
> > - {
> > -- gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type);
> > -+ gensec_security->ops = gensec_security_by_auth_type(gensec_security, auth_type);
> > - if (!gensec_security->ops) {
> > - DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
> > - return NT_STATUS_INVALID_PARAMETER;
> > -@@ -746,7 +721,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
> > - _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
> > - {
> > - const struct gensec_security_ops *ops;
> > -- ops = gensec_security_by_authtype(gensec_security, authtype);
> > -+ ops = gensec_security_by_auth_type(gensec_security, authtype);
> > - if (ops) {
> > - return ops->name;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From 8c54d2ee4861a35def7cce29b900a68112356f6b Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 18 Sep 2013 17:25:55 +0200
> > -Subject: [PATCH 095/249] gensec: check for NULL gensec_security in
> > - gensec_security_by_auth_type().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -We have equivalent checks in other gensec_security_by_X calls already.
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 4f979525e4137c536118a9c2b2b4ef798c270e27)
> > ----
> > - auth/gensec/gensec_start.c | 6 ++++--
> > - 1 file changed, 4 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > -index 906ef67..476134a 100644
> > ---- a/auth/gensec/gensec_start.c
> > -+++ b/auth/gensec/gensec_start.c
> > -@@ -230,8 +230,10 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
> > - }
> > - backends = gensec_security_mechs(gensec_security, mem_ctx);
> > - for (i=0; backends && backends[i]; i++) {
> > -- if (!gensec_security_ops_enabled(backends[i], gensec_security))
> > -- continue;
> > -+ if (gensec_security != NULL &&
> > -+ !gensec_security_ops_enabled(backends[i], gensec_security)) {
> > -+ continue;
> > -+ }
> > - if (backends[i]->auth_type == auth_type) {
> > - backend = backends[i];
> > - talloc_free(mem_ctx);
> > ---
> > -1.9.3
> > -
> > -
> > -From 5b941811c7ebd51bf2c8d421517fd92b3065ba47 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 18 Sep 2013 17:27:28 +0200
> > -Subject: [PATCH 096/249] s3-auth: also load schannel module from
> > - auth_generic_client_prepare().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 8fce75aa58ec70547ad218bde154e141f2d17303)
> > ----
> > - source3/libsmb/auth_generic.c | 3 ++-
> > - 1 file changed, 2 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
> > -index e30c1b7..3130dec 100644
> > ---- a/source3/libsmb/auth_generic.c
> > -+++ b/source3/libsmb/auth_generic.c
> > -@@ -78,7 +78,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
> > - }
> > -
> > - backends = talloc_zero_array(gensec_settings,
> > -- const struct gensec_security_ops *, 4);
> > -+ const struct gensec_security_ops *, 5);
> > - if (backends == NULL) {
> > - TALLOC_FREE(ans);
> > - return NT_STATUS_NO_MEMORY;
> > -@@ -95,6 +95,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
> > - backends[idx++] = &gensec_ntlmssp3_client_ops;
> > -
> > - backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> > -+ backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
> > -
> > - nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 28b5f156bcc03b88f8c0f3e52cd051a0b069334e Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 18 Sep 2013 17:44:10 +0200
> > -Subject: [PATCH 097/249] s3-rpc_cli: allow to pass down a netlogon
> > - CredentialState struct to gensec.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 7b570b4128f9af212048ce56abd841a1f6fdc259)
> > ----
> > - source3/rpc_client/cli_pipe.c | 5 ++++-
> > - 1 file changed, 4 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 470469f..2acbad6 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2178,6 +2178,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> > - const char *username,
> > - const char *password,
> > - enum credentials_use_kerberos use_kerberos,
> > -+ struct netlogon_creds_CredentialState *creds,
> > - struct pipe_auth_data **presult)
> > - {
> > - struct auth_generic_state *auth_generic_ctx;
> > -@@ -2231,6 +2232,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> > - }
> > -
> > - cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
> > -+ cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds);
> > -
> > - status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -@@ -2830,6 +2832,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> > - server, target_service,
> > - domain, username, password,
> > - CRED_AUTO_USE_KERBEROS,
> > -+ NULL,
> > - &auth);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
> > -@@ -3057,7 +3060,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
> > - DCERPC_AUTH_TYPE_SPNEGO, auth_level,
> > - server, target_service,
> > - domain, username, password,
> > -- use_kerberos,
> > -+ use_kerberos, NULL,
> > - &auth);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
> > ---
> > -1.9.3
> > -
> > -
> > -From 4775b3fd2905e54b2c824d901fd8a99fb8caae04 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 18 Sep 2013 18:23:40 +0200
> > -Subject: [PATCH 098/249] s3-auth: register schannel gensec module in
> > - auth_generic_prepare() as well.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 090671aca5234f47f390054de771198e3c177060)
> > ----
> > - source3/auth/auth_generic.c | 5 ++++-
> > - 1 file changed, 4 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> > -index e15c87e..e07d3b7 100644
> > ---- a/source3/auth/auth_generic.c
> > -+++ b/source3/auth/auth_generic.c
> > -@@ -32,6 +32,7 @@
> > - #include "librpc/crypto/gse.h"
> > - #include "auth/credentials/credentials.h"
> > - #include "lib/param/loadparm.h"
> > -+#include "librpc/gen_ndr/dcerpc.h"
> > -
> > - static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> > - TALLOC_CTX *mem_ctx,
> > -@@ -261,7 +262,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> > - }
> > -
> > - backends = talloc_zero_array(gensec_settings,
> > -- const struct gensec_security_ops *, 4);
> > -+ const struct gensec_security_ops *, 5);
> > - if (backends == NULL) {
> > - TALLOC_FREE(tmp_ctx);
> > - return NT_STATUS_NO_MEMORY;
> > -@@ -279,6 +280,8 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> > -
> > - backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> > -
> > -+ backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
> > -+
> > - /*
> > - * This is anonymous for now, because we just use it
> > - * to set the kerberos state at the moment
> > ---
> > -1.9.3
> > -
> > -
> > -From 080c2ac3cbd28318bc6c682dff0aea17fad07a2c Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 18 Sep 2013 18:33:14 +0200
> > -Subject: [PATCH 099/249] s3-rpc_cli: use gensec for schannel bind.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 89d0b89b5d58ceef13bc10036d396b10f8a102ae)
> > ----
> > - source3/rpc_client/cli_pipe.c | 22 +++++++++++++---------
> > - 1 file changed, 13 insertions(+), 9 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 2acbad6..8a642e2 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -1120,12 +1120,6 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
> > -
> > - switch (auth->auth_type) {
> > - case DCERPC_AUTH_TYPE_SCHANNEL:
> > -- ret = create_schannel_auth_rpc_bind_req(cli, &auth_token);
> > -- if (!NT_STATUS_IS_OK(ret)) {
> > -- return ret;
> > -- }
> > -- break;
> > --
> > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > - case DCERPC_AUTH_TYPE_KRB5:
> > - case DCERPC_AUTH_TYPE_SPNEGO:
> > -@@ -2884,16 +2878,26 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - struct netr_Authenticator auth;
> > - struct netr_Authenticator return_auth;
> > - union netr_Capabilities capabilities;
> > -+ const char *target_service = table->authservices->names[0];
> > -
> > - status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > -
> > -- status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
> > -- *pdc, &rpcauth);
> > -+ status = rpccli_generic_bind_data(rpccli,
> > -+ DCERPC_AUTH_TYPE_SCHANNEL,
> > -+ auth_level,
> > -+ NULL,
> > -+ target_service,
> > -+ domain,
> > -+ (*pdc)->computer_name,
> > -+ NULL,
> > -+ CRED_AUTO_USE_KERBEROS,
> > -+ *pdc,
> > -+ &rpcauth);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
> > -+ DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
> > - nt_errstr(status)));
> > - TALLOC_FREE(rpccli);
> > - return status;
> > ---
> > -1.9.3
> > -
> > -
> > -From 40ffd89f975e06821379fbd240187f5e268da5fe Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 18 Sep 2013 18:34:58 +0200
> > -Subject: [PATCH 100/249] s3-rpc_srv: use gensec for schannel bind.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit a32a83ba9d6c7b5bbe9077973e5402ba65c068e7)
> > ----
> > - source3/rpc_server/srv_pipe.c | 9 +++++++--
> > - 1 file changed, 7 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> > -index 9043a14..fd7a90a 100644
> > ---- a/source3/rpc_server/srv_pipe.c
> > -+++ b/source3/rpc_server/srv_pipe.c
> > -@@ -808,10 +808,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > - break;
> > -
> > - case DCERPC_AUTH_TYPE_SCHANNEL:
> > -- if (!pipe_schannel_auth_bind(p, pkt,
> > -- &auth_info, &auth_resp)) {
> > -+ if (!pipe_auth_generic_bind(p, pkt,
> > -+ &auth_info, &auth_resp)) {
> > -+ goto err_exit;
> > -+ }
> > -+ if (!session_info_set_session_key(p->session_info, generic_session_key())) {
> > -+ DEBUG(0, ("session_info_set_session_key failed\n"));
> > - goto err_exit;
> > - }
> > -+ p->pipe_bound = true;
> > - break;
> > -
> > - case DCERPC_AUTH_TYPE_SPNEGO:
> > ---
> > -1.9.3
> > -
> > -
> > -From 285de020b6e284ad5074492d62740ba8a370826a Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 18 Sep 2013 18:36:19 +0200
> > -Subject: [PATCH 101/249] s3-rpc: use gensec for schannel footer processing.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 5a628490e46f428432cd9b32c2b4b3a34a3736ae)
> > ----
> > - source3/librpc/rpc/dcerpc_helpers.c | 35 +++--------------------------------
> > - 1 file changed, 3 insertions(+), 32 deletions(-)
> > -
> > -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
> > -index 97999d7..b9e05cb 100644
> > ---- a/source3/librpc/rpc/dcerpc_helpers.c
> > -+++ b/source3/librpc/rpc/dcerpc_helpers.c
> > -@@ -273,7 +273,6 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
> > - size_t max_len;
> > - size_t mod_len;
> > - struct gensec_security *gensec_security;
> > -- struct schannel_state *schannel_auth;
> > -
> > - /* no auth token cases first */
> > - switch (auth->auth_level) {
> > -@@ -307,16 +306,11 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
> > - case DCERPC_AUTH_TYPE_SPNEGO:
> > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > - case DCERPC_AUTH_TYPE_KRB5:
> > -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> > - gensec_security = talloc_get_type_abort(auth->auth_ctx,
> > - struct gensec_security);
> > - *auth_len = gensec_sig_size(gensec_security, max_len);
> > - break;
> > --
> > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > -- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
> > -- struct schannel_state);
> > -- *auth_len = netsec_outgoing_sig_size(schannel_auth);
> > -- break;
> > - default:
> > - return NT_STATUS_INVALID_PARAMETER;
> > - }
> > -@@ -548,7 +542,6 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
> > - NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
> > - size_t pad_len, DATA_BLOB *rpc_out)
> > - {
> > -- struct schannel_state *schannel_auth;
> > - struct gensec_security *gensec_security;
> > - char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
> > - DATA_BLOB auth_info;
> > -@@ -600,19 +593,13 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
> > - case DCERPC_AUTH_TYPE_SPNEGO:
> > - case DCERPC_AUTH_TYPE_KRB5:
> > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> > - gensec_security = talloc_get_type_abort(auth->auth_ctx,
> > - struct gensec_security);
> > - status = add_generic_auth_footer(gensec_security,
> > - auth->auth_level,
> > - rpc_out);
> > - break;
> > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > -- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
> > -- struct schannel_state);
> > -- status = add_schannel_auth_footer(schannel_auth,
> > -- auth->auth_level,
> > -- rpc_out);
> > -- break;
> > - default:
> > - status = NT_STATUS_INVALID_PARAMETER;
> > - break;
> > -@@ -640,7 +627,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
> > - DATA_BLOB *raw_pkt,
> > - size_t *pad_len)
> > - {
> > -- struct schannel_state *schannel_auth;
> > - struct gensec_security *gensec_security;
> > - NTSTATUS status;
> > - struct dcerpc_auth auth_info;
> > -@@ -710,6 +696,7 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
> > - case DCERPC_AUTH_TYPE_SPNEGO:
> > - case DCERPC_AUTH_TYPE_KRB5:
> > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> > -
> > - DEBUG(10, ("GENSEC auth\n"));
> > -
> > -@@ -723,22 +710,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
> > - return status;
> > - }
> > - break;
> > --
> > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > --
> > -- DEBUG(10, ("SCHANNEL auth\n"));
> > --
> > -- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
> > -- struct schannel_state);
> > -- status = get_schannel_auth_footer(pkt, schannel_auth,
> > -- auth->auth_level,
> > -- &data, &full_pkt,
> > -- &auth_info.credentials);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > -- break;
> > --
> > - default:
> > - DEBUG(0, ("process_request_pdu: "
> > - "unknown auth type %u set.\n",
> > ---
> > -1.9.3
> > -
> > -
> > -From cfa396d153cedb9b10356540a479ff299c480cae Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Thu, 19 Sep 2013 11:03:31 +0200
> > -Subject: [PATCH 102/249] s3-rpc_cli: remove unused schannel calls from
> > - dcerpc_helpers.c
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 639f60b1513a8c877d307ed86b7748250821fb3f)
> > ----
> > - source3/librpc/rpc/dcerpc.h | 3 -
> > - source3/librpc/rpc/dcerpc_helpers.c | 124 ------------------------------------
> > - 2 files changed, 127 deletions(-)
> > -
> > -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
> > -index b3ae3b4..38d59cd 100644
> > ---- a/source3/librpc/rpc/dcerpc.h
> > -+++ b/source3/librpc/rpc/dcerpc.h
> > -@@ -60,9 +60,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
> > - const DATA_BLOB *blob,
> > - struct ncacn_packet *r,
> > - bool bigendian);
> > --NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
> > -- struct NL_AUTH_MESSAGE *r,
> > -- DATA_BLOB *blob);
> > - NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
> > - enum dcerpc_AuthType auth_type,
> > - enum dcerpc_AuthLevel auth_level,
> > -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
> > -index b9e05cb..2400bfd 100644
> > ---- a/source3/librpc/rpc/dcerpc_helpers.c
> > -+++ b/source3/librpc/rpc/dcerpc_helpers.c
> > -@@ -21,9 +21,6 @@
> > - #include "includes.h"
> > - #include "librpc/rpc/dcerpc.h"
> > - #include "librpc/gen_ndr/ndr_dcerpc.h"
> > --#include "librpc/gen_ndr/ndr_schannel.h"
> > --#include "../libcli/auth/schannel.h"
> > --#include "../libcli/auth/spnego.h"
> > - #include "librpc/crypto/gse.h"
> > - #include "auth/gensec/gensec.h"
> > -
> > -@@ -135,34 +132,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
> > - }
> > -
> > - /**
> > --* @brief NDR Encodes a NL_AUTH_MESSAGE
> > --*
> > --* @param mem_ctx The memory context the blob will be allocated on
> > --* @param r The NL_AUTH_MESSAGE to encode
> > --* @param blob [out] The encoded blob if successful
> > --*
> > --* @return a NTSTATUS error code
> > --*/
> > --NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
> > -- struct NL_AUTH_MESSAGE *r,
> > -- DATA_BLOB *blob)
> > --{
> > -- enum ndr_err_code ndr_err;
> > --
> > -- ndr_err = ndr_push_struct_blob(blob, mem_ctx, r,
> > -- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> > -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -- return ndr_map_error2ntstatus(ndr_err);
> > -- }
> > --
> > -- if (DEBUGLEVEL >= 10) {
> > -- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, r);
> > -- }
> > --
> > -- return NT_STATUS_OK;
> > --}
> > --
> > --/**
> > - * @brief NDR Encodes a dcerpc_auth structure
> > - *
> > - * @param mem_ctx The memory context the blob will be allocated on
> > -@@ -437,99 +406,6 @@ static NTSTATUS get_generic_auth_footer(struct gensec_security *gensec_security,
> > - }
> > - }
> > -
> > --/*******************************************************************
> > -- Create and add the schannel sign/seal auth data.
> > -- ********************************************************************/
> > --
> > --static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
> > -- enum dcerpc_AuthLevel auth_level,
> > -- DATA_BLOB *rpc_out)
> > --{
> > -- uint8_t *data_p = rpc_out->data + DCERPC_RESPONSE_LENGTH;
> > -- size_t data_and_pad_len = rpc_out->length
> > -- - DCERPC_RESPONSE_LENGTH
> > -- - DCERPC_AUTH_TRAILER_LENGTH;
> > -- DATA_BLOB auth_blob;
> > -- NTSTATUS status;
> > --
> > -- if (!sas) {
> > -- return NT_STATUS_INVALID_PARAMETER;
> > -- }
> > --
> > -- switch (auth_level) {
> > -- case DCERPC_AUTH_LEVEL_PRIVACY:
> > -- status = netsec_outgoing_packet(sas,
> > -- rpc_out->data,
> > -- true,
> > -- data_p,
> > -- data_and_pad_len,
> > -- &auth_blob);
> > -- break;
> > -- case DCERPC_AUTH_LEVEL_INTEGRITY:
> > -- status = netsec_outgoing_packet(sas,
> > -- rpc_out->data,
> > -- false,
> > -- data_p,
> > -- data_and_pad_len,
> > -- &auth_blob);
> > -- break;
> > -- default:
> > -- status = NT_STATUS_INTERNAL_ERROR;
> > -- break;
> > -- }
> > --
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
> > -- nt_errstr(status)));
> > -- return status;
> > -- }
> > --
> > -- if (DEBUGLEVEL >= 10) {
> > -- dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_blob);
> > -- }
> > --
> > -- /* Finally attach the blob. */
> > -- if (!data_blob_append(NULL, rpc_out,
> > -- auth_blob.data, auth_blob.length)) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > -- data_blob_free(&auth_blob);
> > --
> > -- return NT_STATUS_OK;
> > --}
> > --
> > --/*******************************************************************
> > -- Check/unseal the Schannel auth data. (Unseal in place).
> > -- ********************************************************************/
> > --
> > --static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
> > -- struct schannel_state *auth_state,
> > -- enum dcerpc_AuthLevel auth_level,
> > -- DATA_BLOB *data, DATA_BLOB *full_pkt,
> > -- DATA_BLOB *auth_token)
> > --{
> > -- switch (auth_level) {
> > -- case DCERPC_AUTH_LEVEL_PRIVACY:
> > -- /* Data portion is encrypted. */
> > -- return netsec_incoming_packet(auth_state,
> > -- true,
> > -- data->data,
> > -- data->length,
> > -- auth_token);
> > --
> > -- case DCERPC_AUTH_LEVEL_INTEGRITY:
> > -- /* Data is signed. */
> > -- return netsec_incoming_packet(auth_state,
> > -- false,
> > -- data->data,
> > -- data->length,
> > -- auth_token);
> > --
> > -- default:
> > -- return NT_STATUS_INVALID_PARAMETER;
> > -- }
> > --}
> > --
> > - /**
> > - * @brief Append an auth footer according to what is the current mechanism
> > - *
> > ---
> > -1.9.3
> > -
> > -
> > -From 3c10a3501c04e1f5f9bd2bb1418b95b4b17248a8 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Thu, 19 Sep 2013 11:04:19 +0200
> > -Subject: [PATCH 103/249] s3-rpc_cli: remove unused schannel calls from
> > - cli_pipe.c
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 45949d721892a0e8a6b1a76e221c6b3bfd6a872f)
> > ----
> > - source3/rpc_client/cli_pipe.c | 76 -------------------------------------------
> > - 1 file changed, 76 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 8a642e2..b73f2f2 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -22,11 +22,8 @@
> > - #include "includes.h"
> > - #include "../lib/util/tevent_ntstatus.h"
> > - #include "librpc/gen_ndr/ndr_epmapper_c.h"
> > --#include "../librpc/gen_ndr/ndr_schannel.h"
> > - #include "../librpc/gen_ndr/ndr_dssetup.h"
> > - #include "../libcli/auth/schannel.h"
> > --#include "../libcli/auth/spnego.h"
> > --#include "../auth/ntlmssp/ntlmssp.h"
> > - #include "auth_generic.h"
> > - #include "librpc/gen_ndr/ndr_dcerpc.h"
> > - #include "librpc/gen_ndr/ndr_netlogon_c.h"
> > -@@ -1018,42 +1015,6 @@ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> > - }
> > -
> > - /*******************************************************************
> > -- Creates schannel auth bind.
> > -- ********************************************************************/
> > --
> > --static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> > -- DATA_BLOB *auth_token)
> > --{
> > -- NTSTATUS status;
> > -- struct NL_AUTH_MESSAGE r;
> > --
> > -- if (!cli->auth->user_name || !cli->auth->user_name[0]) {
> > -- return NT_STATUS_INVALID_PARAMETER_MIX;
> > -- }
> > --
> > -- if (!cli->auth->domain || !cli->auth->domain[0]) {
> > -- return NT_STATUS_INVALID_PARAMETER_MIX;
> > -- }
> > --
> > -- /*
> > -- * Now marshall the data into the auth parse_struct.
> > -- */
> > --
> > -- r.MessageType = NL_NEGOTIATE_REQUEST;
> > -- r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > -- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> > -- r.oem_netbios_domain.a = cli->auth->domain;
> > -- r.oem_netbios_computer.a = cli->auth->user_name;
> > --
> > -- status = dcerpc_push_schannel_bind(cli, &r, auth_token);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > --
> > -- return NT_STATUS_OK;
> > --}
> > --
> > --/*******************************************************************
> > - Creates the internals of a DCE/RPC bind request or alter context PDU.
> > - ********************************************************************/
> > -
> > -@@ -2243,43 +2204,6 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> > - return status;
> > - }
> > -
> > --static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > -- const char *domain,
> > -- enum dcerpc_AuthLevel auth_level,
> > -- struct netlogon_creds_CredentialState *creds,
> > -- struct pipe_auth_data **presult)
> > --{
> > -- struct schannel_state *schannel_auth;
> > -- struct pipe_auth_data *result;
> > --
> > -- result = talloc(mem_ctx, struct pipe_auth_data);
> > -- if (result == NULL) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
> > -- result->auth_level = auth_level;
> > --
> > -- result->user_name = talloc_strdup(result, creds->computer_name);
> > -- result->domain = talloc_strdup(result, domain);
> > -- if ((result->user_name == NULL) || (result->domain == NULL)) {
> > -- goto fail;
> > -- }
> > --
> > -- schannel_auth = netsec_create_state(result, creds, true /* initiator */);
> > -- if (schannel_auth == NULL) {
> > -- goto fail;
> > -- }
> > --
> > -- result->auth_ctx = schannel_auth;
> > -- *presult = result;
> > -- return NT_STATUS_OK;
> > --
> > -- fail:
> > -- TALLOC_FREE(result);
> > -- return NT_STATUS_NO_MEMORY;
> > --}
> > --
> > - /**
> > - * Create an rpc pipe client struct, connecting to a tcp port.
> > - */
> > ---
> > -1.9.3
> > -
> > -
> > -From e4b33d6311e051501815199bd6c6dbba33f1bc55 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Thu, 19 Sep 2013 11:05:21 +0200
> > -Subject: [PATCH 104/249] s3-rpc_srv: remove unused schannel calls from
> > - srv_pipe.c
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Autobuild-User(master): Günther Deschner <gd@samba.org>
> > -Autobuild-Date(master): Thu Sep 19 12:59:04 CEST 2013 on sn-devel-104
> > -(cherry picked from commit 6965f918c04328535c55a0ef9b7fe6392fba193a)
> > ----
> > - source3/rpc_server/srv_pipe.c | 116 ------------------------------------------
> > - 1 file changed, 116 deletions(-)
> > -
> > -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> > -index fd7a90a..06752a8 100644
> > ---- a/source3/rpc_server/srv_pipe.c
> > -+++ b/source3/rpc_server/srv_pipe.c
> > -@@ -30,11 +30,8 @@
> > - #include "includes.h"
> > - #include "system/filesys.h"
> > - #include "srv_pipe_internal.h"
> > --#include "../librpc/gen_ndr/ndr_schannel.h"
> > - #include "../librpc/gen_ndr/dcerpc.h"
> > - #include "../librpc/rpc/rpc_common.h"
> > --#include "../libcli/auth/schannel.h"
> > --#include "../libcli/auth/spnego.h"
> > - #include "dcesrv_auth_generic.h"
> > - #include "rpc_server.h"
> > - #include "rpc_dce.h"
> > -@@ -415,119 +412,6 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
> > - }
> > -
> > - /*******************************************************************
> > -- Handle an schannel bind auth.
> > --*******************************************************************/
> > --
> > --static bool pipe_schannel_auth_bind(struct pipes_struct *p,
> > -- TALLOC_CTX *mem_ctx,
> > -- struct dcerpc_auth *auth_info,
> > -- DATA_BLOB *response)
> > --{
> > -- struct NL_AUTH_MESSAGE neg;
> > -- struct NL_AUTH_MESSAGE reply;
> > -- bool ret;
> > -- NTSTATUS status;
> > -- struct netlogon_creds_CredentialState *creds;
> > -- enum ndr_err_code ndr_err;
> > -- struct schannel_state *schannel_auth;
> > -- struct loadparm_context *lp_ctx;
> > --
> > -- ndr_err = ndr_pull_struct_blob(
> > -- &auth_info->credentials, mem_ctx, &neg,
> > -- (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
> > -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -- DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
> > -- return false;
> > -- }
> > --
> > -- if (DEBUGLEVEL >= 10) {
> > -- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
> > -- }
> > --
> > -- if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
> > -- DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
> > -- return false;
> > -- }
> > --
> > -- lp_ctx = loadparm_init_s3(p, loadparm_s3_helpers());
> > -- if (!lp_ctx) {
> > -- DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
> > -- return false;
> > -- }
> > --
> > -- /*
> > -- * The neg.oem_netbios_computer.a key here must match the remote computer name
> > -- * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
> > -- * operations that use credentials.
> > -- */
> > --
> > -- become_root();
> > -- status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
> > -- neg.oem_netbios_computer.a, &creds);
> > -- unbecome_root();
> > --
> > -- talloc_unlink(p, lp_ctx);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
> > -- return False;
> > -- }
> > --
> > -- schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
> > -- TALLOC_FREE(creds);
> > -- if (!schannel_auth) {
> > -- return False;
> > -- }
> > --
> > -- /*
> > -- * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
> > -- * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
> > -- * struct of the person who opened the pipe. I need to test this further. JRA.
> > -- *
> > -- * VL. As we are mapping this to guest set the generic key
> > -- * "SystemLibraryDTC" key here. It's a bit difficult to test against
> > -- * W2k3, as it does not allow schannel binds against SAMR and LSA
> > -- * anymore.
> > -- */
> > --
> > -- ret = session_info_set_session_key(p->session_info, generic_session_key());
> > --
> > -- if (!ret) {
> > -- DEBUG(0, ("session_info_set_session_key failed\n"));
> > -- return false;
> > -- }
> > --
> > -- /*** SCHANNEL verifier ***/
> > --
> > -- reply.MessageType = NL_NEGOTIATE_RESPONSE;
> > -- reply.Flags = 0;
> > -- reply.Buffer.dummy = 5; /* ??? actually I don't think
> > -- * this has any meaning
> > -- * here - gd */
> > --
> > -- ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
> > -- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> > -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -- DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
> > -- return false;
> > -- }
> > --
> > -- if (DEBUGLEVEL >= 10) {
> > -- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
> > -- }
> > --
> > -- DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
> > -- neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
> > --
> > -- /* We're finished with this bind - no more packets. */
> > -- p->auth.auth_ctx = schannel_auth;
> > -- p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
> > --
> > -- p->pipe_bound = True;
> > --
> > -- return True;
> > --}
> > --
> > --/*******************************************************************
> > - Handle an NTLMSSP bind auth.
> > - *******************************************************************/
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 68fbdf567cb7d0bc3550b826204c0708a771a4dc Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Mon, 12 Aug 2013 17:22:15 +0200
> > -Subject: [PATCH 105/249] librpc/ndr: call ndr_table_list() from all ndr_X
> > - functions.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 88c1dbf722889a2d7379cdcbac1ce9b140a42356)
> > ----
> > - librpc/ndr/ndr_table.c | 6 +++---
> > - 1 file changed, 3 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
> > -index 7ca0417..01d9094 100644
> > ---- a/librpc/ndr/ndr_table.c
> > -+++ b/librpc/ndr/ndr_table.c
> > -@@ -73,7 +73,7 @@ const char *ndr_interface_name(const struct GUID *uuid, uint32_t if_version)
> > - int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
> > - {
> > - const struct ndr_interface_list *l;
> > -- for (l=ndr_interfaces;l;l=l->next){
> > -+ for (l=ndr_table_list();l;l=l->next){
> > - if (GUID_equal(&l->table->syntax_id.uuid, uuid) &&
> > - l->table->syntax_id.if_version == if_version) {
> > - return l->table->num_calls;
> > -@@ -89,7 +89,7 @@ int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
> > - const struct ndr_interface_table *ndr_table_by_name(const char *name)
> > - {
> > - const struct ndr_interface_list *l;
> > -- for (l=ndr_interfaces;l;l=l->next) {
> > -+ for (l=ndr_table_list();l;l=l->next) {
> > - if (strcasecmp(l->table->name, name) == 0) {
> > - return l->table;
> > - }
> > -@@ -103,7 +103,7 @@ const struct ndr_interface_table *ndr_table_by_name(const char *name)
> > - const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
> > - {
> > - const struct ndr_interface_list *l;
> > -- for (l=ndr_interfaces;l;l=l->next) {
> > -+ for (l=ndr_table_list();l;l=l->next) {
> > - if (GUID_equal(&l->table->syntax_id.uuid, uuid)) {
> > - return l->table;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From c936c80f7e567bab6fc749fb35e60176fca020af Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Thu, 8 Aug 2013 17:34:56 +0200
> > -Subject: [PATCH 106/249] librpc/ndr: make sure ndr_table_list() always calls
> > - ndr_init_table() first.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 21200b12dc14673f9a610c5798635b6052370dbe)
> > ----
> > - librpc/ndr/ndr_table.c | 1 +
> > - 1 file changed, 1 insertion(+)
> > -
> > -diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
> > -index 01d9094..f73b9fc 100644
> > ---- a/librpc/ndr/ndr_table.c
> > -+++ b/librpc/ndr/ndr_table.c
> > -@@ -116,6 +116,7 @@ const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
> > - */
> > - const struct ndr_interface_list *ndr_table_list(void)
> > - {
> > -+ ndr_table_init();
> > - return ndr_interfaces;
> > - }
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 2ced3243b3589b673967452a6401d665dd514525 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Thu, 8 Aug 2013 17:40:22 +0200
> > -Subject: [PATCH 107/249] s3-rpc: use table->name directly in DEBUG contexts.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit a94e278883c58b35d383753e86135ff6a1d14ec7)
> > ----
> > - source3/lib/netapi/cm.c | 2 +-
> > - source3/rpc_client/cli_pipe.c | 7 +++----
> > - 2 files changed, 4 insertions(+), 5 deletions(-)
> > -
> > -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> > -index 1cfdccf..bb5d6b2 100644
> > ---- a/source3/lib/netapi/cm.c
> > -+++ b/source3/lib/netapi/cm.c
> > -@@ -254,7 +254,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > - status = pipe_cm_open(ctx, ipc, table, &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
> > -- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > -+ table->name,
> > - get_friendly_nt_error_msg(status));
> > - return WERR_DEST_NOT_FOUND;
> > - }
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index b73f2f2..64e7f1c 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2692,8 +2692,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > - }
> > - DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
> > - "%s failed with error %s\n",
> > -- get_pipe_name_from_syntax(talloc_tos(),
> > -- &table->syntax_id),
> > -+ table->name,
> > - nt_errstr(status) ));
> > - TALLOC_FREE(result);
> > - return status;
> > -@@ -2701,7 +2700,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > -
> > - DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
> > - "%s and bound anonymously.\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > -+ table->name,
> > - result->desthost));
> > -
> > - *presult = result;
> > -@@ -2946,7 +2945,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - done:
> > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> > - "for domain %s and bound using schannel.\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > -+ table->name,
> > - rpccli->desthost, domain));
> > -
> > - *_rpccli = rpccli;
> > ---
> > -1.9.3
> > -
> > -
> > -From cd864f1a3748c219df78600fc826a6e1d81fa07d Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 18 Sep 2013 10:58:16 +0200
> > -Subject: [PATCH 108/249] s3-rpc: use ndr_interface_name() instead of
> > - get_pipe_name_from_syntax() in DEBUG.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 3135533710b2a1b64aaf6b10d30b86f3c004657d)
> > ----
> > - source3/rpc_server/rpc_handles.c | 15 +++++++++------
> > - source3/rpc_server/srv_pipe.c | 22 ++++++++++++++--------
> > - source3/rpc_server/srv_pipe_hnd.c | 16 +++++++++++-----
> > - source3/wscript_build | 3 ++-
> > - 4 files changed, 36 insertions(+), 20 deletions(-)
> > -
> > -diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
> > -index 70c3919..409299a 100644
> > ---- a/source3/rpc_server/rpc_handles.c
> > -+++ b/source3/rpc_server/rpc_handles.c
> > -@@ -27,6 +27,7 @@
> > - #include "rpc_server/rpc_pipes.h"
> > - #include "../libcli/security/security.h"
> > - #include "lib/tsocket/tsocket.h"
> > -+#include "librpc/ndr/ndr_table.h"
> > -
> > - #undef DBGC_CLASS
> > - #define DBGC_CLASS DBGC_RPC_SRV
> > -@@ -218,7 +219,8 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
> > -
> > - DEBUG(10,("init_pipe_handle_list: created handle list for "
> > - "pipe %s\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), syntax)));
> > -+ ndr_interface_name(&syntax->uuid,
> > -+ syntax->if_version)));
> > - }
> > -
> > - /*
> > -@@ -235,7 +237,7 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
> > -
> > - DEBUG(10,("init_pipe_handle_list: pipe_handles ref count = %lu for "
> > - "pipe %s\n", (unsigned long)p->pipe_handles->pipe_ref_count,
> > -- get_pipe_name_from_syntax(talloc_tos(), syntax)));
> > -+ ndr_interface_name(&syntax->uuid, syntax->if_version)));
> > -
> > - return True;
> > - }
> > -@@ -412,8 +414,8 @@ void close_policy_by_pipe(struct pipes_struct *p)
> > - TALLOC_FREE(p->pipe_handles);
> > -
> > - DEBUG(10,("Deleted handle list for RPC connection %s\n",
> > -- get_pipe_name_from_syntax(talloc_tos(),
> > -- &p->contexts->syntax)));
> > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > -+ p->contexts->syntax.if_version)));
> > - }
> > - }
> > -
> > -@@ -456,8 +458,9 @@ void *_policy_handle_create(struct pipes_struct *p, struct policy_handle *hnd,
> > - if (p->pipe_handles->count > MAX_OPEN_POLS) {
> > - DEBUG(0, ("ERROR: Too many handles (%d) for RPC connection %s\n",
> > - (int) p->pipe_handles->count,
> > -- get_pipe_name_from_syntax(talloc_tos(),
> > -- &p->contexts->syntax)));
> > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > -+ p->contexts->syntax.if_version)));
> > -+
> > - *pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
> > - return NULL;
> > - }
> > -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> > -index 06752a8..19dbc37 100644
> > ---- a/source3/rpc_server/srv_pipe.c
> > -+++ b/source3/rpc_server/srv_pipe.c
> > -@@ -41,6 +41,7 @@
> > - #include "rpc_server/srv_pipe.h"
> > - #include "rpc_server/rpc_contexts.h"
> > - #include "lib/param/param.h"
> > -+#include "librpc/ndr/ndr_table.h"
> > -
> > - #undef DBGC_CLASS
> > - #define DBGC_CLASS DBGC_RPC_SRV
> > -@@ -336,7 +337,8 @@ static bool check_bind_req(struct pipes_struct *p,
> > - bool ok;
> > -
> > - DEBUG(3,("check_bind_req for %s\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), abstract)));
> > -+ ndr_interface_name(&abstract->uuid,
> > -+ abstract->if_version)));
> > -
> > - /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
> > - if (rpc_srv_pipe_exists_by_id(abstract) &&
> > -@@ -580,7 +582,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > - if (NT_STATUS_IS_ERR(status)) {
> > - DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
> > - "%s in bind request.\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), &id)));
> > -+ ndr_interface_name(&id.uuid,
> > -+ id.if_version)));
> > -
> > - return setup_bind_nak(p, pkt);
> > - }
> > -@@ -595,8 +598,10 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > - } else {
> > - DEBUG(0, ("module %s doesn't provide functions for "
> > - "pipe %s!\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), &id),
> > -- get_pipe_name_from_syntax(talloc_tos(), &id)));
> > -+ ndr_interface_name(&id.uuid,
> > -+ id.if_version),
> > -+ ndr_interface_name(&id.uuid,
> > -+ id.if_version)));
> > - return setup_bind_nak(p, pkt);
> > - }
> > - }
> > -@@ -1206,7 +1211,8 @@ static bool api_pipe_request(struct pipes_struct *p,
> > - TALLOC_CTX *frame = talloc_stackframe();
> > -
> > - DEBUG(5, ("Requested %s rpc service\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
> > -+ ndr_interface_name(&pipe_fns->syntax.uuid,
> > -+ pipe_fns->syntax.if_version)));
> > -
> > - ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
> > - &pipe_fns->syntax);
> > -@@ -1237,7 +1243,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> > -
> > - /* interpret the command */
> > - DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
> > -- get_pipe_name_from_syntax(talloc_tos(), syntax),
> > -+ ndr_interface_name(&syntax->uuid, syntax->if_version),
> > - pkt->u.request.opnum));
> > -
> > - if (DEBUGLEVEL >= 50) {
> > -@@ -1276,7 +1282,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> > - /* do the actual command */
> > - if(!api_rpc_cmds[fn_num].fn(p)) {
> > - DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), syntax),
> > -+ ndr_interface_name(&syntax->uuid, syntax->if_version),
> > - api_rpc_cmds[fn_num].name));
> > - data_blob_free(&p->out_data.rdata);
> > - return False;
> > -@@ -1299,7 +1305,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> > - }
> > -
> > - DEBUG(5,("api_rpcTNP: called %s successfully\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), syntax)));
> > -+ ndr_interface_name(&syntax->uuid, syntax->if_version)));
> > -
> > - /* Check for buffer underflow in rpc parsing */
> > - if ((DEBUGLEVEL >= 10) &&
> > -diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
> > -index 3f8ff44..fcbfa77 100644
> > ---- a/source3/rpc_server/srv_pipe_hnd.c
> > -+++ b/source3/rpc_server/srv_pipe_hnd.c
> > -@@ -30,6 +30,7 @@
> > - #include "rpc_server/rpc_config.h"
> > - #include "../lib/tsocket/tsocket.h"
> > - #include "../lib/util/tevent_ntstatus.h"
> > -+#include "librpc/ndr/ndr_table.h"
> > -
> > - #undef DBGC_CLASS
> > - #define DBGC_CLASS DBGC_RPC_SRV
> > -@@ -281,7 +282,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> > - }
> > -
> > - DEBUG(6,(" name: %s len: %u\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
> > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > -+ p->contexts->syntax.if_version),
> > - (unsigned int)n));
> > -
> > - /*
> > -@@ -299,7 +301,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> > - DEBUG(5,("read_from_pipe: too large read (%u) requested on "
> > - "pipe %s. We can only service %d sized reads.\n",
> > - (unsigned int)n,
> > -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
> > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > -+ p->contexts->syntax.if_version),
> > - RPC_MAX_PDU_FRAG_LEN ));
> > - n = RPC_MAX_PDU_FRAG_LEN;
> > - }
> > -@@ -320,7 +323,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> > -
> > - DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, "
> > - "current_pdu_sent = %u returning %d bytes.\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
> > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > -+ p->contexts->syntax.if_version),
> > - (unsigned int)p->out_data.frag.length,
> > - (unsigned int)p->out_data.current_pdu_sent,
> > - (int)data_returned));
> > -@@ -341,7 +345,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> > -
> > - DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length "
> > - "= %u, p->out_data.rdata.length = %u.\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
> > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > -+ p->contexts->syntax.if_version),
> > - (int)p->fault_state,
> > - (unsigned int)p->out_data.data_sent_length,
> > - (unsigned int)p->out_data.rdata.length));
> > -@@ -363,7 +368,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> > -
> > - if(!create_next_pdu(p)) {
> > - DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n",
> > -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax)));
> > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > -+ p->contexts->syntax.if_version)));
> > - return -1;
> > - }
> > -
> > -diff --git a/source3/wscript_build b/source3/wscript_build
> > -index 0bf84e2..bb2e928 100755
> > ---- a/source3/wscript_build
> > -+++ b/source3/wscript_build
> > -@@ -672,7 +672,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
> > - deps='''ndr ndr-standard
> > - RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
> > - LIBTSOCKET gse dcerpc-binding
> > -- libsmb''',
> > -+ libsmb
> > -+ ndr-table''',
> > - vars=locals(),
> > - private_library=True)
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 6e6ba9bb34ac4e1d55056ef82e4bad8ab2d65b0d Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Thu, 8 Aug 2013 17:33:29 +0200
> > -Subject: [PATCH 109/249] librpc: add dcerpc_default_transport_endpoint()
> > - function.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 40ee3d8a5f7439b90f1ebf5e40535fad51038fe6)
> > ----
> > - librpc/rpc/dcerpc_util.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++
> > - librpc/rpc/rpc_common.h | 3 +++
> > - 2 files changed, 58 insertions(+)
> > -
> > -diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
> > -index 0b9cca3..4046f32 100644
> > ---- a/librpc/rpc/dcerpc_util.c
> > -+++ b/librpc/rpc/dcerpc_util.c
> > -@@ -332,3 +332,58 @@ NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
> > - tevent_req_received(req);
> > - return NT_STATUS_OK;
> > - }
> > -+
> > -+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
> > -+ enum dcerpc_transport_t transport,
> > -+ const struct ndr_interface_table *table)
> > -+{
> > -+ NTSTATUS status;
> > -+ const char *p = NULL;
> > -+ const char *endpoint = NULL;
> > -+ int i;
> > -+ struct dcerpc_binding *default_binding = NULL;
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+
> > -+ /* Find one of the default pipes for this interface */
> > -+
> > -+ for (i = 0; i < table->endpoints->count; i++) {
> > -+
> > -+ status = dcerpc_parse_binding(frame, table->endpoints->names[i],
> > -+ &default_binding);
> > -+ if (NT_STATUS_IS_OK(status)) {
> > -+ if (transport == NCA_UNKNOWN &&
> > -+ default_binding->endpoint != NULL) {
> > -+ p = default_binding->endpoint;
> > -+ break;
> > -+ }
> > -+ if (default_binding->transport == transport &&
> > -+ default_binding->endpoint != NULL) {
> > -+ p = default_binding->endpoint;
> > -+ break;
> > -+ }
> > -+ }
> > -+ }
> > -+
> > -+ if (i == table->endpoints->count || p == NULL) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ /*
> > -+ * extract the pipe name without \\pipe from for example
> > -+ * ncacn_np:[\\pipe\\epmapper]
> > -+ */
> > -+ if (default_binding->transport == NCACN_NP) {
> > -+ if (strncasecmp(p, "\\pipe\\", 6) == 0) {
> > -+ p += 6;
> > -+ }
> > -+ if (strncmp(p, "\\", 1) == 0) {
> > -+ p += 1;
> > -+ }
> > -+ }
> > -+
> > -+ endpoint = talloc_strdup(mem_ctx, p);
> > -+
> > -+ done:
> > -+ talloc_free(frame);
> > -+ return endpoint;
> > -+}
> > -diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
> > -index e2b3755..d2816f5 100644
> > ---- a/librpc/rpc/rpc_common.h
> > -+++ b/librpc/rpc/rpc_common.h
> > -@@ -143,6 +143,9 @@ void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v);
> > - uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob);
> > - void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v);
> > - uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob);
> > -+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
> > -+ enum dcerpc_transport_t transport,
> > -+ const struct ndr_interface_table *table);
> > -
> > - /**
> > - * @brief Pull a dcerpc_auth structure, taking account of any auth
> > ---
> > -1.9.3
> > -
> > -
> > -From a71f6912117ef5054cba4346f8bfd555d70d7837 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 18 Sep 2013 10:59:14 +0200
> > -Subject: [PATCH 110/249] s3-rpc: use dcerpc_default_transport_endpoint
> > - function.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit b73e2d927b2221cb3fde8776789c8ca085cf2b8f)
> > ----
> > - source3/rpc_client/rpc_transport_np.c | 4 +++-
> > - source3/rpc_server/rpc_ncacn_np.c | 12 ++++++++++--
> > - source3/rpc_server/srv_pipe.c | 28 +++++++++++++++++++++-------
> > - 3 files changed, 34 insertions(+), 10 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
> > -index c0f313e..91943f4 100644
> > ---- a/source3/rpc_client/rpc_transport_np.c
> > -+++ b/source3/rpc_client/rpc_transport_np.c
> > -@@ -22,6 +22,7 @@
> > - #include "rpc_client/rpc_transport.h"
> > - #include "libsmb/cli_np_tstream.h"
> > - #include "client.h"
> > -+#include "librpc/ndr/ndr_table.h"
> > -
> > - #undef DBGC_CLASS
> > - #define DBGC_CLASS DBGC_RPC_CLI
> > -@@ -55,7 +56,8 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
> > - state->ev = ev;
> > - state->cli = cli;
> > - state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
> > -- state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
> > -+ state->pipe_name = dcerpc_default_transport_endpoint(state, NCACN_NP,
> > -+ table);
> > - if (tevent_req_nomem(state->pipe_name, req)) {
> > - return tevent_req_post(req, ev);
> > - }
> > -diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
> > -index 7389b3e..46b77fd 100644
> > ---- a/source3/rpc_server/rpc_ncacn_np.c
> > -+++ b/source3/rpc_server/rpc_ncacn_np.c
> > -@@ -36,6 +36,7 @@
> > - #include "../lib/util/tevent_ntstatus.h"
> > - #include "rpc_contexts.h"
> > - #include "rpc_server/rpc_config.h"
> > -+#include "librpc/ndr/ndr_table.h"
> > -
> > - #undef DBGC_CLASS
> > - #define DBGC_CLASS DBGC_RPC_SRV
> > -@@ -54,8 +55,15 @@ struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
> > - struct pipe_rpc_fns *context_fns;
> > - const char *pipe_name;
> > - int ret;
> > -+ const struct ndr_interface_table *table;
> > -
> > -- pipe_name = get_pipe_name_from_syntax(talloc_tos(), syntax);
> > -+ table = ndr_table_by_uuid(&syntax->uuid);
> > -+ if (table == NULL) {
> > -+ DEBUG(0,("unknown interface\n"));
> > -+ return NULL;
> > -+ }
> > -+
> > -+ pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
> > -
> > - DEBUG(4,("Create pipe requested %s\n", pipe_name));
> > -
> > -@@ -783,7 +791,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
> > -+ pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
> > - if (pipe_name == NULL) {
> > - status = NT_STATUS_INVALID_PARAMETER;
> > - goto done;
> > -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> > -index 19dbc37..5f834fb 100644
> > ---- a/source3/rpc_server/srv_pipe.c
> > -+++ b/source3/rpc_server/srv_pipe.c
> > -@@ -552,6 +552,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > - struct dcerpc_ack_ctx bind_ack_ctx;
> > - DATA_BLOB auth_resp = data_blob_null;
> > - DATA_BLOB auth_blob = data_blob_null;
> > -+ const struct ndr_interface_table *table;
> > -
> > - /* No rebinds on a bound pipe - use alter context. */
> > - if (p->pipe_bound) {
> > -@@ -569,15 +570,21 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > - * that this is a pipe name we support.
> > - */
> > - id = pkt->u.bind.ctx_list[0].abstract_syntax;
> > -+
> > -+ table = ndr_table_by_uuid(&id.uuid);
> > -+ if (table == NULL) {
> > -+ DEBUG(0,("unknown interface\n"));
> > -+ return false;
> > -+ }
> > -+
> > - if (rpc_srv_pipe_exists_by_id(&id)) {
> > - DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
> > - rpc_srv_get_pipe_cli_name(&id),
> > - rpc_srv_get_pipe_srv_name(&id)));
> > - } else {
> > - status = smb_probe_module(
> > -- "rpc", get_pipe_name_from_syntax(
> > -- talloc_tos(),
> > -- &id));
> > -+ "rpc", dcerpc_default_transport_endpoint(pkt,
> > -+ NCACN_NP, table));
> > -
> > - if (NT_STATUS_IS_ERR(status)) {
> > - DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
> > -@@ -589,8 +596,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > - }
> > -
> > - if (rpc_srv_get_pipe_interface_by_cli_name(
> > -- get_pipe_name_from_syntax(talloc_tos(),
> > -- &id),
> > -+ dcerpc_default_transport_endpoint(pkt,
> > -+ NCACN_NP, table),
> > - &id)) {
> > - DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
> > - rpc_srv_get_pipe_cli_name(&id),
> > -@@ -1240,16 +1247,23 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> > - {
> > - int fn_num;
> > - uint32_t offset1;
> > -+ const struct ndr_interface_table *table;
> > -
> > - /* interpret the command */
> > - DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
> > - ndr_interface_name(&syntax->uuid, syntax->if_version),
> > - pkt->u.request.opnum));
> > -
> > -+ table = ndr_table_by_uuid(&syntax->uuid);
> > -+ if (table == NULL) {
> > -+ DEBUG(0,("unknown interface\n"));
> > -+ return false;
> > -+ }
> > -+
> > - if (DEBUGLEVEL >= 50) {
> > - fstring name;
> > - slprintf(name, sizeof(name)-1, "in_%s",
> > -- get_pipe_name_from_syntax(talloc_tos(), syntax));
> > -+ dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
> > - dump_pdu_region(name, pkt->u.request.opnum,
> > - &p->in_data.data, 0,
> > - p->in_data.data.length);
> > -@@ -1298,7 +1312,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> > - if (DEBUGLEVEL >= 50) {
> > - fstring name;
> > - slprintf(name, sizeof(name)-1, "out_%s",
> > -- get_pipe_name_from_syntax(talloc_tos(), syntax));
> > -+ dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
> > - dump_pdu_region(name, pkt->u.request.opnum,
> > - &p->out_data.rdata, offset1,
> > - p->out_data.rdata.length);
> > ---
> > -1.9.3
> > -
> > -
> > -From 8bb6f177b210159ea6317b20e2cc12732b4d273a Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 7 Aug 2013 17:43:08 +0200
> > -Subject: [PATCH 111/249] s3-rpc: remove unused source3/librpc/rpc/rpc_common.c
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Autobuild-User(master): Günther Deschner <gd@samba.org>
> > -Autobuild-Date(master): Fri Sep 20 14:57:06 CEST 2013 on sn-devel-104
> > -(cherry picked from commit 807628ecac445999e75ec9ea1abdc5f2fde356d6)
> > ----
> > - source3/librpc/rpc/dcerpc.h | 8 --
> > - source3/librpc/rpc/rpc_common.c | 209 ----------------------------------------
> > - source3/wscript_build | 1 -
> > - 3 files changed, 218 deletions(-)
> > - delete mode 100644 source3/librpc/rpc/rpc_common.c
> > -
> > -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
> > -index 38d59cd..b18b7ba 100644
> > ---- a/source3/librpc/rpc/dcerpc.h
> > -+++ b/source3/librpc/rpc/dcerpc.h
> > -@@ -85,12 +85,4 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
> > - DATA_BLOB *raw_pkt,
> > - size_t *pad_len);
> > -
> > --/* The following definitions come from librpc/rpc/rpc_common.c */
> > --
> > --bool smb_register_ndr_interface(const struct ndr_interface_table *interface);
> > --const struct ndr_interface_table *get_iface_from_syntax(
> > -- const struct ndr_syntax_id *syntax);
> > --const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
> > -- const struct ndr_syntax_id *syntax);
> > --
> > - #endif /* __S3_DCERPC_H__ */
> > -diff --git a/source3/librpc/rpc/rpc_common.c b/source3/librpc/rpc/rpc_common.c
> > -deleted file mode 100644
> > -index 1219b2d..0000000
> > ---- a/source3/librpc/rpc/rpc_common.c
> > -+++ /dev/null
> > -@@ -1,209 +0,0 @@
> > --/*
> > -- * Unix SMB/CIFS implementation.
> > -- * RPC Pipe client / server routines
> > -- * Largely rewritten by Jeremy Allison 2005.
> > -- *
> > -- * This program is free software; you can redistribute it and/or modify
> > -- * it under the terms of the GNU General Public License as published by
> > -- * the Free Software Foundation; either version 3 of the License, or
> > -- * (at your option) any later version.
> > -- *
> > -- * This program is distributed in the hope that it will be useful,
> > -- * but WITHOUT ANY WARRANTY; without even the implied warranty of
> > -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > -- * GNU General Public License for more details.
> > -- *
> > -- * You should have received a copy of the GNU General Public License
> > -- * along with this program; if not, see <http://www.gnu.org/licenses/>.
> > -- */
> > --
> > --#include "includes.h"
> > --#include "librpc/rpc/dcerpc.h"
> > --#include "../librpc/gen_ndr/ndr_lsa.h"
> > --#include "../librpc/gen_ndr/ndr_dssetup.h"
> > --#include "../librpc/gen_ndr/ndr_samr.h"
> > --#include "../librpc/gen_ndr/ndr_netlogon.h"
> > --#include "../librpc/gen_ndr/ndr_srvsvc.h"
> > --#include "../librpc/gen_ndr/ndr_wkssvc.h"
> > --#include "../librpc/gen_ndr/ndr_winreg.h"
> > --#include "../librpc/gen_ndr/ndr_spoolss.h"
> > --#include "../librpc/gen_ndr/ndr_dfs.h"
> > --#include "../librpc/gen_ndr/ndr_echo.h"
> > --#include "../librpc/gen_ndr/ndr_initshutdown.h"
> > --#include "../librpc/gen_ndr/ndr_svcctl.h"
> > --#include "../librpc/gen_ndr/ndr_eventlog.h"
> > --#include "../librpc/gen_ndr/ndr_ntsvcs.h"
> > --#include "../librpc/gen_ndr/ndr_epmapper.h"
> > --#include "../librpc/gen_ndr/ndr_drsuapi.h"
> > --#include "../librpc/gen_ndr/ndr_fsrvp.h"
> > --
> > --static const char *get_pipe_name_from_iface(
> > -- TALLOC_CTX *mem_ctx, const struct ndr_interface_table *interface)
> > --{
> > -- int i;
> > -- const struct ndr_interface_string_array *ep = interface->endpoints;
> > -- char *p;
> > --
> > -- for (i=0; i<ep->count; i++) {
> > -- if (strncmp(ep->names[i], "ncacn_np:[\\pipe\\", 16) == 0) {
> > -- break;
> > -- }
> > -- }
> > -- if (i == ep->count) {
> > -- return NULL;
> > -- }
> > --
> > -- /*
> > -- * extract the pipe name without \\pipe from for example
> > -- * ncacn_np:[\\pipe\\epmapper]
> > -- */
> > -- p = strchr(ep->names[i]+15, ']');
> > -- if (p == NULL) {
> > -- return "PIPE";
> > -- }
> > -- return talloc_strndup(mem_ctx, ep->names[i]+15, p - ep->names[i] - 15);
> > --}
> > --
> > --static const struct ndr_interface_table **interfaces;
> > --
> > --bool smb_register_ndr_interface(const struct ndr_interface_table *interface)
> > --{
> > -- int num_interfaces = talloc_array_length(interfaces);
> > -- const struct ndr_interface_table **tmp;
> > -- int i;
> > --
> > -- for (i=0; i<num_interfaces; i++) {
> > -- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id,
> > -- &interface->syntax_id)) {
> > -- return true;
> > -- }
> > -- }
> > --
> > -- tmp = talloc_realloc(NULL, interfaces,
> > -- const struct ndr_interface_table *,
> > -- num_interfaces + 1);
> > -- if (tmp == NULL) {
> > -- DEBUG(1, ("smb_register_ndr_interface: talloc failed\n"));
> > -- return false;
> > -- }
> > -- interfaces = tmp;
> > -- interfaces[num_interfaces] = interface;
> > -- return true;
> > --}
> > --
> > --static bool initialize_interfaces(void)
> > --{
> > -- if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_samr)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_wkssvc)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_winreg)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_rpcecho)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_svcctl)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_eventlog)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
> > -- return false;
> > -- }
> > -- if (!smb_register_ndr_interface(&ndr_table_FileServerVssAgent)) {
> > -- return false;
> > -- }
> > -- return true;
> > --}
> > --
> > --const struct ndr_interface_table *get_iface_from_syntax(
> > -- const struct ndr_syntax_id *syntax)
> > --{
> > -- int num_interfaces;
> > -- int i;
> > --
> > -- if (interfaces == NULL) {
> > -- if (!initialize_interfaces()) {
> > -- return NULL;
> > -- }
> > -- }
> > -- num_interfaces = talloc_array_length(interfaces);
> > --
> > -- for (i=0; i<num_interfaces; i++) {
> > -- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id, syntax)) {
> > -- return interfaces[i];
> > -- }
> > -- }
> > --
> > -- return NULL;
> > --}
> > --
> > --/****************************************************************************
> > -- Return the pipe name from the interface.
> > -- ****************************************************************************/
> > --
> > --const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
> > -- const struct ndr_syntax_id *syntax)
> > --{
> > -- const struct ndr_interface_table *interface;
> > -- char *guid_str;
> > -- const char *result;
> > --
> > -- interface = get_iface_from_syntax(syntax);
> > -- if (interface != NULL) {
> > -- result = get_pipe_name_from_iface(mem_ctx, interface);
> > -- if (result != NULL) {
> > -- return result;
> > -- }
> > -- }
> > --
> > -- /*
> > -- * Here we should ask \\epmapper, but for now our code is only
> > -- * interested in the known pipes mentioned in pipe_names[]
> > -- */
> > --
> > -- guid_str = GUID_string(talloc_tos(), &syntax->uuid);
> > -- if (guid_str == NULL) {
> > -- return NULL;
> > -- }
> > -- result = talloc_asprintf(mem_ctx, "Interface %s.%d", guid_str,
> > -- (int)syntax->if_version);
> > -- TALLOC_FREE(guid_str);
> > --
> > -- if (result == NULL) {
> > -- return "PIPE";
> > -- }
> > -- return result;
> > --}
> > --
> > -diff --git a/source3/wscript_build b/source3/wscript_build
> > -index bb2e928..8126cf6 100755
> > ---- a/source3/wscript_build
> > -+++ b/source3/wscript_build
> > -@@ -141,7 +141,6 @@ LIBSMB_SRC = '''libsmb/clientgen.c libsmb/cliconnect.c libsmb/clifile.c
> > -
> > - LIBMSRPC_SRC = '''
> > - rpc_client/cli_pipe.c
> > -- librpc/rpc/rpc_common.c
> > - rpc_client/rpc_transport_np.c
> > - rpc_client/rpc_transport_sock.c
> > - rpc_client/rpc_transport_tstream.c
> > ---
> > -1.9.3
> > -
> > -
> > -From 2b2d978bd97299371a1fd7798d69ab377a76d389 Mon Sep 17 00:00:00 2001
> > -From: Volker Lendecke <vl@samba.org>
> > -Date: Wed, 14 Aug 2013 09:27:59 +0000
> > -Subject: [PATCH 112/249] winbind3: Fix an invalid free
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -This fixes a warning I've never seen before :-)
> > -
> > -../source3/winbindd/winbindd_cm.c:781:59: warning: attempt to free a non-heap object ‘machine_krb5_principal’ [-Wfree-nonheap-object]
> > -
> > -Signed-off-by: Volker Lendecke <vl@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > -Autobuild-Date(master): Wed Aug 14 14:04:16 CEST 2013 on sn-devel-104
> > -(cherry picked from commit 5f75814586f2d6f7c2dc8fd9342cb045c1f7e68c)
> > ----
> > - source3/winbindd/winbindd_cm.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > -index facef64..d868826 100644
> > ---- a/source3/winbindd/winbindd_cm.c
> > -+++ b/source3/winbindd/winbindd_cm.c
> > -@@ -840,7 +840,7 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
> > - }
> > -
> > - if (!strupper_m(*machine_krb5_principal)) {
> > -- SAFE_FREE(machine_krb5_principal);
> > -+ SAFE_FREE(*machine_krb5_principal);
> > - return NT_STATUS_INVALID_PARAMETER;
> > - }
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From 1b88903c4f5931397e22874b3751dd05a03a2dea Mon Sep 17 00:00:00 2001
> > -From: Andrew Bartlett <abartlet@samba.org>
> > -Date: Fri, 11 Oct 2013 13:34:13 +1300
> > -Subject: [PATCH 113/249] s3-winbindd: Remove undocumented winbindd:socket dir
> > - parameter
> > -
> > -This uses the documeted "winbindd socket directory" parameter instead.
> > -
> > -This came about due to the merge of the two smb.conf tables in s3 and
> > -s4 for the Samba 4.0 release. The s4 code used a real parameter,
> > -which caused this to be documented, whereas no automatic procedure
> > -existed to notice the parametric option and the need to document that.
> > -The fact that this was not used consistently in both codebases is one
> > -of the many areas of technical debt we still need to pay off here.
> > -
> > -Andrew Bartlett
> > -
> > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit e512491552d9ed0dc1005a23ffc8f77ba237f863)
> > ----
> > - selftest/target/Samba3.pm | 2 +-
> > - source3/include/proto.h | 1 +
> > - source3/param/loadparm.c | 1 +
> > - source3/winbindd/winbindd.c | 9 ++-------
> > - source3/winbindd/winbindd_proto.h | 1 -
> > - 5 files changed, 5 insertions(+), 9 deletions(-)
> > -
> > -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
> > -index ba01154..d8f0c27 100755
> > ---- a/selftest/target/Samba3.pm
> > -+++ b/selftest/target/Samba3.pm
> > -@@ -972,7 +972,7 @@ sub provision($$$$$$)
> > - printing = bsd
> > - printcap name = /dev/null
> > -
> > -- winbindd:socket dir = $wbsockdir
> > -+ winbindd socket directory = $wbsockdir
> > - nmbd:socket dir = $nmbdsockdir
> > - idmap config * : range = 100000-200000
> > - winbind enum users = yes
> > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > -index cbad7ac..53cd59d 100644
> > ---- a/source3/include/proto.h
> > -+++ b/source3/include/proto.h
> > -@@ -1069,6 +1069,7 @@ char *lp_wins_hook(TALLOC_CTX *ctx);
> > - const char *lp_template_homedir(void);
> > - const char *lp_template_shell(void);
> > - const char *lp_winbind_separator(void);
> > -+const char *lp_winbindd_socket_directory(void);
> > - bool lp_winbind_enum_users(void);
> > - bool lp_winbind_enum_groups(void);
> > - bool lp_winbind_use_default_domain(void);
> > -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> > -index 4b31023..b2804ae 100644
> > ---- a/source3/param/loadparm.c
> > -+++ b/source3/param/loadparm.c
> > -@@ -961,6 +961,7 @@ static void init_globals(bool reinit_globals)
> > - string_set(&Globals.szTemplateShell, "/bin/false");
> > - string_set(&Globals.szTemplateHomedir, "/home/%D/%U");
> > - string_set(&Globals.szWinbindSeparator, "\\");
> > -+ string_set(&Globals.szWinbinddSocketDirectory, dyn_WINBINDD_SOCKET_DIR);
> > -
> > - string_set(&Globals.szCupsServer, "");
> > - string_set(&Globals.szIPrintServer, "");
> > -diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
> > -index f101e52..69a17bf 100644
> > ---- a/source3/winbindd/winbindd.c
> > -+++ b/source3/winbindd/winbindd.c
> > -@@ -189,7 +189,7 @@ static void terminate(bool is_parent)
> > - char *path = NULL;
> > -
> > - if (asprintf(&path, "%s/%s",
> > -- get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME) > 0) {
> > -+ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME) > 0) {
> > - unlink(path);
> > - SAFE_FREE(path);
> > - }
> > -@@ -1067,11 +1067,6 @@ static void winbindd_listen_fde_handler(struct tevent_context *ev,
> > - * Winbindd socket accessor functions
> > - */
> > -
> > --const char *get_winbind_pipe_dir(void)
> > --{
> > -- return lp_parm_const_string(-1, "winbindd", "socket dir", get_dyn_WINBINDD_SOCKET_DIR());
> > --}
> > --
> > - char *get_winbind_priv_pipe_dir(void)
> > - {
> > - return state_path(WINBINDD_PRIV_SOCKET_SUBDIR);
> > -@@ -1092,7 +1087,7 @@ static bool winbindd_setup_listeners(void)
> > -
> > - pub_state->privileged = false;
> > - pub_state->fd = create_pipe_sock(
> > -- get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
> > -+ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME, 0755);
> > - if (pub_state->fd == -1) {
> > - goto failed;
> > - }
> > -diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
> > -index 3df7d7c..cfc19d0 100644
> > ---- a/source3/winbindd/winbindd_proto.h
> > -+++ b/source3/winbindd/winbindd_proto.h
> > -@@ -34,7 +34,6 @@ bool winbindd_setup_stdin_handler(bool parent, bool foreground);
> > - bool winbindd_setup_sig_hup_handler(const char *lfile);
> > - bool winbindd_use_idmap_cache(void);
> > - bool winbindd_use_cache(void);
> > --const char *get_winbind_pipe_dir(void);
> > - char *get_winbind_priv_pipe_dir(void);
> > - struct tevent_context *winbind_event_context(void);
> > - int main(int argc, char **argv, char **envp);
> > ---
> > -1.9.3
> > -
> > -
> > -From d0ae2d10385dea4b8fae3d8932d40f546ff8905b Mon Sep 17 00:00:00 2001
> > -From: Andrew Bartlett <abartlet@samba.org>
> > -Date: Mon, 14 Oct 2013 15:33:20 +1300
> > -Subject: [PATCH 114/249] lib/param: lp_magicchar takes a const struct
> > - share_params *p so should be FN_LOCAL_PARM_CHAR
> > -
> > -This was found when trying to autogenerate prototypes for lp_ functions again.
> > -
> > -Andrew Bartlett
> > -
> > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - lib/param/loadparm.c | 2 +-
> > - lib/param/param_functions.c | 2 +-
> > - source3/param/loadparm.c | 2 +-
> > - 3 files changed, 3 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
> > -index 455c5e6..4497dbf 100644
> > ---- a/lib/param/loadparm.c
> > -+++ b/lib/param/loadparm.c
> > -@@ -314,7 +314,7 @@ static struct loadparm_context *global_loadparm_context;
> > -
> > - #define FN_LOCAL_PARM_INTEGER(fn_name, val) FN_LOCAL_INTEGER(fn_name, val)
> > -
> > --#define FN_LOCAL_CHAR(fn_name,val) \
> > -+#define FN_LOCAL_PARM_CHAR(fn_name,val) \
> > - _PUBLIC_ char lpcfg_ ## fn_name(struct loadparm_service *service, \
> > - struct loadparm_service *sDefault) { \
> > - return((service != NULL)? service->val : sDefault->val); \
> > -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> > -index d9d5df6..60f9c07 100644
> > ---- a/lib/param/param_functions.c
> > -+++ b/lib/param/param_functions.c
> > -@@ -147,7 +147,7 @@ FN_LOCAL_INTEGER(aio_write_size, iAioWriteSize)
> > - FN_LOCAL_INTEGER(map_readonly, iMap_readonly)
> > - FN_LOCAL_INTEGER(directory_name_cache_size, iDirectoryNameCacheSize)
> > - FN_LOCAL_INTEGER(smb_encrypt, ismb_encrypt)
> > --FN_LOCAL_CHAR(magicchar, magic_char)
> > -+FN_LOCAL_PARM_CHAR(magicchar, magic_char)
> > - FN_LOCAL_STRING(cups_options, szCupsOptions)
> > - FN_LOCAL_PARM_BOOL(change_notify, bChangeNotify)
> > - FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
> > -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> > -index b2804ae..40f3242 100644
> > ---- a/source3/param/loadparm.c
> > -+++ b/source3/param/loadparm.c
> > -@@ -1116,7 +1116,7 @@ char *lp_ ## fn_name(TALLOC_CTX *ctx,int i) {return(lp_string((ctx), (LP_SNUM_OK
> > - bool lp_ ## fn_name(const struct share_params *p) {return(bool)(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
> > - #define FN_LOCAL_PARM_INTEGER(fn_name,val) \
> > - int lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
> > --#define FN_LOCAL_CHAR(fn_name,val) \
> > -+#define FN_LOCAL_PARM_CHAR(fn_name,val) \
> > - char lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
> > -
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From bf5cb3b6c6e2d3171b70fff5deb9a7767d6609a8 Mon Sep 17 00:00:00 2001
> > -From: Andrew Bartlett <abartlet@samba.org>
> > -Date: Mon, 14 Oct 2013 13:47:27 +1300
> > -Subject: [PATCH 115/249] build: Move loadparm-related build rules to
> > - source3/param/wscript_build
> > -
> > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source3/param/wscript_build | 32 ++++++++++++++++++++++++++++++++
> > - source3/wscript_build | 36 ++----------------------------------
> > - 2 files changed, 34 insertions(+), 34 deletions(-)
> > - create mode 100644 source3/param/wscript_build
> > -
> > -diff --git a/source3/param/wscript_build b/source3/param/wscript_build
> > -new file mode 100644
> > -index 0000000..278d5f5
> > ---- /dev/null
> > -+++ b/source3/param/wscript_build
> > -@@ -0,0 +1,32 @@
> > -+#!/usr/bin/env python
> > -+
> > -+bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
> > -+ source='util.c',
> > -+ deps='talloc')
> > -+
> > -+bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
> > -+ source='loadparm_ctx.c',
> > -+ deps='''talloc s3_param_h param''')
> > -+
> > -+bld.SAMBA_GENERATOR('s3_param_global_h',
> > -+ source= '../../script/mkparamdefs.pl loadparm.c ../../lib/param/param_functions.c',
> > -+ target='param_global.h',
> > -+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
> > -+
> > -+bld.SAMBA3_PYTHON('pys3param',
> > -+ source='pyparam.c',
> > -+ deps='param',
> > -+ public_deps='samba-hostconfig pytalloc-util talloc',
> > -+ realname='samba/samba3/param.so')
> > -+
> > -+bld.SAMBA3_SUBSYSTEM('param_service',
> > -+ source='service.c',
> > -+ deps = 'USER_UTIL param PRINTING')
> > -+
> > -+bld.SAMBA3_BINARY('test_lp_load',
> > -+ source='test_lp_load.c',
> > -+ deps='''
> > -+ talloc
> > -+ param
> > -+ popt_samba3''',
> > -+ install=False)
> > -diff --git a/source3/wscript_build b/source3/wscript_build
> > -index 8126cf6..13d15c3 100755
> > ---- a/source3/wscript_build
> > -+++ b/source3/wscript_build
> > -@@ -751,33 +751,9 @@ bld.SAMBA3_SUBSYSTEM('SERVER_MUTEX',
> > - source=SERVER_MUTEX_SRC,
> > - deps='talloc')
> > -
> > --bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
> > -- source=PARAM_UTIL_SRC,
> > -- deps='talloc')
> > --
> > --bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
> > -- source='param/loadparm_ctx.c',
> > -- deps='''talloc s3_param_h param''',
> > -- vars=locals())
> > --
> > --bld.SAMBA_GENERATOR('param/param_global_h',
> > -- source= '../script/mkparamdefs.pl param/loadparm.c ../lib/param/param_functions.c',
> > -- target='param/param_global.h',
> > -- rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
> > --
> > - bld.SAMBA3_SUBSYSTEM('param',
> > - source=PARAM_WITHOUT_REG_SRC,
> > -- deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h param/param_global_h cups''')
> > --
> > --bld.SAMBA3_PYTHON('pys3param',
> > -- source='param/pyparam.c',
> > -- deps='param',
> > -- public_deps='samba-hostconfig pytalloc-util talloc',
> > -- realname='samba/samba3/param.so')
> > --
> > --bld.SAMBA3_SUBSYSTEM('param_service',
> > -- source='param/service.c',
> > -- deps = 'USER_UTIL param PRINTING')
> > -+ deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h s3_param_global_h cups''')
> > -
> > - bld.SAMBA3_SUBSYSTEM('REGFIO',
> > - source=REGFIO_SRC,
> > -@@ -1566,15 +1542,6 @@ bld.SAMBA3_BINARY('rpc_open_tcp',
> > - install=False,
> > - vars=locals())
> > -
> > --bld.SAMBA3_BINARY('test_lp_load',
> > -- source=TEST_LP_LOAD_SRC,
> > -- deps='''
> > -- talloc
> > -- param
> > -- popt_samba3''',
> > -- install=False,
> > -- vars=locals())
> > --
> > - bld.SAMBA3_BINARY('dbwrap_tool',
> > - source=DBWRAP_TOOL_SRC,
> > - deps='''
> > -@@ -1638,6 +1605,7 @@ bld.RECURSE('librpc/idl')
> > - bld.RECURSE('libsmb')
> > - bld.RECURSE('modules')
> > - bld.RECURSE('pam_smbpass')
> > -+bld.RECURSE('param')
> > - bld.RECURSE('passdb')
> > - bld.RECURSE('rpc_server')
> > - bld.RECURSE('script')
> > ---
> > -1.9.3
> > -
> > -
> > -From 281cb415404f7044a4bdbc93a21b2f755cbc74ee Mon Sep 17 00:00:00 2001
> > -From: Andrew Bartlett <abartlet@samba.org>
> > -Date: Mon, 14 Oct 2013 15:34:40 +1300
> > -Subject: [PATCH 116/249] lib/param: Do not attempt to access the s3 function
> > - for allocated and subbed string parameters
> > -
> > -This allows us not to generate array entries for these, which in turn allows
> > -us to avoid initialising them. The issue is that we do not have the
> > -% macro sub context nor a talloc context handy (yet).
> > -
> > -Andrew Bartlett
> > -
> > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - lib/param/loadparm.c | 21 ++++++++++-----------
> > - 1 file changed, 10 insertions(+), 11 deletions(-)
> > -
> > -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
> > -index 4497dbf..23b45e2 100644
> > ---- a/lib/param/loadparm.c
> > -+++ b/lib/param/loadparm.c
> > -@@ -232,7 +232,16 @@ static struct loadparm_context *global_loadparm_context;
> > - #define lpcfg_default_service global_loadparm_context->sDefault
> > - #define lpcfg_global_service(i) global_loadparm_context->services[i]
> > -
> > --#define FN_GLOBAL_STRING(fn_name,var_name) \
> > -+#define FN_GLOBAL_STRING(fn_name,var_name) \
> > -+ _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
> > -+ if (lp_ctx == NULL) return NULL; \
> > -+ if (lp_ctx->s3_fns) { \
> > -+ smb_panic( __location__ ": " #fn_name " not implemented because it is an allocated and substiuted string"); \
> > -+ } \
> > -+ return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
> > -+}
> > -+
> > -+#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
> > - _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
> > - if (lp_ctx == NULL) return NULL; \
> > - if (lp_ctx->s3_fns) { \
> > -@@ -242,16 +251,6 @@ static struct loadparm_context *global_loadparm_context;
> > - return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
> > - }
> > -
> > --#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
> > -- _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
> > -- if (lp_ctx == NULL) return NULL; \
> > -- if (lp_ctx->s3_fns) { \
> > -- SMB_ASSERT(lp_ctx->s3_fns->fn_name); \
> > -- return lp_ctx->s3_fns->fn_name(); \
> > -- } \
> > -- return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
> > -- }
> > --
> > - #define FN_GLOBAL_LIST(fn_name,var_name) \
> > - _PUBLIC_ const char **lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
> > - if (lp_ctx == NULL) return NULL; \
> > ---
> > -1.9.3
> > -
> > -
> > -From e610d185d26910e6cb96ddf8507c31c5f1503271 Mon Sep 17 00:00:00 2001
> > -From: Andrew Bartlett <abartlet@samba.org>
> > -Date: Mon, 14 Oct 2013 15:36:18 +1300
> > -Subject: [PATCH 117/249] param: Skip generating hooks for local and string
> > - parameters
> > -
> > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - script/mks3param.pl | 9 ++++++++-
> > - 1 file changed, 8 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/script/mks3param.pl b/script/mks3param.pl
> > -index 4222ca5..799958c 100644
> > ---- a/script/mks3param.pl
> > -+++ b/script/mks3param.pl
> > -@@ -108,7 +108,14 @@ sub handle_loadparm($$)
> > - {
> > - my ($file,$line) = @_;
> > -
> > -- if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
> > -+ # Local parameters don't need the ->s3_fns because the struct
> > -+ # loadparm_service is shared and lpcfg_service() checks the ->s3_fns
> > -+ # hook
> > -+ #
> > -+ # STRING isn't handled as we do not yet have a way to pass in a memory context nor
> > -+ # do we have a good way of dealing with the % macros yet.
> > -+
> > -+ if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
> > - my $scope = $1;
> > - my $type = $2;
> > - my $name = $3;
> > ---
> > -1.9.3
> > -
> > -
> > -From 970290dc75404ab366617210edfca718fe21864b Mon Sep 17 00:00:00 2001
> > -From: Andrew Bartlett <abartlet@samba.org>
> > -Date: Mon, 14 Oct 2013 15:39:10 +1300
> > -Subject: [PATCH 118/249] s3/param: Autogenerate parameters prototypes again
> > - after proto.h was frozen
> > -
> > -This autogenerates the parameters so that we can keep everything in sync easier,
> > -particularly when adding new parameters. This will also make it easier to move
> > -to a fully autogenerated system in the future, as it reduces special cases.
> > -
> > -Andrew Bartlett
> > -
> > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - script/mks3param_proto.pl | 199 ++++++++++++++++++++++++++++++++++++++++++++
> > - source3/include/proto.h | 2 +
> > - source3/param/wscript_build | 5 ++
> > - 3 files changed, 206 insertions(+)
> > - create mode 100644 script/mks3param_proto.pl
> > -
> > -diff --git a/script/mks3param_proto.pl b/script/mks3param_proto.pl
> > -new file mode 100644
> > -index 0000000..446e343
> > ---- /dev/null
> > -+++ b/script/mks3param_proto.pl
> > -@@ -0,0 +1,199 @@
> > -+#!/usr/bin/perl
> > -+# Generate loadparm interfaces tables for Samba3/Samba4 integration
> > -+# by Andrew Bartlett
> > -+# based on mkproto.pl Written by Jelmer Vernooij
> > -+# based on the original mkproto.sh by Andrew Tridgell
> > -+
> > -+use strict;
> > -+
> > -+# don't use warnings module as it is not portable enough
> > -+# use warnings;
> > -+
> > -+use Getopt::Long;
> > -+use File::Basename;
> > -+use File::Path;
> > -+
> > -+#####################################################################
> > -+# read a file into a string
> > -+
> > -+my $file = undef;
> > -+my $public_define = undef;
> > -+my $_public = "";
> > -+my $_private = "";
> > -+my $public_data = \$_public;
> > -+my $builddir = ".";
> > -+my $srcdir = ".";
> > -+
> > -+sub public($)
> > -+{
> > -+ my ($d) = @_;
> > -+ $$public_data .= $d;
> > -+}
> > -+
> > -+sub usage()
> > -+{
> > -+ print "Usage: mks3param.pl [options] [c files]\n";
> > -+ print "OPTIONS:\n";
> > -+ print " --srcdir=path Read files relative to this directory\n";
> > -+ print " --builddir=path Write file relative to this directory\n";
> > -+ print " --help Print this help message\n\n";
> > -+ exit 0;
> > -+}
> > -+
> > -+GetOptions(
> > -+ 'file=s' => sub { my ($f,$v) = @_; $file = $v; },
> > -+ 'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
> > -+ 'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
> > -+ 'help' => \&usage
> > -+) or exit(1);
> > -+
> > -+sub normalize_define($$)
> > -+{
> > -+ my ($define, $file) = @_;
> > -+
> > -+ if (not defined($define) and defined($file)) {
> > -+ $define = "__" . uc($file) . "__";
> > -+ $define =~ tr{./}{__};
> > -+ $define =~ tr{\-}{_};
> > -+ } elsif (not defined($define)) {
> > -+ $define = '_S3_PARAM_PROTO_H_';
> > -+ }
> > -+
> > -+ return $define;
> > -+}
> > -+
> > -+$public_define = normalize_define($public_define, $file);
> > -+
> > -+sub file_load($)
> > -+{
> > -+ my($filename) = @_;
> > -+ local(*INPUTFILE);
> > -+ open(INPUTFILE, $filename) or return undef;
> > -+ my($saved_delim) = $/;
> > -+ undef $/;
> > -+ my($data) = <INPUTFILE>;
> > -+ close(INPUTFILE);
> > -+ $/ = $saved_delim;
> > -+ return $data;
> > -+}
> > -+
> > -+sub print_header($$)
> > -+{
> > -+ my ($file, $header_name) = @_;
> > -+ $file->("#ifndef $header_name\n");
> > -+ $file->("#define $header_name\n\n");
> > -+ $file->("/* This file was automatically generated by mks3param_proto.pl. DO NOT EDIT */\n\n");
> > -+}
> > -+
> > -+sub print_footer($$)
> > -+{
> > -+ my ($file, $header_name) = @_;
> > -+ $file->("\n#endif /* $header_name */\n\n");
> > -+}
> > -+
> > -+sub handle_loadparm($$)
> > -+{
> > -+ my ($file,$line) = @_;
> > -+
> > -+ my $scope;
> > -+ my $type;
> > -+ my $name;
> > -+ my $var;
> > -+ my $param;
> > -+
> > -+ if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
> > -+ $scope = $1;
> > -+ $type = $2;
> > -+ $name = $3;
> > -+ $var = $4;
> > -+ $param = "int";
> > -+ } elsif ($line =~ /^FN_(GLOBAL|LOCAL)_PARM_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
> > -+ $scope = $1;
> > -+ $type = $2;
> > -+ $name = $3;
> > -+ $var = $4;
> > -+ $param = "const struct share_params *p";
> > -+ } else {
> > -+ return;
> > -+ }
> > -+
> > -+ my %tmap = (
> > -+ "BOOL" => "bool ",
> > -+ "CONST_STRING" => "const char *",
> > -+ "STRING" => "char *",
> > -+ "INTEGER" => "int ",
> > -+ "CHAR" => "char ",
> > -+ "LIST" => "const char **",
> > -+ );
> > -+
> > -+ my %smap = (
> > -+ "GLOBAL" => "void",
> > -+ "LOCAL" => "$param"
> > -+ );
> > -+
> > -+ if (($type eq "STRING") and ($scope eq "GLOBAL")) {
> > -+ $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx);\n");
> > -+ } elsif (($type eq "STRING") and ($scope eq "LOCAL")) {
> > -+ $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx, $smap{$scope});\n");
> > -+ } else {
> > -+ $file->("$tmap{$type}lp_$name($smap{$scope});\n");
> > -+ }
> > -+}
> > -+
> > -+sub process_file($$)
> > -+{
> > -+ my ($file, $filename) = @_;
> > -+
> > -+ $filename =~ s/\.o$/\.c/g;
> > -+
> > -+ if ($filename =~ /^\//) {
> > -+ open(FH, "<$filename") or die("Failed to open $filename");
> > -+ } elsif (!open(FH, "< $builddir/$filename")) {
> > -+ open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
> > -+ }
> > -+
> > -+ my $comment = undef;
> > -+ my $incomment = 0;
> > -+ while (my $line = <FH>) {
> > -+ if ($line =~ /^\/\*\*/) {
> > -+ $comment = "";
> > -+ $incomment = 1;
> > -+ }
> > -+
> > -+ if ($incomment) {
> > -+ $comment .= $line;
> > -+ if ($line =~ /\*\//) {
> > -+ $incomment = 0;
> > -+ }
> > -+ }
> > -+
> > -+ # these are ordered for maximum speed
> > -+ next if ($line =~ /^\s/);
> > -+
> > -+ next unless ($line =~ /\(/);
> > -+
> > -+ next if ($line =~ /^\/|[;]/);
> > -+
> > -+ if ($line =~ /^FN_/) {
> > -+ handle_loadparm($file, $line);
> > -+ }
> > -+ next;
> > -+ }
> > -+
> > -+ close(FH);
> > -+}
> > -+
> > -+
> > -+print_header(\&public, $public_define);
> > -+
> > -+process_file(\&public, $_) foreach (@ARGV);
> > -+print_footer(\&public, $public_define);
> > -+
> > -+if (not defined($file)) {
> > -+ print STDOUT $$public_data;
> > -+}
> > -+
> > -+mkpath(dirname($file), 0, 0755);
> > -+open(PUBLIC, ">$file") or die("Can't open `$file': $!");
> > -+print PUBLIC "$$public_data";
> > -+close(PUBLIC);
> > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > -index 53cd59d..614baa4 100644
> > ---- a/source3/include/proto.h
> > -+++ b/source3/include/proto.h
> > -@@ -993,6 +993,8 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
> > -
> > - /* The following definitions come from param/loadparm.c */
> > -
> > -+#include "source3/param/param_proto.h"
> > -+
> > - const char **lp_smb_ports(void);
> > - const char *lp_dos_charset(void);
> > - const char *lp_unix_charset(void);
> > -diff --git a/source3/param/wscript_build b/source3/param/wscript_build
> > -index 278d5f5..643c27e 100644
> > ---- a/source3/param/wscript_build
> > -+++ b/source3/param/wscript_build
> > -@@ -13,6 +13,11 @@ bld.SAMBA_GENERATOR('s3_param_global_h',
> > - target='param_global.h',
> > - rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
> > -
> > -+bld.SAMBA_GENERATOR('s3_param_proto_h',
> > -+ source= '../../script/mks3param_proto.pl loadparm.c ../../lib/param/param_functions.c',
> > -+ target='param_proto.h',
> > -+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
> > -+
> > - bld.SAMBA3_PYTHON('pys3param',
> > - source='pyparam.c',
> > - deps='param',
> > ---
> > -1.9.3
> > -
> > -
> > -From 4f87a4ca65b386e90cca479aabdf9051de2c67e3 Mon Sep 17 00:00:00 2001
> > -From: Andrew Bartlett <abartlet@samba.org>
> > -Date: Mon, 14 Oct 2013 15:46:43 +1300
> > -Subject: [PATCH 119/249] param: Autogenerate s3 lp_ctx glue table
> > -
> > -This allows us to use more lpcfg_ functions without adding them
> > -manually.
> > -
> > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - lib/param/wscript_build | 1 +
> > - script/mks3param_ctx_table.pl | 139 ++++++++++++++++++++++++++++++++++++++++++
> > - source3/param/loadparm_ctx.c | 64 +------------------
> > - source3/param/wscript_build | 5 ++
> > - 4 files changed, 146 insertions(+), 63 deletions(-)
> > - create mode 100644 script/mks3param_ctx_table.pl
> > -
> > -diff --git a/lib/param/wscript_build b/lib/param/wscript_build
> > -index 10e05a3..0e1a2e0 100644
> > ---- a/lib/param/wscript_build
> > -+++ b/lib/param/wscript_build
> > -@@ -11,6 +11,7 @@ bld.SAMBA_GENERATOR('s3_param_h',
> > - target='s3_param.h',
> > - rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
> > -
> > -+
> > - bld.SAMBA_GENERATOR('param_global_h',
> > - source= '../../script/mkparamdefs.pl loadparm.c param_functions.c',
> > - target='param_global.h',
> > -diff --git a/script/mks3param_ctx_table.pl b/script/mks3param_ctx_table.pl
> > -new file mode 100644
> > -index 0000000..cfd6e02
> > ---- /dev/null
> > -+++ b/script/mks3param_ctx_table.pl
> > -@@ -0,0 +1,139 @@
> > -+#!/usr/bin/perl
> > -+# Generate loadparm interfaces tables for Samba3/Samba4 integration
> > -+# by Andrew Bartlett
> > -+# based on mkproto.pl Written by Jelmer Vernooij
> > -+# based on the original mkproto.sh by Andrew Tridgell
> > -+
> > -+use strict;
> > -+
> > -+# don't use warnings module as it is not portable enough
> > -+# use warnings;
> > -+
> > -+use Getopt::Long;
> > -+use File::Basename;
> > -+use File::Path;
> > -+
> > -+#####################################################################
> > -+# read a file into a string
> > -+
> > -+my $file = undef;
> > -+my $public_define = undef;
> > -+my $_public = "";
> > -+my $_private = "";
> > -+my $public_data = \$_public;
> > -+my $builddir = ".";
> > -+my $srcdir = ".";
> > -+
> > -+sub public($)
> > -+{
> > -+ my ($d) = @_;
> > -+ $$public_data .= $d;
> > -+}
> > -+
> > -+sub usage()
> > -+{
> > -+ print "Usage: mks3param.pl [options] [c files]\n";
> > -+ print "OPTIONS:\n";
> > -+ print " --srcdir=path Read files relative to this directory\n";
> > -+ print " --builddir=path Write file relative to this directory\n";
> > -+ print " --help Print this help message\n\n";
> > -+ exit 0;
> > -+}
> > -+
> > -+GetOptions(
> > -+ 'file=s' => sub { my ($f,$v) = @_; $file = $v; },
> > -+ 'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
> > -+ 'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
> > -+ 'help' => \&usage
> > -+) or exit(1);
> > -+
> > -+sub file_load($)
> > -+{
> > -+ my($filename) = @_;
> > -+ local(*INPUTFILE);
> > -+ open(INPUTFILE, $filename) or return undef;
> > -+ my($saved_delim) = $/;
> > -+ undef $/;
> > -+ my($data) = <INPUTFILE>;
> > -+ close(INPUTFILE);
> > -+ $/ = $saved_delim;
> > -+ return $data;
> > -+}
> > -+
> > -+sub print_header($)
> > -+{
> > -+ my ($file) = @_;
> > -+ $file->("/* This file was automatically generated by mks3param_ctx.pl. DO NOT EDIT */\n\n");
> > -+ $file->("static const struct loadparm_s3_helpers s3_fns = \n");
> > -+ $file->("{\n");
> > -+ $file->("\t.get_parametric = lp_parm_const_string_service,\n");
> > -+ $file->("\t.get_parm_struct = lp_get_parameter,\n");
> > -+ $file->("\t.get_parm_ptr = lp_parm_ptr,\n");
> > -+ $file->("\t.get_service = lp_service_for_s4_ctx,\n");
> > -+ $file->("\t.get_servicebynum = lp_servicebynum_for_s4_ctx,\n");
> > -+ $file->("\t.get_default_loadparm_service = lp_default_loadparm_service,\n");
> > -+ $file->("\t.get_numservices = lp_numservices,\n");
> > -+ $file->("\t.load = lp_load_for_s4_ctx,\n");
> > -+ $file->("\t.set_cmdline = lp_set_cmdline,\n");
> > -+ $file->("\t.dump = lp_dump,\n");
> > -+}
> > -+
> > -+sub print_footer($)
> > -+{
> > -+ my ($file) = @_;
> > -+ $file->("};");
> > -+}
> > -+
> > -+sub handle_loadparm($$)
> > -+{
> > -+ my ($file,$line) = @_;
> > -+
> > -+ # STRING isn't handled here, as we still don't know what to do with the substituted vars */
> > -+ # LOCAL also isn't handled here
> > -+ if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
> > -+ my $scope = $1;
> > -+ my $type = $2;
> > -+ my $name = $3;
> > -+
> > -+ $file->(".$name = lp_$name,\n");
> > -+ }
> > -+}
> > -+
> > -+sub process_file($$)
> > -+{
> > -+ my ($file, $filename) = @_;
> > -+
> > -+ $filename =~ s/\.o$/\.c/g;
> > -+
> > -+ if ($filename =~ /^\//) {
> > -+ open(FH, "<$filename") or die("Failed to open $filename");
> > -+ } elsif (!open(FH, "< $builddir/$filename")) {
> > -+ open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
> > -+ }
> > -+
> > -+ my $comment = undef;
> > -+ my $incomment = 0;
> > -+ while (my $line = <FH>) {
> > -+ if ($line =~ /^FN_/) {
> > -+ handle_loadparm($file, $line);
> > -+ }
> > -+ next;
> > -+ }
> > -+
> > -+ close(FH);
> > -+}
> > -+
> > -+
> > -+print_header(\&public);
> > -+
> > -+process_file(\&public, $_) foreach (@ARGV);
> > -+print_footer(\&public);
> > -+
> > -+if (not defined($file)) {
> > -+ print STDOUT $$public_data;
> > -+}
> > -+
> > -+mkpath(dirname($file), 0, 0755);
> > -+open(PUBLIC, ">$file") or die("Can't open `$file': $!");
> > -+print PUBLIC "$$public_data";
> > -+close(PUBLIC);
> > -diff --git a/source3/param/loadparm_ctx.c b/source3/param/loadparm_ctx.c
> > -index 63ead53..5cbc920 100644
> > ---- a/source3/param/loadparm_ctx.c
> > -+++ b/source3/param/loadparm_ctx.c
> > -@@ -56,69 +56,7 @@ static bool lp_load_for_s4_ctx(const char *filename)
> > - return status;
> > - }
> > -
> > --/* These are in the order that they appear in the s4 loadparm file.
> > -- * All of the s4 loadparm functions should be here eventually, once
> > -- * they are implemented in the s3 loadparm, have the same format (enum
> > -- * values in particular) and defaults. */
> > --static const struct loadparm_s3_helpers s3_fns =
> > --{
> > -- .get_parametric = lp_parm_const_string_service,
> > -- .get_parm_struct = lp_get_parameter,
> > -- .get_parm_ptr = lp_parm_ptr,
> > -- .get_service = lp_service_for_s4_ctx,
> > -- .get_servicebynum = lp_servicebynum_for_s4_ctx,
> > -- .get_default_loadparm_service = lp_default_loadparm_service,
> > -- .get_numservices = lp_numservices,
> > -- .load = lp_load_for_s4_ctx,
> > -- .set_cmdline = lp_set_cmdline,
> > -- .dump = lp_dump,
> > --
> > -- ._server_role = lp__server_role,
> > -- ._security = lp__security,
> > -- ._domain_master = lp__domain_master,
> > -- ._domain_logons = lp__domain_logons,
> > --
> > -- .winbind_separator = lp_winbind_separator,
> > -- .template_homedir = lp_template_homedir,
> > -- .template_shell = lp_template_shell,
> > --
> > -- .dos_charset = lp_dos_charset,
> > -- .unix_charset = lp_unix_charset,
> > --
> > -- .realm = lp_realm,
> > -- .dnsdomain = lp_dnsdomain,
> > -- .socket_options = lp_socket_options,
> > -- .workgroup = lp_workgroup,
> > --
> > -- .netbios_name = lp_netbios_name,
> > -- .netbios_scope = lp_netbios_scope,
> > -- .netbios_aliases = lp_netbios_aliases,
> > --
> > -- .lanman_auth = lp_lanman_auth,
> > -- .ntlm_auth = lp_ntlm_auth,
> > --
> > -- .client_plaintext_auth = lp_client_plaintext_auth,
> > -- .client_lanman_auth = lp_client_lanman_auth,
> > -- .client_ntlmv2_auth = lp_client_ntlmv2_auth,
> > -- .client_use_spnego_principal = lp_client_use_spnego_principal,
> > --
> > -- .private_dir = lp_private_dir,
> > -- .ncalrpc_dir = lp_ncalrpc_dir,
> > -- .lockdir = lp_lockdir,
> > --
> > -- .passdb_backend = lp_passdb_backend,
> > --
> > -- .host_msdfs = lp_host_msdfs,
> > -- .unix_extensions = lp_unix_extensions,
> > -- .use_spnego = lp_use_spnego,
> > -- .use_mmap = lp_use_mmap,
> > -- .use_ntdb = lp_use_ntdb,
> > --
> > -- .srv_minprotocol = lp_srv_minprotocol,
> > -- .srv_maxprotocol = lp_srv_maxprotocol,
> > --
> > -- .passwordserver = lp_passwordserver
> > --};
> > -+#include "loadparm_ctx_table.c"
> > -
> > - const struct loadparm_s3_helpers *loadparm_s3_helpers(void)
> > - {
> > -diff --git a/source3/param/wscript_build b/source3/param/wscript_build
> > -index 643c27e..673cb4d 100644
> > ---- a/source3/param/wscript_build
> > -+++ b/source3/param/wscript_build
> > -@@ -18,6 +18,11 @@ bld.SAMBA_GENERATOR('s3_param_proto_h',
> > - target='param_proto.h',
> > - rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
> > -
> > -+bld.SAMBA_GENERATOR('s3_loadparm_ctx_table_c',
> > -+ source= ' ../../script/mks3param_ctx_table.pl ../../lib/param/loadparm.c ../../lib/param/param_functions.c',
> > -+ target='loadparm_ctx_table.c',
> > -+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
> > -+
> > - bld.SAMBA3_PYTHON('pys3param',
> > - source='pyparam.c',
> > - deps='param',
> > ---
> > -1.9.3
> > -
> > -
> > -From 0046f49e1c690cf5b119859650f06559697fd103 Mon Sep 17 00:00:00 2001
> > -From: Andrew Bartlett <abartlet@samba.org>
> > -Date: Mon, 14 Oct 2013 15:49:25 +1300
> > -Subject: [PATCH 120/249] proto: Remove manually written lp_ prototypes
> > -
> > -This also ensures we remove prototypes from parameters we remove or
> > -rename, and easily see how many special cases we have left.
> > -
> > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source3/include/proto.h | 361 +-----------------------------------------------
> > - 1 file changed, 1 insertion(+), 360 deletions(-)
> > -
> > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > -index 614baa4..5e068d2 100644
> > ---- a/source3/include/proto.h
> > -+++ b/source3/include/proto.h
> > -@@ -995,379 +995,20 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
> > -
> > - #include "source3/param/param_proto.h"
> > -
> > --const char **lp_smb_ports(void);
> > --const char *lp_dos_charset(void);
> > --const char *lp_unix_charset(void);
> > --char *lp_logfile(TALLOC_CTX *ctx);
> > --char *lp_configfile(TALLOC_CTX *ctx);
> > --const char *lp_smb_passwd_file(void);
> > --const char *lp_private_dir(void);
> > --char *lp_serverstring(TALLOC_CTX *ctx);
> > --int lp_printcap_cache_time(void);
> > --char *lp_addport_cmd(TALLOC_CTX *ctx);
> > --char *lp_enumports_cmd(TALLOC_CTX *ctx);
> > --char *lp_addprinter_cmd(TALLOC_CTX *ctx);
> > --char *lp_deleteprinter_cmd(TALLOC_CTX *ctx);
> > --char *lp_os2_driver_map(TALLOC_CTX *ctx);
> > --const char *lp_lockdir(void);
> > - const char *lp_statedir(void);
> > - const char *lp_cachedir(void);
> > --const char *lp_piddir(void);
> > --char *lp_mangling_method(TALLOC_CTX *ctx);
> > --int lp_mangle_prefix(void);
> > --const char *lp_utmpdir(void);
> > --const char *lp_wtmpdir(void);
> > --bool lp_utmp(void);
> > --char *lp_rootdir(TALLOC_CTX *ctx);
> > --char *lp_defaultservice(TALLOC_CTX *ctx);
> > --char *lp_msg_command(TALLOC_CTX *ctx);
> > --char *lp_get_quota_command(TALLOC_CTX *ctx);
> > --char *lp_set_quota_command(TALLOC_CTX *ctx);
> > --char *lp_auto_services(TALLOC_CTX *ctx);
> > --char *lp_passwd_program(TALLOC_CTX *ctx);
> > --char *lp_passwd_chat(TALLOC_CTX *ctx);
> > --const char *lp_passwordserver(void);
> > --const char **lp_name_resolve_order(void);
> > --const char *lp_netbios_scope(void);
> > --const char *lp_netbios_name(void);
> > --const char *lp_workgroup(void);
> > --const char *lp_realm(void);
> > --const char *lp_dnsdomain(void);
> > --const char *lp_afs_username_map(void);
> > --int lp_afs_token_lifetime(void);
> > --char *lp_log_nt_token_command(TALLOC_CTX *ctx);
> > --char *lp_username_map(TALLOC_CTX *ctx);
> > --const char *lp_logon_script(void);
> > --const char *lp_logon_path(void);
> > --const char *lp_logon_drive(void);
> > --const char *lp_logon_home(void);
> > --char *lp_remote_announce(TALLOC_CTX *ctx);
> > --char *lp_remote_browse_sync(TALLOC_CTX *ctx);
> > --bool lp_nmbd_bind_explicit_broadcast(void);
> > --const char **lp_wins_server_list(void);
> > --const char **lp_interfaces(void);
> > --const char *lp_nbt_client_socket_address(void);
> > --char *lp_nis_home_map_name(TALLOC_CTX *ctx);
> > --const char **lp_netbios_aliases(void);
> > --const char *lp_passdb_backend(void);
> > --const char **lp_preload_modules(void);
> > --char *lp_panic_action(TALLOC_CTX *ctx);
> > --char *lp_adduser_script(TALLOC_CTX *ctx);
> > --char *lp_renameuser_script(TALLOC_CTX *ctx);
> > --char *lp_deluser_script(TALLOC_CTX *ctx);
> > --const char *lp_guestaccount(void);
> > --char *lp_addgroup_script(TALLOC_CTX *ctx);
> > --char *lp_delgroup_script(TALLOC_CTX *ctx);
> > --char *lp_addusertogroup_script(TALLOC_CTX *ctx);
> > --char *lp_deluserfromgroup_script(TALLOC_CTX *ctx);
> > --char *lp_setprimarygroup_script(TALLOC_CTX *ctx);
> > --char *lp_addmachine_script(TALLOC_CTX *ctx);
> > --char *lp_shutdown_script(TALLOC_CTX *ctx);
> > --char *lp_abort_shutdown_script(TALLOC_CTX *ctx);
> > --char *lp_username_map_script(TALLOC_CTX *ctx);
> > --int lp_username_map_cache_time(void);
> > --char *lp_check_password_script(TALLOC_CTX *ctx);
> > --char *lp_wins_hook(TALLOC_CTX *ctx);
> > --const char *lp_template_homedir(void);
> > --const char *lp_template_shell(void);
> > --const char *lp_winbind_separator(void);
> > --const char *lp_winbindd_socket_directory(void);
> > --bool lp_winbind_enum_users(void);
> > --bool lp_winbind_enum_groups(void);
> > --bool lp_winbind_use_default_domain(void);
> > --bool lp_winbind_trusted_domains_only(void);
> > --bool lp_winbind_nested_groups(void);
> > --int lp_winbind_expand_groups(void);
> > --bool lp_winbind_refresh_tickets(void);
> > --bool lp_winbind_offline_logon(void);
> > --bool lp_winbind_normalize_names(void);
> > --bool lp_winbind_rpc_only(void);
> > --bool lp_create_krb5_conf(void);
> > - int lp_winbind_max_domain_connections(void);
> > --int lp_idmap_cache_time(void);
> > --int lp_idmap_negative_cache_time(void);
> > - bool lp_idmap_range(const char *domain_name, uint32_t *low, uint32_t *high);
> > - bool lp_idmap_default_range(uint32_t *low, uint32_t *high);
> > - const char *lp_idmap_backend(const char *domain_name);
> > - const char *lp_idmap_default_backend (void);
> > --int lp_keepalive(void);
> > --bool lp_passdb_expand_explicit(void);
> > --char *lp_ldap_suffix(TALLOC_CTX *ctx);
> > --char *lp_ldap_admin_dn(TALLOC_CTX *ctx);
> > --int lp_ldap_ssl(void);
> > --bool lp_ldap_ssl_ads(void);
> > --int lp_ldap_deref(void);
> > --int lp_ldap_follow_referral(void);
> > --int lp_ldap_passwd_sync(void);
> > --bool lp_ldap_delete_dn(void);
> > --int lp_ldap_replication_sleep(void);
> > --int lp_ldap_timeout(void);
> > --int lp_ldap_connection_timeout(void);
> > --int lp_ldap_page_size(void);
> > --int lp_ldap_debug_level(void);
> > --int lp_ldap_debug_threshold(void);
> > --char *lp_add_share_cmd(TALLOC_CTX *ctx);
> > --char *lp_change_share_cmd(TALLOC_CTX *ctx);
> > --char *lp_delete_share_cmd(TALLOC_CTX *ctx);
> > --char *lp_usershare_path(TALLOC_CTX *ctx);
> > --const char **lp_usershare_prefix_allow_list(void);
> > --const char **lp_usershare_prefix_deny_list(void);
> > --const char **lp_eventlog_list(void);
> > --bool lp_registry_shares(void);
> > --bool lp_usershare_allow_guests(void);
> > --bool lp_usershare_owner_only(void);
> > --bool lp_disable_netbios(void);
> > --bool lp_reset_on_zero_vc(void);
> > --bool lp_log_writeable_files_on_exit(void);
> > --bool lp_ms_add_printer_wizard(void);
> > --bool lp_wins_dns_proxy(void);
> > --bool lp_we_are_a_wins_server(void);
> > --bool lp_wins_proxy(void);
> > --bool lp_local_master(void);
> > --const char **lp_init_logon_delayed_hosts(void);
> > --int lp_init_logon_delay(void);
> > --bool lp_load_printers(void);
> > - bool lp_readraw(void);
> > --bool lp_large_readwrite(void);
> > - bool lp_writeraw(void);
> > --bool lp_null_passwords(void);
> > --bool lp_obey_pam_restrictions(void);
> > --bool lp_encrypted_passwords(void);
> > --int lp_client_schannel(void);
> > --int lp_server_schannel(void);
> > --bool lp_syslog_only(void);
> > --bool lp_timestamp_logs(void);
> > --bool lp_debug_prefix_timestamp(void);
> > --bool lp_debug_hires_timestamp(void);
> > --bool lp_debug_pid(void);
> > --bool lp_debug_uid(void);
> > --bool lp_debug_class(void);
> > --bool lp_enable_core_files(void);
> > --bool lp_browse_list(void);
> > --bool lp_nis_home_map(void);
> > --bool lp_bind_interfaces_only(void);
> > --bool lp_pam_password_change(void);
> > --bool lp_unix_password_sync(void);
> > --bool lp_passwd_chat_debug(void);
> > --int lp_passwd_chat_timeout(void);
> > --bool lp_nt_pipe_support(void);
> > --bool lp_nt_status_support(void);
> > --bool lp_stat_cache(void);
> > --int lp_max_stat_cache_size(void);
> > --bool lp_allow_trusted_domains(void);
> > --bool lp_map_untrusted_to_domain(void);
> > --int lp_restrict_anonymous(void);
> > --bool lp_lanman_auth(void);
> > --bool lp_ntlm_auth(void);
> > --bool lp_client_plaintext_auth(void);
> > --bool lp_client_lanman_auth(void);
> > --bool lp_client_ntlmv2_auth(void);
> > --bool lp_host_msdfs(void);
> > --bool lp_enhanced_browsing(void);
> > --bool lp_use_mmap(void);
> > --bool lp_use_ntdb(void);
> > --bool lp_unix_extensions(void);
> > --bool lp_unicode(void);
> > --bool lp_use_spnego(void);
> > --bool lp_client_use_spnego(void);
> > --bool lp_client_use_spnego_principal(void);
> > --bool lp_hostname_lookups(void);
> > --bool lp_change_notify(const struct share_params *p );
> > --bool lp_kernel_change_notify(const struct share_params *p );
> > --const char * lp_dedicated_keytab_file(void);
> > --int lp_kerberos_method(void);
> > --bool lp_defer_sharing_violations(void);
> > --bool lp_enable_privileges(void);
> > --bool lp_enable_asu_support(void);
> > --int lp_os_level(void);
> > --int lp_max_ttl(void);
> > --int lp_max_wins_ttl(void);
> > --int lp_min_wins_ttl(void);
> > --int lp_max_log_size(void);
> > --int lp_max_open_files(void);
> > --int lp_open_files_db_hash_size(void);
> > --int lp_max_xmit(void);
> > --int lp_maxmux(void);
> > --int lp_passwordlevel(void);
> > --int lp_usernamelevel(void);
> > --int lp_deadtime(void);
> > --bool lp_getwd_cache(void);
> > --int lp_srv_maxprotocol(void);
> > --int lp_srv_minprotocol(void);
> > --int lp_cli_maxprotocol(void);
> > --int lp_cli_minprotocol(void);
> > - int lp_security(void);
> > --int lp__server_role(void);
> > --int lp__security(void);
> > --int lp__domain_master(void);
> > --bool lp__domain_logons(void);
> > --const char **lp_auth_methods(void);
> > --bool lp_paranoid_server_security(void);
> > --int lp_maxdisksize(void);
> > --int lp_lpqcachetime(void);
> > --int lp_max_smbd_processes(void);
> > --bool lp__disable_spoolss(void);
> > --int lp_syslog(void);
> > --int lp_lm_announce(void);
> > --int lp_lm_interval(void);
> > --int lp_machine_password_timeout(void);
> > --int lp_map_to_guest(void);
> > --int lp_oplock_break_wait_time(void);
> > --int lp_lock_spin_time(void);
> > --int lp_usershare_max_shares(void);
> > --const char *lp_socket_options(void);
> > --int lp_config_backend(void);
> > --int lp_smb2_max_read(void);
> > --int lp_smb2_max_write(void);
> > --int lp_smb2_max_trans(void);
> > - int lp_smb2_max_credits(void);
> > --char *lp_preexec(TALLOC_CTX *ctx, int );
> > --char *lp_postexec(TALLOC_CTX *ctx, int );
> > --char *lp_rootpreexec(TALLOC_CTX *ctx, int );
> > --char *lp_rootpostexec(TALLOC_CTX *ctx, int );
> > --char *lp_servicename(TALLOC_CTX *ctx, int );
> > --const char *lp_const_servicename(int );
> > --char *lp_pathname(TALLOC_CTX *ctx, int );
> > --char *lp_dontdescend(TALLOC_CTX *ctx, int );
> > --char *lp_username(TALLOC_CTX *ctx, int );
> > --const char **lp_invalid_users(int );
> > --const char **lp_valid_users(int );
> > --const char **lp_admin_users(int );
> > --const char **lp_svcctl_list(void);
> > --char *lp_cups_options(TALLOC_CTX *ctx, int );
> > --char *lp_cups_server(TALLOC_CTX *ctx);
> > - int lp_cups_encrypt(void);
> > --char *lp_iprint_server(TALLOC_CTX *ctx);
> > --int lp_cups_connection_timeout(void);
> > --const char *lp_ctdbd_socket(void);
> > --const char *_lp_ctdbd_socket(void);
> > --const char **lp_cluster_addresses(void);
> > --bool lp_clustering(void);
> > --int lp_ctdb_timeout(void);
> > --int lp_ctdb_locktime_warn_threshold(void);
> > --char *lp_printcommand(TALLOC_CTX *ctx, int );
> > --char *lp_lpqcommand(TALLOC_CTX *ctx, int );
> > --char *lp_lprmcommand(TALLOC_CTX *ctx, int );
> > --char *lp_lppausecommand(TALLOC_CTX *ctx, int );
> > --char *lp_lpresumecommand(TALLOC_CTX *ctx, int );
> > --char *lp_queuepausecommand(TALLOC_CTX *ctx, int );
> > --char *lp_queueresumecommand(TALLOC_CTX *ctx, int );
> > --const char *lp_printjob_username(int );
> > --const char **lp_hostsallow(int );
> > --const char **lp_hostsdeny(int );
> > --char *lp_magicscript(TALLOC_CTX *ctx, int );
> > --char *lp_magicoutput(TALLOC_CTX *ctx, int );
> > --char *lp_comment(TALLOC_CTX *ctx, int );
> > --char *lp_force_user(TALLOC_CTX *ctx, int );
> > --char *lp_force_group(TALLOC_CTX *ctx, int );
> > --const char **lp_readlist(int );
> > --const char **lp_writelist(int );
> > --char *lp_fstype(TALLOC_CTX *ctx, int );
> > --const char **lp_vfs_objects(int );
> > --char *lp_msdfs_proxy(TALLOC_CTX *ctx, int );
> > --char *lp_veto_files(TALLOC_CTX *ctx, int );
> > --char *lp_hide_files(TALLOC_CTX *ctx, int );
> > --char *lp_veto_oplocks(TALLOC_CTX *ctx, int );
> > --bool lp_msdfs_root(int );
> > --char *lp_aio_write_behind(TALLOC_CTX *ctx, int );
> > --char *lp_dfree_command(TALLOC_CTX *ctx, int );
> > --bool lp_autoloaded(int );
> > --bool lp_preexec_close(int );
> > --bool lp_rootpreexec_close(int );
> > --int lp_casesensitive(int );
> > --bool lp_preservecase(int );
> > --bool lp_shortpreservecase(int );
> > --bool lp_hide_dot_files(int );
> > --bool lp_hide_special_files(int );
> > --bool lp_hideunreadable(int );
> > --bool lp_hideunwriteable_files(int );
> > --bool lp_browseable(int );
> > --bool lp_access_based_share_enum(int );
> > --bool lp_readonly(int );
> > --bool lp_guest_ok(int );
> > --bool lp_guest_only(int );
> > --bool lp_administrative_share(int );
> > --bool lp_print_ok(int );
> > --bool lp_print_notify_backchannel(int );
> > --bool lp_map_hidden(int );
> > --bool lp_map_archive(int );
> > --bool lp_store_dos_attributes(int );
> > --bool lp_dmapi_support(int );
> > --bool lp_locking(const struct share_params *p );
> > --int lp_strict_locking(const struct share_params *p );
> > --bool lp_posix_locking(const struct share_params *p );
> > --bool lp_oplocks(int );
> > --bool lp_kernel_oplocks(int );
> > --bool lp_level2_oplocks(int );
> > --bool lp_kernel_share_modes(int);
> > --bool lp_onlyuser(int );
> > --bool lp_manglednames(const struct share_params *p );
> > --bool lp_allow_insecure_widelinks(void);
> > - bool lp_widelinks(int );
> > --bool lp_symlinks(int );
> > --bool lp_syncalways(int );
> > --bool lp_strict_allocate(int );
> > --bool lp_strict_sync(int );
> > --bool lp_map_system(int );
> > --bool lp_delete_readonly(int );
> > --bool lp_fake_oplocks(int );
> > --bool lp_recursive_veto_delete(int );
> > --bool lp_dos_filemode(int );
> > --bool lp_dos_filetimes(int );
> > --bool lp_dos_filetime_resolution(int );
> > --bool lp_fake_dir_create_times(int);
> > --bool lp_async_smb_echo_handler(void);
> > --bool lp_multicast_dns_register(void);
> > --bool lp_blocking_locks(int );
> > --bool lp_inherit_perms(int );
> > --bool lp_inherit_acls(int );
> > --bool lp_inherit_owner(int );
> > --bool lp_use_client_driver(int );
> > --bool lp_default_devmode(int );
> > --bool lp_force_printername(int );
> > --bool lp_nt_acl_support(int );
> > --bool lp_force_unknown_acl_user(int );
> > --bool lp_ea_support(int );
> > --bool lp__use_sendfile(int );
> > --bool lp_profile_acls(int );
> > --bool lp_map_acl_inherit(int );
> > --bool lp_afs_share(int );
> > --bool lp_acl_check_permissions(int );
> > --bool lp_acl_group_control(int );
> > --bool lp_acl_map_full_control(int );
> > --bool lp_acl_allow_execute_always(int);
> > --bool lp_durable_handles(int);
> > --int lp_create_mask(int );
> > --int lp_force_create_mode(int );
> > --int lp_dir_mask(int );
> > --int lp_force_dir_mode(int );
> > --int lp_max_connections(int );
> > --int lp_defaultcase(int );
> > --int lp_minprintspace(int );
> > --int lp_printing(int );
> > --int lp_max_reported_jobs(int );
> > --int lp_oplock_contention_limit(int );
> > --int lp_csc_policy(int );
> > --int lp_write_cache_size(int );
> > --int lp_block_size(int );
> > --int lp_dfree_cache_time(int );
> > --int lp_allocation_roundup_size(int );
> > --int lp_aio_read_size(int );
> > --int lp_aio_write_size(int );
> > --int lp_map_readonly(int );
> > --int lp_directory_name_cache_size(int );
> > --int lp_smb_encrypt(int );
> > --char lp_magicchar(const struct share_params *p );
> > --int lp_winbind_cache_time(void);
> > --int lp_winbind_reconnect_delay(void);
> > --int lp_winbind_request_timeout(void);
> > --int lp_winbind_max_clients(void);
> > --const char **lp_winbind_nss_info(void);
> > --int lp_algorithmic_rid_base(void);
> > --int lp_name_cache_timeout(void);
> > --int lp_client_signing(void);
> > --int lp_server_signing(void);
> > --int lp_client_ldap_sasl_wrapping(void);
> > -+
> > - char *lp_parm_talloc_string(TALLOC_CTX *ctx, int snum, const char *type, const char *option, const char *def);
> > - const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def);
> > - struct loadparm_service;
> > ---
> > -1.9.3
> > -
> > -
> > -From 5d2278756b5a7372106cbdf9b8d66fb8a0cf5033 Mon Sep 17 00:00:00 2001
> > -From: Andrew Bartlett <abartlet@samba.org>
> > -Date: Wed, 16 Oct 2013 14:45:31 +1300
> > -Subject: [PATCH 121/249] lib/param: Add documentation on how loadparm works
> > -
> > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Volker Lendecke <vl@samba.org>
> > ----
> > - lib/param/README | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > - 1 file changed, 69 insertions(+)
> > -
> > -diff --git a/lib/param/README b/lib/param/README
> > -index 403a217..b567d71 100644
> > ---- a/lib/param/README
> > -+++ b/lib/param/README
> > -@@ -1,4 +1,73 @@
> > -+libsamba-hostconfig
> > -+-------------------
> > -+
> > - This directory contains "libsamba-hostconfig".
> > -
> > - The libsamba-hostconfig library provides access to all host-wide configuration
> > - such as the configured shares, default parameter values and host secret keys.
> > -+
> > -+
> > -+Adding a parameter
> > -+------------------
> > -+
> > -+To add or change an smb.conf option, you only have to modify
> > -+lib/param/param_table.c and lib/param/param_functions.c. The rest is
> > -+generated for you.
> > -+
> > -+
> > -+Using smb.conf parameters in the code
> > -+-------------------------------------
> > -+
> > -+Call the lpcfg_*() function. To get the lp_ctx, have the caller pass
> > -+it to you. To get a lp_ctx for the source3/param loadparm system, use:
> > -+
> > -+struct loadparm_context *lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers());
> > -+
> > -+Remember to talloc_unlink(tmp_ctx, lp_ctx) the result when you are done!
> > -+
> > -+To get a lp_ctx for the lib/param loadparm system, typically the
> > -+pointer is already set up by popt at startup, and is passed down from
> > -+cmdline_lp_ctx.
> > -+
> > -+In pure source3/ code, you may use lp_*() functions, but are
> > -+encouraged to use the lpcfg_*() functions so that code can be made
> > -+common.
> > -+
> > -+
> > -+How does loadparm_init_s3() work?
> > -+---------------------------------
> > -+
> > -+loadparm_s3_helpers() returns a initialised table of function
> > -+pointers, pointing at all global lp_*() functions, except for those
> > -+that return substituted strings (% macros). The lpcfg_*() function
> > -+then calls this plugged in function, allowing the one function and
> > -+pattern to use either loadparm system.
> > -+
> > -+
> > -+There is a lot of generated code, here, what generates what?
> > -+------------------------------------------------------------
> > -+
> > -+The regular format of the CPP macros in param_functions.c is used to
> > -+generate up the prototypes (mkproto.pl, mks3param_proto.pl), the service
> > -+and globals table (mkparamdefs.pl), the glue table (mmks3param.pl) and
> > -+the initilisation of the glue table (mks3param_ctx_table.pl).
> > -+
> > -+I have tried combining some of these, but it just makes the scripts more
> > -+complex.
> > -+
> > -+The CPP macros are defined in and expand in lib/param/loadparm.c and
> > -+source3/param/loadparm.c to read the values from the generated
> > -+stuctures. They are CPP #included into these files so that the same
> > -+macro has two definitions, depending on the system it is loading into.
> > -+
> > -+
> > -+Why was this done, rather than a 'proper' fix, or just using one system or the other?
> > -+-------------------------------------------------------------------------------------
> > -+
> > -+This was done to allow merging from both ends - merging more parts of
> > -+the loadparm handling, and merging code that needs to read the
> > -+smb.conf, without having to do it all at once. Ideally
> > -+param_functions.c would be generated from param_table.c or (even
> > -+better) our XML manpage source, and the CPP macros would instead be
> > -+generated expanded as generated C files, but this is a task nobody has
> > -+taken on yet.
> > ---
> > -1.9.3
> > -
> > -
> > -From 7734a867500f5b7415f818077229f74486101c51 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 12 Aug 2013 08:19:08 +0200
> > -Subject: [PATCH 122/249] librpc/rpc: add dcerpc_binding_handle_auth_info()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - librpc/rpc/binding_handle.c | 25 +++++++++++++++++++++++++
> > - librpc/rpc/rpc_common.h | 8 ++++++++
> > - 2 files changed, 33 insertions(+)
> > -
> > -diff --git a/librpc/rpc/binding_handle.c b/librpc/rpc/binding_handle.c
> > -index 9354bbd..714baa7 100644
> > ---- a/librpc/rpc/binding_handle.c
> > -+++ b/librpc/rpc/binding_handle.c
> > -@@ -98,6 +98,31 @@ uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
> > - return h->ops->set_timeout(h, timeout);
> > - }
> > -
> > -+void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
> > -+ enum dcerpc_AuthType *auth_type,
> > -+ enum dcerpc_AuthLevel *auth_level)
> > -+{
> > -+ enum dcerpc_AuthType _auth_type;
> > -+ enum dcerpc_AuthLevel _auth_level;
> > -+
> > -+ if (auth_type == NULL) {
> > -+ auth_type = &_auth_type;
> > -+ }
> > -+
> > -+ if (auth_level == NULL) {
> > -+ auth_level = &_auth_level;
> > -+ }
> > -+
> > -+ *auth_type = DCERPC_AUTH_TYPE_NONE;
> > -+ *auth_level = DCERPC_AUTH_LEVEL_NONE;
> > -+
> > -+ if (h->ops->auth_info == NULL) {
> > -+ return;
> > -+ }
> > -+
> > -+ h->ops->auth_info(h, auth_type, auth_level);
> > -+}
> > -+
> > - struct dcerpc_binding_handle_raw_call_state {
> > - const struct dcerpc_binding_handle_ops *ops;
> > - uint8_t *out_data;
> > -diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
> > -index d2816f5..978229e 100644
> > ---- a/librpc/rpc/rpc_common.h
> > -+++ b/librpc/rpc/rpc_common.h
> > -@@ -189,6 +189,10 @@ struct dcerpc_binding_handle_ops {
> > - uint32_t (*set_timeout)(struct dcerpc_binding_handle *h,
> > - uint32_t timeout);
> > -
> > -+ void (*auth_info)(struct dcerpc_binding_handle *h,
> > -+ enum dcerpc_AuthType *auth_type,
> > -+ enum dcerpc_AuthLevel *auth_level);
> > -+
> > - struct tevent_req *(*raw_call_send)(TALLOC_CTX *mem_ctx,
> > - struct tevent_context *ev,
> > - struct dcerpc_binding_handle *h,
> > -@@ -259,6 +263,10 @@ bool dcerpc_binding_handle_is_connected(struct dcerpc_binding_handle *h);
> > - uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
> > - uint32_t timeout);
> > -
> > -+void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
> > -+ enum dcerpc_AuthType *auth_type,
> > -+ enum dcerpc_AuthLevel *auth_level);
> > -+
> > - struct tevent_req *dcerpc_binding_handle_raw_call_send(TALLOC_CTX *mem_ctx,
> > - struct tevent_context *ev,
> > - struct dcerpc_binding_handle *h,
> > ---
> > -1.9.3
> > -
> > -
> > -From 04a9531474630c62c3f717e251d9f1469013f5ae Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 12 Aug 2013 08:19:35 +0200
> > -Subject: [PATCH 123/249] s3:rpc_client: implement
> > - dcerpc_binding_handle_auth_info()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source3/rpc_client/cli_pipe.c | 20 ++++++++++++++++++++
> > - 1 file changed, 20 insertions(+)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 64e7f1c..a343997 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -1867,6 +1867,25 @@ static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
> > - return rpccli_set_timeout(hs->rpc_cli, timeout);
> > - }
> > -
> > -+static void rpccli_bh_auth_info(struct dcerpc_binding_handle *h,
> > -+ enum dcerpc_AuthType *auth_type,
> > -+ enum dcerpc_AuthLevel *auth_level)
> > -+{
> > -+ struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
> > -+ struct rpccli_bh_state);
> > -+
> > -+ if (hs->rpc_cli == NULL) {
> > -+ return;
> > -+ }
> > -+
> > -+ if (hs->rpc_cli->auth == NULL) {
> > -+ return;
> > -+ }
> > -+
> > -+ *auth_type = hs->rpc_cli->auth->auth_type;
> > -+ *auth_level = hs->rpc_cli->auth->auth_level;
> > -+}
> > -+
> > - struct rpccli_bh_raw_call_state {
> > - DATA_BLOB in_data;
> > - DATA_BLOB out_data;
> > -@@ -2046,6 +2065,7 @@ static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
> > - .name = "rpccli",
> > - .is_connected = rpccli_bh_is_connected,
> > - .set_timeout = rpccli_bh_set_timeout,
> > -+ .auth_info = rpccli_bh_auth_info,
> > - .raw_call_send = rpccli_bh_raw_call_send,
> > - .raw_call_recv = rpccli_bh_raw_call_recv,
> > - .disconnect_send = rpccli_bh_disconnect_send,
> > ---
> > -1.9.3
> > -
> > -
> > -From 1db891bac30bb6c3bb0a022c5d1529a9f001237d Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 12 Aug 2013 08:19:57 +0200
> > -Subject: [PATCH 124/249] s4:librpc: implement
> > - dcerpc_binding_handle_auth_info()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source4/librpc/rpc/dcerpc.c | 24 ++++++++++++++++++++++++
> > - 1 file changed, 24 insertions(+)
> > -
> > -diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
> > -index 2826160..56b821e 100644
> > ---- a/source4/librpc/rpc/dcerpc.c
> > -+++ b/source4/librpc/rpc/dcerpc.c
> > -@@ -200,6 +200,29 @@ static uint32_t dcerpc_bh_set_timeout(struct dcerpc_binding_handle *h,
> > - return old;
> > - }
> > -
> > -+static void dcerpc_bh_auth_info(struct dcerpc_binding_handle *h,
> > -+ enum dcerpc_AuthType *auth_type,
> > -+ enum dcerpc_AuthLevel *auth_level)
> > -+{
> > -+ struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
> > -+ struct dcerpc_bh_state);
> > -+
> > -+ if (hs->p == NULL) {
> > -+ return;
> > -+ }
> > -+
> > -+ if (hs->p->conn == NULL) {
> > -+ return;
> > -+ }
> > -+
> > -+ if (hs->p->conn->security_state.auth_info == NULL) {
> > -+ return;
> > -+ }
> > -+
> > -+ *auth_type = hs->p->conn->security_state.auth_info->auth_type;
> > -+ *auth_level = hs->p->conn->security_state.auth_info->auth_level;
> > -+}
> > -+
> > - struct dcerpc_bh_raw_call_state {
> > - struct tevent_context *ev;
> > - struct dcerpc_binding_handle *h;
> > -@@ -552,6 +575,7 @@ static const struct dcerpc_binding_handle_ops dcerpc_bh_ops = {
> > - .name = "dcerpc",
> > - .is_connected = dcerpc_bh_is_connected,
> > - .set_timeout = dcerpc_bh_set_timeout,
> > -+ .auth_info = dcerpc_bh_auth_info,
> > - .raw_call_send = dcerpc_bh_raw_call_send,
> > - .raw_call_recv = dcerpc_bh_raw_call_recv,
> > - .disconnect_send = dcerpc_bh_disconnect_send,
> > ---
> > -1.9.3
> > -
> > -
> > -From 76304ed57d561eb89dceb3881236a78209dd592c Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 17 Sep 2013 04:25:39 +0200
> > -Subject: [PATCH 125/249] s3:winbindd: don't hide the error in cm_connect_lsa()
> > -
> > -We should not overwrite the error with NT_STATUS_PIPE_NOT_AVAILABLE.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source3/winbindd/winbindd_cm.c | 1 -
> > - 1 file changed, 1 deletion(-)
> > -
> > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > -index d868826..c4f59d3 100644
> > ---- a/source3/winbindd/winbindd_cm.c
> > -+++ b/source3/winbindd/winbindd_cm.c
> > -@@ -2677,7 +2677,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - &ndr_table_lsarpc,
> > - &conn->lsa_pipe);
> > - if (!NT_STATUS_IS_OK(result)) {
> > -- result = NT_STATUS_PIPE_NOT_AVAILABLE;
> > - goto done;
> > - }
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 9948366e88b1d11127317008c79a2f7182a34d65 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 2 Sep 2013 09:24:42 +0200
> > -Subject: [PATCH 126/249] s3:include: add forward declaration for struct
> > - messaging_context; in g_lock.h
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source3/include/g_lock.h | 1 +
> > - 1 file changed, 1 insertion(+)
> > -
> > -diff --git a/source3/include/g_lock.h b/source3/include/g_lock.h
> > -index 004c452..f513349 100644
> > ---- a/source3/include/g_lock.h
> > -+++ b/source3/include/g_lock.h
> > -@@ -23,6 +23,7 @@
> > - #include "dbwrap/dbwrap.h"
> > -
> > - struct g_lock_ctx;
> > -+struct messaging_context;
> > -
> > - enum g_lock_type {
> > - G_LOCK_READ = 0,
> > ---
> > -1.9.3
> > -
> > -
> > -From 4c30267e3c26cb065b908ff396ca21937fc870c4 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 2 Sep 2013 19:29:05 +0200
> > -Subject: [PATCH 127/249] s3:include: fix messaging_send_buf() protype in
> > - messages.h
> > -
> > -The function already used 'uint8_t' instead of 'uint8'.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source3/include/messages.h | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/source3/include/messages.h b/source3/include/messages.h
> > -index 09c39cc..50b2a84 100644
> > ---- a/source3/include/messages.h
> > -+++ b/source3/include/messages.h
> > -@@ -139,7 +139,7 @@ NTSTATUS messaging_send(struct messaging_context *msg_ctx,
> > -
> > - NTSTATUS messaging_send_buf(struct messaging_context *msg_ctx,
> > - struct server_id server, uint32_t msg_type,
> > -- const uint8 *buf, size_t len);
> > -+ const uint8_t *buf, size_t len);
> > - void messaging_dispatch_rec(struct messaging_context *msg_ctx,
> > - struct messaging_rec *rec);
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From ff45e4d1ca6cff9b2f329d18e98ebd4883639ed9 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 27 Aug 2013 12:09:51 +0200
> > -Subject: [PATCH 128/249] s3:auth_domain: remove dead code in
> > - check_trustdomain_security()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source3/auth/auth_domain.c | 22 ----------------------
> > - 1 file changed, 22 deletions(-)
> > -
> > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > -index 06078e2..9f88c4a 100644
> > ---- a/source3/auth/auth_domain.c
> > -+++ b/source3/auth/auth_domain.c
> > -@@ -378,8 +378,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
> > - struct auth_serversupplied_info **server_info)
> > - {
> > - NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
> > -- unsigned char trust_md4_password[16];
> > -- char *trust_password;
> > - fstring dc_name;
> > - struct sockaddr_storage dc_ss;
> > -
> > -@@ -408,26 +406,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
> > - if ( !is_trusted_domain( user_info->mapped.domain_name ) )
> > - return NT_STATUS_NOT_IMPLEMENTED;
> > -
> > -- /*
> > -- * Get the trusted account password for the trusted domain
> > -- * No need to become_root() as secrets_init() is done at startup.
> > -- */
> > --
> > -- if (!pdb_get_trusteddom_pw(user_info->mapped.domain_name, &trust_password,
> > -- NULL, NULL)) {
> > -- DEBUG(0, ("check_trustdomain_security: could not fetch trust "
> > -- "account password for domain %s\n",
> > -- user_info->mapped.domain_name));
> > -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > -- }
> > --
> > --#ifdef DEBUG_PASSWORD
> > -- DEBUG(100, ("Trust password for domain %s is %s\n", user_info->mapped.domain_name,
> > -- trust_password));
> > --#endif
> > -- E_md4hash(trust_password, trust_md4_password);
> > -- SAFE_FREE(trust_password);
> > --
> > - /* use get_dc_name() for consistency even through we know that it will be
> > - a netbios name */
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From d9160b0834f74508b711eeec0354aa43d5a1b215 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 2 Sep 2013 20:18:39 +0200
> > -Subject: [PATCH 129/249] s3:libsmb: remove unused
> > - change_trust_account_password()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source3/include/proto.h | 1 -
> > - source3/libsmb/trusts_util.c | 72 --------------------------------------------
> > - 2 files changed, 73 deletions(-)
> > -
> > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > -index 5e068d2..a40d3c1 100644
> > ---- a/source3/include/proto.h
> > -+++ b/source3/include/proto.h
> > -@@ -989,7 +989,6 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
> > - NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > - TALLOC_CTX *mem_ctx,
> > - const char *domain) ;
> > --NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine);
> > -
> > - /* The following definitions come from param/loadparm.c */
> > -
> > -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> > -index 6156ba0..8a0e53d 100644
> > ---- a/source3/libsmb/trusts_util.c
> > -+++ b/source3/libsmb/trusts_util.c
> > -@@ -135,75 +135,3 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > - sec_channel_type);
> > - }
> > -
> > --NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine)
> > --{
> > -- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
> > -- struct sockaddr_storage pdc_ss;
> > -- fstring dc_name;
> > -- struct cli_state *cli = NULL;
> > -- struct rpc_pipe_client *netlogon_pipe = NULL;
> > --
> > -- DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
> > -- domain));
> > --
> > -- if (remote_machine == NULL || !strcmp(remote_machine, "*")) {
> > -- /* Use the PDC *only* for this */
> > --
> > -- if ( !get_pdc_ip(domain, &pdc_ss) ) {
> > -- DEBUG(0,("Can't get IP for PDC for domain %s\n", domain));
> > -- goto failed;
> > -- }
> > --
> > -- if ( !name_status_find( domain, 0x1b, 0x20, &pdc_ss, dc_name) )
> > -- goto failed;
> > -- } else {
> > -- /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
> > -- fstrcpy( dc_name, remote_machine );
> > -- }
> > --
> > -- /* if this next call fails, then give up. We can't do
> > -- password changes on BDC's --jerry */
> > --
> > -- if (!NT_STATUS_IS_OK(cli_full_connection(&cli, lp_netbios_name(), dc_name,
> > -- NULL, 0,
> > -- "IPC$", "IPC",
> > -- "", "",
> > -- "", 0, SMB_SIGNING_DEFAULT))) {
> > -- DEBUG(0,("modify_trust_password: Connection to %s failed!\n", dc_name));
> > -- nt_status = NT_STATUS_UNSUCCESSFUL;
> > -- goto failed;
> > -- }
> > --
> > -- /*
> > -- * Ok - we have an anonymous connection to the IPC$ share.
> > -- * Now start the NT Domain stuff :-).
> > -- */
> > --
> > -- /* Shouldn't we open this with schannel ? JRA. */
> > --
> > -- nt_status = cli_rpc_pipe_open_noauth(
> > -- cli, &ndr_table_netlogon, &netlogon_pipe);
> > -- if (!NT_STATUS_IS_OK(nt_status)) {
> > -- DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
> > -- dc_name, nt_errstr(nt_status)));
> > -- cli_shutdown(cli);
> > -- cli = NULL;
> > -- goto failed;
> > -- }
> > --
> > -- nt_status = trust_pw_find_change_and_store_it(
> > -- netlogon_pipe, netlogon_pipe, domain);
> > --
> > -- cli_shutdown(cli);
> > -- cli = NULL;
> > --
> > --failed:
> > -- if (!NT_STATUS_IS_OK(nt_status)) {
> > -- DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n",
> > -- current_timestring(talloc_tos(), False), domain));
> > -- }
> > -- else
> > -- DEBUG(5,("change_trust_account_password: sucess!\n"));
> > --
> > -- return nt_status;
> > --}
> > ---
> > -1.9.3
> > -
> > -
> > -From c6b50a3d8c382f19a8ae16428d557928438be464 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 2 Sep 2013 20:19:28 +0200
> > -Subject: [PATCH 130/249] s3:libsmb: inline trust_pw_change_and_store_it() into
> > - trust_pw_find_change_and_store_it()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source3/include/proto.h | 5 -----
> > - source3/libsmb/trusts_util.c | 50 +++++++++++++-------------------------------
> > - 2 files changed, 15 insertions(+), 40 deletions(-)
> > -
> > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > -index a40d3c1..216a377 100644
> > ---- a/source3/include/proto.h
> > -+++ b/source3/include/proto.h
> > -@@ -981,11 +981,6 @@ void update_trustdom_cache( void );
> > -
> > - /* The following definitions come from libsmb/trusts_util.c */
> > -
> > --NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
> > -- const char *domain,
> > -- const char *account_name,
> > -- unsigned char orig_trust_passwd_hash[16],
> > -- enum netr_SchannelType sec_channel_type);
> > - NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > - TALLOC_CTX *mem_ctx,
> > - const char *domain) ;
> > -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> > -index 8a0e53d..428e0c1 100644
> > ---- a/source3/libsmb/trusts_util.c
> > -+++ b/source3/libsmb/trusts_util.c
> > -@@ -29,20 +29,27 @@
> > -
> > - /*********************************************************
> > - Change the domain password on the PDC.
> > -- Store the password ourselves, but use the supplied password
> > -- Caller must have already setup the connection to the NETLOGON pipe
> > -+ Do most of the legwork ourselfs. Caller must have
> > -+ already setup the connection to the NETLOGON pipe
> > - **********************************************************/
> > -
> > --NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
> > -- const char *domain,
> > -- const char *account_name,
> > -- unsigned char orig_trust_passwd_hash[16],
> > -- enum netr_SchannelType sec_channel_type)
> > -+NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ const char *domain)
> > - {
> > -+ unsigned char old_trust_passwd_hash[16];
> > - unsigned char new_trust_passwd_hash[16];
> > -+ enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
> > -+ const char *account_name;
> > - char *new_trust_passwd;
> > - NTSTATUS nt_status;
> > -
> > -+ if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
> > -+ &sec_channel_type)) {
> > -+ DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
> > -+ return NT_STATUS_UNSUCCESSFUL;
> > -+ }
> > -+
> > - switch (sec_channel_type) {
> > - case SEC_CHAN_WKSTA:
> > - case SEC_CHAN_DOMAIN:
> > -@@ -64,7 +71,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
> > -
> > - nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
> > - account_name,
> > -- orig_trust_passwd_hash,
> > -+ old_trust_passwd_hash,
> > - new_trust_passwd,
> > - new_trust_passwd_hash,
> > - sec_channel_type);
> > -@@ -108,30 +115,3 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
> > -
> > - return nt_status;
> > - }
> > --
> > --/*********************************************************
> > -- Change the domain password on the PDC.
> > -- Do most of the legwork ourselfs. Caller must have
> > -- already setup the connection to the NETLOGON pipe
> > --**********************************************************/
> > --
> > --NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > -- TALLOC_CTX *mem_ctx,
> > -- const char *domain)
> > --{
> > -- unsigned char old_trust_passwd_hash[16];
> > -- enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
> > -- const char *account_name;
> > --
> > -- if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
> > -- &sec_channel_type)) {
> > -- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
> > -- return NT_STATUS_UNSUCCESSFUL;
> > -- }
> > --
> > -- return trust_pw_change_and_store_it(cli, mem_ctx, domain,
> > -- account_name,
> > -- old_trust_passwd_hash,
> > -- sec_channel_type);
> > --}
> > --
> > ---
> > -1.9.3
> > -
> > -
> > -From fdac5d6b0ed96f262830a3a923b9d2a42d7fd98d Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 20 Sep 2013 04:14:00 +0200
> > -Subject: [PATCH 131/249] s4:librpc: make dcerpc_schannel_key_send/recv static
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source4/librpc/rpc/dcerpc_schannel.c | 4 ++--
> > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
> > -index 130ebeb..cd62508 100644
> > ---- a/source4/librpc/rpc/dcerpc_schannel.c
> > -+++ b/source4/librpc/rpc/dcerpc_schannel.c
> > -@@ -306,7 +306,7 @@ static void continue_srv_auth2(struct tevent_req *subreq)
> > - Initiate establishing a schannel key using netlogon challenge
> > - on a secondary pipe
> > - */
> > --struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
> > -+static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
> > - struct dcerpc_pipe *p,
> > - struct cli_credentials *credentials,
> > - struct loadparm_context *lp_ctx)
> > -@@ -369,7 +369,7 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
> > - /*
> > - Receive result of schannel key request
> > - */
> > --NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
> > -+static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
> > - {
> > - NTSTATUS status = composite_wait(c);
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From de42a3f8b1a69a5abd5fb1a95e1c5f80ee68430e Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 20 Sep 2013 04:16:00 +0200
> > -Subject: [PATCH 132/249] s4:librpc: let dcerpc_schannel_key_recv() return
> > - netlogon_creds_CredentialState
> > -
> > -cli_credentials_set_netlogon_creds() should only be used directly before
> > -a DCERPC bind in order to pass the session information to the
> > -gensec layer.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source4/librpc/rpc/dcerpc_schannel.c | 24 +++++++++++++++---------
> > - 1 file changed, 15 insertions(+), 9 deletions(-)
> > -
> > -diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
> > -index cd62508..c4bedfa 100644
> > ---- a/source4/librpc/rpc/dcerpc_schannel.c
> > -+++ b/source4/librpc/rpc/dcerpc_schannel.c
> > -@@ -296,9 +296,6 @@ static void continue_srv_auth2(struct tevent_req *subreq)
> > - return;
> > - }
> > -
> > -- /* setup current netlogon credentials */
> > -- cli_credentials_set_netlogon_creds(s->credentials, s->creds);
> > --
> > - composite_done(c);
> > - }
> > -
> > -@@ -369,10 +366,19 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
> > - /*
> > - Receive result of schannel key request
> > - */
> > --static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
> > -+static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_CredentialState **creds)
> > - {
> > - NTSTATUS status = composite_wait(c);
> > --
> > -+
> > -+ if (NT_STATUS_IS_OK(status)) {
> > -+ struct schannel_key_state *s =
> > -+ talloc_get_type_abort(c->private_data,
> > -+ struct schannel_key_state);
> > -+ *creds = talloc_move(mem_ctx, &s->creds);
> > -+ }
> > -+
> > - talloc_free(c);
> > - return status;
> > - }
> > -@@ -410,13 +416,15 @@ static void continue_schannel_key(struct composite_context *ctx)
> > - NTSTATUS status;
> > -
> > - /* receive schannel key */
> > -- status = c->status = dcerpc_schannel_key_recv(ctx);
> > -+ status = c->status = dcerpc_schannel_key_recv(ctx, s, &s->creds_state);
> > - if (!composite_is_ok(c)) {
> > - DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
> > - return;
> > - }
> > -
> > - /* send bind auth request with received creds */
> > -+ cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
> > -+
> > - auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
> > - lpcfg_gensec_settings(c, s->lp_ctx),
> > - DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
> > -@@ -447,9 +455,6 @@ static void continue_bind_auth(struct composite_context *ctx)
> > - &ndr_table_netlogon.syntax_id)) {
> > - ZERO_STRUCT(s->return_auth);
> > -
> > -- s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
> > -- if (composite_nomem(s->creds_state, c)) return;
> > --
> > - s->save_creds_state = *s->creds_state;
> > - netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
> > -
> > -@@ -528,6 +533,7 @@ static void continue_get_capabilities(struct tevent_req *subreq)
> > - }
> > -
> > - *s->creds_state = s->save_creds_state;
> > -+ cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
> > -
> > - if (!NT_STATUS_IS_OK(s->c.out.result)) {
> > - composite_error(c, s->c.out.result);
> > ---
> > -1.9.3
> > -
> > -
> > -From f6a6e4e91b676461dc8b6dd5abca4120d9bf920a Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 20 Sep 2013 04:33:07 +0200
> > -Subject: [PATCH 133/249] auth:credentials: avoid talloc_reference in
> > - cli_credentials_set_netlogon_creds()
> > -
> > -Typically cli_credentials_set_netlogon_creds() should be used directly
> > -before the DCERPC bind. And cli_credentials_get_netlogon_creds()
> > -should be only used by the gensec layer, which only needs a copy.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - auth/credentials/credentials.c | 6 +++++-
> > - 1 file changed, 5 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > -index 57a7c0b..9ce38d0 100644
> > ---- a/auth/credentials/credentials.c
> > -+++ b/auth/credentials/credentials.c
> > -@@ -814,7 +814,11 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
> > - _PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
> > - struct netlogon_creds_CredentialState *netlogon_creds)
> > - {
> > -- cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
> > -+ TALLOC_FREE(cred->netlogon_creds);
> > -+ if (netlogon_creds == NULL) {
> > -+ return;
> > -+ }
> > -+ cred->netlogon_creds = netlogon_creds_copy(cred, netlogon_creds);
> > - }
> > -
> > - /**
> > ---
> > -1.9.3
> > -
> > -
> > -From 14b9bb276a798ad71776ebcb698afeeb44aa173a Mon Sep 17 00:00:00 2001
> > -From: Volker Lendecke <vl@samba.org>
> > -Date: Sat, 9 Nov 2013 19:14:15 +0100
> > -Subject: [PATCH 134/249] libsmb: Fix CID 1127343 Dead default in switch
> > -
> > -We have checked sec_channel_type a few lines above already
> > -
> > -Signed-off-by: Volker Lendecke <vl@samba.org>
> > -Reviewed-by: Ira Cooper <ira@samba.org>
> > -(cherry picked from commit 1cae867f72b79995a02eed96265fe9f69ce945da)
> > ----
> > - source3/libsmb/trusts_util.c | 2 --
> > - 1 file changed, 2 deletions(-)
> > -
> > -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> > -index 428e0c1..52fb481 100644
> > ---- a/source3/libsmb/trusts_util.c
> > -+++ b/source3/libsmb/trusts_util.c
> > -@@ -108,8 +108,6 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > - }
> > - break;
> > - }
> > -- default:
> > -- break;
> > - }
> > - }
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From efb32bbe25d534f69aca03e0945220cb5049c366 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 29 Nov 2013 09:46:01 +0100
> > -Subject: [PATCH 135/249] s3:rpc_server: use make_session_info_guest() directly
> > -
> > -This removes the useless static auth_anonymous_session_info() wrapper.
> > -
> > -auth_anonymous_session_info() is also a public function in source4.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit ae6720117ae5fb3c922486ce46e2b0d51e020301)
> > ----
> > - source3/rpc_server/rpc_server.c | 22 ++++++----------------
> > - 1 file changed, 6 insertions(+), 16 deletions(-)
> > -
> > -diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
> > -index de54ddc..c3a7f28 100644
> > ---- a/source3/rpc_server/rpc_server.c
> > -+++ b/source3/rpc_server/rpc_server.c
> > -@@ -37,19 +37,6 @@
> > - #define SERVER_TCP_LOW_PORT 1024
> > - #define SERVER_TCP_HIGH_PORT 1300
> > -
> > --static NTSTATUS auth_anonymous_session_info(TALLOC_CTX *mem_ctx,
> > -- struct auth_session_info **session_info)
> > --{
> > -- NTSTATUS status;
> > --
> > -- status = make_session_info_guest(mem_ctx, session_info);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > --
> > -- return NT_STATUS_OK;
> > --}
> > --
> > - /* Creates a pipes_struct and initializes it with the information
> > - * sent from the client */
> > - static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
> > -@@ -1067,11 +1054,14 @@ void dcerpc_ncacn_accept(struct tevent_context *ev_ctx,
> > - }
> > -
> > - if (ncacn_conn->session_info == NULL) {
> > -- status = auth_anonymous_session_info(ncacn_conn,
> > -- &ncacn_conn->session_info);
> > -+ /*
> > -+ * TODO: use auth_anonymous_session_info() here?
> > -+ */
> > -+ status = make_session_info_guest(ncacn_conn,
> > -+ &ncacn_conn->session_info);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(2, ("Failed to create "
> > -- "auth_anonymous_session_info - %s\n",
> > -+ "make_session_info_guest - %s\n",
> > - nt_errstr(status)));
> > - talloc_free(ncacn_conn);
> > - return;
> > ---
> > -1.9.3
> > -
> > -
> > -From 215d591403e63b785308ff5d6b2e3c87ad9ee408 Mon Sep 17 00:00:00 2001
> > -From: Garming Sam <garming@catalyst.net.nz>
> > -Date: Fri, 29 Nov 2013 16:51:08 +1300
> > -Subject: [PATCH 136/249] selftest: add new rpc client test
> > -
> > -Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
> > -
> > -Signed-off-by: Garming Sam <garming@catalyst.net.nz>
> > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 0e46205ff83d137ca486868e4376b258b6dfa1a2)
> > ----
> > - source3/script/tests/test_rpcclient_samlogon.sh | 27 +++++++++++++++++++++++++
> > - source3/selftest/tests.py | 2 ++
> > - 2 files changed, 29 insertions(+)
> > - create mode 100755 source3/script/tests/test_rpcclient_samlogon.sh
> > -
> > -diff --git a/source3/script/tests/test_rpcclient_samlogon.sh b/source3/script/tests/test_rpcclient_samlogon.sh
> > -new file mode 100755
> > -index 0000000..01af7f8
> > ---- /dev/null
> > -+++ b/source3/script/tests/test_rpcclient_samlogon.sh
> > -@@ -0,0 +1,27 @@
> > -+#!/bin/sh
> > -+
> > -+if [ $# -lt 3 ]; then
> > -+cat <<EOF
> > -+Usage: test_rpcclient_samlogon.sh USERNAME PASSWORD binding <rpcclient commands>
> > -+EOF
> > -+exit 1;
> > -+fi
> > -+
> > -+USERNAME="$1"
> > -+PASSWORD="$2"
> > -+shift 2
> > -+ADDARGS="$*"
> > -+
> > -+rpcclient_samlogon()
> > -+{
> > -+ $VALGRIND $BINDIR/rpcclient -U% -c "samlogon $USERNAME $PASSWORD;samlogon $USERNAME $PASSWORD" $@
> > -+}
> > -+
> > -+
> > -+incdir=`dirname $0`/../../../testprogs/blackbox
> > -+. $incdir/subunit.sh
> > -+testit "rpcclient dsenumdomtrusts" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "dsenumdomtrusts" || failed=`expr $failed + 1`
> > -+testit "rpcclient getdcsitecoverage" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "getdcsitecoverage" || failed=`expr $failed + 1`
> > -+testit "rpcclient samlogon" rpcclient_samlogon $ADDARGS || failed=`expr $failed +1`
> > -+
> > -+testok $0 $failed
> > -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
> > -index 85d67d6..f9cc3d1 100755
> > ---- a/source3/selftest/tests.py
> > -+++ b/source3/selftest/tests.py
> > -@@ -394,6 +394,8 @@ for s in signseal_options:
> > - plantestsuite("samba3.blackbox.rpcclient krb5 ncacn_np with [%s%s%s] " % (a, s, e), "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient.sh"),
> > - "$PREFIX/ktest/krb5_ccache-3", binding_string, "-k", configuration])
> > -
> > -+plantestsuite("samba3.blackbox.rpcclient_samlogon", "s3member:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"),
> > -+ "$DC_USERNAME", "$DC_PASSWORD", "ncacn_np:$DC_SERVER", configuration])
> > -
> > - options_list = ["", "-e"]
> > - for options in options_list:
> > ---
> > -1.9.3
> > -
> > -
> > -From 05251d449931c29a0bb0c0b8ad194253dc5b66cb Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 29 Nov 2013 08:45:38 +0100
> > -Subject: [PATCH 137/249] s3:rpcclient: close the connection if setting up the
> > - netlogon secure channel fails
> > -
> > -This is based on a patch from Garming Sam <garming@catalyst.net.nz>.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 2fae806550f3355298541a344b217bf810bf92e4)
> > ----
> > - source3/rpcclient/rpcclient.c | 5 +++++
> > - 1 file changed, 5 insertions(+)
> > -
> > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > -index cb7b70f..0cbec20 100644
> > ---- a/source3/rpcclient/rpcclient.c
> > -+++ b/source3/rpcclient/rpcclient.c
> > -@@ -768,6 +768,10 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - trust_password, &machine_account,
> > - &sec_channel_type))
> > - {
> > -+ DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
> > -+ get_cmdline_auth_info_domain(auth_info),
> > -+ cmd_entry->table->name));
> > -+ TALLOC_FREE(cmd_entry->rpc_pipe);
> > - talloc_free(mem_ctx);
> > - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > - }
> > -@@ -784,6 +788,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - if (!NT_STATUS_IS_OK(ntresult)) {
> > - DEBUG(0, ("Could not initialise credentials for %s.\n",
> > - cmd_entry->table->name));
> > -+ TALLOC_FREE(cmd_entry->rpc_pipe);
> > - talloc_free(mem_ctx);
> > - return ntresult;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From 8d3336b9a61a185a4194313fec338321fed6b151 Mon Sep 17 00:00:00 2001
> > -From: Garming Sam <garming@catalyst.net.nz>
> > -Date: Mon, 2 Dec 2013 13:20:39 +1300
> > -Subject: [PATCH 138/249] selftest: add new credential change test
> > -
> > -Signed-off-by: Garming Sam <garming@catalyst.net.nz>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 48820b95285f7dffd827143ba56f432f3e283a6f)
> > ----
> > - source3/script/tests/test_net_cred_change.sh | 16 ++++++++++++++++
> > - source3/selftest/tests.py | 3 +++
> > - 2 files changed, 19 insertions(+)
> > - create mode 100755 source3/script/tests/test_net_cred_change.sh
> > -
> > -diff --git a/source3/script/tests/test_net_cred_change.sh b/source3/script/tests/test_net_cred_change.sh
> > -new file mode 100755
> > -index 0000000..9013d07
> > ---- /dev/null
> > -+++ b/source3/script/tests/test_net_cred_change.sh
> > -@@ -0,0 +1,16 @@
> > -+#!/bin/sh
> > -+
> > -+if [ $# -lt 1 ]; then
> > -+cat <<EOF
> > -+Usage: test_net_cred_change.sh CONFIGURATION
> > -+EOF
> > -+exit 1;
> > -+fi
> > -+
> > -+incdir=`dirname $0`/../../../testprogs/blackbox
> > -+. $incdir/subunit.sh
> > -+testit "first change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
> > -+testit "first join" $VALGRIND $BINDIR/net rpc testjoin $@ || failed =`expr $failed + 1`
> > -+testit "second change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
> > -+
> > -+testok $0 $failed
> > -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
> > -index f9cc3d1..aac1bbb 100755
> > ---- a/source3/selftest/tests.py
> > -+++ b/source3/selftest/tests.py
> > -@@ -165,6 +165,9 @@ for env in ["s3dc", "member", "s3member"]:
> > -
> > - plantestsuite("samba3.ntlm_auth.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_s3.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', configuration])
> > -
> > -+for env in ["member", "s3member"]:
> > -+ plantestsuite("samba3.blackbox.net_cred_change.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_net_cred_change.sh"), configuration])
> > -+
> > - env = "s3member"
> > - t = "--krb5auth=$DOMAIN\\\\$DC_USERNAME%$DC_PASSWORD"
> > - plantestsuite("samba3.wbinfo_s3.(%s:local).%s" % (env, t), "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_wbinfo_s3.sh"), t])
> > ---
> > -1.9.3
> > -
> > -
> > -From 4b97cece12602437f3a2c9a395f5ed62cc00c0c4 Mon Sep 17 00:00:00 2001
> > -From: Garming Sam <garming@catalyst.net.nz>
> > -Date: Mon, 23 Dec 2013 17:12:39 +1300
> > -Subject: [PATCH 139/249] selftest: add rodc and other env tests for wbinfo
> > -
> > -Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
> > -Signed-off-by: Garming Sam <garming@catalyst.net.nz>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > -Autobuild-Date(master): Mon Dec 23 17:17:39 CET 2013 on sn-devel-104
> > -(cherry picked from commit 819e1f561df5074ae21db77c6558b34f4b0e1351)
> > ----
> > - source4/selftest/tests.py | 4 ++--
> > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
> > -index e738d1d9..c3a33c7 100755
> > ---- a/source4/selftest/tests.py
> > -+++ b/source4/selftest/tests.py
> > -@@ -309,8 +309,8 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
> > - plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
> > - plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
> > - plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
> > --plantestsuite("samba4.blackbox.wbinfo(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "dc"])
> > --plantestsuite("samba4.blackbox.wbinfo(s4member:local)", "s4member:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', "s4member"])
> > -+for env in ["dc", "s4member", "rodc", "promoted_dc"]:
> > -+ plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
> > - plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
> > - plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
> > - plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
> > ---
> > -1.9.3
> > -
> > -
> > -From 689deff949e8ce9b6aa900e7b0c714d5a025d516 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 17 Dec 2013 19:35:37 +0100
> > -Subject: [PATCH 140/249] libcli/auth: set the return_authenticator->timestamp
> > - = 0
> > -
> > -This is what windows returns, the value is ignored by the client anyway.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 202bcf9096e53d94b294936d6144ae77f1536b72)
> > ----
> > - libcli/auth/credentials.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > -index 1f664d3..197db86 100644
> > ---- a/libcli/auth/credentials.c
> > -+++ b/libcli/auth/credentials.c
> > -@@ -479,7 +479,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
> > - netlogon_creds_step(creds);
> > - if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
> > - return_authenticator->cred = creds->server;
> > -- return_authenticator->timestamp = creds->sequence;
> > -+ return_authenticator->timestamp = 0;
> > - return NT_STATUS_OK;
> > - } else {
> > - ZERO_STRUCTP(return_authenticator);
> > ---
> > -1.9.3
> > -
> > -
> > -From fe8a979787c9528bb3b403272be3dc6a313bbebd Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 17 Dec 2013 19:40:15 +0100
> > -Subject: [PATCH 141/249] libcli/auth: remove bogus comment regarding replay
> > - attacks
> > -
> > -creds->sequence (timestamp) is the value that is used to increment the internal
> > -state, it's not a real sequence number. The sequence comes
> > -from adding all timestamps of the whole session.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 636daac3b7b08ccb8845dab060157918d296ef67)
> > ----
> > - libcli/auth/credentials.c | 2 --
> > - 1 file changed, 2 deletions(-)
> > -
> > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > -index 197db86..afb4a04 100644
> > ---- a/libcli/auth/credentials.c
> > -+++ b/libcli/auth/credentials.c
> > -@@ -473,8 +473,6 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
> > - return NT_STATUS_ACCESS_DENIED;
> > - }
> > -
> > -- /* TODO: this may allow the a replay attack on a non-signed
> > -- connection. Should we check that this is increasing? */
> > - creds->sequence = received_authenticator->timestamp;
> > - netlogon_creds_step(creds);
> > - if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
> > ---
> > -1.9.3
> > -
> > -
> > -From 1f6a52bb1f756be05e28dc9e16725ac73b005d00 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 17 Dec 2013 19:55:12 +0100
> > -Subject: [PATCH 142/249] libcli/auth: try to use the current timestamp
> > - creds->sequence
> > -
> > -If the last usage of netlogon_creds_client_authenticator()
> > -is in the past try to use the current timestamp and increment
> > -more than just 2.
> > -
> > -If we use netlogon_creds_client_authenticator() a lot within a
> > -second, we increment keep incrementing by 2.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -
> > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > -Autobuild-Date(master): Tue Dec 24 13:18:18 CET 2013 on sn-devel-104
> > -(cherry picked from commit e6afeae69537f55ed187b28b60ad29b9e237ec6e)
> > ----
> > - libcli/auth/credentials.c | 22 ++++++++++++++++++++++
> > - 1 file changed, 22 insertions(+)
> > -
> > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > -index afb4a04..f52538a 100644
> > ---- a/libcli/auth/credentials.c
> > -+++ b/libcli/auth/credentials.c
> > -@@ -344,7 +344,29 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA
> > - void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
> > - struct netr_Authenticator *next)
> > - {
> > -+ uint32_t t32n = (uint32_t)time(NULL);
> > -+
> > -+ /*
> > -+ * we always increment and ignore an overflow here
> > -+ */
> > - creds->sequence += 2;
> > -+
> > -+ if (t32n > creds->sequence) {
> > -+ /*
> > -+ * we may increment more
> > -+ */
> > -+ creds->sequence = t32n;
> > -+ } else {
> > -+ uint32_t d = creds->sequence - t32n;
> > -+
> > -+ if (d >= INT32_MAX) {
> > -+ /*
> > -+ * got an overflow of time_t vs. uint32_t
> > -+ */
> > -+ creds->sequence = t32n;
> > -+ }
> > -+ }
> > -+
> > - netlogon_creds_step(creds);
> > -
> > - next->cred = creds->client;
> > ---
> > -1.9.3
> > -
> > -
> > -From 1cc32f5bf176a6daba93603a5b9aa4fc4fe42479 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 3 Jan 2014 12:56:38 +0100
> > -Subject: [PATCH 143/249] s4:selftest: run wbinfo tests at the end...
> > -
> > -This avoids flakey crashes in the promoted_dc environment.
> > -
> > -See the examples below, we had up to 50% of the daily build failing...
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -
> > -https://git.samba.org/autobuild.flakey/2013-12-23-1942/samba.stdout
> > -
> > - [1586/1594 in 1h39m20s] samba4.drs.fsmo.python(promoted_dc)
> > - Testing for schema role transfer from localdc.samba.example.com to PROMOTEDVDC.samba.example.com
> > - FSMO transfer of 'schema' role successful
> > - Testing for schema role transfer from PROMOTEDVDC.samba.example.com to localdc.samba.example.com
> > - ERROR: Failed to initiate transfer of 'schema' role: LDAP error 52 LDAP_UNAVAILABLE - <Failed FSMO transfer: WERR_DS_DRA_INTERNAL_ERROR> <>
> > - UNEXPECTED(failure): samba4.drs.fsmo.python(promoted_dc).fsmo.DrsFsmoTestCase.test_SchemaMasterTransfer(promoted_dc)
> > - REASON: _StringException: _StringException: Content-Type: text/x-traceback;charset=utf8,language=python
> > - traceback
> > - 380
> > -
> > -https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stdout
> > -
> > - [1583/1594 in 1h36m4s] samba.tests.blackbox.samba_tool_drs
> > - ERROR: Testsuite[samba.tests.blackbox.samba_tool_drs]
> > - REASON: unable to set up environment promoted_dc - exiting
> > -
> > -https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stderr
> > -
> > - Unable to convert 1.2.840.86419.1.5.9939 to an attid, and can_change_pfm=false!
> > - Unable to convert governsID on CN=test-class30318,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com to DRS object - WERR_NOT_FOUND
> > - ../source4/rpc_server/drsuapi/getncchanges.c:1646: DsGetNCChanges 2nd replication on different DN CN=Configuration,DC=samba,DC=example,DC=com CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com (last_dn CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com)
> > - ===============================================================
> > - INTERNAL ERROR: Signal 11 in pid 884274 (4.2.0pre1-DEVELOPERBUILD)
> > - Please read the Trouble-Shooting section of the Samba HOWTO
> > - ===============================================================
> > - smb_panic(): calling panic action [/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274]
> > - [Thread debugging using libthread_db enabled]
> > - 0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
> > - stat_loc=0x7fff67c7709c, options=<value optimized out>)
> > - at ../sysdeps/unix/sysv/linux/waitpid.c:32
> > - 32 ../sysdeps/unix/sysv/linux/waitpid.c: No such file or directory.
> > - in ../sysdeps/unix/sysv/linux/waitpid.c
> > - #0 0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
> > - stat_loc=0x7fff67c7709c, options=<value optimized out>)
> > - at ../sysdeps/unix/sysv/linux/waitpid.c:32
> > - oldtype = <value optimized out>
> > - result = <value optimized out>
> > - #1 0x00002af6b5baeb39 in do_system (line=<value optimized out>)
> > - at ../sysdeps/posix/system.c:149
> > - __result = -512
> > - _buffer = {__routine = 0x2af6b5baee90 <cancel_handler>,
> > - __arg = 0x7fff67c77098, __canceltype = 0, __prev = 0x0}
> > - _avail = 1
> > - status = <value optimized out>
> > - save = <value optimized out>
> > - pid = 886733
> > - sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1},
> > - sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0,
> > - sa_restorer = 0x2af6b5b730f0}
> > - omask = {__val = {7808, 4294967295, 140734934511616, 1, 2195512, 0,
> > - 0, 0, 47239032274944, 47239027992529, 140733193388033, 0, 0,
> > - 47239099003120, 140734934511792, 47239558787328}}
> > - #2 0x00002af6b311821f in smb_panic_default (
> > - why=0x2af6b312a875 "internal error") at ../lib/util/fault.c:134
> > - result = 32767
> > - pidstr = "884274\000\000\001\375\376\320\366*\000\000\260\377\377\377"
> > - cmdstring = "/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274\000\307g\377\177\000\000\001\000\000\000\000\000\000\000\320\301#", '\000' <repeats 30 times>"\240, \017\263\366*\000\000\321\247{\261\366*\000\000\001\000\000\000\005", '\000' <repeats 11 times>"\260, \016\v\321\366*\000\000X\351\017\263\366*\000\000\260q\307g\377\177\000\000\000\361\036\321\366*\000\000\020r\307g\377\177\000\000\240\301z\326\366*\000\000\000Z\304\320\366*\000"
> > - __FUNCTION__ = "smb_panic_default"
> > - #3 0x00002af6b31183b5 in smb_panic (why=0x2af6b312a875 "internal error")
> > - at ../lib/util/fault.c:162
> > - No locals.
> > - #4 0x00002af6b311809f in fault_report (sig=11) at ../lib/util/fault.c:77
> > - counter = 1
> > - __FUNCTION__ = "fault_report"
> > - #5 0x00002af6b31180b4 in sig_fault (sig=11) at ../lib/util/fault.c:88
> > - No locals.
> > - #6 <signal handler called>
> > - No symbol table info available.
> > - #7 0x00002af6cabef930 in replmd_check_urgent_objectclass (
> > - objectclass_el=0x0, situation=REPL_URGENT_ON_UPDATE)
> > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:205
> > - i = 2
> > - j = 0
> > - #8 0x00002af6cabf29b6 in replmd_update_rpmd (module=0x2af6b17f2c20,
> > - schema=0x2af6d05e5570, req=0x2af6d05e8ad0, rename_attrs=0x0,
> > - msg=0x2af6d11ef100, seq_num=0x2af6d0c315b8, t=1387895162,
> > - is_urgent=0x7fff67c778bf, rodc=0x7fff67c778be)
> > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1432
> > - omd_value = 0x7fff67c77810
> > - ndr_err = 3508465920
> > - omd = {version = 1741125552, reserved = 32767, ctr = {ctr1 = {
> > - count = 3008684740, reserved = 10998, array = 0x7fff67c777b0}}}
> > - i = 10998
> > - now = 130323687620000000
> > - our_invocation_id = 0x2af6d1796390
> > - ret = 0
> > - attrs = 0x7fff67c77750
> > - attrs1 = {0x2af6cabff775 "replPropertyMetaData", 0x2af6cabffc8b "*",
> > - 0x0}
> > - attrs2 = {0x2af6cabff76a "uSNChanged", 0x2af6cabffa98 "objectClass",
> > - 0x2af6cabffc8d "instanceType", 0x0}
> > - res = 0x2af6d10b0eb0
> > - ldb = 0x2af6b17f2470
> > - objectclass_el = 0x0
> > - situation = REPL_URGENT_ON_UPDATE
> > - rmd_is_provided = false
> > - __FUNCTION__ = "replmd_update_rpmd"
> > - #9 0x00002af6cabf5a06 in replmd_modify (module=0x2af6b17f2c20,
> > - req=0x2af6d05e8ad0)
> > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:2455
> > - msds_intid_struct = 0x2af6d05e8ad0
> > - ldb = 0x2af6b17f2470
> > - ac = 0x2af6d0c31580
> > - down_req = 0x2af6d0e6a100
> > - msg = 0x2af6d11ef100
> > - t = 1387895162
> > - ret = 1741125936
> > - is_urgent = false
> > - rodc = false
> > - functional_level = 3
> > - guid_blob = 0x0
> > - sd_propagation_control = 0x0
> > - #10 0x00002af6bf69f94d in dsdb_module_modify (module=0x2af6b17f2c20,
> > - message=0x2af6d1183fe0, dsdb_flags=4194304, parent=0x2af6ce6ea980)
> > - at ../source4/dsdb/samdb/ldb_modules/util.c:460
> > - ops = 0x2af6cae06b40
> > - mod_req = 0x2af6d05e8ad0
> > - ret = 0
> > - ldb = 0x2af6b17f2470
> > - tmp_ctx = 0x2af6d0ed62f0
> > - res = 0x2af6d0e6a100
> > - __FUNCTION__ = "dsdb_module_modify"
> > - #11 0x00002af6cabf7ebc in replmd_delete_internals (module=0x2af6b17f2c20,
> > - req=0x2af6ce6ea980, re_delete=true)
> > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3309
> > - ret = 0
> > - retb = true
> > - disallow_move_on_delete = false
> > - old_dn = 0x2af6d6a2a010
> > - new_dn = 0x2af6d0794a90
> > - rdn_name = 0x2af6d0885c10 "CN"
> > - rdn_value = 0x2af6d10d7368
> > - new_rdn_value = 0x2af6d0c45a00
> > - guid = {time_low = 48, time_mid = 0, time_hi_and_version = 0,
> > - clock_seq = "\200\251", node = "n\316\366*\000"}
> > - ldb = 0x2af6b17f2470
> > - schema = 0x2af6d05e5570
> > - msg = 0x2af6d1183fe0
> > - old_msg = 0x2af6d1902800
> > - el = 0x2af6d0874900
> > - tmp_ctx = 0x2af6d0b77560
> > - res = 0x2af6d0d57980
> > - parent_res = 0x30
> > - preserved_attrs = {0x2af6cac00fe1 "nTSecurityDescriptor",
> > - 0x2af6cac055c3 "attributeID", 0x2af6cac055cf "attributeSyntax",
> > - 0x2af6cac055df "dNReferenceUpdate", 0x2af6cac055f1 "dNSHostName",
> > - 0x2af6cac055fd "flatName", 0x2af6cac05606 "governsID",
> > - 0x2af6cac05610 "groupType", 0x2af6cabffc8d "instanceType",
> > - 0x2af6cac0561a "lDAPDisplayName",
> > - 0x2af6cac0562a "legacyExchangeDN", 0x2af6cabfe94d "isDeleted",
> > - 0x2af6cabfe957 "isRecycled", 0x2af6cac020f8 "lastKnownParent",
> > - 0x2af6cac021e8 "msDS-LastKnownRDN",
> > - 0x2af6cac0563b "mS-DS-CreatorSID", 0x2af6cac0564c "mSMQOwnerID",
> > - 0x2af6cac05658 "nCName", 0x2af6cabffa98 "objectClass",
> > - 0x2af6cac0565f "distinguishedName", 0x2af6cabff5b5 "objectGUID",
> > - 0x2af6cac05671 "objectSid", 0x2af6cac0567b "oMSyntax",
> > - 0x2af6cac05684 "proxiedObjectName", 0x2af6cac014d8 "name",
> > - 0x2af6cabff775 "replPropertyMetaData",
> > - 0x2af6cac05696 "sAMAccountName",
> > - 0x2af6cac056a5 "securityIdentifier", 0x2af6cac056b8 "sIDHistory",
> > - 0x2af6cac056c3 "subClassOf", 0x2af6cac01ba8 "systemFlags",
> > - 0x2af6cac056ce "trustPartner", 0x2af6cac056db "trustDirection",
> > - 0x2af6cac056ea "trustType", 0x2af6cac056f4 "trustAttributes",
> > - 0x2af6cabfe9b8 "userAccountControl", 0x2af6cabff76a "uSNChanged",
> > - 0x2af6cabff75f "uSNCreated", 0x2af6cabff747 "whenCreated",
> > - 0x2af6cabff753 "whenChanged", 0x0}
> > - i = 12
> > - el_count = 1
> > - deletion_state = OBJECT_TOMBSTONE
> > - next_deletion_state = OBJECT_TOMBSTONE
> > - __FUNCTION__ = "replmd_delete_internals"
> > - #12 0x00002af6cabfbbe3 in replmd_replicated_apply_isDeleted (
> > - ar=0x2af6d74c0b40)
> > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4718
> > - del_req = 0x2af6ce6ea980
> > - res = 0x2af6d0cdebf0
> > - tmp_ctx = 0x2af6d0949230
> > - deleted_objects_dn = 0x2af6d1a49f00
> > - msg = 0x2af6d0a39620
> > - ret = 0
> > - #13 0x00002af6cabf0766 in replmd_op_callback (req=0x2af6d05a21e0,
> > - ares=0x2af6d0d715c0)
> > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:526
> > - ret = 10998
> > - ac = 0x2af6d74c0b40
> > - replmd_private = 0x2af6b188c7c0
> > - modified_partition = 0x2af6d141b670
> > - partition_ctrl = 0x2af6d1905f40
> > - partition = 0x2af6ce6bdbe0
> > - controls = 0x0
> > - __FUNCTION__ = "replmd_op_callback"
> > - #14 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
> > - ctrls=0x2af6d1629aa0, response=0x0, error=0)
> > - at ../lib/ldb/common/ldb_modules.c:832
> > - ares = 0x2af6d0d715c0
> > - #15 0x00002af6cabf896b in replmd_op_possible_conflict_callback (
> > - req=0x2af6d05a21e0, ares=0x2af6b1883eb0,
> > - callback=0x2af6cabf0334 <replmd_op_callback>)
> > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3606
> > - conflict_dn = 0x2af6cac03470
> > - ar = 0x2af6d74c0b40
> > - res = 0x2af6b354f89b
> > - attrs = {0x2af6cabff775 "replPropertyMetaData",
> > - 0x2af6cabff5b5 "objectGUID", 0x0}
> > - ret = -682882240
> > - omd_value = 0x7fff67c77e20
> > - omd = {version = 1741127104, reserved = 32767, ctr = {ctr1 = {
> > - count = 0, reserved = 0, array = 0x28}}}
> > - rmd = 0x2af6d74c0ae0
> > - ndr_err = 10998
> > - rename_incoming_record = false
> > - rodc = false
> > - rmd_name = 0x7fff67c77e10
> > - omd_name = 0x2af6d74c0b40
> > - msg = 0x2af6b1883e50
> > - __FUNCTION__ = "replmd_op_possible_conflict_callback"
> > - #16 0x00002af6cabf93fb in replmd_op_add_callback (req=0x2af6d05a21e0,
> > - ares=0x2af6b1883eb0)
> > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3802
> > - ar = 0x2af6d74c0b40
> > - #17 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
> > - ctrls=0x2af6d1629aa0, response=0x0, error=0)
> > - at ../lib/ldb/common/ldb_modules.c:832
> > - ares = 0x2af6b1883eb0
> > - #18 0x00002af6ca3c8b6a in partition_req_callback (req=0x2af6d087a1e0,
> > - ares=0x2af6d05a1fa0) at ../source4/dsdb/samdb/ldb_modules/partition.c:213
> > - ac = 0x2af6d0949370
> > - module = 0x2af6cd27bf12
> > - nreq = 0x2af6d05b67b0
> > - ret = 0
> > - partition_ctrl = 0x2af6d0d71740
> > - #19 0x00002af6cd2752ab in ltdb_request_done (ctx=0x2af6d1cd7ed0, error=0)
> > - at ../lib/ldb/ldb_tdb/ldb_tdb.c:1280
> > - ldb = 0x2af6b17f2470
> > - req = 0x2af6d087a1e0
> > - ares = 0x2af6d05a1fa0
> > - #20 0x00002af6cd275597 in ltdb_callback (ev=0x2af6b17ef8c0,
> > - te=0x2af6d17f75d0, t=..., private_data=0x2af6d1cd7ed0)
> > - at ../lib/ldb/ldb_tdb/ldb_tdb.c:1390
> > - ctx = 0x2af6d1cd7ed0
> > - ret = 0
> > - #21 0x00002af6b3343259 in tevent_common_loop_timer_delay (ev=0x2af6b17ef8c0)
> > - at ../lib/tevent/tevent_timed.c:341
> > - current_time = {tv_sec = 0, tv_usec = 0}
> > - te = 0x2af6d17f75d0
> > - #22 0x00002af6b334558a in epoll_event_loop_once (ev=0x2af6b17ef8c0,
> > - location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
> > - at ../lib/tevent/tevent_epoll.c:912
> > - epoll_ev = 0x2af6b17efb00
> > - tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
> > - panic_triggered = false
> > - #23 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
> > - location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
> > - at ../lib/tevent/tevent_standard.c:112
> > - glue_ptr = 0x2af6b17ef9b0
> > - glue = 0x2af6b17ef9b0
> > - ret = 10998
> > - #24 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
> > - location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
> > - at ../lib/tevent/tevent.c:530
> > - ret = 0
> > - nesting_stack_ptr = 0x0
> > - #25 0x00002af6b1e154c4 in ldb_wait (handle=0x2af6d67624c0, type=LDB_WAIT_ALL)
> > - at ../lib/ldb/common/ldb.c:621
> > - ev = 0x2af6b17ef8c0
> > - ret = 0
> > - #26 0x00002af6b1e1786b in ldb_extended (ldb=0x2af6b17f2470,
> > - oid=0x2af6b4c4f9ce "1.3.6.1.4.1.7165.4.4.1", data=0x2af6d0e2bc60,
> > - _res=0x7fff67c78240) at ../lib/ldb/common/ldb.c:1506
> > - req = 0x2af6d0c45a00
> > - ret = 0
> > - res = 0x2af6d69238f0
> > - #27 0x00002af6b4c4a0d6 in dsdb_replicated_objects_commit (ldb=0x2af6b17f2470,
> > - working_schema=0x0, objects=0x2af6d0e2bc60, notify_uSN=0x2af6d14a65f0)
> > - at ../source4/dsdb/repl/replicated_objects.c:773
> > - werr = {w = 0}
> > - ext_res = 0x0
> > - cur_schema = 0x0
> > - new_schema = 0x0
> > - ret = 0
> > - seq_num1 = 5554
> > - seq_num2 = 47239626746464
> > - used_global_schema = false
> > - tmp_ctx = 0x2af6d03c5860
> > - __FUNCTION__ = "dsdb_replicated_objects_commit"
> > - #28 0x00002af6c1c6babb in dreplsrv_op_pull_source_apply_changes_trigger (
> > - req=0x2af6d17daed0, r=0x2af6d17db0d0, ctr_level=6, ctr1=0x0,
> > - ctr6=0x2af6d1b02bb0) at ../source4/dsdb/repl/drepl_out_helpers.c:717
> > - state = 0x2af6d17db050
> > - rf1 = {blobsize = 274, consecutive_sync_failures = 0,
> > - last_success = 130323684670000000,
> > - last_attempt = 130323687610000000, result_last_attempt = {w = 0},
> > - other_info = 0x2af6d0949910, other_info_length = 66,
> > - replica_flags = 112, schedule = '\021' <repeats 84 times>,
> > - reserved = 0, highwatermark = {tmp_highest_usn = 12398,
> > - reserved_usn = 0, highest_usn = 12398}, source_dsa_obj_guid = {
> > - time_low = 984092159, time_mid = 850,
> > - time_hi_and_version = 18870, clock_seq = "\251X",
> > - node = "UF\324\223\205\241"}, source_dsa_invocation_id = {
> > - time_low = 1460694408, time_mid = 52035,
> > - time_hi_and_version = 18738, clock_seq = "\204}",
> > - node = "\264\365\276\372\256\303"}, transport_guid = {
> > - time_low = 0, time_mid = 0, time_hi_and_version = 0,
> > - clock_seq = "\000", node = "\000\000\000\000\000"}}
> > - service = 0x2af6d0ff6b00
> > - partition = 0x2af6d0b6f220
> > - drsuapi = 0x2af6d1c8d480
> > - schema = 0x2af6d05e5570
> > - working_schema = 0x0
> > - mapping_ctr = 0x2af6d1b02c10
> > - object_count = 50
> > - first_object = 0x2af6d0571800
> > - linked_attributes_count = 0
> > - linked_attributes = 0x2af6d5212140
> > - uptodateness_vector = 0x2af6d1a741c0
> > - objects = 0x2af6d0e2bc60
> > - more_data = false
> > - status = {w = 0}
> > - nt_status = {v = 3006553120}
> > - dsdb_repl_flags = 0
> > - __FUNCTION__ = "dreplsrv_op_pull_source_apply_changes_trigger"
> > - #29 0x00002af6c1c6b3e7 in dreplsrv_op_pull_source_get_changes_done (
> > - subreq=0x0) at ../source4/dsdb/repl/drepl_out_helpers.c:599
> > - req = 0x2af6d17daed0
> > - state = 0x2af6d17db050
> > - status = {v = 0}
> > - r = 0x2af6d17db0d0
> > - ctr_level = 6
> > - ctr1 = 0x0
> > - ctr6 = 0x2af6d1b02bb0
> > - extended_ret = DRSUAPI_EXOP_ERR_NONE
> > - #30 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d1a73f70,
> > - location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
> > - at ../lib/tevent/tevent_req.c:102
> > - No locals.
> > - #31 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d1a73f70,
> > - state=TEVENT_REQ_DONE,
> > - location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
> > - at ../lib/tevent/tevent_req.c:117
> > - No locals.
> > - #32 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d1a73f70,
> > - location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
> > - at ../lib/tevent/tevent_req.c:123
> > - No locals.
> > - #33 0x00002af6c1c708df in dcerpc_drsuapi_DsGetNCChanges_r_done (
> > - subreq=0x2af6d122f4c0) at default/librpc/gen_ndr/ndr_drsuapi_c.c:712
> > - req = 0x2af6d1a73f70
> > - status = {v = 0}
> > - #34 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d122f4c0,
> > - location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
> > - at ../lib/tevent/tevent_req.c:102
> > - No locals.
> > - #35 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d122f4c0,
> > - state=TEVENT_REQ_DONE,
> > - location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
> > - at ../lib/tevent/tevent_req.c:117
> > - No locals.
> > - #36 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d122f4c0,
> > - location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
> > - at ../lib/tevent/tevent_req.c:123
> > - No locals.
> > - #37 0x00002af6b5757ede in dcerpc_binding_handle_call_done (subreq=0x0)
> > - at ../librpc/rpc/binding_handle.c:517
> > - req = 0x2af6d122f4c0
> > - state = 0x2af6d122f640
> > - h = 0x2af6d0959d10
> > - error = {v = 0}
> > - out_flags = 0
> > - ndr_err = NDR_ERR_SUCCESS
> > - #38 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d522f7a0,
> > - location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
> > - at ../lib/tevent/tevent_req.c:102
> > - No locals.
> > - #39 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d522f7a0,
> > - state=TEVENT_REQ_DONE,
> > - location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
> > - at ../lib/tevent/tevent_req.c:117
> > - No locals.
> > - #40 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d522f7a0,
> > - location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
> > - at ../lib/tevent/tevent_req.c:123
> > - No locals.
> > - #41 0x00002af6b5757398 in dcerpc_binding_handle_raw_call_done (subreq=0x0)
> > - at ../librpc/rpc/binding_handle.c:188
> > - req = 0x2af6d522f7a0
> > - state = 0x2af6d522f920
> > - error = {v = 0}
> > - #42 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d0712430,
> > - location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
> > - at ../lib/tevent/tevent_req.c:102
> > - No locals.
> > - #43 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d0712430,
> > - state=TEVENT_REQ_DONE,
> > - location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
> > - at ../lib/tevent/tevent_req.c:117
> > - No locals.
> > - #44 0x00002af6b333e472 in tevent_req_trigger (ev=0x2af6b17ef8c0,
> > - im=0x2af6d0712500, private_data=0x2af6d0712430)
> > - at ../lib/tevent/tevent_req.c:174
> > - req = 0x2af6d0712430
> > - #45 0x00002af6b333d6d4 in tevent_common_loop_immediate (ev=0x2af6b17ef8c0)
> > - at ../lib/tevent/tevent_immediate.c:135
> > - im = 0x2af6d0712500
> > - handler = 0x2af6b333e423 <tevent_req_trigger>
> > - private_data = 0x2af6d0712430
> > - #46 0x00002af6b3345570 in epoll_event_loop_once (ev=0x2af6b17ef8c0,
> > - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> > - at ../lib/tevent/tevent_epoll.c:907
> > - epoll_ev = 0x2af6b17efb00
> > - tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
> > - panic_triggered = false
> > - #47 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
> > - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> > - at ../lib/tevent/tevent_standard.c:112
> > - glue_ptr = 0x2af6b17ef9b0
> > - glue = 0x2af6b17ef9b0
> > - ret = 10998
> > - #48 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
> > - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> > - at ../lib/tevent/tevent.c:530
> > - ret = 0
> > - nesting_stack_ptr = 0x0
> > - #49 0x00002af6b333ca11 in tevent_common_loop_wait (ev=0x2af6b17ef8c0,
> > - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> > - at ../lib/tevent/tevent.c:634
> > - ret = 0
> > - #50 0x00002af6b3342405 in std_event_loop_wait (ev=0x2af6b17ef8c0,
> > - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> > - at ../lib/tevent/tevent_standard.c:138
> > - glue_ptr = 0x2af6b17ef9b0
> > - glue = 0x2af6b17ef9b0
> > - ret = 10998
> > - #51 0x00002af6b333cadc in _tevent_loop_wait (ev=0x2af6b17ef8c0,
> > - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> > - at ../lib/tevent/tevent.c:653
> > - No locals.
> > - #52 0x00002af6b15a37bc in binary_smbd_main (
> > - binary_name=0x2af6b15a737b "samba", argc=6, argv=0x7fff67c78de8)
> > - at ../source4/smbd/server.c:503
> > - opt_daemon = false
> > - opt_interactive = true
> > - opt = -1
> > - pc = 0x2af6b17d5040
> > - static_init = {0x2af6b2ac7d8c <server_service_auth_init>,
> > - 0x2af6b2aca9e7 <server_service_echo_init>, 0}
> > - shared_init = 0x2af6b18143b0
> > - event_ctx = 0x2af6b17ef8c0
> > - stdin_event_flags = 1
> > - status = {v = 0}
> > - model = 0x2af6b17d5b90 "single"
> > - max_runtime = 7500
> > -
> > -Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
> > -Autobuild-Date(master): Mon Jan 6 01:16:13 CET 2014 on sn-devel-104
> > -(cherry picked from commit 056008df62cb66090b3e30cb09c0edacfbdb5720)
> > ----
> > - source4/selftest/tests.py | 6 ++++--
> > - 1 file changed, 4 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
> > -index c3a33c7..9567a8e 100755
> > ---- a/source4/selftest/tests.py
> > -+++ b/source4/selftest/tests.py
> > -@@ -309,8 +309,6 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
> > - plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
> > - plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
> > - plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
> > --for env in ["dc", "s4member", "rodc", "promoted_dc"]:
> > -- plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
> > - plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
> > - plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
> > - plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
> > -@@ -502,6 +500,10 @@ for env in ['vampire_dc', 'promoted_dc']:
> > - extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
> > -
> > - plantestsuite("samba4.blackbox.samba_tool_demote(%s)" % env, env, [os.path.join(samba4srcdir, "utils/tests/test_demote.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$DOMAIN', '$DC_SERVER', '$PREFIX/%s' % env, smbclient4])
> > -+
> > -+for env in ["dc", "s4member", "rodc", "promoted_dc"]:
> > -+ plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
> > -+
> > - # TODO: Verifying the databases really should be a part of the
> > - # environment teardown.
> > - # check the databases are all OK. PLEASE LEAVE THIS AS THE LAST TEST
> > ---
> > -1.9.3
> > -
> > -
> > -From 3e44e7485dbfea37cb84034c4d13c96059bd9687 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 3 Jan 2014 08:35:27 +0100
> > -Subject: [PATCH 144/249] s4:librpc: always try to negotiate
> > - DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
> > -
> > -If the gensec backend supports it there's no reason not sign the header.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 7db1dc13b0149441a2beebca65b75f6e11af13a3)
> > ----
> > - librpc/rpc/binding.c | 1 -
> > - librpc/rpc/rpc_common.h | 5 ++++-
> > - source4/librpc/rpc/dcerpc.c | 12 ++----------
> > - source4/librpc/rpc/dcerpc_auth.c | 14 ++++++++++----
> > - 4 files changed, 16 insertions(+), 16 deletions(-)
> > -
> > -diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c
> > -index 49651e8..52122cf 100644
> > ---- a/librpc/rpc/binding.c
> > -+++ b/librpc/rpc/binding.c
> > -@@ -88,7 +88,6 @@ static const struct {
> > - {"padcheck", DCERPC_DEBUG_PAD_CHECK},
> > - {"bigendian", DCERPC_PUSH_BIGENDIAN},
> > - {"smb2", DCERPC_SMB2},
> > -- {"hdrsign", DCERPC_HEADER_SIGNING},
> > - {"ndr64", DCERPC_NDR64},
> > - {"localaddress", DCERPC_LOCALADDRESS}
> > - };
> > -diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
> > -index 978229e..93d3bb4 100644
> > ---- a/librpc/rpc/rpc_common.h
> > -+++ b/librpc/rpc/rpc_common.h
> > -@@ -98,7 +98,7 @@ struct dcerpc_binding {
> > - /* this triggers the DCERPC_PFC_FLAG_CONC_MPX flag in the bind request */
> > - #define DCERPC_CONCURRENT_MULTIPLEX (1<<19)
> > -
> > --/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
> > -+/* this indicates DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag was negotiated */
> > - #define DCERPC_HEADER_SIGNING (1<<20)
> > -
> > - /* use NDR64 transport */
> > -@@ -113,6 +113,9 @@ struct dcerpc_binding {
> > - /* use aes schannel with hmac-sh256 session key */
> > - #define DCERPC_SCHANNEL_AES (1<<24)
> > -
> > -+/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
> > -+#define DCERPC_PROPOSE_HEADER_SIGNING (1<<25)
> > -+
> > - /* The following definitions come from ../librpc/rpc/dcerpc_error.c */
> > -
> > - const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
> > -diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
> > -index 56b821e..2f6c8dd 100644
> > ---- a/source4/librpc/rpc/dcerpc.c
> > -+++ b/source4/librpc/rpc/dcerpc.c
> > -@@ -1162,7 +1162,7 @@ struct tevent_req *dcerpc_bind_send(TALLOC_CTX *mem_ctx,
> > - pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
> > - }
> > -
> > -- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
> > -+ if (p->conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) {
> > - pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > - }
> > -
> > -@@ -1304,7 +1304,7 @@ static void dcerpc_bind_recv_handler(struct rpc_request *subreq,
> > - conn->flags |= DCERPC_CONCURRENT_MULTIPLEX;
> > - }
> > -
> > -- if ((state->p->binding->flags & DCERPC_HEADER_SIGNING) &&
> > -+ if ((conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) &&
> > - (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
> > - conn->flags |= DCERPC_HEADER_SIGNING;
> > - }
> > -@@ -1352,10 +1352,6 @@ NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
> > - pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
> > - }
> > -
> > -- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
> > -- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > -- }
> > --
> > - /* construct the NDR form of the packet */
> > - status = ncacn_push_auth(&blob, mem_ctx,
> > - &pkt,
> > -@@ -2046,10 +2042,6 @@ struct tevent_req *dcerpc_alter_context_send(TALLOC_CTX *mem_ctx,
> > - pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
> > - }
> > -
> > -- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
> > -- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > -- }
> > --
> > - pkt.u.alter.max_xmit_frag = 5840;
> > - pkt.u.alter.max_recv_frag = 5840;
> > - pkt.u.alter.assoc_group_id = p->binding->assoc_group_id;
> > -diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
> > -index d5e5620..9a5d04d 100644
> > ---- a/source4/librpc/rpc/dcerpc_auth.c
> > -+++ b/source4/librpc/rpc/dcerpc_auth.c
> > -@@ -173,10 +173,6 @@ static void bind_auth_next_step(struct composite_context *c)
> > -
> > - if (!composite_is_ok(c)) return;
> > -
> > -- if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
> > -- gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
> > -- }
> > --
> > - if (state->credentials.length == 0) {
> > - composite_done(c);
> > - return;
> > -@@ -234,6 +230,12 @@ static void bind_auth_recv_bindreply(struct tevent_req *subreq)
> > - TALLOC_FREE(subreq);
> > - if (!composite_is_ok(c)) return;
> > -
> > -+ if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
> > -+ struct dcecli_security *sec = &state->pipe->conn->security_state;
> > -+
> > -+ gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
> > -+ }
> > -+
> > - if (!state->more_processing) {
> > - /* The first gensec_update has not requested a second run, so
> > - * we're done here. */
> > -@@ -395,6 +397,10 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
> > -
> > - sec->auth_info->credentials = state->credentials;
> > -
> > -+ if (gensec_have_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
> > -+ state->pipe->conn->flags |= DCERPC_PROPOSE_HEADER_SIGNING;
> > -+ }
> > -+
> > - /* The first request always is a dcerpc_bind. The subsequent ones
> > - * depend on gensec results */
> > - subreq = dcerpc_bind_send(state, p->conn->event_ctx, p,
> > ---
> > -1.9.3
> > -
> > -
> > -From 6bdc135a63647fbbc31c7b2e673396231541641d Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 3 Jan 2014 08:39:12 +0100
> > -Subject: [PATCH 145/249] s4:rpc_server: support
> > - DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN by default
> > -
> > -If the gensec backend supports it there's no reason to disable it.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 661fe3cf890b91f8750872b0f5a09da536f76ae2)
> > ----
> > - source4/rpc_server/dcerpc_server.c | 6 ------
> > - source4/rpc_server/dcesrv_auth.c | 37 ++++++++++++++++++++++++++++++++-----
> > - 2 files changed, 32 insertions(+), 11 deletions(-)
> > -
> > -diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
> > -index ad53685..3b35703 100644
> > ---- a/source4/rpc_server/dcerpc_server.c
> > -+++ b/source4/rpc_server/dcerpc_server.c
> > -@@ -610,12 +610,6 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
> > - call->conn->cli_max_recv_frag = MIN(0x2000, call->pkt.u.bind.max_recv_frag);
> > - }
> > -
> > -- if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) &&
> > -- lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", false)) {
> > -- call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
> > -- extra_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > -- }
> > --
> > - /* handle any authentication that is being requested */
> > - if (!dcesrv_auth_bind(call)) {
> > - talloc_free(call->context);
> > -diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
> > -index c891cc6..152715b 100644
> > ---- a/source4/rpc_server/dcesrv_auth.c
> > -+++ b/source4/rpc_server/dcesrv_auth.c
> > -@@ -92,10 +92,6 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
> > - return false;
> > - }
> > -
> > -- if (call->conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
> > -- gensec_want_feature(auth->gensec_security, GENSEC_FEATURE_SIGN_PKT_HEADER);
> > -- }
> > --
> > - return true;
> > - }
> > -
> > -@@ -107,11 +103,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
> > - {
> > - struct dcesrv_connection *dce_conn = call->conn;
> > - NTSTATUS status;
> > -+ bool want_header_signing = false;
> > -
> > - if (!call->conn->auth_state.gensec_security) {
> > - return NT_STATUS_OK;
> > - }
> > -
> > -+ if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
> > -+ want_header_signing = true;
> > -+ }
> > -+
> > -+ if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
> > -+ want_header_signing = false;
> > -+ }
> > -+
> > - status = gensec_update(dce_conn->auth_state.gensec_security,
> > - call, call->event_ctx,
> > - dce_conn->auth_state.auth_info->credentials,
> > -@@ -126,9 +131,17 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
> > - return status;
> > - }
> > -
> > -- if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
> > -+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
> > -+ GENSEC_FEATURE_SIGN_PKT_HEADER))
> > -+ {
> > -+ want_header_signing = false;
> > -+ }
> > -+
> > -+ if (want_header_signing) {
> > - gensec_want_feature(dce_conn->auth_state.gensec_security,
> > - GENSEC_FEATURE_SIGN_PKT_HEADER);
> > -+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
> > -+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > - }
> > -
> > - /* Now that we are authenticated, go back to the generic session key... */
> > -@@ -137,6 +150,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
> > - } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
> > - dce_conn->auth_state.auth_info->auth_pad_length = 0;
> > - dce_conn->auth_state.auth_info->auth_reserved = 0;
> > -+
> > -+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
> > -+ GENSEC_FEATURE_SIGN_PKT_HEADER))
> > -+ {
> > -+ want_header_signing = false;
> > -+ }
> > -+
> > -+ if (want_header_signing) {
> > -+ gensec_want_feature(dce_conn->auth_state.gensec_security,
> > -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> > -+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
> > -+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > -+ }
> > -+
> > - return NT_STATUS_OK;
> > - } else {
> > - DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
> > ---
> > -1.9.3
> > -
> > -
> > -From 868676160bb3bcfb4145a5c4b47fbb513c0bfac4 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 31 Dec 2013 09:53:55 +0100
> > -Subject: [PATCH 146/249] auth/ntlmssp: GENSEC_FEATURE_SIGN_PKT_HEADER is
> > - always supported
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 64fc015a85f9b5ed74f3dabe05dbdff185093278)
> > ----
> > - auth/ntlmssp/gensec_ntlmssp.c | 4 ++++
> > - 1 file changed, 4 insertions(+)
> > -
> > -diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
> > -index 654c0e3..5672589 100644
> > ---- a/auth/ntlmssp/gensec_ntlmssp.c
> > -+++ b/auth/ntlmssp/gensec_ntlmssp.c
> > -@@ -102,6 +102,10 @@ bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
> > - return true;
> > - }
> > - }
> > -+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > -+ return true;
> > -+ }
> > -+
> > - return false;
> > - }
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From e486316c74d3781413e66e451b51737fc194bdc2 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 31 Dec 2013 09:54:54 +0100
> > -Subject: [PATCH 147/249] s4:auth/gensec_gssapi: handle
> > - GENSEC_FEATURE_SIGN_PKT_HEADER in have_feature()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 14f6c41754960d73f46aca1bade2266b7e934d03)
> > ----
> > - source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
> > - 1 file changed, 12 insertions(+)
> > -
> > -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
> > -index 63a53bf..ffdefcf 100644
> > ---- a/source4/auth/gensec/gensec_gssapi.c
> > -+++ b/source4/auth/gensec/gensec_gssapi.c
> > -@@ -1275,6 +1275,18 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
> > - if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
> > - return true;
> > - }
> > -+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > -+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
> > -+ /* TODO: implement this using gss_wrap_iov() */
> > -+ return false;
> > -+ }
> > -+
> > -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
> > -+ return true;
> > -+ }
> > -+
> > -+ return false;
> > -+ }
> > - return false;
> > - }
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From fa8d0a7726240f8fc6648424d9724bcd65949bfd Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 3 Jan 2014 15:30:46 +0100
> > -Subject: [PATCH 148/249] s4:gensec_gssapi: make sure
> > - gensec_gssapi_[un]seal_packet() rejects header signing
> > -
> > -If header signing is requested we should error out instead of
> > -silently ignoring it, our peer would hopefully reject it,
> > -but we should also do that.
> > -
> > -TODO: we should implement header signing using gss_wrap_iov().
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 54b5b3067f5b7a0eb6dd9f1326c903f9fe4a5592)
> > ----
> > - source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
> > - 1 file changed, 12 insertions(+)
> > -
> > -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
> > -index ffdefcf..b8f007d 100644
> > ---- a/source4/auth/gensec/gensec_gssapi.c
> > -+++ b/source4/auth/gensec/gensec_gssapi.c
> > -@@ -1028,6 +1028,12 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
> > - int conf_state;
> > - ssize_t sig_length;
> > -
> > -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > -+ DEBUG(1, ("gensec_gssapi_seal_packet: "
> > -+ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
> > -+ return NT_STATUS_ACCESS_DENIED;
> > -+ }
> > -+
> > - input_token.length = length;
> > - input_token.value = data;
> > -
> > -@@ -1082,6 +1088,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
> > -
> > - dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
> > -
> > -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > -+ DEBUG(1, ("gensec_gssapi_unseal_packet: "
> > -+ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
> > -+ return NT_STATUS_ACCESS_DENIED;
> > -+ }
> > -+
> > - in = data_blob_talloc(gensec_security, NULL, sig->length + length);
> > -
> > - memcpy(in.data, sig->data, sig->length);
> > ---
> > -1.9.3
> > -
> > -
> > -From 2b1f62e3d99047e2981dcdd32c6820346917dc04 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 31 Dec 2013 09:42:36 +0100
> > -Subject: [PATCH 149/249] auth/gensec: move libcli/auth/schannel_sign.c into
> > - schannel.c
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 616cd009955b1722e6749019e2c1cac8bbb94e52)
> > ----
> > - auth/gensec/schannel.c | 380 ++++++++++++++++++++++++++++++++++++++++
> > - libcli/auth/schannel_proto.h | 14 --
> > - libcli/auth/schannel_sign.c | 404 -------------------------------------------
> > - libcli/auth/wscript_build | 2 +-
> > - 4 files changed, 381 insertions(+), 419 deletions(-)
> > - delete mode 100644 libcli/auth/schannel_sign.c
> > -
> > -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
> > -index eb2e100..c60ab4f 100644
> > ---- a/auth/gensec/schannel.c
> > -+++ b/auth/gensec/schannel.c
> > -@@ -31,6 +31,386 @@
> > - #include "librpc/gen_ndr/dcerpc.h"
> > - #include "param/param.h"
> > - #include "auth/gensec/gensec_toplevel_proto.h"
> > -+#include "lib/crypto/crypto.h"
> > -+
> > -+struct schannel_state {
> > -+ uint64_t seq_num;
> > -+ bool initiator;
> > -+ struct netlogon_creds_CredentialState *creds;
> > -+};
> > -+
> > -+#define SETUP_SEQNUM(state, buf, initiator) do { \
> > -+ uint8_t *_buf = buf; \
> > -+ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
> > -+ uint32_t _seq_num_high = (state)->seq_num >> 32; \
> > -+ if (initiator) { \
> > -+ _seq_num_high |= 0x80000000; \
> > -+ } \
> > -+ RSIVAL(_buf, 0, _seq_num_low); \
> > -+ RSIVAL(_buf, 4, _seq_num_high); \
> > -+} while(0)
> > -+
> > -+static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_CredentialState *creds,
> > -+ bool initiator)
> > -+{
> > -+ struct schannel_state *state;
> > -+
> > -+ state = talloc(mem_ctx, struct schannel_state);
> > -+ if (state == NULL) {
> > -+ return NULL;
> > -+ }
> > -+
> > -+ state->initiator = initiator;
> > -+ state->seq_num = 0;
> > -+ state->creds = netlogon_creds_copy(state, creds);
> > -+ if (state->creds == NULL) {
> > -+ talloc_free(state);
> > -+ return NULL;
> > -+ }
> > -+
> > -+ return state;
> > -+}
> > -+
> > -+static void netsec_offset_and_sizes(struct schannel_state *state,
> > -+ bool do_seal,
> > -+ uint32_t *_min_sig_size,
> > -+ uint32_t *_used_sig_size,
> > -+ uint32_t *_checksum_length,
> > -+ uint32_t *_confounder_ofs)
> > -+{
> > -+ uint32_t min_sig_size;
> > -+ uint32_t used_sig_size;
> > -+ uint32_t checksum_length;
> > -+ uint32_t confounder_ofs;
> > -+
> > -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -+ min_sig_size = 48;
> > -+ used_sig_size = 56;
> > -+ /*
> > -+ * Note: windows has a bug here and uses the old values...
> > -+ *
> > -+ * checksum_length = 32;
> > -+ * confounder_ofs = 48;
> > -+ */
> > -+ checksum_length = 8;
> > -+ confounder_ofs = 24;
> > -+ } else {
> > -+ min_sig_size = 24;
> > -+ used_sig_size = 32;
> > -+ checksum_length = 8;
> > -+ confounder_ofs = 24;
> > -+ }
> > -+
> > -+ if (do_seal) {
> > -+ min_sig_size += 8;
> > -+ }
> > -+
> > -+ if (_min_sig_size) {
> > -+ *_min_sig_size = min_sig_size;
> > -+ }
> > -+
> > -+ if (_used_sig_size) {
> > -+ *_used_sig_size = used_sig_size;
> > -+ }
> > -+
> > -+ if (_checksum_length) {
> > -+ *_checksum_length = checksum_length;
> > -+ }
> > -+
> > -+ if (_confounder_ofs) {
> > -+ *_confounder_ofs = confounder_ofs;
> > -+ }
> > -+}
> > -+
> > -+/*******************************************************************
> > -+ Encode or Decode the sequence number (which is symmetric)
> > -+ ********************************************************************/
> > -+static void netsec_do_seq_num(struct schannel_state *state,
> > -+ const uint8_t *checksum,
> > -+ uint32_t checksum_length,
> > -+ uint8_t seq_num[8])
> > -+{
> > -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -+ AES_KEY key;
> > -+ uint8_t iv[AES_BLOCK_SIZE];
> > -+
> > -+ AES_set_encrypt_key(state->creds->session_key, 128, &key);
> > -+ ZERO_STRUCT(iv);
> > -+ memcpy(iv+0, checksum, 8);
> > -+ memcpy(iv+8, checksum, 8);
> > -+
> > -+ aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
> > -+ } else {
> > -+ static const uint8_t zeros[4];
> > -+ uint8_t sequence_key[16];
> > -+ uint8_t digest1[16];
> > -+
> > -+ hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
> > -+ hmac_md5(digest1, checksum, checksum_length, sequence_key);
> > -+ arcfour_crypt(seq_num, sequence_key, 8);
> > -+ }
> > -+
> > -+ state->seq_num++;
> > -+}
> > -+
> > -+static void netsec_do_seal(struct schannel_state *state,
> > -+ const uint8_t seq_num[8],
> > -+ uint8_t confounder[8],
> > -+ uint8_t *data, uint32_t length,
> > -+ bool forward)
> > -+{
> > -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -+ AES_KEY key;
> > -+ uint8_t iv[AES_BLOCK_SIZE];
> > -+ uint8_t sess_kf0[16];
> > -+ int i;
> > -+
> > -+ for (i = 0; i < 16; i++) {
> > -+ sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
> > -+ }
> > -+
> > -+ AES_set_encrypt_key(sess_kf0, 128, &key);
> > -+ ZERO_STRUCT(iv);
> > -+ memcpy(iv+0, seq_num, 8);
> > -+ memcpy(iv+8, seq_num, 8);
> > -+
> > -+ if (forward) {
> > -+ aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
> > -+ aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
> > -+ } else {
> > -+ aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
> > -+ aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
> > -+ }
> > -+ } else {
> > -+ uint8_t sealing_key[16];
> > -+ static const uint8_t zeros[4];
> > -+ uint8_t digest2[16];
> > -+ uint8_t sess_kf0[16];
> > -+ int i;
> > -+
> > -+ for (i = 0; i < 16; i++) {
> > -+ sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
> > -+ }
> > -+
> > -+ hmac_md5(sess_kf0, zeros, 4, digest2);
> > -+ hmac_md5(digest2, seq_num, 8, sealing_key);
> > -+
> > -+ arcfour_crypt(confounder, sealing_key, 8);
> > -+ arcfour_crypt(data, sealing_key, length);
> > -+ }
> > -+}
> > -+
> > -+/*******************************************************************
> > -+ Create a digest over the entire packet (including the data), and
> > -+ MD5 it with the session key.
> > -+ ********************************************************************/
> > -+static void netsec_do_sign(struct schannel_state *state,
> > -+ const uint8_t *confounder,
> > -+ const uint8_t *data, size_t length,
> > -+ uint8_t header[8],
> > -+ uint8_t *checksum)
> > -+{
> > -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -+ struct HMACSHA256Context ctx;
> > -+
> > -+ hmac_sha256_init(state->creds->session_key,
> > -+ sizeof(state->creds->session_key),
> > -+ &ctx);
> > -+
> > -+ if (confounder) {
> > -+ SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
> > -+ SSVAL(header, 2, NL_SEAL_AES128);
> > -+ SSVAL(header, 4, 0xFFFF);
> > -+ SSVAL(header, 6, 0x0000);
> > -+
> > -+ hmac_sha256_update(header, 8, &ctx);
> > -+ hmac_sha256_update(confounder, 8, &ctx);
> > -+ } else {
> > -+ SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
> > -+ SSVAL(header, 2, NL_SEAL_NONE);
> > -+ SSVAL(header, 4, 0xFFFF);
> > -+ SSVAL(header, 6, 0x0000);
> > -+
> > -+ hmac_sha256_update(header, 8, &ctx);
> > -+ }
> > -+
> > -+ hmac_sha256_update(data, length, &ctx);
> > -+
> > -+ hmac_sha256_final(checksum, &ctx);
> > -+ } else {
> > -+ uint8_t packet_digest[16];
> > -+ static const uint8_t zeros[4];
> > -+ MD5_CTX ctx;
> > -+
> > -+ MD5Init(&ctx);
> > -+ MD5Update(&ctx, zeros, 4);
> > -+ if (confounder) {
> > -+ SSVAL(header, 0, NL_SIGN_HMAC_MD5);
> > -+ SSVAL(header, 2, NL_SEAL_RC4);
> > -+ SSVAL(header, 4, 0xFFFF);
> > -+ SSVAL(header, 6, 0x0000);
> > -+
> > -+ MD5Update(&ctx, header, 8);
> > -+ MD5Update(&ctx, confounder, 8);
> > -+ } else {
> > -+ SSVAL(header, 0, NL_SIGN_HMAC_MD5);
> > -+ SSVAL(header, 2, NL_SEAL_NONE);
> > -+ SSVAL(header, 4, 0xFFFF);
> > -+ SSVAL(header, 6, 0x0000);
> > -+
> > -+ MD5Update(&ctx, header, 8);
> > -+ }
> > -+ MD5Update(&ctx, data, length);
> > -+ MD5Final(packet_digest, &ctx);
> > -+
> > -+ hmac_md5(state->creds->session_key,
> > -+ packet_digest, sizeof(packet_digest),
> > -+ checksum);
> > -+ }
> > -+}
> > -+
> > -+static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > -+ bool do_unseal,
> > -+ uint8_t *data, size_t length,
> > -+ const DATA_BLOB *sig)
> > -+{
> > -+ uint32_t min_sig_size = 0;
> > -+ uint8_t header[8];
> > -+ uint8_t checksum[32];
> > -+ uint32_t checksum_length = sizeof(checksum_length);
> > -+ uint8_t _confounder[8];
> > -+ uint8_t *confounder = NULL;
> > -+ uint32_t confounder_ofs = 0;
> > -+ uint8_t seq_num[8];
> > -+ int ret;
> > -+
> > -+ netsec_offset_and_sizes(state,
> > -+ do_unseal,
> > -+ &min_sig_size,
> > -+ NULL,
> > -+ &checksum_length,
> > -+ &confounder_ofs);
> > -+
> > -+ if (sig->length < min_sig_size) {
> > -+ return NT_STATUS_ACCESS_DENIED;
> > -+ }
> > -+
> > -+ if (do_unseal) {
> > -+ confounder = _confounder;
> > -+ memcpy(confounder, sig->data+confounder_ofs, 8);
> > -+ } else {
> > -+ confounder = NULL;
> > -+ }
> > -+
> > -+ SETUP_SEQNUM(state, seq_num, !state->initiator);
> > -+
> > -+ if (do_unseal) {
> > -+ netsec_do_seal(state, seq_num,
> > -+ confounder,
> > -+ data, length,
> > -+ false);
> > -+ }
> > -+
> > -+ netsec_do_sign(state, confounder,
> > -+ data, length,
> > -+ header, checksum);
> > -+
> > -+ ret = memcmp(checksum, sig->data+16, checksum_length);
> > -+ if (ret != 0) {
> > -+ dump_data_pw("calc digest:", checksum, checksum_length);
> > -+ dump_data_pw("wire digest:", sig->data+16, checksum_length);
> > -+ return NT_STATUS_ACCESS_DENIED;
> > -+ }
> > -+
> > -+ netsec_do_seq_num(state, checksum, checksum_length, seq_num);
> > -+
> > -+ ret = memcmp(seq_num, sig->data+8, 8);
> > -+ if (ret != 0) {
> > -+ dump_data_pw("calc seq num:", seq_num, 8);
> > -+ dump_data_pw("wire seq num:", sig->data+8, 8);
> > -+ return NT_STATUS_ACCESS_DENIED;
> > -+ }
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+static uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
> > -+{
> > -+ uint32_t sig_size = 0;
> > -+
> > -+ netsec_offset_and_sizes(state,
> > -+ true,
> > -+ NULL,
> > -+ &sig_size,
> > -+ NULL,
> > -+ NULL);
> > -+
> > -+ return sig_size;
> > -+}
> > -+
> > -+static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ bool do_seal,
> > -+ uint8_t *data, size_t length,
> > -+ DATA_BLOB *sig)
> > -+{
> > -+ uint32_t min_sig_size = 0;
> > -+ uint32_t used_sig_size = 0;
> > -+ uint8_t header[8];
> > -+ uint8_t checksum[32];
> > -+ uint32_t checksum_length = sizeof(checksum_length);
> > -+ uint8_t _confounder[8];
> > -+ uint8_t *confounder = NULL;
> > -+ uint32_t confounder_ofs = 0;
> > -+ uint8_t seq_num[8];
> > -+
> > -+ netsec_offset_and_sizes(state,
> > -+ do_seal,
> > -+ &min_sig_size,
> > -+ &used_sig_size,
> > -+ &checksum_length,
> > -+ &confounder_ofs);
> > -+
> > -+ SETUP_SEQNUM(state, seq_num, state->initiator);
> > -+
> > -+ if (do_seal) {
> > -+ confounder = _confounder;
> > -+ generate_random_buffer(confounder, 8);
> > -+ } else {
> > -+ confounder = NULL;
> > -+ }
> > -+
> > -+ netsec_do_sign(state, confounder,
> > -+ data, length,
> > -+ header, checksum);
> > -+
> > -+ if (do_seal) {
> > -+ netsec_do_seal(state, seq_num,
> > -+ confounder,
> > -+ data, length,
> > -+ true);
> > -+ }
> > -+
> > -+ netsec_do_seq_num(state, checksum, checksum_length, seq_num);
> > -+
> > -+ (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
> > -+
> > -+ memcpy(sig->data, header, 8);
> > -+ memcpy(sig->data+8, seq_num, 8);
> > -+ memcpy(sig->data+16, checksum, checksum_length);
> > -+
> > -+ if (confounder) {
> > -+ memcpy(sig->data+confounder_ofs, confounder, 8);
> > -+ }
> > -+
> > -+ dump_data_pw("signature:", sig->data+ 0, 8);
> > -+ dump_data_pw("seq_num :", sig->data+ 8, 8);
> > -+ dump_data_pw("digest :", sig->data+16, checksum_length);
> > -+ dump_data_pw("confound :", sig->data+confounder_ofs, 8);
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -
> > - _PUBLIC_ NTSTATUS gensec_schannel_init(void);
> > -
> > -diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
> > -index da76559..bce37c8 100644
> > ---- a/libcli/auth/schannel_proto.h
> > -+++ b/libcli/auth/schannel_proto.h
> > -@@ -28,18 +28,4 @@ struct schannel_state;
> > - struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
> > - struct loadparm_context *lp_ctx);
> > -
> > --struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > -- struct netlogon_creds_CredentialState *creds,
> > -- bool initiator);
> > --NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > -- bool do_unseal,
> > -- uint8_t *data, size_t length,
> > -- const DATA_BLOB *sig);
> > --uint32_t netsec_outgoing_sig_size(struct schannel_state *state);
> > --NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > -- TALLOC_CTX *mem_ctx,
> > -- bool do_seal,
> > -- uint8_t *data, size_t length,
> > -- DATA_BLOB *sig);
> > --
> > - #endif
> > -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> > -deleted file mode 100644
> > -index 9502cba..0000000
> > ---- a/libcli/auth/schannel_sign.c
> > -+++ /dev/null
> > -@@ -1,404 +0,0 @@
> > --/*
> > -- Unix SMB/CIFS implementation.
> > --
> > -- schannel library code
> > --
> > -- Copyright (C) Andrew Tridgell 2004
> > -- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
> > --
> > -- This program is free software; you can redistribute it and/or modify
> > -- it under the terms of the GNU General Public License as published by
> > -- the Free Software Foundation; either version 3 of the License, or
> > -- (at your option) any later version.
> > --
> > -- This program is distributed in the hope that it will be useful,
> > -- but WITHOUT ANY WARRANTY; without even the implied warranty of
> > -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > -- GNU General Public License for more details.
> > --
> > -- You should have received a copy of the GNU General Public License
> > -- along with this program. If not, see <http://www.gnu.org/licenses/>.
> > --*/
> > --
> > --#include "includes.h"
> > --#include "../libcli/auth/schannel.h"
> > --#include "../lib/crypto/crypto.h"
> > --
> > --struct schannel_state {
> > -- uint64_t seq_num;
> > -- bool initiator;
> > -- struct netlogon_creds_CredentialState *creds;
> > --};
> > --
> > --#define SETUP_SEQNUM(state, buf, initiator) do { \
> > -- uint8_t *_buf = buf; \
> > -- uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
> > -- uint32_t _seq_num_high = (state)->seq_num >> 32; \
> > -- if (initiator) { \
> > -- _seq_num_high |= 0x80000000; \
> > -- } \
> > -- RSIVAL(_buf, 0, _seq_num_low); \
> > -- RSIVAL(_buf, 4, _seq_num_high); \
> > --} while(0)
> > --
> > --struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > -- struct netlogon_creds_CredentialState *creds,
> > -- bool initiator)
> > --{
> > -- struct schannel_state *state;
> > --
> > -- state = talloc(mem_ctx, struct schannel_state);
> > -- if (state == NULL) {
> > -- return NULL;
> > -- }
> > --
> > -- state->initiator = initiator;
> > -- state->seq_num = 0;
> > -- state->creds = netlogon_creds_copy(state, creds);
> > -- if (state->creds == NULL) {
> > -- talloc_free(state);
> > -- return NULL;
> > -- }
> > --
> > -- return state;
> > --}
> > --
> > --static void netsec_offset_and_sizes(struct schannel_state *state,
> > -- bool do_seal,
> > -- uint32_t *_min_sig_size,
> > -- uint32_t *_used_sig_size,
> > -- uint32_t *_checksum_length,
> > -- uint32_t *_confounder_ofs)
> > --{
> > -- uint32_t min_sig_size;
> > -- uint32_t used_sig_size;
> > -- uint32_t checksum_length;
> > -- uint32_t confounder_ofs;
> > --
> > -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- min_sig_size = 48;
> > -- used_sig_size = 56;
> > -- /*
> > -- * Note: windows has a bug here and uses the old values...
> > -- *
> > -- * checksum_length = 32;
> > -- * confounder_ofs = 48;
> > -- */
> > -- checksum_length = 8;
> > -- confounder_ofs = 24;
> > -- } else {
> > -- min_sig_size = 24;
> > -- used_sig_size = 32;
> > -- checksum_length = 8;
> > -- confounder_ofs = 24;
> > -- }
> > --
> > -- if (do_seal) {
> > -- min_sig_size += 8;
> > -- }
> > --
> > -- if (_min_sig_size) {
> > -- *_min_sig_size = min_sig_size;
> > -- }
> > --
> > -- if (_used_sig_size) {
> > -- *_used_sig_size = used_sig_size;
> > -- }
> > --
> > -- if (_checksum_length) {
> > -- *_checksum_length = checksum_length;
> > -- }
> > --
> > -- if (_confounder_ofs) {
> > -- *_confounder_ofs = confounder_ofs;
> > -- }
> > --}
> > --
> > --/*******************************************************************
> > -- Encode or Decode the sequence number (which is symmetric)
> > -- ********************************************************************/
> > --static void netsec_do_seq_num(struct schannel_state *state,
> > -- const uint8_t *checksum,
> > -- uint32_t checksum_length,
> > -- uint8_t seq_num[8])
> > --{
> > -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- AES_KEY key;
> > -- uint8_t iv[AES_BLOCK_SIZE];
> > --
> > -- AES_set_encrypt_key(state->creds->session_key, 128, &key);
> > -- ZERO_STRUCT(iv);
> > -- memcpy(iv+0, checksum, 8);
> > -- memcpy(iv+8, checksum, 8);
> > --
> > -- aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
> > -- } else {
> > -- static const uint8_t zeros[4];
> > -- uint8_t sequence_key[16];
> > -- uint8_t digest1[16];
> > --
> > -- hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
> > -- hmac_md5(digest1, checksum, checksum_length, sequence_key);
> > -- arcfour_crypt(seq_num, sequence_key, 8);
> > -- }
> > --
> > -- state->seq_num++;
> > --}
> > --
> > --static void netsec_do_seal(struct schannel_state *state,
> > -- const uint8_t seq_num[8],
> > -- uint8_t confounder[8],
> > -- uint8_t *data, uint32_t length,
> > -- bool forward)
> > --{
> > -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- AES_KEY key;
> > -- uint8_t iv[AES_BLOCK_SIZE];
> > -- uint8_t sess_kf0[16];
> > -- int i;
> > --
> > -- for (i = 0; i < 16; i++) {
> > -- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
> > -- }
> > --
> > -- AES_set_encrypt_key(sess_kf0, 128, &key);
> > -- ZERO_STRUCT(iv);
> > -- memcpy(iv+0, seq_num, 8);
> > -- memcpy(iv+8, seq_num, 8);
> > --
> > -- if (forward) {
> > -- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
> > -- aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
> > -- } else {
> > -- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
> > -- aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
> > -- }
> > -- } else {
> > -- uint8_t sealing_key[16];
> > -- static const uint8_t zeros[4];
> > -- uint8_t digest2[16];
> > -- uint8_t sess_kf0[16];
> > -- int i;
> > --
> > -- for (i = 0; i < 16; i++) {
> > -- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
> > -- }
> > --
> > -- hmac_md5(sess_kf0, zeros, 4, digest2);
> > -- hmac_md5(digest2, seq_num, 8, sealing_key);
> > --
> > -- arcfour_crypt(confounder, sealing_key, 8);
> > -- arcfour_crypt(data, sealing_key, length);
> > -- }
> > --}
> > --
> > --/*******************************************************************
> > -- Create a digest over the entire packet (including the data), and
> > -- MD5 it with the session key.
> > -- ********************************************************************/
> > --static void netsec_do_sign(struct schannel_state *state,
> > -- const uint8_t *confounder,
> > -- const uint8_t *data, size_t length,
> > -- uint8_t header[8],
> > -- uint8_t *checksum)
> > --{
> > -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- struct HMACSHA256Context ctx;
> > --
> > -- hmac_sha256_init(state->creds->session_key,
> > -- sizeof(state->creds->session_key),
> > -- &ctx);
> > --
> > -- if (confounder) {
> > -- SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
> > -- SSVAL(header, 2, NL_SEAL_AES128);
> > -- SSVAL(header, 4, 0xFFFF);
> > -- SSVAL(header, 6, 0x0000);
> > --
> > -- hmac_sha256_update(header, 8, &ctx);
> > -- hmac_sha256_update(confounder, 8, &ctx);
> > -- } else {
> > -- SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
> > -- SSVAL(header, 2, NL_SEAL_NONE);
> > -- SSVAL(header, 4, 0xFFFF);
> > -- SSVAL(header, 6, 0x0000);
> > --
> > -- hmac_sha256_update(header, 8, &ctx);
> > -- }
> > --
> > -- hmac_sha256_update(data, length, &ctx);
> > --
> > -- hmac_sha256_final(checksum, &ctx);
> > -- } else {
> > -- uint8_t packet_digest[16];
> > -- static const uint8_t zeros[4];
> > -- MD5_CTX ctx;
> > --
> > -- MD5Init(&ctx);
> > -- MD5Update(&ctx, zeros, 4);
> > -- if (confounder) {
> > -- SSVAL(header, 0, NL_SIGN_HMAC_MD5);
> > -- SSVAL(header, 2, NL_SEAL_RC4);
> > -- SSVAL(header, 4, 0xFFFF);
> > -- SSVAL(header, 6, 0x0000);
> > --
> > -- MD5Update(&ctx, header, 8);
> > -- MD5Update(&ctx, confounder, 8);
> > -- } else {
> > -- SSVAL(header, 0, NL_SIGN_HMAC_MD5);
> > -- SSVAL(header, 2, NL_SEAL_NONE);
> > -- SSVAL(header, 4, 0xFFFF);
> > -- SSVAL(header, 6, 0x0000);
> > --
> > -- MD5Update(&ctx, header, 8);
> > -- }
> > -- MD5Update(&ctx, data, length);
> > -- MD5Final(packet_digest, &ctx);
> > --
> > -- hmac_md5(state->creds->session_key,
> > -- packet_digest, sizeof(packet_digest),
> > -- checksum);
> > -- }
> > --}
> > --
> > --NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > -- bool do_unseal,
> > -- uint8_t *data, size_t length,
> > -- const DATA_BLOB *sig)
> > --{
> > -- uint32_t min_sig_size = 0;
> > -- uint8_t header[8];
> > -- uint8_t checksum[32];
> > -- uint32_t checksum_length = sizeof(checksum_length);
> > -- uint8_t _confounder[8];
> > -- uint8_t *confounder = NULL;
> > -- uint32_t confounder_ofs = 0;
> > -- uint8_t seq_num[8];
> > -- int ret;
> > --
> > -- netsec_offset_and_sizes(state,
> > -- do_unseal,
> > -- &min_sig_size,
> > -- NULL,
> > -- &checksum_length,
> > -- &confounder_ofs);
> > --
> > -- if (sig->length < min_sig_size) {
> > -- return NT_STATUS_ACCESS_DENIED;
> > -- }
> > --
> > -- if (do_unseal) {
> > -- confounder = _confounder;
> > -- memcpy(confounder, sig->data+confounder_ofs, 8);
> > -- } else {
> > -- confounder = NULL;
> > -- }
> > --
> > -- SETUP_SEQNUM(state, seq_num, !state->initiator);
> > --
> > -- if (do_unseal) {
> > -- netsec_do_seal(state, seq_num,
> > -- confounder,
> > -- data, length,
> > -- false);
> > -- }
> > --
> > -- netsec_do_sign(state, confounder,
> > -- data, length,
> > -- header, checksum);
> > --
> > -- ret = memcmp(checksum, sig->data+16, checksum_length);
> > -- if (ret != 0) {
> > -- dump_data_pw("calc digest:", checksum, checksum_length);
> > -- dump_data_pw("wire digest:", sig->data+16, checksum_length);
> > -- return NT_STATUS_ACCESS_DENIED;
> > -- }
> > --
> > -- netsec_do_seq_num(state, checksum, checksum_length, seq_num);
> > --
> > -- ret = memcmp(seq_num, sig->data+8, 8);
> > -- if (ret != 0) {
> > -- dump_data_pw("calc seq num:", seq_num, 8);
> > -- dump_data_pw("wire seq num:", sig->data+8, 8);
> > -- return NT_STATUS_ACCESS_DENIED;
> > -- }
> > --
> > -- return NT_STATUS_OK;
> > --}
> > --
> > --uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
> > --{
> > -- uint32_t sig_size = 0;
> > --
> > -- netsec_offset_and_sizes(state,
> > -- true,
> > -- NULL,
> > -- &sig_size,
> > -- NULL,
> > -- NULL);
> > --
> > -- return sig_size;
> > --}
> > --
> > --NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > -- TALLOC_CTX *mem_ctx,
> > -- bool do_seal,
> > -- uint8_t *data, size_t length,
> > -- DATA_BLOB *sig)
> > --{
> > -- uint32_t min_sig_size = 0;
> > -- uint32_t used_sig_size = 0;
> > -- uint8_t header[8];
> > -- uint8_t checksum[32];
> > -- uint32_t checksum_length = sizeof(checksum_length);
> > -- uint8_t _confounder[8];
> > -- uint8_t *confounder = NULL;
> > -- uint32_t confounder_ofs = 0;
> > -- uint8_t seq_num[8];
> > --
> > -- netsec_offset_and_sizes(state,
> > -- do_seal,
> > -- &min_sig_size,
> > -- &used_sig_size,
> > -- &checksum_length,
> > -- &confounder_ofs);
> > --
> > -- SETUP_SEQNUM(state, seq_num, state->initiator);
> > --
> > -- if (do_seal) {
> > -- confounder = _confounder;
> > -- generate_random_buffer(confounder, 8);
> > -- } else {
> > -- confounder = NULL;
> > -- }
> > --
> > -- netsec_do_sign(state, confounder,
> > -- data, length,
> > -- header, checksum);
> > --
> > -- if (do_seal) {
> > -- netsec_do_seal(state, seq_num,
> > -- confounder,
> > -- data, length,
> > -- true);
> > -- }
> > --
> > -- netsec_do_seq_num(state, checksum, checksum_length, seq_num);
> > --
> > -- (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
> > --
> > -- memcpy(sig->data, header, 8);
> > -- memcpy(sig->data+8, seq_num, 8);
> > -- memcpy(sig->data+16, checksum, checksum_length);
> > --
> > -- if (confounder) {
> > -- memcpy(sig->data+confounder_ofs, confounder, 8);
> > -- }
> > --
> > -- dump_data_pw("signature:", sig->data+ 0, 8);
> > -- dump_data_pw("seq_num :", sig->data+ 8, 8);
> > -- dump_data_pw("digest :", sig->data+16, checksum_length);
> > -- dump_data_pw("confound :", sig->data+confounder_ofs, 8);
> > --
> > -- return NT_STATUS_OK;
> > --}
> > -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
> > -index df23058..ca2be2d 100755
> > ---- a/libcli/auth/wscript_build
> > -+++ b/libcli/auth/wscript_build
> > -@@ -24,7 +24,7 @@ bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
> > -
> > -
> > - bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
> > -- source='schannel_state_tdb.c schannel_sign.c',
> > -+ source='schannel_state_tdb.c',
> > - deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
> > - )
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 307627065568a259eb9e94953b872bf723477be6 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 31 Dec 2013 10:11:18 +0100
> > -Subject: [PATCH 150/249] auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER
> > - in schannel.c
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 03006d0e4471465f071517097145806fbe46fdba)
> > ----
> > - auth/gensec/schannel.c | 56 +++++++++++++++++++++++++++++++++++++++++---------
> > - 1 file changed, 46 insertions(+), 10 deletions(-)
> > -
> > -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
> > -index c60ab4f..3d30e83 100644
> > ---- a/auth/gensec/schannel.c
> > -+++ b/auth/gensec/schannel.c
> > -@@ -34,6 +34,7 @@
> > - #include "lib/crypto/crypto.h"
> > -
> > - struct schannel_state {
> > -+ struct gensec_security *gensec;
> > - uint64_t seq_num;
> > - bool initiator;
> > - struct netlogon_creds_CredentialState *creds;
> > -@@ -50,17 +51,19 @@ struct schannel_state {
> > - RSIVAL(_buf, 4, _seq_num_high); \
> > - } while(0)
> > -
> > --static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > -+static struct schannel_state *netsec_create_state(
> > -+ struct gensec_security *gensec,
> > - struct netlogon_creds_CredentialState *creds,
> > - bool initiator)
> > - {
> > - struct schannel_state *state;
> > -
> > -- state = talloc(mem_ctx, struct schannel_state);
> > -+ state = talloc(gensec, struct schannel_state);
> > - if (state == NULL) {
> > - return NULL;
> > - }
> > -
> > -+ state->gensec = gensec;
> > - state->initiator = initiator;
> > - state->seq_num = 0;
> > - state->creds = netlogon_creds_copy(state, creds);
> > -@@ -69,6 +72,8 @@ static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > - return NULL;
> > - }
> > -
> > -+ gensec->private_data = state;
> > -+
> > - return state;
> > - }
> > -
> > -@@ -273,6 +278,7 @@ static void netsec_do_sign(struct schannel_state *state,
> > - static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > - bool do_unseal,
> > - uint8_t *data, size_t length,
> > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > - const DATA_BLOB *sig)
> > - {
> > - uint32_t min_sig_size = 0;
> > -@@ -284,6 +290,8 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > - uint32_t confounder_ofs = 0;
> > - uint8_t seq_num[8];
> > - int ret;
> > -+ const uint8_t *sign_data = NULL;
> > -+ size_t sign_length = 0;
> > -
> > - netsec_offset_and_sizes(state,
> > - do_unseal,
> > -@@ -312,8 +320,16 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > - false);
> > - }
> > -
> > -+ if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > -+ sign_data = whole_pdu;
> > -+ sign_length = pdu_length;
> > -+ } else {
> > -+ sign_data = data;
> > -+ sign_length = length;
> > -+ }
> > -+
> > - netsec_do_sign(state, confounder,
> > -- data, length,
> > -+ sign_data, sign_length,
> > - header, checksum);
> > -
> > - ret = memcmp(checksum, sig->data+16, checksum_length);
> > -@@ -353,6 +369,7 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > - TALLOC_CTX *mem_ctx,
> > - bool do_seal,
> > - uint8_t *data, size_t length,
> > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > - DATA_BLOB *sig)
> > - {
> > - uint32_t min_sig_size = 0;
> > -@@ -364,6 +381,8 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > - uint8_t *confounder = NULL;
> > - uint32_t confounder_ofs = 0;
> > - uint8_t seq_num[8];
> > -+ const uint8_t *sign_data = NULL;
> > -+ size_t sign_length = 0;
> > -
> > - netsec_offset_and_sizes(state,
> > - do_seal,
> > -@@ -381,8 +400,16 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > - confounder = NULL;
> > - }
> > -
> > -+ if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > -+ sign_data = whole_pdu;
> > -+ sign_length = pdu_length;
> > -+ } else {
> > -+ sign_data = data;
> > -+ sign_length = length;
> > -+ }
> > -+
> > - netsec_do_sign(state, confounder,
> > -- data, length,
> > -+ sign_data, sign_length,
> > - header, checksum);
> > -
> > - if (do_seal) {
> > -@@ -457,7 +484,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > - if (state == NULL) {
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -- gensec_security->private_data = state;
> > -
> > - bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
> > - #if 0
> > -@@ -553,7 +579,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > - if (state == NULL) {
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -- gensec_security->private_data = state;
> > -
> > - bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
> > - bind_schannel_ack.Flags = 0;
> > -@@ -608,6 +633,9 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
> > - if (feature & GENSEC_FEATURE_DCE_STYLE) {
> > - return true;
> > - }
> > -+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > -+ return true;
> > -+ }
> > - return false;
> > - }
> > -
> > -@@ -625,7 +653,9 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
> > -
> > - return netsec_incoming_packet(state, true,
> > - discard_const_p(uint8_t, data),
> > -- length, sig);
> > -+ length,
> > -+ whole_pdu, pdu_length,
> > -+ sig);
> > - }
> > -
> > - /*
> > -@@ -642,7 +672,9 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
> > -
> > - return netsec_incoming_packet(state, false,
> > - discard_const_p(uint8_t, data),
> > -- length, sig);
> > -+ length,
> > -+ whole_pdu, pdu_length,
> > -+ sig);
> > - }
> > - /*
> > - seal a packet
> > -@@ -658,7 +690,9 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
> > - struct schannel_state);
> > -
> > - return netsec_outgoing_packet(state, mem_ctx, true,
> > -- data, length, sig);
> > -+ data, length,
> > -+ whole_pdu, pdu_length,
> > -+ sig);
> > - }
> > -
> > - /*
> > -@@ -676,7 +710,9 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
> > -
> > - return netsec_outgoing_packet(state, mem_ctx, false,
> > - discard_const_p(uint8_t, data),
> > -- length, sig);
> > -+ length,
> > -+ whole_pdu, pdu_length,
> > -+ sig);
> > - }
> > -
> > - static const struct gensec_security_ops gensec_schannel_security_ops = {
> > ---
> > -1.9.3
> > -
> > -
> > -From 5b457559dfaeaf8f3d9227a93e5b75e0e7464c23 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sun, 5 Jan 2014 06:16:03 +0100
> > -Subject: [PATCH 151/249] s3:rpc_client: talloc_zero pipe_auth_data
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 5b39a351a8ceb3bec04236ceb4b2fe10651958a9)
> > ----
> > - source3/rpc_client/cli_pipe.c | 6 +++---
> > - 1 file changed, 3 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index a343997..7d1e347 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -2101,7 +2101,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
> > - {
> > - struct pipe_auth_data *result;
> > -
> > -- result = talloc(mem_ctx, struct pipe_auth_data);
> > -+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
> > - if (result == NULL) {
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -@@ -2125,7 +2125,7 @@ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
> > - {
> > - struct pipe_auth_data *result;
> > -
> > -- result = talloc(mem_ctx, struct pipe_auth_data);
> > -+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
> > - if (result == NULL) {
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -@@ -2160,7 +2160,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> > - struct pipe_auth_data *result;
> > - NTSTATUS status;
> > -
> > -- result = talloc(mem_ctx, struct pipe_auth_data);
> > -+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
> > - if (result == NULL) {
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From dd35874efea280b91ccaadf14a9a18e8a9017ea4 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sun, 5 Jan 2014 06:31:44 +0100
> > -Subject: [PATCH 152/249] s3:rpc_client: make rpc_api_pipe_req_send/recv static
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 946e29dbc148d40fadbee81d4d530a36c0f2f1e6)
> > ----
> > - source3/rpc_client/cli_pipe.c | 4 ++--
> > - source3/rpc_client/cli_pipe.h | 10 ----------
> > - 2 files changed, 2 insertions(+), 12 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 7d1e347..3d12454 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -1153,7 +1153,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq);
> > - static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > - bool *is_last_frag);
> > -
> > --struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> > -+static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> > - struct tevent_context *ev,
> > - struct rpc_pipe_client *cli,
> > - uint8_t op_num,
> > -@@ -1366,7 +1366,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
> > - tevent_req_done(req);
> > - }
> > -
> > --NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
> > -+static NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
> > - DATA_BLOB *reply_pdu)
> > - {
> > - struct rpc_api_pipe_req_state *state = tevent_req_data(
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index ab99373..826f9bf 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -27,16 +27,6 @@
> > -
> > - /* The following definitions come from rpc_client/cli_pipe.c */
> > -
> > --struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> > -- struct tevent_context *ev,
> > -- struct rpc_pipe_client *cli,
> > -- uint8_t op_num,
> > -- DATA_BLOB *req_data);
> > --
> > --NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req,
> > -- TALLOC_CTX *mem_ctx,
> > -- DATA_BLOB *reply_pdu);
> > --
> > - struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
> > - struct tevent_context *ev,
> > - struct rpc_pipe_client *cli,
> > ---
> > -1.9.3
> > -
> > -
> > -From 9ea586bbac52bf17e6a1147420bfc9648e697706 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sun, 5 Jan 2014 07:56:20 +0100
> > -Subject: [PATCH 153/249] s3:rpc_client: add some const to
> > - rpc_api_pipe_req_send()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 4d3376e919b5c33f272b3a584d8172729a7468e0)
> > ----
> > - source3/rpc_client/cli_pipe.c | 4 ++--
> > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 3d12454..6b7fee2 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -1142,7 +1142,7 @@ struct rpc_api_pipe_req_state {
> > - struct rpc_pipe_client *cli;
> > - uint8_t op_num;
> > - uint32_t call_id;
> > -- DATA_BLOB *req_data;
> > -+ const DATA_BLOB *req_data;
> > - uint32_t req_data_sent;
> > - DATA_BLOB rpc_out;
> > - DATA_BLOB reply_pdu;
> > -@@ -1157,7 +1157,7 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> > - struct tevent_context *ev,
> > - struct rpc_pipe_client *cli,
> > - uint8_t op_num,
> > -- DATA_BLOB *req_data)
> > -+ const DATA_BLOB *req_data)
> > - {
> > - struct tevent_req *req, *subreq;
> > - struct rpc_api_pipe_req_state *state;
> > ---
> > -1.9.3
> > -
> > -
> > -From cc6303171f06ae26bce9d54013a63a6296563dd7 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sun, 5 Jan 2014 08:26:15 +0100
> > -Subject: [PATCH 154/249] s3:rpc_client: handle DCERPC_AUTH_TYPE_SCHANNEL as
> > - any other gensec backend
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit f7bf7e705e704d2f1702e42a8e400baff9521066)
> > ----
> > - source3/rpc_client/cli_pipe.c | 4 ++--
> > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 6b7fee2..b142774 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -1627,11 +1627,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
> > -
> > - case DCERPC_AUTH_TYPE_NONE:
> > - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
> > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > - /* Bind complete. */
> > - tevent_req_done(req);
> > - return;
> > -
> > -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > - case DCERPC_AUTH_TYPE_SPNEGO:
> > - case DCERPC_AUTH_TYPE_KRB5:
> > -@@ -1666,11 +1666,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
> > -
> > - case DCERPC_AUTH_TYPE_NONE:
> > - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
> > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > - /* Bind complete. */
> > - tevent_req_done(req);
> > - return;
> > -
> > -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > - case DCERPC_AUTH_TYPE_KRB5:
> > - case DCERPC_AUTH_TYPE_SPNEGO:
> > ---
> > -1.9.3
> > -
> > -
> > -From 044ca24f9d8a3bf57d6981c89e6dcc5e4477059d Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 3 Jan 2014 22:41:33 +0100
> > -Subject: [PATCH 155/249] s3:rpc_client: implement
> > - DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 61bdbc23cd09a594a63f49ff8626934c85a8e51a)
> > ----
> > - source3/librpc/rpc/dcerpc.h | 4 +++-
> > - source3/rpc_client/cli_pipe.c | 44 +++++++++++++++++++++++++++++++++++++------
> > - 2 files changed, 41 insertions(+), 7 deletions(-)
> > -
> > -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
> > -index b18b7ba..aaf8d68 100644
> > ---- a/source3/librpc/rpc/dcerpc.h
> > -+++ b/source3/librpc/rpc/dcerpc.h
> > -@@ -39,7 +39,9 @@ struct NL_AUTH_MESSAGE;
> > - struct pipe_auth_data {
> > - enum dcerpc_AuthType auth_type;
> > - enum dcerpc_AuthLevel auth_level;
> > --
> > -+ bool client_hdr_signing;
> > -+ bool hdr_signing;
> > -+
> > - void *auth_ctx;
> > -
> > - /* Only the client code uses these 3 for now */
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index b142774..1cab580 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -1002,16 +1002,31 @@ static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
> > -
> > - static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> > - TALLOC_CTX *mem_ctx,
> > -- DATA_BLOB *auth_token)
> > -+ DATA_BLOB *auth_token,
> > -+ bool *client_hdr_signing)
> > - {
> > - struct gensec_security *gensec_security;
> > - DATA_BLOB null_blob = data_blob_null;
> > -+ NTSTATUS status;
> > -
> > - gensec_security = talloc_get_type_abort(cli->auth->auth_ctx,
> > - struct gensec_security);
> > -
> > - DEBUG(5, ("create_generic_auth_rpc_bind_req: generate first token\n"));
> > -- return gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
> > -+ status = gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
> > -+
> > -+ if (!NT_STATUS_IS_OK(status) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
> > -+ {
> > -+ return status;
> > -+ }
> > -+
> > -+ if (client_hdr_signing != NULL) {
> > -+ *client_hdr_signing = gensec_have_feature(gensec_security,
> > -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> > -+ }
> > -+
> > -+ return status;
> > - }
> > -
> > - /*******************************************************************
> > -@@ -1024,17 +1039,23 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
> > - const struct ndr_syntax_id *abstract,
> > - const struct ndr_syntax_id *transfer,
> > - const DATA_BLOB *auth_info,
> > -+ bool client_hdr_signing,
> > - DATA_BLOB *blob)
> > - {
> > - uint16 auth_len = auth_info->length;
> > - NTSTATUS status;
> > - union dcerpc_payload u;
> > - struct dcerpc_ctx_list ctx_list;
> > -+ uint8_t pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
> > -
> > - if (auth_len) {
> > - auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
> > - }
> > -
> > -+ if (client_hdr_signing) {
> > -+ pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > -+ }
> > -+
> > - ctx_list.context_id = 0;
> > - ctx_list.num_transfer_syntaxes = 1;
> > - ctx_list.abstract_syntax = *abstract;
> > -@@ -1048,9 +1069,7 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
> > - u.bind.auth_info = *auth_info;
> > -
> > - status = dcerpc_push_ncacn_packet(mem_ctx,
> > -- ptype,
> > -- DCERPC_PFC_FLAG_FIRST |
> > -- DCERPC_PFC_FLAG_LAST,
> > -+ ptype, pfc_flags,
> > - auth_len,
> > - rpc_call_id,
> > - &u,
> > -@@ -1084,7 +1103,9 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
> > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > - case DCERPC_AUTH_TYPE_KRB5:
> > - case DCERPC_AUTH_TYPE_SPNEGO:
> > -- ret = create_generic_auth_rpc_bind_req(cli, mem_ctx, &auth_token);
> > -+ ret = create_generic_auth_rpc_bind_req(cli, mem_ctx,
> > -+ &auth_token,
> > -+ &auth->client_hdr_signing);
> > -
> > - if (!NT_STATUS_IS_OK(ret) &&
> > - !NT_STATUS_EQUAL(ret, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
> > -@@ -1126,6 +1147,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
> > - abstract,
> > - transfer,
> > - &auth_info,
> > -+ auth->client_hdr_signing,
> > - rpc_out);
> > - return ret;
> > - }
> > -@@ -1507,6 +1529,7 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
> > - abstract,
> > - transfer,
> > - &auth_info,
> > -+ false, /* client_hdr_signing */
> > - rpc_out);
> > - data_blob_free(&auth_info);
> > - return status;
> > -@@ -1676,6 +1699,15 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
> > - case DCERPC_AUTH_TYPE_SPNEGO:
> > - gensec_security = talloc_get_type_abort(pauth->auth_ctx,
> > - struct gensec_security);
> > -+
> > -+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
> > -+ if (pauth->client_hdr_signing) {
> > -+ pauth->hdr_signing = true;
> > -+ gensec_want_feature(gensec_security,
> > -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> > -+ }
> > -+ }
> > -+
> > - status = gensec_update(gensec_security, state, NULL,
> > - auth.credentials, &auth_token);
> > - if (NT_STATUS_EQUAL(status,
> > ---
> > -1.9.3
> > -
> > -
> > -From 472b11d1b0fdbb1ca61e64979e4b5fd7dc1756a5 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 3 Jan 2014 22:56:03 +0100
> > -Subject: [PATCH 156/249] s3:rpc_server: add support for
> > - DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
> > -
> > -If the backend supports it there's no reason to avoid it.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 523d616268af5f94e11c863f9acdebabace80608)
> > ----
> > - source3/rpc_server/srv_pipe.c | 25 ++++++++++++++++++++++---
> > - 1 file changed, 22 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> > -index 5f834fb..f572819 100644
> > ---- a/source3/rpc_server/srv_pipe.c
> > -+++ b/source3/rpc_server/srv_pipe.c
> > -@@ -42,6 +42,7 @@
> > - #include "rpc_server/rpc_contexts.h"
> > - #include "lib/param/param.h"
> > - #include "librpc/ndr/ndr_table.h"
> > -+#include "auth/gensec/gensec.h"
> > -
> > - #undef DBGC_CLASS
> > - #define DBGC_CLASS DBGC_RPC_SRV
> > -@@ -418,10 +419,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
> > - *******************************************************************/
> > -
> > - static bool pipe_auth_generic_bind(struct pipes_struct *p,
> > -- TALLOC_CTX *mem_ctx,
> > -+ struct ncacn_packet *pkt,
> > - struct dcerpc_auth *auth_info,
> > - DATA_BLOB *response)
> > - {
> > -+ TALLOC_CTX *mem_ctx = pkt;
> > - struct gensec_security *gensec_security = NULL;
> > - NTSTATUS status;
> > -
> > -@@ -444,6 +446,17 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
> > - p->auth.auth_ctx = gensec_security;
> > - p->auth.auth_type = auth_info->auth_type;
> > -
> > -+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
> > -+ p->auth.client_hdr_signing = true;
> > -+ p->auth.hdr_signing = gensec_have_feature(gensec_security,
> > -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> > -+ }
> > -+
> > -+ if (p->auth.hdr_signing) {
> > -+ gensec_want_feature(gensec_security,
> > -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> > -+ }
> > -+
> > - return true;
> > - }
> > -
> > -@@ -548,6 +561,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > - unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
> > - NTSTATUS status;
> > - struct ndr_syntax_id id;
> > -+ uint8_t pfc_flags = 0;
> > - union dcerpc_payload u;
> > - struct dcerpc_ack_ctx bind_ack_ctx;
> > - DATA_BLOB auth_resp = data_blob_null;
> > -@@ -792,10 +806,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > - * header and are never sending more than one PDU here.
> > - */
> > -
> > -+ pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
> > -+
> > -+ if (p->auth.hdr_signing) {
> > -+ pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > -+ }
> > -+
> > - status = dcerpc_push_ncacn_packet(p->mem_ctx,
> > - DCERPC_PKT_BIND_ACK,
> > -- DCERPC_PFC_FLAG_FIRST |
> > -- DCERPC_PFC_FLAG_LAST,
> > -+ pfc_flags,
> > - auth_resp.length,
> > - pkt->call_id,
> > - &u,
> > ---
> > -1.9.3
> > -
> > -
> > -From 4e6bea89ffcca074e0320b98e65485f348a469a5 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 3 Jan 2014 09:25:23 +0100
> > -Subject: [PATCH 157/249] librpc/ndr: add
> > - LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
> > -
> > -This lets ndr_pull_subcontext_end() make sure that all
> > -subcontext bytes are consumed otherwise it returns NDR_ERR_UNREAD_BYTES.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit b62308ed994e9734dfd934d230531010d9e7cefa)
> > ----
> > - librpc/idl/idl_types.h | 2 ++
> > - librpc/ndr/libndr.h | 6 ++++++
> > - librpc/ndr/ndr.c | 20 ++++++++++++++++++++
> > - 3 files changed, 28 insertions(+)
> > -
> > -diff --git a/librpc/idl/idl_types.h b/librpc/idl/idl_types.h
> > -index c50efac..838c219 100644
> > ---- a/librpc/idl/idl_types.h
> > -+++ b/librpc/idl/idl_types.h
> > -@@ -53,3 +53,5 @@
> > -
> > - #define NDR_RELATIVE_REVERSE LIBNDR_FLAG_RELATIVE_REVERSE
> > - #define NDR_NO_RELATIVE_REVERSE LIBNDR_FLAG_NO_RELATIVE_REVERSE
> > -+
> > -+#define NDR_SUBCONTEXT_NO_UNREAD_BYTES LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
> > -diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h
> > -index a950519..8070c3c 100644
> > ---- a/librpc/ndr/libndr.h
> > -+++ b/librpc/ndr/libndr.h
> > -@@ -123,6 +123,12 @@ struct ndr_print {
> > - #define LIBNDR_FLAG_STR_RAW8 (1<<13)
> > - #define LIBNDR_STRING_FLAGS (0x7FFC)
> > -
> > -+/*
> > -+ * This lets ndr_pull_subcontext_end() return
> > -+ * NDR_ERR_UNREAD_BYTES.
> > -+ */
> > -+#define LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES (1<<17)
> > -+
> > - /* set if relative pointers should *not* be marshalled in reverse order */
> > - #define LIBNDR_FLAG_NO_RELATIVE_REVERSE (1<<18)
> > -
> > -diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
> > -index e86cf2f..15a7f12 100644
> > ---- a/librpc/ndr/ndr.c
> > -+++ b/librpc/ndr/ndr.c
> > -@@ -638,6 +638,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
> > - ssize_t size_is)
> > - {
> > - uint32_t advance;
> > -+ uint32_t highest_ofs;
> > -+
> > - if (size_is >= 0) {
> > - advance = size_is;
> > - } else if (header_size > 0) {
> > -@@ -645,6 +647,24 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
> > - } else {
> > - advance = subndr->offset;
> > - }
> > -+
> > -+ if (subndr->offset > ndr->relative_highest_offset) {
> > -+ highest_ofs = subndr->offset;
> > -+ } else {
> > -+ highest_ofs = subndr->relative_highest_offset;
> > -+ }
> > -+ if (!(subndr->flags & LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES)) {
> > -+ /*
> > -+ * avoid an error unless SUBCONTEXT_NO_UNREAD_BYTES is specified
> > -+ */
> > -+ highest_ofs = advance;
> > -+ }
> > -+ if (highest_ofs < advance) {
> > -+ return ndr_pull_error(subndr, NDR_ERR_UNREAD_BYTES,
> > -+ "not all bytes consumed ofs[%u] advance[%u]",
> > -+ highest_ofs, advance);
> > -+ }
> > -+
> > - NDR_CHECK(ndr_pull_advance(ndr, advance));
> > - return NDR_ERR_SUCCESS;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From 5960d93d9cddca327ad8d24a41c64421ac6bb561 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 3 Jan 2014 15:06:23 +0100
> > -Subject: [PATCH 158/249] dcerpc.idl: add documentation references
> > -
> > -To [C706 - DCE 1.1: Remote Procedure Call] and [MS-RPCE].
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 66c39420e29e7c257d9cdc5d04c061472bbefd19)
> > ----
> > - librpc/idl/dcerpc.idl | 13 +++++++++++--
> > - 1 file changed, 11 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
> > -index 86f22a4..23cac89 100644
> > ---- a/librpc/idl/dcerpc.idl
> > -+++ b/librpc/idl/dcerpc.idl
> > -@@ -5,8 +5,17 @@
> > - but given that pidl can handle it nicely it simplifies things a lot
> > - to do it this way
> > -
> > -- see http://www.opengroup.org/onlinepubs/9629399/chap12.htm for packet
> > -- layouts
> > -+ See [C706 - DCE 1.1: Remote Procedure Call] for the OpenGroup
> > -+ DCERPC specification:
> > -+ http://pubs.opengroup.org/onlinepubs/9629399/toc.htm
> > -+
> > -+ See C706 - Chapter 12: RPC PDU Encodings for packet layouts:
> > -+ http://www.opengroup.org/onlinepubs/9629399/chap12.htm
> > -+
> > -+ See also [MS-RPCE] for the Microsoft
> > -+ "Remote Procedure Call Protocol Extensions".
> > -+ http://msdn.microsoft.com/en-us/library/cc243560.aspx
> > -+
> > - */
> > - import "misc.idl";
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 812cb7e6010b39fb752cf85026fd8d8a5dccbb39 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 2 Jan 2014 11:18:38 +0100
> > -Subject: [PATCH 159/249] dcerpc.idl: add dcerpc_sec_verification_trailer
> > -
> > -See [MS-RPCE] 2.2.2.13 Verification Trailer for details.
> > -
> > -Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>
> > -
> > -Signed-off-by: Gregor Beck <gbeck@sernet.de>
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit c0dc2fb7e1dadcef35a132040448cb27ff1d5bfa)
> > ----
> > - librpc/idl/dcerpc.idl | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
> > - librpc/ndr/ndr_dcerpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
> > - librpc/wscript_build | 2 +-
> > - 3 files changed, 134 insertions(+), 1 deletion(-)
> > - create mode 100644 librpc/ndr/ndr_dcerpc.c
> > -
> > -diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
> > -index 23cac89..8e9be0e 100644
> > ---- a/librpc/idl/dcerpc.idl
> > -+++ b/librpc/idl/dcerpc.idl
> > -@@ -19,6 +19,8 @@
> > - */
> > - import "misc.idl";
> > -
> > -+cpp_quote("extern const uint8_t DCERPC_SEC_VT_MAGIC[8];")
> > -+
> > - interface dcerpc
> > - {
> > - typedef struct {
> > -@@ -514,4 +516,69 @@ interface dcerpc
> > - uint8 serial_low;
> > - [switch_is(ptype)] dcerpc_payload u;
> > - } ncadg_packet;
> > -+
> > -+ typedef [bitmap16bit] bitmap {
> > -+ DCERPC_SEC_VT_COMMAND_ENUM = 0x3FFF,
> > -+ DCERPC_SEC_VT_COMMAND_END = 0x4000,
> > -+ DCERPC_SEC_VT_MUST_PROCESS = 0x8000
> > -+ } dcerpc_sec_vt_command;
> > -+
> > -+ typedef [enum16bit] enum {
> > -+ DCERPC_SEC_VT_COMMAND_BITMASK1 = 0x0001,
> > -+ DCERPC_SEC_VT_COMMAND_PCONTEXT = 0x0002,
> > -+ DCERPC_SEC_VT_COMMAND_HEADER2 = 0x0003
> > -+ } dcerpc_sec_vt_command_enum;
> > -+
> > -+ typedef [bitmap32bit] bitmap {
> > -+ DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING = 0x00000001
> > -+ } dcerpc_sec_vt_bitmask1;
> > -+
> > -+ typedef struct {
> > -+ ndr_syntax_id abstract_syntax;
> > -+ ndr_syntax_id transfer_syntax;
> > -+ } dcerpc_sec_vt_pcontext;
> > -+
> > -+ typedef struct {
> > -+ dcerpc_pkt_type ptype; /* Packet type */
> > -+ [value(0)] uint8 reserved1;
> > -+ [value(0)] uint16 reserved2;
> > -+ uint8 drep[4]; /* NDR data representation */
> > -+ uint32 call_id; /* Call identifier */
> > -+ uint16 context_id;
> > -+ uint16 opnum;
> > -+ } dcerpc_sec_vt_header2;
> > -+
> > -+ typedef [switch_type(dcerpc_sec_vt_command_enum),nodiscriminant] union {
> > -+ [case(DCERPC_SEC_VT_COMMAND_BITMASK1)] dcerpc_sec_vt_bitmask1 bitmask1;
> > -+ [case(DCERPC_SEC_VT_COMMAND_PCONTEXT)] dcerpc_sec_vt_pcontext pcontext;
> > -+ [case(DCERPC_SEC_VT_COMMAND_HEADER2)] dcerpc_sec_vt_header2 header2;
> > -+ [default,flag(NDR_REMAINING)] DATA_BLOB _unknown;
> > -+ } dcerpc_sec_vt_union;
> > -+
> > -+ typedef struct {
> > -+ dcerpc_sec_vt_command command;
> > -+ [switch_is(command & DCERPC_SEC_VT_COMMAND_ENUM)]
> > -+ [subcontext(2),flag(NDR_SUBCONTEXT_NO_UNREAD_BYTES)]
> > -+ dcerpc_sec_vt_union u;
> > -+ } dcerpc_sec_vt;
> > -+
> > -+ typedef [public,nopush,nopull] struct {
> > -+ uint16 count;
> > -+ } dcerpc_sec_vt_count;
> > -+
> > -+ /*
> > -+ * We assume that the whole verification trailer fits into
> > -+ * the last 1024 bytes after the stub data.
> > -+ *
> > -+ * There're currently only 3 commands defined and each should
> > -+ * only be used once.
> > -+ */
> > -+ const uint16 DCERPC_SEC_VT_MAX_SIZE = 1024;
> > -+
> > -+ typedef [public,flag(NDR_PAHEX)] struct {
> > -+ [flag(NDR_ALIGN4)] DATA_BLOB _pad;
> > -+ [value(DCERPC_SEC_VT_MAGIC)] uint8 magic[8];
> > -+ dcerpc_sec_vt_count count;
> > -+ dcerpc_sec_vt commands[count.count];
> > -+ } dcerpc_sec_verification_trailer;
> > - }
> > -diff --git a/librpc/ndr/ndr_dcerpc.c b/librpc/ndr/ndr_dcerpc.c
> > -new file mode 100644
> > -index 0000000..88a7f38
> > ---- /dev/null
> > -+++ b/librpc/ndr/ndr_dcerpc.c
> > -@@ -0,0 +1,66 @@
> > -+/*
> > -+ Unix SMB/CIFS implementation.
> > -+
> > -+ Manually parsed structures found in the DCERPC protocol
> > -+
> > -+ Copyright (C) Stefan Metzmacher 2014
> > -+ Copyright (C) Gregor Beck 2014
> > -+
> > -+ This program is free software; you can redistribute it and/or modify
> > -+ it under the terms of the GNU General Public License as published by
> > -+ the Free Software Foundation; either version 3 of the License, or
> > -+ (at your option) any later version.
> > -+
> > -+ This program is distributed in the hope that it will be useful,
> > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > -+ GNU General Public License for more details.
> > -+
> > -+ You should have received a copy of the GNU General Public License
> > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > -+*/
> > -+
> > -+#include "includes.h"
> > -+#include "bin/default/librpc/gen_ndr/ndr_dcerpc.h"
> > -+
> > -+#include "librpc/gen_ndr/ndr_misc.h"
> > -+
> > -+const uint8_t DCERPC_SEC_VT_MAGIC[] = {0x8a,0xe3,0x13,0x71,0x02,0xf4,0x36,0x71};
> > -+
> > -+_PUBLIC_ enum ndr_err_code ndr_push_dcerpc_sec_vt_count(struct ndr_push *ndr, int ndr_flags, const struct dcerpc_sec_vt_count *r)
> > -+{
> > -+ NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
> > -+ /* nothing */
> > -+ return NDR_ERR_SUCCESS;
> > -+}
> > -+
> > -+_PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_sec_vt_count(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_sec_vt_count *r)
> > -+{
> > -+ uint32_t _saved_ofs = ndr->offset;
> > -+
> > -+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
> > -+
> > -+ if (!(ndr_flags & NDR_SCALARS)) {
> > -+ return NDR_ERR_SUCCESS;
> > -+ }
> > -+
> > -+ r->count = 0;
> > -+
> > -+ while (true) {
> > -+ uint16_t command;
> > -+ uint16_t length;
> > -+
> > -+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &command));
> > -+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &length));
> > -+ NDR_CHECK(ndr_pull_advance(ndr, length));
> > -+
> > -+ r->count += 1;
> > -+
> > -+ if (command & DCERPC_SEC_VT_COMMAND_END) {
> > -+ break;
> > -+ }
> > -+ }
> > -+
> > -+ ndr->offset = _saved_ofs;
> > -+ return NDR_ERR_SUCCESS;
> > -+}
> > -diff --git a/librpc/wscript_build b/librpc/wscript_build
> > -index 2017a29..a5cf687 100644
> > ---- a/librpc/wscript_build
> > -+++ b/librpc/wscript_build
> > -@@ -301,7 +301,7 @@ bld.SAMBA_SUBSYSTEM('NDR_FSRVP',
> > - )
> > -
> > - bld.SAMBA_SUBSYSTEM('NDR_DCERPC',
> > -- source='gen_ndr/ndr_dcerpc.c',
> > -+ source='gen_ndr/ndr_dcerpc.c ndr/ndr_dcerpc.c',
> > - public_deps='ndr',
> > - public_headers='gen_ndr/ndr_dcerpc.h gen_ndr/dcerpc.h',
> > - header_path= [ ('*gen_ndr*', 'gen_ndr') ],
> > ---
> > -1.9.3
> > -
> > -
> > -From 3480b809bd9426ce6b976b9965a54de32d246a66 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sun, 5 Jan 2014 07:57:51 +0100
> > -Subject: [PATCH 160/249] s3:rpc_client: fill alloc_hint with the remaining
> > - data not the total data.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit f0532fe0cd69aeb161088ca990d376f119102e61)
> > ----
> > - source3/rpc_client/cli_pipe.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 1cab580..5edd897 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -1277,7 +1277,7 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > -
> > - ZERO_STRUCT(u.request);
> > -
> > -- u.request.alloc_hint = state->req_data->length;
> > -+ u.request.alloc_hint = data_left;
> > - u.request.context_id = 0;
> > - u.request.opnum = state->op_num;
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From bd675cd6e4848bee8798dacf1768556de48f3112 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sun, 5 Jan 2014 08:12:45 +0100
> > -Subject: [PATCH 161/249] s3:rpc_client: send a dcerpc_sec_verification_trailer
> > - if needed
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -
> > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > -Autobuild-Date(master): Tue Jan 7 02:24:42 CET 2014 on sn-devel-104
> > -(cherry picked from commit 6ab9164c74e0ad57bdde8abb568953026b644e27)
> > ----
> > - source3/librpc/rpc/dcerpc.h | 1 +
> > - source3/rpc_client/cli_pipe.c | 202 ++++++++++++++++++++++++++++++++++++++--
> > - source3/rpc_client/rpc_client.h | 1 +
> > - 3 files changed, 194 insertions(+), 10 deletions(-)
> > -
> > -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
> > -index aaf8d68..9d0f861 100644
> > ---- a/source3/librpc/rpc/dcerpc.h
> > -+++ b/source3/librpc/rpc/dcerpc.h
> > -@@ -41,6 +41,7 @@ struct pipe_auth_data {
> > - enum dcerpc_AuthLevel auth_level;
> > - bool client_hdr_signing;
> > - bool hdr_signing;
> > -+ bool verified_bitmask1;
> > -
> > - void *auth_ctx;
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 5edd897..a45023f 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -1166,12 +1166,17 @@ struct rpc_api_pipe_req_state {
> > - uint32_t call_id;
> > - const DATA_BLOB *req_data;
> > - uint32_t req_data_sent;
> > -+ DATA_BLOB req_trailer;
> > -+ uint32_t req_trailer_sent;
> > -+ bool verify_bitmask1;
> > -+ bool verify_pcontext;
> > - DATA_BLOB rpc_out;
> > - DATA_BLOB reply_pdu;
> > - };
> > -
> > - static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
> > - static void rpc_api_pipe_req_done(struct tevent_req *subreq);
> > -+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state);
> > - static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > - bool *is_last_frag);
> > -
> > -@@ -1207,6 +1212,11 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> > - goto post_status;
> > - }
> > -
> > -+ status = prepare_verification_trailer(state);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ goto post_status;
> > -+ }
> > -+
> > - status = prepare_next_frag(state, &is_last_frag);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - goto post_status;
> > -@@ -1241,25 +1251,164 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> > - return NULL;
> > - }
> > -
> > -+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state)
> > -+{
> > -+ struct pipe_auth_data *a = state->cli->auth;
> > -+ struct dcerpc_sec_verification_trailer *t;
> > -+ struct dcerpc_sec_vt *c = NULL;
> > -+ struct ndr_push *ndr = NULL;
> > -+ enum ndr_err_code ndr_err;
> > -+ size_t align = 0;
> > -+ size_t pad = 0;
> > -+
> > -+ if (a == NULL) {
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+
> > -+ if (a->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+
> > -+ t = talloc_zero(state, struct dcerpc_sec_verification_trailer);
> > -+ if (t == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ if (!a->verified_bitmask1) {
> > -+ t->commands = talloc_realloc(t, t->commands,
> > -+ struct dcerpc_sec_vt,
> > -+ t->count.count + 1);
> > -+ if (t->commands == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ c = &t->commands[t->count.count++];
> > -+ ZERO_STRUCTP(c);
> > -+
> > -+ c->command = DCERPC_SEC_VT_COMMAND_BITMASK1;
> > -+ if (a->client_hdr_signing) {
> > -+ c->u.bitmask1 = DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING;
> > -+ }
> > -+ state->verify_bitmask1 = true;
> > -+ }
> > -+
> > -+ if (!state->cli->verified_pcontext) {
> > -+ t->commands = talloc_realloc(t, t->commands,
> > -+ struct dcerpc_sec_vt,
> > -+ t->count.count + 1);
> > -+ if (t->commands == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ c = &t->commands[t->count.count++];
> > -+ ZERO_STRUCTP(c);
> > -+
> > -+ c->command = DCERPC_SEC_VT_COMMAND_PCONTEXT;
> > -+ c->u.pcontext.abstract_syntax = state->cli->abstract_syntax;
> > -+ c->u.pcontext.transfer_syntax = state->cli->transfer_syntax;
> > -+
> > -+ state->verify_pcontext = true;
> > -+ }
> > -+
> > -+ if (!a->hdr_signing) {
> > -+ t->commands = talloc_realloc(t, t->commands,
> > -+ struct dcerpc_sec_vt,
> > -+ t->count.count + 1);
> > -+ if (t->commands == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ c = &t->commands[t->count.count++];
> > -+ ZERO_STRUCTP(c);
> > -+
> > -+ c->command = DCERPC_SEC_VT_COMMAND_HEADER2;
> > -+ c->u.header2.ptype = DCERPC_PKT_REQUEST;
> > -+ c->u.header2.drep[0] = DCERPC_DREP_LE;
> > -+ c->u.header2.drep[1] = 0;
> > -+ c->u.header2.drep[2] = 0;
> > -+ c->u.header2.drep[3] = 0;
> > -+ c->u.header2.call_id = state->call_id;
> > -+ c->u.header2.context_id = 0;
> > -+ c->u.header2.opnum = state->op_num;
> > -+ }
> > -+
> > -+ if (t->count.count == 0) {
> > -+ TALLOC_FREE(t);
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+
> > -+ c = &t->commands[t->count.count - 1];
> > -+ c->command |= DCERPC_SEC_VT_COMMAND_END;
> > -+
> > -+ if (DEBUGLEVEL >= 10) {
> > -+ NDR_PRINT_DEBUG(dcerpc_sec_verification_trailer, t);
> > -+ }
> > -+
> > -+ ndr = ndr_push_init_ctx(state);
> > -+ if (ndr == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ ndr_err = ndr_push_dcerpc_sec_verification_trailer(ndr,
> > -+ NDR_SCALARS | NDR_BUFFERS,
> > -+ t);
> > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -+ return ndr_map_error2ntstatus(ndr_err);
> > -+ }
> > -+ state->req_trailer = ndr_push_blob(ndr);
> > -+
> > -+ align = state->req_data->length & 0x3;
> > -+ if (align > 0) {
> > -+ pad = 4 - align;
> > -+ }
> > -+ if (pad > 0) {
> > -+ bool ok;
> > -+ uint8_t *p;
> > -+ const uint8_t zeros[4] = { 0, };
> > -+
> > -+ ok = data_blob_append(ndr, &state->req_trailer, zeros, pad);
> > -+ if (!ok) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ /* move the padding to the start */
> > -+ p = state->req_trailer.data;
> > -+ memmove(p + pad, p, state->req_trailer.length - pad);
> > -+ memset(p, 0, pad);
> > -+ }
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > - static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > - bool *is_last_frag)
> > - {
> > -- size_t data_sent_thistime;
> > - size_t auth_len;
> > - size_t frag_len;
> > - uint8_t flags = 0;
> > - size_t pad_len;
> > - size_t data_left;
> > -+ size_t data_thistime;
> > -+ size_t trailer_left;
> > -+ size_t trailer_thistime = 0;
> > -+ size_t total_left;
> > -+ size_t total_thistime;
> > - NTSTATUS status;
> > -+ bool ok;
> > - union dcerpc_payload u;
> > -
> > - data_left = state->req_data->length - state->req_data_sent;
> > -+ trailer_left = state->req_trailer.length - state->req_trailer_sent;
> > -+ total_left = data_left + trailer_left;
> > -+ if ((total_left < data_left) || (total_left < trailer_left)) {
> > -+ /*
> > -+ * overflow
> > -+ */
> > -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> > -+ }
> > -
> > - status = dcerpc_guess_sizes(state->cli->auth,
> > -- DCERPC_REQUEST_LENGTH, data_left,
> > -+ DCERPC_REQUEST_LENGTH, total_left,
> > - state->cli->max_xmit_frag,
> > - CLIENT_NDR_PADDING_SIZE,
> > -- &data_sent_thistime,
> > -+ &total_thistime,
> > - &frag_len, &auth_len, &pad_len);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > -@@ -1269,15 +1418,20 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > - flags = DCERPC_PFC_FLAG_FIRST;
> > - }
> > -
> > -- if (data_sent_thistime == data_left) {
> > -+ if (total_thistime == total_left) {
> > - flags |= DCERPC_PFC_FLAG_LAST;
> > - }
> > -
> > -+ data_thistime = MIN(total_thistime, data_left);
> > -+ if (data_thistime < total_thistime) {
> > -+ trailer_thistime = total_thistime - data_thistime;
> > -+ }
> > -+
> > - data_blob_free(&state->rpc_out);
> > -
> > - ZERO_STRUCT(u.request);
> > -
> > -- u.request.alloc_hint = data_left;
> > -+ u.request.alloc_hint = total_left;
> > - u.request.context_id = 0;
> > - u.request.opnum = state->op_num;
> > -
> > -@@ -1297,11 +1451,26 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > - * at this stage */
> > - dcerpc_set_frag_length(&state->rpc_out, frag_len);
> > -
> > -- /* Copy in the data. */
> > -- if (!data_blob_append(NULL, &state->rpc_out,
> > -+ if (data_thistime > 0) {
> > -+ /* Copy in the data. */
> > -+ ok = data_blob_append(NULL, &state->rpc_out,
> > - state->req_data->data + state->req_data_sent,
> > -- data_sent_thistime)) {
> > -- return NT_STATUS_NO_MEMORY;
> > -+ data_thistime);
> > -+ if (!ok) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ state->req_data_sent += data_thistime;
> > -+ }
> > -+
> > -+ if (trailer_thistime > 0) {
> > -+ /* Copy in the verification trailer. */
> > -+ ok = data_blob_append(NULL, &state->rpc_out,
> > -+ state->req_trailer.data + state->req_trailer_sent,
> > -+ trailer_thistime);
> > -+ if (!ok) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ state->req_trailer_sent += trailer_thistime;
> > - }
> > -
> > - switch (state->cli->auth->auth_level) {
> > -@@ -1321,7 +1490,6 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > - return NT_STATUS_INVALID_PARAMETER;
> > - }
> > -
> > -- state->req_data_sent += data_sent_thistime;
> > - *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
> > -
> > - return status;
> > -@@ -1385,6 +1553,20 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
> > - tevent_req_nterror(req, status);
> > - return;
> > - }
> > -+
> > -+ if (state->cli->auth == NULL) {
> > -+ tevent_req_done(req);
> > -+ return;
> > -+ }
> > -+
> > -+ if (state->verify_bitmask1) {
> > -+ state->cli->auth->verified_bitmask1 = true;
> > -+ }
> > -+
> > -+ if (state->verify_pcontext) {
> > -+ state->cli->verified_pcontext = true;
> > -+ }
> > -+
> > - tevent_req_done(req);
> > - }
> > -
> > -diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
> > -index 6561b28..8024f01 100644
> > ---- a/source3/rpc_client/rpc_client.h
> > -+++ b/source3/rpc_client/rpc_client.h
> > -@@ -39,6 +39,7 @@ struct rpc_pipe_client {
> > -
> > - struct ndr_syntax_id abstract_syntax;
> > - struct ndr_syntax_id transfer_syntax;
> > -+ bool verified_pcontext;
> > -
> > - char *desthost;
> > - char *srv_name_slash;
> > ---
> > -1.9.3
> > -
> > -
> > -From 3df8f8c1dda254a85e4fa02b74d23a4802bc595c Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 18 Apr 2013 19:16:42 +0200
> > -Subject: [PATCH 162/249] libcli/auth: add netlogon_creds_cli* infrastructure
> > -
> > -This provides an abstraction to hide netlogon_creds_CredentialState,
> > -which is stored in a node local tdb.
> > -
> > -Where the global state (netlogon_creds_CredentialState) between client and
> > -server was only kept in memory (on the client side), we now use
> > -the abstracted netlogon_creds_cli_context.
> > -
> > -We now use a node specific computer name in order to establish
> > -individual netlogon sessions per node.
> > -
> > -If the caller wants to use some netlogon calls with credential chain
> > -(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
> > -to get the current netlogon_creds_CredentialState in a g_lock'ed
> > -fashion, a talloc_free() will release the lock.
> > -
> > -The locking is needed as there might be more than one process
> > -(multiple winbindd child, cmdline tools) which want to talk
> > -to a specific domain controller. The usage of netlogon_creds_CredentialState
> > -needs to be serialized as it uses sequence numbers.
> > -
> > -LogonSamLogonEx doesn't use the credential chain, but for some operations
> > -it needs the global session in order to de/encrypt individual fields.
> > -It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
> > -functions, which just make sure the session hasn't changed between
> > -get and validate.
> > -
> > -This is prepares the proper fix for a large number of bugs:
> > -https://bugzilla.samba.org/show_bug.cgi?id=6563
> > -https://bugzilla.samba.org/show_bug.cgi?id=7944
> > -https://bugzilla.samba.org/show_bug.cgi?id=7945
> > -https://bugzilla.samba.org/show_bug.cgi?id=7568
> > -https://bugzilla.samba.org/show_bug.cgi?id=8599
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 6e6d9f9f12284ed06a21cc02080e436b7326065f)
> > ----
> > - libcli/auth/netlogon_creds_cli.c | 2596 ++++++++++++++++++++++++++++++++++++++
> > - libcli/auth/netlogon_creds_cli.h | 138 ++
> > - libcli/auth/wscript_build | 4 +
> > - 3 files changed, 2738 insertions(+)
> > - create mode 100644 libcli/auth/netlogon_creds_cli.c
> > - create mode 100644 libcli/auth/netlogon_creds_cli.h
> > -
> > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > -new file mode 100644
> > -index 0000000..75d6b2c
> > ---- /dev/null
> > -+++ b/libcli/auth/netlogon_creds_cli.c
> > -@@ -0,0 +1,2596 @@
> > -+/*
> > -+ Unix SMB/CIFS implementation.
> > -+
> > -+ module to store/fetch session keys for the schannel client
> > -+
> > -+ Copyright (C) Stefan Metzmacher 2013
> > -+
> > -+ This program is free software; you can redistribute it and/or modify
> > -+ it under the terms of the GNU General Public License as published by
> > -+ the Free Software Foundation; either version 3 of the License, or
> > -+ (at your option) any later version.
> > -+
> > -+ This program is distributed in the hope that it will be useful,
> > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > -+ GNU General Public License for more details.
> > -+
> > -+ You should have received a copy of the GNU General Public License
> > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > -+*/
> > -+
> > -+#include "includes.h"
> > -+#include "system/filesys.h"
> > -+#include <tevent.h>
> > -+#include "lib/util/tevent_ntstatus.h"
> > -+#include "lib/dbwrap/dbwrap.h"
> > -+#include "lib/dbwrap/dbwrap_rbt.h"
> > -+#include "lib/util/util_tdb.h"
> > -+#include "libcli/security/security.h"
> > -+#include "../lib/param/param.h"
> > -+#include "../libcli/auth/schannel.h"
> > -+#include "../librpc/gen_ndr/ndr_schannel.h"
> > -+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
> > -+#include "../librpc/gen_ndr/server_id.h"
> > -+#include "netlogon_creds_cli.h"
> > -+#include "source3/include/messages.h"
> > -+#include "source3/include/g_lock.h"
> > -+
> > -+struct netlogon_creds_cli_locked_state;
> > -+
> > -+struct netlogon_creds_cli_context {
> > -+ struct {
> > -+ const char *computer;
> > -+ const char *account;
> > -+ uint32_t proposed_flags;
> > -+ uint32_t required_flags;
> > -+ enum netr_SchannelType type;
> > -+ enum dcerpc_AuthLevel auth_level;
> > -+ } client;
> > -+
> > -+ struct {
> > -+ const char *computer;
> > -+ const char *netbios_domain;
> > -+ uint32_t cached_flags;
> > -+ bool try_validation6;
> > -+ bool try_logon_ex;
> > -+ bool try_logon_with;
> > -+ } server;
> > -+
> > -+ struct {
> > -+ const char *key_name;
> > -+ TDB_DATA key_data;
> > -+ struct db_context *ctx;
> > -+ struct g_lock_ctx *g_ctx;
> > -+ struct netlogon_creds_cli_locked_state *locked_state;
> > -+ } db;
> > -+};
> > -+
> > -+struct netlogon_creds_cli_locked_state {
> > -+ struct netlogon_creds_cli_context *context;
> > -+ bool is_glocked;
> > -+ struct netlogon_creds_CredentialState *creds;
> > -+};
> > -+
> > -+static int netlogon_creds_cli_locked_state_destructor(
> > -+ struct netlogon_creds_cli_locked_state *state)
> > -+{
> > -+ struct netlogon_creds_cli_context *context = state->context;
> > -+
> > -+ if (context == NULL) {
> > -+ return 0;
> > -+ }
> > -+
> > -+ if (context->db.locked_state == state) {
> > -+ context->db.locked_state = NULL;
> > -+ }
> > -+
> > -+ if (state->is_glocked) {
> > -+ g_lock_unlock(context->db.g_ctx,
> > -+ context->db.key_name);
> > -+ }
> > -+
> > -+ return 0;
> > -+}
> > -+
> > -+static NTSTATUS netlogon_creds_cli_context_common(
> > -+ const char *client_computer,
> > -+ const char *client_account,
> > -+ enum netr_SchannelType type,
> > -+ enum dcerpc_AuthLevel auth_level,
> > -+ uint32_t proposed_flags,
> > -+ uint32_t required_flags,
> > -+ const char *server_computer,
> > -+ const char *server_netbios_domain,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_cli_context **_context)
> > -+{
> > -+ struct netlogon_creds_cli_context *context = NULL;
> > -+
> > -+ *_context = NULL;
> > -+
> > -+ context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
> > -+ if (context == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ context->client.computer = talloc_strdup(context, client_computer);
> > -+ if (context->client.computer == NULL) {
> > -+ talloc_free(context);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ context->client.account = talloc_strdup(context, client_account);
> > -+ if (context->client.account == NULL) {
> > -+ talloc_free(context);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ context->client.proposed_flags = proposed_flags;
> > -+ context->client.required_flags = required_flags;
> > -+ context->client.type = type;
> > -+ context->client.auth_level = auth_level;
> > -+
> > -+ context->server.computer = talloc_strdup(context, server_computer);
> > -+ if (context->server.computer == NULL) {
> > -+ talloc_free(context);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
> > -+ if (context->server.netbios_domain == NULL) {
> > -+ talloc_free(context);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
> > -+ client_computer,
> > -+ client_account,
> > -+ server_computer,
> > -+ server_netbios_domain);
> > -+ if (context->db.key_name == NULL) {
> > -+ talloc_free(context);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ context->db.key_data = string_term_tdb_data(context->db.key_name);
> > -+
> > -+ *_context = context;
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+static struct db_context *netlogon_creds_cli_global_db;
> > -+
> > -+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
> > -+{
> > -+ char *fname;
> > -+ struct db_context *global_db;
> > -+
> > -+ if (netlogon_creds_cli_global_db != NULL) {
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+
> > -+ fname = lpcfg_private_db_path(talloc_autofree_context(), lp_ctx, "netlogon_creds_cli");
> > -+ if (fname == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ global_db = dbwrap_local_open(talloc_autofree_context(), lp_ctx,
> > -+ fname, 0,
> > -+ TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > -+ O_RDWR|O_CREAT,
> > -+ 0600, DBWRAP_LOCK_ORDER_2);
> > -+ if (global_db == NULL) {
> > -+ DEBUG(0,("netlogon_creds_cli_open_global_db: Failed to open %s - %s\n",
> > -+ fname, strerror(errno)));
> > -+ talloc_free(fname);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ TALLOC_FREE(fname);
> > -+
> > -+ netlogon_creds_cli_global_db = global_db;
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > -+ struct messaging_context *msg_ctx,
> > -+ const char *client_account,
> > -+ enum netr_SchannelType type,
> > -+ const char *server_computer,
> > -+ const char *server_netbios_domain,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_cli_context **_context)
> > -+{
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ NTSTATUS status;
> > -+ struct netlogon_creds_cli_context *context = NULL;
> > -+ const char *client_computer;
> > -+ uint32_t proposed_flags;
> > -+ uint32_t required_flags = 0;
> > -+ bool reject_md5_servers = false;
> > -+ bool require_strong_key = false;
> > -+ int require_sign_or_seal = true;
> > -+ bool seal_secure_channel = true;
> > -+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
> > -+ bool neutralize_nt4_emulation = false;
> > -+ struct server_id self = {
> > -+ .vnn = NONCLUSTER_VNN,
> > -+ .unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
> > -+ };
> > -+
> > -+ if (msg_ctx != NULL) {
> > -+ self = messaging_server_id(msg_ctx);
> > -+ }
> > -+
> > -+ *_context = NULL;
> > -+
> > -+ if (self.vnn != NONCLUSTER_VNN) {
> > -+ client_computer = talloc_asprintf(frame,
> > -+ "%s_cluster_vnn_%u",
> > -+ lpcfg_netbios_name(lp_ctx),
> > -+ (unsigned)self.vnn);
> > -+ if (client_computer == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ } else {
> > -+ client_computer = lpcfg_netbios_name(lp_ctx);
> > -+ }
> > -+
> > -+ /*
> > -+ * allow overwrite per domain
> > -+ * reject md5 servers:<netbios_domain>
> > -+ */
> > -+ //TODO: add lpcfp_reject_md5_servers()
> > -+ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
> > -+ "__default__",
> > -+ "reject md5 servers",
> > -+ reject_md5_servers);
> > -+ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
> > -+ "reject md5 servers",
> > -+ server_netbios_domain,
> > -+ reject_md5_servers);
> > -+
> > -+ /*
> > -+ * allow overwrite per domain
> > -+ * require strong key:<netbios_domain>
> > -+ */
> > -+ //TODO: add lpcfp_require_strong_key()
> > -+ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
> > -+ "__default__",
> > -+ "require strong key",
> > -+ require_strong_key);
> > -+ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
> > -+ "require strong key",
> > -+ server_netbios_domain,
> > -+ require_strong_key);
> > -+
> > -+ /*
> > -+ * allow overwrite per domain
> > -+ * client schannel:<netbios_domain>
> > -+ */
> > -+ require_sign_or_seal = lpcfg_client_schannel(lp_ctx);
> > -+ require_sign_or_seal = lpcfg_parm_int(lp_ctx, NULL,
> > -+ "client schannel",
> > -+ server_netbios_domain,
> > -+ require_sign_or_seal);
> > -+
> > -+ /*
> > -+ * allow overwrite per domain
> > -+ * winbind sealed pipes:<netbios_domain>
> > -+ */
> > -+ seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
> > -+ seal_secure_channel = lpcfg_parm_bool(lp_ctx, NULL,
> > -+ "winbind sealed pipes",
> > -+ server_netbios_domain,
> > -+ seal_secure_channel);
> > -+
> > -+ /*
> > -+ * allow overwrite per domain
> > -+ * neutralize nt4 emulation:<netbios_domain>
> > -+ */
> > -+ //TODO: add lpcfp_neutralize_nt4_emulation()
> > -+ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
> > -+ "__default__",
> > -+ "neutralize nt4 emulation",
> > -+ neutralize_nt4_emulation);
> > -+ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
> > -+ "neutralize nt4 emulation",
> > -+ server_netbios_domain,
> > -+ neutralize_nt4_emulation);
> > -+
> > -+ proposed_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > -+ proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
> > -+
> > -+ switch (type) {
> > -+ case SEC_CHAN_WKSTA:
> > -+ if (lpcfg_security(lp_ctx) == SEC_ADS) {
> > -+ /*
> > -+ * AD domains should be secure
> > -+ */
> > -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> > -+ require_sign_or_seal = true;
> > -+ require_strong_key = true;
> > -+ }
> > -+ break;
> > -+
> > -+ case SEC_CHAN_DOMAIN:
> > -+ break;
> > -+
> > -+ case SEC_CHAN_DNS_DOMAIN:
> > -+ /*
> > -+ * AD domains should be secure
> > -+ */
> > -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> > -+ require_sign_or_seal = true;
> > -+ require_strong_key = true;
> > -+ neutralize_nt4_emulation = true;
> > -+ break;
> > -+
> > -+ case SEC_CHAN_BDC:
> > -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> > -+ require_sign_or_seal = true;
> > -+ require_strong_key = true;
> > -+ break;
> > -+
> > -+ case SEC_CHAN_RODC:
> > -+ required_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
> > -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> > -+ require_sign_or_seal = true;
> > -+ require_strong_key = true;
> > -+ neutralize_nt4_emulation = true;
> > -+ break;
> > -+
> > -+ default:
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_INVALID_PARAMETER;
> > -+ }
> > -+
> > -+ if (neutralize_nt4_emulation) {
> > -+ proposed_flags |= NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
> > -+ }
> > -+
> > -+ if (require_sign_or_seal == false) {
> > -+ proposed_flags &= ~NETLOGON_NEG_AUTHENTICATED_RPC;
> > -+ } else {
> > -+ required_flags |= NETLOGON_NEG_ARCFOUR;
> > -+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
> > -+ }
> > -+
> > -+ if (reject_md5_servers) {
> > -+ required_flags |= NETLOGON_NEG_ARCFOUR;
> > -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> > -+ required_flags |= NETLOGON_NEG_SUPPORTS_AES;
> > -+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
> > -+ }
> > -+
> > -+ if (require_strong_key) {
> > -+ required_flags |= NETLOGON_NEG_ARCFOUR;
> > -+ required_flags |= NETLOGON_NEG_STRONG_KEYS;
> > -+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
> > -+ }
> > -+
> > -+ proposed_flags |= required_flags;
> > -+
> > -+ if (seal_secure_channel) {
> > -+ auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
> > -+ } else {
> > -+ auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_context_common(client_computer,
> > -+ client_account,
> > -+ type,
> > -+ auth_level,
> > -+ proposed_flags,
> > -+ required_flags,
> > -+ server_computer,
> > -+ server_netbios_domain,
> > -+ mem_ctx,
> > -+ &context);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+
> > -+ if (msg_ctx != NULL) {
> > -+ context->db.g_ctx = g_lock_ctx_init(context, msg_ctx);
> > -+ if (context->db.g_ctx == NULL) {
> > -+ TALLOC_FREE(context);
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ }
> > -+
> > -+ if (netlogon_creds_cli_global_db != NULL) {
> > -+ context->db.ctx = netlogon_creds_cli_global_db;
> > -+ *_context = context;
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_open_global_db(lp_ctx);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(context);
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ context->db.ctx = netlogon_creds_cli_global_db;
> > -+ *_context = context;
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
> > -+ const char *client_account,
> > -+ enum netr_SchannelType type,
> > -+ uint32_t proposed_flags,
> > -+ uint32_t required_flags,
> > -+ enum dcerpc_AuthLevel auth_level,
> > -+ const char *server_computer,
> > -+ const char *server_netbios_domain,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_cli_context **_context)
> > -+{
> > -+ NTSTATUS status;
> > -+ struct netlogon_creds_cli_context *context = NULL;
> > -+
> > -+ *_context = NULL;
> > -+
> > -+ status = netlogon_creds_cli_context_common(client_computer,
> > -+ client_account,
> > -+ type,
> > -+ auth_level,
> > -+ proposed_flags,
> > -+ required_flags,
> > -+ server_computer,
> > -+ server_netbios_domain,
> > -+ mem_ctx,
> > -+ &context);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ context->db.ctx = db_open_rbt(context);
> > -+ if (context->db.ctx == NULL) {
> > -+ talloc_free(context);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ *_context = context;
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_context_copy(
> > -+ const struct netlogon_creds_cli_context *src,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_cli_context **_dst)
> > -+{
> > -+ struct netlogon_creds_cli_context *dst;
> > -+
> > -+ dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
> > -+ if (dst == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ *dst = *src;
> > -+
> > -+ dst->client.computer = talloc_strdup(dst, src->client.computer);
> > -+ if (dst->client.computer == NULL) {
> > -+ TALLOC_FREE(dst);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ dst->client.account = talloc_strdup(dst, src->client.account);
> > -+ if (dst->client.account == NULL) {
> > -+ TALLOC_FREE(dst);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ dst->server.computer = talloc_strdup(dst, src->server.computer);
> > -+ if (dst->server.computer == NULL) {
> > -+ TALLOC_FREE(dst);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
> > -+ if (dst->server.netbios_domain == NULL) {
> > -+ TALLOC_FREE(dst);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ dst->db.key_name = talloc_strdup(dst, src->db.key_name);
> > -+ if (dst->db.key_name == NULL) {
> > -+ TALLOC_FREE(dst);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ dst->db.key_data = string_term_tdb_data(dst->db.key_name);
> > -+
> > -+ *_dst = dst;
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
> > -+ struct netlogon_creds_cli_context *context)
> > -+{
> > -+ return context->client.auth_level;
> > -+}
> > -+
> > -+struct netlogon_creds_cli_fetch_state {
> > -+ TALLOC_CTX *mem_ctx;
> > -+ struct netlogon_creds_CredentialState *creds;
> > -+ uint32_t required_flags;
> > -+ NTSTATUS status;
> > -+};
> > -+
> > -+static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
> > -+ void *private_data)
> > -+{
> > -+ struct netlogon_creds_cli_fetch_state *state =
> > -+ (struct netlogon_creds_cli_fetch_state *)private_data;
> > -+ enum ndr_err_code ndr_err;
> > -+ DATA_BLOB blob;
> > -+ uint32_t tmp_flags;
> > -+
> > -+ state->creds = talloc_zero(state->mem_ctx,
> > -+ struct netlogon_creds_CredentialState);
> > -+ if (state->creds == NULL) {
> > -+ state->status = NT_STATUS_NO_MEMORY;
> > -+ return;
> > -+ }
> > -+
> > -+ blob.data = data.dptr;
> > -+ blob.length = data.dsize;
> > -+
> > -+ ndr_err = ndr_pull_struct_blob(&blob, state->creds, state->creds,
> > -+ (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
> > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -+ TALLOC_FREE(state->creds);
> > -+ state->status = ndr_map_error2ntstatus(ndr_err);
> > -+ return;
> > -+ }
> > -+
> > -+ tmp_flags = state->creds->negotiate_flags;
> > -+ tmp_flags &= state->required_flags;
> > -+ if (tmp_flags != state->required_flags) {
> > -+ TALLOC_FREE(state->creds);
> > -+ state->status = NT_STATUS_DOWNGRADE_DETECTED;
> > -+ return;
> > -+ }
> > -+
> > -+ state->status = NT_STATUS_OK;
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_CredentialState **_creds)
> > -+{
> > -+ NTSTATUS status;
> > -+ struct netlogon_creds_cli_fetch_state fstate = {
> > -+ .mem_ctx = mem_ctx,
> > -+ .status = NT_STATUS_INTERNAL_ERROR,
> > -+ .required_flags = context->client.required_flags,
> > -+ };
> > -+ static const struct netr_Credential zero_creds;
> > -+
> > -+ *_creds = NULL;
> > -+
> > -+ status = dbwrap_parse_record(context->db.ctx,
> > -+ context->db.key_data,
> > -+ netlogon_creds_cli_fetch_parser,
> > -+ &fstate);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+ status = fstate.status;
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ /*
> > -+ * mark it as invalid for step operations.
> > -+ */
> > -+ fstate.creds->sequence = 0;
> > -+ fstate.creds->seed = zero_creds;
> > -+ fstate.creds->client = zero_creds;
> > -+ fstate.creds->server = zero_creds;
> > -+
> > -+ if (context->server.cached_flags == fstate.creds->negotiate_flags) {
> > -+ *_creds = fstate.creds;
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+
> > -+ /*
> > -+ * It is really important to try SamLogonEx here,
> > -+ * because multiple processes can talk to the same
> > -+ * domain controller, without using the credential
> > -+ * chain.
> > -+ *
> > -+ * With a normal SamLogon call, we must keep the
> > -+ * credentials chain updated and intact between all
> > -+ * users of the machine account (which would imply
> > -+ * cross-node communication for every NTLM logon).
> > -+ *
> > -+ * The credentials chain is not per NETLOGON pipe
> > -+ * connection, but globally on the server/client pair
> > -+ * by computer name, while the client is free to use
> > -+ * any computer name. We include the cluster node number
> > -+ * in our computer name in order to avoid cross node
> > -+ * coordination of the credential chain.
> > -+ *
> > -+ * It's also important to use NetlogonValidationSamInfo4 (6),
> > -+ * because it relies on the rpc transport encryption
> > -+ * and avoids using the global netlogon schannel
> > -+ * session key to en/decrypt secret information
> > -+ * like the user_session_key for network logons.
> > -+ *
> > -+ * [MS-APDS] 3.1.5.2 NTLM Network Logon
> > -+ * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
> > -+ * NETLOGON_NEG_AUTHENTICATED_RPC set together
> > -+ * are the indication that the server supports
> > -+ * NetlogonValidationSamInfo4 (6). And it must only
> > -+ * be used if "SealSecureChannel" is used.
> > -+ *
> > -+ * The "SealSecureChannel" AUTH_TYPE_SCHANNEL/AUTH_LEVEL_PRIVACY
> > -+ * check is done in netlogon_creds_cli_LogonSamLogon*().
> > -+ */
> > -+ context->server.cached_flags = fstate.creds->negotiate_flags;
> > -+ context->server.try_validation6 = true;
> > -+ context->server.try_logon_ex = true;
> > -+ context->server.try_logon_with = true;
> > -+
> > -+ if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > -+ context->server.try_validation6 = false;
> > -+ context->server.try_logon_ex = false;
> > -+ }
> > -+ if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
> > -+ context->server.try_validation6 = false;
> > -+ }
> > -+
> > -+ *_creds = fstate.creds;
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
> > -+ const struct netlogon_creds_CredentialState *creds1)
> > -+{
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct netlogon_creds_CredentialState *creds2;
> > -+ DATA_BLOB blob1;
> > -+ DATA_BLOB blob2;
> > -+ NTSTATUS status;
> > -+ enum ndr_err_code ndr_err;
> > -+ int cmp;
> > -+
> > -+ status = netlogon_creds_cli_get(context, frame, &creds2);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return false;
> > -+ }
> > -+
> > -+ ndr_err = ndr_push_struct_blob(&blob1, frame, creds1,
> > -+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -+ TALLOC_FREE(frame);
> > -+ return false;
> > -+ }
> > -+
> > -+ ndr_err = ndr_push_struct_blob(&blob2, frame, creds2,
> > -+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -+ TALLOC_FREE(frame);
> > -+ return false;
> > -+ }
> > -+
> > -+ if (blob1.length != blob2.length) {
> > -+ TALLOC_FREE(frame);
> > -+ return false;
> > -+ }
> > -+
> > -+ cmp = memcmp(blob1.data, blob2.data, blob1.length);
> > -+ if (cmp != 0) {
> > -+ TALLOC_FREE(frame);
> > -+ return false;
> > -+ }
> > -+
> > -+ TALLOC_FREE(frame);
> > -+ return true;
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
> > -+ struct netlogon_creds_CredentialState **_creds)
> > -+{
> > -+ struct netlogon_creds_CredentialState *creds = *_creds;
> > -+ NTSTATUS status;
> > -+ enum ndr_err_code ndr_err;
> > -+ DATA_BLOB blob;
> > -+ TDB_DATA data;
> > -+
> > -+ *_creds = NULL;
> > -+
> > -+ if (context->db.locked_state == NULL) {
> > -+ /*
> > -+ * this was not the result of netlogon_creds_cli_lock*()
> > -+ */
> > -+ TALLOC_FREE(creds);
> > -+ return NT_STATUS_INVALID_PAGE_PROTECTION;
> > -+ }
> > -+
> > -+ if (context->db.locked_state->creds != creds) {
> > -+ /*
> > -+ * this was not the result of netlogon_creds_cli_lock*()
> > -+ */
> > -+ TALLOC_FREE(creds);
> > -+ return NT_STATUS_INVALID_PAGE_PROTECTION;
> > -+ }
> > -+
> > -+ ndr_err = ndr_push_struct_blob(&blob, creds, creds,
> > -+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -+ TALLOC_FREE(creds);
> > -+ status = ndr_map_error2ntstatus(ndr_err);
> > -+ return status;
> > -+ }
> > -+
> > -+ data.dptr = blob.data;
> > -+ data.dsize = blob.length;
> > -+
> > -+ status = dbwrap_store(context->db.ctx,
> > -+ context->db.key_data,
> > -+ data, TDB_REPLACE);
> > -+ TALLOC_FREE(creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
> > -+ struct netlogon_creds_CredentialState **_creds)
> > -+{
> > -+ struct netlogon_creds_CredentialState *creds = *_creds;
> > -+ NTSTATUS status;
> > -+
> > -+ *_creds = NULL;
> > -+
> > -+ if (context->db.locked_state == NULL) {
> > -+ /*
> > -+ * this was not the result of netlogon_creds_cli_lock*()
> > -+ */
> > -+ TALLOC_FREE(creds);
> > -+ return NT_STATUS_INVALID_PAGE_PROTECTION;
> > -+ }
> > -+
> > -+ if (context->db.locked_state->creds != creds) {
> > -+ /*
> > -+ * this was not the result of netlogon_creds_cli_lock*()
> > -+ */
> > -+ TALLOC_FREE(creds);
> > -+ return NT_STATUS_INVALID_PAGE_PROTECTION;
> > -+ }
> > -+
> > -+ status = dbwrap_delete(context->db.ctx,
> > -+ context->db.key_data);
> > -+ TALLOC_FREE(creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+struct netlogon_creds_cli_lock_state {
> > -+ struct netlogon_creds_cli_locked_state *locked_state;
> > -+ struct netlogon_creds_CredentialState *creds;
> > -+};
> > -+
> > -+static void netlogon_creds_cli_lock_done(struct tevent_req *subreq);
> > -+static void netlogon_creds_cli_lock_fetch(struct tevent_req *req);
> > -+
> > -+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ struct netlogon_creds_cli_context *context)
> > -+{
> > -+ struct tevent_req *req;
> > -+ struct netlogon_creds_cli_lock_state *state;
> > -+ struct netlogon_creds_cli_locked_state *locked_state;
> > -+ struct tevent_req *subreq;
> > -+
> > -+ req = tevent_req_create(mem_ctx, &state,
> > -+ struct netlogon_creds_cli_lock_state);
> > -+ if (req == NULL) {
> > -+ return NULL;
> > -+ }
> > -+
> > -+ if (context->db.locked_state != NULL) {
> > -+ tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
> > -+ if (tevent_req_nomem(locked_state, req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+ talloc_set_destructor(locked_state,
> > -+ netlogon_creds_cli_locked_state_destructor);
> > -+ locked_state->context = context;
> > -+
> > -+ context->db.locked_state = locked_state;
> > -+ state->locked_state = locked_state;
> > -+
> > -+ if (context->db.g_ctx == NULL) {
> > -+ netlogon_creds_cli_lock_fetch(req);
> > -+ if (!tevent_req_is_in_progress(req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ return req;
> > -+ }
> > -+
> > -+ subreq = g_lock_lock_send(state, ev,
> > -+ context->db.g_ctx,
> > -+ context->db.key_name,
> > -+ G_LOCK_WRITE);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+ tevent_req_set_callback(subreq, netlogon_creds_cli_lock_done, req);
> > -+
> > -+ return req;
> > -+}
> > -+
> > -+static void netlogon_creds_cli_lock_done(struct tevent_req *subreq)
> > -+{
> > -+ struct tevent_req *req =
> > -+ tevent_req_callback_data(subreq,
> > -+ struct tevent_req);
> > -+ struct netlogon_creds_cli_lock_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_lock_state);
> > -+ NTSTATUS status;
> > -+
> > -+ status = g_lock_lock_recv(subreq);
> > -+ TALLOC_FREE(subreq);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+ state->locked_state->is_glocked = true;
> > -+
> > -+ netlogon_creds_cli_lock_fetch(req);
> > -+}
> > -+
> > -+static void netlogon_creds_cli_lock_fetch(struct tevent_req *req)
> > -+{
> > -+ struct netlogon_creds_cli_lock_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_lock_state);
> > -+ struct netlogon_creds_cli_context *context = state->locked_state->context;
> > -+ struct netlogon_creds_cli_fetch_state fstate = {
> > -+ .status = NT_STATUS_INTERNAL_ERROR,
> > -+ .required_flags = context->client.required_flags,
> > -+ };
> > -+ NTSTATUS status;
> > -+
> > -+ fstate.mem_ctx = state;
> > -+ status = dbwrap_parse_record(context->db.ctx,
> > -+ context->db.key_data,
> > -+ netlogon_creds_cli_fetch_parser,
> > -+ &fstate);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+ status = fstate.status;
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+
> > -+ if (context->server.cached_flags == fstate.creds->negotiate_flags) {
> > -+ state->creds = fstate.creds;
> > -+ tevent_req_done(req);
> > -+ return;
> > -+ }
> > -+
> > -+ context->server.cached_flags = fstate.creds->negotiate_flags;
> > -+ context->server.try_validation6 = true;
> > -+ context->server.try_logon_ex = true;
> > -+ context->server.try_logon_with = true;
> > -+
> > -+ if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > -+ context->server.try_validation6 = false;
> > -+ context->server.try_logon_ex = false;
> > -+ }
> > -+ if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
> > -+ context->server.try_validation6 = false;
> > -+ }
> > -+
> > -+ state->creds = fstate.creds;
> > -+ tevent_req_done(req);
> > -+ return;
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_CredentialState **creds)
> > -+{
> > -+ struct netlogon_creds_cli_lock_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_lock_state);
> > -+ NTSTATUS status;
> > -+
> > -+ if (tevent_req_is_nterror(req, &status)) {
> > -+ tevent_req_received(req);
> > -+ return status;
> > -+ }
> > -+
> > -+ talloc_steal(state->creds, state->locked_state);
> > -+ state->locked_state->creds = state->creds;
> > -+ *creds = talloc_move(mem_ctx, &state->creds);
> > -+ tevent_req_received(req);
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_CredentialState **creds)
> > -+{
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct tevent_context *ev;
> > -+ struct tevent_req *req;
> > -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> > -+
> > -+ ev = samba_tevent_context_init(frame);
> > -+ if (ev == NULL) {
> > -+ goto fail;
> > -+ }
> > -+ req = netlogon_creds_cli_lock_send(frame, ev, context);
> > -+ if (req == NULL) {
> > -+ goto fail;
> > -+ }
> > -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> > -+ goto fail;
> > -+ }
> > -+ status = netlogon_creds_cli_lock_recv(req, mem_ctx, creds);
> > -+ fail:
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+}
> > -+
> > -+struct netlogon_creds_cli_auth_state {
> > -+ struct tevent_context *ev;
> > -+ struct netlogon_creds_cli_context *context;
> > -+ struct dcerpc_binding_handle *binding_handle;
> > -+ struct samr_Password current_nt_hash;
> > -+ struct samr_Password previous_nt_hash;
> > -+ struct samr_Password used_nt_hash;
> > -+ char *srv_name_slash;
> > -+ uint32_t current_flags;
> > -+ struct netr_Credential client_challenge;
> > -+ struct netr_Credential server_challenge;
> > -+ struct netlogon_creds_CredentialState *creds;
> > -+ struct netr_Credential client_credential;
> > -+ struct netr_Credential server_credential;
> > -+ uint32_t rid;
> > -+ bool try_auth3;
> > -+ bool try_auth2;
> > -+ bool require_auth2;
> > -+ bool try_previous_nt_hash;
> > -+ struct netlogon_creds_cli_locked_state *locked_state;
> > -+};
> > -+
> > -+static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq);
> > -+static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req);
> > -+
> > -+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b,
> > -+ struct samr_Password current_nt_hash,
> > -+ const struct samr_Password *previous_nt_hash)
> > -+{
> > -+ struct tevent_req *req;
> > -+ struct netlogon_creds_cli_auth_state *state;
> > -+ struct netlogon_creds_cli_locked_state *locked_state;
> > -+ NTSTATUS status;
> > -+
> > -+ req = tevent_req_create(mem_ctx, &state,
> > -+ struct netlogon_creds_cli_auth_state);
> > -+ if (req == NULL) {
> > -+ return NULL;
> > -+ }
> > -+
> > -+ state->ev = ev;
> > -+ state->context = context;
> > -+ state->binding_handle = b;
> > -+ state->current_nt_hash = current_nt_hash;
> > -+ if (previous_nt_hash != NULL) {
> > -+ state->previous_nt_hash = *previous_nt_hash;
> > -+ state->try_previous_nt_hash = true;
> > -+ }
> > -+
> > -+ if (context->db.locked_state != NULL) {
> > -+ tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
> > -+ if (tevent_req_nomem(locked_state, req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+ talloc_set_destructor(locked_state,
> > -+ netlogon_creds_cli_locked_state_destructor);
> > -+ locked_state->context = context;
> > -+
> > -+ context->db.locked_state = locked_state;
> > -+ state->locked_state = locked_state;
> > -+
> > -+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
> > -+ context->server.computer);
> > -+ if (tevent_req_nomem(state->srv_name_slash, req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ state->try_auth3 = true;
> > -+ state->try_auth2 = true;
> > -+
> > -+ if (context->client.required_flags != 0) {
> > -+ state->require_auth2 = true;
> > -+ }
> > -+
> > -+ state->used_nt_hash = state->current_nt_hash;
> > -+ state->current_flags = context->client.proposed_flags;
> > -+
> > -+ if (context->db.g_ctx != NULL) {
> > -+ struct tevent_req *subreq;
> > -+
> > -+ subreq = g_lock_lock_send(state, ev,
> > -+ context->db.g_ctx,
> > -+ context->db.key_name,
> > -+ G_LOCK_WRITE);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+ tevent_req_set_callback(subreq,
> > -+ netlogon_creds_cli_auth_locked,
> > -+ req);
> > -+
> > -+ return req;
> > -+ }
> > -+
> > -+ status = dbwrap_delete(state->context->db.ctx,
> > -+ state->context->db.key_data);
> > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
> > -+ status = NT_STATUS_OK;
> > -+ }
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ netlogon_creds_cli_auth_challenge_start(req);
> > -+ if (!tevent_req_is_in_progress(req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ return req;
> > -+}
> > -+
> > -+static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq)
> > -+{
> > -+ struct tevent_req *req =
> > -+ tevent_req_callback_data(subreq,
> > -+ struct tevent_req);
> > -+ struct netlogon_creds_cli_auth_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_auth_state);
> > -+ NTSTATUS status;
> > -+
> > -+ status = g_lock_lock_recv(subreq);
> > -+ TALLOC_FREE(subreq);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+ state->locked_state->is_glocked = true;
> > -+
> > -+ status = dbwrap_delete(state->context->db.ctx,
> > -+ state->context->db.key_data);
> > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
> > -+ status = NT_STATUS_OK;
> > -+ }
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+
> > -+ netlogon_creds_cli_auth_challenge_start(req);
> > -+}
> > -+
> > -+static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq);
> > -+
> > -+static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
> > -+{
> > -+ struct netlogon_creds_cli_auth_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_auth_state);
> > -+ struct tevent_req *subreq;
> > -+
> > -+ TALLOC_FREE(state->creds);
> > -+
> > -+ generate_random_buffer(state->client_challenge.data,
> > -+ sizeof(state->client_challenge.data));
> > -+
> > -+ subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
> > -+ state->binding_handle,
> > -+ state->srv_name_slash,
> > -+ state->context->client.computer,
> > -+ &state->client_challenge,
> > -+ &state->server_challenge);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ return;
> > -+ }
> > -+ tevent_req_set_callback(subreq,
> > -+ netlogon_creds_cli_auth_challenge_done,
> > -+ req);
> > -+}
> > -+
> > -+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq);
> > -+
> > -+static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq)
> > -+{
> > -+ struct tevent_req *req =
> > -+ tevent_req_callback_data(subreq,
> > -+ struct tevent_req);
> > -+ struct netlogon_creds_cli_auth_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_auth_state);
> > -+ NTSTATUS status;
> > -+ NTSTATUS result;
> > -+
> > -+ status = dcerpc_netr_ServerReqChallenge_recv(subreq, state, &result);
> > -+ TALLOC_FREE(subreq);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+ if (tevent_req_nterror(req, result)) {
> > -+ return;
> > -+ }
> > -+
> > -+ if (!state->try_auth3 && !state->try_auth2) {
> > -+ state->current_flags = 0;
> > -+ }
> > -+
> > -+ /* Calculate the session key and client credentials */
> > -+
> > -+ state->creds = netlogon_creds_client_init(state,
> > -+ state->context->client.account,
> > -+ state->context->client.computer,
> > -+ state->context->client.type,
> > -+ &state->client_challenge,
> > -+ &state->server_challenge,
> > -+ &state->used_nt_hash,
> > -+ &state->client_credential,
> > -+ state->current_flags);
> > -+ if (tevent_req_nomem(state->creds, req)) {
> > -+ return;
> > -+ }
> > -+
> > -+ if (state->try_auth3) {
> > -+ subreq = dcerpc_netr_ServerAuthenticate3_send(state, state->ev,
> > -+ state->binding_handle,
> > -+ state->srv_name_slash,
> > -+ state->context->client.account,
> > -+ state->context->client.type,
> > -+ state->context->client.computer,
> > -+ &state->client_credential,
> > -+ &state->server_credential,
> > -+ &state->creds->negotiate_flags,
> > -+ &state->rid);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ return;
> > -+ }
> > -+ } else if (state->try_auth2) {
> > -+ state->rid = 0;
> > -+
> > -+ subreq = dcerpc_netr_ServerAuthenticate2_send(state, state->ev,
> > -+ state->binding_handle,
> > -+ state->srv_name_slash,
> > -+ state->context->client.account,
> > -+ state->context->client.type,
> > -+ state->context->client.computer,
> > -+ &state->client_credential,
> > -+ &state->server_credential,
> > -+ &state->creds->negotiate_flags);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ return;
> > -+ }
> > -+ } else {
> > -+ state->rid = 0;
> > -+
> > -+ subreq = dcerpc_netr_ServerAuthenticate_send(state, state->ev,
> > -+ state->binding_handle,
> > -+ state->srv_name_slash,
> > -+ state->context->client.account,
> > -+ state->context->client.type,
> > -+ state->context->client.computer,
> > -+ &state->client_credential,
> > -+ &state->server_credential);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ return;
> > -+ }
> > -+ }
> > -+ tevent_req_set_callback(subreq,
> > -+ netlogon_creds_cli_auth_srvauth_done,
> > -+ req);
> > -+}
> > -+
> > -+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
> > -+{
> > -+ struct tevent_req *req =
> > -+ tevent_req_callback_data(subreq,
> > -+ struct tevent_req);
> > -+ struct netlogon_creds_cli_auth_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_auth_state);
> > -+ NTSTATUS status;
> > -+ NTSTATUS result;
> > -+ bool ok;
> > -+ enum ndr_err_code ndr_err;
> > -+ DATA_BLOB blob;
> > -+ TDB_DATA data;
> > -+ uint32_t tmp_flags;
> > -+
> > -+ if (state->try_auth3) {
> > -+ status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state,
> > -+ &result);
> > -+ TALLOC_FREE(subreq);
> > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > -+ state->try_auth3 = false;
> > -+ netlogon_creds_cli_auth_challenge_start(req);
> > -+ return;
> > -+ }
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+ } else if (state->try_auth2) {
> > -+ status = dcerpc_netr_ServerAuthenticate2_recv(subreq, state,
> > -+ &result);
> > -+ TALLOC_FREE(subreq);
> > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > -+ state->try_auth2 = false;
> > -+ if (state->require_auth2) {
> > -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> > -+ tevent_req_nterror(req, status);
> > -+ return;
> > -+ }
> > -+ netlogon_creds_cli_auth_challenge_start(req);
> > -+ return;
> > -+ }
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+ } else {
> > -+ status = dcerpc_netr_ServerAuthenticate_recv(subreq, state,
> > -+ &result);
> > -+ TALLOC_FREE(subreq);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+ }
> > -+
> > -+ if (!NT_STATUS_IS_OK(result) &&
> > -+ !NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED))
> > -+ {
> > -+ tevent_req_nterror(req, result);
> > -+ return;
> > -+ }
> > -+
> > -+ tmp_flags = state->creds->negotiate_flags;
> > -+ tmp_flags &= state->context->client.required_flags;
> > -+ if (tmp_flags != state->context->client.required_flags) {
> > -+ if (NT_STATUS_IS_OK(result)) {
> > -+ tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED);
> > -+ return;
> > -+ }
> > -+ tevent_req_nterror(req, result);
> > -+ return;
> > -+ }
> > -+
> > -+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
> > -+
> > -+ tmp_flags = state->context->client.proposed_flags;
> > -+ if ((state->current_flags == tmp_flags) &&
> > -+ (state->creds->negotiate_flags != tmp_flags))
> > -+ {
> > -+ /*
> > -+ * lets retry with the negotiated flags
> > -+ */
> > -+ state->current_flags = state->creds->negotiate_flags;
> > -+ netlogon_creds_cli_auth_challenge_start(req);
> > -+ return;
> > -+ }
> > -+
> > -+ if (!state->try_previous_nt_hash) {
> > -+ /*
> > -+ * we already retried, giving up...
> > -+ */
> > -+ tevent_req_nterror(req, result);
> > -+ return;
> > -+ }
> > -+
> > -+ /*
> > -+ * lets retry with the old nt hash.
> > -+ */
> > -+ state->try_previous_nt_hash = false;
> > -+ state->used_nt_hash = state->previous_nt_hash;
> > -+ state->current_flags = state->context->client.proposed_flags;
> > -+ netlogon_creds_cli_auth_challenge_start(req);
> > -+ return;
> > -+ }
> > -+
> > -+ ok = netlogon_creds_client_check(state->creds,
> > -+ &state->server_credential);
> > -+ if (!ok) {
> > -+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
> > -+ return;
> > -+ }
> > -+
> > -+ ndr_err = ndr_push_struct_blob(&blob, state, state->creds,
> > -+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > -+ status = ndr_map_error2ntstatus(ndr_err);
> > -+ tevent_req_nterror(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ data.dptr = blob.data;
> > -+ data.dsize = blob.length;
> > -+
> > -+ status = dbwrap_store(state->context->db.ctx,
> > -+ state->context->db.key_data,
> > -+ data, TDB_REPLACE);
> > -+ TALLOC_FREE(state->locked_state);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+
> > -+ tevent_req_done(req);
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req)
> > -+{
> > -+ NTSTATUS status;
> > -+
> > -+ if (tevent_req_is_nterror(req, &status)) {
> > -+ tevent_req_received(req);
> > -+ return status;
> > -+ }
> > -+
> > -+ tevent_req_received(req);
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b,
> > -+ struct samr_Password current_nt_hash,
> > -+ const struct samr_Password *previous_nt_hash)
> > -+{
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct tevent_context *ev;
> > -+ struct tevent_req *req;
> > -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> > -+
> > -+ ev = samba_tevent_context_init(frame);
> > -+ if (ev == NULL) {
> > -+ goto fail;
> > -+ }
> > -+ req = netlogon_creds_cli_auth_send(frame, ev, context, b,
> > -+ current_nt_hash,
> > -+ previous_nt_hash);
> > -+ if (req == NULL) {
> > -+ goto fail;
> > -+ }
> > -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> > -+ goto fail;
> > -+ }
> > -+ status = netlogon_creds_cli_auth_recv(req);
> > -+ fail:
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+}
> > -+
> > -+struct netlogon_creds_cli_check_state {
> > -+ struct tevent_context *ev;
> > -+ struct netlogon_creds_cli_context *context;
> > -+ struct dcerpc_binding_handle *binding_handle;
> > -+
> > -+ char *srv_name_slash;
> > -+
> > -+ union netr_Capabilities caps;
> > -+
> > -+ struct netlogon_creds_CredentialState *creds;
> > -+ struct netlogon_creds_CredentialState tmp_creds;
> > -+ struct netr_Authenticator req_auth;
> > -+ struct netr_Authenticator rep_auth;
> > -+};
> > -+
> > -+static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
> > -+ NTSTATUS status);
> > -+static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
> > -+
> > -+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b)
> > -+{
> > -+ struct tevent_req *req;
> > -+ struct netlogon_creds_cli_check_state *state;
> > -+ struct tevent_req *subreq;
> > -+ enum dcerpc_AuthType auth_type;
> > -+ enum dcerpc_AuthLevel auth_level;
> > -+
> > -+ req = tevent_req_create(mem_ctx, &state,
> > -+ struct netlogon_creds_cli_check_state);
> > -+ if (req == NULL) {
> > -+ return NULL;
> > -+ }
> > -+
> > -+ state->ev = ev;
> > -+ state->context = context;
> > -+ state->binding_handle = b;
> > -+
> > -+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
> > -+ context->server.computer);
> > -+ if (tevent_req_nomem(state->srv_name_slash, req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ dcerpc_binding_handle_auth_info(state->binding_handle,
> > -+ &auth_type, &auth_level);
> > -+
> > -+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
> > -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ switch (auth_level) {
> > -+ case DCERPC_AUTH_LEVEL_INTEGRITY:
> > -+ case DCERPC_AUTH_LEVEL_PRIVACY:
> > -+ break;
> > -+ default:
> > -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
> > -+ state->context);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ tevent_req_set_callback(subreq,
> > -+ netlogon_creds_cli_check_locked,
> > -+ req);
> > -+
> > -+ return req;
> > -+}
> > -+
> > -+static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
> > -+ NTSTATUS status)
> > -+{
> > -+ struct netlogon_creds_cli_check_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_check_state);
> > -+
> > -+ if (state->creds == NULL) {
> > -+ return;
> > -+ }
> > -+
> > -+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
> > -+ TALLOC_FREE(state->creds);
> > -+ return;
> > -+ }
> > -+
> > -+ netlogon_creds_cli_delete(state->context, &state->creds);
> > -+}
> > -+
> > -+static void netlogon_creds_cli_check_caps(struct tevent_req *subreq);
> > -+
> > -+static void netlogon_creds_cli_check_locked(struct tevent_req *subreq)
> > -+{
> > -+ struct tevent_req *req =
> > -+ tevent_req_callback_data(subreq,
> > -+ struct tevent_req);
> > -+ struct netlogon_creds_cli_check_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_check_state);
> > -+ NTSTATUS status;
> > -+
> > -+ status = netlogon_creds_cli_lock_recv(subreq, state,
> > -+ &state->creds);
> > -+ TALLOC_FREE(subreq);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+
> > -+ /*
> > -+ * we defer all callbacks in order to cleanup
> > -+ * the database record.
> > -+ */
> > -+ tevent_req_defer_callback(req, state->ev);
> > -+
> > -+ state->tmp_creds = *state->creds;
> > -+ netlogon_creds_client_authenticator(&state->tmp_creds,
> > -+ &state->req_auth);
> > -+ ZERO_STRUCT(state->rep_auth);
> > -+
> > -+ subreq = dcerpc_netr_LogonGetCapabilities_send(state, state->ev,
> > -+ state->binding_handle,
> > -+ state->srv_name_slash,
> > -+ state->context->client.computer,
> > -+ &state->req_auth,
> > -+ &state->rep_auth,
> > -+ 1,
> > -+ &state->caps);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ netlogon_creds_cli_check_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+ tevent_req_set_callback(subreq,
> > -+ netlogon_creds_cli_check_caps,
> > -+ req);
> > -+}
> > -+
> > -+static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
> > -+{
> > -+ struct tevent_req *req =
> > -+ tevent_req_callback_data(subreq,
> > -+ struct tevent_req);
> > -+ struct netlogon_creds_cli_check_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_check_state);
> > -+ NTSTATUS status;
> > -+ NTSTATUS result;
> > -+ bool ok;
> > -+
> > -+ status = dcerpc_netr_LogonGetCapabilities_recv(subreq, state,
> > -+ &result);
> > -+ TALLOC_FREE(subreq);
> > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > -+ /*
> > -+ * Note that the negotiated flags are already checked
> > -+ * for our required flags after the ServerAuthenticate3/2 call.
> > -+ */
> > -+ uint32_t negotiated = state->tmp_creds.negotiate_flags;
> > -+
> > -+ if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
> > -+ /*
> > -+ * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
> > -+ * already, we expect this to work!
> > -+ */
> > -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> > -+ tevent_req_nterror(req, status);
> > -+ netlogon_creds_cli_check_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ if (negotiated & NETLOGON_NEG_STRONG_KEYS) {
> > -+ /*
> > -+ * If we have negotiated NETLOGON_NEG_STRONG_KEYS
> > -+ * we expect this to work at least as far as the
> > -+ * NOT_SUPPORTED error handled below!
> > -+ *
> > -+ * NT 4.0 and Old Samba servers are not
> > -+ * allowed without "require strong key = no"
> > -+ */
> > -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> > -+ tevent_req_nterror(req, status);
> > -+ netlogon_creds_cli_check_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ /*
> > -+ * If we not require NETLOGON_NEG_SUPPORTS_AES or
> > -+ * NETLOGON_NEG_STRONG_KEYS, it's ok to ignore
> > -+ * NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
> > -+ *
> > -+ * This is needed against NT 4.0 and old Samba servers.
> > -+ *
> > -+ * As we're using DCERPC_AUTH_TYPE_SCHANNEL with
> > -+ * DCERPC_AUTH_LEVEL_INTEGRITY or DCERPC_AUTH_LEVEL_PRIVACY
> > -+ * we should detect a faked NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
> > -+ * with the next request as the sequence number processing
> > -+ * gets out of sync.
> > -+ */
> > -+ netlogon_creds_cli_check_cleanup(req, result);
> > -+ tevent_req_done(req);
> > -+ return;
> > -+ }
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ netlogon_creds_cli_check_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
> > -+ /*
> > -+ * Note that the negotiated flags are already checked
> > -+ * for our required flags after the ServerAuthenticate3/2 call.
> > -+ */
> > -+ uint32_t negotiated = state->tmp_creds.negotiate_flags;
> > -+
> > -+ if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
> > -+ /*
> > -+ * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
> > -+ * already, we expect this to work!
> > -+ */
> > -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> > -+ tevent_req_nterror(req, status);
> > -+ netlogon_creds_cli_check_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ /*
> > -+ * This is ok, the server does not support
> > -+ * NETLOGON_NEG_SUPPORTS_AES.
> > -+ *
> > -+ * netr_LogonGetCapabilities() was
> > -+ * netr_LogonDummyRoutine1() before
> > -+ * NETLOGON_NEG_SUPPORTS_AES was invented.
> > -+ */
> > -+ netlogon_creds_cli_check_cleanup(req, result);
> > -+ tevent_req_done(req);
> > -+ return;
> > -+ }
> > -+
> > -+ ok = netlogon_creds_client_check(&state->tmp_creds,
> > -+ &state->rep_auth.cred);
> > -+ if (!ok) {
> > -+ status = NT_STATUS_ACCESS_DENIED;
> > -+ tevent_req_nterror(req, status);
> > -+ netlogon_creds_cli_check_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ if (tevent_req_nterror(req, result)) {
> > -+ netlogon_creds_cli_check_cleanup(req, result);
> > -+ return;
> > -+ }
> > -+
> > -+ if (state->caps.server_capabilities != state->tmp_creds.negotiate_flags) {
> > -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> > -+ tevent_req_nterror(req, status);
> > -+ netlogon_creds_cli_check_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ /*
> > -+ * This is the key check that makes this check secure. If we
> > -+ * get OK here (rather than NOT_SUPPORTED), then the server
> > -+ * did support AES. If the server only proposed STRONG_KEYS
> > -+ * and not AES, then it should have failed with
> > -+ * NOT_IMPLEMENTED. We always send AES as a client, so the
> > -+ * server should always have returned it.
> > -+ */
> > -+ if (!(state->caps.server_capabilities & NETLOGON_NEG_SUPPORTS_AES)) {
> > -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> > -+ tevent_req_nterror(req, status);
> > -+ netlogon_creds_cli_check_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ *state->creds = state->tmp_creds;
> > -+ status = netlogon_creds_cli_store(state->context,
> > -+ &state->creds);
> > -+ netlogon_creds_cli_check_cleanup(req, status);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+
> > -+ tevent_req_done(req);
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req)
> > -+{
> > -+ NTSTATUS status;
> > -+
> > -+ if (tevent_req_is_nterror(req, &status)) {
> > -+ netlogon_creds_cli_check_cleanup(req, status);
> > -+ tevent_req_received(req);
> > -+ return status;
> > -+ }
> > -+
> > -+ tevent_req_received(req);
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b)
> > -+{
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct tevent_context *ev;
> > -+ struct tevent_req *req;
> > -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> > -+
> > -+ ev = samba_tevent_context_init(frame);
> > -+ if (ev == NULL) {
> > -+ goto fail;
> > -+ }
> > -+ req = netlogon_creds_cli_check_send(frame, ev, context, b);
> > -+ if (req == NULL) {
> > -+ goto fail;
> > -+ }
> > -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> > -+ goto fail;
> > -+ }
> > -+ status = netlogon_creds_cli_check_recv(req);
> > -+ fail:
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+}
> > -+
> > -+struct netlogon_creds_cli_ServerPasswordSet_state {
> > -+ struct tevent_context *ev;
> > -+ struct netlogon_creds_cli_context *context;
> > -+ struct dcerpc_binding_handle *binding_handle;
> > -+ uint32_t old_timeout;
> > -+
> > -+ char *srv_name_slash;
> > -+ enum dcerpc_AuthType auth_type;
> > -+ enum dcerpc_AuthLevel auth_level;
> > -+
> > -+ struct samr_CryptPassword samr_crypt_password;
> > -+ struct netr_CryptPassword netr_crypt_password;
> > -+ struct samr_Password samr_password;
> > -+
> > -+ struct netlogon_creds_CredentialState *creds;
> > -+ struct netlogon_creds_CredentialState tmp_creds;
> > -+ struct netr_Authenticator req_auth;
> > -+ struct netr_Authenticator rep_auth;
> > -+};
> > -+
> > -+static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
> > -+ NTSTATUS status);
> > -+static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq);
> > -+
> > -+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b,
> > -+ const char *new_password,
> > -+ const uint32_t *new_version)
> > -+{
> > -+ struct tevent_req *req;
> > -+ struct netlogon_creds_cli_ServerPasswordSet_state *state;
> > -+ struct tevent_req *subreq;
> > -+ bool ok;
> > -+
> > -+ req = tevent_req_create(mem_ctx, &state,
> > -+ struct netlogon_creds_cli_ServerPasswordSet_state);
> > -+ if (req == NULL) {
> > -+ return NULL;
> > -+ }
> > -+
> > -+ state->ev = ev;
> > -+ state->context = context;
> > -+ state->binding_handle = b;
> > -+
> > -+ /*
> > -+ * netr_ServerPasswordSet
> > -+ */
> > -+ E_md4hash(new_password, state->samr_password.hash);
> > -+
> > -+ /*
> > -+ * netr_ServerPasswordSet2
> > -+ */
> > -+ ok = encode_pw_buffer(state->samr_crypt_password.data,
> > -+ new_password, STR_UNICODE);
> > -+ if (!ok) {
> > -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ if (new_version != NULL) {
> > -+ struct NL_PASSWORD_VERSION version;
> > -+ uint32_t len = IVAL(state->samr_crypt_password.data, 512);
> > -+ uint32_t ofs = 512 - len;
> > -+ uint8_t *p;
> > -+
> > -+ if (ofs < 12) {
> > -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+ ofs -= 12;
> > -+
> > -+ version.ReservedField = 0;
> > -+ version.PasswordVersionNumber = *new_version;
> > -+ version.PasswordVersionPresent =
> > -+ NETLOGON_PASSWORD_VERSION_NUMBER_PRESENT;
> > -+
> > -+ p = state->samr_crypt_password.data + ofs;
> > -+ SIVAL(p, 0, version.ReservedField);
> > -+ SIVAL(p, 4, version.PasswordVersionNumber);
> > -+ SIVAL(p, 8, version.PasswordVersionPresent);
> > -+ }
> > -+
> > -+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
> > -+ context->server.computer);
> > -+ if (tevent_req_nomem(state->srv_name_slash, req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ dcerpc_binding_handle_auth_info(state->binding_handle,
> > -+ &state->auth_type,
> > -+ &state->auth_level);
> > -+
> > -+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
> > -+ state->context);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ tevent_req_set_callback(subreq,
> > -+ netlogon_creds_cli_ServerPasswordSet_locked,
> > -+ req);
> > -+
> > -+ return req;
> > -+}
> > -+
> > -+static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
> > -+ NTSTATUS status)
> > -+{
> > -+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_ServerPasswordSet_state);
> > -+
> > -+ if (state->creds == NULL) {
> > -+ return;
> > -+ }
> > -+
> > -+ dcerpc_binding_handle_set_timeout(state->binding_handle,
> > -+ state->old_timeout);
> > -+
> > -+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
> > -+ TALLOC_FREE(state->creds);
> > -+ return;
> > -+ }
> > -+
> > -+ netlogon_creds_cli_delete(state->context, &state->creds);
> > -+}
> > -+
> > -+static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq);
> > -+
> > -+static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq)
> > -+{
> > -+ struct tevent_req *req =
> > -+ tevent_req_callback_data(subreq,
> > -+ struct tevent_req);
> > -+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_ServerPasswordSet_state);
> > -+ NTSTATUS status;
> > -+
> > -+ status = netlogon_creds_cli_lock_recv(subreq, state,
> > -+ &state->creds);
> > -+ TALLOC_FREE(subreq);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ return;
> > -+ }
> > -+
> > -+ if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
> > -+ switch (state->auth_level) {
> > -+ case DCERPC_AUTH_LEVEL_INTEGRITY:
> > -+ case DCERPC_AUTH_LEVEL_PRIVACY:
> > -+ break;
> > -+ default:
> > -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > -+ return;
> > -+ }
> > -+ } else {
> > -+ uint32_t tmp = state->creds->negotiate_flags;
> > -+
> > -+ if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
> > -+ /*
> > -+ * if DCERPC_AUTH_TYPE_SCHANNEL is supported
> > -+ * it should be used, which means
> > -+ * we had a chance to verify no downgrade
> > -+ * happened.
> > -+ *
> > -+ * This relies on netlogon_creds_cli_check*
> > -+ * being called before, as first request after
> > -+ * the DCERPC bind.
> > -+ */
> > -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > -+ return;
> > -+ }
> > -+ }
> > -+
> > -+ state->old_timeout = dcerpc_binding_handle_set_timeout(
> > -+ state->binding_handle, 600000);
> > -+
> > -+ /*
> > -+ * we defer all callbacks in order to cleanup
> > -+ * the database record.
> > -+ */
> > -+ tevent_req_defer_callback(req, state->ev);
> > -+
> > -+ state->tmp_creds = *state->creds;
> > -+ netlogon_creds_client_authenticator(&state->tmp_creds,
> > -+ &state->req_auth);
> > -+ ZERO_STRUCT(state->rep_auth);
> > -+
> > -+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
> > -+
> > -+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -+ netlogon_creds_aes_encrypt(&state->tmp_creds,
> > -+ state->samr_crypt_password.data,
> > -+ 516);
> > -+ } else {
> > -+ netlogon_creds_arcfour_crypt(&state->tmp_creds,
> > -+ state->samr_crypt_password.data,
> > -+ 516);
> > -+ }
> > -+
> > -+ memcpy(state->netr_crypt_password.data,
> > -+ state->samr_crypt_password.data, 512);
> > -+ state->netr_crypt_password.length =
> > -+ IVAL(state->samr_crypt_password.data, 512);
> > -+
> > -+ subreq = dcerpc_netr_ServerPasswordSet2_send(state, state->ev,
> > -+ state->binding_handle,
> > -+ state->srv_name_slash,
> > -+ state->tmp_creds.account_name,
> > -+ state->tmp_creds.secure_channel_type,
> > -+ state->tmp_creds.computer_name,
> > -+ &state->req_auth,
> > -+ &state->rep_auth,
> > -+ &state->netr_crypt_password);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+ } else {
> > -+ netlogon_creds_des_encrypt(&state->tmp_creds,
> > -+ &state->samr_password);
> > -+
> > -+ subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev,
> > -+ state->binding_handle,
> > -+ state->srv_name_slash,
> > -+ state->tmp_creds.account_name,
> > -+ state->tmp_creds.secure_channel_type,
> > -+ state->tmp_creds.computer_name,
> > -+ &state->req_auth,
> > -+ &state->rep_auth,
> > -+ &state->samr_password);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+ }
> > -+
> > -+ tevent_req_set_callback(subreq,
> > -+ netlogon_creds_cli_ServerPasswordSet_done,
> > -+ req);
> > -+}
> > -+
> > -+static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq)
> > -+{
> > -+ struct tevent_req *req =
> > -+ tevent_req_callback_data(subreq,
> > -+ struct tevent_req);
> > -+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_ServerPasswordSet_state);
> > -+ NTSTATUS status;
> > -+ NTSTATUS result;
> > -+ bool ok;
> > -+
> > -+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
> > -+ status = dcerpc_netr_ServerPasswordSet2_recv(subreq, state,
> > -+ &result);
> > -+ TALLOC_FREE(subreq);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+ } else {
> > -+ status = dcerpc_netr_ServerPasswordSet_recv(subreq, state,
> > -+ &result);
> > -+ TALLOC_FREE(subreq);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+ }
> > -+
> > -+ ok = netlogon_creds_client_check(&state->tmp_creds,
> > -+ &state->rep_auth.cred);
> > -+ if (!ok) {
> > -+ status = NT_STATUS_ACCESS_DENIED;
> > -+ tevent_req_nterror(req, status);
> > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ if (tevent_req_nterror(req, result)) {
> > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, result);
> > -+ return;
> > -+ }
> > -+
> > -+ dcerpc_binding_handle_set_timeout(state->binding_handle,
> > -+ state->old_timeout);
> > -+
> > -+ *state->creds = state->tmp_creds;
> > -+ status = netlogon_creds_cli_store(state->context,
> > -+ &state->creds);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ tevent_req_done(req);
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req)
> > -+{
> > -+ NTSTATUS status;
> > -+
> > -+ if (tevent_req_is_nterror(req, &status)) {
> > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > -+ tevent_req_received(req);
> > -+ return status;
> > -+ }
> > -+
> > -+ tevent_req_received(req);
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
> > -+ struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b,
> > -+ const char *new_password,
> > -+ const uint32_t *new_version)
> > -+{
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct tevent_context *ev;
> > -+ struct tevent_req *req;
> > -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> > -+
> > -+ ev = samba_tevent_context_init(frame);
> > -+ if (ev == NULL) {
> > -+ goto fail;
> > -+ }
> > -+ req = netlogon_creds_cli_ServerPasswordSet_send(frame, ev, context, b,
> > -+ new_password,
> > -+ new_version);
> > -+ if (req == NULL) {
> > -+ goto fail;
> > -+ }
> > -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> > -+ goto fail;
> > -+ }
> > -+ status = netlogon_creds_cli_ServerPasswordSet_recv(req);
> > -+ fail:
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+}
> > -+
> > -+struct netlogon_creds_cli_LogonSamLogon_state {
> > -+ struct tevent_context *ev;
> > -+ struct netlogon_creds_cli_context *context;
> > -+ struct dcerpc_binding_handle *binding_handle;
> > -+
> > -+ char *srv_name_slash;
> > -+
> > -+ enum netr_LogonInfoClass logon_level;
> > -+ const union netr_LogonLevel *const_logon;
> > -+ union netr_LogonLevel *logon;
> > -+ uint32_t flags;
> > -+
> > -+ uint16_t validation_level;
> > -+ union netr_Validation *validation;
> > -+ uint8_t authoritative;
> > -+
> > -+ /*
> > -+ * do we need encryption at the application layer?
> > -+ */
> > -+ bool user_encrypt;
> > -+ bool try_logon_ex;
> > -+ bool try_validation6;
> > -+
> > -+ /*
> > -+ * the read only credentials before we started the operation
> > -+ */
> > -+ struct netlogon_creds_CredentialState *ro_creds;
> > -+
> > -+ struct netlogon_creds_CredentialState *lk_creds;
> > -+
> > -+ struct netlogon_creds_CredentialState tmp_creds;
> > -+ struct netr_Authenticator req_auth;
> > -+ struct netr_Authenticator rep_auth;
> > -+};
> > -+
> > -+static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req);
> > -+static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
> > -+ NTSTATUS status);
> > -+
> > -+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b,
> > -+ enum netr_LogonInfoClass logon_level,
> > -+ const union netr_LogonLevel *logon,
> > -+ uint32_t flags)
> > -+{
> > -+ struct tevent_req *req;
> > -+ struct netlogon_creds_cli_LogonSamLogon_state *state;
> > -+
> > -+ req = tevent_req_create(mem_ctx, &state,
> > -+ struct netlogon_creds_cli_LogonSamLogon_state);
> > -+ if (req == NULL) {
> > -+ return NULL;
> > -+ }
> > -+
> > -+ state->ev = ev;
> > -+ state->context = context;
> > -+ state->binding_handle = b;
> > -+
> > -+ state->logon_level = logon_level;
> > -+ state->const_logon = logon;
> > -+ state->flags = flags;
> > -+
> > -+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
> > -+ context->server.computer);
> > -+ if (tevent_req_nomem(state->srv_name_slash, req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ switch (logon_level) {
> > -+ case NetlogonInteractiveInformation:
> > -+ case NetlogonInteractiveTransitiveInformation:
> > -+ case NetlogonServiceInformation:
> > -+ case NetlogonServiceTransitiveInformation:
> > -+ case NetlogonGenericInformation:
> > -+ state->user_encrypt = true;
> > -+ break;
> > -+
> > -+ case NetlogonNetworkInformation:
> > -+ case NetlogonNetworkTransitiveInformation:
> > -+ break;
> > -+ }
> > -+
> > -+ state->validation = talloc_zero(state, union netr_Validation);
> > -+ if (tevent_req_nomem(state->validation, req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ netlogon_creds_cli_LogonSamLogon_start(req);
> > -+ if (!tevent_req_is_in_progress(req)) {
> > -+ return tevent_req_post(req, ev);
> > -+ }
> > -+
> > -+ /*
> > -+ * we defer all callbacks in order to cleanup
> > -+ * the database record.
> > -+ */
> > -+ tevent_req_defer_callback(req, state->ev);
> > -+ return req;
> > -+}
> > -+
> > -+static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
> > -+ NTSTATUS status)
> > -+{
> > -+ struct netlogon_creds_cli_LogonSamLogon_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_LogonSamLogon_state);
> > -+
> > -+ if (state->lk_creds == NULL) {
> > -+ return;
> > -+ }
> > -+
> > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > -+ /*
> > -+ * This is a hack to recover from a bug in old
> > -+ * Samba servers, when LogonSamLogonEx() fails:
> > -+ *
> > -+ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
> > -+ *
> > -+ * All following request will get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
> > -+ *
> > -+ * A second bug generates NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE,
> > -+ * instead of NT_STATUS_ACCESS_DENIED or NT_STATUS_RPC_SEC_PKG_ERROR
> > -+ * If the sign/seal check fails.
> > -+ *
> > -+ * In that case we need to cleanup the netlogon session.
> > -+ *
> > -+ * It's the job of the caller to disconnect the current
> > -+ * connection, if netlogon_creds_cli_LogonSamLogon()
> > -+ * returns NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
> > -+ */
> > -+ if (!state->context->server.try_logon_with) {
> > -+ status = NT_STATUS_NETWORK_ACCESS_DENIED;
> > -+ }
> > -+ }
> > -+
> > -+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
> > -+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
> > -+ TALLOC_FREE(state->lk_creds);
> > -+ return;
> > -+ }
> > -+
> > -+ netlogon_creds_cli_delete(state->context, &state->lk_creds);
> > -+}
> > -+
> > -+static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq);
> > -+
> > -+static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req)
> > -+{
> > -+ struct netlogon_creds_cli_LogonSamLogon_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_LogonSamLogon_state);
> > -+ struct tevent_req *subreq;
> > -+ NTSTATUS status;
> > -+ enum dcerpc_AuthType auth_type;
> > -+ enum dcerpc_AuthLevel auth_level;
> > -+
> > -+ TALLOC_FREE(state->ro_creds);
> > -+ TALLOC_FREE(state->logon);
> > -+ ZERO_STRUCTP(state->validation);
> > -+
> > -+ dcerpc_binding_handle_auth_info(state->binding_handle,
> > -+ &auth_type, &auth_level);
> > -+
> > -+ state->try_logon_ex = state->context->server.try_logon_ex;
> > -+ state->try_validation6 = state->context->server.try_validation6;
> > -+
> > -+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
> > -+ state->try_logon_ex = false;
> > -+ }
> > -+
> > -+ if (auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
> > -+ state->try_validation6 = false;
> > -+ }
> > -+
> > -+ if (state->try_logon_ex) {
> > -+ if (state->try_validation6) {
> > -+ state->validation_level = 6;
> > -+ } else {
> > -+ state->validation_level = 3;
> > -+ state->user_encrypt = true;
> > -+ }
> > -+
> > -+ state->logon = netlogon_creds_shallow_copy_logon(state,
> > -+ state->logon_level,
> > -+ state->const_logon);
> > -+ if (tevent_req_nomem(state->logon, req)) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ if (state->user_encrypt) {
> > -+ status = netlogon_creds_cli_get(state->context,
> > -+ state,
> > -+ &state->ro_creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ status = NT_STATUS_ACCESS_DENIED;
> > -+ tevent_req_nterror(req, status);
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
> > -+ state->logon_level,
> > -+ state->logon);
> > -+ }
> > -+
> > -+ subreq = dcerpc_netr_LogonSamLogonEx_send(state, state->ev,
> > -+ state->binding_handle,
> > -+ state->srv_name_slash,
> > -+ state->context->client.computer,
> > -+ state->logon_level,
> > -+ state->logon,
> > -+ state->validation_level,
> > -+ state->validation,
> > -+ &state->authoritative,
> > -+ &state->flags);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+ tevent_req_set_callback(subreq,
> > -+ netlogon_creds_cli_LogonSamLogon_done,
> > -+ req);
> > -+ return;
> > -+ }
> > -+
> > -+ if (state->lk_creds == NULL) {
> > -+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
> > -+ state->context);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+ tevent_req_set_callback(subreq,
> > -+ netlogon_creds_cli_LogonSamLogon_done,
> > -+ req);
> > -+ return;
> > -+ }
> > -+
> > -+ state->tmp_creds = *state->lk_creds;
> > -+ netlogon_creds_client_authenticator(&state->tmp_creds,
> > -+ &state->req_auth);
> > -+ ZERO_STRUCT(state->rep_auth);
> > -+
> > -+ state->logon = netlogon_creds_shallow_copy_logon(state,
> > -+ state->logon_level,
> > -+ state->const_logon);
> > -+ if (tevent_req_nomem(state->logon, req)) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
> > -+ state->logon_level,
> > -+ state->logon);
> > -+
> > -+ state->validation_level = 3;
> > -+
> > -+ if (state->context->server.try_logon_with) {
> > -+ subreq = dcerpc_netr_LogonSamLogonWithFlags_send(state, state->ev,
> > -+ state->binding_handle,
> > -+ state->srv_name_slash,
> > -+ state->context->client.computer,
> > -+ &state->req_auth,
> > -+ &state->rep_auth,
> > -+ state->logon_level,
> > -+ state->logon,
> > -+ state->validation_level,
> > -+ state->validation,
> > -+ &state->authoritative,
> > -+ &state->flags);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+ } else {
> > -+ state->flags = 0;
> > -+
> > -+ subreq = dcerpc_netr_LogonSamLogon_send(state, state->ev,
> > -+ state->binding_handle,
> > -+ state->srv_name_slash,
> > -+ state->context->client.computer,
> > -+ &state->req_auth,
> > -+ &state->rep_auth,
> > -+ state->logon_level,
> > -+ state->logon,
> > -+ state->validation_level,
> > -+ state->validation,
> > -+ &state->authoritative);
> > -+ if (tevent_req_nomem(subreq, req)) {
> > -+ status = NT_STATUS_NO_MEMORY;
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+ }
> > -+
> > -+ tevent_req_set_callback(subreq,
> > -+ netlogon_creds_cli_LogonSamLogon_done,
> > -+ req);
> > -+}
> > -+
> > -+static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
> > -+{
> > -+ struct tevent_req *req =
> > -+ tevent_req_callback_data(subreq,
> > -+ struct tevent_req);
> > -+ struct netlogon_creds_cli_LogonSamLogon_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_LogonSamLogon_state);
> > -+ NTSTATUS status;
> > -+ NTSTATUS result;
> > -+ bool ok;
> > -+
> > -+ if (state->try_logon_ex) {
> > -+ status = dcerpc_netr_LogonSamLogonEx_recv(subreq,
> > -+ state->validation,
> > -+ &result);
> > -+ TALLOC_FREE(subreq);
> > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > -+ state->context->server.try_validation6 = false;
> > -+ state->context->server.try_logon_ex = false;
> > -+ netlogon_creds_cli_LogonSamLogon_start(req);
> > -+ return;
> > -+ }
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ if ((state->validation_level == 6) &&
> > -+ (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
> > -+ NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
> > -+ NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)))
> > -+ {
> > -+ state->context->server.try_validation6 = false;
> > -+ netlogon_creds_cli_LogonSamLogon_start(req);
> > -+ return;
> > -+ }
> > -+
> > -+ if (tevent_req_nterror(req, result)) {
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
> > -+ return;
> > -+ }
> > -+
> > -+ if (state->ro_creds == NULL) {
> > -+ tevent_req_done(req);
> > -+ return;
> > -+ }
> > -+
> > -+ ok = netlogon_creds_cli_validate(state->context, state->ro_creds);
> > -+ if (!ok) {
> > -+ /*
> > -+ * We got a race, lets retry with on authenticator
> > -+ * protection.
> > -+ */
> > -+ TALLOC_FREE(state->ro_creds);
> > -+ state->try_logon_ex = false;
> > -+ netlogon_creds_cli_LogonSamLogon_start(req);
> > -+ return;
> > -+ }
> > -+
> > -+ netlogon_creds_decrypt_samlogon_validation(state->ro_creds,
> > -+ state->validation_level,
> > -+ state->validation);
> > -+
> > -+ tevent_req_done(req);
> > -+ return;
> > -+ }
> > -+
> > -+ if (state->lk_creds == NULL) {
> > -+ status = netlogon_creds_cli_lock_recv(subreq, state,
> > -+ &state->lk_creds);
> > -+ TALLOC_FREE(subreq);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ netlogon_creds_cli_LogonSamLogon_start(req);
> > -+ return;
> > -+ }
> > -+
> > -+ if (state->context->server.try_logon_with) {
> > -+ status = dcerpc_netr_LogonSamLogonWithFlags_recv(subreq,
> > -+ state->validation,
> > -+ &result);
> > -+ TALLOC_FREE(subreq);
> > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > -+ state->context->server.try_logon_with = false;
> > -+ netlogon_creds_cli_LogonSamLogon_start(req);
> > -+ return;
> > -+ }
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+ } else {
> > -+ status = dcerpc_netr_LogonSamLogon_recv(subreq,
> > -+ state->validation,
> > -+ &result);
> > -+ TALLOC_FREE(subreq);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+ }
> > -+
> > -+ ok = netlogon_creds_client_check(&state->tmp_creds,
> > -+ &state->rep_auth.cred);
> > -+ if (!ok) {
> > -+ status = NT_STATUS_ACCESS_DENIED;
> > -+ tevent_req_nterror(req, status);
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ *state->lk_creds = state->tmp_creds;
> > -+ status = netlogon_creds_cli_store(state->context,
> > -+ &state->lk_creds);
> > -+ if (tevent_req_nterror(req, status)) {
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ return;
> > -+ }
> > -+
> > -+ if (tevent_req_nterror(req, result)) {
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
> > -+ return;
> > -+ }
> > -+
> > -+ netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds,
> > -+ state->validation_level,
> > -+ state->validation);
> > -+
> > -+ tevent_req_done(req);
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ uint16_t *validation_level,
> > -+ union netr_Validation **validation,
> > -+ uint8_t *authoritative,
> > -+ uint32_t *flags)
> > -+{
> > -+ struct netlogon_creds_cli_LogonSamLogon_state *state =
> > -+ tevent_req_data(req,
> > -+ struct netlogon_creds_cli_LogonSamLogon_state);
> > -+ NTSTATUS status;
> > -+
> > -+ /* authoritative is also returned on error */
> > -+ *authoritative = state->authoritative;
> > -+
> > -+ if (tevent_req_is_nterror(req, &status)) {
> > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > -+ tevent_req_received(req);
> > -+ return status;
> > -+ }
> > -+
> > -+ *validation_level = state->validation_level;
> > -+ *validation = talloc_move(mem_ctx, &state->validation);
> > -+ *flags = state->flags;
> > -+
> > -+ tevent_req_received(req);
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+NTSTATUS netlogon_creds_cli_LogonSamLogon(
> > -+ struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b,
> > -+ enum netr_LogonInfoClass logon_level,
> > -+ const union netr_LogonLevel *logon,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ uint16_t *validation_level,
> > -+ union netr_Validation **validation,
> > -+ uint8_t *authoritative,
> > -+ uint32_t *flags)
> > -+{
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct tevent_context *ev;
> > -+ struct tevent_req *req;
> > -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> > -+
> > -+ ev = samba_tevent_context_init(frame);
> > -+ if (ev == NULL) {
> > -+ goto fail;
> > -+ }
> > -+ req = netlogon_creds_cli_LogonSamLogon_send(frame, ev, context, b,
> > -+ logon_level, logon,
> > -+ *flags);
> > -+ if (req == NULL) {
> > -+ goto fail;
> > -+ }
> > -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> > -+ goto fail;
> > -+ }
> > -+ status = netlogon_creds_cli_LogonSamLogon_recv(req, mem_ctx,
> > -+ validation_level,
> > -+ validation,
> > -+ authoritative,
> > -+ flags);
> > -+ fail:
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+}
> > -diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
> > -new file mode 100644
> > -index 0000000..f8f2bef
> > ---- /dev/null
> > -+++ b/libcli/auth/netlogon_creds_cli.h
> > -@@ -0,0 +1,138 @@
> > -+/*
> > -+ Unix SMB/CIFS implementation.
> > -+
> > -+ module to store/fetch session keys for the schannel client
> > -+
> > -+ Copyright (C) Stefan Metzmacher 2013
> > -+
> > -+ This program is free software; you can redistribute it and/or modify
> > -+ it under the terms of the GNU General Public License as published by
> > -+ the Free Software Foundation; either version 3 of the License, or
> > -+ (at your option) any later version.
> > -+
> > -+ This program is distributed in the hope that it will be useful,
> > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > -+ GNU General Public License for more details.
> > -+
> > -+ You should have received a copy of the GNU General Public License
> > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > -+*/
> > -+
> > -+#ifndef NETLOGON_CREDS_CLI_H
> > -+#define NETLOGON_CREDS_CLI_H
> > -+
> > -+#include "librpc/gen_ndr/dcerpc.h"
> > -+#include "librpc/gen_ndr/schannel.h"
> > -+
> > -+struct netlogon_creds_cli_context;
> > -+struct messaging_context;
> > -+struct dcerpc_binding_handle;
> > -+
> > -+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
> > -+
> > -+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > -+ struct messaging_context *msg_ctx,
> > -+ const char *client_account,
> > -+ enum netr_SchannelType type,
> > -+ const char *server_computer,
> > -+ const char *server_netbios_domain,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_cli_context **_context);
> > -+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
> > -+ const char *client_account,
> > -+ enum netr_SchannelType type,
> > -+ enum dcerpc_AuthLevel auth_level,
> > -+ uint32_t proposed_flags,
> > -+ uint32_t required_flags,
> > -+ const char *server_computer,
> > -+ const char *server_netbios_domain,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_cli_context **_context);
> > -+NTSTATUS netlogon_creds_cli_context_copy(
> > -+ const struct netlogon_creds_cli_context *src,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_cli_context **_dst);
> > -+
> > -+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
> > -+ struct netlogon_creds_cli_context *context);
> > -+
> > -+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_CredentialState **_creds);
> > -+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
> > -+ const struct netlogon_creds_CredentialState *creds1);
> > -+
> > -+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
> > -+ struct netlogon_creds_CredentialState **_creds);
> > -+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
> > -+ struct netlogon_creds_CredentialState **_creds);
> > -+
> > -+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ struct netlogon_creds_cli_context *context);
> > -+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_CredentialState **creds);
> > -+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_CredentialState **creds);
> > -+
> > -+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b,
> > -+ struct samr_Password current_nt_hash,
> > -+ const struct samr_Password *previous_nt_hash);
> > -+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req);
> > -+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b,
> > -+ struct samr_Password current_nt_hash,
> > -+ const struct samr_Password *previous_nt_hash);
> > -+
> > -+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b);
> > -+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req);
> > -+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b);
> > -+
> > -+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b,
> > -+ const char *new_password,
> > -+ const uint32_t *new_version);
> > -+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req);
> > -+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
> > -+ struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b,
> > -+ const char *new_password,
> > -+ const uint32_t *new_version);
> > -+
> > -+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
> > -+ struct tevent_context *ev,
> > -+ struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b,
> > -+ enum netr_LogonInfoClass logon_level,
> > -+ const union netr_LogonLevel *logon,
> > -+ uint32_t flags);
> > -+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ uint16_t *validation_level,
> > -+ union netr_Validation **validation,
> > -+ uint8_t *authoritative,
> > -+ uint32_t *flags);
> > -+NTSTATUS netlogon_creds_cli_LogonSamLogon(
> > -+ struct netlogon_creds_cli_context *context,
> > -+ struct dcerpc_binding_handle *b,
> > -+ enum netr_LogonInfoClass logon_level,
> > -+ const union netr_LogonLevel *logon,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ uint16_t *validation_level,
> > -+ union netr_Validation **validation,
> > -+ uint8_t *authoritative,
> > -+ uint32_t *flags);
> > -+
> > -+#endif /* NETLOGON_CREDS_CLI_H */
> > -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
> > -index ca2be2d..51eb293 100755
> > ---- a/libcli/auth/wscript_build
> > -+++ b/libcli/auth/wscript_build
> > -@@ -28,6 +28,10 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
> > - deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
> > - )
> > -
> > -+bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI',
> > -+ source='netlogon_creds_cli.c',
> > -+ deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON NDR_NETLOGON'
> > -+ )
> > -
> > - bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
> > - source='pam_errors.c',
> > ---
> > -1.9.3
> > -
> > -
> > -From e4a4e18ea7f9a9742de16e477917da6ae11ac42e Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 13 Dec 2013 17:31:45 +0100
> > -Subject: [PATCH 163/249] libcli/auth: use unique key_name values in
> > - netlogon_creds_cli_context_common()
> > -
> > -Until all callers are fixed to pass the same 'server_computer'
> > -value, we try to calculate a server_netbios_name and use this
> > -as unique identifier for a specific domain controller.
> > -
> > -Otherwise winbind would use 'hostname.example.com'
> > -while 'net rpc testjoin' would use 'HOSTNAME',
> > -which leads to 2 records in netlogon_creds_cli.tdb
> > -for the same domain controller.
> > -
> > -Once all callers are fixed we can think about reverting this
> > -commit.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit dc96b1ddccfe8eb1a631355f9471ee0b620d682c)
> > ----
> > - libcli/auth/netlogon_creds_cli.c | 58 +++++++++++++++++++++++++++++++++-------
> > - 1 file changed, 48 insertions(+), 10 deletions(-)
> > -
> > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > -index 75d6b2c..a872b31 100644
> > ---- a/libcli/auth/netlogon_creds_cli.c
> > -+++ b/libcli/auth/netlogon_creds_cli.c
> > -@@ -106,23 +106,30 @@ static NTSTATUS netlogon_creds_cli_context_common(
> > - struct netlogon_creds_cli_context **_context)
> > - {
> > - struct netlogon_creds_cli_context *context = NULL;
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ char *_key_name = NULL;
> > -+ char *server_netbios_name = NULL;
> > -+ char *p = NULL;
> > -
> > - *_context = NULL;
> > -
> > - context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
> > - if (context == NULL) {
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > - context->client.computer = talloc_strdup(context, client_computer);
> > - if (context->client.computer == NULL) {
> > -- talloc_free(context);
> > -+ TALLOC_FREE(context);
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > - context->client.account = talloc_strdup(context, client_account);
> > - if (context->client.account == NULL) {
> > -- talloc_free(context);
> > -+ TALLOC_FREE(context);
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -@@ -133,29 +140,60 @@ static NTSTATUS netlogon_creds_cli_context_common(
> > -
> > - context->server.computer = talloc_strdup(context, server_computer);
> > - if (context->server.computer == NULL) {
> > -- talloc_free(context);
> > -+ TALLOC_FREE(context);
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > - context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
> > - if (context->server.netbios_domain == NULL) {
> > -- talloc_free(context);
> > -+ TALLOC_FREE(context);
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
> > -- client_computer,
> > -- client_account,
> > -- server_computer,
> > -- server_netbios_domain);
> > -+ /*
> > -+ * TODO:
> > -+ * Force the callers to provide a unique
> > -+ * value for server_computer and use this directly.
> > -+ *
> > -+ * For now we have to deal with
> > -+ * "HOSTNAME" vs. "hostname.example.com".
> > -+ */
> > -+ server_netbios_name = talloc_strdup(frame, server_computer);
> > -+ if (server_netbios_name == NULL) {
> > -+ TALLOC_FREE(context);
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ p = strchr(server_netbios_name, '.');
> > -+ if (p != NULL) {
> > -+ p[0] = '\0';
> > -+ }
> > -+
> > -+ _key_name = talloc_asprintf(frame, "CLI[%s/%s]/SRV[%s/%s]",
> > -+ client_computer,
> > -+ client_account,
> > -+ server_netbios_name,
> > -+ server_netbios_domain);
> > -+ if (_key_name == NULL) {
> > -+ TALLOC_FREE(context);
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ context->db.key_name = talloc_strdup_upper(context, _key_name);
> > - if (context->db.key_name == NULL) {
> > -- talloc_free(context);
> > -+ TALLOC_FREE(context);
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > - context->db.key_data = string_term_tdb_data(context->db.key_name);
> > -
> > - *_context = context;
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_OK;
> > - }
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 29bc7cb7a1c0ef62c923ce859cdd07de2846c5f5 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 17 Oct 2013 19:01:28 +0200
> > -Subject: [PATCH 164/249] s3:param: set Globals.bWinbindSealedPipes = true
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 99d8653d83aa2e2e3a0ea097ab7cb65d62d76daf)
> > ----
> > - source3/param/loadparm.c | 1 +
> > - 1 file changed, 1 insertion(+)
> > -
> > -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> > -index 40f3242..7d95256 100644
> > ---- a/source3/param/loadparm.c
> > -+++ b/source3/param/loadparm.c
> > -@@ -834,6 +834,7 @@ static void init_globals(bool reinit_globals)
> > - Globals.security = SEC_USER;
> > - Globals.bEncryptPasswords = true;
> > - Globals.clientSchannel = Auto;
> > -+ Globals.bWinbindSealedPipes = true;
> > - Globals.serverSchannel = Auto;
> > - Globals.bReadRaw = true;
> > - Globals.bWriteRaw = true;
> > ---
> > -1.9.3
> > -
> > -
> > -From 21b9d9847ba236d78156de07dd24032e64f2124d Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 17 Oct 2013 18:39:56 +0200
> > -Subject: [PATCH 165/249] lib/param: add "neutralize nt4 emulation" option,
> > - defaulting to false
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit b39ca3a2aefdd43a55b9cdd8fa5136254b283927)
> > ----
> > - .../smbdotconf/winbind/netutralizent4emulation.xml | 19 +++++++++++++++++++
> > - lib/param/param_functions.c | 1 +
> > - lib/param/param_table.c | 9 +++++++++
> > - 3 files changed, 29 insertions(+)
> > - create mode 100644 docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
> > -
> > -diff --git a/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
> > -new file mode 100644
> > -index 0000000..8294a90
> > ---- /dev/null
> > -+++ b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
> > -@@ -0,0 +1,19 @@
> > -+<samba:parameter name="neutralize nt4 emulation"
> > -+ context="G"
> > -+ type="boolean"
> > -+ advanced="1" developer="1"
> > -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > -+<description>
> > -+ <para>This option controls whether winbindd sends
> > -+ the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass
> > -+ the NT4 emulation of a domain controller.</para>
> > -+
> > -+ <para>Typically you should not need set this.
> > -+ It can be useful for upgrades from NT4 to AD domains.</para>
> > -+
> > -+ <para>The behavior can be controlled per netbios domain
> > -+ by using 'neutralize nt4 emulation:NETBIOSDOMAIN = yes' as option.</para>
> > -+</description>
> > -+
> > -+<value type="default">no</value>
> > -+</samba:parameter>
> > -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> > -index 60f9c07..aef091b 100644
> > ---- a/lib/param/param_functions.c
> > -+++ b/lib/param/param_functions.c
> > -@@ -192,6 +192,7 @@ FN_GLOBAL_BOOL(log_writeable_files_on_exit, bLogWriteableFilesOnExit)
> > - FN_GLOBAL_BOOL(map_untrusted_to_domain, bMapUntrustedToDomain)
> > - FN_GLOBAL_BOOL(ms_add_printer_wizard, bMsAddPrinterWizard)
> > - FN_GLOBAL_BOOL(multicast_dns_register, bMulticastDnsRegister)
> > -+FN_GLOBAL_BOOL(neutralize_nt4_emulation, bNeutralizeNT4Emulation)
> > - FN_GLOBAL_BOOL(nis_home_map, bNISHomeMap)
> > - FN_GLOBAL_BOOL(nmbd_bind_explicit_broadcast, bNmbdBindExplicitBroadcast)
> > - FN_GLOBAL_BOOL(ntlm_auth, bNTLMAuth)
> > -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> > -index 8e3f952..edf6829 100644
> > ---- a/lib/param/param_table.c
> > -+++ b/lib/param/param_table.c
> > -@@ -4188,6 +4188,15 @@ static struct parm_struct parm_table[] = {
> > - .enum_list = NULL,
> > - .flags = FLAG_ADVANCED,
> > - },
> > -+ {
> > -+ .label = "neutralize nt4 emulation",
> > -+ .type = P_BOOL,
> > -+ .p_class = P_GLOBAL,
> > -+ .offset = GLOBAL_VAR(bNeutralizeNT4Emulation),
> > -+ .special = NULL,
> > -+ .enum_list = NULL,
> > -+ .flags = FLAG_ADVANCED,
> > -+ },
> > -
> > - {N_("DNS options"), P_SEP, P_SEPARATOR},
> > - {
> > ---
> > -1.9.3
> > -
> > -
> > -From d1cfe2d0f3f72e8b7700eee01e47b0bb9d3b9ca3 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 17 Oct 2013 18:39:56 +0200
> > -Subject: [PATCH 166/249] lib/param: add "reject md5 servers" option,
> > - defaulting to false
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit de4f8f0825790452455a9d51e9d84d4d4a5c0d3b)
> > ----
> > - docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 23 +++++++++++++++++++++++
> > - lib/param/param_functions.c | 1 +
> > - lib/param/param_table.c | 9 +++++++++
> > - 3 files changed, 33 insertions(+)
> > - create mode 100644 docs-xml/smbdotconf/winbind/rejectmd5servers.xml
> > -
> > -diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
> > -new file mode 100644
> > -index 0000000..18f8bcb
> > ---- /dev/null
> > -+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
> > -@@ -0,0 +1,23 @@
> > -+<samba:parameter name="reject md5 servers"
> > -+ context="G"
> > -+ type="boolean"
> > -+ advanced="1"
> > -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > -+<description>
> > -+ <para>This option controls whether winbindd requires support
> > -+ for aes support for the netlogon secure channel.</para>
> > -+
> > -+ <para>The following flags will be required NETLOGON_NEG_ARCFOUR,
> > -+ NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
> > -+
> > -+ <para>You can set this to yes if all domain controllers support aes.
> > -+ This will prevent downgrade attacks.</para>
> > -+
> > -+ <para>The behavior can be controlled per netbios domain
> > -+ by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
> > -+
> > -+ <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
> > -+</description>
> > -+
> > -+<value type="default">no</value>
> > -+</samba:parameter>
> > -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> > -index aef091b..ecd7f8e 100644
> > ---- a/lib/param/param_functions.c
> > -+++ b/lib/param/param_functions.c
> > -@@ -204,6 +204,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
> > - FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
> > - FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
> > - FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
> > -+FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
> > - FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
> > - FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
> > - FN_GLOBAL_BOOL(stat_cache, bStatCache)
> > -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> > -index edf6829..b53f850 100644
> > ---- a/lib/param/param_table.c
> > -+++ b/lib/param/param_table.c
> > -@@ -4197,6 +4197,15 @@ static struct parm_struct parm_table[] = {
> > - .enum_list = NULL,
> > - .flags = FLAG_ADVANCED,
> > - },
> > -+ {
> > -+ .label = "reject md5 servers",
> > -+ .type = P_BOOL,
> > -+ .p_class = P_GLOBAL,
> > -+ .offset = GLOBAL_VAR(bRejectMD5Servers),
> > -+ .special = NULL,
> > -+ .enum_list = NULL,
> > -+ .flags = FLAG_ADVANCED,
> > -+ },
> > -
> > - {N_("DNS options"), P_SEP, P_SEPARATOR},
> > - {
> > ---
> > -1.9.3
> > -
> > -
> > -From 2545090f09da279655510f87d02c631c74409eb1 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 17 Oct 2013 18:39:56 +0200
> > -Subject: [PATCH 167/249] lib/param: add "require strong key" option,
> > - defaulting to true
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 6630c68cce8fbbd700e7d4cd92ec3ebb2a268f06)
> > ----
> > - docs-xml/smbdotconf/winbind/requirestrongkey.xml | 27 ++++++++++++++++++++++++
> > - lib/param/loadparm.c | 1 +
> > - lib/param/param_functions.c | 1 +
> > - lib/param/param_table.c | 9 ++++++++
> > - 4 files changed, 38 insertions(+)
> > - create mode 100644 docs-xml/smbdotconf/winbind/requirestrongkey.xml
> > -
> > -diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
> > -new file mode 100644
> > -index 0000000..de749bb
> > ---- /dev/null
> > -+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
> > -@@ -0,0 +1,27 @@
> > -+<samba:parameter name="require strong key"
> > -+ context="G"
> > -+ type="boolean"
> > -+ advanced="1"
> > -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > -+<description>
> > -+ <para>This option controls whether winbindd requires support
> > -+ for md5 strong key support for the netlogon secure channel.</para>
> > -+
> > -+ <para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
> > -+ NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
> > -+
> > -+ <para>You can set this to no if some domain controllers only support des.
> > -+ This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
> > -+
> > -+ <para>The behavior can be controlled per netbios domain
> > -+ by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
> > -+
> > -+ <para>Note for active directory domain this option is hardcoded to 'yes'</para>
> > -+
> > -+ <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
> > -+
> > -+ <para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
> > -+</description>
> > -+
> > -+<value type="default">yes</value>
> > -+</samba:parameter>
> > -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
> > -index 23b45e2..a84a166 100644
> > ---- a/lib/param/loadparm.c
> > -+++ b/lib/param/loadparm.c
> > -@@ -2183,6 +2183,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
> > -
> > - lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
> > - lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
> > -+ lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
> > - lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
> > - lpcfg_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
> > - lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
> > -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> > -index ecd7f8e..41b137f 100644
> > ---- a/lib/param/param_functions.c
> > -+++ b/lib/param/param_functions.c
> > -@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
> > - FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
> > - FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
> > - FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
> > -+FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
> > - FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
> > - FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
> > - FN_GLOBAL_BOOL(stat_cache, bStatCache)
> > -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> > -index b53f850..36e8554 100644
> > ---- a/lib/param/param_table.c
> > -+++ b/lib/param/param_table.c
> > -@@ -4206,6 +4206,15 @@ static struct parm_struct parm_table[] = {
> > - .enum_list = NULL,
> > - .flags = FLAG_ADVANCED,
> > - },
> > -+ {
> > -+ .label = "require strong key",
> > -+ .type = P_BOOL,
> > -+ .p_class = P_GLOBAL,
> > -+ .offset = GLOBAL_VAR(bRequireStrongKey),
> > -+ .special = NULL,
> > -+ .enum_list = NULL,
> > -+ .flags = FLAG_ADVANCED,
> > -+ },
> > -
> > - {N_("DNS options"), P_SEP, P_SEPARATOR},
> > - {
> > ---
> > -1.9.3
> > -
> > -
> > -From 4e604cc566b2854045c5b794a846c1ab1ef4a35f Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 17 Oct 2013 19:01:47 +0200
> > -Subject: [PATCH 168/249] s3:param: set Globals.bRequireStrongKey = true
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit e7954bcc04ec6761b2ed6dad08b90c65efafa948)
> > ----
> > - source3/param/loadparm.c | 1 +
> > - 1 file changed, 1 insertion(+)
> > -
> > -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> > -index 7d95256..ed46e53 100644
> > ---- a/source3/param/loadparm.c
> > -+++ b/source3/param/loadparm.c
> > -@@ -835,6 +835,7 @@ static void init_globals(bool reinit_globals)
> > - Globals.bEncryptPasswords = true;
> > - Globals.clientSchannel = Auto;
> > - Globals.bWinbindSealedPipes = true;
> > -+ Globals.bRequireStrongKey = true;
> > - Globals.serverSchannel = Auto;
> > - Globals.bReadRaw = true;
> > - Globals.bWriteRaw = true;
> > ---
> > -1.9.3
> > -
> > -
> > -From 382f69a0f3762947a3e8cc02e8e9817533073195 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 17 Oct 2013 18:48:15 +0200
> > -Subject: [PATCH 169/249] libcli/auth: make use of real options in
> > - netlogon_creds_cli_context_global()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit fa3af7c2e8f1bf292e190ba3d933b6e1d552595d)
> > ----
> > - libcli/auth/netlogon_creds_cli.c | 18 +++---------------
> > - 1 file changed, 3 insertions(+), 15 deletions(-)
> > -
> > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > -index a872b31..6590b21 100644
> > ---- a/libcli/auth/netlogon_creds_cli.c
> > -+++ b/libcli/auth/netlogon_creds_cli.c
> > -@@ -279,11 +279,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > - * allow overwrite per domain
> > - * reject md5 servers:<netbios_domain>
> > - */
> > -- //TODO: add lpcfp_reject_md5_servers()
> > -- reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
> > -- "__default__",
> > -- "reject md5 servers",
> > -- reject_md5_servers);
> > -+ reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
> > - reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
> > - "reject md5 servers",
> > - server_netbios_domain,
> > -@@ -293,11 +289,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > - * allow overwrite per domain
> > - * require strong key:<netbios_domain>
> > - */
> > -- //TODO: add lpcfp_require_strong_key()
> > -- require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
> > -- "__default__",
> > -- "require strong key",
> > -- require_strong_key);
> > -+ require_strong_key = lpcfg_require_strong_key(lp_ctx);
> > - require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
> > - "require strong key",
> > - server_netbios_domain,
> > -@@ -327,11 +319,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > - * allow overwrite per domain
> > - * neutralize nt4 emulation:<netbios_domain>
> > - */
> > -- //TODO: add lpcfp_neutralize_nt4_emulation()
> > -- neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
> > -- "__default__",
> > -- "neutralize nt4 emulation",
> > -- neutralize_nt4_emulation);
> > -+ neutralize_nt4_emulation = lpcfg_neutralize_nt4_emulation(lp_ctx);
> > - neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
> > - "neutralize nt4 emulation",
> > - server_netbios_domain,
> > ---
> > -1.9.3
> > -
> > -
> > -From 79e8c0c97591ed8bc129561e44b0d94757fcc4e1 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 23 Dec 2013 10:45:27 +0100
> > -Subject: [PATCH 170/249] docs-xml: explain the interaction between security =
> > - ads and other options.
> > -
> > -It implies 'require strong key = yes' and 'client schannel = yes'.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit f703a37a56e215827dbb2a7ec8da6738bf17f600)
> > ----
> > - docs-xml/smbdotconf/security/security.xml | 5 ++++-
> > - 1 file changed, 4 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
> > -index 406089f..2f5c3f7 100644
> > ---- a/docs-xml/smbdotconf/security/security.xml
> > -+++ b/docs-xml/smbdotconf/security/security.xml
> > -@@ -99,7 +99,10 @@
> > -
> > - <para>Note that this mode does NOT make Samba operate as a Active Directory Domain
> > - Controller. </para>
> > --
> > -+
> > -+ <para>Note that this forces <smbconfoption name="require strong key">yes</smbconfoption>
> > -+ and <smbconfoption name="client schannel">yes</smbconfoption> for the primary domain.</para>
> > -+
> > - <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
> > - </description>
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 27ea332df51e3cd8ed9601633282b688e6f288a7 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 23 Dec 2013 10:46:57 +0100
> > -Subject: [PATCH 171/249] docs-xml: explain the interaction of 'client
> > - schannel' with 'require strong key = yes'
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 1d69fdddd5287757c2e67b0982d00241a6d75d26)
> > ----
> > - docs-xml/smbdotconf/security/clientschannel.xml | 5 +++++
> > - 1 file changed, 5 insertions(+)
> > -
> > -diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
> > -index e229182..ac4cc59 100644
> > ---- a/docs-xml/smbdotconf/security/clientschannel.xml
> > -+++ b/docs-xml/smbdotconf/security/clientschannel.xml
> > -@@ -12,6 +12,11 @@
> > - enforce it, and <smbconfoption name="client schannel">yes</smbconfoption> denies access
> > - if the server is not able to speak netlogon schannel.
> > - </para>
> > -+
> > -+ <para>Note that for active directory domains this is hardcoded to
> > -+ <smbconfoption name="client schannel">yes</smbconfoption>.</para>
> > -+
> > -+ <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
> > - </description>
> > - <value type="default">auto</value>
> > - <value type="example">yes</value>
> > ---
> > -1.9.3
> > -
> > -
> > -From 4853daeffb1916db3b92dc6ba9e5776652ec5f4e Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 17 Oct 2013 19:31:58 +0200
> > -Subject: [PATCH 172/249] s3:winbindd: make use of the "winbind sealed pipes"
> > - option for all connections
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 225982e1cb6276ed5c6a47c0e4827d75e8ab2fb1)
> > ----
> > - source3/winbindd/winbindd.h | 3 +++
> > - source3/winbindd/winbindd_cm.c | 20 +++++++++++++++++---
> > - 2 files changed, 20 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
> > -index 72eb3ec..afde685 100644
> > ---- a/source3/winbindd/winbindd.h
> > -+++ b/source3/winbindd/winbindd.h
> > -@@ -25,6 +25,7 @@
> > -
> > - #include "nsswitch/winbind_struct_protocol.h"
> > - #include "nsswitch/libwbclient/wbclient.h"
> > -+#include "librpc/gen_ndr/dcerpc.h"
> > - #include "librpc/gen_ndr/wbint.h"
> > -
> > - #include "talloc_dict.h"
> > -@@ -105,6 +106,8 @@ struct getpwent_user {
> > - struct winbindd_cm_conn {
> > - struct cli_state *cli;
> > -
> > -+ enum dcerpc_AuthLevel auth_level;
> > -+
> > - struct rpc_pipe_client *samr_pipe;
> > - struct policy_handle sam_connect_handle, sam_domain_handle;
> > -
> > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > -index c4f59d3..6c1244e 100644
> > ---- a/source3/winbindd/winbindd_cm.c
> > -+++ b/source3/winbindd/winbindd_cm.c
> > -@@ -1722,6 +1722,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
> > - }
> > -
> > - if (NT_STATUS_IS_OK(result)) {
> > -+ bool seal_pipes = true;
> > -
> > - winbindd_set_locator_kdc_envs(domain);
> > -
> > -@@ -1741,6 +1742,17 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
> > - */
> > - store_current_dc_in_gencache(domain->name, domain->dcname,
> > - new_conn->cli);
> > -+
> > -+ seal_pipes = lp_winbind_sealed_pipes();
> > -+ seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
> > -+ domain->name,
> > -+ seal_pipes);
> > -+
> > -+ if (seal_pipes) {
> > -+ new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
> > -+ } else {
> > -+ new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
> > -+ }
> > - } else {
> > - /* Ensure we setup the retry handler. */
> > - set_domain_offline(domain);
> > -@@ -1813,6 +1825,8 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
> > - }
> > - }
> > -
> > -+ conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
> > -+
> > - if (conn->cli) {
> > - cli_shutdown(conn->cli);
> > - }
> > -@@ -2363,7 +2377,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - &ndr_table_samr,
> > - NCACN_NP,
> > - GENSEC_OID_NTLMSSP,
> > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > -+ conn->auth_level,
> > - smbXcli_conn_remote_name(conn->cli->conn),
> > - domain_name,
> > - machine_account,
> > -@@ -2534,7 +2548,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> > -
> > - if (conn->lsa_pipe_tcp &&
> > - conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
> > -- conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
> > -+ conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
> > - rpccli_is_connected(conn->lsa_pipe_tcp)) {
> > - goto done;
> > - }
> > -@@ -2602,7 +2616,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - result = cli_rpc_pipe_open_spnego
> > - (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> > - GENSEC_OID_NTLMSSP,
> > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > -+ conn->auth_level,
> > - smbXcli_conn_remote_name(conn->cli->conn),
> > - conn->cli->domain, conn->cli->user_name, conn->cli->password,
> > - &conn->lsa_pipe);
> > ---
> > -1.9.3
> > -
> > -
> > -From c2116e6a1ee32ff36942091287e90b08d1ecf6d1 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 14 Nov 2013 18:53:06 +0100
> > -Subject: [PATCH 173/249] docs-xml: update 'winbind sealed pipes' description
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 11aed7cd3dbd967593b34a206f0802fd0002bf27)
> > ----
> > - docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 6 +++---
> > - 1 file changed, 3 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
> > -index 26f446e..63f5588 100644
> > ---- a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
> > -+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
> > -@@ -4,12 +4,12 @@
> > - advanced="1" developer="1"
> > - xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > - <description>
> > -- <para>This option controls whether any requests made over the Samba 4 winbind
> > -+ <para>This option controls whether any requests from winbindd to domain controllers
> > - pipe will be sealed. Disabling sealing can be useful for debugging
> > - purposes.</para>
> > -
> > -- <para>Note that this option only applies to the Samba 4 winbind and not
> > -- to the standard winbind.</para>
> > -+ <para>The behavior can be controlled per netbios domain
> > -+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
> > - </description>
> > -
> > - <value type="default">yes</value>
> > ---
> > -1.9.3
> > -
> > -
> > -From ea14b4a713a85a2d87cba6ad88127020e1d5e813 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 27 Jul 2013 11:30:13 +0200
> > -Subject: [PATCH 174/249] s3:rpc_client: make use of the new
> > - netlogon_creds_cli_context
> > -
> > -This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
> > -and lets the secure channel session state be stored in node local database.
> > -
> > -This is the proper fix for a large number of bugs:
> > -https://bugzilla.samba.org/show_bug.cgi?id=6563
> > -https://bugzilla.samba.org/show_bug.cgi?id=7944
> > -https://bugzilla.samba.org/show_bug.cgi?id=7945
> > -https://bugzilla.samba.org/show_bug.cgi?id=7568
> > -https://bugzilla.samba.org/show_bug.cgi?id=8599
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 38d4dba37406515181e4d6f1a1faffc18e652e27)
> > ----
> > - source3/libnet/libnet_join.c | 3 +-
> > - source3/libnet/libnet_samsync.c | 19 +-
> > - source3/rpc_client/cli_netlogon.c | 436 ++++++++-------------------------
> > - source3/rpc_client/cli_pipe.c | 139 +++--------
> > - source3/rpc_client/cli_pipe.h | 2 +-
> > - source3/rpc_client/cli_pipe_schannel.c | 3 +-
> > - source3/rpc_client/rpc_client.h | 2 +-
> > - source3/rpcclient/cmd_netlogon.c | 57 ++++-
> > - source3/winbindd/winbindd.h | 9 -
> > - source3/winbindd/winbindd_cm.c | 36 +--
> > - source3/winbindd/winbindd_pam.c | 136 ++--------
> > - source3/wscript_build | 6 +-
> > - 12 files changed, 250 insertions(+), 598 deletions(-)
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index c1eccda..5dc620f 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -1279,7 +1279,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > - status = cli_rpc_pipe_open_schannel_with_key(
> > - cli, &ndr_table_netlogon, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY,
> > -- netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
> > -+ netbios_domain_name,
> > -+ netlogon_pipe->netlogon_creds, &pipe_hnd);
> > -
> > - cli_shutdown(cli);
> > -
> > -diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
> > -index a103785..02d3fc6 100644
> > ---- a/source3/libnet/libnet_samsync.c
> > -+++ b/source3/libnet/libnet_samsync.c
> > -@@ -30,6 +30,7 @@
> > - #include "../librpc/gen_ndr/ndr_netlogon_c.h"
> > - #include "../libcli/security/security.h"
> > - #include "messages.h"
> > -+#include "../libcli/auth/netlogon_creds_cli.h"
> > -
> > - /**
> > - * Fix up the delta, dealing with encryption issues so that the final
> > -@@ -213,8 +214,15 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
> > -
> > - do {
> > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > -
> > -- netlogon_creds_client_authenticator(ctx->cli->dc, &credential);
> > -+ status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
> > -+ mem_ctx, &creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ netlogon_creds_client_authenticator(creds, &credential);
> > -
> > - if (ctx->single_object_replication &&
> > - !ctx->force_full_replication) {
> > -@@ -254,28 +262,33 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
> > - }
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(creds);
> > - return status;
> > - }
> > -
> > - /* Check returned credentials. */
> > -- if (!netlogon_creds_client_check(ctx->cli->dc,
> > -+ if (!netlogon_creds_client_check(creds,
> > - &return_authenticator.cred)) {
> > -+ TALLOC_FREE(creds);
> > - DEBUG(0,("credentials chain check failed\n"));
> > - return NT_STATUS_ACCESS_DENIED;
> > - }
> > -
> > - if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
> > -+ TALLOC_FREE(creds);
> > - return result;
> > - }
> > -
> > - if (NT_STATUS_IS_ERR(result)) {
> > -+ TALLOC_FREE(creds);
> > - break;
> > - }
> > -
> > - samsync_fix_delta_array(mem_ctx,
> > -- ctx->cli->dc,
> > -+ creds,
> > - database_id,
> > - delta_enum_array);
> > -+ TALLOC_FREE(creds);
> > -
> > - /* Process results */
> > - callback_status = ctx->ops->process_objects(mem_ctx, database_id,
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index 5e8a2fc..fcd24d6 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -23,11 +23,13 @@
> > - #include "includes.h"
> > - #include "rpc_client/rpc_client.h"
> > - #include "../libcli/auth/libcli_auth.h"
> > -+#include "../libcli/auth/netlogon_creds_cli.h"
> > - #include "../librpc/gen_ndr/ndr_netlogon_c.h"
> > - #include "rpc_client/cli_netlogon.h"
> > - #include "rpc_client/init_netlogon.h"
> > - #include "rpc_client/util_netlogon.h"
> > - #include "../libcli/security/security.h"
> > -+#include "lib/param/param.h"
> > -
> > - /****************************************************************************
> > - Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
> > -@@ -44,113 +46,81 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > - enum netr_SchannelType sec_chan_type,
> > - uint32_t *neg_flags_inout)
> > - {
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct loadparm_context *lp_ctx;
> > - NTSTATUS status;
> > -- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > -- struct netr_Credential clnt_chal_send;
> > -- struct netr_Credential srv_chal_recv;
> > - struct samr_Password password;
> > -- bool retried = false;
> > - fstring mach_acct;
> > -- uint32_t neg_flags = *neg_flags_inout;
> > - struct dcerpc_binding_handle *b = cli->binding_handle;
> > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > -
> > - if (!ndr_syntax_id_equal(&cli->abstract_syntax,
> > - &ndr_table_netlogon.syntax_id)) {
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_INVALID_PARAMETER;
> > - }
> > -
> > -- TALLOC_FREE(cli->dc);
> > --
> > -- /* Store the machine account password we're going to use. */
> > -- memcpy(password.hash, machine_pwd, 16);
> > --
> > -- fstr_sprintf( mach_acct, "%s$", machine_account);
> > --
> > -- again:
> > -- /* Create the client challenge. */
> > -- generate_random_buffer(clnt_chal_send.data, 8);
> > --
> > -- /* Get the server challenge. */
> > -- status = dcerpc_netr_ServerReqChallenge(b, talloc_tos(),
> > -- cli->srv_name_slash,
> > -- clnt_name,
> > -- &clnt_chal_send,
> > -- &srv_chal_recv,
> > -- &result);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > -- if (!NT_STATUS_IS_OK(result)) {
> > -- return result;
> > -+ if (!strequal(lp_netbios_name(), clnt_name)) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_INVALID_PARAMETER;
> > - }
> > -
> > -- /* Calculate the session key and client credentials */
> > -+ TALLOC_FREE(cli->netlogon_creds);
> > -
> > -- cli->dc = netlogon_creds_client_init(cli,
> > -- mach_acct,
> > -- clnt_name,
> > -- sec_chan_type,
> > -- &clnt_chal_send,
> > -- &srv_chal_recv,
> > -- &password,
> > -- &clnt_chal_send,
> > -- neg_flags);
> > -+ fstr_sprintf( mach_acct, "%s$", machine_account);
> > -
> > -- if (!cli->dc) {
> > -+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> > -+ if (lp_ctx == NULL) {
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > --
> > -- /*
> > -- * Send client auth-2 challenge and receive server repy.
> > -- */
> > --
> > -- status = dcerpc_netr_ServerAuthenticate2(b, talloc_tos(),
> > -- cli->srv_name_slash,
> > -- cli->dc->account_name,
> > -- sec_chan_type,
> > -- cli->dc->computer_name,
> > -- &clnt_chal_send, /* input. */
> > -- &srv_chal_recv, /* output. */
> > -- &neg_flags,
> > -- &result);
> > -+ status = netlogon_creds_cli_context_global(lp_ctx,
> > -+ NULL, /* msg_ctx */
> > -+ mach_acct,
> > -+ sec_chan_type,
> > -+ server_name,
> > -+ domain,
> > -+ cli, &cli->netlogon_creds);
> > -+ talloc_unlink(frame, lp_ctx);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > - return status;
> > - }
> > -- /* we might be talking to NT4, so let's downgrade in that case and retry
> > -- * with the returned neg_flags - gd */
> > -
> > -- if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) {
> > -- retried = true;
> > -- TALLOC_FREE(cli->dc);
> > -- goto again;
> > -+ status = netlogon_creds_cli_get(cli->netlogon_creds,
> > -+ frame, &creds);
> > -+ if (NT_STATUS_IS_OK(status)) {
> > -+ DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
> > -+ "cached credential\n",
> > -+ cli->desthost));
> > -+ *neg_flags_inout = creds->negotiate_flags;
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_OK;
> > - }
> > -
> > -- if (!NT_STATUS_IS_OK(result)) {
> > -- return result;
> > -- }
> > --
> > -- /*
> > -- * Check the returned value using the initial
> > -- * server received challenge.
> > -- */
> > --
> > -- if (!netlogon_creds_client_check(cli->dc, &srv_chal_recv)) {
> > -- /*
> > -- * Server replied with bad credential. Fail.
> > -- */
> > -- DEBUG(0,("rpccli_netlogon_setup_creds: server %s "
> > -- "replied with bad credential\n",
> > -- cli->desthost ));
> > -- return NT_STATUS_ACCESS_DENIED;
> > -- }
> > -+ /* Store the machine account password we're going to use. */
> > -+ memcpy(password.hash, machine_pwd, 16);
> > -
> > - DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
> > - "chain established.\n",
> > - cli->desthost ));
> > -
> > -- cli->dc->negotiate_flags = neg_flags;
> > -- *neg_flags_inout = neg_flags;
> > -+ status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
> > -+ password, NULL);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_get(cli->netlogon_creds,
> > -+ frame, &creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_INTERNAL_ERROR;
> > -+ }
> > -
> > -+ *neg_flags_inout = creds->negotiate_flags;
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_OK;
> > - }
> > -
> > -@@ -163,20 +133,16 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > - const char *username,
> > - const char *password,
> > - const char *workstation,
> > -- uint16_t validation_level,
> > -+ uint16_t _ignored_validation_level,
> > - int logon_type)
> > - {
> > -- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > - NTSTATUS status;
> > -- struct netr_Authenticator clnt_creds;
> > -- struct netr_Authenticator ret_creds;
> > - union netr_LogonLevel *logon;
> > -- union netr_Validation validation;
> > -- uint8_t authoritative;
> > -+ uint16_t validation_level = 0;
> > -+ union netr_Validation *validation = NULL;
> > -+ uint8_t authoritative = 0;
> > -+ uint32_t flags = 0;
> > - fstring clnt_name_slash;
> > -- struct dcerpc_binding_handle *b = cli->binding_handle;
> > --
> > -- ZERO_STRUCT(ret_creds);
> > -
> > - logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> > - if (!logon) {
> > -@@ -191,8 +157,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > -
> > - /* Initialise input parameters */
> > -
> > -- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
> > --
> > - switch (logon_type) {
> > - case NetlogonInteractiveInformation: {
> > -
> > -@@ -208,17 +172,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > -
> > - nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
> > -
> > -- if (cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- netlogon_creds_aes_encrypt(cli->dc, lmpassword.hash, 16);
> > -- netlogon_creds_aes_encrypt(cli->dc, ntpassword.hash, 16);
> > -- } else if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> > -- netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16);
> > -- netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16);
> > -- } else {
> > -- netlogon_creds_des_encrypt(cli->dc, &lmpassword);
> > -- netlogon_creds_des_encrypt(cli->dc, &ntpassword);
> > -- }
> > --
> > - password_info->identity_info.domain_name.string = domain;
> > - password_info->identity_info.parameter_control = logon_parameters;
> > - password_info->identity_info.logon_id_low = 0xdead;
> > -@@ -281,28 +234,20 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > - return NT_STATUS_INVALID_INFO_CLASS;
> > - }
> > -
> > -- status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
> > -- cli->srv_name_slash,
> > -- lp_netbios_name(),
> > -- &clnt_creds,
> > -- &ret_creds,
> > -- logon_type,
> > -- logon,
> > -- validation_level,
> > -- &validation,
> > -- &authoritative,
> > -- &result);
> > -+ status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
> > -+ cli->binding_handle,
> > -+ logon_type,
> > -+ logon,
> > -+ mem_ctx,
> > -+ &validation_level,
> > -+ &validation,
> > -+ &authoritative,
> > -+ &flags);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > -
> > -- /* Always check returned credentials */
> > -- if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
> > -- DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n"));
> > -- return NT_STATUS_ACCESS_DENIED;
> > -- }
> > --
> > -- return result;
> > -+ return NT_STATUS_OK;
> > - }
> > -
> > - static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> > -@@ -366,29 +311,24 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > - const char *domain,
> > - const char *workstation,
> > - const uint8 chal[8],
> > -- uint16_t validation_level,
> > -+ uint16_t _ignored_validation_level,
> > - DATA_BLOB lm_response,
> > - DATA_BLOB nt_response,
> > - struct netr_SamInfo3 **info3)
> > - {
> > -- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > - NTSTATUS status;
> > - const char *workstation_name_slash;
> > -- const char *server_name_slash;
> > -- struct netr_Authenticator clnt_creds;
> > -- struct netr_Authenticator ret_creds;
> > - union netr_LogonLevel *logon = NULL;
> > - struct netr_NetworkInfo *network_info;
> > -- uint8_t authoritative;
> > -- union netr_Validation validation;
> > -+ uint16_t validation_level = 0;
> > -+ union netr_Validation *validation = NULL;
> > -+ uint8_t authoritative = 0;
> > -+ uint32_t flags = 0;
> > - struct netr_ChallengeResponse lm;
> > - struct netr_ChallengeResponse nt;
> > -- struct dcerpc_binding_handle *b = cli->binding_handle;
> > -
> > - *info3 = NULL;
> > -
> > -- ZERO_STRUCT(ret_creds);
> > --
> > - ZERO_STRUCT(lm);
> > - ZERO_STRUCT(nt);
> > -
> > -@@ -402,21 +342,13 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
> > --
> > -- if (server[0] != '\\' && server[1] != '\\') {
> > -- server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
> > -- } else {
> > -- server_name_slash = server;
> > -- }
> > --
> > - if (workstation[0] != '\\' && workstation[1] != '\\') {
> > - workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
> > - } else {
> > - workstation_name_slash = workstation;
> > - }
> > -
> > -- if (!workstation_name_slash || !server_name_slash) {
> > -+ if (!workstation_name_slash) {
> > - DEBUG(0, ("talloc_asprintf failed!\n"));
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -@@ -443,40 +375,27 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > -
> > - /* Marshall data and send request */
> > -
> > -- status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
> > -- server_name_slash,
> > -- lp_netbios_name(),
> > -- &clnt_creds,
> > -- &ret_creds,
> > -- NetlogonNetworkInformation,
> > -- logon,
> > -- validation_level,
> > -- &validation,
> > -- &authoritative,
> > -- &result);
> > -+ status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
> > -+ cli->binding_handle,
> > -+ NetlogonNetworkInformation,
> > -+ logon,
> > -+ mem_ctx,
> > -+ &validation_level,
> > -+ &validation,
> > -+ &authoritative,
> > -+ &flags);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > -
> > -- /* Always check returned credentials. */
> > -- if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
> > -- DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n"));
> > -- return NT_STATUS_ACCESS_DENIED;
> > -- }
> > --
> > -- if (!NT_STATUS_IS_OK(result)) {
> > -- return result;
> > -- }
> > --
> > -- netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
> > -- &validation);
> > --
> > -- result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
> > -- if (!NT_STATUS_IS_OK(result)) {
> > -- return result;
> > -+ status = map_validation_to_info3(mem_ctx,
> > -+ validation_level, validation,
> > -+ info3);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > - }
> > -
> > -- return result;
> > -+ return NT_STATUS_OK;
> > - }
> > -
> > - NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
> > -@@ -492,100 +411,18 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
> > - DATA_BLOB nt_response,
> > - struct netr_SamInfo3 **info3)
> > - {
> > -- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > -- NTSTATUS status;
> > -- const char *workstation_name_slash;
> > -- const char *server_name_slash;
> > -- union netr_LogonLevel *logon = NULL;
> > -- struct netr_NetworkInfo *network_info;
> > -- uint8_t authoritative;
> > -- union netr_Validation validation;
> > -- struct netr_ChallengeResponse lm;
> > -- struct netr_ChallengeResponse nt;
> > -- uint32_t flags = 0;
> > -- struct dcerpc_binding_handle *b = cli->binding_handle;
> > --
> > -- *info3 = NULL;
> > --
> > -- ZERO_STRUCT(lm);
> > -- ZERO_STRUCT(nt);
> > --
> > -- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> > -- if (!logon) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
> > -- if (!network_info) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- if (server[0] != '\\' && server[1] != '\\') {
> > -- server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
> > -- } else {
> > -- server_name_slash = server;
> > -- }
> > --
> > -- if (workstation[0] != '\\' && workstation[1] != '\\') {
> > -- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
> > -- } else {
> > -- workstation_name_slash = workstation;
> > -- }
> > --
> > -- if (!workstation_name_slash || !server_name_slash) {
> > -- DEBUG(0, ("talloc_asprintf failed!\n"));
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- /* Initialise input parameters */
> > --
> > -- lm.data = lm_response.data;
> > -- lm.length = lm_response.length;
> > -- nt.data = nt_response.data;
> > -- nt.length = nt_response.length;
> > --
> > -- network_info->identity_info.domain_name.string = domain;
> > -- network_info->identity_info.parameter_control = logon_parameters;
> > -- network_info->identity_info.logon_id_low = 0xdead;
> > -- network_info->identity_info.logon_id_high = 0xbeef;
> > -- network_info->identity_info.account_name.string = username;
> > -- network_info->identity_info.workstation.string = workstation_name_slash;
> > --
> > -- memcpy(network_info->challenge, chal, 8);
> > -- network_info->nt = nt;
> > -- network_info->lm = lm;
> > --
> > -- logon->network = network_info;
> > --
> > -- /* Marshall data and send request */
> > --
> > -- status = dcerpc_netr_LogonSamLogonEx(b, mem_ctx,
> > -- server_name_slash,
> > -- lp_netbios_name(),
> > -- NetlogonNetworkInformation,
> > -- logon,
> > -- validation_level,
> > -- &validation,
> > -- &authoritative,
> > -- &flags,
> > -- &result);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > --
> > -- if (!NT_STATUS_IS_OK(result)) {
> > -- return result;
> > -- }
> > --
> > -- netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
> > -- &validation);
> > --
> > -- result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
> > -- if (!NT_STATUS_IS_OK(result)) {
> > -- return result;
> > -- }
> > --
> > -- return result;
> > -+ return rpccli_netlogon_sam_network_logon(cli,
> > -+ mem_ctx,
> > -+ logon_parameters,
> > -+ server,
> > -+ username,
> > -+ domain,
> > -+ workstation,
> > -+ chal,
> > -+ validation_level,
> > -+ lm_response,
> > -+ nt_response,
> > -+ info3);
> > - }
> > -
> > - /*********************************************************
> > -@@ -605,11 +442,9 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > - const unsigned char new_trust_passwd_hash[16],
> > - enum netr_SchannelType sec_channel_type)
> > - {
> > -- NTSTATUS result, status;
> > -- struct netr_Authenticator clnt_creds, srv_cred;
> > -- struct dcerpc_binding_handle *b = cli->binding_handle;
> > -+ NTSTATUS result;
> > -
> > -- if (!cli->dc) {
> > -+ if (cli->netlogon_creds == NULL) {
> > - uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > - NETLOGON_NEG_SUPPORTS_AES;
> > - result = rpccli_netlogon_setup_creds(cli,
> > -@@ -627,77 +462,16 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > - }
> > - }
> > -
> > -- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
> > --
> > -- if (cli->dc->negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
> > --
> > -- struct netr_CryptPassword new_password;
> > -- uint32_t old_timeout;
> > --
> > -- init_netr_CryptPassword(new_trust_pwd_cleartext,
> > -- cli->dc,
> > -- &new_password);
> > --
> > -- old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
> > --
> > -- status = dcerpc_netr_ServerPasswordSet2(b, mem_ctx,
> > -- cli->srv_name_slash,
> > -- cli->dc->account_name,
> > -- sec_channel_type,
> > -- cli->dc->computer_name,
> > -- &clnt_creds,
> > -- &srv_cred,
> > -- &new_password,
> > -- &result);
> > --
> > -- dcerpc_binding_handle_set_timeout(b, old_timeout);
> > --
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(0,("dcerpc_netr_ServerPasswordSet2 failed: %s\n",
> > -- nt_errstr(status)));
> > -- return status;
> > -- }
> > -- } else {
> > --
> > -- struct samr_Password new_password;
> > -- uint32_t old_timeout;
> > --
> > -- memcpy(new_password.hash, new_trust_passwd_hash, sizeof(new_password.hash));
> > -- netlogon_creds_des_encrypt(cli->dc, &new_password);
> > --
> > -- old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
> > --
> > -- status = dcerpc_netr_ServerPasswordSet(b, mem_ctx,
> > -- cli->srv_name_slash,
> > -- cli->dc->account_name,
> > -- sec_channel_type,
> > -- cli->dc->computer_name,
> > -- &clnt_creds,
> > -- &srv_cred,
> > -- &new_password,
> > -- &result);
> > --
> > -- dcerpc_binding_handle_set_timeout(b, old_timeout);
> > --
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(0,("dcerpc_netr_ServerPasswordSet failed: %s\n",
> > -- nt_errstr(status)));
> > -- return status;
> > -- }
> > -- }
> > --
> > -- /* Always check returned credentials. */
> > -- if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
> > -- DEBUG(0,("credentials chain check failed\n"));
> > -- return NT_STATUS_ACCESS_DENIED;
> > -- }
> > --
> > -+ result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
> > -+ cli->binding_handle,
> > -+ new_trust_pwd_cleartext,
> > -+ NULL); /* new_version */
> > - if (!NT_STATUS_IS_OK(result)) {
> > -- DEBUG(0,("dcerpc_netr_ServerPasswordSet{2} failed: %s\n",
> > -+ DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
> > - nt_errstr(result)));
> > - return result;
> > - }
> > -
> > -- return result;
> > -+ return NT_STATUS_OK;
> > - }
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index a45023f..fe1613d 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -24,6 +24,7 @@
> > - #include "librpc/gen_ndr/ndr_epmapper_c.h"
> > - #include "../librpc/gen_ndr/ndr_dssetup.h"
> > - #include "../libcli/auth/schannel.h"
> > -+#include "../libcli/auth/netlogon_creds_cli.h"
> > - #include "auth_generic.h"
> > - #include "librpc/gen_ndr/ndr_dcerpc.h"
> > - #include "librpc/gen_ndr/ndr_netlogon_c.h"
> > -@@ -3024,34 +3025,39 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - enum dcerpc_transport_t transport,
> > - enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > -- struct netlogon_creds_CredentialState **pdc,
> > -+ struct netlogon_creds_cli_context *netlogon_creds,
> > - struct rpc_pipe_client **_rpccli)
> > - {
> > - struct rpc_pipe_client *rpccli;
> > - struct pipe_auth_data *rpcauth;
> > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > - NTSTATUS status;
> > -- NTSTATUS result;
> > -- struct netlogon_creds_CredentialState save_creds;
> > -- struct netr_Authenticator auth;
> > -- struct netr_Authenticator return_auth;
> > -- union netr_Capabilities capabilities;
> > - const char *target_service = table->authservices->names[0];
> > -+ int rpc_pipe_bind_dbglvl = 0;
> > -
> > - status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > -
> > -+ status = netlogon_creds_cli_lock(netlogon_creds, rpccli, &creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ DEBUG(0, ("netlogon_creds_cli_get returned %s\n",
> > -+ nt_errstr(status)));
> > -+ TALLOC_FREE(rpccli);
> > -+ return status;
> > -+ }
> > -+
> > - status = rpccli_generic_bind_data(rpccli,
> > - DCERPC_AUTH_TYPE_SCHANNEL,
> > - auth_level,
> > - NULL,
> > - target_service,
> > - domain,
> > -- (*pdc)->computer_name,
> > -+ creds->computer_name,
> > - NULL,
> > - CRED_AUTO_USE_KERBEROS,
> > -- *pdc,
> > -+ creds,
> > - &rpcauth);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
> > -@@ -3060,120 +3066,43 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - return status;
> > - }
> > -
> > -- /*
> > -- * The credentials on a new netlogon pipe are the ones we are passed
> > -- * in - copy them over
> > -- *
> > -- * This may get overwritten... in rpc_pipe_bind()...
> > -- */
> > -- rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
> > -- if (rpccli->dc == NULL) {
> > -- TALLOC_FREE(rpccli);
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > - status = rpc_pipe_bind(rpccli, rpcauth);
> > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
> > -+ rpc_pipe_bind_dbglvl = 1;
> > -+ netlogon_creds_cli_delete(netlogon_creds, &creds);
> > -+ }
> > - if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
> > -- "cli_rpc_pipe_bind failed with error %s\n",
> > -- nt_errstr(status) ));
> > -+ DEBUG(rpc_pipe_bind_dbglvl,
> > -+ ("cli_rpc_pipe_open_schannel_with_key: "
> > -+ "rpc_pipe_bind failed with error %s\n",
> > -+ nt_errstr(status)));
> > - TALLOC_FREE(rpccli);
> > - return status;
> > - }
> > -
> > -- if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
> > -- goto done;
> > -- }
> > --
> > -- save_creds = *rpccli->dc;
> > -- ZERO_STRUCT(return_auth);
> > -- ZERO_STRUCT(capabilities);
> > -+ TALLOC_FREE(creds);
> > -
> > -- netlogon_creds_client_authenticator(&save_creds, &auth);
> > --
> > -- status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
> > -- talloc_tos(),
> > -- rpccli->srv_name_slash,
> > -- save_creds.computer_name,
> > -- &auth, &return_auth,
> > -- 1, &capabilities,
> > -- &result);
> > -- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > -- if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- DEBUG(5, ("AES was negotiated and the error was %s - "
> > -- "downgrade detected\n",
> > -- nt_errstr(status)));
> > -- TALLOC_FREE(rpccli);
> > -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > -- }
> > --
> > -- /* This is probably an old Samba Version */
> > -- DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
> > -- nt_errstr(status)));
> > -+ if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
> > - goto done;
> > - }
> > -
> > -+ status = netlogon_creds_cli_check(netlogon_creds,
> > -+ rpccli->binding_handle);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
> > -+ DEBUG(0, ("netlogon_creds_cli_check failed with %s\n",
> > - nt_errstr(status)));
> > - TALLOC_FREE(rpccli);
> > - return status;
> > - }
> > -
> > -- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
> > -- if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- /* This means AES isn't supported. */
> > -- DEBUG(5, ("AES was negotiated and the result was %s - "
> > -- "downgrade detected\n",
> > -- nt_errstr(result)));
> > -- TALLOC_FREE(rpccli);
> > -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > -- }
> > --
> > -- /* This is probably an old Windows version */
> > -- DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
> > -- nt_errstr(result)));
> > -- goto done;
> > -- }
> > --
> > -- /*
> > -- * We need to check the credential state here, cause win2k3 and earlier
> > -- * returns NT_STATUS_NOT_IMPLEMENTED
> > -- */
> > -- if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
> > -- /*
> > -- * Server replied with bad credential. Fail.
> > -- */
> > -- DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
> > -- "replied with bad credential\n",
> > -- rpccli->desthost));
> > -- TALLOC_FREE(rpccli);
> > -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > -- }
> > -- *rpccli->dc = save_creds;
> > --
> > -- if (!NT_STATUS_IS_OK(result)) {
> > -- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
> > -- nt_errstr(result)));
> > -- TALLOC_FREE(rpccli);
> > -- return result;
> > -- }
> > --
> > -- if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
> > -- /* This means AES isn't supported. */
> > -- DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
> > -- "was OK - downgrade detected\n"));
> > -- TALLOC_FREE(rpccli);
> > -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > -- }
> > --
> > -- if (save_creds.negotiate_flags != capabilities.server_capabilities) {
> > -- DEBUG(0, ("The client capabilities don't match the server "
> > -- "capabilities: local[0x%08X] remote[0x%08X]\n",
> > -- save_creds.negotiate_flags,
> > -- capabilities.server_capabilities));
> > -+ status = netlogon_creds_cli_context_copy(netlogon_creds,
> > -+ rpccli,
> > -+ &rpccli->netlogon_creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
> > -+ nt_errstr(status)));
> > - TALLOC_FREE(rpccli);
> > -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > -+ return status;
> > - }
> > -
> > - done:
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index 826f9bf..cf0c5c6 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -96,7 +96,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - enum dcerpc_transport_t transport,
> > - enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > -- struct netlogon_creds_CredentialState **pdc,
> > -+ struct netlogon_creds_cli_context *netlogon_creds,
> > - struct rpc_pipe_client **presult);
> > -
> > - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > -index aaae44b..e3d65c8 100644
> > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > -@@ -112,7 +112,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > - }
> > -
> > - status = cli_rpc_pipe_open_schannel_with_key(
> > -- cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
> > -+ cli, table, transport, auth_level, domain,
> > -+ netlogon_pipe->netlogon_creds,
> > - &result);
> > -
> > - /* Now we've bound using the session key we can close the netlog pipe. */
> > -diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
> > -index 8024f01..7c4cceb 100644
> > ---- a/source3/rpc_client/rpc_client.h
> > -+++ b/source3/rpc_client/rpc_client.h
> > -@@ -50,7 +50,7 @@ struct rpc_pipe_client {
> > - struct pipe_auth_data *auth;
> > -
> > - /* The following is only non-null on a netlogon client pipe. */
> > -- struct netlogon_creds_CredentialState *dc;
> > -+ struct netlogon_creds_cli_context *netlogon_creds;
> > - };
> > -
> > - #endif /* _RPC_CLIENT_H */
> > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > -index d92434b..2e0b5e5 100644
> > ---- a/source3/rpcclient/cmd_netlogon.c
> > -+++ b/source3/rpcclient/cmd_netlogon.c
> > -@@ -26,6 +26,7 @@
> > - #include "../librpc/gen_ndr/ndr_netlogon_c.h"
> > - #include "rpc_client/cli_netlogon.h"
> > - #include "secrets.h"
> > -+#include "../libcli/auth/netlogon_creds_cli.h"
> > -
> > - static WERROR cmd_netlogon_logon_ctrl2(struct rpc_pipe_client *cli,
> > - TALLOC_CTX *mem_ctx, int argc,
> > -@@ -630,8 +631,15 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
> > -
> > - do {
> > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > -
> > -- netlogon_creds_client_authenticator(cli->dc, &credential);
> > -+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > -+ mem_ctx, &creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ netlogon_creds_client_authenticator(creds, &credential);
> > -
> > - status = dcerpc_netr_DatabaseSync2(b, mem_ctx,
> > - logon_server,
> > -@@ -645,15 +653,18 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
> > - 0xffff,
> > - &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(creds);
> > - return status;
> > - }
> > -
> > - /* Check returned credentials. */
> > -- if (!netlogon_creds_client_check(cli->dc,
> > -+ if (!netlogon_creds_client_check(creds,
> > - &return_authenticator.cred)) {
> > - DEBUG(0,("credentials chain check failed\n"));
> > -+ TALLOC_FREE(creds);
> > - return NT_STATUS_ACCESS_DENIED;
> > - }
> > -+ TALLOC_FREE(creds);
> > -
> > - if (NT_STATUS_IS_ERR(result)) {
> > - break;
> > -@@ -699,8 +710,15 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
> > -
> > - do {
> > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > -+
> > -+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > -+ mem_ctx, &creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -
> > -- netlogon_creds_client_authenticator(cli->dc, &credential);
> > -+ netlogon_creds_client_authenticator(creds, &credential);
> > -
> > - status = dcerpc_netr_DatabaseDeltas(b, mem_ctx,
> > - logon_server,
> > -@@ -713,15 +731,18 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
> > - 0xffff,
> > - &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(creds);
> > - return status;
> > - }
> > -
> > - /* Check returned credentials. */
> > -- if (!netlogon_creds_client_check(cli->dc,
> > -+ if (!netlogon_creds_client_check(creds,
> > - &return_authenticator.cred)) {
> > - DEBUG(0,("credentials chain check failed\n"));
> > -+ TALLOC_FREE(creds);
> > - return NT_STATUS_ACCESS_DENIED;
> > - }
> > -+ TALLOC_FREE(creds);
> > -
> > - if (NT_STATUS_IS_ERR(result)) {
> > - break;
> > -@@ -1129,6 +1150,7 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > - struct netr_ChangeLogEntry e;
> > - uint32_t rid = 500;
> > - struct dcerpc_binding_handle *b = cli->binding_handle;
> > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > -
> > - if (argc > 2) {
> > - fprintf(stderr, "Usage: %s <user rid>\n", argv[0]);
> > -@@ -1158,7 +1180,13 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > - return status;
> > - }
> > -
> > -- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
> > -+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > -+ mem_ctx, &creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ netlogon_creds_client_authenticator(creds, &clnt_creds);
> > -
> > - ZERO_STRUCT(e);
> > -
> > -@@ -1176,13 +1204,16 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > - &delta_enum_array,
> > - &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(creds);
> > - return status;
> > - }
> > -
> > -- if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
> > -+ if (!netlogon_creds_client_check(creds, &srv_cred.cred)) {
> > - DEBUG(0,("credentials chain check failed\n"));
> > -+ TALLOC_FREE(creds);
> > - return NT_STATUS_ACCESS_DENIED;
> > - }
> > -+ TALLOC_FREE(creds);
> > -
> > - return result;
> > - }
> > -@@ -1198,6 +1229,7 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
> > - union netr_Capabilities capabilities;
> > - uint32_t level = 1;
> > - struct dcerpc_binding_handle *b = cli->binding_handle;
> > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > -
> > - if (argc > 2) {
> > - fprintf(stderr, "Usage: %s <level>\n", argv[0]);
> > -@@ -1210,7 +1242,13 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
> > -
> > - ZERO_STRUCT(return_authenticator);
> > -
> > -- netlogon_creds_client_authenticator(cli->dc, &credential);
> > -+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > -+ mem_ctx, &creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ netlogon_creds_client_authenticator(creds, &credential);
> > -
> > - status = dcerpc_netr_LogonGetCapabilities(b, mem_ctx,
> > - cli->desthost,
> > -@@ -1221,14 +1259,17 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
> > - &capabilities,
> > - &result);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(creds);
> > - return status;
> > - }
> > -
> > -- if (!netlogon_creds_client_check(cli->dc,
> > -+ if (!netlogon_creds_client_check(creds,
> > - &return_authenticator.cred)) {
> > - DEBUG(0,("credentials chain check failed\n"));
> > -+ TALLOC_FREE(creds);
> > - return NT_STATUS_ACCESS_DENIED;
> > - }
> > -+ TALLOC_FREE(creds);
> > -
> > - printf("capabilities: 0x%08x\n", capabilities.server_capabilities);
> > -
> > -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
> > -index afde685..b5fc010 100644
> > ---- a/source3/winbindd/winbindd.h
> > -+++ b/source3/winbindd/winbindd.h
> > -@@ -165,16 +165,7 @@ struct winbindd_domain {
> > - time_t startup_time; /* When we set "startup" true. monotonic clock */
> > - bool startup; /* are we in the first 30 seconds after startup_time ? */
> > -
> > -- bool can_do_samlogon_ex; /* Due to the lack of finer control what type
> > -- * of DC we have, let us try to do a
> > -- * credential-chain less samlogon_ex call
> > -- * with AD and schannel. If this fails with
> > -- * DCERPC_FAULT_OP_RNG_ERROR, then set this
> > -- * to False. This variable is around so that
> > -- * we don't have to try _ex every time. */
> > --
> > - bool can_do_ncacn_ip_tcp;
> > -- bool can_do_validation6;
> > -
> > - /* Lookup methods for this domain (LDAP or RPC) */
> > - struct winbindd_methods *methods;
> > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > -index 6c1244e..e0d1d0c 100644
> > ---- a/source3/winbindd/winbindd_cm.c
> > -+++ b/source3/winbindd/winbindd_cm.c
> > -@@ -2047,7 +2047,6 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
> > - domain->active_directory ? "" : "NOT "));
> > -
> > - domain->can_do_ncacn_ip_tcp = domain->active_directory;
> > -- domain->can_do_validation6 = domain->active_directory;
> > -
> > - domain->initialized = True;
> > -
> > -@@ -2248,7 +2247,6 @@ done:
> > - domain->name, domain->active_directory ? "" : "NOT "));
> > -
> > - domain->can_do_ncacn_ip_tcp = domain->active_directory;
> > -- domain->can_do_validation6 = domain->active_directory;
> > -
> > - TALLOC_FREE(cli);
> > -
> > -@@ -2289,7 +2287,7 @@ static void set_dc_type_and_flags( struct winbindd_domain *domain )
> > - ***********************************************************************/
> > -
> > - static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
> > -- struct netlogon_creds_CredentialState **ppdc)
> > -+ struct netlogon_creds_cli_context **ppdc)
> > - {
> > - NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > - struct rpc_pipe_client *netlogon_pipe;
> > -@@ -2306,11 +2304,11 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
> > - /* Return a pointer to the struct netlogon_creds_CredentialState from the
> > - netlogon pipe. */
> > -
> > -- if (!domain->conn.netlogon_pipe->dc) {
> > -+ if (!domain->conn.netlogon_pipe->netlogon_creds) {
> > - return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
> > - }
> > -
> > -- *ppdc = domain->conn.netlogon_pipe->dc;
> > -+ *ppdc = domain->conn.netlogon_pipe->netlogon_creds;
> > - return NT_STATUS_OK;
> > - }
> > -
> > -@@ -2319,7 +2317,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - {
> > - struct winbindd_cm_conn *conn;
> > - NTSTATUS status, result;
> > -- struct netlogon_creds_CredentialState *p_creds;
> > -+ struct netlogon_creds_cli_context *p_creds;
> > - char *machine_password = NULL;
> > - char *machine_account = NULL;
> > - const char *domain_name = NULL;
> > -@@ -2431,7 +2429,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - status = cli_rpc_pipe_open_schannel_with_key
> > - (conn->cli, &ndr_table_samr, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY,
> > -- domain->name, &p_creds, &conn->samr_pipe);
> > -+ domain->name, p_creds, &conn->samr_pipe);
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
> > -@@ -2534,7 +2532,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> > - struct rpc_pipe_client **cli)
> > - {
> > - struct winbindd_cm_conn *conn;
> > -- struct netlogon_creds_CredentialState *creds;
> > -+ struct netlogon_creds_cli_context *creds;
> > - NTSTATUS status;
> > -
> > - DEBUG(10,("cm_connect_lsa_tcp\n"));
> > -@@ -2565,7 +2563,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> > - NCACN_IP_TCP,
> > - DCERPC_AUTH_LEVEL_PRIVACY,
> > - domain->name,
> > -- &creds,
> > -+ creds,
> > - &conn->lsa_pipe_tcp);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
> > -@@ -2589,7 +2587,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - {
> > - struct winbindd_cm_conn *conn;
> > - NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > -- struct netlogon_creds_CredentialState *p_creds;
> > -+ struct netlogon_creds_cli_context *p_creds;
> > -
> > - result = init_dc_connection_rpc(domain);
> > - if (!NT_STATUS_IS_OK(result))
> > -@@ -2662,7 +2660,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - result = cli_rpc_pipe_open_schannel_with_key
> > - (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY,
> > -- domain->name, &p_creds, &conn->lsa_pipe);
> > -+ domain->name, p_creds, &conn->lsa_pipe);
> > -
> > - if (!NT_STATUS_IS_OK(result)) {
> > - DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
> > -@@ -2826,10 +2824,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > - no_schannel:
> > - if ((lp_client_schannel() == False) ||
> > - ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
> > -- /*
> > -- * NetSamLogonEx only works for schannel
> > -- */
> > -- domain->can_do_samlogon_ex = False;
> > -
> > - /* We're done - just keep the existing connection to NETLOGON
> > - * open */
> > -@@ -2845,7 +2839,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > -
> > - result = cli_rpc_pipe_open_schannel_with_key(
> > - conn->cli, &ndr_table_netlogon, NCACN_NP,
> > -- DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
> > -+ DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
> > -+ netlogon_pipe->netlogon_creds,
> > - &conn->netlogon_pipe);
> > -
> > - /* We can now close the initial netlogon pipe. */
> > -@@ -2859,15 +2854,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > - return result;
> > - }
> > -
> > -- /*
> > -- * Always try netr_LogonSamLogonEx. We will fall back for NT4
> > -- * which gives DCERPC_FAULT_OP_RNG_ERROR (function not
> > -- * supported). We used to only try SamLogonEx for AD, but
> > -- * Samba DCs can also do it. And because we don't distinguish
> > -- * between Samba and NT4, always try it once.
> > -- */
> > -- domain->can_do_samlogon_ex = true;
> > --
> > - *cli = conn->netlogon_pipe;
> > - return NT_STATUS_OK;
> > - }
> > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > -index c356686..39483a5 100644
> > ---- a/source3/winbindd/winbindd_pam.c
> > -+++ b/source3/winbindd/winbindd_pam.c
> > -@@ -1228,8 +1228,6 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > -
> > - do {
> > - struct rpc_pipe_client *netlogon_pipe;
> > -- const struct pipe_auth_data *auth;
> > -- uint32_t neg_flags = 0;
> > -
> > - ZERO_STRUCTP(info3);
> > - retry = false;
> > -@@ -1278,75 +1276,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > - }
> > - netr_attempts = 0;
> > -
> > -- auth = netlogon_pipe->auth;
> > -- if (netlogon_pipe->dc) {
> > -- neg_flags = netlogon_pipe->dc->negotiate_flags;
> > -- }
> > --
> > -- /* It is really important to try SamLogonEx here,
> > -- * because in a clustered environment, we want to use
> > -- * one machine account from multiple physical
> > -- * computers.
> > -- *
> > -- * With a normal SamLogon call, we must keep the
> > -- * credentials chain updated and intact between all
> > -- * users of the machine account (which would imply
> > -- * cross-node communication for every NTLM logon).
> > -- *
> > -- * (The credentials chain is not per NETLOGON pipe
> > -- * connection, but globally on the server/client pair
> > -- * by machine name).
> > -- *
> > -- * When using SamLogonEx, the credentials are not
> > -- * supplied, but the session key is implied by the
> > -- * wrapping SamLogon context.
> > -- *
> > -- * -- abartlet 21 April 2008
> > -- *
> > -- * It's also important to use NetlogonValidationSamInfo4 (6),
> > -- * because it relies on the rpc transport encryption
> > -- * and avoids using the global netlogon schannel
> > -- * session key to en/decrypt secret information
> > -- * like the user_session_key for network logons.
> > -- *
> > -- * [MS-APDS] 3.1.5.2 NTLM Network Logon
> > -- * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
> > -- * NETLOGON_NEG_AUTHENTICATED_RPC set together
> > -- * are the indication that the server supports
> > -- * NetlogonValidationSamInfo4 (6). And it must only
> > -- * be used if "SealSecureChannel" is used.
> > -- *
> > -- * -- metze 4 February 2011
> > -- */
> > --
> > -- if (auth == NULL) {
> > -- domain->can_do_validation6 = false;
> > -- } else if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
> > -- domain->can_do_validation6 = false;
> > -- } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
> > -- domain->can_do_validation6 = false;
> > -- } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
> > -- domain->can_do_validation6 = false;
> > -- } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > -- domain->can_do_validation6 = false;
> > -- }
> > --
> > -- if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
> > -- result = rpccli_netlogon_sam_network_logon_ex(
> > -- netlogon_pipe,
> > -- mem_ctx,
> > -- logon_parameters,
> > -- server, /* server name */
> > -- username, /* user name */
> > -- domainname, /* target domain */
> > -- workstation, /* workstation */
> > -- chal,
> > -- 6,
> > -- lm_response,
> > -- nt_response,
> > -- info3);
> > -- } else {
> > -- result = rpccli_netlogon_sam_network_logon(
> > -+ result = rpccli_netlogon_sam_network_logon(
> > - netlogon_pipe,
> > - mem_ctx,
> > - logon_parameters,
> > -@@ -1355,48 +1285,10 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > - domainname, /* target domain */
> > - workstation, /* workstation */
> > - chal,
> > -- domain->can_do_validation6 ? 6 : 3,
> > -+ -1, /* ignored */
> > - lm_response,
> > - nt_response,
> > - info3);
> > -- }
> > --
> > -- if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > --
> > -- /*
> > -- * It's likely that the server also does not support
> > -- * validation level 6
> > -- */
> > -- domain->can_do_validation6 = false;
> > --
> > -- if (domain->can_do_samlogon_ex) {
> > -- DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
> > -- "retrying with NetSamLogon\n"));
> > -- domain->can_do_samlogon_ex = false;
> > -- retry = true;
> > -- continue;
> > -- }
> > --
> > --
> > -- /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
> > -- * (no Ex). This happens against old Samba
> > -- * DCs. Drop the connection.
> > -- */
> > -- invalidate_cm_connection(&domain->conn);
> > -- result = NT_STATUS_LOGON_FAILURE;
> > -- break;
> > -- }
> > --
> > -- if (domain->can_do_validation6 &&
> > -- (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
> > -- NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
> > -- NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
> > -- DEBUG(3,("Got a DC that can not do validation level 6, "
> > -- "retrying with level 3\n"));
> > -- domain->can_do_validation6 = false;
> > -- retry = true;
> > -- continue;
> > -- }
> > -
> > - /*
> > - * we increment this after the "feature negotiation"
> > -@@ -1428,6 +1320,30 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > - retry = true;
> > - }
> > -
> > -+ if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > -+ /*
> > -+ * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
> > -+ * (no Ex). This happens against old Samba
> > -+ * DCs, if LogonSamLogonEx() fails with an error
> > -+ * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
> > -+ *
> > -+ * The server will log something like this:
> > -+ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
> > -+ *
> > -+ * This sets the whole connection into a fault_state mode
> > -+ * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
> > -+ *
> > -+ * This also happens to our retry with LogonSamLogonWithFlags()
> > -+ * and LogonSamLogon().
> > -+ *
> > -+ * In order to recover from this situation, we need to
> > -+ * drop the connection.
> > -+ */
> > -+ invalidate_cm_connection(&domain->conn);
> > -+ result = NT_STATUS_LOGON_FAILURE;
> > -+ break;
> > -+ }
> > -+
> > - } while ( (attempts < 2) && retry );
> > -
> > - if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
> > -diff --git a/source3/wscript_build b/source3/wscript_build
> > -index 13d15c3..0d3ba8e 100755
> > ---- a/source3/wscript_build
> > -+++ b/source3/wscript_build
> > -@@ -671,8 +671,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
> > - deps='''ndr ndr-standard
> > - RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
> > - LIBTSOCKET gse dcerpc-binding
> > -- libsmb
> > -- ndr-table''',
> > -+ libsmb ndr-table NETLOGON_CREDS_CLI
> > -+ ''',
> > - vars=locals(),
> > - private_library=True)
> > -
> > -@@ -1114,7 +1114,7 @@ bld.SAMBA3_LIBRARY('libcli_lsa3',
> > -
> > - bld.SAMBA3_LIBRARY('libcli_netlogon3',
> > - source=LIBCLI_NETLOGON_SRC,
> > -- deps='RPC_NDR_NETLOGON INIT_NETLOGON cliauth param',
> > -+ deps='msrpc3 RPC_NDR_NETLOGON INIT_NETLOGON cliauth param NETLOGON_CREDS_CLI',
> > - private_library=True)
> > -
> > - bld.SAMBA3_LIBRARY('cli_spoolss',
> > ---
> > -1.9.3
> > -
> > -
> > -From 0b489bffb452e05d595abc2894532100162a4e8c Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 17 Oct 2013 17:03:00 +0200
> > -Subject: [PATCH 175/249] s3:rpc_client: use netlogon_creds_cli_auth_level() in
> > - cli_rpc_pipe_open_schannel_with_key()
> > -
> > -This means the auth level is now based on the "winbindd sealed pipes" option,
> > -defaulting to "yes" and DCERPC_AUTH_LEVEL_PRIVACY.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 5adfc5f9f737c003b84b0187fa17b9fc3784442e)
> > ----
> > - source3/libnet/libnet_join.c | 1 -
> > - source3/rpc_client/cli_pipe.c | 4 +++-
> > - source3/rpc_client/cli_pipe.h | 1 -
> > - source3/rpc_client/cli_pipe_schannel.c | 2 +-
> > - source3/winbindd/winbindd_cm.c | 5 +----
> > - 5 files changed, 5 insertions(+), 8 deletions(-)
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index 5dc620f..b2805ee 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -1278,7 +1278,6 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > -
> > - status = cli_rpc_pipe_open_schannel_with_key(
> > - cli, &ndr_table_netlogon, NCACN_NP,
> > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > - netbios_domain_name,
> > - netlogon_pipe->netlogon_creds, &pipe_hnd);
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index fe1613d..31cd7f5 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -3023,7 +3023,6 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> > - NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - const struct ndr_interface_table *table,
> > - enum dcerpc_transport_t transport,
> > -- enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > - struct netlogon_creds_cli_context *netlogon_creds,
> > - struct rpc_pipe_client **_rpccli)
> > -@@ -3031,6 +3030,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - struct rpc_pipe_client *rpccli;
> > - struct pipe_auth_data *rpcauth;
> > - struct netlogon_creds_CredentialState *creds = NULL;
> > -+ enum dcerpc_AuthLevel auth_level;
> > - NTSTATUS status;
> > - const char *target_service = table->authservices->names[0];
> > - int rpc_pipe_bind_dbglvl = 0;
> > -@@ -3048,6 +3048,8 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - return status;
> > - }
> > -
> > -+ auth_level = netlogon_creds_cli_auth_level(netlogon_creds);
> > -+
> > - status = rpccli_generic_bind_data(rpccli,
> > - DCERPC_AUTH_TYPE_SCHANNEL,
> > - auth_level,
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index cf0c5c6..c21c55d 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -94,7 +94,6 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
> > - NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - const struct ndr_interface_table *table,
> > - enum dcerpc_transport_t transport,
> > -- enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > - struct netlogon_creds_cli_context *netlogon_creds,
> > - struct rpc_pipe_client **presult);
> > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > -index e3d65c8..8f9161f 100644
> > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > -@@ -112,7 +112,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > - }
> > -
> > - status = cli_rpc_pipe_open_schannel_with_key(
> > -- cli, table, transport, auth_level, domain,
> > -+ cli, table, transport, domain,
> > - netlogon_pipe->netlogon_creds,
> > - &result);
> > -
> > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > -index e0d1d0c..1546002 100644
> > ---- a/source3/winbindd/winbindd_cm.c
> > -+++ b/source3/winbindd/winbindd_cm.c
> > -@@ -2428,7 +2428,6 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - }
> > - status = cli_rpc_pipe_open_schannel_with_key
> > - (conn->cli, &ndr_table_samr, NCACN_NP,
> > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > - domain->name, p_creds, &conn->samr_pipe);
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > -@@ -2561,7 +2560,6 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> > - status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
> > - &ndr_table_lsarpc,
> > - NCACN_IP_TCP,
> > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > - domain->name,
> > - creds,
> > - &conn->lsa_pipe_tcp);
> > -@@ -2659,7 +2657,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > - }
> > - result = cli_rpc_pipe_open_schannel_with_key
> > - (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > - domain->name, p_creds, &conn->lsa_pipe);
> > -
> > - if (!NT_STATUS_IS_OK(result)) {
> > -@@ -2839,7 +2836,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > -
> > - result = cli_rpc_pipe_open_schannel_with_key(
> > - conn->cli, &ndr_table_netlogon, NCACN_NP,
> > -- DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
> > -+ domain->name,
> > - netlogon_pipe->netlogon_creds,
> > - &conn->netlogon_pipe);
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 0f19f3b64e4f0b969eec4f2048df7c40be661e82 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 7 Aug 2013 11:27:25 +0200
> > -Subject: [PATCH 176/249] s3:rpc_client: add
> > - rpccli_{create,setup}_netlogon_creds()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 14ceb7b501fce6623be284cbcceb573fd2e10d3a)
> > ----
> > - source3/rpc_client/cli_netlogon.c | 105 ++++++++++++++++++++++++++++++++++++++
> > - source3/rpc_client/cli_netlogon.h | 16 ++++++
> > - 2 files changed, 121 insertions(+)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index fcd24d6..89aec37 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -21,15 +21,19 @@
> > - */
> > -
> > - #include "includes.h"
> > -+#include "libsmb/libsmb.h"
> > - #include "rpc_client/rpc_client.h"
> > -+#include "rpc_client/cli_pipe.h"
> > - #include "../libcli/auth/libcli_auth.h"
> > - #include "../libcli/auth/netlogon_creds_cli.h"
> > - #include "../librpc/gen_ndr/ndr_netlogon_c.h"
> > -+#include "../librpc/gen_ndr/schannel.h"
> > - #include "rpc_client/cli_netlogon.h"
> > - #include "rpc_client/init_netlogon.h"
> > - #include "rpc_client/util_netlogon.h"
> > - #include "../libcli/security/security.h"
> > - #include "lib/param/param.h"
> > -+#include "libcli/smb/smbXcli_base.h"
> > -
> > - /****************************************************************************
> > - Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
> > -@@ -124,6 +128,107 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > - return NT_STATUS_OK;
> > - }
> > -
> > -+NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> > -+ const char *server_netbios_domain,
> > -+ const char *client_account,
> > -+ enum netr_SchannelType sec_chan_type,
> > -+ struct messaging_context *msg_ctx,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_cli_context **netlogon_creds)
> > -+{
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct loadparm_context *lp_ctx;
> > -+ NTSTATUS status;
> > -+
> > -+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> > -+ if (lp_ctx == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ status = netlogon_creds_cli_context_global(lp_ctx,
> > -+ msg_ctx,
> > -+ client_account,
> > -+ sec_chan_type,
> > -+ server_computer,
> > -+ server_netbios_domain,
> > -+ mem_ctx, netlogon_creds);
> > -+ TALLOC_FREE(frame);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> > -+ struct netlogon_creds_cli_context *netlogon_creds,
> > -+ bool force_reauth,
> > -+ struct samr_Password current_nt_hash,
> > -+ const struct samr_Password *previous_nt_hash)
> > -+{
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct rpc_pipe_client *netlogon_pipe = NULL;
> > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > -+ NTSTATUS status;
> > -+
> > -+ status = netlogon_creds_cli_get(netlogon_creds,
> > -+ frame, &creds);
> > -+ if (NT_STATUS_IS_OK(status)) {
> > -+ const char *action = "using";
> > -+
> > -+ if (force_reauth) {
> > -+ action = "overwrite";
> > -+ }
> > -+
> > -+ DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
> > -+ __FUNCTION__, action,
> > -+ creds->account_name, creds->computer_name,
> > -+ smbXcli_conn_remote_name(cli->conn)));
> > -+ if (!force_reauth) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+ TALLOC_FREE(creds);
> > -+ }
> > -+
> > -+ status = cli_rpc_pipe_open_noauth(cli,
> > -+ &ndr_table_netlogon,
> > -+ &netlogon_pipe);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
> > -+ __FUNCTION__,
> > -+ smbXcli_conn_remote_name(cli->conn),
> > -+ nt_errstr(status)));
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+ talloc_steal(frame, netlogon_pipe);
> > -+
> > -+ status = netlogon_creds_cli_auth(netlogon_creds,
> > -+ netlogon_pipe->binding_handle,
> > -+ current_nt_hash,
> > -+ previous_nt_hash);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_get(netlogon_creds,
> > -+ frame, &creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_INTERNAL_ERROR;
> > -+ }
> > -+
> > -+ DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
> > -+ __FUNCTION__,
> > -+ creds->account_name, creds->computer_name,
> > -+ smbXcli_conn_remote_name(cli->conn)));
> > -+
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > - /* Logon domain user */
> > -
> > - NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > -index ad59d5b..82e0923 100644
> > ---- a/source3/rpc_client/cli_netlogon.h
> > -+++ b/source3/rpc_client/cli_netlogon.h
> > -@@ -23,6 +23,10 @@
> > - #ifndef _RPC_CLIENT_CLI_NETLOGON_H_
> > - #define _RPC_CLIENT_CLI_NETLOGON_H_
> > -
> > -+struct cli_state;
> > -+struct messaging_context;
> > -+struct netlogon_creds_cli_context;
> > -+
> > - /* The following definitions come from rpc_client/cli_netlogon.c */
> > -
> > - NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > -@@ -33,6 +37,18 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > - const unsigned char machine_pwd[16],
> > - enum netr_SchannelType sec_chan_type,
> > - uint32_t *neg_flags_inout);
> > -+NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> > -+ const char *server_netbios_domain,
> > -+ const char *client_account,
> > -+ enum netr_SchannelType sec_chan_type,
> > -+ struct messaging_context *msg_ctx,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_cli_context **netlogon_creds);
> > -+NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> > -+ struct netlogon_creds_cli_context *netlogon_creds,
> > -+ bool force_reauth,
> > -+ struct samr_Password current_nt_hash,
> > -+ const struct samr_Password *previous_nt_hash);
> > - NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > - TALLOC_CTX *mem_ctx,
> > - uint32 logon_parameters,
> > ---
> > -1.9.3
> > -
> > -
> > -From de0ed0882a458e52ef232e7d44234bf393311fc0 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 17 Dec 2013 20:05:56 +0100
> > -Subject: [PATCH 177/249] s3:rpc_client: add rpccli_pre_open_netlogon_creds()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 3c025af657899c9a2ff14f868c03ff72ab74cf8e)
> > ----
> > - source3/rpc_client/cli_netlogon.c | 21 +++++++++++++++++++++
> > - source3/rpc_client/cli_netlogon.h | 1 +
> > - 2 files changed, 22 insertions(+)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index 89aec37..9342fc3 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -128,6 +128,27 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > - return NT_STATUS_OK;
> > - }
> > -
> > -+NTSTATUS rpccli_pre_open_netlogon_creds(void)
> > -+{
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct loadparm_context *lp_ctx;
> > -+ NTSTATUS status;
> > -+
> > -+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> > -+ if (lp_ctx == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_open_global_db(lp_ctx);
> > -+ TALLOC_FREE(frame);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > - NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> > - const char *server_netbios_domain,
> > - const char *client_account,
> > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > -index 82e0923..3096c48 100644
> > ---- a/source3/rpc_client/cli_netlogon.h
> > -+++ b/source3/rpc_client/cli_netlogon.h
> > -@@ -37,6 +37,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > - const unsigned char machine_pwd[16],
> > - enum netr_SchannelType sec_chan_type,
> > - uint32_t *neg_flags_inout);
> > -+NTSTATUS rpccli_pre_open_netlogon_creds(void);
> > - NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> > - const char *server_netbios_domain,
> > - const char *client_account,
> > ---
> > -1.9.3
> > -
> > -
> > -From f4f7df785d1641f1e21ad8374140715fd41be07a Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 27 Aug 2013 14:07:43 +0200
> > -Subject: [PATCH 178/249] s3:rpc_client: remove unused
> > - rpccli_netlogon_sam_network_logon_ex()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit a07cc9a1c6ab8fee516e069a6f90bb48a7abf875)
> > ----
> > - source3/rpc_client/cli_netlogon.c | 27 ---------------------------
> > - source3/rpc_client/cli_netlogon.h | 12 ------------
> > - 2 files changed, 39 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index 9342fc3..253d060 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -524,33 +524,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > - return NT_STATUS_OK;
> > - }
> > -
> > --NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
> > -- TALLOC_CTX *mem_ctx,
> > -- uint32 logon_parameters,
> > -- const char *server,
> > -- const char *username,
> > -- const char *domain,
> > -- const char *workstation,
> > -- const uint8 chal[8],
> > -- uint16_t validation_level,
> > -- DATA_BLOB lm_response,
> > -- DATA_BLOB nt_response,
> > -- struct netr_SamInfo3 **info3)
> > --{
> > -- return rpccli_netlogon_sam_network_logon(cli,
> > -- mem_ctx,
> > -- logon_parameters,
> > -- server,
> > -- username,
> > -- domain,
> > -- workstation,
> > -- chal,
> > -- validation_level,
> > -- lm_response,
> > -- nt_response,
> > -- info3);
> > --}
> > --
> > - /*********************************************************
> > - Change the domain password on the PDC.
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > -index 3096c48..f10e5c7 100644
> > ---- a/source3/rpc_client/cli_netlogon.h
> > -+++ b/source3/rpc_client/cli_netlogon.h
> > -@@ -71,18 +71,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > - DATA_BLOB lm_response,
> > - DATA_BLOB nt_response,
> > - struct netr_SamInfo3 **info3);
> > --NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
> > -- TALLOC_CTX *mem_ctx,
> > -- uint32 logon_parameters,
> > -- const char *server,
> > -- const char *username,
> > -- const char *domain,
> > -- const char *workstation,
> > -- const uint8 chal[8],
> > -- uint16_t validation_level,
> > -- DATA_BLOB lm_response,
> > -- DATA_BLOB nt_response,
> > -- struct netr_SamInfo3 **info3);
> > - NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > - TALLOC_CTX *mem_ctx,
> > - const char *account_name,
> > ---
> > -1.9.3
> > -
> > -
> > -From b250859baf6c720e636c2435b0593af83acf6acc Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 27 Aug 2013 14:36:24 +0200
> > -Subject: [PATCH 179/249] s3:rpc_client: add rpccli_netlogon_network_logon()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 5196493c9e599b741417b119b48188ba0d646a37)
> > ----
> > - source3/rpc_client/cli_netlogon.c | 103 ++++++++++++++++++++++++++++++++++++++
> > - source3/rpc_client/cli_netlogon.h | 14 ++++++
> > - 2 files changed, 117 insertions(+)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index 253d060..e335423 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -524,6 +524,109 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > - return NT_STATUS_OK;
> > - }
> > -
> > -+NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > -+ struct dcerpc_binding_handle *binding_handle,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ uint32_t logon_parameters,
> > -+ const char *username,
> > -+ const char *domain,
> > -+ const char *workstation,
> > -+ const uint8 chal[8],
> > -+ DATA_BLOB lm_response,
> > -+ DATA_BLOB nt_response,
> > -+ uint8_t *authoritative,
> > -+ uint32_t *flags,
> > -+ struct netr_SamInfo3 **info3)
> > -+{
> > -+ NTSTATUS status;
> > -+ const char *workstation_name_slash;
> > -+ union netr_LogonLevel *logon = NULL;
> > -+ struct netr_NetworkInfo *network_info;
> > -+ uint16_t validation_level = 0;
> > -+ union netr_Validation *validation = NULL;
> > -+ uint8_t _authoritative = 0;
> > -+ uint32_t _flags = 0;
> > -+ struct netr_ChallengeResponse lm;
> > -+ struct netr_ChallengeResponse nt;
> > -+
> > -+ *info3 = NULL;
> > -+
> > -+ if (authoritative == NULL) {
> > -+ authoritative = &_authoritative;
> > -+ }
> > -+ if (flags == NULL) {
> > -+ flags = &_flags;
> > -+ }
> > -+
> > -+ ZERO_STRUCT(lm);
> > -+ ZERO_STRUCT(nt);
> > -+
> > -+ logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> > -+ if (!logon) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
> > -+ if (!network_info) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ if (workstation[0] != '\\' && workstation[1] != '\\') {
> > -+ workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
> > -+ } else {
> > -+ workstation_name_slash = workstation;
> > -+ }
> > -+
> > -+ if (!workstation_name_slash) {
> > -+ DEBUG(0, ("talloc_asprintf failed!\n"));
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ /* Initialise input parameters */
> > -+
> > -+ lm.data = lm_response.data;
> > -+ lm.length = lm_response.length;
> > -+ nt.data = nt_response.data;
> > -+ nt.length = nt_response.length;
> > -+
> > -+ network_info->identity_info.domain_name.string = domain;
> > -+ network_info->identity_info.parameter_control = logon_parameters;
> > -+ network_info->identity_info.logon_id_low = 0xdead;
> > -+ network_info->identity_info.logon_id_high = 0xbeef;
> > -+ network_info->identity_info.account_name.string = username;
> > -+ network_info->identity_info.workstation.string = workstation_name_slash;
> > -+
> > -+ memcpy(network_info->challenge, chal, 8);
> > -+ network_info->nt = nt;
> > -+ network_info->lm = lm;
> > -+
> > -+ logon->network = network_info;
> > -+
> > -+ /* Marshall data and send request */
> > -+
> > -+ status = netlogon_creds_cli_LogonSamLogon(creds,
> > -+ binding_handle,
> > -+ NetlogonNetworkInformation,
> > -+ logon,
> > -+ mem_ctx,
> > -+ &validation_level,
> > -+ &validation,
> > -+ authoritative,
> > -+ flags);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ status = map_validation_to_info3(mem_ctx,
> > -+ validation_level, validation,
> > -+ info3);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > - /*********************************************************
> > - Change the domain password on the PDC.
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > -index f10e5c7..54ed7ae 100644
> > ---- a/source3/rpc_client/cli_netlogon.h
> > -+++ b/source3/rpc_client/cli_netlogon.h
> > -@@ -26,6 +26,7 @@
> > - struct cli_state;
> > - struct messaging_context;
> > - struct netlogon_creds_cli_context;
> > -+struct dcerpc_binding_handle;
> > -
> > - /* The following definitions come from rpc_client/cli_netlogon.c */
> > -
> > -@@ -71,6 +72,19 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > - DATA_BLOB lm_response,
> > - DATA_BLOB nt_response,
> > - struct netr_SamInfo3 **info3);
> > -+NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > -+ struct dcerpc_binding_handle *binding_handle,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ uint32_t logon_parameters,
> > -+ const char *username,
> > -+ const char *domain,
> > -+ const char *workstation,
> > -+ const uint8 chal[8],
> > -+ DATA_BLOB lm_response,
> > -+ DATA_BLOB nt_response,
> > -+ uint8_t *authoritative,
> > -+ uint32_t *flags,
> > -+ struct netr_SamInfo3 **info3);
> > - NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > - TALLOC_CTX *mem_ctx,
> > - const char *account_name,
> > ---
> > -1.9.3
> > -
> > -
> > -From 2488e78fdf3058bf3a48c2086afd0f3248a43417 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 27 Aug 2013 14:56:06 +0200
> > -Subject: [PATCH 180/249] s3:rpc_client: add rpccli_netlogon_password_logon()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit b7dc3fb20468aa67ea7ddc1cea21fbe458e74565)
> > ----
> > - source3/rpc_client/cli_netlogon.c | 133 ++++++++++++++++++++++++++++++++++++++
> > - source3/rpc_client/cli_netlogon.h | 8 +++
> > - 2 files changed, 141 insertions(+)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index e335423..a9f8604 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -376,6 +376,139 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > - return NT_STATUS_OK;
> > - }
> > -
> > -+NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> > -+ struct dcerpc_binding_handle *binding_handle,
> > -+ uint32_t logon_parameters,
> > -+ const char *domain,
> > -+ const char *username,
> > -+ const char *password,
> > -+ const char *workstation,
> > -+ enum netr_LogonInfoClass logon_type)
> > -+{
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ NTSTATUS status;
> > -+ union netr_LogonLevel *logon;
> > -+ uint16_t validation_level = 0;
> > -+ union netr_Validation *validation = NULL;
> > -+ uint8_t authoritative = 0;
> > -+ uint32_t flags = 0;
> > -+ char *workstation_slash = NULL;
> > -+
> > -+ logon = talloc_zero(frame, union netr_LogonLevel);
> > -+ if (logon == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ if (workstation == NULL) {
> > -+ workstation = lp_netbios_name();
> > -+ }
> > -+
> > -+ workstation_slash = talloc_asprintf(frame, "\\\\%s", workstation);
> > -+ if (workstation_slash == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ /* Initialise input parameters */
> > -+
> > -+ switch (logon_type) {
> > -+ case NetlogonInteractiveInformation: {
> > -+
> > -+ struct netr_PasswordInfo *password_info;
> > -+
> > -+ struct samr_Password lmpassword;
> > -+ struct samr_Password ntpassword;
> > -+
> > -+ password_info = talloc_zero(frame, struct netr_PasswordInfo);
> > -+ if (password_info == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
> > -+
> > -+ password_info->identity_info.domain_name.string = domain;
> > -+ password_info->identity_info.parameter_control = logon_parameters;
> > -+ password_info->identity_info.logon_id_low = 0xdead;
> > -+ password_info->identity_info.logon_id_high = 0xbeef;
> > -+ password_info->identity_info.account_name.string = username;
> > -+ password_info->identity_info.workstation.string = workstation_slash;
> > -+
> > -+ password_info->lmpassword = lmpassword;
> > -+ password_info->ntpassword = ntpassword;
> > -+
> > -+ logon->password = password_info;
> > -+
> > -+ break;
> > -+ }
> > -+ case NetlogonNetworkInformation: {
> > -+ struct netr_NetworkInfo *network_info;
> > -+ uint8 chal[8];
> > -+ unsigned char local_lm_response[24];
> > -+ unsigned char local_nt_response[24];
> > -+ struct netr_ChallengeResponse lm;
> > -+ struct netr_ChallengeResponse nt;
> > -+
> > -+ ZERO_STRUCT(lm);
> > -+ ZERO_STRUCT(nt);
> > -+
> > -+ network_info = talloc_zero(frame, struct netr_NetworkInfo);
> > -+ if (network_info == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ generate_random_buffer(chal, 8);
> > -+
> > -+ SMBencrypt(password, chal, local_lm_response);
> > -+ SMBNTencrypt(password, chal, local_nt_response);
> > -+
> > -+ lm.length = 24;
> > -+ lm.data = local_lm_response;
> > -+
> > -+ nt.length = 24;
> > -+ nt.data = local_nt_response;
> > -+
> > -+ network_info->identity_info.domain_name.string = domain;
> > -+ network_info->identity_info.parameter_control = logon_parameters;
> > -+ network_info->identity_info.logon_id_low = 0xdead;
> > -+ network_info->identity_info.logon_id_high = 0xbeef;
> > -+ network_info->identity_info.account_name.string = username;
> > -+ network_info->identity_info.workstation.string = workstation_slash;
> > -+
> > -+ memcpy(network_info->challenge, chal, 8);
> > -+ network_info->nt = nt;
> > -+ network_info->lm = lm;
> > -+
> > -+ logon->network = network_info;
> > -+
> > -+ break;
> > -+ }
> > -+ default:
> > -+ DEBUG(0, ("switch value %d not supported\n",
> > -+ logon_type));
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_INVALID_INFO_CLASS;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_LogonSamLogon(creds,
> > -+ binding_handle,
> > -+ logon_type,
> > -+ logon,
> > -+ frame,
> > -+ &validation_level,
> > -+ &validation,
> > -+ &authoritative,
> > -+ &flags);
> > -+ TALLOC_FREE(frame);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > - static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> > - uint16_t validation_level,
> > - union netr_Validation *validation,
> > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > -index 54ed7ae..d4c6670 100644
> > ---- a/source3/rpc_client/cli_netlogon.h
> > -+++ b/source3/rpc_client/cli_netlogon.h
> > -@@ -60,6 +60,14 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > - const char *workstation,
> > - uint16_t validation_level,
> > - int logon_type);
> > -+NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> > -+ struct dcerpc_binding_handle *binding_handle,
> > -+ uint32_t logon_parameters,
> > -+ const char *domain,
> > -+ const char *username,
> > -+ const char *password,
> > -+ const char *workstation,
> > -+ enum netr_LogonInfoClass logon_type);
> > - NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > - TALLOC_CTX *mem_ctx,
> > - uint32 logon_parameters,
> > ---
> > -1.9.3
> > -
> > -
> > -From 10c272f991643913358efd5fefb28fc1ce307c70 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 17 Dec 2013 20:06:14 +0100
> > -Subject: [PATCH 181/249] s3:winbindd: call rpccli_pre_open_netlogon_creds() in
> > - the parent
> > -
> > -This opens the CLEAR_IF_FIRST tdb in the long living parent.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 07126b6fb22cebce660d1d1a4f0f9fb905064aa0)
> > ----
> > - source3/winbindd/winbindd.c | 8 ++++++++
> > - 1 file changed, 8 insertions(+)
> > -
> > -diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
> > -index 69a17bf..a90c8fe 100644
> > ---- a/source3/winbindd/winbindd.c
> > -+++ b/source3/winbindd/winbindd.c
> > -@@ -31,6 +31,7 @@
> > - #include "../librpc/gen_ndr/srv_lsa.h"
> > - #include "../librpc/gen_ndr/srv_samr.h"
> > - #include "secrets.h"
> > -+#include "rpc_client/cli_netlogon.h"
> > - #include "idmap.h"
> > - #include "lib/addrchange.h"
> > - #include "serverid.h"
> > -@@ -1538,6 +1539,13 @@ int main(int argc, char **argv, char **envp)
> > - return False;
> > - }
> > -
> > -+ status = rpccli_pre_open_netlogon_creds();
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ DEBUG(0, ("rpccli_pre_open_netlogon_creds() - %s\n",
> > -+ nt_errstr(status)));
> > -+ exit(1);
> > -+ }
> > -+
> > - /* Unblock all signals we are interested in as they may have been
> > - blocked by the parent process. */
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 4cb4ec2065f1f8b3598eb37ca24ce0f8fdf567aa Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 7 Aug 2013 11:32:44 +0200
> > -Subject: [PATCH 182/249] s3:winbindd: make use of
> > - rpccli_{create,setup}_netlogon_creds()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 22e4e2c1d1252e434cb928d4530c378a62a64138)
> > ----
> > - source3/winbindd/winbindd.h | 3 +
> > - source3/winbindd/winbindd_cm.c | 125 ++++++++++++++++++++---------------
> > - source3/winbindd/winbindd_dual_srv.c | 1 +
> > - 3 files changed, 77 insertions(+), 52 deletions(-)
> > -
> > -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
> > -index b5fc010..8f89e27 100644
> > ---- a/source3/winbindd/winbindd.h
> > -+++ b/source3/winbindd/winbindd.h
> > -@@ -116,6 +116,9 @@ struct winbindd_cm_conn {
> > - struct policy_handle lsa_policy;
> > -
> > - struct rpc_pipe_client *netlogon_pipe;
> > -+ struct netlogon_creds_cli_context *netlogon_creds;
> > -+ uint32_t netlogon_flags;
> > -+ bool netlogon_force_reauth;
> > - };
> > -
> > - /* Async child */
> > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > -index 1546002..7b6cc96 100644
> > ---- a/source3/winbindd/winbindd_cm.c
> > -+++ b/source3/winbindd/winbindd_cm.c
> > -@@ -79,6 +79,7 @@
> > - #include "auth/gensec/gensec.h"
> > - #include "../libcli/smb/smbXcli_base.h"
> > - #include "lib/param/loadparm.h"
> > -+#include "libcli/auth/netlogon_creds_cli.h"
> > -
> > - #undef DBGC_CLASS
> > - #define DBGC_CLASS DBGC_WINBIND
> > -@@ -1826,6 +1827,9 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
> > - }
> > -
> > - conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
> > -+ conn->netlogon_force_reauth = false;
> > -+ conn->netlogon_flags = 0;
> > -+ TALLOC_FREE(conn->netlogon_creds);
> > -
> > - if (conn->cli) {
> > - cli_shutdown(conn->cli);
> > -@@ -2292,8 +2296,18 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
> > - NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > - struct rpc_pipe_client *netlogon_pipe;
> > -
> > -- if (lp_client_schannel() == False) {
> > -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > -+ *ppdc = NULL;
> > -+
> > -+ if ((!IS_DC) && (!domain->primary)) {
> > -+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
> > -+ }
> > -+
> > -+ if (domain->conn.netlogon_creds != NULL) {
> > -+ if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > -+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
> > -+ }
> > -+ *ppdc = domain->conn.netlogon_creds;
> > -+ return NT_STATUS_OK;
> > - }
> > -
> > - result = cm_connect_netlogon(domain, &netlogon_pipe);
> > -@@ -2301,14 +2315,15 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
> > - return result;
> > - }
> > -
> > -- /* Return a pointer to the struct netlogon_creds_CredentialState from the
> > -- netlogon pipe. */
> > -+ if (domain->conn.netlogon_creds == NULL) {
> > -+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
> > -+ }
> > -
> > -- if (!domain->conn.netlogon_pipe->netlogon_creds) {
> > -- return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
> > -+ if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > -+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
> > - }
> > -
> > -- *ppdc = domain->conn.netlogon_pipe->netlogon_creds;
> > -+ *ppdc = domain->conn.netlogon_creds;
> > - return NT_STATUS_OK;
> > - }
> > -
> > -@@ -2747,14 +2762,16 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
> > - NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > - struct rpc_pipe_client **cli)
> > - {
> > -+ struct messaging_context *msg_ctx = winbind_messaging_context();
> > - struct winbindd_cm_conn *conn;
> > - NTSTATUS result;
> > --
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
> > -- uint8_t mach_pwd[16];
> > - enum netr_SchannelType sec_chan_type;
> > -+ const char *_account_name;
> > - const char *account_name;
> > -- struct rpc_pipe_client *netlogon_pipe = NULL;
> > -+ struct samr_Password current_nt_hash;
> > -+ struct samr_Password *previous_nt_hash = NULL;
> > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > -+ bool ok;
> > -
> > - *cli = NULL;
> > -
> > -@@ -2771,60 +2788,68 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > - }
> > -
> > - TALLOC_FREE(conn->netlogon_pipe);
> > --
> > -- result = cli_rpc_pipe_open_noauth(conn->cli,
> > -- &ndr_table_netlogon,
> > -- &netlogon_pipe);
> > -- if (!NT_STATUS_IS_OK(result)) {
> > -- return result;
> > -- }
> > -+ conn->netlogon_flags = 0;
> > -+ TALLOC_FREE(conn->netlogon_creds);
> > -
> > - if ((!IS_DC) && (!domain->primary)) {
> > -- /* Clear the schannel request bit and drop down */
> > -- neg_flags &= ~NETLOGON_NEG_SCHANNEL;
> > - goto no_schannel;
> > - }
> > -
> > -- if (lp_client_schannel() != False) {
> > -- neg_flags |= NETLOGON_NEG_SCHANNEL;
> > -+ ok = get_trust_pw_hash(domain->name,
> > -+ current_nt_hash.hash,
> > -+ &_account_name,
> > -+ &sec_chan_type);
> > -+ if (!ok) {
> > -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > - }
> > -
> > -- if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
> > -- &sec_chan_type))
> > -- {
> > -- TALLOC_FREE(netlogon_pipe);
> > -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > -+ account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
> > -+ if (account_name == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- result = rpccli_netlogon_setup_creds(
> > -- netlogon_pipe,
> > -- domain->dcname, /* server name. */
> > -- domain->name, /* domain name */
> > -- lp_netbios_name(), /* client name */
> > -- account_name, /* machine account */
> > -- mach_pwd, /* machine password */
> > -- sec_chan_type, /* from get_trust_pw */
> > -- &neg_flags);
> > -+ result = rpccli_create_netlogon_creds(domain->dcname,
> > -+ domain->name,
> > -+ account_name,
> > -+ sec_chan_type,
> > -+ msg_ctx,
> > -+ domain,
> > -+ &conn->netlogon_creds);
> > -+ if (!NT_STATUS_IS_OK(result)) {
> > -+ SAFE_FREE(previous_nt_hash);
> > -+ return result;
> > -+ }
> > -
> > -+ result = rpccli_setup_netlogon_creds(conn->cli,
> > -+ conn->netlogon_creds,
> > -+ conn->netlogon_force_reauth,
> > -+ current_nt_hash,
> > -+ previous_nt_hash);
> > -+ conn->netlogon_force_reauth = false;
> > -+ SAFE_FREE(previous_nt_hash);
> > - if (!NT_STATUS_IS_OK(result)) {
> > -- TALLOC_FREE(netlogon_pipe);
> > - return result;
> > - }
> > -
> > -- if ((lp_client_schannel() == True) &&
> > -- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
> > -- DEBUG(3, ("Server did not offer schannel\n"));
> > -- TALLOC_FREE(netlogon_pipe);
> > -- return NT_STATUS_ACCESS_DENIED;
> > -+ result = netlogon_creds_cli_get(conn->netlogon_creds,
> > -+ talloc_tos(),
> > -+ &creds);
> > -+ if (!NT_STATUS_IS_OK(result)) {
> > -+ return result;
> > - }
> > -+ conn->netlogon_flags = creds->negotiate_flags;
> > -+ TALLOC_FREE(creds);
> > -
> > - no_schannel:
> > -- if ((lp_client_schannel() == False) ||
> > -- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
> > -+ if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > -+ result = cli_rpc_pipe_open_noauth(conn->cli,
> > -+ &ndr_table_netlogon,
> > -+ &conn->netlogon_pipe);
> > -+ if (!NT_STATUS_IS_OK(result)) {
> > -+ invalidate_cm_connection(conn);
> > -+ return result;
> > -+ }
> > -
> > -- /* We're done - just keep the existing connection to NETLOGON
> > -- * open */
> > -- conn->netlogon_pipe = netlogon_pipe;
> > - *cli = conn->netlogon_pipe;
> > - return NT_STATUS_OK;
> > - }
> > -@@ -2837,12 +2862,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > - result = cli_rpc_pipe_open_schannel_with_key(
> > - conn->cli, &ndr_table_netlogon, NCACN_NP,
> > - domain->name,
> > -- netlogon_pipe->netlogon_creds,
> > -+ conn->netlogon_creds,
> > - &conn->netlogon_pipe);
> > --
> > -- /* We can now close the initial netlogon pipe. */
> > -- TALLOC_FREE(netlogon_pipe);
> > --
> > - if (!NT_STATUS_IS_OK(result)) {
> > - DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
> > - "was %s\n", nt_errstr(result)));
> > -diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
> > -index b873655..001591a 100644
> > ---- a/source3/winbindd/winbindd_dual_srv.c
> > -+++ b/source3/winbindd/winbindd_dual_srv.c
> > -@@ -580,6 +580,7 @@ NTSTATUS _wbint_CheckMachineAccount(struct pipes_struct *p,
> > -
> > - again:
> > - invalidate_cm_connection(&domain->conn);
> > -+ domain->conn.netlogon_force_reauth = true;
> > -
> > - {
> > - struct rpc_pipe_client *netlogon_pipe;
> > ---
> > -1.9.3
> > -
> > -
> > -From dc77edf0b74a88950f4de2472c05a73fcc629dc1 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 27 Aug 2013 13:07:45 +0200
> > -Subject: [PATCH 183/249] s3:auth_domain: simplify
> > - connect_to_domain_password_server()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit d9d55f5406949187901476d673c7d6ff0fc165c2)
> > ----
> > - source3/auth/auth_domain.c | 31 ++++++++++++-------------------
> > - 1 file changed, 12 insertions(+), 19 deletions(-)
> > -
> > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > -index 9f88c4a..ae27bf0 100644
> > ---- a/source3/auth/auth_domain.c
> > -+++ b/source3/auth/auth_domain.c
> > -@@ -47,16 +47,17 @@ static struct named_mutex *mutex;
> > - *
> > - **/
> > -
> > --static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> > -+static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > - const char *domain,
> > - const char *dc_name,
> > - const struct sockaddr_storage *dc_ss,
> > - struct rpc_pipe_client **pipe_ret)
> > - {
> > -- NTSTATUS result;
> > -+ NTSTATUS result;
> > -+ struct cli_state *cli = NULL;
> > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > -
> > -- *cli = NULL;
> > -+ *cli_ret = NULL;
> > -
> > - *pipe_ret = NULL;
> > -
> > -@@ -80,7 +81,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> > - }
> > -
> > - /* Attempt connection */
> > -- result = cli_full_connection(cli, lp_netbios_name(), dc_name, dc_ss, 0,
> > -+ result = cli_full_connection(&cli, lp_netbios_name(), dc_name, dc_ss, 0,
> > - "IPC$", "IPC", "", "", "", 0, SMB_SIGNING_DEFAULT);
> > -
> > - if (!NT_STATUS_IS_OK(result)) {
> > -@@ -89,11 +90,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> > - result = NT_STATUS_NO_LOGON_SERVERS;
> > - }
> > -
> > -- if (*cli) {
> > -- cli_shutdown(*cli);
> > -- *cli = NULL;
> > -- }
> > --
> > - TALLOC_FREE(mutex);
> > - return result;
> > - }
> > -@@ -115,18 +111,17 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> > - if (lp_client_schannel()) {
> > - /* We also setup the creds chain in the open_schannel call. */
> > - result = cli_rpc_pipe_open_schannel(
> > -- *cli, &ndr_table_netlogon, NCACN_NP,
> > -+ cli, &ndr_table_netlogon, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> > - } else {
> > - result = cli_rpc_pipe_open_noauth(
> > -- *cli, &ndr_table_netlogon, &netlogon_pipe);
> > -+ cli, &ndr_table_netlogon, &netlogon_pipe);
> > - }
> > -
> > - if (!NT_STATUS_IS_OK(result)) {
> > - DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
> > - machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > -- cli_shutdown(*cli);
> > -- *cli = NULL;
> > -+ cli_shutdown(cli);
> > - TALLOC_FREE(mutex);
> > - return result;
> > - }
> > -@@ -145,8 +140,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > - DEBUG(0, ("connect_to_domain_password_server: could not fetch "
> > - "trust account password for domain '%s'\n",
> > - domain));
> > -- cli_shutdown(*cli);
> > -- *cli = NULL;
> > -+ cli_shutdown(cli);
> > - TALLOC_FREE(mutex);
> > - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > - }
> > -@@ -161,8 +155,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > - &neg_flags);
> > -
> > - if (!NT_STATUS_IS_OK(result)) {
> > -- cli_shutdown(*cli);
> > -- *cli = NULL;
> > -+ cli_shutdown(cli);
> > - TALLOC_FREE(mutex);
> > - return result;
> > - }
> > -@@ -172,14 +165,14 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > - DEBUG(0, ("connect_to_domain_password_server: unable to open "
> > - "the domain client session to machine %s. Error "
> > - "was : %s.\n", dc_name, nt_errstr(result)));
> > -- cli_shutdown(*cli);
> > -- *cli = NULL;
> > -+ cli_shutdown(cli);
> > - TALLOC_FREE(mutex);
> > - return NT_STATUS_NO_LOGON_SERVERS;
> > - }
> > -
> > - /* We exit here with the mutex *locked*. JRA */
> > -
> > -+ *cli_ret = cli;
> > - *pipe_ret = netlogon_pipe;
> > -
> > - return NT_STATUS_OK;
> > ---
> > -1.9.3
> > -
> > -
> > -From 8fc2ffafd545dbc4af4c1ebab5fb631da18cade4 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 27 Aug 2013 15:01:10 +0200
> > -Subject: [PATCH 184/249] s3:auth_domain: make use of
> > - rpccli_{create,setup}_netlogon_creds()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 34e66780e573bebf4b971fb96e1ed8680c1488a9)
> > ----
> > - source3/auth/auth_domain.c | 136 ++++++++++++++++++++++++++++-----------------
> > - 1 file changed, 85 insertions(+), 51 deletions(-)
> > -
> > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > -index ae27bf0..bf2671c 100644
> > ---- a/source3/auth/auth_domain.c
> > -+++ b/source3/auth/auth_domain.c
> > -@@ -27,6 +27,7 @@
> > - #include "secrets.h"
> > - #include "passdb.h"
> > - #include "libsmb/libsmb.h"
> > -+#include "libcli/auth/netlogon_creds_cli.h"
> > -
> > - #undef DBGC_CLASS
> > - #define DBGC_CLASS DBGC_AUTH
> > -@@ -53,9 +54,20 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > - const struct sockaddr_storage *dc_ss,
> > - struct rpc_pipe_client **pipe_ret)
> > - {
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct messaging_context *msg_ctx = server_messaging_context();
> > - NTSTATUS result;
> > - struct cli_state *cli = NULL;
> > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > -+ uint32_t netlogon_flags = 0;
> > -+ enum netr_SchannelType sec_chan_type = 0;
> > -+ const char *_account_name = NULL;
> > -+ const char *account_name = NULL;
> > -+ struct samr_Password current_nt_hash;
> > -+ struct samr_Password *previous_nt_hash = NULL;
> > -+ bool ok;
> > -
> > - *cli_ret = NULL;
> > -
> > -@@ -77,6 +89,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > -
> > - mutex = grab_named_mutex(NULL, dc_name, 10);
> > - if (mutex == NULL) {
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_NO_LOGON_SERVERS;
> > - }
> > -
> > -@@ -91,6 +104,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > - }
> > -
> > - TALLOC_FREE(mutex);
> > -+ TALLOC_FREE(frame);
> > - return result;
> > - }
> > -
> > -@@ -98,67 +112,85 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > - * We now have an anonymous connection to IPC$ on the domain password server.
> > - */
> > -
> > -- /*
> > -- * Even if the connect succeeds we need to setup the netlogon
> > -- * pipe here. We do this as we may just have changed the domain
> > -- * account password on the PDC and yet we may be talking to
> > -- * a BDC that doesn't have this replicated yet. In this case
> > -- * a successful connect to a DC needs to take the netlogon connect
> > -- * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
> > -- */
> > -+ ok = get_trust_pw_hash(domain,
> > -+ current_nt_hash.hash,
> > -+ &_account_name,
> > -+ &sec_chan_type);
> > -+ if (!ok) {
> > -+ cli_shutdown(cli);
> > -+ TALLOC_FREE(mutex);
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > -+ }
> > -
> > -- /* open the netlogon pipe. */
> > -- if (lp_client_schannel()) {
> > -- /* We also setup the creds chain in the open_schannel call. */
> > -- result = cli_rpc_pipe_open_schannel(
> > -- cli, &ndr_table_netlogon, NCACN_NP,
> > -- DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> > -- } else {
> > -- result = cli_rpc_pipe_open_noauth(
> > -- cli, &ndr_table_netlogon, &netlogon_pipe);
> > -+ account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
> > -+ if (account_name == NULL) {
> > -+ cli_shutdown(cli);
> > -+ TALLOC_FREE(mutex);
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -+ result = rpccli_create_netlogon_creds(dc_name,
> > -+ domain,
> > -+ account_name,
> > -+ sec_chan_type,
> > -+ msg_ctx,
> > -+ talloc_tos(),
> > -+ &netlogon_creds);
> > - if (!NT_STATUS_IS_OK(result)) {
> > -- DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
> > --machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > - cli_shutdown(cli);
> > - TALLOC_FREE(mutex);
> > -+ TALLOC_FREE(frame);
> > -+ SAFE_FREE(previous_nt_hash);
> > - return result;
> > - }
> > -
> > -- if (!lp_client_schannel()) {
> > -- /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -- NETLOGON_NEG_SUPPORTS_AES;
> > -- enum netr_SchannelType sec_chan_type = 0;
> > -- unsigned char machine_pwd[16];
> > -- const char *account_name;
> > --
> > -- if (!get_trust_pw_hash(domain, machine_pwd, &account_name,
> > -- &sec_chan_type))
> > -- {
> > -- DEBUG(0, ("connect_to_domain_password_server: could not fetch "
> > -- "trust account password for domain '%s'\n",
> > -- domain));
> > -- cli_shutdown(cli);
> > -- TALLOC_FREE(mutex);
> > -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > -- }
> > -+ result = rpccli_setup_netlogon_creds(cli,
> > -+ netlogon_creds,
> > -+ false, /* force_reauth */
> > -+ current_nt_hash,
> > -+ previous_nt_hash);
> > -+ SAFE_FREE(previous_nt_hash);
> > -+ if (!NT_STATUS_IS_OK(result)) {
> > -+ cli_shutdown(cli);
> > -+ TALLOC_FREE(mutex);
> > -+ TALLOC_FREE(frame);
> > -+ return result;
> > -+ }
> > -
> > -- result = rpccli_netlogon_setup_creds(netlogon_pipe,
> > -- dc_name, /* server name */
> > -- domain, /* domain */
> > -- lp_netbios_name(), /* client name */
> > -- account_name, /* machine account name */
> > -- machine_pwd,
> > -- sec_chan_type,
> > -- &neg_flags);
> > --
> > -- if (!NT_STATUS_IS_OK(result)) {
> > -- cli_shutdown(cli);
> > -- TALLOC_FREE(mutex);
> > -- return result;
> > -- }
> > -+ result = netlogon_creds_cli_get(netlogon_creds,
> > -+ talloc_tos(),
> > -+ &creds);
> > -+ if (!NT_STATUS_IS_OK(result)) {
> > -+ cli_shutdown(cli);
> > -+ TALLOC_FREE(mutex);
> > -+ TALLOC_FREE(frame);
> > -+ return result;
> > -+ }
> > -+ netlogon_flags = creds->negotiate_flags;
> > -+ TALLOC_FREE(creds);
> > -+
> > -+ if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
> > -+ result = cli_rpc_pipe_open_schannel_with_key(
> > -+ cli, &ndr_table_netlogon, NCACN_NP,
> > -+ domain, netlogon_creds, &netlogon_pipe);
> > -+ } else {
> > -+ result = cli_rpc_pipe_open_noauth(cli,
> > -+ &ndr_table_netlogon,
> > -+ &netlogon_pipe);
> > -+ }
> > -+
> > -+ if (!NT_STATUS_IS_OK(result)) {
> > -+ DEBUG(0,("connect_to_domain_password_server: "
> > -+ "unable to open the domain client session to "
> > -+ "machine %s. Flags[0x%08X] Error was : %s.\n",
> > -+ dc_name, (unsigned)netlogon_flags,
> > -+ nt_errstr(result)));
> > -+ cli_shutdown(cli);
> > -+ TALLOC_FREE(mutex);
> > -+ TALLOC_FREE(frame);
> > -+ return result;
> > - }
> > -
> > - if(!netlogon_pipe) {
> > -@@ -167,6 +199,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > - "was : %s.\n", dc_name, nt_errstr(result)));
> > - cli_shutdown(cli);
> > - TALLOC_FREE(mutex);
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_NO_LOGON_SERVERS;
> > - }
> > -
> > -@@ -175,6 +208,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > - *cli_ret = cli;
> > - *pipe_ret = netlogon_pipe;
> > -
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_OK;
> > - }
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 5cc57e577bc7d144176ffe6f21ed24a95661a861 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 27 Aug 2013 15:02:26 +0200
> > -Subject: [PATCH 185/249] s3:auth_domain: make use of
> > - rpccli_netlogon_network_logon()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 531bbf3aff3fb08aaf112b21038f20544db60b69)
> > ----
> > - source3/auth/auth_domain.c | 36 ++++++++++++++++++++++--------------
> > - 1 file changed, 22 insertions(+), 14 deletions(-)
> > -
> > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > -index bf2671c..937841c 100644
> > ---- a/source3/auth/auth_domain.c
> > -+++ b/source3/auth/auth_domain.c
> > -@@ -52,7 +52,8 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > - const char *domain,
> > - const char *dc_name,
> > - const struct sockaddr_storage *dc_ss,
> > -- struct rpc_pipe_client **pipe_ret)
> > -+ struct rpc_pipe_client **pipe_ret,
> > -+ struct netlogon_creds_cli_context **creds_ret)
> > - {
> > - TALLOC_CTX *frame = talloc_stackframe();
> > - struct messaging_context *msg_ctx = server_messaging_context();
> > -@@ -72,6 +73,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > - *cli_ret = NULL;
> > -
> > - *pipe_ret = NULL;
> > -+ *creds_ret = NULL;
> > -
> > - /* TODO: Send a SAMLOGON request to determine whether this is a valid
> > - logonserver. We can avoid a 30-second timeout if the DC is down
> > -@@ -207,6 +209,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > -
> > - *cli_ret = cli;
> > - *pipe_ret = netlogon_pipe;
> > -+ *creds_ret = netlogon_creds;
> > -
> > - TALLOC_FREE(frame);
> > - return NT_STATUS_OK;
> > -@@ -230,8 +233,11 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
> > - struct netr_SamInfo3 *info3 = NULL;
> > - struct cli_state *cli = NULL;
> > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> > - NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS;
> > - int i;
> > -+ uint8_t authoritative = 0;
> > -+ uint32_t flags = 0;
> > -
> > - /*
> > - * At this point, smb_apasswd points to the lanman response to
> > -@@ -248,7 +254,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
> > - domain,
> > - dc_name,
> > - dc_ss,
> > -- &netlogon_pipe);
> > -+ &netlogon_pipe,
> > -+ &netlogon_creds);
> > - }
> > -
> > - if ( !NT_STATUS_IS_OK(nt_status) ) {
> > -@@ -268,18 +275,19 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
> > - * in the info3 structure.
> > - */
> > -
> > -- nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
> > -- mem_ctx,
> > -- user_info->logon_parameters, /* flags such as 'allow workstation logon' */
> > -- dc_name, /* server name */
> > -- user_info->client.account_name, /* user name logging on. */
> > -- user_info->client.domain_name, /* domain name */
> > -- user_info->workstation_name, /* workstation name */
> > -- chal, /* 8 byte challenge. */
> > -- 3, /* validation level */
> > -- user_info->password.response.lanman, /* lanman 24 byte response */
> > -- user_info->password.response.nt, /* nt 24 byte response */
> > -- &info3); /* info3 out */
> > -+ nt_status = rpccli_netlogon_network_logon(netlogon_creds,
> > -+ netlogon_pipe->binding_handle,
> > -+ mem_ctx,
> > -+ user_info->logon_parameters, /* flags such as 'allow workstation logon' */
> > -+ user_info->client.account_name, /* user name logging on. */
> > -+ user_info->client.domain_name, /* domain name */
> > -+ user_info->workstation_name, /* workstation name */
> > -+ chal, /* 8 byte challenge. */
> > -+ user_info->password.response.lanman, /* lanman 24 byte response */
> > -+ user_info->password.response.nt, /* nt 24 byte response */
> > -+ &authoritative,
> > -+ &flags,
> > -+ &info3); /* info3 out */
> > -
> > - /* Let go as soon as possible so we avoid any potential deadlocks
> > - with winbind lookup up users or groups. */
> > ---
> > -1.9.3
> > -
> > -
> > -From 5da4eca4d30b3894426a4f7cb0512ae61c097cbc Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 2 Sep 2013 19:32:23 +0200
> > -Subject: [PATCH 186/249] s3:libnet_join: make use of
> > - rpccli_{create,setup}_netlogon_creds()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 963800539cea7487fc6258f8ac8f7cacc3426b83)
> > ----
> > - source3/libnet/libnet_join.c | 110 +++++++++++++++++++++++++++++++------------
> > - source3/libnet/libnet_join.h | 5 +-
> > - source3/utils/net_rpc.c | 4 +-
> > - 3 files changed, 86 insertions(+), 33 deletions(-)
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index b2805ee..6e653c3 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -40,6 +40,8 @@
> > - #include "libsmb/libsmb.h"
> > - #include "../libcli/smb/smbXcli_base.h"
> > - #include "lib/param/loadparm.h"
> > -+#include "libcli/auth/netlogon_creds_cli.h"
> > -+#include "auth/credentials/credentials.h"
> > -
> > - /****************************************************************
> > - ****************************************************************/
> > -@@ -1189,38 +1191,52 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
> > - /****************************************************************
> > - ****************************************************************/
> > -
> > --NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > -- const char *machine_name,
> > -+NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
> > -+ const char *netbios_domain_name,
> > - const char *dc_name,
> > - const bool use_kerberos)
> > - {
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -- NETLOGON_NEG_SUPPORTS_AES;
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > - struct cli_state *cli = NULL;
> > -- struct rpc_pipe_client *pipe_hnd = NULL;
> > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > -+ uint32_t netlogon_flags = 0;
> > -+ enum netr_SchannelType sec_chan_type = 0;
> > - NTSTATUS status;
> > - char *machine_password = NULL;
> > -- char *machine_account = NULL;
> > -+ const char *machine_name = NULL;
> > -+ const char *machine_account = NULL;
> > - int flags = 0;
> > -+ struct samr_Password current_nt_hash;
> > -+ struct samr_Password *previous_nt_hash = NULL;
> > -+ bool ok;
> > -
> > - if (!dc_name) {
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_INVALID_PARAMETER;
> > - }
> > -
> > - if (!secrets_init()) {
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > - }
> > -
> > -- machine_password = secrets_fetch_machine_password(netbios_domain_name,
> > -- NULL, NULL);
> > -- if (!machine_password) {
> > -- return NT_STATUS_NO_TRUST_LSA_SECRET;
> > -+ ok = get_trust_pw_clear(netbios_domain_name,
> > -+ &machine_password,
> > -+ &machine_name,
> > -+ &sec_chan_type);
> > -+ if (!ok) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > - }
> > -
> > -- if (asprintf(&machine_account, "%s$", machine_name) == -1) {
> > -+ machine_account = talloc_asprintf(frame, "%s$", machine_name);
> > -+ if (machine_account == NULL) {
> > - SAFE_FREE(machine_password);
> > -- return NT_STATUS_NO_MEMORY;
> > -+ SAFE_FREE(previous_nt_hash);
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > - }
> > -
> > - if (use_kerberos) {
> > -@@ -1232,12 +1248,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > - NULL, 0,
> > - "IPC$", "IPC",
> > - machine_account,
> > -- NULL,
> > -+ netbios_domain_name,
> > - machine_password,
> > - flags,
> > - SMB_SIGNING_DEFAULT);
> > -- free(machine_account);
> > -- free(machine_password);
> > -+
> > -+ E_md4hash(machine_password, current_nt_hash.hash);
> > -+ SAFE_FREE(machine_password);
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > - status = cli_full_connection(&cli, NULL,
> > -@@ -1252,36 +1269,65 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > - }
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > -+ SAFE_FREE(previous_nt_hash);
> > -+ TALLOC_FREE(frame);
> > - return status;
> > - }
> > -
> > -- status = get_schannel_session_key(cli, netbios_domain_name,
> > -- &neg_flags, &netlogon_pipe);
> > -+ status = rpccli_create_netlogon_creds(dc_name,
> > -+ netbios_domain_name,
> > -+ machine_account,
> > -+ sec_chan_type,
> > -+ msg_ctx,
> > -+ frame,
> > -+ &netlogon_creds);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
> > -- cli_shutdown(cli);
> > -- return NT_STATUS_OK;
> > -- }
> > -+ SAFE_FREE(previous_nt_hash);
> > -+ cli_shutdown(cli);
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -
> > -- DEBUG(0,("libnet_join_ok: failed to get schannel session "
> > -- "key from server %s for domain %s. Error was %s\n",
> > -- smbXcli_conn_remote_name(cli->conn),
> > -- netbios_domain_name, nt_errstr(status)));
> > -+ status = rpccli_setup_netlogon_creds(cli,
> > -+ netlogon_creds,
> > -+ true, /* force_reauth */
> > -+ current_nt_hash,
> > -+ previous_nt_hash);
> > -+ SAFE_FREE(previous_nt_hash);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ DEBUG(0,("connect_to_domain_password_server: "
> > -+ "unable to open the domain client session to "
> > -+ "machine %s. Flags[0x%08X] Error was : %s.\n",
> > -+ dc_name, (unsigned)netlogon_flags,
> > -+ nt_errstr(status)));
> > -+ cli_shutdown(cli);
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_get(netlogon_creds,
> > -+ talloc_tos(),
> > -+ &creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > - cli_shutdown(cli);
> > -+ TALLOC_FREE(frame);
> > - return status;
> > - }
> > -+ netlogon_flags = creds->negotiate_flags;
> > -+ TALLOC_FREE(creds);
> > -
> > -- if (!lp_client_schannel()) {
> > -+ if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > - cli_shutdown(cli);
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_OK;
> > - }
> > -
> > - status = cli_rpc_pipe_open_schannel_with_key(
> > - cli, &ndr_table_netlogon, NCACN_NP,
> > - netbios_domain_name,
> > -- netlogon_pipe->netlogon_creds, &pipe_hnd);
> > -+ netlogon_creds, &netlogon_pipe);
> > -
> > -- cli_shutdown(cli);
> > -+ TALLOC_FREE(netlogon_pipe);
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(0,("libnet_join_ok: failed to open schannel session "
> > -@@ -1289,9 +1335,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > - "Error was %s\n",
> > - smbXcli_conn_remote_name(cli->conn),
> > - netbios_domain_name, nt_errstr(status)));
> > -+ cli_shutdown(cli);
> > -+ TALLOC_FREE(frame);
> > - return status;
> > - }
> > -
> > -+ cli_shutdown(cli);
> > -+ TALLOC_FREE(frame);
> > - return NT_STATUS_OK;
> > - }
> > -
> > -@@ -1303,8 +1353,8 @@ static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
> > - {
> > - NTSTATUS status;
> > -
> > -- status = libnet_join_ok(r->out.netbios_domain_name,
> > -- r->in.machine_name,
> > -+ status = libnet_join_ok(r->in.msg_ctx,
> > -+ r->out.netbios_domain_name,
> > - r->in.dc_name,
> > - r->in.use_kerberos);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -diff --git a/source3/libnet/libnet_join.h b/source3/libnet/libnet_join.h
> > -index 58c33b2..b7e2f0b 100644
> > ---- a/source3/libnet/libnet_join.h
> > -+++ b/source3/libnet/libnet_join.h
> > -@@ -23,8 +23,9 @@
> > -
> > - /* The following definitions come from libnet/libnet_join.c */
> > -
> > --NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > -- const char *machine_name,
> > -+struct messaging_context;
> > -+NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
> > -+ const char *netbios_domain_name,
> > - const char *dc_name,
> > - const bool use_kerberos);
> > - WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
> > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > -index dff8801..9de74c0 100644
> > ---- a/source3/utils/net_rpc.c
> > -+++ b/source3/utils/net_rpc.c
> > -@@ -493,7 +493,9 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> > - }
> > -
> > - /* Display success or failure */
> > -- status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
> > -+ status = libnet_join_ok(c->msg_ctx,
> > -+ c->opt_workgroup,
> > -+ dc,
> > - c->opt_kerberos);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
> > ---
> > -1.9.3
> > -
> > -
> > -From 0da8c0a71d08de50b614e5df69a61e00d0a9cd99 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 5 Sep 2013 20:57:02 +0200
> > -Subject: [PATCH 187/249] s3:libnet: use rpccli_{create,setup}_netlogon_creds()
> > - in libnet_join_joindomain_rpc_unsecure
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 3a89eee03a95d4b142bf0830f40debc75bfa2e26)
> > ----
> > - source3/libnet/libnet_join.c | 66 ++++++++++++++++++++++++++++++++++----------
> > - 1 file changed, 51 insertions(+), 15 deletions(-)
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index 6e653c3..a87eb38 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -817,14 +817,17 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> > - struct libnet_JoinCtx *r,
> > - struct cli_state *cli)
> > - {
> > -- struct rpc_pipe_client *pipe_hnd = NULL;
> > -- unsigned char orig_trust_passwd_hash[16];
> > -- unsigned char new_trust_passwd_hash[16];
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct rpc_pipe_client *netlogon_pipe = NULL;
> > -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> > -+ struct samr_Password current_nt_hash;
> > -+ const char *account_name = NULL;
> > - NTSTATUS status;
> > -
> > - status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > -- &pipe_hnd);
> > -+ &netlogon_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > - return status;
> > - }
> > -
> > -@@ -832,22 +835,55 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> > - r->in.machine_password = generate_random_password(mem_ctx,
> > - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
> > - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
> > -- NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
> > -+ if (r->in.machine_password == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > - }
> > -
> > -- E_md4hash(r->in.machine_password, new_trust_passwd_hash);
> > --
> > - /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
> > -- E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
> > -+ E_md4hash(r->in.admin_password, current_nt_hash.hash);
> > -
> > -- status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
> > -- r->in.machine_name,
> > -- orig_trust_passwd_hash,
> > -- r->in.machine_password,
> > -- new_trust_passwd_hash,
> > -- r->in.secure_channel_type);
> > -+ account_name = talloc_asprintf(frame, "%s$",
> > -+ r->in.machine_name);
> > -+ if (account_name == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -
> > -- return status;
> > -+ status = rpccli_create_netlogon_creds(netlogon_pipe->desthost,
> > -+ r->in.domain_name,
> > -+ account_name,
> > -+ r->in.secure_channel_type,
> > -+ r->in.msg_ctx,
> > -+ frame,
> > -+ &netlogon_creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+
> > -+ status = rpccli_setup_netlogon_creds(cli,
> > -+ netlogon_creds,
> > -+ true, /* force_reauth */
> > -+ current_nt_hash,
> > -+ NULL); /* previous_nt_hash */
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_ServerPasswordSet(netlogon_creds,
> > -+ netlogon_pipe->binding_handle,
> > -+ r->in.machine_password,
> > -+ NULL); /* new_version */
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_OK;
> > - }
> > -
> > - /****************************************************************
> > ---
> > -1.9.3
> > -
> > -
> > -From 9d192bc1d2dd06efada55792203aaed58b349ab9 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 11 Sep 2013 10:06:41 +0200
> > -Subject: [PATCH 188/249] s3:rpc_client: use
> > - rpccli_{create,setup}_netlogon_creds() in cli_rpc_pipe_open_schannel()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 94caf7e190563423914b653d0c2fc4a4abf1f899)
> > ----
> > - source3/rpc_client/cli_pipe.h | 7 --
> > - source3/rpc_client/cli_pipe_schannel.c | 162 ++++++++++++++-------------------
> > - 2 files changed, 66 insertions(+), 103 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index c21c55d..2a76130 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -109,13 +109,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> > - struct rpc_pipe_client *cli,
> > - DATA_BLOB *session_key);
> > -
> > --/* The following definitions come from rpc_client/cli_pipe_schannel.c */
> > --
> > --NTSTATUS get_schannel_session_key(struct cli_state *cli,
> > -- const char *domain,
> > -- uint32 *pneg_flags,
> > -- struct rpc_pipe_client **presult);
> > --
> > - #endif /* _CLI_PIPE_H */
> > -
> > - /* vim: set ts=8 sw=8 noet cindent ft=c.doxygen: */
> > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > -index 8f9161f..1fcf62e 100644
> > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > -@@ -23,67 +23,15 @@
> > - #include "../libcli/auth/schannel.h"
> > - #include "rpc_client/cli_netlogon.h"
> > - #include "rpc_client/cli_pipe.h"
> > --#include "librpc/gen_ndr/ndr_dcerpc.h"
> > - #include "librpc/rpc/dcerpc.h"
> > - #include "passdb.h"
> > - #include "libsmb/libsmb.h"
> > --#include "auth/gensec/gensec.h"
> > - #include "../libcli/smb/smbXcli_base.h"
> > -+#include "libcli/auth/netlogon_creds_cli.h"
> > -
> > - #undef DBGC_CLASS
> > - #define DBGC_CLASS DBGC_RPC_CLI
> > -
> > --
> > --/****************************************************************************
> > -- Get a the schannel session key out of an already opened netlogon pipe.
> > -- ****************************************************************************/
> > --static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
> > -- struct cli_state *cli,
> > -- const char *domain,
> > -- uint32 *pneg_flags)
> > --{
> > -- enum netr_SchannelType sec_chan_type = 0;
> > -- unsigned char machine_pwd[16];
> > -- const char *machine_account;
> > -- NTSTATUS status;
> > --
> > -- /* Get the machine account credentials from secrets.tdb. */
> > -- if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
> > -- &sec_chan_type))
> > -- {
> > -- DEBUG(0, ("get_schannel_session_key: could not fetch "
> > -- "trust account password for domain '%s'\n",
> > -- domain));
> > -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > -- }
> > --
> > -- status = rpccli_netlogon_setup_creds(netlogon_pipe,
> > -- smbXcli_conn_remote_name(cli->conn), /* server name */
> > -- domain, /* domain */
> > -- lp_netbios_name(), /* client name */
> > -- machine_account, /* machine account name */
> > -- machine_pwd,
> > -- sec_chan_type,
> > -- pneg_flags);
> > --
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(3, ("get_schannel_session_key_common: "
> > -- "rpccli_netlogon_setup_creds failed with result %s "
> > -- "to server %s, domain %s, machine account %s.\n",
> > -- nt_errstr(status), smbXcli_conn_remote_name(cli->conn), domain,
> > -- machine_account ));
> > -- return status;
> > -- }
> > --
> > -- if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
> > -- DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
> > -- smbXcli_conn_remote_name(cli->conn)));
> > -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > -- }
> > --
> > -- return NT_STATUS_OK;
> > --}
> > --
> > - /****************************************************************************
> > - Open a named pipe to an SMB server and bind using schannel (bind type 68).
> > - Fetch the session key ourselves using a temporary netlogon pipe.
> > -@@ -96,63 +44,85 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > - const char *domain,
> > - struct rpc_pipe_client **presult)
> > - {
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -- NETLOGON_NEG_SUPPORTS_AES;
> > -- struct rpc_pipe_client *netlogon_pipe = NULL;
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct messaging_context *msg_ctx = NULL;
> > -+ const char *dc_name = smbXcli_conn_remote_name(cli->conn);
> > - struct rpc_pipe_client *result = NULL;
> > - NTSTATUS status;
> > -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > -+ uint32_t netlogon_flags = 0;
> > -+ enum netr_SchannelType sec_chan_type = 0;
> > -+ const char *_account_name = NULL;
> > -+ const char *account_name = NULL;
> > -+ struct samr_Password current_nt_hash;
> > -+ struct samr_Password *previous_nt_hash = NULL;
> > -+ bool ok;
> > -+
> > -+ ok = get_trust_pw_hash(domain,
> > -+ current_nt_hash.hash,
> > -+ &_account_name,
> > -+ &sec_chan_type);
> > -+ if (!ok) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > -+ }
> > -+
> > -+ account_name = talloc_asprintf(frame, "%s$", _account_name);
> > -+ if (account_name == NULL) {
> > -+ SAFE_FREE(previous_nt_hash);
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ status = rpccli_create_netlogon_creds(dc_name,
> > -+ domain,
> > -+ account_name,
> > -+ sec_chan_type,
> > -+ msg_ctx,
> > -+ frame,
> > -+ &netlogon_creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ SAFE_FREE(previous_nt_hash);
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -
> > -- status = get_schannel_session_key(cli, domain, &neg_flags,
> > -- &netlogon_pipe);
> > -+ status = rpccli_setup_netlogon_creds(cli,
> > -+ netlogon_creds,
> > -+ false, /* force_reauth */
> > -+ current_nt_hash,
> > -+ previous_nt_hash);
> > -+ SAFE_FREE(previous_nt_hash);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
> > -- "key from server %s for domain %s.\n",
> > -- smbXcli_conn_remote_name(cli->conn), domain ));
> > -+ TALLOC_FREE(frame);
> > - return status;
> > - }
> > -
> > -+ status = netlogon_creds_cli_get(netlogon_creds,
> > -+ frame,
> > -+ &creds);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+ netlogon_flags = creds->negotiate_flags;
> > -+ TALLOC_FREE(creds);
> > -+
> > -+ if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_DOWNGRADE_DETECTED;
> > -+ }
> > -+
> > - status = cli_rpc_pipe_open_schannel_with_key(
> > - cli, table, transport, domain,
> > -- netlogon_pipe->netlogon_creds,
> > -+ netlogon_creds,
> > - &result);
> > -
> > -- /* Now we've bound using the session key we can close the netlog pipe. */
> > -- TALLOC_FREE(netlogon_pipe);
> > --
> > - if (NT_STATUS_IS_OK(status)) {
> > - *presult = result;
> > - }
> > -
> > -+ TALLOC_FREE(frame);
> > - return status;
> > - }
> > --
> > --/****************************************************************************
> > -- Open a netlogon pipe and get the schannel session key.
> > -- Now exposed to external callers.
> > -- ****************************************************************************/
> > --
> > --
> > --NTSTATUS get_schannel_session_key(struct cli_state *cli,
> > -- const char *domain,
> > -- uint32 *pneg_flags,
> > -- struct rpc_pipe_client **presult)
> > --{
> > -- struct rpc_pipe_client *netlogon_pipe = NULL;
> > -- NTSTATUS status;
> > --
> > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > -- &netlogon_pipe);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > --
> > -- status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
> > -- pneg_flags);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- TALLOC_FREE(netlogon_pipe);
> > -- return status;
> > -- }
> > --
> > -- *presult = netlogon_pipe;
> > -- return NT_STATUS_OK;
> > --}
> > ---
> > -1.9.3
> > -
> > -
> > -From 5fba6641f79a14c208c5947886c005a87b9f3256 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 18:24:44 +0200
> > -Subject: [PATCH 189/249] s3:rpcclient: add rpcclient_msg_ctx
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit a1c468e1d75d490f0e531feb08188ddc3f0d77b5)
> > ----
> > - source3/rpcclient/rpcclient.c | 5 +++++
> > - source3/rpcclient/rpcclient.h | 2 ++
> > - 2 files changed, 7 insertions(+)
> > -
> > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > -index 0cbec20..39bf613 100644
> > ---- a/source3/rpcclient/rpcclient.c
> > -+++ b/source3/rpcclient/rpcclient.c
> > -@@ -33,6 +33,7 @@
> > - #include "libsmb/libsmb.h"
> > - #include "auth/gensec/gensec.h"
> > - #include "../libcli/smb/smbXcli_base.h"
> > -+#include "messages.h"
> > -
> > - enum pipe_auth_type_spnego {
> > - PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
> > -@@ -48,6 +49,7 @@ static enum dcerpc_AuthLevel pipe_default_auth_level = DCERPC_AUTH_LEVEL_NONE;
> > - static unsigned int timeout = 0;
> > - static enum dcerpc_transport_t default_transport = NCACN_NP;
> > -
> > -+struct messaging_context *rpcclient_msg_ctx;
> > - struct user_auth_info *rpcclient_auth_info;
> > -
> > - /* List to hold groups of commands.
> > -@@ -985,6 +987,9 @@ out_free:
> > - /* We must load interfaces after we load the smb.conf */
> > - load_interfaces();
> > -
> > -+ rpcclient_msg_ctx = messaging_init(talloc_autofree_context(),
> > -+ samba_tevent_context_init(talloc_autofree_context()));
> > -+
> > - /*
> > - * Get password
> > - * from stdin if necessary
> > -diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
> > -index 762c54a..219da2a 100644
> > ---- a/source3/rpcclient/rpcclient.h
> > -+++ b/source3/rpcclient/rpcclient.h
> > -@@ -41,4 +41,6 @@ struct cmd_set {
> > - const char *usage;
> > - };
> > -
> > -+extern struct messaging_context *rpcclient_msg_ctx;
> > -+
> > - #endif /* RPCCLIENT_H */
> > ---
> > -1.9.3
> > -
> > -
> > -From c6e02d60ef12431cd1a5615fcf514548e86d6dc8 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 18:29:30 +0200
> > -Subject: [PATCH 190/249] s3:rpcclient: add rpcclient_netlogon_creds
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 1696b127c61fea76fce3d992632a822ed78de07c)
> > ----
> > - source3/rpcclient/rpcclient.c | 3 +++
> > - source3/rpcclient/rpcclient.h | 1 +
> > - 2 files changed, 4 insertions(+)
> > -
> > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > -index 39bf613..a875ff5 100644
> > ---- a/source3/rpcclient/rpcclient.c
> > -+++ b/source3/rpcclient/rpcclient.c
> > -@@ -51,6 +51,7 @@ static enum dcerpc_transport_t default_transport = NCACN_NP;
> > -
> > - struct messaging_context *rpcclient_msg_ctx;
> > - struct user_auth_info *rpcclient_auth_info;
> > -+struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
> > -
> > - /* List to hold groups of commands.
> > - *
> > -@@ -797,6 +798,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - }
> > - }
> > -
> > -+ rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
> > -+
> > - /* Run command */
> > -
> > - if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
> > -diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
> > -index 219da2a..9288249 100644
> > ---- a/source3/rpcclient/rpcclient.h
> > -+++ b/source3/rpcclient/rpcclient.h
> > -@@ -42,5 +42,6 @@ struct cmd_set {
> > - };
> > -
> > - extern struct messaging_context *rpcclient_msg_ctx;
> > -+extern struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
> > -
> > - #endif /* RPCCLIENT_H */
> > ---
> > -1.9.3
> > -
> > -
> > -From 849cb578d3aa38e7d6508353914d39501cd6b2c8 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 18:57:09 +0200
> > -Subject: [PATCH 191/249] s3:rpcclient: remove unused
> > - rpccli_netlogon_setup_creds() from cmd_netlogon_database_redo()
> > -
> > -rpccli_netlogon_setup_creds() is already called in the main do_cmd()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit fb13b002d599049f229d2014e1b94f82952b7150)
> > ----
> > - source3/rpcclient/cmd_netlogon.c | 21 +--------------------
> > - 1 file changed, 1 insertion(+), 20 deletions(-)
> > -
> > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > -index 2e0b5e5..8a865a9 100644
> > ---- a/source3/rpcclient/cmd_netlogon.c
> > -+++ b/source3/rpcclient/cmd_netlogon.c
> > -@@ -1141,12 +1141,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > - NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
> > - NTSTATUS result;
> > - const char *server_name = cli->desthost;
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -- NETLOGON_NEG_SUPPORTS_AES;
> > - struct netr_Authenticator clnt_creds, srv_cred;
> > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > -- unsigned char trust_passwd_hash[16];
> > -- enum netr_SchannelType sec_channel_type = 0;
> > - struct netr_ChangeLogEntry e;
> > - uint32_t rid = 500;
> > - struct dcerpc_binding_handle *b = cli->binding_handle;
> > -@@ -1161,25 +1157,10 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > - sscanf(argv[1], "%d", &rid);
> > - }
> > -
> > -- if (!secrets_fetch_trust_account_password(lp_workgroup(),
> > -- trust_passwd_hash,
> > -- NULL, &sec_channel_type)) {
> > -+ if (cli->netlogon_creds == NULL) {
> > - return NT_STATUS_UNSUCCESSFUL;
> > - }
> > -
> > -- status = rpccli_netlogon_setup_creds(cli,
> > -- server_name, /* server name */
> > -- lp_workgroup(), /* domain */
> > -- lp_netbios_name(), /* client name */
> > -- lp_netbios_name(), /* machine account name */
> > -- trust_passwd_hash,
> > -- sec_channel_type,
> > -- &neg_flags);
> > --
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > --
> > - status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > - mem_ctx, &creds);
> > - if (!NT_STATUS_IS_OK(status)) {
> > ---
> > -1.9.3
> > -
> > -
> > -From df5ce2ceb4c41e2a952cd9f011626028f8d230ff Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 19:00:22 +0200
> > -Subject: [PATCH 192/249] s3:rpcclient: make use of rpcclient_netlogon_creds
> > - instead of cli->netlogon_creds
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 3bf77812e80b50f254af64e4935301719f78987e)
> > ----
> > - source3/rpcclient/cmd_netlogon.c | 22 +++++++++++++++++-----
> > - 1 file changed, 17 insertions(+), 5 deletions(-)
> > -
> > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > -index 8a865a9..59e1e4e 100644
> > ---- a/source3/rpcclient/cmd_netlogon.c
> > -+++ b/source3/rpcclient/cmd_netlogon.c
> > -@@ -633,7 +633,11 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
> > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > - struct netlogon_creds_CredentialState *creds = NULL;
> > -
> > -- status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > -+ if (rpcclient_netlogon_creds == NULL) {
> > -+ return NT_STATUS_UNSUCCESSFUL;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
> > - mem_ctx, &creds);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > -@@ -712,7 +716,11 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
> > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > - struct netlogon_creds_CredentialState *creds = NULL;
> > -
> > -- status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > -+ if (rpcclient_netlogon_creds == NULL) {
> > -+ return NT_STATUS_UNSUCCESSFUL;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
> > - mem_ctx, &creds);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > -@@ -1157,11 +1165,11 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > - sscanf(argv[1], "%d", &rid);
> > - }
> > -
> > -- if (cli->netlogon_creds == NULL) {
> > -+ if (rpcclient_netlogon_creds == NULL) {
> > - return NT_STATUS_UNSUCCESSFUL;
> > - }
> > -
> > -- status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > -+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
> > - mem_ctx, &creds);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > -@@ -1223,7 +1231,11 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
> > -
> > - ZERO_STRUCT(return_authenticator);
> > -
> > -- status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > -+ if (rpcclient_netlogon_creds == NULL) {
> > -+ return NT_STATUS_UNSUCCESSFUL;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
> > - mem_ctx, &creds);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > ---
> > -1.9.3
> > -
> > -
> > -From 4e9d9abc0bae5ca08c3a91cc5d1b2bacffc6cbfc Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 19:59:11 +0200
> > -Subject: [PATCH 193/249] s3:net_rpc: add net_context->netlogon_creds
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit d1340c20b0900f54e2c73c4a363f45988b1ba097)
> > ----
> > - source3/utils/net.h | 1 +
> > - source3/utils/net_rpc.c | 1 +
> > - 2 files changed, 2 insertions(+)
> > -
> > -diff --git a/source3/utils/net.h b/source3/utils/net.h
> > -index e97734a..ce19c57 100644
> > ---- a/source3/utils/net.h
> > -+++ b/source3/utils/net.h
> > -@@ -90,6 +90,7 @@ struct net_context {
> > - bool smb_encrypt;
> > - struct libnetapi_ctx *netapi_ctx;
> > - struct messaging_context *msg_ctx;
> > -+ struct netlogon_creds_cli_context *netlogon_creds;
> > -
> > - bool display_usage;
> > - void *private_data;
> > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > -index 9de74c0..3bf3f30 100644
> > ---- a/source3/utils/net_rpc.c
> > -+++ b/source3/utils/net_rpc.c
> > -@@ -201,6 +201,7 @@ int run_rpc_command(struct net_context *c,
> > - nt_errstr(nt_status) ));
> > - goto fail;
> > - }
> > -+ c->netlogon_creds = pipe_hnd->netlogon_creds;
> > - } else {
> > - if (conn_flags & NET_FLAGS_SEAL) {
> > - nt_status = cli_rpc_pipe_open_generic_auth(
> > ---
> > -1.9.3
> > -
> > -
> > -From 7a4535c1e61de498230abd1f99bfe875ae59c2e0 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sun, 15 Sep 2013 13:19:52 +0200
> > -Subject: [PATCH 194/249] s3:libsmb: add trust_pw_change()
> > -
> > -This protects the password change using a domain specific g_lock,
> > -so multiple parts 'net rpc', 'rpcclient', 'winbindd', 'wbinfo --change-secret'
> > -even on multiple cluster nodes doesn't race anymore.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 16c6e4992fa882207eeaff0a1c4d9fe217be48b7)
> > ----
> > - source3/include/proto.h | 8 ++
> > - source3/libsmb/trusts_util.c | 179 +++++++++++++++++++++++++++++++++++++++++++
> > - 2 files changed, 187 insertions(+)
> > -
> > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > -index 216a377..edda119 100644
> > ---- a/source3/include/proto.h
> > -+++ b/source3/include/proto.h
> > -@@ -984,6 +984,14 @@ void update_trustdom_cache( void );
> > - NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > - TALLOC_CTX *mem_ctx,
> > - const char *domain) ;
> > -+struct netlogon_creds_cli_context;
> > -+struct messaging_context;
> > -+struct dcerpc_binding_handle;
> > -+NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
> > -+ struct messaging_context *msg_ctx,
> > -+ struct dcerpc_binding_handle *b,
> > -+ const char *domain,
> > -+ bool force);
> > -
> > - /* The following definitions come from param/loadparm.c */
> > -
> > -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> > -index 52fb481..b1bc006 100644
> > ---- a/source3/libsmb/trusts_util.c
> > -+++ b/source3/libsmb/trusts_util.c
> > -@@ -20,12 +20,15 @@
> > -
> > - #include "includes.h"
> > - #include "../libcli/auth/libcli_auth.h"
> > -+#include "../libcli/auth/netlogon_creds_cli.h"
> > - #include "rpc_client/cli_netlogon.h"
> > - #include "rpc_client/cli_pipe.h"
> > - #include "../librpc/gen_ndr/ndr_netlogon.h"
> > - #include "secrets.h"
> > - #include "passdb.h"
> > - #include "libsmb/libsmb.h"
> > -+#include "source3/include/messages.h"
> > -+#include "source3/include/g_lock.h"
> > -
> > - /*********************************************************
> > - Change the domain password on the PDC.
> > -@@ -113,3 +116,179 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > -
> > - return nt_status;
> > - }
> > -+
> > -+struct trust_pw_change_state {
> > -+ struct g_lock_ctx *g_ctx;
> > -+ char *g_lock_key;
> > -+};
> > -+
> > -+static int trust_pw_change_state_destructor(struct trust_pw_change_state *state)
> > -+{
> > -+ g_lock_unlock(state->g_ctx, state->g_lock_key);
> > -+ return 0;
> > -+}
> > -+
> > -+NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
> > -+ struct messaging_context *msg_ctx,
> > -+ struct dcerpc_binding_handle *b,
> > -+ const char *domain,
> > -+ bool force)
> > -+{
> > -+ TALLOC_CTX *frame = talloc_stackframe();
> > -+ struct trust_pw_change_state *state;
> > -+ struct samr_Password current_nt_hash;
> > -+ const struct samr_Password *previous_nt_hash = NULL;
> > -+ enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
> > -+ const char *account_name;
> > -+ char *new_trust_passwd;
> > -+ char *pwd;
> > -+ struct dom_sid sid;
> > -+ time_t pass_last_set_time;
> > -+ struct timeval g_timeout = { 0, };
> > -+ int timeout = 0;
> > -+ struct timeval tv = { 0, };
> > -+ NTSTATUS status;
> > -+
> > -+ state = talloc_zero(frame, struct trust_pw_change_state);
> > -+ if (state == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ state->g_ctx = g_lock_ctx_init(state, msg_ctx);
> > -+ if (state->g_ctx == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ state->g_lock_key = talloc_asprintf(state,
> > -+ "trust_password_change_%s",
> > -+ domain);
> > -+ if (state->g_lock_key == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ g_timeout = timeval_current_ofs(10, 0);
> > -+ status = g_lock_lock(state->g_ctx,
> > -+ state->g_lock_key,
> > -+ G_LOCK_WRITE, g_timeout);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ DEBUG(1, ("could not get g_lock on [%s]!\n",
> > -+ state->g_lock_key));
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+
> > -+ talloc_set_destructor(state, trust_pw_change_state_destructor);
> > -+
> > -+ if (!get_trust_pw_hash(domain, current_nt_hash.hash,
> > -+ &account_name,
> > -+ &sec_channel_type)) {
> > -+ DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
> > -+ }
> > -+
> > -+ switch (sec_channel_type) {
> > -+ case SEC_CHAN_WKSTA:
> > -+ pwd = secrets_fetch_machine_password(domain,
> > -+ &pass_last_set_time,
> > -+ NULL);
> > -+ if (pwd == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
> > -+ }
> > -+ break;
> > -+ case SEC_CHAN_DOMAIN:
> > -+ if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
> > -+ }
> > -+ break;
> > -+ default:
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NOT_SUPPORTED;
> > -+ }
> > -+
> > -+ timeout = lp_machine_password_timeout();
> > -+ if (timeout == 0) {
> > -+ if (!force) {
> > -+ DEBUG(10,("machine password never expires\n"));
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+ }
> > -+
> > -+ tv.tv_sec = pass_last_set_time;
> > -+ DEBUG(10, ("password last changed %s\n",
> > -+ timeval_string(talloc_tos(), &tv, false)));
> > -+ tv.tv_sec += timeout;
> > -+ DEBUGADD(10, ("password valid until %s\n",
> > -+ timeval_string(talloc_tos(), &tv, false)));
> > -+
> > -+ if (!force && !timeval_expired(&tv)) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+
> > -+ /* Create a random machine account password */
> > -+ new_trust_passwd = generate_random_password(frame,
> > -+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
> > -+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
> > -+ if (new_trust_passwd == NULL) {
> > -+ DEBUG(0, ("generate_random_password failed\n"));
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_auth(context, b,
> > -+ current_nt_hash,
> > -+ previous_nt_hash);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_ServerPasswordSet(context, b,
> > -+ new_trust_passwd, NULL);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+
> > -+ DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
> > -+ current_timestring(talloc_tos(), False)));
> > -+
> > -+ /*
> > -+ * Return the result of trying to write the new password
> > -+ * back into the trust account file.
> > -+ */
> > -+
> > -+ switch (sec_channel_type) {
> > -+
> > -+ case SEC_CHAN_WKSTA:
> > -+ if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
> > -+ }
> > -+ break;
> > -+
> > -+ case SEC_CHAN_DOMAIN:
> > -+ /*
> > -+ * we need to get the sid first for the
> > -+ * pdb_set_trusteddom_pw call
> > -+ */
> > -+ if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
> > -+ }
> > -+ break;
> > -+
> > -+ default:
> > -+ break;
> > -+ }
> > -+
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_OK;
> > -+}
> > ---
> > -1.9.3
> > -
> > -
> > -From 09dae290b1d49a30eef5b93f5260dc44fb628437 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 18:33:51 +0200
> > -Subject: [PATCH 195/249] s3:rpcclient: make use of trust_pw_change()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit a9281e6570fcc5ff5abe3149615bed7029d1cf71)
> > ----
> > - source3/rpcclient/cmd_netlogon.c | 10 +++++-----
> > - 1 file changed, 5 insertions(+), 5 deletions(-)
> > -
> > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > -index 59e1e4e..000d65c 100644
> > ---- a/source3/rpcclient/cmd_netlogon.c
> > -+++ b/source3/rpcclient/cmd_netlogon.c
> > -@@ -829,11 +829,11 @@ static NTSTATUS cmd_netlogon_change_trust_pw(struct rpc_pipe_client *cli,
> > - return NT_STATUS_OK;
> > - }
> > -
> > -- /* Perform the sam logon */
> > --
> > -- result = trust_pw_find_change_and_store_it(cli, mem_ctx,
> > -- lp_workgroup());
> > --
> > -+ result = trust_pw_change(rpcclient_netlogon_creds,
> > -+ rpcclient_msg_ctx,
> > -+ cli->binding_handle,
> > -+ lp_workgroup(),
> > -+ true); /* force */
> > - if (!NT_STATUS_IS_OK(result))
> > - goto done;
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 3731b2163f6bb88922a9fa84e60fa48afbbbda9a Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 18:34:48 +0200
> > -Subject: [PATCH 196/249] s3:net_rpc: make use of trust_pw_change()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit cfd139347c21f4f4ddd16026c2c8c221feabd6c5)
> > ----
> > - source3/utils/net_rpc.c | 6 +++++-
> > - 1 file changed, 5 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > -index 3bf3f30..ba49f3e 100644
> > ---- a/source3/utils/net_rpc.c
> > -+++ b/source3/utils/net_rpc.c
> > -@@ -279,7 +279,11 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
> > - {
> > - NTSTATUS status;
> > -
> > -- status = trust_pw_find_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup);
> > -+ status = trust_pw_change(c->netlogon_creds,
> > -+ c->msg_ctx,
> > -+ pipe_hnd->binding_handle,
> > -+ c->opt_target_workgroup,
> > -+ true); /* force */
> > - if (!NT_STATUS_IS_OK(status)) {
> > - d_fprintf(stderr, _("Failed to change machine account password: %s\n"),
> > - nt_errstr(status));
> > ---
> > -1.9.3
> > -
> > -
> > -From cd8fdfc923adcc5b6c700ec52d1bba4643079247 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 18:35:39 +0200
> > -Subject: [PATCH 197/249] s3:winbindd: use invalidate_cm_connection() to kill
> > - the netlogon connection
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit dbd49d90bbf175525557eaa983ad57ca5076d710)
> > ----
> > - source3/winbindd/winbindd_dual.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
> > -index 64af571..b26cdca 100644
> > ---- a/source3/winbindd/winbindd_dual.c
> > -+++ b/source3/winbindd/winbindd_dual.c
> > -@@ -1056,7 +1056,7 @@ static void machine_password_change_handler(struct tevent_context *ctx,
> > - "password was changed and we didn't know it. "
> > - "Killing connections to domain %s\n",
> > - child->domain->name));
> > -- TALLOC_FREE(child->domain->conn.netlogon_pipe);
> > -+ invalidate_cm_connection(&child->domain->conn);
> > - }
> > -
> > - if (!calculate_next_machine_pwd_change(child->domain->name,
> > ---
> > -1.9.3
> > -
> > -
> > -From 6369757af75412746c0d9950971a77be72826b92 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 18:36:43 +0200
> > -Subject: [PATCH 198/249] s3:winbindd: make use of trust_pw_change() for
> > - periodic password changes
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 57741dd4ba5a9ed3abf7aad35a2a69fd66b49b4b)
> > ----
> > - source3/winbindd/winbindd_dual.c | 16 ++++++++--------
> > - 1 file changed, 8 insertions(+), 8 deletions(-)
> > -
> > -diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
> > -index b26cdca..1d6a5ba 100644
> > ---- a/source3/winbindd/winbindd_dual.c
> > -+++ b/source3/winbindd/winbindd_dual.c
> > -@@ -29,6 +29,7 @@
> > -
> > - #include "includes.h"
> > - #include "winbindd.h"
> > -+#include "rpc_client/rpc_client.h"
> > - #include "nsswitch/wb_reqtrans.h"
> > - #include "secrets.h"
> > - #include "../lib/util/select.h"
> > -@@ -999,10 +1000,10 @@ static void machine_password_change_handler(struct tevent_context *ctx,
> > - struct timeval now,
> > - void *private_data)
> > - {
> > -+ struct messaging_context *msg_ctx = winbind_messaging_context();
> > - struct winbindd_child *child =
> > - (struct winbindd_child *)private_data;
> > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > -- TALLOC_CTX *frame;
> > - NTSTATUS result;
> > - struct timeval next_change;
> > -
> > -@@ -1039,15 +1040,14 @@ static void machine_password_change_handler(struct tevent_context *ctx,
> > - return;
> > - }
> > -
> > -- frame = talloc_stackframe();
> > --
> > -- result = trust_pw_find_change_and_store_it(netlogon_pipe,
> > -- frame,
> > -- child->domain->name);
> > -- TALLOC_FREE(frame);
> > -+ result = trust_pw_change(child->domain->conn.netlogon_creds,
> > -+ msg_ctx,
> > -+ netlogon_pipe->binding_handle,
> > -+ child->domain->name,
> > -+ false); /* force */
> > -
> > - DEBUG(10, ("machine_password_change_handler: "
> > -- "trust_pw_find_change_and_store_it returned %s\n",
> > -+ "trust_pw_change returned %s\n",
> > - nt_errstr(result)));
> > -
> > - if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
> > ---
> > -1.9.3
> > -
> > -
> > -From 5fe11c760d853dff63ad9b3505f3d3721b7e14f6 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 18:37:34 +0200
> > -Subject: [PATCH 199/249] s3:winbindd: make use of trust_pw_change() in
> > - _wbint_ChangeMachineAccount()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 3c30e19c4a0e60e355b2f1d35edbb0a3b7688089)
> > ----
> > - source3/winbindd/winbindd_dual_srv.c | 35 +++++++----------------------------
> > - 1 file changed, 7 insertions(+), 28 deletions(-)
> > -
> > -diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
> > -index 001591a..f064467 100644
> > ---- a/source3/winbindd/winbindd_dual_srv.c
> > -+++ b/source3/winbindd/winbindd_dual_srv.c
> > -@@ -622,48 +622,27 @@ again:
> > - NTSTATUS _wbint_ChangeMachineAccount(struct pipes_struct *p,
> > - struct wbint_ChangeMachineAccount *r)
> > - {
> > -+ struct messaging_context *msg_ctx = winbind_messaging_context();
> > - struct winbindd_domain *domain;
> > -- int num_retries = 0;
> > - NTSTATUS status;
> > - struct rpc_pipe_client *netlogon_pipe;
> > -- TALLOC_CTX *tmp_ctx;
> > -
> > --again:
> > - domain = wb_child_domain();
> > - if (domain == NULL) {
> > - return NT_STATUS_REQUEST_NOT_ACCEPTED;
> > - }
> > -
> > -- invalidate_cm_connection(&domain->conn);
> > --
> > -- {
> > -- status = cm_connect_netlogon(domain, &netlogon_pipe);
> > -- }
> > --
> > -- /* There is a race condition between fetching the trust account
> > -- password and the periodic machine password change. So it's
> > -- possible that the trust account password has been changed on us.
> > -- We are returned NT_STATUS_ACCESS_DENIED if this happens. */
> > --
> > --#define MAX_RETRIES 3
> > --
> > -- if ((num_retries < MAX_RETRIES)
> > -- && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
> > -- num_retries++;
> > -- goto again;
> > -- }
> > --
> > -+ status = cm_connect_netlogon(domain, &netlogon_pipe);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
> > - goto done;
> > - }
> > -
> > -- tmp_ctx = talloc_new(p->mem_ctx);
> > --
> > -- status = trust_pw_find_change_and_store_it(netlogon_pipe,
> > -- tmp_ctx,
> > -- domain->name);
> > -- talloc_destroy(tmp_ctx);
> > -+ status = trust_pw_change(domain->conn.netlogon_creds,
> > -+ msg_ctx,
> > -+ netlogon_pipe->binding_handle,
> > -+ domain->name,
> > -+ true); /* force */
> > -
> > - /* Pass back result code - zero for success, other values for
> > - specific failures. */
> > ---
> > -1.9.3
> > -
> > -
> > -From 9956ea8b561da89fb79739dd8a8552116c7867f7 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 18:39:52 +0200
> > -Subject: [PATCH 200/249] s3:libsmb: remove unused
> > - trust_pw_find_change_and_store_it()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit a8ecebe3e840005c81df043cb07773972aaa2371)
> > ----
> > - source3/include/proto.h | 3 --
> > - source3/libsmb/trusts_util.c | 81 --------------------------------------------
> > - 2 files changed, 84 deletions(-)
> > -
> > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > -index edda119..18348e5 100644
> > ---- a/source3/include/proto.h
> > -+++ b/source3/include/proto.h
> > -@@ -981,9 +981,6 @@ void update_trustdom_cache( void );
> > -
> > - /* The following definitions come from libsmb/trusts_util.c */
> > -
> > --NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > -- TALLOC_CTX *mem_ctx,
> > -- const char *domain) ;
> > - struct netlogon_creds_cli_context;
> > - struct messaging_context;
> > - struct dcerpc_binding_handle;
> > -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> > -index b1bc006..b38aec6 100644
> > ---- a/source3/libsmb/trusts_util.c
> > -+++ b/source3/libsmb/trusts_util.c
> > -@@ -36,87 +36,6 @@
> > - already setup the connection to the NETLOGON pipe
> > - **********************************************************/
> > -
> > --NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > -- TALLOC_CTX *mem_ctx,
> > -- const char *domain)
> > --{
> > -- unsigned char old_trust_passwd_hash[16];
> > -- unsigned char new_trust_passwd_hash[16];
> > -- enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
> > -- const char *account_name;
> > -- char *new_trust_passwd;
> > -- NTSTATUS nt_status;
> > --
> > -- if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
> > -- &sec_channel_type)) {
> > -- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
> > -- return NT_STATUS_UNSUCCESSFUL;
> > -- }
> > --
> > -- switch (sec_channel_type) {
> > -- case SEC_CHAN_WKSTA:
> > -- case SEC_CHAN_DOMAIN:
> > -- break;
> > -- default:
> > -- return NT_STATUS_NOT_SUPPORTED;
> > -- }
> > --
> > -- /* Create a random machine account password */
> > -- new_trust_passwd = generate_random_password(mem_ctx,
> > -- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
> > -- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
> > -- if (new_trust_passwd == NULL) {
> > -- DEBUG(0, ("generate_random_password failed\n"));
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- E_md4hash(new_trust_passwd, new_trust_passwd_hash);
> > --
> > -- nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
> > -- account_name,
> > -- old_trust_passwd_hash,
> > -- new_trust_passwd,
> > -- new_trust_passwd_hash,
> > -- sec_channel_type);
> > --
> > -- if (NT_STATUS_IS_OK(nt_status)) {
> > -- DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
> > -- current_timestring(talloc_tos(), False)));
> > -- /*
> > -- * Return the result of trying to write the new password
> > -- * back into the trust account file.
> > -- */
> > --
> > -- switch (sec_channel_type) {
> > --
> > -- case SEC_CHAN_WKSTA:
> > -- if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
> > -- nt_status = NT_STATUS_UNSUCCESSFUL;
> > -- }
> > -- break;
> > --
> > -- case SEC_CHAN_DOMAIN: {
> > -- char *pwd;
> > -- struct dom_sid sid;
> > -- time_t pass_last_set_time;
> > --
> > -- /* we need to get the sid first for the
> > -- * pdb_set_trusteddom_pw call */
> > --
> > -- if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
> > -- nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
> > -- }
> > -- if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
> > -- nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
> > -- }
> > -- break;
> > -- }
> > -- }
> > -- }
> > --
> > -- return nt_status;
> > --}
> > --
> > - struct trust_pw_change_state {
> > - struct g_lock_ctx *g_ctx;
> > - char *g_lock_key;
> > ---
> > -1.9.3
> > -
> > -
> > -From f71cb73d7f034165802aad97e9be6f45ba32d519 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 19:19:39 +0200
> > -Subject: [PATCH 201/249] s3:libnet: pass in struct netlogon_creds_cli_context
> > - from the caller.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 77defb175e3ffd1b096485ac7de38ad161594b72)
> > ----
> > - source3/libnet/libnet_samsync.c | 2 +-
> > - source3/libnet/libnet_samsync.h | 1 +
> > - source3/utils/net_rpc_samsync.c | 1 +
> > - 3 files changed, 3 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
> > -index 02d3fc6..e7e1393 100644
> > ---- a/source3/libnet/libnet_samsync.c
> > -+++ b/source3/libnet/libnet_samsync.c
> > -@@ -216,7 +216,7 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
> > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > - struct netlogon_creds_CredentialState *creds = NULL;
> > -
> > -- status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
> > -+ status = netlogon_creds_cli_lock(ctx->netlogon_creds,
> > - mem_ctx, &creds);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > -diff --git a/source3/libnet/libnet_samsync.h b/source3/libnet/libnet_samsync.h
> > -index efdbb37..e1d66ec 100644
> > ---- a/source3/libnet/libnet_samsync.h
> > -+++ b/source3/libnet/libnet_samsync.h
> > -@@ -75,6 +75,7 @@ struct samsync_context {
> > - struct samsync_object *objects;
> > -
> > - struct rpc_pipe_client *cli;
> > -+ struct netlogon_creds_cli_context *netlogon_creds;
> > - struct messaging_context *msg_ctx;
> > -
> > - const struct samsync_ops *ops;
> > -diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
> > -index 772651f..6377ad4 100644
> > ---- a/source3/utils/net_rpc_samsync.c
> > -+++ b/source3/utils/net_rpc_samsync.c
> > -@@ -129,6 +129,7 @@ NTSTATUS rpc_samdump_internals(struct net_context *c,
> > -
> > - ctx->mode = NET_SAMSYNC_MODE_DUMP;
> > - ctx->cli = pipe_hnd;
> > -+ ctx->netlogon_creds = c->netlogon_creds;
> > - ctx->ops = &libnet_samsync_display_ops;
> > - ctx->domain_name = domain_name;
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From acb678ce415403e1442116b32eb8b8b32b677f4a Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 20:51:25 +0200
> > -Subject: [PATCH 202/249] s3:rpcclient: make use of
> > - rpccli_{create,setup}_netlogon_creds()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 5107ca02a41673739a1fc4a1c2a0fbe8465f211a)
> > ----
> > - source3/rpcclient/rpcclient.c | 59 ++++++++++++++++++++++++++++++-------------
> > - 1 file changed, 41 insertions(+), 18 deletions(-)
> > -
> > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > -index a875ff5..490f8df 100644
> > ---- a/source3/rpcclient/rpcclient.c
> > -+++ b/source3/rpcclient/rpcclient.c
> > -@@ -676,6 +676,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - {
> > - NTSTATUS ntresult;
> > - WERROR wresult;
> > -+ bool ok;
> > -
> > - TALLOC_CTX *mem_ctx;
> > -
> > -@@ -759,17 +760,20 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - return ntresult;
> > - }
> > -
> > -- if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
> > -- &ndr_table_netlogon.syntax_id)) {
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -- NETLOGON_NEG_SUPPORTS_AES;
> > -- enum netr_SchannelType sec_channel_type;
> > -- uchar trust_password[16];
> > -- const char *machine_account;
> > -+ ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
> > -+ &ndr_table_netlogon.syntax_id);
> > -+ if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
> > -+ const char *dc_name = cmd_entry->rpc_pipe->desthost;
> > -+ const char *domain = get_cmdline_auth_info_domain(auth_info);
> > -+ enum netr_SchannelType sec_chan_type = 0;
> > -+ const char *_account_name = NULL;
> > -+ const char *account_name = NULL;
> > -+ struct samr_Password current_nt_hash;
> > -+ struct samr_Password *previous_nt_hash = NULL;
> > -
> > - if (!get_trust_pw_hash(get_cmdline_auth_info_domain(auth_info),
> > -- trust_password, &machine_account,
> > -- &sec_channel_type))
> > -+ current_nt_hash.hash, &_account_name,
> > -+ &sec_chan_type))
> > - {
> > - DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
> > - get_cmdline_auth_info_domain(auth_info),
> > -@@ -779,22 +783,41 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > - }
> > -
> > -- ntresult = rpccli_netlogon_setup_creds(cmd_entry->rpc_pipe,
> > -- cmd_entry->rpc_pipe->desthost, /* server name */
> > -- get_cmdline_auth_info_domain(auth_info), /* domain */
> > -- lp_netbios_name(), /* client name */
> > -- machine_account, /* machine account name */
> > -- trust_password,
> > -- sec_channel_type,
> > -- &neg_flags);
> > -+ account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
> > -+ if (account_name == NULL) {
> > -+ SAFE_FREE(previous_nt_hash);
> > -+ TALLOC_FREE(mem_ctx);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ ntresult = rpccli_create_netlogon_creds(dc_name,
> > -+ domain,
> > -+ account_name,
> > -+ sec_chan_type,
> > -+ rpcclient_msg_ctx,
> > -+ talloc_autofree_context(),
> > -+ &rpcclient_netlogon_creds);
> > -+ if (!NT_STATUS_IS_OK(ntresult)) {
> > -+ SAFE_FREE(previous_nt_hash);
> > -+ TALLOC_FREE(mem_ctx);
> > -+ return ntresult;
> > -+ }
> > -
> > -+ ntresult = rpccli_setup_netlogon_creds(cli,
> > -+ rpcclient_netlogon_creds,
> > -+ false, /* force_reauth */
> > -+ current_nt_hash,
> > -+ previous_nt_hash);
> > -+ SAFE_FREE(previous_nt_hash);
> > - if (!NT_STATUS_IS_OK(ntresult)) {
> > - DEBUG(0, ("Could not initialise credentials for %s.\n",
> > - cmd_entry->table->name));
> > - TALLOC_FREE(cmd_entry->rpc_pipe);
> > -- talloc_free(mem_ctx);
> > -+ TALLOC_FREE(rpcclient_netlogon_creds);
> > -+ TALLOC_FREE(mem_ctx);
> > - return ntresult;
> > - }
> > -+ cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
> > - }
> > - }
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From b04744971aa9cc696aa4a3c56dd46d58db8dda75 Mon Sep 17 00:00:00 2001
> > -From: Garming Sam <garming@catalyst.net.nz>
> > -Date: Fri, 29 Nov 2013 14:45:20 +1300
> > -Subject: [PATCH 203/249] s3:rpcclient: give errors and clean up correctly
> > - after failing to obtain secret
> > -
> > -Signed-off-by: Garming Sam <garming@catalyst.net.nz>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit a012e2fdd6733e871ddeb68874a2df8413ad91ed)
> > ----
> > - source3/rpcclient/rpcclient.c | 6 ++++++
> > - 1 file changed, 6 insertions(+)
> > -
> > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > -index 490f8df..fd3ebdf 100644
> > ---- a/source3/rpcclient/rpcclient.c
> > -+++ b/source3/rpcclient/rpcclient.c
> > -@@ -785,6 +785,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > -
> > - account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
> > - if (account_name == NULL) {
> > -+ DEBUG(0, ("Out of memory creating account name to connect to %s.\n",
> > -+ cmd_entry->table->name));
> > -+ TALLOC_FREE(cmd_entry->rpc_pipe);
> > - SAFE_FREE(previous_nt_hash);
> > - TALLOC_FREE(mem_ctx);
> > - return NT_STATUS_NO_MEMORY;
> > -@@ -798,6 +801,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - talloc_autofree_context(),
> > - &rpcclient_netlogon_creds);
> > - if (!NT_STATUS_IS_OK(ntresult)) {
> > -+ DEBUG(0, ("Could not initialise credentials for %s.\n",
> > -+ cmd_entry->table->name));
> > -+ TALLOC_FREE(cmd_entry->rpc_pipe);
> > - SAFE_FREE(previous_nt_hash);
> > - TALLOC_FREE(mem_ctx);
> > - return ntresult;
> > ---
> > -1.9.3
> > -
> > -
> > -From 564e6df9361025ff7da6fa92d83491cfd9e60b2b Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 17 Sep 2013 00:46:09 +0200
> > -Subject: [PATCH 204/249] s3:rpcclient: remove optional auth_level parameter of
> > - the 'samlogon' cmd
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 4c99e49898151a514e334a07f38eed83fe608c05)
> > ----
> > - source3/rpcclient/cmd_netlogon.c | 11 ++++-------
> > - 1 file changed, 4 insertions(+), 7 deletions(-)
> > -
> > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > -index 000d65c..97b79cb 100644
> > ---- a/source3/rpcclient/cmd_netlogon.c
> > -+++ b/source3/rpcclient/cmd_netlogon.c
> > -@@ -782,9 +782,9 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > -
> > - /* Check arguments */
> > -
> > -- if (argc < 3 || argc > 7) {
> > -+ if (argc < 3 || argc > 6) {
> > - fprintf(stderr, "Usage: samlogon <username> <password> [workstation]"
> > -- "[logon_type (1 or 2)] [auth level (2 or 3)] [logon_parameter]\n");
> > -+ "[logon_type (1 or 2)] [logon_parameter]\n");
> > - return NT_STATUS_OK;
> > - }
> > -
> > -@@ -797,11 +797,8 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > - if (argc >= 5)
> > - sscanf(argv[4], "%i", &logon_type);
> > -
> > -- if (argc >= 6)
> > -- validation_level = atoi(argv[5]);
> > --
> > -- if (argc == 7)
> > -- sscanf(argv[6], "%x", &logon_param);
> > -+ if (argc == 6)
> > -+ sscanf(argv[5], "%x", &logon_param);
> > -
> > - /* Perform the sam logon */
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From a61d399c13c9f46e283f85f3d076b0607c2729f3 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 17 Sep 2013 00:48:31 +0200
> > -Subject: [PATCH 205/249] s3:rpcclient: make use of
> > - rpccli_netlogon_password_logon() in the 'samlogon' cmd
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit c6bb47f2f199cc13101dccf656ac36e9eb879201)
> > ----
> > - source3/rpcclient/cmd_netlogon.c | 11 ++++++++---
> > - 1 file changed, 8 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > -index 97b79cb..b637b3e 100644
> > ---- a/source3/rpcclient/cmd_netlogon.c
> > -+++ b/source3/rpcclient/cmd_netlogon.c
> > -@@ -776,7 +776,6 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > - NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > - int logon_type = NetlogonNetworkInformation;
> > - const char *username, *password;
> > -- uint16_t validation_level = 3;
> > - uint32 logon_param = 0;
> > - const char *workstation = NULL;
> > -
> > -@@ -802,8 +801,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > -
> > - /* Perform the sam logon */
> > -
> > -- result = rpccli_netlogon_sam_logon(cli, mem_ctx, logon_param, lp_workgroup(), username, password, workstation, validation_level, logon_type);
> > --
> > -+ result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
> > -+ cli->binding_handle,
> > -+ logon_param,
> > -+ lp_workgroup(),
> > -+ username,
> > -+ password,
> > -+ workstation,
> > -+ logon_type);
> > - if (!NT_STATUS_IS_OK(result))
> > - goto done;
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From fbe0154a63d401acd47c5190be37b8d69d3d64ba Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 17 Sep 2013 00:56:15 +0200
> > -Subject: [PATCH 206/249] s3:winbindd: make use of
> > - rpccli_netlogon_network_logon()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit a34c837fdb59df1e66be9b5f23a07990e34fea1c)
> > ----
> > - source3/winbindd/winbindd_pam.c | 28 +++++++++++++++-------------
> > - 1 file changed, 15 insertions(+), 13 deletions(-)
> > -
> > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > -index 39483a5..3f3ec70 100644
> > ---- a/source3/winbindd/winbindd_pam.c
> > -+++ b/source3/winbindd/winbindd_pam.c
> > -@@ -1228,6 +1228,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > -
> > - do {
> > - struct rpc_pipe_client *netlogon_pipe;
> > -+ uint8_t authoritative = 0;
> > -+ uint32_t flags = 0;
> > -
> > - ZERO_STRUCTP(info3);
> > - retry = false;
> > -@@ -1276,19 +1278,19 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > - }
> > - netr_attempts = 0;
> > -
> > -- result = rpccli_netlogon_sam_network_logon(
> > -- netlogon_pipe,
> > -- mem_ctx,
> > -- logon_parameters,
> > -- server, /* server name */
> > -- username, /* user name */
> > -- domainname, /* target domain */
> > -- workstation, /* workstation */
> > -- chal,
> > -- -1, /* ignored */
> > -- lm_response,
> > -- nt_response,
> > -- info3);
> > -+ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
> > -+ netlogon_pipe->binding_handle,
> > -+ mem_ctx,
> > -+ logon_parameters,
> > -+ username,
> > -+ domainname,
> > -+ workstation,
> > -+ chal,
> > -+ lm_response,
> > -+ nt_response,
> > -+ &authoritative,
> > -+ &flags,
> > -+ info3);
> > -
> > - /*
> > - * we increment this after the "feature negotiation"
> > ---
> > -1.9.3
> > -
> > -
> > -From cfcb681d6f80253b6f2db769f5c5be1ffb54cc0e Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 20:53:51 +0200
> > -Subject: [PATCH 207/249] s3:rpc_client: make cli_rpc_pipe_open_schannel() more
> > - flexible
> > -
> > -It expects a messaging_context now
> > -and returns a netlogon_creds_cli_context.
> > -
> > -This way we can finally avoid having a rpc_pipe_client->netlogon_creds.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 660150b12a637da7f9ebb820e687f27ac22fb93a)
> > ----
> > - source3/rpc_client/cli_pipe.h | 5 ++++-
> > - source3/rpc_client/cli_pipe_schannel.c | 9 +++++++--
> > - source3/rpcclient/rpcclient.c | 13 +++++++------
> > - source3/utils/net_rpc.c | 6 +++---
> > - 4 files changed, 21 insertions(+), 12 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > -index 2a76130..b704d8a 100644
> > ---- a/source3/rpc_client/cli_pipe.h
> > -+++ b/source3/rpc_client/cli_pipe.h
> > -@@ -99,11 +99,14 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - struct rpc_pipe_client **presult);
> > -
> > - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > -+ struct messaging_context *msg_ctx,
> > - const struct ndr_interface_table *table,
> > - enum dcerpc_transport_t transport,
> > - enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > -- struct rpc_pipe_client **presult);
> > -+ struct rpc_pipe_client **presult,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_cli_context **pcreds);
> > -
> > - NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> > - struct rpc_pipe_client *cli,
> > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > -index 1fcf62e..a842333 100644
> > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > -@@ -38,14 +38,16 @@
> > - ****************************************************************************/
> > -
> > - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > -+ struct messaging_context *msg_ctx,
> > - const struct ndr_interface_table *table,
> > - enum dcerpc_transport_t transport,
> > - enum dcerpc_AuthLevel auth_level,
> > - const char *domain,
> > -- struct rpc_pipe_client **presult)
> > -+ struct rpc_pipe_client **presult,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ struct netlogon_creds_cli_context **pcreds)
> > - {
> > - TALLOC_CTX *frame = talloc_stackframe();
> > -- struct messaging_context *msg_ctx = NULL;
> > - const char *dc_name = smbXcli_conn_remote_name(cli->conn);
> > - struct rpc_pipe_client *result = NULL;
> > - NTSTATUS status;
> > -@@ -121,6 +123,9 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > -
> > - if (NT_STATUS_IS_OK(status)) {
> > - *presult = result;
> > -+ if (pcreds != NULL) {
> > -+ *pcreds = talloc_move(mem_ctx, &netlogon_creds);
> > -+ }
> > - }
> > -
> > - TALLOC_FREE(frame);
> > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > -index fd3ebdf..43343e8 100644
> > ---- a/source3/rpcclient/rpcclient.c
> > -+++ b/source3/rpcclient/rpcclient.c
> > -@@ -737,12 +737,16 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - &cmd_entry->rpc_pipe);
> > - break;
> > - case DCERPC_AUTH_TYPE_SCHANNEL:
> > -+ TALLOC_FREE(rpcclient_netlogon_creds);
> > - ntresult = cli_rpc_pipe_open_schannel(
> > -- cli, cmd_entry->table,
> > -+ cli, rpcclient_msg_ctx,
> > -+ cmd_entry->table,
> > - default_transport,
> > - pipe_default_auth_level,
> > - get_cmdline_auth_info_domain(auth_info),
> > -- &cmd_entry->rpc_pipe);
> > -+ &cmd_entry->rpc_pipe,
> > -+ talloc_autofree_context(),
> > -+ &rpcclient_netlogon_creds);
> > - break;
> > - default:
> > - DEBUG(0, ("Could not initialise %s. Invalid "
> > -@@ -762,7 +766,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > -
> > - ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
> > - &ndr_table_netlogon.syntax_id);
> > -- if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
> > -+ if (rpcclient_netlogon_creds == NULL && ok) {
> > - const char *dc_name = cmd_entry->rpc_pipe->desthost;
> > - const char *domain = get_cmdline_auth_info_domain(auth_info);
> > - enum netr_SchannelType sec_chan_type = 0;
> > -@@ -823,12 +827,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > - TALLOC_FREE(mem_ctx);
> > - return ntresult;
> > - }
> > -- cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
> > - }
> > - }
> > -
> > -- rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
> > --
> > - /* Run command */
> > -
> > - if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
> > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > -index ba49f3e..d0f699a 100644
> > ---- a/source3/utils/net_rpc.c
> > -+++ b/source3/utils/net_rpc.c
> > -@@ -192,16 +192,16 @@ int run_rpc_command(struct net_context *c,
> > - && (ndr_syntax_id_equal(&table->syntax_id,
> > - &ndr_table_netlogon.syntax_id))) {
> > - /* Always try and create an schannel netlogon pipe. */
> > -+ TALLOC_FREE(c->netlogon_creds);
> > - nt_status = cli_rpc_pipe_open_schannel(
> > -- cli, table, NCACN_NP,
> > -+ cli, c->msg_ctx, table, NCACN_NP,
> > - DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
> > -- &pipe_hnd);
> > -+ &pipe_hnd, c, &c->netlogon_creds);
> > - if (!NT_STATUS_IS_OK(nt_status)) {
> > - DEBUG(0, ("Could not initialise schannel netlogon pipe. Error was %s\n",
> > - nt_errstr(nt_status) ));
> > - goto fail;
> > - }
> > -- c->netlogon_creds = pipe_hnd->netlogon_creds;
> > - } else {
> > - if (conn_flags & NET_FLAGS_SEAL) {
> > - nt_status = cli_rpc_pipe_open_generic_auth(
> > ---
> > -1.9.3
> > -
> > -
> > -From 603b40eeee3cf21de94f11471889d0443713ba4f Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 6 Sep 2013 13:54:30 +0200
> > -Subject: [PATCH 208/249] s3:rpc_client: remove unused
> > - rpccli_netlogon_set_trust_password()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 6d457ad9c156cf86d99e58dea21dba170defad1b)
> > ----
> > - source3/rpc_client/cli_netlogon.c | 51 ---------------------------------------
> > - source3/rpc_client/cli_netlogon.h | 7 ------
> > - 2 files changed, 58 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index a9f8604..2f23d1b 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -759,54 +759,3 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > -
> > - return NT_STATUS_OK;
> > - }
> > --
> > --/*********************************************************
> > -- Change the domain password on the PDC.
> > --
> > -- Just changes the password betwen the two values specified.
> > --
> > -- Caller must have the cli connected to the netlogon pipe
> > -- already.
> > --**********************************************************/
> > --
> > --NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > -- TALLOC_CTX *mem_ctx,
> > -- const char *account_name,
> > -- const unsigned char orig_trust_passwd_hash[16],
> > -- const char *new_trust_pwd_cleartext,
> > -- const unsigned char new_trust_passwd_hash[16],
> > -- enum netr_SchannelType sec_channel_type)
> > --{
> > -- NTSTATUS result;
> > --
> > -- if (cli->netlogon_creds == NULL) {
> > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > -- NETLOGON_NEG_SUPPORTS_AES;
> > -- result = rpccli_netlogon_setup_creds(cli,
> > -- cli->desthost, /* server name */
> > -- lp_workgroup(), /* domain */
> > -- lp_netbios_name(), /* client name */
> > -- account_name, /* machine account name */
> > -- orig_trust_passwd_hash,
> > -- sec_channel_type,
> > -- &neg_flags);
> > -- if (!NT_STATUS_IS_OK(result)) {
> > -- DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n",
> > -- nt_errstr(result)));
> > -- return result;
> > -- }
> > -- }
> > --
> > -- result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
> > -- cli->binding_handle,
> > -- new_trust_pwd_cleartext,
> > -- NULL); /* new_version */
> > -- if (!NT_STATUS_IS_OK(result)) {
> > -- DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
> > -- nt_errstr(result)));
> > -- return result;
> > -- }
> > --
> > -- return NT_STATUS_OK;
> > --}
> > --
> > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > -index d4c6670..8547db6 100644
> > ---- a/source3/rpc_client/cli_netlogon.h
> > -+++ b/source3/rpc_client/cli_netlogon.h
> > -@@ -93,12 +93,5 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > - uint8_t *authoritative,
> > - uint32_t *flags,
> > - struct netr_SamInfo3 **info3);
> > --NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > -- TALLOC_CTX *mem_ctx,
> > -- const char *account_name,
> > -- const unsigned char orig_trust_passwd_hash[16],
> > -- const char *new_trust_pwd_cleartext,
> > -- const unsigned char new_trust_passwd_hash[16],
> > -- enum netr_SchannelType sec_channel_type);
> > -
> > - #endif /* _RPC_CLIENT_CLI_NETLOGON_H_ */
> > ---
> > -1.9.3
> > -
> > -
> > -From c9dc23d434bc7015f400b1969a055b95faac6594 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 6 Sep 2013 13:06:53 +0200
> > -Subject: [PATCH 209/249] s3:rpc_client: remove unused
> > - rpccli_netlogon_setup_creds()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit a4faf57b47095bfc0f4370ac093c8c4cef17584f)
> > ----
> > - source3/rpc_client/cli_netlogon.c | 92 ---------------------------------------
> > - source3/rpc_client/cli_netlogon.h | 8 ----
> > - 2 files changed, 100 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index 2f23d1b..687d0c2 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -35,98 +35,6 @@
> > - #include "lib/param/param.h"
> > - #include "libcli/smb/smbXcli_base.h"
> > -
> > --/****************************************************************************
> > -- Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
> > -- credentials chain. Stores the credentials in the struct dcinfo in the
> > -- netlogon pipe struct.
> > --****************************************************************************/
> > --
> > --NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > -- const char *server_name,
> > -- const char *domain,
> > -- const char *clnt_name,
> > -- const char *machine_account,
> > -- const unsigned char machine_pwd[16],
> > -- enum netr_SchannelType sec_chan_type,
> > -- uint32_t *neg_flags_inout)
> > --{
> > -- TALLOC_CTX *frame = talloc_stackframe();
> > -- struct loadparm_context *lp_ctx;
> > -- NTSTATUS status;
> > -- struct samr_Password password;
> > -- fstring mach_acct;
> > -- struct dcerpc_binding_handle *b = cli->binding_handle;
> > -- struct netlogon_creds_CredentialState *creds = NULL;
> > --
> > -- if (!ndr_syntax_id_equal(&cli->abstract_syntax,
> > -- &ndr_table_netlogon.syntax_id)) {
> > -- TALLOC_FREE(frame);
> > -- return NT_STATUS_INVALID_PARAMETER;
> > -- }
> > --
> > -- if (!strequal(lp_netbios_name(), clnt_name)) {
> > -- TALLOC_FREE(frame);
> > -- return NT_STATUS_INVALID_PARAMETER;
> > -- }
> > --
> > -- TALLOC_FREE(cli->netlogon_creds);
> > --
> > -- fstr_sprintf( mach_acct, "%s$", machine_account);
> > --
> > -- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> > -- if (lp_ctx == NULL) {
> > -- TALLOC_FREE(frame);
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > -- status = netlogon_creds_cli_context_global(lp_ctx,
> > -- NULL, /* msg_ctx */
> > -- mach_acct,
> > -- sec_chan_type,
> > -- server_name,
> > -- domain,
> > -- cli, &cli->netlogon_creds);
> > -- talloc_unlink(frame, lp_ctx);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- TALLOC_FREE(frame);
> > -- return status;
> > -- }
> > --
> > -- status = netlogon_creds_cli_get(cli->netlogon_creds,
> > -- frame, &creds);
> > -- if (NT_STATUS_IS_OK(status)) {
> > -- DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
> > -- "cached credential\n",
> > -- cli->desthost));
> > -- *neg_flags_inout = creds->negotiate_flags;
> > -- TALLOC_FREE(frame);
> > -- return NT_STATUS_OK;
> > -- }
> > --
> > -- /* Store the machine account password we're going to use. */
> > -- memcpy(password.hash, machine_pwd, 16);
> > --
> > -- DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
> > -- "chain established.\n",
> > -- cli->desthost ));
> > --
> > -- status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
> > -- password, NULL);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- TALLOC_FREE(frame);
> > -- return status;
> > -- }
> > --
> > -- status = netlogon_creds_cli_get(cli->netlogon_creds,
> > -- frame, &creds);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- TALLOC_FREE(frame);
> > -- return NT_STATUS_INTERNAL_ERROR;
> > -- }
> > --
> > -- *neg_flags_inout = creds->negotiate_flags;
> > -- TALLOC_FREE(frame);
> > -- return NT_STATUS_OK;
> > --}
> > -
> > - NTSTATUS rpccli_pre_open_netlogon_creds(void)
> > - {
> > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > -index 8547db6..0de836a 100644
> > ---- a/source3/rpc_client/cli_netlogon.h
> > -+++ b/source3/rpc_client/cli_netlogon.h
> > -@@ -30,14 +30,6 @@ struct dcerpc_binding_handle;
> > -
> > - /* The following definitions come from rpc_client/cli_netlogon.c */
> > -
> > --NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > -- const char *server_name,
> > -- const char *domain,
> > -- const char *clnt_name,
> > -- const char *machine_account,
> > -- const unsigned char machine_pwd[16],
> > -- enum netr_SchannelType sec_chan_type,
> > -- uint32_t *neg_flags_inout);
> > - NTSTATUS rpccli_pre_open_netlogon_creds(void);
> > - NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> > - const char *server_netbios_domain,
> > ---
> > -1.9.3
> > -
> > -
> > -From 2a072da1cc18acc7eb6d82769dc96b7e94ec57fe Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 19:23:18 +0200
> > -Subject: [PATCH 210/249] s3:rpc_client: remove unused
> > - rpccli_netlogon_sam_logon()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit e4fea80693b49e79a96acdac09d5ea292756635c)
> > ----
> > - source3/rpc_client/cli_netlogon.c | 124 --------------------------------------
> > - source3/rpc_client/cli_netlogon.h | 9 ---
> > - 2 files changed, 133 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index 687d0c2..171337a 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -160,130 +160,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> > -
> > - /* Logon domain user */
> > -
> > --NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > -- TALLOC_CTX *mem_ctx,
> > -- uint32 logon_parameters,
> > -- const char *domain,
> > -- const char *username,
> > -- const char *password,
> > -- const char *workstation,
> > -- uint16_t _ignored_validation_level,
> > -- int logon_type)
> > --{
> > -- NTSTATUS status;
> > -- union netr_LogonLevel *logon;
> > -- uint16_t validation_level = 0;
> > -- union netr_Validation *validation = NULL;
> > -- uint8_t authoritative = 0;
> > -- uint32_t flags = 0;
> > -- fstring clnt_name_slash;
> > --
> > -- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> > -- if (!logon) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- if (workstation) {
> > -- fstr_sprintf( clnt_name_slash, "\\\\%s", workstation );
> > -- } else {
> > -- fstr_sprintf( clnt_name_slash, "\\\\%s", lp_netbios_name() );
> > -- }
> > --
> > -- /* Initialise input parameters */
> > --
> > -- switch (logon_type) {
> > -- case NetlogonInteractiveInformation: {
> > --
> > -- struct netr_PasswordInfo *password_info;
> > --
> > -- struct samr_Password lmpassword;
> > -- struct samr_Password ntpassword;
> > --
> > -- password_info = talloc_zero(mem_ctx, struct netr_PasswordInfo);
> > -- if (!password_info) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
> > --
> > -- password_info->identity_info.domain_name.string = domain;
> > -- password_info->identity_info.parameter_control = logon_parameters;
> > -- password_info->identity_info.logon_id_low = 0xdead;
> > -- password_info->identity_info.logon_id_high = 0xbeef;
> > -- password_info->identity_info.account_name.string = username;
> > -- password_info->identity_info.workstation.string = clnt_name_slash;
> > --
> > -- password_info->lmpassword = lmpassword;
> > -- password_info->ntpassword = ntpassword;
> > --
> > -- logon->password = password_info;
> > --
> > -- break;
> > -- }
> > -- case NetlogonNetworkInformation: {
> > -- struct netr_NetworkInfo *network_info;
> > -- uint8 chal[8];
> > -- unsigned char local_lm_response[24];
> > -- unsigned char local_nt_response[24];
> > -- struct netr_ChallengeResponse lm;
> > -- struct netr_ChallengeResponse nt;
> > --
> > -- ZERO_STRUCT(lm);
> > -- ZERO_STRUCT(nt);
> > --
> > -- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
> > -- if (!network_info) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- generate_random_buffer(chal, 8);
> > --
> > -- SMBencrypt(password, chal, local_lm_response);
> > -- SMBNTencrypt(password, chal, local_nt_response);
> > --
> > -- lm.length = 24;
> > -- lm.data = local_lm_response;
> > --
> > -- nt.length = 24;
> > -- nt.data = local_nt_response;
> > --
> > -- network_info->identity_info.domain_name.string = domain;
> > -- network_info->identity_info.parameter_control = logon_parameters;
> > -- network_info->identity_info.logon_id_low = 0xdead;
> > -- network_info->identity_info.logon_id_high = 0xbeef;
> > -- network_info->identity_info.account_name.string = username;
> > -- network_info->identity_info.workstation.string = clnt_name_slash;
> > --
> > -- memcpy(network_info->challenge, chal, 8);
> > -- network_info->nt = nt;
> > -- network_info->lm = lm;
> > --
> > -- logon->network = network_info;
> > --
> > -- break;
> > -- }
> > -- default:
> > -- DEBUG(0, ("switch value %d not supported\n",
> > -- logon_type));
> > -- return NT_STATUS_INVALID_INFO_CLASS;
> > -- }
> > --
> > -- status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
> > -- cli->binding_handle,
> > -- logon_type,
> > -- logon,
> > -- mem_ctx,
> > -- &validation_level,
> > -- &validation,
> > -- &authoritative,
> > -- &flags);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > --
> > -- return NT_STATUS_OK;
> > --}
> > --
> > - NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> > - struct dcerpc_binding_handle *binding_handle,
> > - uint32_t logon_parameters,
> > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > -index 0de836a..eaa5b0c 100644
> > ---- a/source3/rpc_client/cli_netlogon.h
> > -+++ b/source3/rpc_client/cli_netlogon.h
> > -@@ -43,15 +43,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> > - bool force_reauth,
> > - struct samr_Password current_nt_hash,
> > - const struct samr_Password *previous_nt_hash);
> > --NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > -- TALLOC_CTX *mem_ctx,
> > -- uint32 logon_parameters,
> > -- const char *domain,
> > -- const char *username,
> > -- const char *password,
> > -- const char *workstation,
> > -- uint16_t validation_level,
> > -- int logon_type);
> > - NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> > - struct dcerpc_binding_handle *binding_handle,
> > - uint32_t logon_parameters,
> > ---
> > -1.9.3
> > -
> > -
> > -From 4092fca5daf42e1cd26af8069b09b97a7d01df9c Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 19:23:54 +0200
> > -Subject: [PATCH 211/249] s3:rpc_client: remove unused
> > - rpccli_netlogon_sam_network_logon()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 3f41b583840ffa2220f61eea61833bf3c6bd33db)
> > ----
> > - source3/rpc_client/cli_netlogon.c | 94 ---------------------------------------
> > - source3/rpc_client/cli_netlogon.h | 12 -----
> > - 2 files changed, 106 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index 171337a..ca2d9bf 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -346,100 +346,6 @@ static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> > - * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
> > - **/
> > -
> > --NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > -- TALLOC_CTX *mem_ctx,
> > -- uint32 logon_parameters,
> > -- const char *server,
> > -- const char *username,
> > -- const char *domain,
> > -- const char *workstation,
> > -- const uint8 chal[8],
> > -- uint16_t _ignored_validation_level,
> > -- DATA_BLOB lm_response,
> > -- DATA_BLOB nt_response,
> > -- struct netr_SamInfo3 **info3)
> > --{
> > -- NTSTATUS status;
> > -- const char *workstation_name_slash;
> > -- union netr_LogonLevel *logon = NULL;
> > -- struct netr_NetworkInfo *network_info;
> > -- uint16_t validation_level = 0;
> > -- union netr_Validation *validation = NULL;
> > -- uint8_t authoritative = 0;
> > -- uint32_t flags = 0;
> > -- struct netr_ChallengeResponse lm;
> > -- struct netr_ChallengeResponse nt;
> > --
> > -- *info3 = NULL;
> > --
> > -- ZERO_STRUCT(lm);
> > -- ZERO_STRUCT(nt);
> > --
> > -- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> > -- if (!logon) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
> > -- if (!network_info) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- if (workstation[0] != '\\' && workstation[1] != '\\') {
> > -- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
> > -- } else {
> > -- workstation_name_slash = workstation;
> > -- }
> > --
> > -- if (!workstation_name_slash) {
> > -- DEBUG(0, ("talloc_asprintf failed!\n"));
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- /* Initialise input parameters */
> > --
> > -- lm.data = lm_response.data;
> > -- lm.length = lm_response.length;
> > -- nt.data = nt_response.data;
> > -- nt.length = nt_response.length;
> > --
> > -- network_info->identity_info.domain_name.string = domain;
> > -- network_info->identity_info.parameter_control = logon_parameters;
> > -- network_info->identity_info.logon_id_low = 0xdead;
> > -- network_info->identity_info.logon_id_high = 0xbeef;
> > -- network_info->identity_info.account_name.string = username;
> > -- network_info->identity_info.workstation.string = workstation_name_slash;
> > --
> > -- memcpy(network_info->challenge, chal, 8);
> > -- network_info->nt = nt;
> > -- network_info->lm = lm;
> > --
> > -- logon->network = network_info;
> > --
> > -- /* Marshall data and send request */
> > --
> > -- status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
> > -- cli->binding_handle,
> > -- NetlogonNetworkInformation,
> > -- logon,
> > -- mem_ctx,
> > -- &validation_level,
> > -- &validation,
> > -- &authoritative,
> > -- &flags);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > --
> > -- status = map_validation_to_info3(mem_ctx,
> > -- validation_level, validation,
> > -- info3);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- return status;
> > -- }
> > --
> > -- return NT_STATUS_OK;
> > --}
> > -
> > - NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > - struct dcerpc_binding_handle *binding_handle,
> > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > -index eaa5b0c..61fed4a 100644
> > ---- a/source3/rpc_client/cli_netlogon.h
> > -+++ b/source3/rpc_client/cli_netlogon.h
> > -@@ -51,18 +51,6 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
> > - const char *password,
> > - const char *workstation,
> > - enum netr_LogonInfoClass logon_type);
> > --NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > -- TALLOC_CTX *mem_ctx,
> > -- uint32 logon_parameters,
> > -- const char *server,
> > -- const char *username,
> > -- const char *domain,
> > -- const char *workstation,
> > -- const uint8 chal[8],
> > -- uint16_t validation_level,
> > -- DATA_BLOB lm_response,
> > -- DATA_BLOB nt_response,
> > -- struct netr_SamInfo3 **info3);
> > - NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > - struct dcerpc_binding_handle *binding_handle,
> > - TALLOC_CTX *mem_ctx,
> > ---
> > -1.9.3
> > -
> > -
> > -From bdfc02fd5830ed6e2f14aaf90456e572028ada6a Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 16 Sep 2013 19:25:27 +0200
> > -Subject: [PATCH 212/249] s3:rpc_client: finally remove unused
> > - rpc_pipe_client->netlogon_creds
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit c0761c3eae34175d772476006caf5caad68bd8c6)
> > ----
> > - source3/rpc_client/cli_pipe.c | 9 ---------
> > - source3/rpc_client/rpc_client.h | 3 ---
> > - 2 files changed, 12 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > -index 31cd7f5..8613a21 100644
> > ---- a/source3/rpc_client/cli_pipe.c
> > -+++ b/source3/rpc_client/cli_pipe.c
> > -@@ -3097,15 +3097,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > - return status;
> > - }
> > -
> > -- status = netlogon_creds_cli_context_copy(netlogon_creds,
> > -- rpccli,
> > -- &rpccli->netlogon_creds);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
> > -- nt_errstr(status)));
> > -- TALLOC_FREE(rpccli);
> > -- return status;
> > -- }
> > -
> > - done:
> > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> > -diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
> > -index 7c4cceb..7c5ff0e 100644
> > ---- a/source3/rpc_client/rpc_client.h
> > -+++ b/source3/rpc_client/rpc_client.h
> > -@@ -48,9 +48,6 @@ struct rpc_pipe_client {
> > - uint16 max_recv_frag;
> > -
> > - struct pipe_auth_data *auth;
> > --
> > -- /* The following is only non-null on a netlogon client pipe. */
> > -- struct netlogon_creds_cli_context *netlogon_creds;
> > - };
> > -
> > - #endif /* _RPC_CLIENT_H */
> > ---
> > -1.9.3
> > -
> > -
> > -From 710124dca6a97d9148d62bc9aa727568d5284e45 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Thu, 17 Oct 2013 19:17:12 +0200
> > -Subject: [PATCH 213/249] libcli/auth: remove unused
> > - netlogon_creds_cli_context_copy()
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 3d45d4dc3c69557bf1d1fe6d4a880ad74a2a41f1)
> > ----
> > - libcli/auth/netlogon_creds_cli.c | 47 ----------------------------------------
> > - libcli/auth/netlogon_creds_cli.h | 4 ----
> > - 2 files changed, 51 deletions(-)
> > -
> > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > -index 6590b21..1724064 100644
> > ---- a/libcli/auth/netlogon_creds_cli.c
> > -+++ b/libcli/auth/netlogon_creds_cli.c
> > -@@ -488,53 +488,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
> > - return NT_STATUS_OK;
> > - }
> > -
> > --NTSTATUS netlogon_creds_cli_context_copy(
> > -- const struct netlogon_creds_cli_context *src,
> > -- TALLOC_CTX *mem_ctx,
> > -- struct netlogon_creds_cli_context **_dst)
> > --{
> > -- struct netlogon_creds_cli_context *dst;
> > --
> > -- dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
> > -- if (dst == NULL) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- *dst = *src;
> > --
> > -- dst->client.computer = talloc_strdup(dst, src->client.computer);
> > -- if (dst->client.computer == NULL) {
> > -- TALLOC_FREE(dst);
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > -- dst->client.account = talloc_strdup(dst, src->client.account);
> > -- if (dst->client.account == NULL) {
> > -- TALLOC_FREE(dst);
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > -- dst->server.computer = talloc_strdup(dst, src->server.computer);
> > -- if (dst->server.computer == NULL) {
> > -- TALLOC_FREE(dst);
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > -- dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
> > -- if (dst->server.netbios_domain == NULL) {
> > -- TALLOC_FREE(dst);
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- dst->db.key_name = talloc_strdup(dst, src->db.key_name);
> > -- if (dst->db.key_name == NULL) {
> > -- TALLOC_FREE(dst);
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > --
> > -- dst->db.key_data = string_term_tdb_data(dst->db.key_name);
> > --
> > -- *_dst = dst;
> > -- return NT_STATUS_OK;
> > --}
> > --
> > - enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
> > - struct netlogon_creds_cli_context *context)
> > - {
> > -diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
> > -index f8f2bef..5bd8bd3 100644
> > ---- a/libcli/auth/netlogon_creds_cli.h
> > -+++ b/libcli/auth/netlogon_creds_cli.h
> > -@@ -49,10 +49,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
> > - const char *server_netbios_domain,
> > - TALLOC_CTX *mem_ctx,
> > - struct netlogon_creds_cli_context **_context);
> > --NTSTATUS netlogon_creds_cli_context_copy(
> > -- const struct netlogon_creds_cli_context *src,
> > -- TALLOC_CTX *mem_ctx,
> > -- struct netlogon_creds_cli_context **_dst);
> > -
> > - enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
> > - struct netlogon_creds_cli_context *context);
> > ---
> > -1.9.3
> > -
> > -
> > -From aa3a65e9770bb81e73b30e71b49855b18d012e68 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 6 Dec 2013 11:38:21 +0100
> > -Subject: [PATCH 214/249] lib/param: add "allow nt4 crypto" option, defaulting
> > - to false
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 87bdc88328568359e51af6615b378ba8dc67f647)
> > ----
> > - docs-xml/smbdotconf/logon/allownt4crypto.xml | 26 ++++++++++++++++++++++++++
> > - lib/param/param_functions.c | 1 +
> > - lib/param/param_table.c | 9 +++++++++
> > - 3 files changed, 36 insertions(+)
> > - create mode 100644 docs-xml/smbdotconf/logon/allownt4crypto.xml
> > -
> > -diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
> > -new file mode 100644
> > -index 0000000..4d417c7
> > ---- /dev/null
> > -+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
> > -@@ -0,0 +1,26 @@
> > -+<samba:parameter name="allow nt4 crypto"
> > -+ context="G"
> > -+ type="boolean"
> > -+ advanced="1"
> > -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > -+<description>
> > -+ <para>This option controls whether the netlogon server (currently
> > -+ only in 'active directory domain controller' mode), will
> > -+ reject clients which does not support NETLOGON_NEG_STRONG_KEYS
> > -+ nor NETLOGON_NEG_SUPPORTS_AES.</para>
> > -+
> > -+ <para>This option was added with Samba 4.2.0. It may lock out clients
> > -+ which worked fine with Samba versions up to 4.1.x. as the effective default
> > -+ was "yes" there, while it is "no" now.</para>
> > -+
> > -+ <para>If you have clients without RequireStrongKey = 1 in the registry,
> > -+ you may need to set "allow nt4 crypto = yes", until you have fixed all clients.
> > -+ </para>
> > -+
> > -+ <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
> > -+
> > -+ <para>This option yields precedence to the 'reject md5 clients' option.</para>
> > -+</description>
> > -+
> > -+<value type="default">no</value>
> > -+</samba:parameter>
> > -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> > -index 41b137f..bf931c6 100644
> > ---- a/lib/param/param_functions.c
> > -+++ b/lib/param/param_functions.c
> > -@@ -154,6 +154,7 @@ FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
> > - FN_LOCAL_BOOL(durable_handles, bDurableHandles)
> > -
> > - FN_GLOBAL_BOOL(allow_insecure_widelinks, bAllowInsecureWidelinks)
> > -+FN_GLOBAL_BOOL(allow_nt4_crypto, bAllowNT4Crypto)
> > - FN_GLOBAL_BOOL(allow_trusted_domains, bAllowTrustedDomains)
> > - FN_GLOBAL_BOOL(async_smb_echo_handler, bAsyncSMBEchoHandler)
> > - FN_GLOBAL_BOOL(bind_interfaces_only, bBindInterfacesOnly)
> > -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> > -index 36e8554..5ef78de 100644
> > ---- a/lib/param/param_table.c
> > -+++ b/lib/param/param_table.c
> > -@@ -4324,6 +4324,15 @@ static struct parm_struct parm_table[] = {
> > - .special = NULL,
> > - .enum_list = NULL
> > - },
> > -+ {
> > -+ .label = "allow nt4 crypto",
> > -+ .type = P_BOOL,
> > -+ .p_class = P_GLOBAL,
> > -+ .offset = GLOBAL_VAR(bAllowNT4Crypto),
> > -+ .special = NULL,
> > -+ .enum_list = NULL,
> > -+ .flags = FLAG_ADVANCED,
> > -+ },
> > -
> > - {N_("TLS options"), P_SEP, P_SEPARATOR},
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 51323c0574963065e2edf9346f310f08ce2b59e8 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 6 Dec 2013 11:39:15 +0100
> > -Subject: [PATCH 215/249] lib/param: add "reject md5 client" option, defaulting
> > - to false
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 807bcb4981fb20a9b97e69f01c3545ea7e85666e)
> > ----
> > - docs-xml/smbdotconf/logon/rejectmd5clients.xml | 18 ++++++++++++++++++
> > - lib/param/param_functions.c | 1 +
> > - lib/param/param_table.c | 9 +++++++++
> > - 3 files changed, 28 insertions(+)
> > - create mode 100644 docs-xml/smbdotconf/logon/rejectmd5clients.xml
> > -
> > -diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
> > -new file mode 100644
> > -index 0000000..04a5b4d
> > ---- /dev/null
> > -+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
> > -@@ -0,0 +1,18 @@
> > -+<samba:parameter name="reject md5 clients"
> > -+ context="G"
> > -+ type="boolean"
> > -+ advanced="1"
> > -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > -+<description>
> > -+ <para>This option controls whether the netlogon server (currently
> > -+ only in 'active directory domain controller' mode), will
> > -+ reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
> > -+
> > -+ <para>You can set this to yes if all domain members support aes.
> > -+ This will prevent downgrade attacks.</para>
> > -+
> > -+ <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
> > -+</description>
> > -+
> > -+<value type="default">no</value>
> > -+</samba:parameter>
> > -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> > -index bf931c6..99f0b7f 100644
> > ---- a/lib/param/param_functions.c
> > -+++ b/lib/param/param_functions.c
> > -@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
> > - FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
> > - FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
> > - FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
> > -+FN_GLOBAL_BOOL(reject_md5_clients, bRejectMD5Clients)
> > - FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
> > - FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
> > - FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
> > -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> > -index 5ef78de..4850324 100644
> > ---- a/lib/param/param_table.c
> > -+++ b/lib/param/param_table.c
> > -@@ -4333,6 +4333,15 @@ static struct parm_struct parm_table[] = {
> > - .enum_list = NULL,
> > - .flags = FLAG_ADVANCED,
> > - },
> > -+ {
> > -+ .label = "reject md5 clients",
> > -+ .type = P_BOOL,
> > -+ .p_class = P_GLOBAL,
> > -+ .offset = GLOBAL_VAR(bRejectMD5Clients),
> > -+ .special = NULL,
> > -+ .enum_list = NULL,
> > -+ .flags = FLAG_ADVANCED,
> > -+ },
> > -
> > - {N_("TLS options"), P_SEP, P_SEPARATOR},
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 4f3cd17f89ddedaf6e34bc17b220f6ae6993d0c0 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 6 Dec 2013 13:41:43 +0100
> > -Subject: [PATCH 216/249] selftest/Samba4: use "allow nt4 crypto = yes" for
> > - testing
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 0d4806f9f056c3e37f5aed1ef19e2924aa8f4151)
> > ----
> > - selftest/target/Samba4.pm | 1 +
> > - 1 file changed, 1 insertion(+)
> > -
> > -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
> > -index ac2fdd9..ee6a365 100644
> > ---- a/selftest/target/Samba4.pm
> > -+++ b/selftest/target/Samba4.pm
> > -@@ -776,6 +776,7 @@ sub provision($$$$$$$$$)
> > - server max protocol = SMB2
> > - host msdfs = $msdfs
> > - lanman auth = yes
> > -+ allow nt4 crypto = yes
> > -
> > - $extra_smbconf_options
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 32f88ae5a3d254c6e1b94ea2aaa45febf475af9e Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 23 Dec 2013 10:12:24 +0100
> > -Subject: [PATCH 217/249] s4:netlogon: correctly calculate the negotiate_flags
> > -
> > -We need to bit-wise AND the client and server flags.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 3b77b804cdc9e7621f026ef9bc8e7059f471348e)
> > ----
> > - source4/rpc_server/netlogon/dcerpc_netlogon.c | 59 +++++++++++++--------------
> > - 1 file changed, 28 insertions(+), 31 deletions(-)
> > -
> > -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -index c41cd02..b001cb5 100644
> > ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -@@ -120,6 +120,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > -
> > - const char *trust_dom_attrs[] = {"flatname", NULL};
> > - const char *account_name;
> > -+ uint32_t server_flags = 0;
> > - uint32_t negotiate_flags = 0;
> > -
> > - ZERO_STRUCTP(r->out.return_credentials);
> > -@@ -176,37 +177,33 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > - memcache_delete(global_challenge_table,
> > - SINGLETON_CACHE, challenge_key);
> > -
> > -- negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
> > -- NETLOGON_NEG_PERSISTENT_SAMREPL |
> > -- NETLOGON_NEG_ARCFOUR |
> > -- NETLOGON_NEG_PROMOTION_COUNT |
> > -- NETLOGON_NEG_CHANGELOG_BDC |
> > -- NETLOGON_NEG_FULL_SYNC_REPL |
> > -- NETLOGON_NEG_MULTIPLE_SIDS |
> > -- NETLOGON_NEG_REDO |
> > -- NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
> > -- NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
> > -- NETLOGON_NEG_GENERIC_PASSTHROUGH |
> > -- NETLOGON_NEG_CONCURRENT_RPC |
> > -- NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
> > -- NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
> > -- NETLOGON_NEG_TRANSITIVE_TRUSTS |
> > -- NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
> > -- NETLOGON_NEG_PASSWORD_SET2 |
> > -- NETLOGON_NEG_GETDOMAININFO |
> > -- NETLOGON_NEG_CROSS_FOREST_TRUSTS |
> > -- NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
> > -- NETLOGON_NEG_RODC_PASSTHROUGH |
> > -- NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
> > -- NETLOGON_NEG_AUTHENTICATED_RPC;
> > --
> > -- if (*r->in.negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
> > -- negotiate_flags |= NETLOGON_NEG_STRONG_KEYS;
> > -- }
> > --
> > -- if (*r->in.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -- negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
> > -- }
> > -+ server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
> > -+ NETLOGON_NEG_PERSISTENT_SAMREPL |
> > -+ NETLOGON_NEG_ARCFOUR |
> > -+ NETLOGON_NEG_PROMOTION_COUNT |
> > -+ NETLOGON_NEG_CHANGELOG_BDC |
> > -+ NETLOGON_NEG_FULL_SYNC_REPL |
> > -+ NETLOGON_NEG_MULTIPLE_SIDS |
> > -+ NETLOGON_NEG_REDO |
> > -+ NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
> > -+ NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
> > -+ NETLOGON_NEG_GENERIC_PASSTHROUGH |
> > -+ NETLOGON_NEG_CONCURRENT_RPC |
> > -+ NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
> > -+ NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
> > -+ NETLOGON_NEG_STRONG_KEYS |
> > -+ NETLOGON_NEG_TRANSITIVE_TRUSTS |
> > -+ NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
> > -+ NETLOGON_NEG_PASSWORD_SET2 |
> > -+ NETLOGON_NEG_GETDOMAININFO |
> > -+ NETLOGON_NEG_CROSS_FOREST_TRUSTS |
> > -+ NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
> > -+ NETLOGON_NEG_RODC_PASSTHROUGH |
> > -+ NETLOGON_NEG_SUPPORTS_AES |
> > -+ NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
> > -+ NETLOGON_NEG_AUTHENTICATED_RPC;
> > -+
> > -+ negotiate_flags = *r->in.negotiate_flags & server_flags;
> > -
> > - /*
> > - * According to Microsoft (see bugid #6099)
> > ---
> > -1.9.3
> > -
> > -
> > -From ce8c9b651d9da88a13a8cd0fe02e5f3e2f1f6b51 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Mon, 23 Dec 2013 10:10:17 +0100
> > -Subject: [PATCH 218/249] s4:netlogon: don't generate a debug message for
> > - SEC_CHAN_NULL.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 2e36fbc77dc43f31ec78cdbef23b94bd00d6f565)
> > ----
> > - source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 ++
> > - 1 file changed, 2 insertions(+)
> > -
> > -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -index b001cb5..45a7262 100644
> > ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -@@ -220,6 +220,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > - case SEC_CHAN_BDC:
> > - case SEC_CHAN_RODC:
> > - break;
> > -+ case SEC_CHAN_NULL:
> > -+ return NT_STATUS_INVALID_PARAMETER;
> > - default:
> > - DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
> > - r->in.secure_channel_type));
> > ---
> > -1.9.3
> > -
> > -
> > -From b4d5ace784d207f8562a4c93b55de415a81cec42 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 6 Dec 2013 12:08:50 +0100
> > -Subject: [PATCH 219/249] s4:netlogon: implement "allow nt4 crypto" and "reject
> > - md5 clients" features.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -
> > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > -Autobuild-Date(master): Tue Jan 7 16:53:31 CET 2014 on sn-devel-104
> > -(cherry picked from commit 7d2abf520df1ff46d79dfd8ff579c230f2bc3c2a)
> > ----
> > - source4/rpc_server/netlogon/dcerpc_netlogon.c | 20 ++++++++++++++++++++
> > - 1 file changed, 20 insertions(+)
> > -
> > -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -index 45a7262..6b57cda 100644
> > ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -@@ -122,6 +122,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > - const char *account_name;
> > - uint32_t server_flags = 0;
> > - uint32_t negotiate_flags = 0;
> > -+ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
> > -+ bool reject_des_client = !allow_nt4_crypto;
> > -+ bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
> > -
> > - ZERO_STRUCTP(r->out.return_credentials);
> > - *r->out.rid = 0;
> > -@@ -205,6 +208,23 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > -
> > - negotiate_flags = *r->in.negotiate_flags & server_flags;
> > -
> > -+ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
> > -+ reject_des_client = false;
> > -+ }
> > -+
> > -+ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > -+ reject_des_client = false;
> > -+ reject_md5_client = false;
> > -+ }
> > -+
> > -+ if (reject_des_client || reject_md5_client) {
> > -+ /*
> > -+ * Here we match Windows 2012 and return no flags.
> > -+ */
> > -+ *r->out.negotiate_flags = 0;
> > -+ return NT_STATUS_DOWNGRADE_DETECTED;
> > -+ }
> > -+
> > - /*
> > - * According to Microsoft (see bugid #6099)
> > - * Windows 7 looks at the negotiate_flags
> > ---
> > -1.9.3
> > -
> > -
> > -From ff28e17cdcbe8e1ec4a275d80b3e749da4920c6d Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Wed, 8 Jan 2014 12:04:22 +0100
> > -Subject: [PATCH 220/249] libcli/auth: fix usage of an uninitialized variable
> > - in netlogon_creds_cli_check_caps()
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -If status is RPC_PROCNUM_OUT_OF_RANGE, result might be uninitialized.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Günther Deschner <gd@samba.org>
> > -(cherry picked from commit 0e62f3279525ea864590f713f334f4dc5f5d3a32)
> > ----
> > - libcli/auth/netlogon_creds_cli.c | 4 ++--
> > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > -index 1724064..51b30a1 100644
> > ---- a/libcli/auth/netlogon_creds_cli.c
> > -+++ b/libcli/auth/netlogon_creds_cli.c
> > -@@ -1390,7 +1390,7 @@ struct netlogon_creds_cli_check_state {
> > - };
> > -
> > - static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
> > -- NTSTATUS status);
> > -+ NTSTATUS status);
> > - static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
> > -
> > - struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
> > -@@ -1582,7 +1582,7 @@ static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
> > - * with the next request as the sequence number processing
> > - * gets out of sync.
> > - */
> > -- netlogon_creds_cli_check_cleanup(req, result);
> > -+ netlogon_creds_cli_check_cleanup(req, status);
> > - tevent_req_done(req);
> > - return;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From d4902881482eeecf5a219342b3862ac0fbb7b7a9 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 17 Jan 2014 14:00:27 +0100
> > -Subject: [PATCH 221/249] libcli/auth: add netlogon_creds_cli_set_global_db()
> > -
> > -This can be used to inject a db_context from dbwrap_ctdb.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit ece3ba10a16138a75b207a0cf9fe299759253d99)
> > ----
> > - libcli/auth/netlogon_creds_cli.c | 10 ++++++++++
> > - libcli/auth/netlogon_creds_cli.h | 2 ++
> > - 2 files changed, 12 insertions(+)
> > -
> > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > -index 51b30a1..37bdf74 100644
> > ---- a/libcli/auth/netlogon_creds_cli.c
> > -+++ b/libcli/auth/netlogon_creds_cli.c
> > -@@ -199,6 +199,16 @@ static NTSTATUS netlogon_creds_cli_context_common(
> > -
> > - static struct db_context *netlogon_creds_cli_global_db;
> > -
> > -+NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db)
> > -+{
> > -+ if (netlogon_creds_cli_global_db != NULL) {
> > -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> > -+ }
> > -+
> > -+ netlogon_creds_cli_global_db = talloc_move(talloc_autofree_context(), db);
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > - NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
> > - {
> > - char *fname;
> > -diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
> > -index 5bd8bd3..90d0182 100644
> > ---- a/libcli/auth/netlogon_creds_cli.h
> > -+++ b/libcli/auth/netlogon_creds_cli.h
> > -@@ -28,7 +28,9 @@
> > - struct netlogon_creds_cli_context;
> > - struct messaging_context;
> > - struct dcerpc_binding_handle;
> > -+struct db_context;
> > -
> > -+NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db);
> > - NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
> > -
> > - NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > ---
> > -1.9.3
> > -
> > -
> > -From 80407a74da35cac64bef252698a2477787f0997d Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 17 Jan 2014 14:07:37 +0100
> > -Subject: [PATCH 222/249] s3:rpc_client: use db_open() to open
> > - "netlogon_creds_cli.tdb"
> > -
> > -This uses dbwrap_ctdb if running in a cluster.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 8cf4eff201aa9e1ba8127311bcfc2a357fb4ef03)
> > ----
> > - source3/rpc_client/cli_netlogon.c | 38 ++++++++++++++++++++++++++++++++++++--
> > - 1 file changed, 36 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index ca2d9bf..b7b490f 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -21,6 +21,7 @@
> > - */
> > -
> > - #include "includes.h"
> > -+#include "system/filesys.h"
> > - #include "libsmb/libsmb.h"
> > - #include "rpc_client/rpc_client.h"
> > - #include "rpc_client/cli_pipe.h"
> > -@@ -34,26 +35,53 @@
> > - #include "../libcli/security/security.h"
> > - #include "lib/param/param.h"
> > - #include "libcli/smb/smbXcli_base.h"
> > -+#include "dbwrap/dbwrap.h"
> > -+#include "dbwrap/dbwrap_open.h"
> > -+#include "util_tdb.h"
> > -
> > -
> > - NTSTATUS rpccli_pre_open_netlogon_creds(void)
> > - {
> > -- TALLOC_CTX *frame = talloc_stackframe();
> > -+ static bool already_open = false;
> > -+ TALLOC_CTX *frame;
> > - struct loadparm_context *lp_ctx;
> > -+ char *fname;
> > -+ struct db_context *global_db;
> > - NTSTATUS status;
> > -
> > -+ if (already_open) {
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+
> > -+ frame = talloc_stackframe();
> > -+
> > - lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> > - if (lp_ctx == NULL) {
> > - TALLOC_FREE(frame);
> > - return NT_STATUS_NO_MEMORY;
> > - }
> > -
> > -- status = netlogon_creds_cli_open_global_db(lp_ctx);
> > -+ fname = lpcfg_private_db_path(frame, lp_ctx, "netlogon_creds_cli");
> > -+ if (fname == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ global_db = db_open(talloc_autofree_context(), fname,
> > -+ 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > -+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
> > -+ if (global_db == NULL) {
> > -+ TALLOC_FREE(frame);
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+
> > -+ status = netlogon_creds_cli_set_global_db(&global_db);
> > - TALLOC_FREE(frame);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - return status;
> > - }
> > -
> > -+ already_open = true;
> > - return NT_STATUS_OK;
> > - }
> > -
> > -@@ -69,6 +97,12 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> > - struct loadparm_context *lp_ctx;
> > - NTSTATUS status;
> > -
> > -+ status = rpccli_pre_open_netlogon_creds();
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > -+ }
> > -+
> > - lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> > - if (lp_ctx == NULL) {
> > - TALLOC_FREE(frame);
> > ---
> > -1.9.3
> > -
> > -
> > -From 2ed3041405f5808031f2d5fd0e42f48246d22b7b Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 17 Jan 2014 14:08:59 +0100
> > -Subject: [PATCH 223/249] libcli/auth: don't alter the computer_name in cluster
> > - mode.
> > -
> > -This breaks NTLMv2 authentication.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 387ed2e15df085274f72cebda341040a1e767a4b)
> > ----
> > - libcli/auth/netlogon_creds_cli.c | 22 +++-------------------
> > - 1 file changed, 3 insertions(+), 19 deletions(-)
> > -
> > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > -index 37bdf74..88893ad 100644
> > ---- a/libcli/auth/netlogon_creds_cli.c
> > -+++ b/libcli/auth/netlogon_creds_cli.c
> > -@@ -261,28 +261,12 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > - bool seal_secure_channel = true;
> > - enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
> > - bool neutralize_nt4_emulation = false;
> > -- struct server_id self = {
> > -- .vnn = NONCLUSTER_VNN,
> > -- .unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
> > -- };
> > --
> > -- if (msg_ctx != NULL) {
> > -- self = messaging_server_id(msg_ctx);
> > -- }
> > -
> > - *_context = NULL;
> > -
> > -- if (self.vnn != NONCLUSTER_VNN) {
> > -- client_computer = talloc_asprintf(frame,
> > -- "%s_cluster_vnn_%u",
> > -- lpcfg_netbios_name(lp_ctx),
> > -- (unsigned)self.vnn);
> > -- if (client_computer == NULL) {
> > -- TALLOC_FREE(frame);
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > -- } else {
> > -- client_computer = lpcfg_netbios_name(lp_ctx);
> > -+ client_computer = lpcfg_netbios_name(lp_ctx);
> > -+ if (strlen(client_computer) > 15) {
> > -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> > - }
> > -
> > - /*
> > ---
> > -1.9.3
> > -
> > -
> > -From 8257c3a5d6e8319578d224e544242da81b043a54 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Fri, 10 Jan 2014 13:13:40 +0100
> > -Subject: [PATCH 224/249] libcli/auth: reject computer_name longer than 15
> > - chars
> > -
> > -This matches Windows, it seems they use a fixed size field to store
> > -netlogon_creds_CredentialState.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit b8fdeb8ca7ce362058bb86a4e58b34fb6340867e)
> > ----
> > - libcli/auth/schannel_state_tdb.c | 8 ++++++++
> > - 1 file changed, 8 insertions(+)
> > -
> > -diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
> > -index 8f9c1f0..b91e242 100644
> > ---- a/libcli/auth/schannel_state_tdb.c
> > -+++ b/libcli/auth/schannel_state_tdb.c
> > -@@ -78,6 +78,14 @@ NTSTATUS schannel_store_session_key_tdb(struct db_context *db_sc,
> > - char *name_upper;
> > - NTSTATUS status;
> > -
> > -+ if (strlen(creds->computer_name) > 15) {
> > -+ /*
> > -+ * We may want to check for a completely
> > -+ * valid netbios name.
> > -+ */
> > -+ return STATUS_BUFFER_OVERFLOW;
> > -+ }
> > -+
> > - name_upper = strupper_talloc(mem_ctx, creds->computer_name);
> > - if (!name_upper) {
> > - return NT_STATUS_NO_MEMORY;
> > ---
> > -1.9.3
> > -
> > -
> > -From d6af8ed76f728621a8ba7515cf1180d6654c8d83 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 11 Jan 2014 17:13:04 +0100
> > -Subject: [PATCH 225/249] s3:rpc_server/netlogon: return a zero
> > - return_authenticator on error
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit dcc2c8362df9af088613722ebd8a6261fb098a5c)
> > ----
> > - source3/rpc_server/netlogon/srv_netlog_nt.c | 1 +
> > - 1 file changed, 1 insertion(+)
> > -
> > -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
> > -index 09857b6..7bb9dd6 100644
> > ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
> > -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
> > -@@ -1020,6 +1020,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
> > - talloc_unlink(p->mem_ctx, lp_ctx);
> > -
> > - if (!NT_STATUS_IS_OK(status)) {
> > -+ ZERO_STRUCTP(r->out.return_credentials);
> > - goto out;
> > - }
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From be06629b25f8340ac54a9e674e6a5da1eb01e733 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Sat, 11 Jan 2014 17:13:04 +0100
> > -Subject: [PATCH 226/249] s4:rpc_server/netlogon: return a zero
> > - return_authenticator and rid on error
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > -(cherry picked from commit 25fb73f2821821630dde4cc263794e754ca03d68)
> > ----
> > - source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++++++----
> > - 1 file changed, 8 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -index 6b57cda..afa15d8 100644
> > ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > -@@ -348,9 +348,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > - return NT_STATUS_INTERNAL_ERROR;
> > - }
> > -
> > -- *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
> > -- "objectSid", 0);
> > --
> > - mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "unicodePwd");
> > - if (mach_pwd == NULL) {
> > - return NT_STATUS_ACCESS_DENIED;
> > -@@ -383,8 +380,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > - nt_status = schannel_save_creds_state(mem_ctx,
> > - dce_call->conn->dce_ctx->lp_ctx,
> > - creds);
> > -+ if (!NT_STATUS_IS_OK(nt_status)) {
> > -+ ZERO_STRUCTP(r->out.return_credentials);
> > -+ return nt_status;
> > -+ }
> > -
> > -- return nt_status;
> > -+ *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
> > -+ "objectSid", 0);
> > -+
> > -+ return NT_STATUS_OK;
> > - }
> > -
> > - static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
> > ---
> > -1.9.3
> > -
> > -
> > -From f5fe58d49fc66867db743393a92e1cd8e4cb293b Mon Sep 17 00:00:00 2001
> > -From: Michael Adam <obnox@samba.org>
> > -Date: Wed, 29 Jan 2014 16:58:37 +0100
> > -Subject: [PATCH 227/249] dbwrap_tool: remove the short form "-p" of
> > - "--persistent"
> > -
> > -Signed-off-by: Michael Adam <obnox@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 6dd1008c4e8b0b798d589959021c9b578db74ff4)
> > ----
> > - source3/utils/dbwrap_tool.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
> > -index 79b40d2..406e89e 100644
> > ---- a/source3/utils/dbwrap_tool.c
> > -+++ b/source3/utils/dbwrap_tool.c
> > -@@ -420,7 +420,7 @@ int main(int argc, const char **argv)
> > - struct poptOption popt_options[] = {
> > - POPT_AUTOHELP
> > - POPT_COMMON_SAMBA
> > -- { "persistent", 'p', POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
> > -+ { "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
> > - POPT_TABLEEND
> > - };
> > - int opt;
> > ---
> > -1.9.3
> > -
> > -
> > -From 209b5ec86620f8caadcc714db0cbec4789db0377 Mon Sep 17 00:00:00 2001
> > -From: Michael Adam <obnox@samba.org>
> > -Date: Thu, 30 Jan 2014 10:33:00 +0100
> > -Subject: [PATCH 228/249] docs: remove short form "-p" of --persistent from
> > - dbwrap_tool manpage
> > -
> > -Signed-off-by: Michael Adam <obnox@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 6f748fef652bbea3c8dbbbfb96b95270e6f1dcfc)
> > ----
> > - docs-xml/manpages/dbwrap_tool.1.xml | 4 ++--
> > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
> > -index 074d819..94ae281 100644
> > ---- a/docs-xml/manpages/dbwrap_tool.1.xml
> > -+++ b/docs-xml/manpages/dbwrap_tool.1.xml
> > -@@ -19,7 +19,7 @@
> > - <refsynopsisdiv>
> > - <cmdsynopsis>
> > - <command>dbwrap_tool</command>
> > -- <arg choice="opt">-p|--persistent</arg>
> > -+ <arg choice="opt">--persistent</arg>
> > - <arg choice="opt">-d <debug level></arg>
> > - <arg choice="opt">-s <config file></arg>
> > - <arg choice="opt">-l <log file base></arg>
> > -@@ -70,7 +70,7 @@
> > -
> > - <variablelist>
> > - <varlistentry>
> > -- <term>-p|--persistent</term>
> > -+ <term>--persistent</term>
> > - <listitem><para>Open the database as a persistent database.
> > - If this option is not specified, the database is opened as
> > - non-persistent.
> > ---
> > -1.9.3
> > -
> > -
> > -From f3b8b74ff6d74fe9a0047256074e21c3363b112f Mon Sep 17 00:00:00 2001
> > -From: Michael Adam <obnox@samba.org>
> > -Date: Thu, 30 Jan 2014 10:29:49 +0100
> > -Subject: [PATCH 229/249] dbwrap_tool: add option "--non-persistent" and force
> > - excatly one of "--[non-]persistent"
> > -
> > -We want to force users of dbwrap_tool to explicitly specify
> > -persistent or non-persistent. Otherwise, one could easily
> > -by accident wipe a whole database that is actually persistent
> > -but not currently opened by a samba process, just by openeing
> > -the DB with the default non-persistent mode...
> > -
> > -Signed-off-by: Michael Adam <obnox@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit c3f93271ef447f9f16cd3002307c630c5f149f5a)
> > ----
> > - source3/utils/dbwrap_tool.c | 23 ++++++++++++++++++-----
> > - 1 file changed, 18 insertions(+), 5 deletions(-)
> > -
> > -diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
> > -index 406e89e..ffca6b6 100644
> > ---- a/source3/utils/dbwrap_tool.c
> > -+++ b/source3/utils/dbwrap_tool.c
> > -@@ -411,6 +411,7 @@ int main(int argc, const char **argv)
> > - enum dbwrap_type type;
> > - const char *valuestr = "0";
> > - int persistent = 0;
> > -+ int non_persistent = 0;
> > - int tdb_flags = TDB_DEFAULT;
> > -
> > - TALLOC_CTX *mem_ctx = talloc_stackframe();
> > -@@ -420,7 +421,13 @@ int main(int argc, const char **argv)
> > - struct poptOption popt_options[] = {
> > - POPT_AUTOHELP
> > - POPT_COMMON_SAMBA
> > -- { "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
> > -+ { "non-persistent", 0, POPT_ARG_NONE, &non_persistent, 0,
> > -+ "treat the database as non-persistent "
> > -+ "(CAVEAT: This mode might wipe your database!)",
> > -+ NULL },
> > -+ { "persistent", 0, POPT_ARG_NONE, &persistent, 0,
> > -+ "treat the database as persistent",
> > -+ NULL },
> > - POPT_TABLEEND
> > - };
> > - int opt;
> > -@@ -463,6 +470,16 @@ int main(int argc, const char **argv)
> > - goto done;
> > - }
> > -
> > -+ if ((persistent == 0 && non_persistent == 0) ||
> > -+ (persistent == 1 && non_persistent == 1))
> > -+ {
> > -+ d_fprintf(stderr, "ERROR: you must specify exactly one "
> > -+ "of --persistent and --non-persistent\n");
> > -+ goto done;
> > -+ } else if (non_persistent == 1) {
> > -+ tdb_flags |= TDB_CLEAR_IF_FIRST;
> > -+ }
> > -+
> > - dbname = extra_argv[0];
> > - opname = extra_argv[1];
> > -
> > -@@ -563,10 +580,6 @@ int main(int argc, const char **argv)
> > - goto done;
> > - }
> > -
> > -- if (persistent == 0) {
> > -- tdb_flags |= TDB_CLEAR_IF_FIRST;
> > -- }
> > --
> > - switch (op) {
> > - case OP_FETCH:
> > - case OP_STORE:
> > ---
> > -1.9.3
> > -
> > -
> > -From 7209e84e02c722365bec4e2a473c24217cbeb22b Mon Sep 17 00:00:00 2001
> > -From: Michael Adam <obnox@samba.org>
> > -Date: Thu, 30 Jan 2014 10:36:46 +0100
> > -Subject: [PATCH 230/249] docs: document new --non-persistent option to
> > - dbwrap_tool
> > -
> > -Signed-off-by: Michael Adam <obnox@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 1e3b352f799038ec25437db53e051dadb9d97c95)
> > ----
> > - docs-xml/manpages/dbwrap_tool.1.xml | 20 ++++++++++++++++++--
> > - 1 file changed, 18 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
> > -index 94ae281..ff0e478 100644
> > ---- a/docs-xml/manpages/dbwrap_tool.1.xml
> > -+++ b/docs-xml/manpages/dbwrap_tool.1.xml
> > -@@ -20,6 +20,7 @@
> > - <cmdsynopsis>
> > - <command>dbwrap_tool</command>
> > - <arg choice="opt">--persistent</arg>
> > -+ <arg choice="opt">--non-persistent</arg>
> > - <arg choice="opt">-d <debug level></arg>
> > - <arg choice="opt">-s <config file></arg>
> > - <arg choice="opt">-l <log file base></arg>
> > -@@ -72,8 +73,23 @@
> > - <varlistentry>
> > - <term>--persistent</term>
> > - <listitem><para>Open the database as a persistent database.
> > -- If this option is not specified, the database is opened as
> > -- non-persistent.
> > -+ </para>
> > -+ <para>
> > -+ Exactly one of --persistent and --non-persistent must be
> > -+ specified.
> > -+ </para></listitem>
> > -+ </varlistentry>
> > -+ <varlistentry>
> > -+ <term>--non-persistent</term>
> > -+ <listitem><para>Open the database as a non-persistent database.
> > -+ </para>
> > -+ <para>
> > -+ Caveat: opening a database as non-persistent when there
> > -+ is currently no other opener will wipe the database.
> > -+ </para>
> > -+ <para>
> > -+ Exactly one of --persistent and --non-persistent must be
> > -+ specified.
> > - </para></listitem>
> > - </varlistentry>
> > - &popt.common.samba.client;
> > ---
> > -1.9.3
> > -
> > -
> > -From accf5a617055c161540384fdfe195ad9c43cd048 Mon Sep 17 00:00:00 2001
> > -From: Michael Adam <obnox@samba.org>
> > -Date: Thu, 30 Jan 2014 10:47:15 +0100
> > -Subject: [PATCH 231/249] docs: remove extra spaces in synopsis of dbwrap_tool
> > -
> > -Signed-off-by: Michael Adam <obnox@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit e93f052e37e736e5776fe7f7c7d246f9ecc4b4c8)
> > ----
> > - docs-xml/manpages/dbwrap_tool.1.xml | 4 +---
> > - 1 file changed, 1 insertion(+), 3 deletions(-)
> > -
> > -diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
> > -index ff0e478..68a88df 100644
> > ---- a/docs-xml/manpages/dbwrap_tool.1.xml
> > -+++ b/docs-xml/manpages/dbwrap_tool.1.xml
> > -@@ -30,9 +30,7 @@
> > - <arg choice="req"><operation></arg>
> > - <arg choice="opt"><key>
> > - <arg choice="opt"><type>
> > -- <arg choice="opt"><value></arg>
> > -- </arg>
> > -- </arg>
> > -+ <arg choice="opt"><value></arg></arg></arg>
> > - </cmdsynopsis>
> > - </refsynopsisdiv>
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 0e193981caa2ad9458e758a46076664d2efdb70e Mon Sep 17 00:00:00 2001
> > -From: Michael Adam <obnox@samba.org>
> > -Date: Fri, 24 Jan 2014 00:09:50 +0100
> > -Subject: [PATCH 232/249] smbd:smb2: fix durable reconnect: set fsp->fnum from
> > - the smbXsrv_open->local_id
> > -
> > -Originally, fsp->fnum was left at the INVALID fnum value.
> > -
> > -Signed-off-by: Michael Adam <obnox@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 6b2d67a345e90306f0d35402d0f4e3067a014057)
> > ----
> > - source3/smbd/durable.c | 1 +
> > - 1 file changed, 1 insertion(+)
> > -
> > -diff --git a/source3/smbd/durable.c b/source3/smbd/durable.c
> > -index c3d0a6f..471c5b9 100644
> > ---- a/source3/smbd/durable.c
> > -+++ b/source3/smbd/durable.c
> > -@@ -703,6 +703,7 @@ NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
> > - fsp->share_access = e->share_access;
> > - fsp->can_read = ((fsp->access_mask & (FILE_READ_DATA)) != 0);
> > - fsp->can_write = ((fsp->access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) != 0);
> > -+ fsp->fnum = op->local_id;
> > -
> > - /*
> > - * TODO:
> > ---
> > -1.9.3
> > -
> > -
> > -From dbc1d6f8479cf84c714c4ed6b69df2a3673d0a46 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 24 Dec 2013 09:00:01 +0100
> > -Subject: [PATCH 233/249] s3:smbd: skip empty records in smbXsrv_open_cleanup()
> > -
> > -This should avoid scary ndr_pull errors, if there's
> > -a cleanup race.
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Michael Adam <obnox@samba.org>
> > -
> > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > -Autobuild-Date(master): Thu Jan 30 18:49:37 CET 2014 on sn-devel-104
> > -(cherry picked from commit 0b23345676c6f02d5bb1a327174d8456705ec0c7)
> > ----
> > - source3/smbd/smbXsrv_open.c | 9 +++++++++
> > - 1 file changed, 9 insertions(+)
> > -
> > -diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
> > -index 27dd50c..29c172c 100644
> > ---- a/source3/smbd/smbXsrv_open.c
> > -+++ b/source3/smbd/smbXsrv_open.c
> > -@@ -1380,6 +1380,7 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
> > - struct smbXsrv_open_global0 *op = NULL;
> > - uint8_t key_buf[SMBXSRV_OPEN_GLOBAL_TDB_KEY_SIZE];
> > - TDB_DATA key;
> > -+ TDB_DATA val;
> > - struct db_record *rec;
> > - bool delete_open = false;
> > - uint32_t global_id = persistent_id & UINT32_MAX;
> > -@@ -1395,6 +1396,14 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
> > - goto done;
> > - }
> > -
> > -+ val = dbwrap_record_get_value(rec);
> > -+ if (val.dsize == 0) {
> > -+ DEBUG(10, ("smbXsrv_open_cleanup[global: 0x%08x] "
> > -+ "empty record in %s, skipping...\n",
> > -+ global_id, dbwrap_name(smbXsrv_open_global_db_ctx)));
> > -+ goto done;
> > -+ }
> > -+
> > - status = smbXsrv_open_global_parse_record(talloc_tos(), rec, &op);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(1, ("smbXsrv_open_cleanup[global: 0x%08x] "
> > ---
> > -1.9.3
> > -
> > -
> > -From 838d9da4a7fe6c90ba7cae6563f0af5d8b6cf6d5 Mon Sep 17 00:00:00 2001
> > -From: Michael Adam <obnox@samba.org>
> > -Date: Mon, 27 Jan 2014 13:38:51 +0100
> > -Subject: [PATCH 234/249] dbwrap: add flags DBWRAP_FLAG_NONE
> > -
> > -This is in preparation of adding a dbwrap_flags argument to db_open
> > -and firends.
> > -
> > -Signed-off-by: Michael Adam <obnox@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 229dcfd3501e4743d5d9aea5c9f7a97d7612a499)
> > ----
> > - lib/dbwrap/dbwrap.h | 2 ++
> > - 1 file changed, 2 insertions(+)
> > -
> > -diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
> > -index 8bf3286..4064ba2 100644
> > ---- a/lib/dbwrap/dbwrap.h
> > -+++ b/lib/dbwrap/dbwrap.h
> > -@@ -32,6 +32,8 @@ enum dbwrap_lock_order {
> > - };
> > - #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
> > -
> > -+#define DBWRAP_FLAG_NONE 0x0000000000000000ULL
> > -+
> > - /* The following definitions come from lib/dbwrap.c */
> > -
> > - TDB_DATA dbwrap_record_get_key(const struct db_record *rec);
> > ---
> > -1.9.3
> > -
> > -
> > -From 868d8e2fa389ab0c697e9a70a4373908aa7df80b Mon Sep 17 00:00:00 2001
> > -From: Michael Adam <obnox@samba.org>
> > -Date: Mon, 27 Jan 2014 14:49:12 +0100
> > -Subject: [PATCH 235/249] dbwrap: add a dbwrap_flags argument to db_open()
> > -
> > -This is in preparation to support handing flags to backends,
> > -in particular activating read only record support for ctdb
> > -databases. For a start, this does nothing but adding the
> > -parameter, and all databases use DBWRAP_FLAG_NONE.
> > -
> > -Signed-off-by: Michael Adam <obnox@samba.org>
> > -(similar to commit cf0cb0add9ed47b8974272237fee0e1a4ba7bf68)
> > ----
> > - source3/groupdb/mapping_tdb.c | 2 +-
> > - source3/lib/dbwrap/dbwrap_open.c | 3 ++-
> > - source3/lib/dbwrap/dbwrap_open.h | 3 ++-
> > - source3/lib/dbwrap/dbwrap_watch.c | 3 ++-
> > - source3/lib/g_lock.c | 3 ++-
> > - source3/lib/serverid.c | 3 ++-
> > - source3/lib/sharesec.c | 2 +-
> > - source3/locking/brlock.c | 2 +-
> > - source3/locking/share_mode_lock.c | 2 +-
> > - source3/modules/vfs_acl_tdb.c | 2 +-
> > - source3/modules/vfs_xattr_tdb.c | 2 +-
> > - source3/passdb/account_pol.c | 4 ++--
> > - source3/passdb/pdb_tdb.c | 6 +++---
> > - source3/passdb/secrets.c | 2 +-
> > - source3/printing/printer_list.c | 3 ++-
> > - source3/registry/reg_backend_db.c | 6 +++---
> > - source3/rpc_client/cli_netlogon.c | 3 ++-
> > - source3/smbd/notify_internal.c | 2 +-
> > - source3/smbd/smbXsrv_open.c | 3 ++-
> > - source3/smbd/smbXsrv_session.c | 3 ++-
> > - source3/smbd/smbXsrv_tcon.c | 3 ++-
> > - source3/smbd/smbXsrv_version.c | 3 ++-
> > - source3/torture/test_dbwrap_watch.c | 3 ++-
> > - source3/torture/test_idmap_tdb_common.c | 2 +-
> > - source3/torture/torture.c | 3 ++-
> > - source3/utils/dbwrap_tool.c | 2 +-
> > - source3/utils/dbwrap_torture.c | 2 +-
> > - source3/utils/net_idmap.c | 6 +++---
> > - source3/utils/net_idmap_check.c | 2 +-
> > - source3/utils/net_registry_check.c | 4 ++--
> > - source3/utils/status.c | 2 +-
> > - source3/winbindd/idmap_autorid.c | 2 +-
> > - source3/winbindd/idmap_tdb.c | 2 +-
> > - source3/winbindd/idmap_tdb2.c | 2 +-
> > - 34 files changed, 55 insertions(+), 42 deletions(-)
> > -
> > -diff --git a/source3/groupdb/mapping_tdb.c b/source3/groupdb/mapping_tdb.c
> > -index 088874f..0863187 100644
> > ---- a/source3/groupdb/mapping_tdb.c
> > -+++ b/source3/groupdb/mapping_tdb.c
> > -@@ -54,7 +54,7 @@ static bool init_group_mapping(void)
> > -
> > - db = db_open(NULL, state_path("group_mapping.tdb"), 0,
> > - TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (db == NULL) {
> > - DEBUG(0, ("Failed to open group mapping database: %s\n",
> > - strerror(errno)));
> > -diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
> > -index 515b4bf..6c9280c 100644
> > ---- a/source3/lib/dbwrap/dbwrap_open.c
> > -+++ b/source3/lib/dbwrap/dbwrap_open.c
> > -@@ -60,7 +60,8 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
> > - const char *name,
> > - int hash_size, int tdb_flags,
> > - int open_flags, mode_t mode,
> > -- enum dbwrap_lock_order lock_order)
> > -+ enum dbwrap_lock_order lock_order,
> > -+ uint64_t dbwrap_flags)
> > - {
> > - struct db_context *result = NULL;
> > - #ifdef CLUSTER_SUPPORT
> > -diff --git a/source3/lib/dbwrap/dbwrap_open.h b/source3/lib/dbwrap/dbwrap_open.h
> > -index 51c7dfd..d14794e 100644
> > ---- a/source3/lib/dbwrap/dbwrap_open.h
> > -+++ b/source3/lib/dbwrap/dbwrap_open.h
> > -@@ -39,6 +39,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
> > - const char *name,
> > - int hash_size, int tdb_flags,
> > - int open_flags, mode_t mode,
> > -- enum dbwrap_lock_order lock_order);
> > -+ enum dbwrap_lock_order lock_order,
> > -+ uint64_t dbwrap_flags);
> > -
> > - #endif /* __DBWRAP_OPEN_H__ */
> > -diff --git a/source3/lib/dbwrap/dbwrap_watch.c b/source3/lib/dbwrap/dbwrap_watch.c
> > -index 7bdcd99..5f3d17d 100644
> > ---- a/source3/lib/dbwrap/dbwrap_watch.c
> > -+++ b/source3/lib/dbwrap/dbwrap_watch.c
> > -@@ -34,7 +34,8 @@ static struct db_context *dbwrap_record_watchers_db(void)
> > - watchers_db = db_open(
> > - NULL, lock_path("dbwrap_watchers.tdb"), 0,
> > - TDB_CLEAR_IF_FIRST | TDB_INCOMPATIBLE_HASH,
> > -- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3);
> > -+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3,
> > -+ DBWRAP_FLAG_NONE);
> > - }
> > - return watchers_db;
> > - }
> > -diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
> > -index 8c7a6c2..6813f06 100644
> > ---- a/source3/lib/g_lock.c
> > -+++ b/source3/lib/g_lock.c
> > -@@ -61,7 +61,8 @@ struct g_lock_ctx *g_lock_ctx_init(TALLOC_CTX *mem_ctx,
> > - result->db = db_open(result, lock_path("g_lock.tdb"), 0,
> > - TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > - O_RDWR|O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_2);
> > -+ DBWRAP_LOCK_ORDER_2,
> > -+ DBWRAP_FLAG_NONE);
> > - if (result->db == NULL) {
> > - DEBUG(1, ("g_lock_init: Could not open g_lock.tdb\n"));
> > - TALLOC_FREE(result);
> > -diff --git a/source3/lib/serverid.c b/source3/lib/serverid.c
> > -index cb49520..4259887 100644
> > ---- a/source3/lib/serverid.c
> > -+++ b/source3/lib/serverid.c
> > -@@ -77,7 +77,8 @@ static struct db_context *serverid_db(void)
> > - }
> > - db = db_open(NULL, lock_path("serverid.tdb"), 0,
> > - TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > -- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2);
> > -+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2,
> > -+ DBWRAP_FLAG_NONE);
> > - return db;
> > - }
> > -
> > -diff --git a/source3/lib/sharesec.c b/source3/lib/sharesec.c
> > -index c7a8e51..095c851 100644
> > ---- a/source3/lib/sharesec.c
> > -+++ b/source3/lib/sharesec.c
> > -@@ -149,7 +149,7 @@ bool share_info_db_init(void)
> > -
> > - share_db = db_open(NULL, state_path("share_info.tdb"), 0,
> > - TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (share_db == NULL) {
> > - DEBUG(0,("Failed to open share info database %s (%s)\n",
> > - state_path("share_info.tdb"), strerror(errno) ));
> > -diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
> > -index 5d683dd..d88aa2d 100644
> > ---- a/source3/locking/brlock.c
> > -+++ b/source3/locking/brlock.c
> > -@@ -292,7 +292,7 @@ void brl_init(bool read_only)
> > - brlock_db = db_open(NULL, lock_path("brlock.tdb"),
> > - lp_open_files_db_hash_size(), tdb_flags,
> > - read_only?O_RDONLY:(O_RDWR|O_CREAT), 0644,
> > -- DBWRAP_LOCK_ORDER_2);
> > -+ DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
> > - if (!brlock_db) {
> > - DEBUG(0,("Failed to open byte range locking database %s\n",
> > - lock_path("brlock.tdb")));
> > -diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c
> > -index 4f049bd..22f8d9a 100644
> > ---- a/source3/locking/share_mode_lock.c
> > -+++ b/source3/locking/share_mode_lock.c
> > -@@ -67,7 +67,7 @@ static bool locking_init_internal(bool read_only)
> > - lp_open_files_db_hash_size(),
> > - TDB_DEFAULT|TDB_VOLATILE|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > - read_only?O_RDONLY:O_RDWR|O_CREAT, 0644,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > -
> > - if (!lock_db) {
> > - DEBUG(0,("ERROR: Failed to initialise locking database\n"));
> > -diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
> > -index 80839e3..8ee4bd5 100644
> > ---- a/source3/modules/vfs_acl_tdb.c
> > -+++ b/source3/modules/vfs_acl_tdb.c
> > -@@ -60,7 +60,7 @@ static bool acl_tdb_init(void)
> > -
> > - become_root();
> > - acl_db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - unbecome_root();
> > -
> > - if (acl_db == NULL) {
> > -diff --git a/source3/modules/vfs_xattr_tdb.c b/source3/modules/vfs_xattr_tdb.c
> > -index 43456cf..63a12fd 100644
> > ---- a/source3/modules/vfs_xattr_tdb.c
> > -+++ b/source3/modules/vfs_xattr_tdb.c
> > -@@ -320,7 +320,7 @@ static bool xattr_tdb_init(int snum, TALLOC_CTX *mem_ctx, struct db_context **p_
> > -
> > - become_root();
> > - db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_2);
> > -+ DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
> > - unbecome_root();
> > -
> > - if (db == NULL) {
> > -diff --git a/source3/passdb/account_pol.c b/source3/passdb/account_pol.c
> > -index c94df29..09a2d20 100644
> > ---- a/source3/passdb/account_pol.c
> > -+++ b/source3/passdb/account_pol.c
> > -@@ -220,13 +220,13 @@ bool init_account_policy(void)
> > - }
> > -
> > - db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT,
> > -- O_RDWR, 0600, DBWRAP_LOCK_ORDER_1);
> > -+ O_RDWR, 0600, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > -
> > - if (db == NULL) { /* the account policies files does not exist or open
> > - * failed, try to create a new one */
> > - db = db_open(NULL, state_path("account_policy.tdb"), 0,
> > - TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (db == NULL) {
> > - DEBUG(0,("Failed to open account policy database\n"));
> > - return False;
> > -diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
> > -index f256e6c..162083f 100644
> > ---- a/source3/passdb/pdb_tdb.c
> > -+++ b/source3/passdb/pdb_tdb.c
> > -@@ -226,7 +226,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
> > -
> > - tmp_db = db_open(NULL, tmp_fname, 0,
> > - TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (tmp_db == NULL) {
> > - DEBUG(0, ("tdbsam_convert_backup: Failed to create backup TDB passwd "
> > - "[%s]\n", tmp_fname));
> > -@@ -293,7 +293,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
> > -
> > - orig_db = db_open(NULL, dbname, 0,
> > - TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (orig_db == NULL) {
> > - DEBUG(0, ("tdbsam_convert_backup: Failed to re-open "
> > - "converted passdb TDB [%s]\n", dbname));
> > -@@ -444,7 +444,7 @@ static bool tdbsam_open( const char *name )
> > - /* Try to open tdb passwd. Create a new one if necessary */
> > -
> > - db_sam = db_open(NULL, name, 0, TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (db_sam == NULL) {
> > - DEBUG(0, ("tdbsam_open: Failed to open/create TDB passwd "
> > - "[%s]\n", name));
> > -diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
> > -index 548b030..bff9a0d 100644
> > ---- a/source3/passdb/secrets.c
> > -+++ b/source3/passdb/secrets.c
> > -@@ -79,7 +79,7 @@ bool secrets_init_path(const char *private_dir, bool use_ntdb)
> > -
> > - db_ctx = db_open(NULL, fname, 0,
> > - TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > -
> > - if (db_ctx == NULL) {
> > - DEBUG(0,("Failed to open %s\n", fname));
> > -diff --git a/source3/printing/printer_list.c b/source3/printing/printer_list.c
> > -index 815f89f..9a9fa0b 100644
> > ---- a/source3/printing/printer_list.c
> > -+++ b/source3/printing/printer_list.c
> > -@@ -40,7 +40,8 @@ static struct db_context *get_printer_list_db(void)
> > - }
> > - db = db_open(NULL, PL_DB_NAME(), 0,
> > - TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > -- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1);
> > -+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1,
> > -+ DBWRAP_FLAG_NONE);
> > - return db;
> > - }
> > -
> > -diff --git a/source3/registry/reg_backend_db.c b/source3/registry/reg_backend_db.c
> > -index 3e561eb..fdaf576 100644
> > ---- a/source3/registry/reg_backend_db.c
> > -+++ b/source3/registry/reg_backend_db.c
> > -@@ -732,11 +732,11 @@ WERROR regdb_init(void)
> > -
> > - regdb = db_open(NULL, state_path("registry.tdb"), 0,
> > - REG_TDB_FLAGS, O_RDWR, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (!regdb) {
> > - regdb = db_open(NULL, state_path("registry.tdb"), 0,
> > - REG_TDB_FLAGS, O_RDWR|O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (!regdb) {
> > - werr = ntstatus_to_werror(map_nt_error_from_unix(errno));
> > - DEBUG(1,("regdb_init: Failed to open registry %s (%s)\n",
> > -@@ -852,7 +852,7 @@ WERROR regdb_open( void )
> > -
> > - regdb = db_open(NULL, state_path("registry.tdb"), 0,
> > - REG_TDB_FLAGS, O_RDWR, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if ( !regdb ) {
> > - result = ntstatus_to_werror( map_nt_error_from_unix( errno ) );
> > - DEBUG(0,("regdb_open: Failed to open %s! (%s)\n",
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index b7b490f..9e3c1bd 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -69,7 +69,8 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
> > -
> > - global_db = db_open(talloc_autofree_context(), fname,
> > - 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > -- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
> > -+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
> > -+ DBWRAP_FLAG_NONE);
> > - if (global_db == NULL) {
> > - TALLOC_FREE(frame);
> > - return NT_STATUS_NO_MEMORY;
> > -diff --git a/source3/smbd/notify_internal.c b/source3/smbd/notify_internal.c
> > -index 2dc8674..67d8774 100644
> > ---- a/source3/smbd/notify_internal.c
> > -+++ b/source3/smbd/notify_internal.c
> > -@@ -145,7 +145,7 @@ struct notify_context *notify_init(TALLOC_CTX *mem_ctx,
> > - notify->db_index = db_open(
> > - notify, lock_path("notify_index.tdb"),
> > - 0, TDB_SEQNUM|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > -- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3);
> > -+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3, DBWRAP_FLAG_NONE);
> > - if (notify->db_index == NULL) {
> > - goto fail;
> > - }
> > -diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
> > -index 29c172c..830c7aa 100644
> > ---- a/source3/smbd/smbXsrv_open.c
> > -+++ b/source3/smbd/smbXsrv_open.c
> > -@@ -64,7 +64,8 @@ NTSTATUS smbXsrv_open_global_init(void)
> > - TDB_CLEAR_IF_FIRST |
> > - TDB_INCOMPATIBLE_HASH,
> > - O_RDWR | O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1,
> > -+ DBWRAP_FLAG_NONE);
> > - if (db_ctx == NULL) {
> > - NTSTATUS status;
> > -
> > -diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c
> > -index 017880c..a1ba52d 100644
> > ---- a/source3/smbd/smbXsrv_session.c
> > -+++ b/source3/smbd/smbXsrv_session.c
> > -@@ -75,7 +75,8 @@ NTSTATUS smbXsrv_session_global_init(void)
> > - TDB_CLEAR_IF_FIRST |
> > - TDB_INCOMPATIBLE_HASH,
> > - O_RDWR | O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1,
> > -+ DBWRAP_FLAG_NONE);
> > - if (db_ctx == NULL) {
> > - NTSTATUS status;
> > -
> > -diff --git a/source3/smbd/smbXsrv_tcon.c b/source3/smbd/smbXsrv_tcon.c
> > -index b6e2058..2cbd761 100644
> > ---- a/source3/smbd/smbXsrv_tcon.c
> > -+++ b/source3/smbd/smbXsrv_tcon.c
> > -@@ -62,7 +62,8 @@ NTSTATUS smbXsrv_tcon_global_init(void)
> > - TDB_CLEAR_IF_FIRST |
> > - TDB_INCOMPATIBLE_HASH,
> > - O_RDWR | O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1,
> > -+ DBWRAP_FLAG_NONE);
> > - if (db_ctx == NULL) {
> > - NTSTATUS status;
> > -
> > -diff --git a/source3/smbd/smbXsrv_version.c b/source3/smbd/smbXsrv_version.c
> > -index 8ba5e1f..b24dae9 100644
> > ---- a/source3/smbd/smbXsrv_version.c
> > -+++ b/source3/smbd/smbXsrv_version.c
> > -@@ -80,7 +80,8 @@ NTSTATUS smbXsrv_version_global_init(const struct server_id *server_id)
> > - TDB_CLEAR_IF_FIRST |
> > - TDB_INCOMPATIBLE_HASH,
> > - O_RDWR | O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1,
> > -+ DBWRAP_FLAG_NONE);
> > - if (db_ctx == NULL) {
> > - status = map_nt_error_from_unix_common(errno);
> > - DEBUG(0,("smbXsrv_version_global_init: "
> > -diff --git a/source3/torture/test_dbwrap_watch.c b/source3/torture/test_dbwrap_watch.c
> > -index 9c2a679..4e699fe 100644
> > ---- a/source3/torture/test_dbwrap_watch.c
> > -+++ b/source3/torture/test_dbwrap_watch.c
> > -@@ -48,7 +48,8 @@ bool run_dbwrap_watch1(int dummy)
> > - goto fail;
> > - }
> > - db = db_open(msg, "test_watch.tdb", 0, TDB_DEFAULT,
> > -- O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1);
> > -+ O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1,
> > -+ DBWRAP_FLAG_NONE);
> > - if (db == NULL) {
> > - fprintf(stderr, "db_open failed: %s\n", strerror(errno));
> > - goto fail;
> > -diff --git a/source3/torture/test_idmap_tdb_common.c b/source3/torture/test_idmap_tdb_common.c
> > -index 6f5f3c5..f7262a2 100644
> > ---- a/source3/torture/test_idmap_tdb_common.c
> > -+++ b/source3/torture/test_idmap_tdb_common.c
> > -@@ -86,7 +86,7 @@ static bool open_db(struct idmap_tdb_common_context *ctx)
> > -
> > - ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT,
> > - O_RDWR | O_CREAT, 0600,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > -
> > - if(!ctx->db) {
> > - DEBUG(0, ("Failed to open database: %s\n", strerror(errno)));
> > -diff --git a/source3/torture/torture.c b/source3/torture/torture.c
> > -index 2e66912..1dc3eaf 100644
> > ---- a/source3/torture/torture.c
> > -+++ b/source3/torture/torture.c
> > -@@ -9011,7 +9011,8 @@ static bool run_local_dbtrans(int dummy)
> > - TDB_DATA value;
> > -
> > - db = db_open(talloc_tos(), "transtest.tdb", 0, TDB_DEFAULT,
> > -- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1);
> > -+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1,
> > -+ DBWRAP_FLAG_NONE);
> > - if (db == NULL) {
> > - printf("Could not open transtest.db\n");
> > - return false;
> > -diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
> > -index ffca6b6..b56e07a 100644
> > ---- a/source3/utils/dbwrap_tool.c
> > -+++ b/source3/utils/dbwrap_tool.c
> > -@@ -588,7 +588,7 @@ int main(int argc, const char **argv)
> > - case OP_LISTKEYS:
> > - case OP_EXISTS:
> > - db = db_open(mem_ctx, dbname, 0, tdb_flags, O_RDWR | O_CREAT,
> > -- 0644, DBWRAP_LOCK_ORDER_1);
> > -+ 0644, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (db == NULL) {
> > - d_fprintf(stderr, "ERROR: could not open dbname\n");
> > - goto done;
> > -diff --git a/source3/utils/dbwrap_torture.c b/source3/utils/dbwrap_torture.c
> > -index 2741820..f748ac2 100644
> > ---- a/source3/utils/dbwrap_torture.c
> > -+++ b/source3/utils/dbwrap_torture.c
> > -@@ -309,7 +309,7 @@ int main(int argc, const char *argv[])
> > - }
> > -
> > - db = db_open(mem_ctx, db_name, 0, tdb_flags, O_RDWR | O_CREAT, 0644,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > -
> > - if (db == NULL) {
> > - d_fprintf(stderr, "failed to open db '%s': %s\n", db_name,
> > -diff --git a/source3/utils/net_idmap.c b/source3/utils/net_idmap.c
> > -index fbeca3e..6fc07e7 100644
> > ---- a/source3/utils/net_idmap.c
> > -+++ b/source3/utils/net_idmap.c
> > -@@ -210,7 +210,7 @@ static int net_idmap_dump(struct net_context *c, int argc, const char **argv)
> > - d_fprintf(stderr, _("dumping id mapping from %s\n"), dbfile);
> > -
> > - db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDONLY, 0,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (db == NULL) {
> > - d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
> > - dbfile, strerror(errno));
> > -@@ -336,7 +336,7 @@ static int net_idmap_restore(struct net_context *c, int argc, const char **argv)
> > - }
> > -
> > - db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (db == NULL) {
> > - d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
> > - dbfile, strerror(errno));
> > -@@ -546,7 +546,7 @@ static int net_idmap_delete(struct net_context *c, int argc, const char **argv)
> > - d_fprintf(stderr, _("deleting id mapping from %s\n"), dbfile);
> > -
> > - db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR, 0,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (db == NULL) {
> > - d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
> > - dbfile, strerror(errno));
> > -diff --git a/source3/utils/net_idmap_check.c b/source3/utils/net_idmap_check.c
> > -index e75c890..4b82871 100644
> > ---- a/source3/utils/net_idmap_check.c
> > -+++ b/source3/utils/net_idmap_check.c
> > -@@ -790,7 +790,7 @@ static bool check_open_db(struct check_ctx* ctx, const char* name, int oflags)
> > - }
> > -
> > - ctx->db = db_open(ctx, name, 0, TDB_DEFAULT, oflags, 0,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (ctx->db == NULL) {
> > - d_fprintf(stderr,
> > - _("Could not open idmap db (%s) for writing: %s\n"),
> > -diff --git a/source3/utils/net_registry_check.c b/source3/utils/net_registry_check.c
> > -index 8cdb8fa..d57c2aa 100644
> > ---- a/source3/utils/net_registry_check.c
> > -+++ b/source3/utils/net_registry_check.c
> > -@@ -338,7 +338,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
> > - }
> > -
> > - ctx->odb = db_open(ctx, ctx->opt.output, 0, TDB_DEFAULT, oflags, 0644,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (ctx->odb == NULL) {
> > - d_fprintf(stderr,
> > - _("Could not open db (%s) for writing: %s\n"),
> > -@@ -351,7 +351,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
> > -
> > - static bool check_ctx_open_input(struct check_ctx *ctx) {
> > - ctx->idb = db_open(ctx, ctx->fname, 0, TDB_DEFAULT, O_RDONLY, 0,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (ctx->idb == NULL) {
> > - d_fprintf(stderr,
> > - _("Could not open db (%s) for reading: %s\n"),
> > -diff --git a/source3/utils/status.c b/source3/utils/status.c
> > -index be7c52f..1ff0e36 100644
> > ---- a/source3/utils/status.c
> > -+++ b/source3/utils/status.c
> > -@@ -508,7 +508,7 @@ static void print_notify_recs(const char *path,
> > - struct db_context *db;
> > - db = db_open(NULL, lock_path("locking.tdb"), 0,
> > - TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH, O_RDONLY, 0,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > -
> > - if (!db) {
> > - d_printf("%s not initialised\n",
> > -diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
> > -index 57d952e..0bd2938 100644
> > ---- a/source3/winbindd/idmap_autorid.c
> > -+++ b/source3/winbindd/idmap_autorid.c
> > -@@ -728,7 +728,7 @@ static NTSTATUS idmap_autorid_db_init(void)
> > - /* Open idmap repository */
> > - autorid_db = db_open(NULL, state_path("autorid.tdb"), 0,
> > - TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > -
> > - if (!autorid_db) {
> > - DEBUG(0, ("Unable to open idmap_autorid database '%s'\n",
> > -diff --git a/source3/winbindd/idmap_tdb.c b/source3/winbindd/idmap_tdb.c
> > -index cc930ff..ebff347 100644
> > ---- a/source3/winbindd/idmap_tdb.c
> > -+++ b/source3/winbindd/idmap_tdb.c
> > -@@ -321,7 +321,7 @@ static NTSTATUS idmap_tdb_open_db(struct idmap_domain *dom)
> > -
> > - /* Open idmap repository */
> > - db = db_open(mem_ctx, tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (!db) {
> > - DEBUG(0, ("Unable to open idmap database\n"));
> > - ret = NT_STATUS_UNSUCCESSFUL;
> > -diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
> > -index 4a9c2fe..942490d 100644
> > ---- a/source3/winbindd/idmap_tdb2.c
> > -+++ b/source3/winbindd/idmap_tdb2.c
> > -@@ -114,7 +114,7 @@ static NTSTATUS idmap_tdb2_open_db(struct idmap_domain *dom)
> > -
> > - /* Open idmap repository */
> > - ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
> > -- DBWRAP_LOCK_ORDER_1);
> > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - TALLOC_FREE(db_path);
> > -
> > - if (ctx->db == NULL) {
> > ---
> > -1.9.3
> > -
> > -
> > -From b904731a81df57b3d33fe0c35663bc47d061d744 Mon Sep 17 00:00:00 2001
> > -From: Michael Adam <obnox@samba.org>
> > -Date: Tue, 28 Jan 2014 12:53:24 +0100
> > -Subject: [PATCH 236/249] dbwrap: add a dbwrap_flags argument to db_open_ctdb()
> > -
> > -This is in preparation of directly supporting ctdb read only
> > -record copies when opening a ctdb database from samba.
> > -
> > -Signed-off-by: Michael Adam <obnox@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 6def1c3f6e145abcc81ea69505133bbe128eacac)
> > ----
> > - source3/lib/dbwrap/dbwrap_ctdb.c | 6 ++++--
> > - source3/lib/dbwrap/dbwrap_ctdb.h | 3 ++-
> > - source3/lib/dbwrap/dbwrap_open.c | 2 +-
> > - source3/torture/test_dbwrap_ctdb.c | 2 +-
> > - 4 files changed, 8 insertions(+), 5 deletions(-)
> > -
> > -diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
> > -index 5a473f9..af7a72f 100644
> > ---- a/source3/lib/dbwrap/dbwrap_ctdb.c
> > -+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
> > -@@ -1498,7 +1498,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
> > - const char *name,
> > - int hash_size, int tdb_flags,
> > - int open_flags, mode_t mode,
> > -- enum dbwrap_lock_order lock_order)
> > -+ enum dbwrap_lock_order lock_order,
> > -+ uint64_t dbwrap_flags)
> > - {
> > - struct db_context *result;
> > - struct db_ctdb_ctx *db_ctdb;
> > -@@ -1624,7 +1625,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
> > - const char *name,
> > - int hash_size, int tdb_flags,
> > - int open_flags, mode_t mode,
> > -- enum dbwrap_lock_order lock_order)
> > -+ enum dbwrap_lock_order lock_order,
> > -+ uint64_t dbwrap_flags)
> > - {
> > - DEBUG(3, ("db_open_ctdb: no cluster support!\n"));
> > - errno = ENOSYS;
> > -diff --git a/source3/lib/dbwrap/dbwrap_ctdb.h b/source3/lib/dbwrap/dbwrap_ctdb.h
> > -index bfbe3bd..3196b91 100644
> > ---- a/source3/lib/dbwrap/dbwrap_ctdb.h
> > -+++ b/source3/lib/dbwrap/dbwrap_ctdb.h
> > -@@ -31,6 +31,7 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
> > - const char *name,
> > - int hash_size, int tdb_flags,
> > - int open_flags, mode_t mode,
> > -- enum dbwrap_lock_order lock_order);
> > -+ enum dbwrap_lock_order lock_order,
> > -+ uint64_t dbwrap_flags);
> > -
> > - #endif /* __DBWRAP_CTDB_H__ */
> > -diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
> > -index 6c9280c..61324f7 100644
> > ---- a/source3/lib/dbwrap/dbwrap_open.c
> > -+++ b/source3/lib/dbwrap/dbwrap_open.c
> > -@@ -104,7 +104,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
> > - if (lp_parm_bool(-1, "ctdb", partname, True)) {
> > - result = db_open_ctdb(mem_ctx, partname, hash_size,
> > - tdb_flags, open_flags, mode,
> > -- lock_order);
> > -+ lock_order, dbwrap_flags);
> > - if (result == NULL) {
> > - DEBUG(0,("failed to attach to ctdb %s\n",
> > - partname));
> > -diff --git a/source3/torture/test_dbwrap_ctdb.c b/source3/torture/test_dbwrap_ctdb.c
> > -index f7672ba..d7380b1 100644
> > ---- a/source3/torture/test_dbwrap_ctdb.c
> > -+++ b/source3/torture/test_dbwrap_ctdb.c
> > -@@ -32,7 +32,7 @@ bool run_local_dbwrap_ctdb(int dummy)
> > - uint32_t val;
> > -
> > - db = db_open_ctdb(talloc_tos(), "torture.tdb", 0, TDB_DEFAULT,
> > -- O_RDWR, 0755, DBWRAP_LOCK_ORDER_1);
> > -+ O_RDWR, 0755, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > - if (db == NULL) {
> > - perror("db_open_ctdb failed");
> > - goto fail;
> > ---
> > -1.9.3
> > -
> > -
> > -From 4f2d14112981d03000b533458e2e60a032d052de Mon Sep 17 00:00:00 2001
> > -From: Michael Adam <obnox@samba.org>
> > -Date: Tue, 28 Jan 2014 11:31:44 +0100
> > -Subject: [PATCH 237/249] dbwrap: add DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
> > -
> > -Signed-off-by: Michael Adam <obnox@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 56bd4040889dfe492ff820497b7a6d76624a6048)
> > ----
> > - lib/dbwrap/dbwrap.h | 1 +
> > - 1 file changed, 1 insertion(+)
> > -
> > -diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
> > -index 4064ba2..02b4405 100644
> > ---- a/lib/dbwrap/dbwrap.h
> > -+++ b/lib/dbwrap/dbwrap.h
> > -@@ -33,6 +33,7 @@ enum dbwrap_lock_order {
> > - #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
> > -
> > - #define DBWRAP_FLAG_NONE 0x0000000000000000ULL
> > -+#define DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS 0x0000000000000001ULL
> > -
> > - /* The following definitions come from lib/dbwrap.c */
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From a007f8f7f627c4347f48bd2446637aab137e0608 Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 28 Jan 2014 21:24:22 +0100
> > -Subject: [PATCH 238/249] dbwrap_ctdb: implement
> > - DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
> > -
> > -For non-persistent databases we try to use CTDB_CONTROL_SET_DB_READONLY
> > -in order to make use of readonly records.
> > -
> > -Pair-Programmed-With: Michael Adam <obnox@samba.org>
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Signed-off-by: Michael Adam <obnox@samba.org>
> > -(cherry picked from commit a97b588b63f437d25c4344c76014326dbf0cbdb0)
> > ----
> > - source3/lib/dbwrap/dbwrap_ctdb.c | 21 +++++++++++++++++++++
> > - 1 file changed, 21 insertions(+)
> > -
> > -diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
> > -index af7a72f..3dc86d1 100644
> > ---- a/source3/lib/dbwrap/dbwrap_ctdb.c
> > -+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
> > -@@ -1578,6 +1578,27 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
> > - return NULL;
> > - }
> > -
> > -+#ifdef HAVE_CTDB_WANT_READONLY_DECL
> > -+ if (!result->persistent &&
> > -+ (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS))
> > -+ {
> > -+ TDB_DATA indata;
> > -+
> > -+ indata = make_tdb_data((uint8_t *)&db_ctdb->db_id,
> > -+ sizeof(db_ctdb->db_id));
> > -+
> > -+ status = ctdbd_control_local(
> > -+ conn, CTDB_CONTROL_SET_DB_READONLY, 0, 0, indata,
> > -+ NULL, NULL, &cstatus);
> > -+ if (!NT_STATUS_IS_OK(status) || (cstatus != 0)) {
> > -+ DEBUG(1, ("CTDB_CONTROL_SET_DB_READONLY failed: "
> > -+ "%s, %d\n", nt_errstr(status), cstatus));
> > -+ TALLOC_FREE(result);
> > -+ return NULL;
> > -+ }
> > -+ }
> > -+#endif
> > -+
> > - lp_ctx = loadparm_init_s3(db_path, loadparm_s3_helpers());
> > -
> > - db_ctdb->wtdb = tdb_wrap_open(db_ctdb, db_path, hash_size, tdb_flags,
> > ---
> > -1.9.3
> > -
> > -
> > -From d1ea222d46a594d45422eacccbd655d7e488792a Mon Sep 17 00:00:00 2001
> > -From: Stefan Metzmacher <metze@samba.org>
> > -Date: Tue, 28 Jan 2014 21:31:17 +0100
> > -Subject: [PATCH 239/249] dbwrap_open: add 'dbwrap_optimize_readonly:* = yes'
> > - option
> > -
> > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > -Reviewed-by: Michael Adam <obnox@samba.org>
> > -(cherry picked from commit a20c977c7a58a0c09d01bfa046c00fcd3f1462de)
> > ----
> > - source3/lib/dbwrap/dbwrap_open.c | 25 +++++++++++++++++++++++++
> > - 1 file changed, 25 insertions(+)
> > -
> > -diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
> > -index 61324f7..7f3cddf 100644
> > ---- a/source3/lib/dbwrap/dbwrap_open.c
> > -+++ b/source3/lib/dbwrap/dbwrap_open.c
> > -@@ -81,6 +81,31 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
> > - return NULL;
> > - }
> > -
> > -+ if (tdb_flags & TDB_CLEAR_IF_FIRST) {
> > -+ const char *base;
> > -+ bool try_readonly = false;
> > -+
> > -+ base = strrchr_m(name, '/');
> > -+ if (base != NULL) {
> > -+ base += 1;
> > -+ } else {
> > -+ base = name;
> > -+ }
> > -+
> > -+ if (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS) {
> > -+ try_readonly = true;
> > -+ }
> > -+
> > -+ try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", "*", try_readonly);
> > -+ try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", base, try_readonly);
> > -+
> > -+ if (try_readonly) {
> > -+ dbwrap_flags |= DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
> > -+ } else {
> > -+ dbwrap_flags &= ~DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
> > -+ }
> > -+ }
> > -+
> > - #ifdef CLUSTER_SUPPORT
> > - sockname = lp_ctdbd_socket();
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From ce06399f9fab90623a2166d69f1bbfc46f124d73 Mon Sep 17 00:00:00 2001
> > -From: Michael Adam <obnox@samba.org>
> > -Date: Mon, 27 Jan 2014 16:21:14 +0100
> > -Subject: [PATCH 240/249] s3:rpc_client: optimize the netlogon_creds_cli.tdb
> > - for read-only access
> > -
> > -Usually a record in this DB will be written once and then read
> > -many times by winbindd processes on multiple nodes (when run in
> > -a cluster). In order not to introduce a big performance penalty
> > -with the increased correctness achieved by storing the netlogon
> > -creds, in a cluster setup, we should activate ctdb's read only
> > -record copies on this db.
> > -
> > -Signed-off-by: Michael Adam <obnox@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -(cherry picked from commit 020fab300d2f4f19301eff19ad810c71f77bbb78)
> > ----
> > - source3/rpc_client/cli_netlogon.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index 9e3c1bd..746c7b6 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -70,7 +70,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
> > - global_db = db_open(talloc_autofree_context(), fname,
> > - 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > - O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
> > -- DBWRAP_FLAG_NONE);
> > -+ DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS);
> > - if (global_db == NULL) {
> > - TALLOC_FREE(frame);
> > - return NT_STATUS_NO_MEMORY;
> > ---
> > -1.9.3
> > -
> > -
> > -From e39b8c0e22e609db117285d47cdbd1d854fe8d02 Mon Sep 17 00:00:00 2001
> > -From: Ira Cooper <ira@samba.org>
> > -Date: Thu, 13 Feb 2014 14:45:23 -0500
> > -Subject: [PATCH 241/249] libcli: Overflow array index read possible, in auth
> > - code.
> > -
> > -Changed the if condtion to detect when we'd improperly overflow.
> > -
> > -Coverity-Id: 1167990
> > -Signed-off-by: Ira Cooper <ira@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > -
> > -Autobuild-User(master): Ira Cooper <ira@samba.org>
> > -Autobuild-Date(master): Mon Feb 24 11:56:38 CET 2014 on sn-devel-104
> > -
> > -(cherry picked from commit 8cd8aa6686c21e8c43a6d14c0ae1a21954d6e8cd)
> > ----
> > - libcli/auth/netlogon_creds_cli.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > -index 88893ad..e3cf91c 100644
> > ---- a/libcli/auth/netlogon_creds_cli.c
> > -+++ b/libcli/auth/netlogon_creds_cli.c
> > -@@ -1769,7 +1769,7 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
> > - uint32_t ofs = 512 - len;
> > - uint8_t *p;
> > -
> > -- if (ofs < 12) {
> > -+ if (len > 500) {
> > - tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > - return tevent_req_post(req, ev);
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From 4e15aa86c44e906ca30cfa4589e4f45f23625953 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Tue, 15 Jul 2014 08:28:42 +0200
> > -Subject: [PATCH 242/249] s3-rpc_client: return info3 in
> > - rpccli_netlogon_password_logon().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/rpc_client/cli_netlogon.c | 103 +++++++++++++++++++++-----------------
> > - source3/rpc_client/cli_netlogon.h | 4 +-
> > - source3/rpcclient/cmd_netlogon.c | 5 +-
> > - 3 files changed, 64 insertions(+), 48 deletions(-)
> > -
> > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > -index 746c7b6..7063351 100644
> > ---- a/source3/rpc_client/cli_netlogon.c
> > -+++ b/source3/rpc_client/cli_netlogon.c
> > -@@ -193,16 +193,65 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> > - return NT_STATUS_OK;
> > - }
> > -
> > -+static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> > -+ uint16_t validation_level,
> > -+ union netr_Validation *validation,
> > -+ struct netr_SamInfo3 **info3_p)
> > -+{
> > -+ struct netr_SamInfo3 *info3;
> > -+ NTSTATUS status;
> > -+
> > -+ if (validation == NULL) {
> > -+ return NT_STATUS_INVALID_PARAMETER;
> > -+ }
> > -+
> > -+ switch (validation_level) {
> > -+ case 3:
> > -+ if (validation->sam3 == NULL) {
> > -+ return NT_STATUS_INVALID_PARAMETER;
> > -+ }
> > -+
> > -+ info3 = talloc_move(mem_ctx, &validation->sam3);
> > -+ break;
> > -+ case 6:
> > -+ if (validation->sam6 == NULL) {
> > -+ return NT_STATUS_INVALID_PARAMETER;
> > -+ }
> > -+
> > -+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
> > -+ if (info3 == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(info3);
> > -+ return status;
> > -+ }
> > -+
> > -+ info3->sidcount = validation->sam6->sidcount;
> > -+ info3->sids = talloc_move(info3, &validation->sam6->sids);
> > -+ break;
> > -+ default:
> > -+ return NT_STATUS_BAD_VALIDATION_CLASS;
> > -+ }
> > -+
> > -+ *info3_p = info3;
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > - /* Logon domain user */
> > -
> > - NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> > - struct dcerpc_binding_handle *binding_handle,
> > -+ TALLOC_CTX *mem_ctx,
> > - uint32_t logon_parameters,
> > - const char *domain,
> > - const char *username,
> > - const char *password,
> > - const char *workstation,
> > -- enum netr_LogonInfoClass logon_type)
> > -+ enum netr_LogonInfoClass logon_type,
> > -+ struct netr_SamInfo3 **info3)
> > - {
> > - TALLOC_CTX *frame = talloc_stackframe();
> > - NTSTATUS status;
> > -@@ -320,57 +369,19 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
> > - &validation,
> > - &authoritative,
> > - &flags);
> > -- TALLOC_FREE(frame);
> > - if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(frame);
> > - return status;
> > - }
> > -
> > -- return NT_STATUS_OK;
> > --}
> > --
> > --static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> > -- uint16_t validation_level,
> > -- union netr_Validation *validation,
> > -- struct netr_SamInfo3 **info3_p)
> > --{
> > -- struct netr_SamInfo3 *info3;
> > -- NTSTATUS status;
> > --
> > -- if (validation == NULL) {
> > -- return NT_STATUS_INVALID_PARAMETER;
> > -- }
> > --
> > -- switch (validation_level) {
> > -- case 3:
> > -- if (validation->sam3 == NULL) {
> > -- return NT_STATUS_INVALID_PARAMETER;
> > -- }
> > --
> > -- info3 = talloc_move(mem_ctx, &validation->sam3);
> > -- break;
> > -- case 6:
> > -- if (validation->sam6 == NULL) {
> > -- return NT_STATUS_INVALID_PARAMETER;
> > -- }
> > --
> > -- info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
> > -- if (info3 == NULL) {
> > -- return NT_STATUS_NO_MEMORY;
> > -- }
> > -- status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
> > -- if (!NT_STATUS_IS_OK(status)) {
> > -- TALLOC_FREE(info3);
> > -- return status;
> > -- }
> > --
> > -- info3->sidcount = validation->sam6->sidcount;
> > -- info3->sids = talloc_move(info3, &validation->sam6->sids);
> > -- break;
> > -- default:
> > -- return NT_STATUS_BAD_VALIDATION_CLASS;
> > -+ status = map_validation_to_info3(mem_ctx,
> > -+ validation_level, validation,
> > -+ info3);
> > -+ TALLOC_FREE(frame);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > - }
> > -
> > -- *info3_p = info3;
> > -
> > - return NT_STATUS_OK;
> > - }
> > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > -index 61fed4a..fee0801 100644
> > ---- a/source3/rpc_client/cli_netlogon.h
> > -+++ b/source3/rpc_client/cli_netlogon.h
> > -@@ -45,12 +45,14 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> > - const struct samr_Password *previous_nt_hash);
> > - NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> > - struct dcerpc_binding_handle *binding_handle,
> > -+ TALLOC_CTX *mem_ctx,
> > - uint32_t logon_parameters,
> > - const char *domain,
> > - const char *username,
> > - const char *password,
> > - const char *workstation,
> > -- enum netr_LogonInfoClass logon_type);
> > -+ enum netr_LogonInfoClass logon_type,
> > -+ struct netr_SamInfo3 **info3);
> > - NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > - struct dcerpc_binding_handle *binding_handle,
> > - TALLOC_CTX *mem_ctx,
> > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > -index b637b3e..2d1c351 100644
> > ---- a/source3/rpcclient/cmd_netlogon.c
> > -+++ b/source3/rpcclient/cmd_netlogon.c
> > -@@ -778,6 +778,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > - const char *username, *password;
> > - uint32 logon_param = 0;
> > - const char *workstation = NULL;
> > -+ struct netr_SamInfo3 *info3 = NULL;
> > -
> > - /* Check arguments */
> > -
> > -@@ -803,12 +804,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > -
> > - result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
> > - cli->binding_handle,
> > -+ mem_ctx,
> > - logon_param,
> > - lp_workgroup(),
> > - username,
> > - password,
> > - workstation,
> > -- logon_type);
> > -+ logon_type,
> > -+ &info3);
> > - if (!NT_STATUS_IS_OK(result))
> > - goto done;
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From 3459fada96951a57a787944aedc01caabe873c9d Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Tue, 15 Jul 2014 08:29:55 +0200
> > -Subject: [PATCH 243/249] s3-winbindd: call interactive samlogon via
> > - rpccli_netlogon_password_logon.
> > -
> > -Guenther
> > -
> > -Signed-off-by: Guenther Deschner <gd@samba.org>
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -
> > -Conflicts:
> > - source3/winbindd/winbindd_pam.c
> > ----
> > - source3/winbindd/winbindd_pam.c | 45 +++++++++++++++++++++++++++++------------
> > - 1 file changed, 32 insertions(+), 13 deletions(-)
> > -
> > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > -index 3f3ec70..2a1b74a 100644
> > ---- a/source3/winbindd/winbindd_pam.c
> > -+++ b/source3/winbindd/winbindd_pam.c
> > -@@ -1214,11 +1214,13 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > - uint32_t logon_parameters,
> > - const char *server,
> > - const char *username,
> > -+ const char *password,
> > - const char *domainname,
> > - const char *workstation,
> > - const uint8_t chal[8],
> > - DATA_BLOB lm_response,
> > - DATA_BLOB nt_response,
> > -+ bool interactive,
> > - struct netr_SamInfo3 **info3)
> > - {
> > - int attempts = 0;
> > -@@ -1278,19 +1280,32 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > - }
> > - netr_attempts = 0;
> > -
> > -- result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
> > -- netlogon_pipe->binding_handle,
> > -- mem_ctx,
> > -- logon_parameters,
> > -- username,
> > -- domainname,
> > -- workstation,
> > -- chal,
> > -- lm_response,
> > -- nt_response,
> > -- &authoritative,
> > -- &flags,
> > -- info3);
> > -+ if (interactive && username != NULL && password != NULL) {
> > -+ result = rpccli_netlogon_password_logon(domain->conn.netlogon_creds,
> > -+ netlogon_pipe->binding_handle,
> > -+ mem_ctx,
> > -+ logon_parameters,
> > -+ domainname,
> > -+ username,
> > -+ password,
> > -+ workstation,
> > -+ NetlogonInteractiveInformation,
> > -+ info3);
> > -+ } else {
> > -+ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
> > -+ netlogon_pipe->binding_handle,
> > -+ mem_ctx,
> > -+ logon_parameters,
> > -+ username,
> > -+ domainname,
> > -+ workstation,
> > -+ chal,
> > -+ lm_response,
> > -+ nt_response,
> > -+ &authoritative,
> > -+ &flags,
> > -+ info3);
> > -+ }
> > -
> > - /*
> > - * we increment this after the "feature negotiation"
> > -@@ -1433,11 +1448,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
> > - 0,
> > - domain->dcname,
> > - name_user,
> > -+ pass,
> > - name_domain,
> > - lp_netbios_name(),
> > - chal,
> > - lm_resp,
> > - nt_resp,
> > -+ true, /* interactive */
> > - &my_info3);
> > - if (!NT_STATUS_IS_OK(result)) {
> > - goto done;
> > -@@ -1856,12 +1873,14 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
> > - state->request->data.auth_crap.logon_parameters,
> > - domain->dcname,
> > - name_user,
> > -+ NULL, /* password */
> > - name_domain,
> > - /* Bug #3248 - found by Stefan Burkei. */
> > - workstation, /* We carefully set this above so use it... */
> > - state->request->data.auth_crap.chal,
> > - lm_resp,
> > - nt_resp,
> > -+ false, /* interactive */
> > - &info3);
> > - if (!NT_STATUS_IS_OK(result)) {
> > - goto done;
> > ---
> > -1.9.3
> > -
> > -
> > -From ad27b750ea3766581e528a41c132bb57927cc64c Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Mon, 7 Jul 2014 17:14:37 +0200
> > -Subject: [PATCH 244/249] s3-winbindd: add wcache_query_user_fullname().
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -This helper function is used to query the full name of a cached user object (for
> > -further gecos processing).
> > -
> > -Thanks to Matt Rogers <mrogers@redhat.com>.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
> > -
> > -Guenther
> > -
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/winbindd/winbindd_cache.c | 34 ++++++++++++++++++++++++++++++++++
> > - source3/winbindd/winbindd_proto.h | 4 ++++
> > - 2 files changed, 38 insertions(+)
> > -
> > -diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
> > -index 59ce515..d1e10e6c 100644
> > ---- a/source3/winbindd/winbindd_cache.c
> > -+++ b/source3/winbindd/winbindd_cache.c
> > -@@ -2309,6 +2309,40 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
> > - return status;
> > - }
> > -
> > -+
> > -+/**
> > -+* @brief Query a fullname from the username cache (for further gecos processing)
> > -+*
> > -+* @param domain A pointer to the winbindd_domain struct.
> > -+* @param mem_ctx The talloc context.
> > -+* @param user_sid The user sid.
> > -+* @param full_name A pointer to the full_name string.
> > -+*
> > -+* @return NTSTATUS code
> > -+*/
> > -+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ const struct dom_sid *user_sid,
> > -+ const char **full_name)
> > -+{
> > -+ NTSTATUS status;
> > -+ struct wbint_userinfo info;
> > -+
> > -+ status = wcache_query_user(domain, mem_ctx, user_sid, &info);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ if (info.full_name != NULL) {
> > -+ *full_name = talloc_strdup(mem_ctx, info.full_name);
> > -+ if (*full_name == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ }
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > - /* Lookup user information from a rid */
> > - static NTSTATUS query_user(struct winbindd_domain *domain,
> > - TALLOC_CTX *mem_ctx,
> > -diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
> > -index cfc19d0..cfb7812 100644
> > ---- a/source3/winbindd/winbindd_proto.h
> > -+++ b/source3/winbindd/winbindd_proto.h
> > -@@ -105,6 +105,10 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
> > - TALLOC_CTX *mem_ctx,
> > - const struct dom_sid *user_sid,
> > - struct wbint_userinfo *info);
> > -+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
> > -+ TALLOC_CTX *mem_ctx,
> > -+ const struct dom_sid *user_sid,
> > -+ const char **full_name);
> > - NTSTATUS wcache_lookup_useraliases(struct winbindd_domain *domain,
> > - TALLOC_CTX *mem_ctx,
> > - uint32 num_sids, const struct dom_sid *sids,
> > ---
> > -1.9.3
> > -
> > -
> > -From e89ca0b90887930a2f86dcaa4f6d3d05565f919c Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Mon, 7 Jul 2014 17:16:32 +0200
> > -Subject: [PATCH 245/249] s3-winbindd: use wcache_query_user_fullname after
> > - inspecting samlogon cache.
> > -
> > -The reason for this followup query is that very often the samlogon cache only
> > -contains a info3 netlogon user structure that has been retrieved during a
> > -netlogon samlogon authentication using "network" logon level. With that logon
> > -level only a few info3 fields are filled in; the user's fullname is never filled
> > -in that case. This is problematic when the cache is used to fill in the user's
> > -gecos field (for NSS queries). When we have retrieved the user's fullname during
> > -other queries, reuse it from the other caches.
> > -
> > -Thanks to Matt Rogers <mrogers@redhat.com>.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
> > -
> > -Guenther
> > -
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Signed-off-by: Guenther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/winbindd/winbindd_ads.c | 8 ++++++++
> > - source3/winbindd/winbindd_msrpc.c | 8 ++++++++
> > - source3/winbindd/winbindd_pam.c | 20 ++++++++++++++++++++
> > - 3 files changed, 36 insertions(+)
> > -
> > -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
> > -index 4c26389..a20fba5 100644
> > ---- a/source3/winbindd/winbindd_ads.c
> > -+++ b/source3/winbindd/winbindd_ads.c
> > -@@ -619,6 +619,14 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
> > -
> > - TALLOC_FREE(user);
> > -
> > -+ if (info->full_name == NULL) {
> > -+ /* this might fail so we dont check the return code */
> > -+ wcache_query_user_fullname(domain,
> > -+ mem_ctx,
> > -+ sid,
> > -+ &info->full_name);
> > -+ }
> > -+
> > - return NT_STATUS_OK;
> > - }
> > -
> > -diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
> > -index 426d64c..c097bf3 100644
> > ---- a/source3/winbindd/winbindd_msrpc.c
> > -+++ b/source3/winbindd/winbindd_msrpc.c
> > -@@ -439,6 +439,14 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
> > - user_info->full_name = talloc_strdup(user_info,
> > - user->base.full_name.string);
> > -
> > -+ if (user_info->full_name == NULL) {
> > -+ /* this might fail so we dont check the return code */
> > -+ wcache_query_user_fullname(domain,
> > -+ mem_ctx,
> > -+ user_sid,
> > -+ &user_info->full_name);
> > -+ }
> > -+
> > - status = NT_STATUS_OK;
> > - goto done;
> > - }
> > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > -index 2a1b74a..bf71d97 100644
> > ---- a/source3/winbindd/winbindd_pam.c
> > -+++ b/source3/winbindd/winbindd_pam.c
> > -@@ -1720,6 +1720,26 @@ process_result:
> > - sid_compose(&user_sid, info3->base.domain_sid,
> > - info3->base.rid);
> > -
> > -+ if (info3->base.full_name.string == NULL) {
> > -+ struct netr_SamInfo3 *cached_info3;
> > -+
> > -+ cached_info3 = netsamlogon_cache_get(state->mem_ctx,
> > -+ &user_sid);
> > -+ if (cached_info3 != NULL &&
> > -+ cached_info3->base.full_name.string != NULL) {
> > -+ info3->base.full_name.string =
> > -+ talloc_strdup(info3,
> > -+ cached_info3->base.full_name.string);
> > -+ } else {
> > -+
> > -+ /* this might fail so we dont check the return code */
> > -+ wcache_query_user_fullname(domain,
> > -+ info3,
> > -+ &user_sid,
> > -+ &info3->base.full_name.string);
> > -+ }
> > -+ }
> > -+
> > - wcache_invalidate_samlogon(find_domain_from_name(name_domain),
> > - &user_sid);
> > - netsamlogon_cache_store(name_user, info3);
> > ---
> > -1.9.3
> > -
> > -
> > -From aa042d490b2cccb7b6cc394e024004321a6c156c Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 9 Jul 2014 13:36:06 +0200
> > -Subject: [PATCH 246/249] samlogon_cache: use a talloc_stackframe inside
> > - netsamlogon_cache_store.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/libsmb/samlogon_cache.c | 13 ++++---------
> > - 1 file changed, 4 insertions(+), 9 deletions(-)
> > -
> > -diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
> > -index b04cf0a..f7457ae 100644
> > ---- a/source3/libsmb/samlogon_cache.c
> > -+++ b/source3/libsmb/samlogon_cache.c
> > -@@ -125,7 +125,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> > - bool result = false;
> > - struct dom_sid user_sid;
> > - time_t t = time(NULL);
> > -- TALLOC_CTX *mem_ctx;
> > -+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
> > - DATA_BLOB blob;
> > - enum ndr_err_code ndr_err;
> > - struct netsamlogoncache_entry r;
> > -@@ -149,11 +149,6 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> > -
> > - /* Prepare data */
> > -
> > -- if (!(mem_ctx = talloc( NULL, int))) {
> > -- DEBUG(0,("netsamlogon_cache_store: talloc() failed!\n"));
> > -- return false;
> > -- }
> > --
> > - /* only Samba fills in the username, not sure why NT doesn't */
> > - /* so we fill it in since winbindd_getpwnam() makes use of it */
> > -
> > -@@ -168,11 +163,11 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> > - NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
> > - }
> > -
> > -- ndr_err = ndr_push_struct_blob(&blob, mem_ctx, &r,
> > -+ ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r,
> > - (ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry);
> > - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > - DEBUG(0,("netsamlogon_cache_store: failed to push entry to cache\n"));
> > -- TALLOC_FREE(mem_ctx);
> > -+ TALLOC_FREE(tmp_ctx);
> > - return false;
> > - }
> > -
> > -@@ -183,7 +178,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> > - result = true;
> > - }
> > -
> > -- TALLOC_FREE(mem_ctx);
> > -+ TALLOC_FREE(tmp_ctx);
> > -
> > - return result;
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From 8283d1acec0c0afd17197339a4986975d05abf29 Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Thu, 3 Jul 2014 16:17:46 +0200
> > -Subject: [PATCH 247/249] samlogon_cache: avoid overwriting
> > - info3->base.full_name.string.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -This field servers as a source for the gecos field. We should not overwrite it
> > -when a info3 struct from a samlogon network level gets saved in which case this
> > -field is always NULL.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > -
> > -Autobuild-User(master): Günther Deschner <gd@samba.org>
> > -Autobuild-Date(master): Tue Jul 15 18:25:28 CEST 2014 on sn-devel-104
> > ----
> > - source3/libsmb/samlogon_cache.c | 14 ++++++++++++++
> > - 1 file changed, 14 insertions(+)
> > -
> > -diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
> > -index f7457ae..0a157d4 100644
> > ---- a/source3/libsmb/samlogon_cache.c
> > -+++ b/source3/libsmb/samlogon_cache.c
> > -@@ -149,6 +149,20 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> > -
> > - /* Prepare data */
> > -
> > -+ if (info3->base.full_name.string == NULL) {
> > -+ struct netr_SamInfo3 *cached_info3;
> > -+ const char *full_name = NULL;
> > -+
> > -+ cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid);
> > -+ if (cached_info3 != NULL) {
> > -+ full_name = cached_info3->base.full_name.string;
> > -+ }
> > -+
> > -+ if (full_name != NULL) {
> > -+ info3->base.full_name.string = talloc_strdup(info3, full_name);
> > -+ }
> > -+ }
> > -+
> > - /* only Samba fills in the username, not sure why NT doesn't */
> > - /* so we fill it in since winbindd_getpwnam() makes use of it */
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From fe9d7458001a952d1df23dcd584a1835df5d43d1 Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Thu, 3 Jul 2014 16:19:42 +0200
> > -Subject: [PATCH 248/249] s3-winbind: Don't set the gecos field to NULL.
> > -
> > -The value is loaded from the cache anyway. So it will be set to NULL if
> > -it is not available.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > ----
> > - source3/winbindd/nss_info_template.c | 1 -
> > - 1 file changed, 1 deletion(-)
> > -
> > -diff --git a/source3/winbindd/nss_info_template.c b/source3/winbindd/nss_info_template.c
> > -index 5fdfd9b..de93803 100644
> > ---- a/source3/winbindd/nss_info_template.c
> > -+++ b/source3/winbindd/nss_info_template.c
> > -@@ -48,7 +48,6 @@ static NTSTATUS nss_template_get_info( struct nss_domain_entry *e,
> > - username */
> > - *homedir = talloc_strdup( ctx, lp_template_homedir() );
> > - *shell = talloc_strdup( ctx, lp_template_shell() );
> > -- *gecos = NULL;
> > -
> > - if ( !*homedir || !*shell ) {
> > - return NT_STATUS_NO_MEMORY;
> > ---
> > -1.9.3
> > -
> > -
> > -From d2f3347a264bb7b8b0335404348990f52320b672 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Mon, 14 Jul 2014 18:22:26 +0200
> > -Subject: [PATCH 249/249] s3-winbindd: prefer "displayName" over "name" in ads
> > - user queries for the fullname.
> > -
> > -This makes use more consistent with security=domain as well where the gecos
> > -field is also filled using the displayName field.
> > -
> > -Guenther
> > -
> > -Signed-off-by: Guenther Deschner <gd@samba.org>
> > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/winbindd/winbindd_ads.c | 16 +++++++++++-----
> > - 1 file changed, 11 insertions(+), 5 deletions(-)
> > -
> > -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
> > -index a20fba5..4b5b2fa 100644
> > ---- a/source3/winbindd/winbindd_ads.c
> > -+++ b/source3/winbindd/winbindd_ads.c
> > -@@ -327,7 +327,10 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
> > - }
> > -
> > - info->acct_name = ads_pull_username(ads, mem_ctx, msg);
> > -- info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
> > -+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
> > -+ if (info->full_name == NULL) {
> > -+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
> > -+ }
> > - info->homedir = NULL;
> > - info->shell = NULL;
> > - info->primary_gid = (gid_t)-1;
> > -@@ -592,7 +595,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
> > - struct netr_SamInfo3 *user = NULL;
> > - gid_t gid = -1;
> > - int ret;
> > -- char *ads_name;
> > -+ char *full_name;
> > -
> > - DEBUG(3,("ads: query_user\n"));
> > -
> > -@@ -704,7 +707,10 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
> > - * nss_get_info_cached call. nss_get_info_cached might destroy
> > - * the ads struct, potentially invalidating the ldap message.
> > - */
> > -- ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
> > -+ full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
> > -+ if (full_name == NULL) {
> > -+ full_name = ads_pull_string(ads, mem_ctx, msg, "name");
> > -+ }
> > -
> > - ads_msgfree(ads, msg);
> > - msg = NULL;
> > -@@ -720,9 +726,9 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
> > - }
> > -
> > - if (info->full_name == NULL) {
> > -- info->full_name = ads_name;
> > -+ info->full_name = full_name;
> > - } else {
> > -- TALLOC_FREE(ads_name);
> > -+ TALLOC_FREE(full_name);
> > - }
> > -
> > - status = NT_STATUS_OK;
> > ---
> > -1.9.3
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
> > deleted file mode 100644
> > index 7a7bdf5..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
> > +++ /dev/null
> > @@ -1,97 +0,0 @@
> > -From f73c906237aa0c9d45900d69d31c9b39261f062a Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Tue, 16 Sep 2014 18:02:30 +0200
> > -Subject: [PATCH 1/2] lib: Add daemon_status() to util library.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> > -(cherry picked from commit 9f5f5fa8ebf845c53b7a92557d7aec56ed820320)
> > ----
> > - lib/util/become_daemon.c | 11 +++++++++++
> > - lib/util/samba_util.h | 6 ++++++
> > - 2 files changed, 17 insertions(+)
> > -
> > -diff --git a/lib/util/become_daemon.c b/lib/util/become_daemon.c
> > -index 35c8b32..688bedd 100644
> > ---- a/lib/util/become_daemon.c
> > -+++ b/lib/util/become_daemon.c
> > -@@ -135,3 +135,14 @@ _PUBLIC_ void daemon_ready(const char *daemon)
> > - #endif
> > - DEBUG(0, ("STATUS=daemon '%s' finished starting up and ready to serve connections", daemon));
> > - }
> > -+
> > -+_PUBLIC_ void daemon_status(const char *name, const char *msg)
> > -+{
> > -+ if (name == NULL) {
> > -+ name = "Samba";
> > -+ }
> > -+#ifdef HAVE_SYSTEMD
> > -+ sd_notifyf(0, "\nSTATUS=%s: %s", name, msg);
> > -+#endif
> > -+ DEBUG(0, ("STATUS=daemon '%s' : %s", name, msg));
> > -+}
> > -diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
> > -index e3fe6a6..f4216d8 100644
> > ---- a/lib/util/samba_util.h
> > -+++ b/lib/util/samba_util.h
> > -@@ -853,6 +853,12 @@ _PUBLIC_ void exit_daemon(const char *msg, int error);
> > - **/
> > - _PUBLIC_ void daemon_ready(const char *daemon);
> > -
> > -+/*
> > -+ * Report the daemon status. For example if it is not ready to serve connections
> > -+ * and is waiting for some event to happen.
> > -+ */
> > -+_PUBLIC_ void daemon_status(const char *name, const char *msg);
> > -+
> > - /**
> > - * @brief Get a password from the console.
> > - *
> > ---
> > -2.1.0
> > -
> > -
> > -From 7fcd74039961fa0fb02934bc87ce41fd98234f1a Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Tue, 16 Sep 2014 18:03:51 +0200
> > -Subject: [PATCH 2/2] nmbd: Send waiting status to systemd.
> > -
> > -This tells the Administrator what's going on and we should log that IPv6
> > -is not supported.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> > -
> > -Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
> > -Autobuild-Date(master): Wed Sep 17 13:16:43 CEST 2014 on sn-devel-104
> > -
> > -(cherry picked from commit 2df601bff0d949e66c79366b8248b9d950c0b430)
> > ----
> > - source3/nmbd/nmbd_subnetdb.c | 7 +++++--
> > - 1 file changed, 5 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source3/nmbd/nmbd_subnetdb.c b/source3/nmbd/nmbd_subnetdb.c
> > -index 311a240..6c483af 100644
> > ---- a/source3/nmbd/nmbd_subnetdb.c
> > -+++ b/source3/nmbd/nmbd_subnetdb.c
> > -@@ -247,8 +247,11 @@ bool create_subnets(void)
> > -
> > - /* Only count IPv4, non-loopback interfaces. */
> > - if (iface_count_v4_nl() == 0) {
> > -- DEBUG(0,("create_subnets: No local IPv4 non-loopback interfaces !\n"));
> > -- DEBUG(0,("create_subnets: Waiting for an interface to appear ...\n"));
> > -+ daemon_status("nmbd",
> > -+ "No local IPv4 non-loopback interfaces "
> > -+ "available, waiting for interface ...");
> > -+ DEBUG(0,("NOTE: NetBIOS name resolution is not supported for "
> > -+ "Internet Protocol Version 6 (IPv6).\n"));
> > - }
> > -
> > - /* We only count IPv4, non-loopback interfaces here. */
> > ---
> > -2.1.0
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
> > deleted file mode 100644
> > index 3215f2c..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
> > +++ /dev/null
> > @@ -1,42 +0,0 @@
> > -From 23dfa2e35bec9c0f6c3d579e7dc2e1d0ce636aa2 Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Fri, 19 Sep 2014 13:33:10 +0200
> > -Subject: [PATCH] nsswitch: Skip groups we were not able to map.
> > -
> > -If we have configured the idmap_ad backend it is possible that the user
> > -is in a group without a gid set. This will result in (uid_t)-1 as the
> > -gid. We return this invalid gid to NSS which is wrong.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10824
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: David Disseldorp <ddiss@samba.org>
> > -
> > -Autobuild-User(master): David Disseldorp <ddiss@samba.org>
> > -Autobuild-Date(master): Fri Sep 19 17:57:14 CEST 2014 on sn-devel-104
> > -
> > -(cherry picked from commit 7f59711f076e98ece099f6b38ff6da8c80fa6d5e)
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > ----
> > - nsswitch/winbind_nss_linux.c | 5 +++++
> > - 1 file changed, 5 insertions(+)
> > -
> > -diff --git a/nsswitch/winbind_nss_linux.c b/nsswitch/winbind_nss_linux.c
> > -index 8d66a74..70ede3e 100644
> > ---- a/nsswitch/winbind_nss_linux.c
> > -+++ b/nsswitch/winbind_nss_linux.c
> > -@@ -1101,6 +1101,11 @@ _nss_winbind_initgroups_dyn(char *user, gid_t group, long int *start,
> > - continue;
> > - }
> > -
> > -+ /* Skip groups without a mapping */
> > -+ if (gid_list[i] == (uid_t)-1) {
> > -+ continue;
> > -+ }
> > -+
> > - /* Filled buffer ? If so, resize. */
> > -
> > - if (*start == *size) {
> > ---
> > -2.1.0
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
> > deleted file mode 100644
> > index 394a640..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
> > +++ /dev/null
> > @@ -1,44 +0,0 @@
> > -From dc6b86b93c8f059b0cc96c364ffad05c88b7d92e Mon Sep 17 00:00:00 2001
> > -From: Christof Schmitt <cs@samba.org>
> > -Date: Fri, 22 Aug 2014 09:15:59 -0700
> > -Subject: [PATCH] s3-winbindd: Use correct realm for trusted domains in idmap child
> > -
> > -When authenticating users in a trusted domain, the idmap_ad module
> > -always connects to a local DC instead of one in the trusted domain.
> > -
> > -Fix this by passing the correct realm to connect to.
> > -
> > -Also Comment parameters passed to ads_cached_connection_connect
> > -
> > -Signed-off-by: Christof Schmitt <cs@samba.org>
> > -Reviewed-by: Jeremy Allison <jra@samba.org>
> > -(cherry picked from commit c203c722e7e22f9146f2ecf6f42452c0e82042e4)
> > ----
> > - source3/winbindd/winbindd_ads.c | 11 +++++++++--
> > - 1 files changed, 9 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
> > -index 4c26389..e47613e 100644
> > ---- a/source3/winbindd/winbindd_ads.c
> > -+++ b/source3/winbindd/winbindd_ads.c
> > -@@ -187,8 +187,15 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
> > - }
> > - }
> > -
> > -- status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
> > -- password, realm, 0);
> > -+ status = ads_cached_connection_connect(
> > -+ adsp, /* Returns ads struct. */
> > -+ wb_dom->alt_name, /* realm to connect to. */
> > -+ dom_name, /* 'workgroup' name for ads_init */
> > -+ ldap_server, /* DNS name to connect to. */
> > -+ password, /* password for auth realm. */
> > -+ realm, /* realm used for krb5 ticket. */
> > -+ 0); /* renewable ticket time. */
> > -+
> > - SAFE_FREE(realm);
> > -
> > - return status;
> > ---
> > -1.7.1
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
> > deleted file mode 100644
> > index a1b05b8..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
> > +++ /dev/null
> > @@ -1,35 +0,0 @@
> > -From 0aab8ae3c137e5900d22160555bcef57cd62ca21 Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Wed, 17 Sep 2014 15:17:50 +0200
> > -Subject: [PATCH 2/2] libcli: Fix a segfault calling smbXcli_req_set_pending()
> > - on NULL.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10817
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Jeremy Allison <jra@samba.org>
> > -
> > -Autobuild-User(master): Jeremy Allison <jra@samba.org>
> > -Autobuild-Date(master): Tue Sep 23 04:23:05 CEST 2014 on sn-devel-104
> > -
> > -(cherry picked from commit f92086f4a347dcc8fa948aa2614a2c12f1115e5a)
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > ----
> > - libcli/smb/smb1cli_echo.c | 1 -
> > - 1 file changed, 1 deletion(-)
> > -
> > -diff --git a/libcli/smb/smb1cli_echo.c b/libcli/smb/smb1cli_echo.c
> > -index 4fb7c60..10dff2d 100644
> > ---- a/libcli/smb/smb1cli_echo.c
> > -+++ b/libcli/smb/smb1cli_echo.c
> > -@@ -96,7 +96,6 @@ static void smb1cli_echo_done(struct tevent_req *subreq)
> > - NULL, /* pbytes_offset */
> > - NULL, /* pinbuf */
> > - expected, ARRAY_SIZE(expected));
> > -- TALLOC_FREE(subreq);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - tevent_req_nterror(req, status);
> > - return;
> > ---
> > -2.1.0
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
> > deleted file mode 100644
> > index 35f4d8c..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
> > +++ /dev/null
> > @@ -1,180 +0,0 @@
> > -From 579901faf787d8d787c978324bdec87c349e3d9b Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Tue, 23 Sep 2014 14:09:41 +0200
> > -Subject: [PATCH] s3-libads: Improve service principle guessing.
> > -
> > -If the name passed to the net command with the -S options is the long
> > -hostname of the domaincontroller and not the 15 char NetBIOS name we
> > -should construct a FQDN with the realm to get a Kerberos ticket.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10829
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > -(cherry picked from commit 83c62bd3f5945bbe295cbfbd153736d4c709b3a6)
> > ----
> > - source3/libads/sasl.c | 124 +++++++++++++++++++++++++++-----------------------
> > - 1 file changed, 66 insertions(+), 58 deletions(-)
> > -
> > -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
> > -index 33f4e24..1450ff1 100644
> > ---- a/source3/libads/sasl.c
> > -+++ b/source3/libads/sasl.c
> > -@@ -714,88 +714,96 @@ static void ads_free_service_principal(struct ads_service_principal *p)
> > - static ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
> > - char **returned_principal)
> > - {
> > -+ ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY);
> > - char *princ = NULL;
> > -+ TALLOC_CTX *frame;
> > -+ char *server = NULL;
> > -+ char *realm = NULL;
> > -+ int rc;
> > -
> > -- if (ads->server.realm && ads->server.ldap_server) {
> > -- char *server, *server_realm;
> > --
> > -- server = SMB_STRDUP(ads->server.ldap_server);
> > -- server_realm = SMB_STRDUP(ads->server.realm);
> > --
> > -- if (!server || !server_realm) {
> > -- SAFE_FREE(server);
> > -- SAFE_FREE(server_realm);
> > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > -- }
> > -+ frame = talloc_stackframe();
> > -+ if (frame == NULL) {
> > -+ return ADS_ERROR(LDAP_NO_MEMORY);
> > -+ }
> > -
> > -- if (!strlower_m(server)) {
> > -- SAFE_FREE(server);
> > -- SAFE_FREE(server_realm);
> > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > -+ if (ads->server.realm && ads->server.ldap_server) {
> > -+ server = strlower_talloc(frame, ads->server.ldap_server);
> > -+ if (server == NULL) {
> > -+ goto out;
> > - }
> > -
> > -- if (!strupper_m(server_realm)) {
> > -- SAFE_FREE(server);
> > -- SAFE_FREE(server_realm);
> > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > -+ realm = strupper_talloc(frame, ads->server.realm);
> > -+ if (realm == NULL) {
> > -+ goto out;
> > - }
> > -
> > -- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
> > -- SAFE_FREE(server);
> > -- SAFE_FREE(server_realm);
> > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > -- }
> > -+ /*
> > -+ * If we got a name which is bigger than a NetBIOS name,
> > -+ * but isn't a FQDN, create one.
> > -+ */
> > -+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
> > -+ char *dnsdomain;
> > -
> > -- SAFE_FREE(server);
> > -- SAFE_FREE(server_realm);
> > -+ dnsdomain = strlower_talloc(frame, ads->server.realm);
> > -+ if (dnsdomain == NULL) {
> > -+ goto out;
> > -+ }
> > -
> > -- if (!princ) {
> > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > -+ server = talloc_asprintf(frame,
> > -+ "%s.%s",
> > -+ server, dnsdomain);
> > -+ if (server == NULL) {
> > -+ goto out;
> > -+ }
> > - }
> > - } else if (ads->config.realm && ads->config.ldap_server_name) {
> > -- char *server, *server_realm;
> > --
> > -- server = SMB_STRDUP(ads->config.ldap_server_name);
> > -- server_realm = SMB_STRDUP(ads->config.realm);
> > --
> > -- if (!server || !server_realm) {
> > -- SAFE_FREE(server);
> > -- SAFE_FREE(server_realm);
> > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > -+ server = strlower_talloc(frame, ads->config.ldap_server_name);
> > -+ if (server == NULL) {
> > -+ goto out;
> > - }
> > -
> > -- if (!strlower_m(server)) {
> > -- SAFE_FREE(server);
> > -- SAFE_FREE(server_realm);
> > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > -+ realm = strupper_talloc(frame, ads->config.realm);
> > -+ if (realm == NULL) {
> > -+ goto out;
> > - }
> > -
> > -- if (!strupper_m(server_realm)) {
> > -- SAFE_FREE(server);
> > -- SAFE_FREE(server_realm);
> > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > -- }
> > -- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
> > -- SAFE_FREE(server);
> > -- SAFE_FREE(server_realm);
> > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > -- }
> > -+ /*
> > -+ * If we got a name which is bigger than a NetBIOS name,
> > -+ * but isn't a FQDN, create one.
> > -+ */
> > -+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
> > -+ char *dnsdomain;
> > -
> > -- SAFE_FREE(server);
> > -- SAFE_FREE(server_realm);
> > -+ dnsdomain = strlower_talloc(frame, ads->server.realm);
> > -+ if (dnsdomain == NULL) {
> > -+ goto out;
> > -+ }
> > -
> > -- if (!princ) {
> > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > -+ server = talloc_asprintf(frame,
> > -+ "%s.%s",
> > -+ server, dnsdomain);
> > -+ if (server == NULL) {
> > -+ goto out;
> > -+ }
> > - }
> > - }
> > -
> > -- if (!princ) {
> > -- return ADS_ERROR(LDAP_PARAM_ERROR);
> > -+ if (server == NULL || realm == NULL) {
> > -+ goto out;
> > -+ }
> > -+
> > -+ rc = asprintf(&princ, "ldap/%s@%s", server, realm);
> > -+ if (rc == -1 || princ == NULL) {
> > -+ status = ADS_ERROR(LDAP_PARAM_ERROR);
> > -+ goto out;
> > - }
> > -
> > - *returned_principal = princ;
> > -
> > -- return ADS_SUCCESS;
> > -+ status = ADS_SUCCESS;
> > -+out:
> > -+ TALLOC_FREE(frame);
> > -+ return status;
> > - }
> > -
> > - static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
> > ---
> > -2.1.0
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
> > deleted file mode 100644
> > index 5d309f1..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
> > +++ /dev/null
> > @@ -1,329 +0,0 @@
> > -From 1925edc67e223d73d672af48c2ebd3e5865e01d9 Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Wed, 24 Sep 2014 09:22:03 +0200
> > -Subject: [PATCH 1/4] s3-libads: Add a function to retrieve the SPNs of a
> > - computer account.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > -(cherry picked from commit 4eaa4ccbdf279f1ff6d8218b36d92aeea0114cd8)
> > ----
> > - source3/libads/ads_proto.h | 6 +++++
> > - source3/libads/ldap.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++
> > - 2 files changed, 66 insertions(+)
> > -
> > -diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
> > -index 17a84d1..6a22807 100644
> > ---- a/source3/libads/ads_proto.h
> > -+++ b/source3/libads/ads_proto.h
> > -@@ -87,6 +87,12 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
> > - const char *name, const char **vals);
> > - uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
> > - uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
> > -+
> > -+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
> > -+ ADS_STRUCT *ads,
> > -+ const char *machine_name,
> > -+ char ***spn_array,
> > -+ size_t *num_spns);
> > - ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
> > - ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
> > - const char *my_fqdn, const char *spn);
> > -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
> > -index fb99132..51a0883 100644
> > ---- a/source3/libads/ldap.c
> > -+++ b/source3/libads/ldap.c
> > -@@ -1927,6 +1927,66 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
> > - }
> > -
> > - /**
> > -+ * @brief This gets the service principal names of an existing computer account.
> > -+ *
> > -+ * @param[in] mem_ctx The memory context to use to allocate the spn array.
> > -+ *
> > -+ * @param[in] ads The ADS context to use.
> > -+ *
> > -+ * @param[in] machine_name The NetBIOS name of the computer, which is used to
> > -+ * identify the computer account.
> > -+ *
> > -+ * @param[in] spn_array A pointer to store the array for SPNs.
> > -+ *
> > -+ * @param[in] num_spns The number of principals stored in the array.
> > -+ *
> > -+ * @return 0 on success, or a ADS error if a failure occured.
> > -+ */
> > -+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
> > -+ ADS_STRUCT *ads,
> > -+ const char *machine_name,
> > -+ char ***spn_array,
> > -+ size_t *num_spns)
> > -+{
> > -+ ADS_STATUS status;
> > -+ LDAPMessage *res = NULL;
> > -+ char *dn;
> > -+ int count;
> > -+
> > -+ status = ads_find_machine_acct(ads,
> > -+ &res,
> > -+ machine_name);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
> > -+ machine_name));
> > -+ return status;
> > -+ }
> > -+
> > -+ count = ads_count_replies(ads, res);
> > -+ if (count != 1) {
> > -+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
> > -+ goto done;
> > -+ }
> > -+
> > -+ dn = ads_get_dn(ads, mem_ctx, res);
> > -+ if (dn == NULL) {
> > -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> > -+ goto done;
> > -+ }
> > -+
> > -+ *spn_array = ads_pull_strings(ads,
> > -+ mem_ctx,
> > -+ res,
> > -+ "servicePrincipalName",
> > -+ num_spns);
> > -+
> > -+done:
> > -+ ads_msgfree(ads, res);
> > -+
> > -+ return status;
> > -+}
> > -+
> > -+/**
> > - * This adds a service principal name to an existing computer account
> > - * (found by hostname) in AD.
> > - * @param ads An initialized ADS_STRUCT
> > ---
> > -2.1.0
> > -
> > -
> > -From ed3b6536e1027a26d7983942f62677aa2bc0e93c Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Wed, 24 Sep 2014 09:23:58 +0200
> > -Subject: [PATCH 2/4] s3-libads: Add function to search for an element in an
> > - array.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > -(cherry picked from commit e1ee4c8bc7018db7787dd9a0be6d3aa40a477ee2)
> > ----
> > - source3/libads/ads_proto.h | 2 ++
> > - source3/libads/ldap.c | 31 +++++++++++++++++++++++++++++++
> > - 2 files changed, 33 insertions(+)
> > -
> > -diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
> > -index 6a22807..1e34247 100644
> > ---- a/source3/libads/ads_proto.h
> > -+++ b/source3/libads/ads_proto.h
> > -@@ -88,6 +88,8 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
> > - uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
> > - uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
> > -
> > -+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el);
> > -+
> > - ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
> > - ADS_STRUCT *ads,
> > - const char *machine_name,
> > -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
> > -index 51a0883..8d104c2 100644
> > ---- a/source3/libads/ldap.c
> > -+++ b/source3/libads/ldap.c
> > -@@ -1927,6 +1927,37 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
> > - }
> > -
> > - /**
> > -+ * @brief Search for an element in a string array.
> > -+ *
> > -+ * @param[in] el_array The string array to search.
> > -+ *
> > -+ * @param[in] num_el The number of elements in the string array.
> > -+ *
> > -+ * @param[in] el The string to search.
> > -+ *
> > -+ * @return True if found, false if not.
> > -+ */
> > -+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
> > -+{
> > -+ size_t i;
> > -+
> > -+ if (el_array == NULL || num_el == 0 || el == NULL) {
> > -+ return false;
> > -+ }
> > -+
> > -+ for (i = 0; i < num_el && el_array[i] != NULL; i++) {
> > -+ int cmp;
> > -+
> > -+ cmp = strcasecmp_m(el_array[i], el);
> > -+ if (cmp == 0) {
> > -+ return true;
> > -+ }
> > -+ }
> > -+
> > -+ return false;
> > -+}
> > -+
> > -+/**
> > - * @brief This gets the service principal names of an existing computer account.
> > - *
> > - * @param[in] mem_ctx The memory context to use to allocate the spn array.
> > ---
> > -2.1.0
> > -
> > -
> > -From 11700f1398d6197a99c686f1a43b45d6305ceae8 Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Fri, 26 Sep 2014 03:09:08 +0200
> > -Subject: [PATCH 3/4] s3-libnet: Add libnet_join_get_machine_spns().
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > -(cherry picked from commit 7e0b8fcce5572c88d50993a1dbd90f65638ba90f)
> > ----
> > - source3/libnet/libnet_join.c | 20 ++++++++++++++++++++
> > - 1 file changed, 20 insertions(+)
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index 1418385..3611cc7 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -358,6 +358,26 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
> > - return status;
> > - }
> > -
> > -+static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
> > -+ struct libnet_JoinCtx *r,
> > -+ char ***spn_array,
> > -+ size_t *num_spns)
> > -+{
> > -+ ADS_STATUS status;
> > -+
> > -+ if (r->in.machine_name == NULL) {
> > -+ return ADS_ERROR_SYSTEM(EINVAL);
> > -+ }
> > -+
> > -+ status = ads_get_service_principal_names(mem_ctx,
> > -+ r->in.ads,
> > -+ r->in.machine_name,
> > -+ spn_array,
> > -+ num_spns);
> > -+
> > -+ return status;
> > -+}
> > -+
> > - /****************************************************************
> > - Set a machines dNSHostName and servicePrincipalName attributes
> > - ****************************************************************/
> > ---
> > -2.1.0
> > -
> > -
> > -From 472256e27ad5cb5e7657efaece71744269ca8d16 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 26 Sep 2014 03:35:43 +0200
> > -Subject: [PATCH 4/4] s3-libnet: Make sure we do not overwrite precreated SPNs.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -
> > -Autobuild-User(master): Günther Deschner <gd@samba.org>
> > -Autobuild-Date(master): Fri Sep 26 08:22:45 CEST 2014 on sn-devel-104
> > -
> > -(cherry picked from commit 0aacbe78bb40d76b65087c2a197c92b0101e625e)
> > ----
> > - source3/libnet/libnet_join.c | 39 ++++++++++++++++++++++++++++++++++++---
> > - 1 file changed, 36 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index 3611cc7..aa7b5cb 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -388,8 +388,10 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> > - ADS_STATUS status;
> > - ADS_MODLIST mods;
> > - fstring my_fqdn;
> > -- const char *spn_array[3] = {NULL, NULL, NULL};
> > -+ const char **spn_array = NULL;
> > -+ size_t num_spns = 0;
> > - char *spn = NULL;
> > -+ bool ok;
> > -
> > - /* Find our DN */
> > -
> > -@@ -398,6 +400,14 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> > - return status;
> > - }
> > -
> > -+ status = libnet_join_get_machine_spns(mem_ctx,
> > -+ r,
> > -+ discard_const_p(char **, &spn_array),
> > -+ &num_spns);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ DEBUG(5, ("Retrieving the servicePrincipalNames failed.\n"));
> > -+ }
> > -+
> > - /* Windows only creates HOST/shortname & HOST/fqdn. */
> > -
> > - spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
> > -@@ -407,7 +417,15 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> > - if (!strupper_m(spn)) {
> > - return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> > - }
> > -- spn_array[0] = spn;
> > -+
> > -+ ok = ads_element_in_array(spn_array, num_spns, spn);
> > -+ if (!ok) {
> > -+ ok = add_string_to_array(spn_array, spn,
> > -+ &spn_array, (int *)&num_spns);
> > -+ if (!ok) {
> > -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> > -+ }
> > -+ }
> > -
> > - if (!name_to_fqdn(my_fqdn, r->in.machine_name)
> > - || (strchr(my_fqdn, '.') == NULL)) {
> > -@@ -424,8 +442,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> > - if (!spn) {
> > - return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> > - }
> > -- spn_array[1] = spn;
> > -+
> > -+ ok = ads_element_in_array(spn_array, num_spns, spn);
> > -+ if (!ok) {
> > -+ ok = add_string_to_array(spn_array, spn,
> > -+ &spn_array, (int *)&num_spns);
> > -+ if (!ok) {
> > -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> > -+ }
> > -+ }
> > -+ }
> > -+
> > -+ /* make sure to NULL terminate the array */
> > -+ spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
> > -+ if (spn_array == NULL) {
> > -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> > - }
> > -+ spn_array[num_spns] = NULL;
> > -
> > - mods = ads_init_mods(mem_ctx);
> > - if (!mods) {
> > ---
> > -2.1.0
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
> > deleted file mode 100644
> > index 2174e15..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
> > +++ /dev/null
> > @@ -1,159 +0,0 @@
> > -From 3516236ec6eb42f29eda42542b109fa10217e68c Mon Sep 17 00:00:00 2001
> > -From: Andreas Schneider <asn@samba.org>
> > -Date: Wed, 24 Sep 2014 10:51:33 +0200
> > -Subject: [PATCH] s3-libads: Add all machine account principals to the keytab.
> > -
> > -This adds all SPNs defined in the DC for the computer account to the
> > -keytab using 'net ads keytab create -P'.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9985
> > -
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > -(cherry picked from commit 5d58b92f8fcbc509f4fe2bd3617bcaeada1806b6)
> > ----
> > - source3/libads/kerberos_keytab.c | 74 ++++++++++++++++++++++++++++------------
> > - 1 file changed, 52 insertions(+), 22 deletions(-)
> > -
> > -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
> > -index 83df088..d13625b 100644
> > ---- a/source3/libads/kerberos_keytab.c
> > -+++ b/source3/libads/kerberos_keytab.c
> > -@@ -507,20 +507,57 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> > - krb5_kt_cursor cursor;
> > - krb5_keytab_entry kt_entry;
> > - krb5_kvno kvno;
> > -- int i, found = 0;
> > -+ size_t found = 0;
> > - char *sam_account_name, *upn;
> > - char **oldEntries = NULL, *princ_s[26];
> > -- TALLOC_CTX *tmpctx = NULL;
> > -+ TALLOC_CTX *frame;
> > - char *machine_name;
> > -+ char **spn_array;
> > -+ size_t num_spns;
> > -+ size_t i;
> > -+ ADS_STATUS status;
> > -
> > -- /* these are the main ones we need */
> > -- ret = ads_keytab_add_entry(ads, "host");
> > -- if (ret != 0) {
> > -- DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
> > -- "adding 'host' principal.\n"));
> > -- return ret;
> > -+ frame = talloc_stackframe();
> > -+ if (frame == NULL) {
> > -+ ret = -1;
> > -+ goto done;
> > -+ }
> > -+
> > -+ status = ads_get_service_principal_names(frame,
> > -+ ads,
> > -+ lp_netbios_name(),
> > -+ &spn_array,
> > -+ &num_spns);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ ret = -1;
> > -+ goto done;
> > - }
> > -
> > -+ for (i = 0; i < num_spns; i++) {
> > -+ char *srv_princ;
> > -+ char *p;
> > -+
> > -+ srv_princ = strlower_talloc(frame, spn_array[i]);
> > -+ if (srv_princ == NULL) {
> > -+ ret = -1;
> > -+ goto done;
> > -+ }
> > -+
> > -+ p = strchr_m(srv_princ, '/');
> > -+ if (p == NULL) {
> > -+ continue;
> > -+ }
> > -+ p[0] = '\0';
> > -+
> > -+ /* Add the SPNs found on the DC */
> > -+ ret = ads_keytab_add_entry(ads, srv_princ);
> > -+ if (ret != 0) {
> > -+ DEBUG(1, ("ads_keytab_add_entry failed while "
> > -+ "adding '%s' principal.\n",
> > -+ spn_array[i]));
> > -+ goto done;
> > -+ }
> > -+ }
> > -
> > - #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
> > - really needs them and we will fall back to verifying against
> > -@@ -543,24 +580,17 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> > - if (ret) {
> > - DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
> > - error_message(ret)));
> > -- return ret;
> > -- }
> > --
> > -- tmpctx = talloc_init(__location__);
> > -- if (!tmpctx) {
> > -- DEBUG(0, (__location__ ": talloc_init() failed!\n"));
> > -- ret = -1;
> > - goto done;
> > - }
> > -
> > -- machine_name = talloc_strdup(tmpctx, lp_netbios_name());
> > -+ machine_name = talloc_strdup(frame, lp_netbios_name());
> > - if (!machine_name) {
> > - ret = -1;
> > - goto done;
> > - }
> > -
> > - /* now add the userPrincipalName and sAMAccountName entries */
> > -- sam_account_name = ads_get_samaccountname(ads, tmpctx, machine_name);
> > -+ sam_account_name = ads_get_samaccountname(ads, frame, machine_name);
> > - if (!sam_account_name) {
> > - DEBUG(0, (__location__ ": unable to determine machine "
> > - "account's name in AD!\n"));
> > -@@ -584,7 +614,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> > - }
> > -
> > - /* remember that not every machine account will have a upn */
> > -- upn = ads_get_upn(ads, tmpctx, machine_name);
> > -+ upn = ads_get_upn(ads, frame, machine_name);
> > - if (upn) {
> > - ret = ads_keytab_add_entry(ads, upn);
> > - if (ret != 0) {
> > -@@ -596,7 +626,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> > -
> > - /* Now loop through the keytab and update any other existing entries */
> > - kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
> > -- if (kvno == -1) {
> > -+ if (kvno == (krb5_kvno)-1) {
> > - DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
> > - "determine the system's kvno.\n"));
> > - goto done;
> > -@@ -629,12 +659,12 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> > - * have a race condition where someone else could add entries after
> > - * we've counted them. Re-open asap to minimise the race. JRA.
> > - */
> > -- DEBUG(3, (__location__ ": Found %d entries in the keytab.\n", found));
> > -+ DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
> > - if (!found) {
> > - goto done;
> > - }
> > -
> > -- oldEntries = talloc_array(tmpctx, char *, found);
> > -+ oldEntries = talloc_array(frame, char *, found);
> > - if (!oldEntries) {
> > - DEBUG(1, (__location__ ": Failed to allocate space to store "
> > - "the old keytab entries (talloc failed?).\n"));
> > -@@ -708,7 +738,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> > -
> > - done:
> > - TALLOC_FREE(oldEntries);
> > -- TALLOC_FREE(tmpctx);
> > -+ TALLOC_FREE(frame);
> > -
> > - {
> > - krb5_keytab_entry zero_kt_entry;
> > ---
> > -2.1.0
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
> > deleted file mode 100644
> > index a939e70..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
> > +++ /dev/null
> > @@ -1,988 +0,0 @@
> > -From cbef7b5e10f4477d9f2e648ac6c654eef1165b82 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 24 Sep 2014 22:16:20 +0200
> > -Subject: [PATCH 1/4] s3-net: add "net ads enctypes {list,set,delete}".
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source3/utils/net_ads.c | 308 ++++++++++++++++++++++++++++++++++++++++++++++++
> > - 1 file changed, 308 insertions(+)
> > -
> > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > -index 8b8e719..5f18bf4 100644
> > ---- a/source3/utils/net_ads.c
> > -+++ b/source3/utils/net_ads.c
> > -@@ -2860,6 +2860,306 @@ int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
> > - return net_run_function(c, argc, argv, "net ads kerberos", func);
> > - }
> > -
> > -+static int net_ads_enctype_lookup_account(struct net_context *c,
> > -+ ADS_STRUCT *ads,
> > -+ const char *account,
> > -+ LDAPMessage **res,
> > -+ const char **enctype_str)
> > -+{
> > -+ const char *filter;
> > -+ const char *attrs[] = {
> > -+ "msDS-SupportedEncryptionTypes",
> > -+ NULL
> > -+ };
> > -+ int count;
> > -+ int ret = -1;
> > -+ ADS_STATUS status;
> > -+
> > -+ filter = talloc_asprintf(c, "(&(objectclass=user)(sAMAccountName=%s))",
> > -+ account);
> > -+ if (filter == NULL) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ status = ads_search(ads, res, filter, attrs);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ d_printf(_("no account found with filter: %s\n"), filter);
> > -+ goto done;
> > -+ }
> > -+
> > -+ count = ads_count_replies(ads, *res);
> > -+ switch (count) {
> > -+ case 1:
> > -+ break;
> > -+ case 0:
> > -+ d_printf(_("no account found with filter: %s\n"), filter);
> > -+ goto done;
> > -+ default:
> > -+ d_printf(_("multiple accounts found with filter: %s\n"), filter);
> > -+ goto done;
> > -+ }
> > -+
> > -+ if (enctype_str) {
> > -+ *enctype_str = ads_pull_string(ads, c, *res,
> > -+ "msDS-SupportedEncryptionTypes");
> > -+ if (*enctype_str == NULL) {
> > -+ d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n"));
> > -+ goto done;
> > -+ }
> > -+ }
> > -+
> > -+ ret = 0;
> > -+ done:
> > -+ return ret;
> > -+}
> > -+
> > -+static void net_ads_enctype_dump_enctypes(const char *username,
> > -+ const char *enctype_str)
> > -+{
> > -+ int enctypes;
> > -+
> > -+ d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\":\n"), username);
> > -+
> > -+ enctypes = atoi(enctype_str);
> > -+
> > -+ printf("[%s] 0x%08x DES-CBC-CRC\n",
> > -+ enctypes & ENC_CRC32 ? "X" : " ",
> > -+ ENC_CRC32);
> > -+ printf("[%s] 0x%08x DES-CBC-MD5\n",
> > -+ enctypes & ENC_RSA_MD5 ? "X" : " ",
> > -+ ENC_RSA_MD5);
> > -+ printf("[%s] 0x%08x RC4-HMAC\n",
> > -+ enctypes & ENC_RC4_HMAC_MD5 ? "X" : " ",
> > -+ ENC_RC4_HMAC_MD5);
> > -+ printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n",
> > -+ enctypes & ENC_HMAC_SHA1_96_AES128 ? "X" : " ",
> > -+ ENC_HMAC_SHA1_96_AES128);
> > -+ printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n",
> > -+ enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ",
> > -+ ENC_HMAC_SHA1_96_AES256);
> > -+}
> > -+
> > -+static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
> > -+{
> > -+ int ret = -1;
> > -+ ADS_STATUS status;
> > -+ ADS_STRUCT *ads = NULL;
> > -+ LDAPMessage *res = NULL;
> > -+ const char *str = NULL;
> > -+
> > -+ if (c->display_usage || (argc < 1)) {
> > -+ d_printf( "%s\n"
> > -+ "net ads enctypes list\n"
> > -+ " %s\n",
> > -+ _("Usage:"),
> > -+ _("List supported enctypes"));
> > -+ return 0;
> > -+ }
> > -+
> > -+ status = ads_startup(c, false, &ads);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ printf("startup failed\n");
> > -+ return ret;
> > -+ }
> > -+
> > -+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
> > -+ if (ret) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ net_ads_enctype_dump_enctypes(argv[0], str);
> > -+
> > -+ ret = 0;
> > -+ done:
> > -+ ads_msgfree(ads, res);
> > -+ ads_destroy(&ads);
> > -+
> > -+ return ret;
> > -+}
> > -+
> > -+static int net_ads_enctypes_set(struct net_context *c, int argc, const char **argv)
> > -+{
> > -+ int ret = -1;
> > -+ ADS_STATUS status;
> > -+ ADS_STRUCT *ads;
> > -+ LDAPMessage *res = NULL;
> > -+ const char *etype_list_str;
> > -+ const char *dn;
> > -+ ADS_MODLIST mods;
> > -+ uint32_t etype_list;
> > -+ const char *str;
> > -+
> > -+ if (c->display_usage || argc < 1) {
> > -+ d_printf( "%s\n"
> > -+ "net ads enctypes set <sAMAccountName> [enctypes]\n"
> > -+ " %s\n",
> > -+ _("Usage:"),
> > -+ _("Set supported enctypes"));
> > -+ return 0;
> > -+ }
> > -+
> > -+ status = ads_startup(c, false, &ads);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ printf("startup failed\n");
> > -+ return ret;
> > -+ }
> > -+
> > -+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
> > -+ if (ret) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ dn = ads_get_dn(ads, c, res);
> > -+ if (dn == NULL) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
> > -+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
> > -+ etype_list |= ENC_HMAC_SHA1_96_AES128;
> > -+#endif
> > -+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
> > -+ etype_list |= ENC_HMAC_SHA1_96_AES256;
> > -+#endif
> > -+
> > -+ if (argv[1] != NULL) {
> > -+ sscanf(argv[1], "%i", &etype_list);
> > -+ }
> > -+
> > -+ etype_list_str = talloc_asprintf(c, "%d", etype_list);
> > -+ if (!etype_list_str) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ mods = ads_init_mods(c);
> > -+ if (!mods) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes",
> > -+ etype_list_str);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ status = ads_gen_mod(ads, dn, mods);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"),
> > -+ ads_errstr(status));
> > -+ goto done;
> > -+ }
> > -+
> > -+ ads_msgfree(ads, res);
> > -+
> > -+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
> > -+ if (ret) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ net_ads_enctype_dump_enctypes(argv[0], str);
> > -+
> > -+ ret = 0;
> > -+ done:
> > -+ ads_msgfree(ads, res);
> > -+ ads_destroy(&ads);
> > -+
> > -+ return ret;
> > -+}
> > -+
> > -+static int net_ads_enctypes_delete(struct net_context *c, int argc, const char **argv)
> > -+{
> > -+ int ret = -1;
> > -+ ADS_STATUS status;
> > -+ ADS_STRUCT *ads;
> > -+ LDAPMessage *res = NULL;
> > -+ const char *dn;
> > -+ ADS_MODLIST mods;
> > -+
> > -+ if (c->display_usage || argc < 1) {
> > -+ d_printf( "%s\n"
> > -+ "net ads enctypes delete <sAMAccountName>\n"
> > -+ " %s\n",
> > -+ _("Usage:"),
> > -+ _("Delete supported enctypes"));
> > -+ return 0;
> > -+ }
> > -+
> > -+ status = ads_startup(c, false, &ads);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ printf("startup failed\n");
> > -+ return ret;
> > -+ }
> > -+
> > -+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
> > -+ if (ret) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ dn = ads_get_dn(ads, c, res);
> > -+ if (dn == NULL) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ mods = ads_init_mods(c);
> > -+ if (!mods) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes", NULL);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ goto done;
> > -+ }
> > -+
> > -+ status = ads_gen_mod(ads, dn, mods);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"),
> > -+ ads_errstr(status));
> > -+ goto done;
> > -+ }
> > -+
> > -+ ret = 0;
> > -+
> > -+ done:
> > -+ ads_msgfree(ads, res);
> > -+ ads_destroy(&ads);
> > -+ return ret;
> > -+}
> > -+
> > -+static int net_ads_enctypes(struct net_context *c, int argc, const char **argv)
> > -+{
> > -+ struct functable func[] = {
> > -+ {
> > -+ "list",
> > -+ net_ads_enctypes_list,
> > -+ NET_TRANSPORT_ADS,
> > -+ N_("List the supported encryption types"),
> > -+ N_("net ads enctypes list\n"
> > -+ " List the supported encryption types")
> > -+ },
> > -+ {
> > -+ "set",
> > -+ net_ads_enctypes_set,
> > -+ NET_TRANSPORT_ADS,
> > -+ N_("Set the supported encryption types"),
> > -+ N_("net ads enctypes set\n"
> > -+ " Set the supported encryption types")
> > -+ },
> > -+ {
> > -+ "delete",
> > -+ net_ads_enctypes_delete,
> > -+ NET_TRANSPORT_ADS,
> > -+ N_("Delete the supported encryption types"),
> > -+ N_("net ads enctypes delete\n"
> > -+ " Delete the supported encryption types")
> > -+ },
> > -+
> > -+ {NULL, NULL, 0, NULL, NULL}
> > -+ };
> > -+
> > -+ return net_run_function(c, argc, argv, "net ads enctypes", func);
> > -+}
> > -+
> > -+
> > - int net_ads(struct net_context *c, int argc, const char **argv)
> > - {
> > - struct functable func[] = {
> > -@@ -3015,6 +3315,14 @@ int net_ads(struct net_context *c, int argc, const char **argv)
> > - N_("net ads kerberos\n"
> > - " Manage kerberos keytab")
> > - },
> > -+ {
> > -+ "enctypes",
> > -+ net_ads_enctypes,
> > -+ NET_TRANSPORT_ADS,
> > -+ N_("List/modify supported encryption types"),
> > -+ N_("net ads enctypes\n"
> > -+ " List/modify enctypes")
> > -+ },
> > - {NULL, NULL, 0, NULL, NULL}
> > - };
> > -
> > ---
> > -1.9.3
> > -
> > -
> > -From a19f1e51bd7d48b238ad22ec9e27af53dfa5bf44 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Wed, 24 Sep 2014 23:36:19 +0200
> > -Subject: [PATCH 2/4] s3-net: add manpage documentation for "net ads enctypes".
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - docs-xml/manpages/net.8.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++
> > - 1 file changed, 53 insertions(+)
> > -
> > -diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
> > -index f39b420..9e982e3 100644
> > ---- a/docs-xml/manpages/net.8.xml
> > -+++ b/docs-xml/manpages/net.8.xml
> > -@@ -1339,6 +1339,59 @@ to show in the result.
> > - </refsect2>
> > -
> > - <refsect2>
> > -+ <title>ADS ENCTYPES</title>
> > -+
> > -+<para>
> > -+ List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
> > -+</para>
> > -+
> > -+<para>
> > -+ This attribute allows to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
> > -+</para>
> > -+
> > -+<para>0x00000001 DES-CBC-CRC</para>
> > -+<para>0x00000002 DES-CBC-MD5</para>
> > -+<para>0x00000004 RC4-HMAC</para>
> > -+<para>0x00000008 AES128-CTS-HMAC-SHA1-96</para>
> > -+<para>0x00000010 AES256-CTS-HMAC-SHA1-96</para>
> > -+
> > -+</refsect2>
> > -+
> > -+<refsect2>
> > -+ <title>ADS ENCTYPES LIST <replaceable><ACCOUNTNAME></replaceable></title>
> > -+
> > -+<para>
> > -+ List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
> > -+</para>
> > -+
> > -+<para>Example: <userinput>net ads enctypes list Computername</userinput></para>
> > -+
> > -+</refsect2>
> > -+
> > -+<refsect2>
> > -+ <title>ADS ENCTYPES SET <replaceable><ACCOUNTNAME></replaceable> <replaceable>[enctypes]</replaceable></title>
> > -+
> > -+<para>
> > -+ Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is ommitted, the value is set to 31 which enables all the currently supported encryption types.
> > -+</para>
> > -+
> > -+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
> > -+
> > -+</refsect2>
> > -+
> > -+<refsect2>
> > -+ <title>ADS ENCTYPES DELETE <replaceable><ACCOUNTNAME></replaceable></title>
> > -+
> > -+<para>
> > -+ Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
> > -+</para>
> > -+
> > -+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
> > -+
> > -+</refsect2>
> > -+
> > -+
> > -+<refsect2>
> > - <title>SAM CREATEBUILTINGROUP <NAME></title>
> > -
> > - <para>
> > ---
> > -1.9.3
> > -
> > -
> > -From 0f42d123afde57ee74d89bdc742185cef718cf0f Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 23 Nov 2012 12:34:27 +0100
> > -Subject: [PATCH 3/4] s3-libnet: set list of allowed krb5 encryption types in
> > - AD >= 2008.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > ----
> > - source3/libnet/libnet_join.c | 65 ++++++++++++++++++++++++++++++++++++++++++++
> > - 1 file changed, 65 insertions(+)
> > -
> > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > -index 381a59c..e70e11a 100644
> > ---- a/source3/libnet/libnet_join.c
> > -+++ b/source3/libnet/libnet_join.c
> > -@@ -605,6 +605,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
> > - /****************************************************************
> > - ****************************************************************/
> > -
> > -+static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
> > -+ struct libnet_JoinCtx *r)
> > -+{
> > -+ ADS_STATUS status;
> > -+ ADS_MODLIST mods;
> > -+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
> > -+ const char *etype_list_str;
> > -+
> > -+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
> > -+ etype_list |= ENC_HMAC_SHA1_96_AES128;
> > -+#endif
> > -+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
> > -+ etype_list |= ENC_HMAC_SHA1_96_AES256;
> > -+#endif
> > -+
> > -+ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
> > -+ if (!etype_list_str) {
> > -+ return ADS_ERROR(LDAP_NO_MEMORY);
> > -+ }
> > -+
> > -+ /* Find our DN */
> > -+
> > -+ status = libnet_join_find_machine_acct(mem_ctx, r);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ /* now do the mods */
> > -+
> > -+ mods = ads_init_mods(mem_ctx);
> > -+ if (!mods) {
> > -+ return ADS_ERROR(LDAP_NO_MEMORY);
> > -+ }
> > -+
> > -+ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
> > -+ etype_list_str);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ return status;
> > -+ }
> > -+
> > -+ return ads_gen_mod(r->in.ads, r->out.dn, mods);
> > -+}
> > -+
> > -+/****************************************************************
> > -+****************************************************************/
> > -+
> > - static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
> > - struct libnet_JoinCtx *r)
> > - {
> > -@@ -679,6 +725,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
> > - struct libnet_JoinCtx *r)
> > - {
> > - ADS_STATUS status;
> > -+ uint32_t func_level = 0;
> > -
> > - if (!r->in.ads) {
> > - status = libnet_join_connect_ads(mem_ctx, r);
> > -@@ -713,6 +760,24 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
> > - return status;
> > - }
> > -
> > -+ status = ads_domain_func_level(r->in.ads, &func_level);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ libnet_join_set_error_string(mem_ctx, r,
> > -+ "failed to query domain controller functional level: %s",
> > -+ ads_errstr(status));
> > -+ return status;
> > -+ }
> > -+
> > -+ if (func_level >= DS_DOMAIN_FUNCTION_2008) {
> > -+ status = libnet_join_set_etypes(mem_ctx, r);
> > -+ if (!ADS_ERR_OK(status)) {
> > -+ libnet_join_set_error_string(mem_ctx, r,
> > -+ "failed to set machine kerberos encryption types: %s",
> > -+ ads_errstr(status));
> > -+ return status;
> > -+ }
> > -+ }
> > -+
> > - if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
> > - return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
> > - }
> > ---
> > -1.9.3
> > -
> > -
> > -From adb206481ac56c8f438e70f7b9e986aeba9586b1 Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Fri, 26 Sep 2014 21:06:38 +0200
> > -Subject: [PATCH 4/4] s4-auth/kerberos: fix salting principal, make sure
> > - hostname is lowercase.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Found at MS interop event while working on AES kerberos key support.
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > ----
> > - source4/auth/kerberos/srv_keytab.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c
> > -index d81e27d..3baba14 100644
> > ---- a/source4/auth/kerberos/srv_keytab.c
> > -+++ b/source4/auth/kerberos/srv_keytab.c
> > -@@ -143,7 +143,7 @@ static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx,
> > - return ENOMEM;
> > - }
> > -
> > -- machine_username = talloc_strdup(tmp_ctx, samAccountName);
> > -+ machine_username = strlower_talloc(tmp_ctx, samAccountName);
> > - if (!machine_username) {
> > - *error_string = "Cannot duplicate samAccountName";
> > - talloc_free(tmp_ctx);
> > ---
> > -1.9.3
> > -
> > -From d423e8b759af2e0a7cdce39d3f7a6c8d9c1764b4 Mon Sep 17 00:00:00 2001
> > -From: Jeremy Allison <jra@samba.org>
> > -Date: Mon, 16 Jun 2014 22:49:29 -0700
> > -Subject: [PATCH 1/5] s3: auth: Add some const to the struct netr_SamInfo3 *
> > - arguments of copy_netr_SamInfo3() and make_server_info_info3()
> > -
> > -Both functions only read from the struct netr_SamInfo3 * argument.
> > -
> > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> > -Reviewed-by: Simo Sorce <idra@samba.org>
> > -
> > -Conflicts:
> > - source3/auth/proto.h
> > - source3/auth/server_info.c
> > ----
> > - source3/auth/auth_util.c | 2 +-
> > - source3/auth/proto.h | 4 ++--
> > - source3/auth/server_info.c | 2 +-
> > - 3 files changed, 4 insertions(+), 4 deletions(-)
> > -
> > -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> > -index ceaa706..afa78ec 100644
> > ---- a/source3/auth/auth_util.c
> > -+++ b/source3/auth/auth_util.c
> > -@@ -1369,7 +1369,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
> > - const char *sent_nt_username,
> > - const char *domain,
> > - struct auth_serversupplied_info **server_info,
> > -- struct netr_SamInfo3 *info3)
> > -+ const struct netr_SamInfo3 *info3)
> > - {
> > - static const char zeros[16] = {0, };
> > -
> > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > -index 76661fc..6ec206e 100644
> > ---- a/source3/auth/proto.h
> > -+++ b/source3/auth/proto.h
> > -@@ -232,7 +232,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
> > - const char *sent_nt_username,
> > - const char *domain,
> > - struct auth_serversupplied_info **server_info,
> > -- struct netr_SamInfo3 *info3);
> > -+ const struct netr_SamInfo3 *info3);
> > - struct wbcAuthUserInfo;
> > - NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
> > - const char *sent_nt_username,
> > -@@ -287,7 +287,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > - const struct passwd *pwd,
> > - struct netr_SamInfo3 **pinfo3);
> > - struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> > -- struct netr_SamInfo3 *orig);
> > -+ const struct netr_SamInfo3 *orig);
> > - struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> > - const struct wbcAuthUserInfo *info);
> > -
> > -diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
> > -index d2b7d6e..066b9a8 100644
> > ---- a/source3/auth/server_info.c
> > -+++ b/source3/auth/server_info.c
> > -@@ -445,7 +445,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > - } } while(0)
> > -
> > - struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> > -- struct netr_SamInfo3 *orig)
> > -+ const struct netr_SamInfo3 *orig)
> > - {
> > - struct netr_SamInfo3 *info3;
> > - unsigned int i;
> > ---
> > -1.9.3
> > -
> > -
> > -From cab0cda9df0bb0eda2d7957c0bb8dbcb51ba7ef7 Mon Sep 17 00:00:00 2001
> > -From: Jeremy Allison <jra@samba.org>
> > -Date: Mon, 16 Jun 2014 22:54:45 -0700
> > -Subject: [PATCH 2/5] s3: auth: Change make_server_info_info3() to take a const
> > - struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
> > -
> > -make_server_info_info3() only reads from the info3 pointer.
> > -
> > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> > -Reviewed-by: Simo Sorce <idra@samba.org>
> > ----
> > - source3/auth/auth_generic.c | 2 +-
> > - source3/auth/proto.h | 2 +-
> > - source3/auth/user_krb5.c | 8 ++++----
> > - 3 files changed, 6 insertions(+), 6 deletions(-)
> > -
> > -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> > -index a2ba4e3..2880bc9 100644
> > ---- a/source3/auth/auth_generic.c
> > -+++ b/source3/auth/auth_generic.c
> > -@@ -112,7 +112,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> > -
> > - status = make_session_info_krb5(mem_ctx,
> > - ntuser, ntdomain, username, pw,
> > -- logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
> > -+ &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
> > - session_info);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
> > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > -index 6ec206e..75d1097 100644
> > ---- a/source3/auth/proto.h
> > -+++ b/source3/auth/proto.h
> > -@@ -357,7 +357,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > - char *ntdomain,
> > - char *username,
> > - struct passwd *pw,
> > -- struct PAC_LOGON_INFO *logon_info,
> > -+ const struct netr_SamInfo3 *info3,
> > - bool mapped_to_guest, bool username_was_mapped,
> > - DATA_BLOB *session_key,
> > - struct auth_session_info **session_info);
> > -diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
> > -index 974a8aa..0a538b4 100644
> > ---- a/source3/auth/user_krb5.c
> > -+++ b/source3/auth/user_krb5.c
> > -@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > - char *ntdomain,
> > - char *username,
> > - struct passwd *pw,
> > -- struct PAC_LOGON_INFO *logon_info,
> > -+ const struct netr_SamInfo3 *info3,
> > - bool mapped_to_guest, bool username_was_mapped,
> > - DATA_BLOB *session_key,
> > - struct auth_session_info **session_info)
> > -@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > - return status;
> > - }
> > -
> > -- } else if (logon_info) {
> > -+ } else if (info3) {
> > - /* pass the unmapped username here since map_username()
> > - will be called again in make_server_info_info3() */
> > -
> > - status = make_server_info_info3(mem_ctx,
> > - ntuser, ntdomain,
> > - &server_info,
> > -- &logon_info->info3);
> > -+ info3);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(1, ("make_server_info_info3 failed: %s!\n",
> > - nt_errstr(status)));
> > -@@ -299,7 +299,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > - char *ntdomain,
> > - char *username,
> > - struct passwd *pw,
> > -- struct PAC_LOGON_INFO *logon_info,
> > -+ const struct netr_SamInfo3 *info3,
> > - bool mapped_to_guest, bool username_was_mapped,
> > - DATA_BLOB *session_key,
> > - struct auth_session_info **session_info)
> > ---
> > -1.9.3
> > -
> > -
> > -From 102335441aaa7967367abcc5690fe7229807546a Mon Sep 17 00:00:00 2001
> > -From: Jeremy Allison <jra@samba.org>
> > -Date: Mon, 16 Jun 2014 23:11:58 -0700
> > -Subject: [PATCH 3/5] s3: auth: Add create_info3_from_pac_logon_info() to
> > - create a new info3 and merge resource group SIDs into it.
> > -
> > -Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.
> > -
> > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> > -Reviewed-by: Simo Sorce <idra@samba.org>
> > ----
> > - source3/auth/proto.h | 3 ++
> > - source3/auth/server_info.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++
> > - 2 files changed, 80 insertions(+)
> > -
> > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > -index 75d1097..cc51698 100644
> > ---- a/source3/auth/proto.h
> > -+++ b/source3/auth/proto.h
> > -@@ -281,6 +281,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
> > - struct netr_SamInfo3 *sam3);
> > - NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
> > - struct netr_SamInfo6 *sam6);
> > -+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
> > -+ const struct PAC_LOGON_INFO *logon_info,
> > -+ struct netr_SamInfo3 **pp_info3);
> > - NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > - struct samu *samu,
> > - const char *login_server,
> > -diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
> > -index 066b9a8..dc84794 100644
> > ---- a/source3/auth/server_info.c
> > -+++ b/source3/auth/server_info.c
> > -@@ -252,6 +252,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
> > - return NT_STATUS_OK;
> > - }
> > -
> > -+/*
> > -+ * Merge resource SIDs, if any, into the passed in info3 structure.
> > -+ */
> > -+
> > -+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
> > -+ struct netr_SamInfo3 *info3)
> > -+{
> > -+ uint32_t i = 0;
> > -+
> > -+ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
> > -+ return NT_STATUS_OK;
> > -+ }
> > -+
> > -+ /*
> > -+ * If there are any resource groups (SID Compression) add
> > -+ * them to the extra sids portion of the info3 in the PAC.
> > -+ *
> > -+ * This makes the info3 look like it would if we got the info
> > -+ * from the DC rather than the PAC.
> > -+ */
> > -+
> > -+ /*
> > -+ * Construct a SID for each RID in the list and then append it
> > -+ * to the info3.
> > -+ */
> > -+ for (i = 0; i < logon_info->res_groups.count; i++) {
> > -+ NTSTATUS status;
> > -+ struct dom_sid new_sid;
> > -+ uint32_t attributes = logon_info->res_groups.rids[i].attributes;
> > -+
> > -+ sid_compose(&new_sid,
> > -+ logon_info->res_group_dom_sid,
> > -+ logon_info->res_groups.rids[i].rid);
> > -+
> > -+ DEBUG(10, ("Adding SID %s to extra SIDS\n",
> > -+ sid_string_dbg(&new_sid)));
> > -+
> > -+ status = append_netr_SidAttr(info3, &info3->sids,
> > -+ &info3->sidcount,
> > -+ &new_sid,
> > -+ attributes);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
> > -+ sid_string_dbg(&new_sid),
> > -+ nt_errstr(status)));
> > -+ return status;
> > -+ }
> > -+ }
> > -+
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > -+/*
> > -+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
> > -+ * then merge resource SIDs, if any, into it. If successful return
> > -+ * the created info3 struct.
> > -+ */
> > -+
> > -+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
> > -+ const struct PAC_LOGON_INFO *logon_info,
> > -+ struct netr_SamInfo3 **pp_info3)
> > -+{
> > -+ NTSTATUS status;
> > -+ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
> > -+ &logon_info->info3);
> > -+ if (info3 == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ status = merge_resource_sids(logon_info, info3);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ TALLOC_FREE(info3);
> > -+ return status;
> > -+ }
> > -+ *pp_info3 = info3;
> > -+ return NT_STATUS_OK;
> > -+}
> > -+
> > - #define RET_NOMEM(ptr) do { \
> > - if (!ptr) { \
> > - TALLOC_FREE(info3); \
> > ---
> > -1.9.3
> > -
> > -
> > -From fda9cefd3d4a0808af67595631dd755d5b73aacf Mon Sep 17 00:00:00 2001
> > -From: Jeremy Allison <jra@samba.org>
> > -Date: Mon, 16 Jun 2014 23:15:21 -0700
> > -Subject: [PATCH 4/5] s3: auth: Change auth3_generate_session_info_pac() to use
> > - a copy of the info3 struct from the struct PAC_LOGON_INFO.
> > -
> > -Call create_info3_from_pac_logon_info() to add in any resource SIDs
> > -from the struct PAC_LOGON_INFO to the info3.
> > -
> > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> > -Reviewed-by: Simo Sorce <idra@samba.org>
> > ----
> > - source3/auth/auth_generic.c | 11 +++++++++--
> > - 1 file changed, 9 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> > -index 2880bc9..f841f0c 100644
> > ---- a/source3/auth/auth_generic.c
> > -+++ b/source3/auth/auth_generic.c
> > -@@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> > - {
> > - TALLOC_CTX *tmp_ctx;
> > - struct PAC_LOGON_INFO *logon_info = NULL;
> > -+ struct netr_SamInfo3 *info3_copy = NULL;
> > - bool is_mapped;
> > - bool is_guest;
> > - char *ntuser;
> > -@@ -101,7 +102,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> > -
> > - /* save the PAC data if we have it */
> > - if (logon_info) {
> > -- netsamlogon_cache_store(ntuser, &logon_info->info3);
> > -+ status = create_info3_from_pac_logon_info(tmp_ctx,
> > -+ logon_info,
> > -+ &info3_copy);
> > -+ if (!NT_STATUS_IS_OK(status)) {
> > -+ goto done;
> > -+ }
> > -+ netsamlogon_cache_store(ntuser, info3_copy);
> > - }
> > -
> > - /* setup the string used by %U */
> > -@@ -112,7 +119,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> > -
> > - status = make_session_info_krb5(mem_ctx,
> > - ntuser, ntdomain, username, pw,
> > -- &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
> > -+ info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
> > - session_info);
> > - if (!NT_STATUS_IS_OK(status)) {
> > - DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
> > ---
> > -1.9.3
> > -
> > -
> > -From 9ed711f88685fc2d4860c9d6b7fa651bd2a52558 Mon Sep 17 00:00:00 2001
> > -From: Jeremy Allison <jra@samba.org>
> > -Date: Mon, 16 Jun 2014 23:27:35 -0700
> > -Subject: [PATCH 5/5] s3: auth: Fix winbindd_pam_auth_pac_send() to create a
> > - new info3 and merge in resource groups from a trusted PAC.
> > -
> > -Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>.
> > -
> > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> > -Reviewed-by: Simo Sorce <idra@samba.org>
> > -
> > -Autobuild-User(master): Jeremy Allison <jra@samba.org>
> > -Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
> > ----
> > - source3/winbindd/winbindd_pam.c | 24 ++++++++++++++++++++++--
> > - 1 file changed, 22 insertions(+), 2 deletions(-)
> > -
> > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > -index c356686..0f1ca28 100644
> > ---- a/source3/winbindd/winbindd_pam.c
> > -+++ b/source3/winbindd/winbindd_pam.c
> > -@@ -2421,6 +2421,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
> > - struct winbindd_request *req = state->request;
> > - DATA_BLOB pac_blob;
> > - struct PAC_LOGON_INFO *logon_info = NULL;
> > -+ struct netr_SamInfo3 *info3_copy = NULL;
> > - NTSTATUS result;
> > -
> > - pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
> > -@@ -2434,7 +2435,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
> > -
> > - if (logon_info) {
> > - /* Signature verification succeeded, trust the PAC */
> > -- netsamlogon_cache_store(NULL, &logon_info->info3);
> > -+ result = create_info3_from_pac_logon_info(state->mem_ctx,
> > -+ logon_info,
> > -+ &info3_copy);
> > -+ if (!NT_STATUS_IS_OK(result)) {
> > -+ return result;
> > -+ }
> > -+ netsamlogon_cache_store(NULL, info3_copy);
> > -
> > - } else {
> > - /* Try without signature verification */
> > -@@ -2446,9 +2453,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
> > - nt_errstr(result)));
> > - return result;
> > - }
> > -+ if (logon_info) {
> > -+ /*
> > -+ * Don't strictly need to copy here,
> > -+ * but it makes it explicit we're
> > -+ * returning a copy talloc'ed off
> > -+ * the state->mem_ctx.
> > -+ */
> > -+ info3_copy = copy_netr_SamInfo3(state->mem_ctx,
> > -+ &logon_info->info3);
> > -+ if (info3_copy == NULL) {
> > -+ return NT_STATUS_NO_MEMORY;
> > -+ }
> > -+ }
> > - }
> > -
> > -- *info3 = &logon_info->info3;
> > -+ *info3 = info3_copy;
> > -
> > - return NT_STATUS_OK;
> > - }
> > ---
> > -1.9.3
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
> > deleted file mode 100644
> > index 071069b..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
> > +++ /dev/null
> > @@ -1,51 +0,0 @@
> > -From 3bf805a38a1b901a55b08118ec04097d9787497c Mon Sep 17 00:00:00 2001
> > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > -Date: Mon, 29 Sep 2014 17:16:15 +0200
> > -Subject: [PATCH] s3-net: Force libkrb5 locator to use the same KDC for join
> > - and DNS update.
> > -MIME-Version: 1.0
> > -Content-Type: text/plain; charset=UTF-8
> > -Content-Transfer-Encoding: 8bit
> > -
> > -Guenther
> > -
> > -Signed-off-by: Günther Deschner <gd@samba.org>
> > ----
> > - source3/utils/net_ads.c | 21 +++++++++++++++++++++
> > - 1 file changed, 21 insertions(+)
> > -
> > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > -index e96377f..efbc3d2 100644
> > ---- a/source3/utils/net_ads.c
> > -+++ b/source3/utils/net_ads.c
> > -@@ -1566,6 +1566,27 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
> > - * If the dns update fails, we still consider the join
> > - * operation as succeeded if we came this far.
> > - */
> > -+
> > -+ if (r->out.dns_domain_name != NULL) {
> > -+
> > -+ /* Avoid potential libkrb5 issues finding a good KDC when we
> > -+ * already found one during the join. When the locator plugin is
> > -+ * installed (but winbind is not yet running) make sure we can
> > -+ * force libkrb5 to reuse that KDC. - gd */
> > -+
> > -+ char *env;
> > -+
> > -+ env = talloc_asprintf_strupper_m(r,
> > -+ "WINBINDD_LOCATOR_KDC_ADDRESS_%s",
> > -+ r->out.dns_domain_name);
> > -+ if (env == NULL) {
> > -+ return -1;
> > -+ }
> > -+
> > -+ setenv(env, r->in.ads->auth.kdc_server, 0);
> > -+ setenv("_NO_WINBINDD", "1", 0);
> > -+ }
> > -+
> > - _net_ads_join_dns_updates(c, ctx, r);
> > -
> > - TALLOC_FREE(r);
> > ---
> > -1.9.3
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
> > deleted file mode 100644
> > index 9721afa..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
> > +++ /dev/null
> > @@ -1,154 +0,0 @@
> > -From 170166b8a0076089c6a8505f53a22f5b72c15786 Mon Sep 17 00:00:00 2001
> > -From: Jeremy Allison <jra@samba.org>
> > -Date: Tue, 28 Oct 2014 11:55:30 -0700
> > -Subject: [PATCH] s3-nmbd: Fix netbios name truncation.
> > -
> > -Try and cope with truncation more intelligently.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10896
> > -
> > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -(cherry picked from commit 6adcc7bffd5e1474ecba04d2328955c0b208cabc)
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/nmbd/nmbd_nameregister.c | 76 +++++++++++++++++++++++++++++++++++-----
> > - 1 file changed, 68 insertions(+), 8 deletions(-)
> > -
> > -diff --git a/source3/nmbd/nmbd_nameregister.c b/source3/nmbd/nmbd_nameregister.c
> > -index 71c4751..8b078e6 100644
> > ---- a/source3/nmbd/nmbd_nameregister.c
> > -+++ b/source3/nmbd/nmbd_nameregister.c
> > -@@ -482,17 +482,77 @@ void register_name(struct subnet_record *subrec,
> > - {
> > - struct nmb_name nmbname;
> > - nstring nname;
> > -+ size_t converted_size;
> > -
> > - errno = 0;
> > -- push_ascii_nstring(nname, name);
> > -- if (errno == E2BIG) {
> > -- unstring tname;
> > -- pull_ascii_nstring(tname, sizeof(tname), nname);
> > -- DEBUG(0,("register_name: NetBIOS name %s is too long. Truncating to %s\n",
> > -- name, tname));
> > -- make_nmb_name(&nmbname, tname, type);
> > -- } else {
> > -+ converted_size = push_ascii_nstring(nname, name);
> > -+ if (converted_size != (size_t)-1) {
> > -+ /* Success. */
> > - make_nmb_name(&nmbname, name, type);
> > -+ } else if (errno == E2BIG) {
> > -+ /*
> > -+ * Name converted to CH_DOS is too large.
> > -+ * try to truncate.
> > -+ */
> > -+ char *converted_str_dos = NULL;
> > -+ char *converted_str_unix = NULL;
> > -+ bool ok;
> > -+
> > -+ converted_size = 0;
> > -+
> > -+ ok = convert_string_talloc(talloc_tos(),
> > -+ CH_UNIX,
> > -+ CH_DOS,
> > -+ name,
> > -+ strlen(name)+1,
> > -+ &converted_str_dos,
> > -+ &converted_size);
> > -+ if (!ok) {
> > -+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
> > -+ "converted. Failing to register name.\n",
> > -+ name));
> > -+ return;
> > -+ }
> > -+
> > -+ /*
> > -+ * As it's now CH_DOS codepage
> > -+ * we truncate by writing '\0' at
> > -+ * MAX_NETBIOSNAME_LEN-1 and then
> > -+ * convert back to CH_UNIX which we
> > -+ * need for the make_nmb_name() call.
> > -+ */
> > -+ if (converted_size >= MAX_NETBIOSNAME_LEN) {
> > -+ converted_str_dos[MAX_NETBIOSNAME_LEN-1] = '\0';
> > -+ }
> > -+
> > -+ ok = convert_string_talloc(talloc_tos(),
> > -+ CH_DOS,
> > -+ CH_UNIX,
> > -+ converted_str_dos,
> > -+ strlen(converted_str_dos)+1,
> > -+ &converted_str_unix,
> > -+ &converted_size);
> > -+ if (!ok) {
> > -+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
> > -+ "converted back to CH_UNIX. "
> > -+ "Failing to register name.\n",
> > -+ converted_str_dos));
> > -+ TALLOC_FREE(converted_str_dos);
> > -+ return;
> > -+ }
> > -+
> > -+ make_nmb_name(&nmbname, converted_str_unix, type);
> > -+
> > -+ TALLOC_FREE(converted_str_dos);
> > -+ TALLOC_FREE(converted_str_unix);
> > -+ } else {
> > -+ /*
> > -+ * Generic conversion error. Fail to register.
> > -+ */
> > -+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
> > -+ "converted (%s). Failing to register name.\n",
> > -+ name, strerror(errno)));
> > -+ return;
> > - }
> > -
> > - /* Always set the NB_ACTIVE flag on the name we are
> > ---
> > -2.1.2
> > -
> > -From 653a1c312e6b85f1d8113beec52a27e0ba71ef79 Mon Sep 17 00:00:00 2001
> > -From: Jeremy Allison <jra@samba.org>
> > -Date: Fri, 31 Oct 2014 11:01:26 -0700
> > -Subject: [PATCH] s3: nmbd: Ensure NetBIOS names are only 15 characters stored.
> > -
> > -This screws up if the name is greater than MAX_NETBIOSNAME_LEN-1 in the
> > -unix charset, but less than or equal to MAX_NETBIOSNAME_LEN-1 in the DOS
> > -charset, but this is so old we have to live with that.
> > -
> > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10920
> > -
> > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > -
> > -(cherry picked from commit 7467f6e72cba214eeca75c34e9d9fba354c7ef31)
> > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > ----
> > - source3/lib/util_names.c | 10 +++++++++-
> > - 1 file changed, 9 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c
> > -index cf54a0e..1392b48 100644
> > ---- a/source3/lib/util_names.c
> > -+++ b/source3/lib/util_names.c
> > -@@ -60,7 +60,15 @@ static bool set_my_netbios_names(const char *name, int i)
> > - {
> > - SAFE_FREE(smb_my_netbios_names[i]);
> > -
> > -- smb_my_netbios_names[i] = SMB_STRDUP(name);
> > -+ /*
> > -+ * Don't include space for terminating '\0' in strndup,
> > -+ * it is automatically added. This screws up if the name
> > -+ * is greater than MAX_NETBIOSNAME_LEN-1 in the unix
> > -+ * charset, but less than or equal to MAX_NETBIOSNAME_LEN-1
> > -+ * in the DOS charset, but this is so old we have to live
> > -+ * with that.
> > -+ */
> > -+ smb_my_netbios_names[i] = SMB_STRNDUP(name, MAX_NETBIOSNAME_LEN-1);
> > - if (!smb_my_netbios_names[i])
> > - return False;
> > - return strupper_m(smb_my_netbios_names[i]);
> > ---
> > -2.1.2
> > -
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
> > deleted file mode 100644
> > index 447e243..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
> > +++ /dev/null
> > @@ -1,52 +0,0 @@
> > -Don't check xsltproc manpages
> > -
> > -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> > -
> > -diff -Nurp samba-4.1.12.orig/lib/ldb/wscript samba-4.1.12/lib/ldb/wscript
> > ---- samba-4.1.12.orig/lib/ldb/wscript 2014-07-28 16:13:45.000000000 +0900
> > -+++ samba-4.1.12/lib/ldb/wscript 2015-04-23 17:08:45.277000225 +0900
> > -@@ -56,7 +56,7 @@ def configure(conf):
> > - conf.define('USING_SYSTEM_PYLDB_UTIL', 1)
> > -
> > - if conf.env.standalone_ldb:
> > -- conf.CHECK_XSLTPROC_MANPAGES()
> > -+ #conf.CHECK_XSLTPROC_MANPAGES()
> > -
> > - # we need this for the ldap backend
> > - if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
> > -diff -Nurp samba-4.1.12.orig/lib/ntdb/wscript samba-4.1.12/lib/ntdb/wscript
> > ---- samba-4.1.12.orig/lib/ntdb/wscript 2013-12-05 18:16:48.000000000 +0900
> > -+++ samba-4.1.12/lib/ntdb/wscript 2015-04-23 17:09:17.680000274 +0900
> > -@@ -121,7 +121,7 @@ def configure(conf):
> > - Logs.warn('Disabling pyntdb as python devel libs not found')
> > - conf.env.disable_python = True
> > -
> > -- conf.CHECK_XSLTPROC_MANPAGES()
> > -+ #conf.CHECK_XSLTPROC_MANPAGES()
> > -
> > - # This make #include <ccan/...> work.
> > - conf.ADD_EXTRA_INCLUDES('''#lib''')
> > -diff -Nurp samba-4.1.12.orig/lib/talloc/wscript samba-4.1.12/lib/talloc/wscript
> > ---- samba-4.1.12.orig/lib/talloc/wscript 2013-12-05 18:16:48.000000000 +0900
> > -+++ samba-4.1.12/lib/talloc/wscript 2015-04-23 17:08:21.781000339 +0900
> > -@@ -55,7 +55,7 @@ def configure(conf):
> > - if conf.env.standalone_talloc:
> > - conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1
> > -
> > -- conf.CHECK_XSLTPROC_MANPAGES()
> > -+ #conf.CHECK_XSLTPROC_MANPAGES()
> > -
> > - if not conf.env.disable_python:
> > - # also disable if we don't have the python libs installed
> > -diff -Nurp samba-4.1.12.orig/lib/tdb/wscript samba-4.1.12/lib/tdb/wscript
> > ---- samba-4.1.12.orig/lib/tdb/wscript 2013-12-05 18:16:48.000000000 +0900
> > -+++ samba-4.1.12/lib/tdb/wscript 2015-04-23 17:09:02.538000343 +0900
> > -@@ -43,7 +43,7 @@ def configure(conf):
> > -
> > - conf.env.disable_python = getattr(Options.options, 'disable_python', False)
> > -
> > -- conf.CHECK_XSLTPROC_MANPAGES()
> > -+ #conf.CHECK_XSLTPROC_MANPAGES()
> > -
> > - if not conf.env.disable_python:
> > - # also disable if we don't have the python libs installed
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
> > deleted file mode 100644
> > index 1a31e0d..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
> > +++ /dev/null
> > @@ -1,22 +0,0 @@
> > -samba: execute prog on target directly is impossible.
> > -
> > -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> > -
> > -diff -Nurp samba-4.1.12.orig/lib/ccan/wscript samba-4.1.12/lib/ccan/wscript
> > ---- samba-4.1.12.orig/lib/ccan/wscript 2013-06-13 18:21:02.000000000 +0900
> > -+++ samba-4.1.12/lib/ccan/wscript 2015-04-27 14:26:25.123000238 +0900
> > -@@ -127,10 +127,10 @@ def configure(conf):
> > - # Only check for FILE_OFFSET_BITS=64 if off_t is normally small:
> > - # use raw routines because wrappers include previous _GNU_SOURCE
> > - # or _FILE_OFFSET_BITS defines.
> > -- conf.check(fragment="""#include <sys/types.h>
> > -- int main(void) { return !(sizeof(off_t) < 8); }""",
> > -- execute=True, msg='Checking for small off_t',
> > -- define_name='SMALL_OFF_T')
> > -+ conf.CHECK_CODE("""#include <sys/types.h>
> > -+ int main(void) { return !(sizeof(off_t) < 8); }""",
> > -+ link=True, execute=True, addmain=False, msg='Checking for small off_t',
> > -+ define='HAVE_SMALL_OFF_T')
> > - # Unreliable return value above, hence use define.
> > - if conf.CONFIG_SET('SMALL_OFF_T'):
> > - conf.check(fragment="""#include <sys/types.h>
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
> > deleted file mode 100644
> > index 83c42eb..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
> > +++ /dev/null
> > @@ -1,22 +0,0 @@
> > -waf trys to get package's configuration by native ncurses6-config.
> > -it will make native header files and library be used.
> > -
> > -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> > -
> > ---- samba-4.1.12.orig/source3/wscript_configure_system_ncurses 2013-12-05 18:16:48.000000000 +0900
> > -+++ samba-4.1.12/source3/wscript_configure_system_ncurses 2015-04-29 16:12:22.619000250 +0900
> > -@@ -2,14 +2,6 @@ import Logs, Options, sys
> > -
> > - Logs.info("Looking for ncurses features")
> > -
> > --conf.find_program('ncurses5-config', var='NCURSES_CONFIG')
> > --if not conf.env.NCURSES_CONFIG:
> > -- conf.find_program('ncurses6-config', var='NCURSES_CONFIG')
> > --
> > --if conf.env.NCURSES_CONFIG:
> > -- conf.check_cfg(path=conf.env.NCURSES_CONFIG, args="--cflags --libs",
> > -- package="", uselib_store="NCURSES")
> > --
> > - conf.CHECK_HEADERS('ncurses.h menu.h panel.h form.h', lib='ncurses')
> > -
> > - conf.CHECK_FUNCS_IN('initscr', 'ncurses')
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
> > deleted file mode 100644
> > index 8c4e2ad..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
> > +++ /dev/null
> > @@ -1,42 +0,0 @@
> > -systemd-daemon is contained by libsystemd, so we just need link libsystemd to
> > -obtain the implementation of systemd-daemon's function.
> > -
> > -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> > -
> > -diff -Nurp samba-4.1.12.orig/lib/util/wscript_build samba-4.1.12/lib/util/wscript_build
> > ---- samba-4.1.12.orig/lib/util/wscript_build 2014-09-08 18:26:14.000000000 +0900
> > -+++ samba-4.1.12/lib/util/wscript_build 2015-04-29 16:16:58.303000207 +0900
> > -@@ -10,7 +10,7 @@ bld.SAMBA_LIBRARY('samba-util',
> > - server_id.c dprintf.c parmlist.c bitmap.c pidfile.c
> > - tevent_debug.c util_process.c memcache.c''',
> > - deps='DYNCONFIG',
> > -- public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd-daemon',
> > -+ public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd',
> > - public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h dlinklist.h samba_util.h string_wrappers.h',
> > - header_path= [ ('dlinklist.h samba_util.h', '.'), ('*', 'util') ],
> > - local_include=False,
> > -diff -Nurp samba-4.1.12.orig/wscript samba-4.1.12/wscript
> > ---- samba-4.1.12.orig/wscript 2014-07-28 16:13:45.000000000 +0900
> > -+++ samba-4.1.12/wscript 2015-04-29 16:17:52.338000264 +0900
> > -@@ -183,16 +183,16 @@ def configure(conf):
> > - conf.env['ENABLE_PIE'] = True
> > -
> > - if Options.options.enable_systemd != False:
> > -- conf.check_cfg(package='libsystemd-daemon', args='--cflags --libs',
> > -- msg='Checking for libsystemd-daemon', uselib_store="SYSTEMD-DAEMON")
> > -- conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd-daemon')
> > -- conf.CHECK_LIB('systemd-daemon', shlib=True)
> > -+ conf.check_cfg(package='libsystemd', args='--cflags --libs',
> > -+ msg='Checking for libsystemd', uselib_store="SYSTEMD-DAEMON")
> > -+ conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd')
> > -+ conf.CHECK_LIB('systemd', shlib=True)
> > -
> > - if conf.CONFIG_SET('HAVE_SYSTEMD_SD_DAEMON_H'):
> > - conf.DEFINE('HAVE_SYSTEMD', '1')
> > - conf.env['ENABLE_SYSTEMD'] = True
> > - else:
> > -- conf.SET_TARGET_TYPE('systemd-daemon', 'EMPTY')
> > -+ conf.SET_TARGET_TYPE('systemd', 'EMPTY')
> > - conf.undefine('HAVE_SYSTEMD')
> > -
> > - conf.SAMBA_CONFIG_H('include/config.h')
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
> > deleted file mode 100644
> > index 4254e11..0000000
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
> > +++ /dev/null
> > @@ -1,10 +0,0 @@
> > ---- ./source4/auth/wscript_configure.orig 2015-11-19 19:53:11.022212181 +0100
> > -+++ ./source4/auth/wscript_configure 2015-11-19 19:53:17.466212205 +0100
> > -@@ -2,7 +2,3 @@
> > -
> > - conf.CHECK_HEADERS('security/pam_appl.h')
> > - conf.CHECK_FUNCS_IN('pam_start', 'pam', checklibc=True)
> > --
> > --if (conf.CHECK_HEADERS('sasl/sasl.h') and
> > -- conf.CHECK_FUNCS_IN('sasl_client_init', 'sasl2')):
> > -- conf.DEFINE('HAVE_SASL', 1)
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/00-fix-typos-in-man-pages.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/00-fix-typos-in-man-pages.patch
> > similarity index 100%
> > rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/00-fix-typos-in-man-pages.patch
> > rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/00-fix-typos-in-man-pages.patch
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0006-avoid-using-colon-in-the-checking-msg.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/0006-avoid-using-colon-in-the-checking-msg.patch
> > similarity index 100%
> > rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/0006-avoid-using-colon-in-the-checking-msg.patch
> > rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/0006-avoid-using-colon-in-the-checking-msg.patch
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
> > new file mode 100644
> > index 0000000..c37cfcd
> > --- /dev/null
> > +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
> > @@ -0,0 +1,43 @@
> > +Don't check xsltproc manpages
> > +
> > +Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> > +
> > +Index: samba-4.4.2/lib/ldb/wscript
> > +===================================================================
> > +--- samba-4.4.2.orig/lib/ldb/wscript
> > ++++ samba-4.4.2/lib/ldb/wscript
> > +@@ -65,7 +65,7 @@ def configure(conf):
> > + conf.define('USING_SYSTEM_LDB', 1)
> > +
> > + if conf.env.standalone_ldb:
> > +- conf.CHECK_XSLTPROC_MANPAGES()
> > ++ #conf.CHECK_XSLTPROC_MANPAGES()
> > +
> > + # we need this for the ldap backend
> > + if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
> > +Index: samba-4.4.2/lib/talloc/wscript
> > +===================================================================
> > +--- samba-4.4.2.orig/lib/talloc/wscript
> > ++++ samba-4.4.2/lib/talloc/wscript
> > +@@ -56,7 +56,7 @@ def configure(conf):
> > + if conf.env.standalone_talloc:
> > + conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1
> > +
> > +- conf.CHECK_XSLTPROC_MANPAGES()
> > ++ #conf.CHECK_XSLTPROC_MANPAGES()
> > +
> > + if not conf.env.disable_python:
> > + # also disable if we don't have the python libs installed
> > +Index: samba-4.4.2/lib/tdb/wscript
> > +===================================================================
> > +--- samba-4.4.2.orig/lib/tdb/wscript
> > ++++ samba-4.4.2/lib/tdb/wscript
> > +@@ -92,7 +92,7 @@ def configure(conf):
> > + not conf.env.disable_tdb_mutex_locking):
> > + conf.define('USE_TDB_MUTEX_LOCKING', 1)
> > +
> > +- conf.CHECK_XSLTPROC_MANPAGES()
> > ++ #conf.CHECK_XSLTPROC_MANPAGES()
> > +
> > + if not conf.env.disable_python:
> > + # also disable if we don't have the python libs installed
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/20-do-not-import-target-module-while-cross-compile.patch
> > old mode 100755
> > new mode 100644
> > similarity index 79%
> > rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch
> > rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/20-do-not-import-target-module-while-cross-compile.patch
> > index 5c20d31..e112b3b
> > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch
> > +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.2/20-do-not-import-target-module-while-cross-compile.patch
> > @@ -3,18 +3,19 @@ we just check whether does the module exist.
> >
> > Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> >
> > ---- samba-4.1.12.orig/buildtools/wafsamba/samba_bundled.py 2013-06-13 17:21:02.000000000 +0800
> > -+++ samba-4.1.12/buildtools/wafsamba/samba_bundled.py 2015-07-16 16:57:06.649092158 +0800
> > -@@ -1,7 +1,7 @@
> > - # functions to support bundled libraries
> > +Index: samba-4.4.2/buildtools/wafsamba/samba_bundled.py
> > +===================================================================
> > +--- samba-4.4.2.orig/buildtools/wafsamba/samba_bundled.py
> > ++++ samba-4.4.2/buildtools/wafsamba/samba_bundled.py
> > +@@ -2,6 +2,7 @@
> >
> > + import sys
> > + import Build, Options, Logs
> > ++import imp, os
> > from Configure import conf
> > --import sys, Logs
> > -+import sys, Logs, imp
> > - from samba_utils import *
> > + from samba_utils import TO_LIST
> >
> > - def PRIVATE_NAME(bld, name, private_extension, private_library):
> > -@@ -228,17 +228,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
> > +@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
> > # versions
> > minversion = minimum_library_version(conf, libname, minversion)
> >
> > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-add-config-option-without-valgrind.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/21-add-config-option-without-valgrind.patch
> > similarity index 100%
> > rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/21-add-config-option-without-valgrind.patch
> > rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/21-add-config-option-without-valgrind.patch
> > diff --git a/meta-networking/recipes-connectivity/samba/samba_4.1.12.bb b/meta-networking/recipes-connectivity/samba/samba_4.4.2.bb
> > similarity index 82%
> > rename from meta-networking/recipes-connectivity/samba/samba_4.1.12.bb
> > rename to meta-networking/recipes-connectivity/samba/samba_4.4.2.bb
> > index ff58dae..585df9d 100644
> > --- a/meta-networking/recipes-connectivity/samba/samba_4.1.12.bb
> > +++ b/meta-networking/recipes-connectivity/samba/samba_4.4.2.bb
> > @@ -13,38 +13,14 @@ ${SAMBA_MIRROR} http://www.mirrorservice.org/sites/ftp.samba.org \n \
> >
> > SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
> > file://00-fix-typos-in-man-pages.patch \
> > - file://01-fix-force-user-sec-ads.patch \
> > - file://02-fix-ipv6-join.patch \
> > - file://03-net-ads-kerberos-pac.patch \
> > - file://04-ipv6-workaround.patch \
> > - file://05-fix-gecos-field-with-samlogon.patch \
> > - file://06-fix-nmbd-systemd-status-update.patch \
> > - file://07-fix-idmap-ad-getgroups-without-gid.patch \
> > - file://08-fix-idmap-ad-sfu-with-trusted-domains.patch \
> > - file://09-fix-smbclient-echo-cmd-segfault.patch \
> > - file://10-improve-service-principal-guessing-in-net.patch \
> > - file://11-fix-overwriting-of-spns-during-net-ads-join.patch \
> > - file://12-add-precreated-spns-from-AD-during-keytab-generation.patch \
> > - file://13-fix-aes-enctype.patch \
> > - file://14-fix-dnsupdate.patch \
> > - file://15-fix-netbios-name-truncation.patch \
> > file://16-do-not-check-xsltproc-manpages.patch \
> > - file://17-execute-prog-by-qemu.patch \
> > - file://18-avoid-get-config-by-native-ncurses.patch \
> > - file://19-systemd-daemon-is-contained-by-libsystemd.patch \
> > file://20-do-not-import-target-module-while-cross-compile.patch \
> > file://21-add-config-option-without-valgrind.patch \
> > - file://0001-waf-sanitize-and-fix-added-cross-answer.patch \
> > - file://0002-Adds-a-new-mode-to-samba-cross-compiling.patch \
> > - file://0003-waf-improve-readability-of-cross-answers-generated-b.patch \
> > - file://0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch \
> > - file://0005-build-unify-and-fix-endian-tests.patch \
> > file://0006-avoid-using-colon-in-the-checking-msg.patch \
> > - file://0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch \
> > "
> >
> > -SRC_URI[md5sum] = "232016d7581a1ba11e991ec2674553c4"
> > -SRC_URI[sha256sum] = "033604674936bf5c77d7df299b0626052b84a41505a6a6afe902f6274fc29898"
> > +SRC_URI[md5sum] = "03a65a3adf08ceb1636ad59d234d7f9d"
> > +SRC_URI[sha256sum] = "eaecd41a85ebb9507b8db9856ada2a949376e9d53cf75664b5493658f6e5926a"
> >
> > inherit systemd waf-samba cpan-base perlnative
> > # remove default added RDEPENDS on perl
> > @@ -59,15 +35,15 @@ PACKAGECONFIG ??= "${@base_contains('DISTRO_FEATURES', 'pam', 'pam', '', d)} \
> > ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '${SYSVINITTYPE}', '', d)} \
> > ${@base_contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
> > ${@base_contains('DISTRO_FEATURES', 'zeroconf', 'zeroconf', '', d)} \
> > - acl aio cups ldap \
> > + acl cups ldap \
> > "
> >
> > RDEPENDS_${PN}-base += "${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'lsb', '', d)}"
> > +RDEPENDS_${PN}-ctdb-tests += "bash"
> >
> > PACKAGECONFIG[acl] = "--with-acl-support,--without-acl-support,acl"
> > -PACKAGECONFIG[aio] = "--with-aio-support,--without-aio-support,libaio"
> > PACKAGECONFIG[fam] = "--with-fam,--without-fam,gamin"
> > -PACKAGECONFIG[pam] = "--with-pam --with-pam_smbpass --with-pammodulesdir=${base_libdir}/security,--without-pam --without-pam_smbpass,libpam"
> > +PACKAGECONFIG[pam] = "--with-pam --with-pammodulesdir=${base_libdir}/security,--without-pam --without-pam_smbpass,libpam"
> > PACKAGECONFIG[lsb] = ",,lsb"
> > PACKAGECONFIG[sysv] = ",,sysvinit"
> > PACKAGECONFIG[cups] = "--enable-cups,--disable-cups,cups"
> > @@ -78,8 +54,6 @@ PACKAGECONFIG[dmapi] = "--with-dmapi,--without-dmapi,dmapi"
> > PACKAGECONFIG[zeroconf] = "--enable-avahi,--disable-avahi,avahi"
> > PACKAGECONFIG[valgrind] = ",--without-valgrind,valgrind,"
> >
> > -SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'sasl', '', 'file://21-avoid-sasl-unless-wanted.patch', d)}"
> > -
> > SAMBA4_IDMAP_MODULES="idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2"
> > SAMBA4_PDB_MODULES="pdb_tdbsam,${@bb.utils.contains('PACKAGECONFIG', 'ldap', 'pdb_ldap,', '', d)}pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4"
> > SAMBA4_AUTH_MODULES="auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4"
> > @@ -87,15 +61,12 @@ SAMBA4_MODULES="${SAMBA4_IDMAP_MODULES},${SAMBA4_PDB_MODULES},${SAMBA4_AUTH_MODU
> >
> > SAMBA4_LIBS="heimdal,!zlib,!popt,!talloc,!pytalloc,!pytalloc-util,!tevent,!pytevent,!tdb,!pytdb,!ldb,!pyldb"
> >
> > -PERL_VERNDORLIB="${libdir}/perl5/vendor_perl/${PERLVERSION}"
> > -
> > EXTRA_OECONF += "--enable-fhs \
> > --with-piddir=/run \
> > --with-sockets-dir=/run/samba \
> > --with-modulesdir=${libdir}/samba \
> > --with-lockdir=${localstatedir}/lib/samba \
> > --with-cachedir=${localstatedir}/lib/samba \
> > - --with-perl-lib-install-dir=${PERL_VERNDORLIB} \
> > --disable-gnutls \
> > --disable-rpath-install \
> > --with-shared-modules=${SAMBA4_MODULES} \
> > @@ -104,7 +75,6 @@ EXTRA_OECONF += "--enable-fhs \
> > --without-ad-dc \
> > ${@base_conditional('TARGET_ARCH', 'x86_64', '', '--disable-glusterfs', d)} \
> > --with-cluster-support \
> > - --enable-old-ctdb \
> > --with-profiling-data \
> > --with-libiconv=${STAGING_DIR_HOST}${prefix} \
> > "
> > @@ -113,13 +83,6 @@ DISABLE_STATIC = ""
> > LDFLAGS += "-Wl,-z,relro,-z,now"
> >
> > do_install_append() {
> > - if [ -d "${D}/run" ]; then
> > - if [ -d "${D}/run/samba" ]; then
> > - rmdir --ignore-fail-on-non-empty "${D}/run/samba"
> > - fi
> > - rmdir --ignore-fail-on-non-empty "${D}/run"
> > - fi
> > -
> > if ${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'true', 'false', d)}; then
> > install -d ${D}${systemd_unitdir}/system
> > for i in nmb smb winbind; do
> > @@ -127,20 +90,20 @@ do_install_append() {
> > done
> > sed -i 's,\(ExecReload=\).*\(/kill\),\1${base_bindir}\2,' ${D}${systemd_unitdir}/system/*.service
> >
> > - install -d ${D}${sysconfdir}/tmpfiles.d
> > + install -d ${D}${sysconfdir}/tmpfiles.d
> > install -m644 packaging/systemd/samba.conf.tmp ${D}${sysconfdir}/tmpfiles.d/samba.conf
> > echo "d ${localstatedir}/log/samba 0755 root root -" \
> > >> ${D}${sysconfdir}/tmpfiles.d/samba.conf
> > elif ${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'true', 'false', d)}; then
> > - install -d ${D}${sysconfdir}/init.d
> > - install -m 0755 packaging/LSB/samba.sh ${D}${sysconfdir}/init.d
> > - update-rc.d -r ${D} samba.sh start 20 3 5 .
> > - update-rc.d -r ${D} samba.sh start 20 0 1 6 .
> > + install -d ${D}${sysconfdir}/init.d
> > + install -m 0755 packaging/LSB/samba.sh ${D}${sysconfdir}/init.d
> > + update-rc.d -r ${D} samba.sh start 20 3 5 .
> > + update-rc.d -r ${D} samba.sh start 20 0 1 6 .
> > elif ${@bb.utils.contains('PACKAGECONFIG', 'sysv', 'true', 'false', d)}; then
> > - install -d ${D}${sysconfdir}/init.d
> > - install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba.sh
> > - update-rc.d -r ${D} samba.sh start 20 3 5 .
> > - update-rc.d -r ${D} samba.sh start 20 0 1 6 .
> > + install -d ${D}${sysconfdir}/init.d
> > + install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba.sh
> > + update-rc.d -r ${D} samba.sh start 20 3 5 .
> > + update-rc.d -r ${D} samba.sh start 20 0 1 6 .
> > fi
> >
> > install -d ${D}${sysconfdir}/samba
> > @@ -149,11 +112,13 @@ do_install_append() {
> >
> > install -d ${D}${sysconfdir}/sysconfig/
> > install -m644 packaging/systemd/samba.sysconfig ${D}${sysconfdir}/sysconfig/samba
> > +
> > + rm -rf ${D}/run ${D}${localstatedir}/run
> > }
> >
> > PACKAGES += "${PN}-python ${PN}-python-dbg ${PN}-pidl libwinbind libwinbind-dbg libwinbind-krb5-locator"
> > PACKAGES =+ "libwbclient libnss-winbind winbind winbind-dbg libnetapi libsmbsharemodes \
> > - libsmbclient libsmbclient-dev lib${PN}-base ${PN}-base"
> > + libsmbclient libsmbclient-dev lib${PN}-base ${PN}-base ${PN}-ctdb-tests"
> >
> > RDEPENDS_${PN} += "${PN}-base"
> >
> > @@ -166,6 +131,12 @@ FILES_${PN}-base = "${sbindir}/nmbd \
> > ${localstatedir}/spool/samba \
> > "
> >
> > +FILES_${PN}-ctdb-tests = "${bindir}/ctdb_run_tests \
> > + ${libdir}/ctdb-tests \
> > + ${datadir}/ctdb-tests \
> > + /run/ctdb \
> > + "
> > +
> > # figured out by
> > # FILES="tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/samba/4.1.12-r0/image/usr/sbin/smbd tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/samba/4.1.12-r0/image/usr/sbin/nmbd"
> > #
> > @@ -312,16 +283,20 @@ FILES_libwinbind-dbg = "${base_libdir}/security/.debug/pam_winbind.so"
> > FILES_libwinbind-krb5-locator = "${libdir}/winbind_krb5_locator.so"
> >
> > FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.so \
> > + ${libdir}/python${PYTHON_BASEVERSION}/site-packages/_ldb_text.py \
> > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/*.py \
> > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/*.so \
> > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/*.so \
> > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/*.py \
> > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/external/* \
> > + ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/kcc/* \
> > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/netcmd/*.py \
> > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/provision/*.py \
> > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/*.py \
> > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/*.so \
> > + ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/subunit/* \
> > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/tests/* \
> > + ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/third_party/* \
> > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/web_server/* \
> > "
> >
> > @@ -332,4 +307,4 @@ FILES_${PN}-python-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.d
> > "
> >
> > RDEPENDS_${PN}-pidl_append = " perl"
> > -FILES_${PN}-pidl = "${bindir}/pidl ${PERL_VERNDORLIB}/*"
> > +FILES_${PN}-pidl = "${bindir}/pidl ${datadir}/perl5/Parse"
> > --
> > 1.9.1
> >
> > --
> > _______________________________________________
> > Openembedded-devel mailing list
> > Openembedded-devel@lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-devel
>
> --
> Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
--
-Joe MacDonald.
:wq
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 484 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [meta-networking][PATCH 5/5] samba: Update to latest stable
2016-04-19 13:01 ` Joe MacDonald
@ 2016-04-20 9:27 ` Martin Jansa
2016-04-20 13:06 ` Joe MacDonald
0 siblings, 1 reply; 16+ messages in thread
From: Martin Jansa @ 2016-04-20 9:27 UTC (permalink / raw)
To: openembedded-devel
[-- Attachment #1: Type: text/plain, Size: 1515988 bytes --]
On Tue, Apr 19, 2016 at 09:01:25AM -0400, Joe MacDonald wrote:
> [Re: [oe] [meta-networking][PATCH 5/5] samba: Update to latest stable] On 16.04.19 (Tue 11:15) Martin Jansa wrote:
>
> > On Mon, Apr 18, 2016 at 05:00:53PM -0400, Joe MacDonald wrote:
> > > The previous version of Samba had many critical security updates that
> > > would've required significant backporting effort. Update to the latest
> > > stable release instead.
> >
> > Does it fix floating dependency on libpam as well?
>
> It does not, unfortunately. After an embarrassingly long time with this
> I thought it would be best to carry it this far, integrate the
> outstanding patches against it, then tackle the libpam dependency issue.
> Since I know you've sunk a lot of time into this recently I know you
> know all too well what a tangle the samba build and dependency checking
> system can be.
Agreed that it can be resolved in follow-up patch.
> It at least meets the criteria of "better than I found it", I think.
Partially agree, but first please fix this one found in last world build:
ERROR: samba-4.4.2-r0 do_configure: Function failed: do_configure (log file is located at /home/jenkins/oe/world/shr-core/tmp-glibc/work/armv5te-oe-linux-gnueabi/samba/4.4.2-r0/temp/log.do_configure.1777)
ERROR: Logfile of failure stored in: /home/jenkins/oe/world/shr-core/tmp-glibc/work/armv5te-oe-linux-gnueabi/samba/4.4.2-r0/temp/log.do_configure.1777
Log data follows:
| DEBUG: Executing python function sysroot_cleansstate
| DEBUG: Python function sysroot_cleansstate finished
| DEBUG: Executing shell function do_configure
| waf [command] [options]
|
| Main commands (example: ./waf build -j4)
| build : build all targets
| clean : removes the build files
| configure : configures the project
| ctags : build 'tags' file using ctags
| dist : makes a tarball for distribution
| distcheck : test that distribution tarball builds and installs
| distclean : removes the build directory
| etags : build TAGS file using etags
| install : installs the build files
| pep8 : run pep8 validator
| pydoctor : build python apidocs
| reconfigure : reconfigure if config scripts have changed
| test : Run the test suite (see test options below)
| testonly : run tests without doing a build first
| uninstall : removes the installed files
| wafdocs : build wafsamba apidocs
| wildcard_cmd: called on a unknown command
|
| waf: error: no such option: --without-pam_smbpass
| WARNING: exit code 1 from a shell command.
| ERROR: Function failed: do_configure (log file is located at /home/jenkins/oe/world/shr-core/tmp-glibc/work/armv5te-oe-linux-gnueabi/samba/4.4.2-r0/temp/log.do_configure.1777)
NOTE: recipe samba-4.4.2-r0: task do_configure: Failed
ERROR: Task 20263 (/home/jenkins/oe/world/shr-core/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.4.2.bb, do_configure) failed with exit code '1'
>
> -J.
>
> >
> > > Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
> > > ---
> > > ...1-waf-sanitize-and-fix-added-cross-answer.patch | 60 -
> > > ...-Adds-a-new-mode-to-samba-cross-compiling.patch | 112 -
> > > ...-readability-of-cross-answers-generated-b.patch | 66 -
> > > ...wafsamba-CHECK_SIZEOF-cross-compile-frien.patch | 72 -
> > > .../0005-build-unify-and-fix-endian-tests.patch | 169 -
> > > ...sing-of-cross-answers-file-in-case-answer.patch | 36 -
> > > .../samba-4.1.12/01-fix-force-user-sec-ads.patch | 1448 -
> > > .../samba/samba-4.1.12/02-fix-ipv6-join.patch | 266 -
> > > .../samba-4.1.12/03-net-ads-kerberos-pac.patch | 962 -
> > > .../samba/samba-4.1.12/04-ipv6-workaround.patch | 211 -
> > > .../05-fix-gecos-field-with-samlogon.patch | 29894 -------------------
> > > .../06-fix-nmbd-systemd-status-update.patch | 97 -
> > > .../07-fix-idmap-ad-getgroups-without-gid.patch | 42 -
> > > .../08-fix-idmap-ad-sfu-with-trusted-domains.patch | 44 -
> > > .../09-fix-smbclient-echo-cmd-segfault.patch | 35 -
> > > ...improve-service-principal-guessing-in-net.patch | 180 -
> > > ...x-overwriting-of-spns-during-net-ads-join.patch | 329 -
> > > ...ted-spns-from-AD-during-keytab-generation.patch | 159 -
> > > .../samba/samba-4.1.12/13-fix-aes-enctype.patch | 988 -
> > > .../samba/samba-4.1.12/14-fix-dnsupdate.patch | 51 -
> > > .../15-fix-netbios-name-truncation.patch | 154 -
> > > .../16-do-not-check-xsltproc-manpages.patch | 52 -
> > > .../samba-4.1.12/17-execute-prog-by-qemu.patch | 22 -
> > > .../18-avoid-get-config-by-native-ncurses.patch | 22 -
> > > ...systemd-daemon-is-contained-by-libsystemd.patch | 42 -
> > > .../samba-4.1.12/21-avoid-sasl-unless-wanted.patch | 10 -
> > > .../00-fix-typos-in-man-pages.patch | 0
> > > ...006-avoid-using-colon-in-the-checking-msg.patch | 0
> > > .../16-do-not-check-xsltproc-manpages.patch | 43 +
> > > ...-import-target-module-while-cross-compile.patch | 19 +-
> > > .../21-add-config-option-without-valgrind.patch | 0
> > > .../samba/{samba_4.1.12.bb => samba_4.4.2.bb} | 81 +-
> > > 32 files changed, 81 insertions(+), 35585 deletions(-)
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
> > > delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
> > > rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/00-fix-typos-in-man-pages.patch (100%)
> > > rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/0006-avoid-using-colon-in-the-checking-msg.patch (100%)
> > > create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
> > > rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/20-do-not-import-target-module-while-cross-compile.patch (79%)
> > > mode change 100755 => 100644
> > > rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/21-add-config-option-without-valgrind.patch (100%)
> > > rename meta-networking/recipes-connectivity/samba/{samba_4.1.12.bb => samba_4.4.2.bb} (82%)
> > >
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
> > > deleted file mode 100644
> > > index 69668c0..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
> > > +++ /dev/null
> > > @@ -1,60 +0,0 @@
> > > -From 1b32c7d7f148bcf2598799b21dfa3ba1ed824d32 Mon Sep 17 00:00:00 2001
> > > -From: Uri Simchoni <urisimchoni@gmail.com>
> > > -Date: Mon, 18 May 2015 21:12:06 +0300
> > > -Subject: [PATCH 1/7] waf: sanitize and fix added cross answer
> > > -
> > > -When configuring samba for cross-compilation using the cross-answers
> > > -method, the function add_answer receives the standard output and exit code
> > > -of a configuration test and updates the cross-answers file accordingly.
> > > -
> > > -This patch sanitizes the standard output to conform to the cross-answers
> > > -file format - one line of output. It also adds a missing newline.
> > > -
> > > -(Note - at this point add_answer is only ever called with empty output
> > > -but this change is significant for the reminder of this patchset)
> > > -
> > > -Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> > > -
> > > -Upstream-Status: Backport
> > > -
> > > -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > > ----
> > > - buildtools/wafsamba/samba_cross.py | 13 +++++++++++--
> > > - 1 file changed, 11 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
> > > -index 3838e34..fc1d78e 100644
> > > ---- a/buildtools/wafsamba/samba_cross.py
> > > -+++ b/buildtools/wafsamba/samba_cross.py
> > > -@@ -19,6 +19,16 @@ def add_answer(ca_file, msg, answer):
> > > - except:
> > > - Logs.error("Unable to open cross-answers file %s" % ca_file)
> > > - sys.exit(1)
> > > -+ (retcode, retstring) = answer
> > > -+ # if retstring is more than one line then we probably
> > > -+ # don't care about its actual content (the tests should
> > > -+ # yield one-line output in order to comply with the cross-answer
> > > -+ # format)
> > > -+ retstring = retstring.strip()
> > > -+ if len(retstring.split('\n')) > 1:
> > > -+ retstring = ''
> > > -+ answer = (retcode, retstring)
> > > -+
> > > - if answer == ANSWER_OK:
> > > - f.write('%s: OK\n' % msg)
> > > - elif answer == ANSWER_UNKNOWN:
> > > -@@ -26,8 +36,7 @@ def add_answer(ca_file, msg, answer):
> > > - elif answer == ANSWER_FAIL:
> > > - f.write('%s: FAIL\n' % msg)
> > > - else:
> > > -- (retcode, retstring) = answer
> > > -- f.write('%s: (%d, "%s")' % (msg, retcode, retstring))
> > > -+ f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
> > > - f.close()
> > > -
> > > -
> > > ---
> > > -1.9.1
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
> > > deleted file mode 100644
> > > index fce3abc..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
> > > +++ /dev/null
> > > @@ -1,112 +0,0 @@
> > > -From add52538b9a0ccf66ca87c7a691bf59901765849 Mon Sep 17 00:00:00 2001
> > > -From: Uri Simchoni <urisimchoni@gmail.com>
> > > -Date: Mon, 18 May 2015 21:15:19 +0300
> > > -Subject: [PATCH 2/7] Adds a new mode to samba cross-compiling.
> > > -
> > > -When both --cross-answers and --cross-execute are set, this means:
> > > -- Use cross-answers
> > > -- If answer is unknown, then instead of adding UNKNOWN to the cross-answers
> > > - file and failing configure, the new mode runs cross-execute to determine the
> > > - answer and adds that to the cross-answers file.
> > > -
> > > -Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> > > -
> > > -Upstream-Status: Backport
> > > -
> > > -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > > ----
> > > - buildtools/wafsamba/samba_cross.py | 46 ++++++++++++++++++++++++++++----------
> > > - 1 file changed, 34 insertions(+), 12 deletions(-)
> > > -
> > > -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
> > > -index fc1d78e..3f1ef12 100644
> > > ---- a/buildtools/wafsamba/samba_cross.py
> > > -+++ b/buildtools/wafsamba/samba_cross.py
> > > -@@ -45,7 +45,6 @@ def cross_answer(ca_file, msg):
> > > - try:
> > > - f = open(ca_file, 'r')
> > > - except:
> > > -- add_answer(ca_file, msg, ANSWER_UNKNOWN)
> > > - return ANSWER_UNKNOWN
> > > - for line in f:
> > > - line = line.strip()
> > > -@@ -78,7 +77,6 @@ def cross_answer(ca_file, msg):
> > > - else:
> > > - raise Utils.WafError("Bad answer format '%s' in %s" % (line, ca_file))
> > > - f.close()
> > > -- add_answer(ca_file, msg, ANSWER_UNKNOWN)
> > > - return ANSWER_UNKNOWN
> > > -
> > > -
> > > -@@ -86,24 +84,47 @@ class cross_Popen(Utils.pproc.Popen):
> > > - '''cross-compilation wrapper for Popen'''
> > > - def __init__(*k, **kw):
> > > - (obj, args) = k
> > > --
> > > -- if '--cross-execute' in args:
> > > -- # when --cross-execute is set, then change the arguments
> > > -- # to use the cross emulator
> > > -- i = args.index('--cross-execute')
> > > -- newargs = args[i+1].split()
> > > -- newargs.extend(args[0:i])
> > > -- args = newargs
> > > -- elif '--cross-answers' in args:
> > > -+ use_answers = False
> > > -+ ans = ANSWER_UNKNOWN
> > > -+
> > > -+ # Three possibilities:
> > > -+ # 1. Only cross-answers - try the cross-answers file, and if
> > > -+ # there's no corresponding answer, add to the file and mark
> > > -+ # the configure process as unfinished.
> > > -+ # 2. Only cross-execute - get the answer from cross-execute
> > > -+ # 3. Both - try the cross-answers file, and if there is no
> > > -+ # corresponding answer - use cross-execute to get an answer,
> > > -+ # and add that answer to the file.
> > > -+ if '--cross-answers' in args:
> > > - # when --cross-answers is set, then change the arguments
> > > - # to use the cross answers if available
> > > -+ use_answers = True
> > > - i = args.index('--cross-answers')
> > > - ca_file = args[i+1]
> > > - msg = args[i+2]
> > > - ans = cross_answer(ca_file, msg)
> > > -+
> > > -+ if '--cross-execute' in args and ans == ANSWER_UNKNOWN:
> > > -+ # when --cross-execute is set, then change the arguments
> > > -+ # to use the cross emulator
> > > -+ i = args.index('--cross-execute')
> > > -+ newargs = args[i+1].split()
> > > -+ newargs.extend(args[0:i])
> > > -+ if use_answers:
> > > -+ p = real_Popen(newargs,
> > > -+ stdout=Utils.pproc.PIPE,
> > > -+ stderr=Utils.pproc.PIPE)
> > > -+ ce_out, ce_err = p.communicate()
> > > -+ ans = (p.returncode, ce_out)
> > > -+ add_answer(ca_file, msg, ans)
> > > -+ else:
> > > -+ args = newargs
> > > -+
> > > -+ if use_answers:
> > > - if ans == ANSWER_UNKNOWN:
> > > - global cross_answers_incomplete
> > > - cross_answers_incomplete = True
> > > -+ add_answer(ca_file, msg, ans)
> > > - (retcode, retstring) = ans
> > > - args = ['/bin/sh', '-c', "echo -n '%s'; exit %d" % (retstring, retcode)]
> > > - real_Popen.__init__(*(obj, args), **kw)
> > > -@@ -124,7 +145,8 @@ def SAMBA_CROSS_ARGS(conf, msg=None):
> > > -
> > > - if conf.env.CROSS_EXECUTE:
> > > - ret.extend(['--cross-execute', conf.env.CROSS_EXECUTE])
> > > -- elif conf.env.CROSS_ANSWERS:
> > > -+
> > > -+ if conf.env.CROSS_ANSWERS:
> > > - if msg is None:
> > > - raise Utils.WafError("Cannot have NULL msg in cross-answers")
> > > - ret.extend(['--cross-answers', os.path.join(Options.launch_dir, conf.env.CROSS_ANSWERS), msg])
> > > ---
> > > -1.9.1
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
> > > deleted file mode 100644
> > > index ec17d9d..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
> > > +++ /dev/null
> > > @@ -1,66 +0,0 @@
> > > -From f7052d633396005563e44509428503f42c9faa97 Mon Sep 17 00:00:00 2001
> > > -From: Jackie Huang <jackie.huang@windriver.com>
> > > -Date: Thu, 12 Nov 2015 01:00:11 -0500
> > > -Subject: [PATCH 3/7] waf: improve readability of cross-answers generated by cross-execute
> > > -
> > > -When generating a result for cross-answers from the (retcode, retstring) tuple:
> > > -- (0, "output") indicated as "output"
> > > -- 1 is interpreted as generic fail code, instead of 255, because most
> > > - if not all tests fail with 1 as exit code rather than 255
> > > -- For failing test, use NO instead of FAIL, because that's not
> > > - necessarily a failure (it could mean that something is NOT
> > > - broken)
> > > -
> > > -Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> > > -
> > > -Upstream-Status: Backport
> > > -
> > > -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > > ----
> > > - buildtools/wafsamba/samba_cross.py | 13 ++++++++-----
> > > - 1 file changed, 8 insertions(+), 5 deletions(-)
> > > -
> > > -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
> > > -index 3f1ef12..d1e7006 100644
> > > ---- a/buildtools/wafsamba/samba_cross.py
> > > -+++ b/buildtools/wafsamba/samba_cross.py
> > > -@@ -6,7 +6,7 @@ from Configure import conf
> > > - real_Popen = None
> > > -
> > > - ANSWER_UNKNOWN = (254, "")
> > > --ANSWER_FAIL = (255, "")
> > > -+ANSWER_NO = (1, "")
> > > - ANSWER_OK = (0, "")
> > > -
> > > - cross_answers_incomplete = False
> > > -@@ -33,10 +33,13 @@ def add_answer(ca_file, msg, answer):
> > > - f.write('%s: OK\n' % msg)
> > > - elif answer == ANSWER_UNKNOWN:
> > > - f.write('%s: UNKNOWN\n' % msg)
> > > -- elif answer == ANSWER_FAIL:
> > > -- f.write('%s: FAIL\n' % msg)
> > > -+ elif answer == ANSWER_NO:
> > > -+ f.write('%s: NO\n' % msg)
> > > - else:
> > > -- f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
> > > -+ if retcode == 0:
> > > -+ f.write('%s: "%s"\n' % (msg, retstring))
> > > -+ else:
> > > -+ f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
> > > - f.close()
> > > -
> > > -
> > > -@@ -64,7 +67,7 @@ def cross_answer(ca_file, msg):
> > > - return ANSWER_UNKNOWN
> > > - elif ans == "FAIL" or ans == "NO":
> > > - f.close()
> > > -- return ANSWER_FAIL
> > > -+ return ANSWER_NO
> > > - elif ans[0] == '"':
> > > - return (0, ans.strip('"'))
> > > - elif ans[0] == "'":
> > > ---
> > > -1.9.1
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
> > > deleted file mode 100644
> > > index 3fbb770..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
> > > +++ /dev/null
> > > @@ -1,72 +0,0 @@
> > > -From 8ffb1892b5c42d8d29124d274aa4b5f1726d7e9f Mon Sep 17 00:00:00 2001
> > > -From: Gustavo Zacarias <gustavo@zacarias.com.ar>
> > > -Date: Mon, 21 Apr 2014 10:18:16 -0300
> > > -Subject: [PATCH 4/7] build: make wafsamba CHECK_SIZEOF cross-compile friendly
> > > -
> > > -Use the same trick as commit 0d9bb86293c9d39298786df095c73a6251b08b7e
> > > -We do the same array trick iteratively starting from 1 (byte) by powers
> > > -of 2 up to 32.
> > > -
> > > -The new 'critical' option is used to make the invocation die or not
> > > -according to each test.
> > > -The default is True since normally it's expected to find a proper
> > > -result and should error out if not.
> > > -
> > > -Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: David Disseldorp <ddiss@samba.org>
> > > -
> > > -Upstream-Status: Backport
> > > -
> > > -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > > ----
> > > - buildtools/wafsamba/samba_autoconf.py | 28 ++++++++++++++++------------
> > > - 1 file changed, 16 insertions(+), 12 deletions(-)
> > > -
> > > -diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
> > > -index fe110bd..59953d9 100644
> > > ---- a/buildtools/wafsamba/samba_autoconf.py
> > > -+++ b/buildtools/wafsamba/samba_autoconf.py
> > > -@@ -304,23 +304,27 @@ def CHECK_FUNCS(conf, list, link=True, lib=None, headers=None):
> > > -
> > > -
> > > - @conf
> > > --def CHECK_SIZEOF(conf, vars, headers=None, define=None):
> > > -+def CHECK_SIZEOF(conf, vars, headers=None, define=None, critical=True):
> > > - '''check the size of a type'''
> > > -- ret = True
> > > - for v in TO_LIST(vars):
> > > - v_define = define
> > > -+ ret = False
> > > - if v_define is None:
> > > - v_define = 'SIZEOF_%s' % v.upper().replace(' ', '_')
> > > -- if not CHECK_CODE(conf,
> > > -- 'printf("%%u", (unsigned)sizeof(%s))' % v,
> > > -- define=v_define,
> > > -- execute=True,
> > > -- define_ret=True,
> > > -- quote=False,
> > > -- headers=headers,
> > > -- local_include=False,
> > > -- msg="Checking size of %s" % v):
> > > -- ret = False
> > > -+ for size in list((1, 2, 4, 8, 16, 32)):
> > > -+ if CHECK_CODE(conf,
> > > -+ 'static int test_array[1 - 2 * !(((long int)(sizeof(%s))) <= %d)];' % (v, size),
> > > -+ define=v_define,
> > > -+ quote=False,
> > > -+ headers=headers,
> > > -+ local_include=False,
> > > -+ msg="Checking if size of %s == %d" % (v, size)):
> > > -+ conf.DEFINE(v_define, size)
> > > -+ ret = True
> > > -+ break
> > > -+ if not ret and critical:
> > > -+ Logs.error("Couldn't determine size of '%s'" % v)
> > > -+ sys.exit(1)
> > > - return ret
> > > -
> > > - @conf
> > > ---
> > > -1.9.1
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
> > > deleted file mode 100644
> > > index 5546b6d..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
> > > +++ /dev/null
> > > @@ -1,169 +0,0 @@
> > > -From 81379b6b14ea725c72953be2170b382403ed8728 Mon Sep 17 00:00:00 2001
> > > -From: Gustavo Zacarias <gustavo@zacarias.com.ar>
> > > -Date: Mon, 21 Apr 2014 10:18:15 -0300
> > > -Subject: [PATCH 5/7] build: unify and fix endian tests
> > > -
> > > -Unify the endian tests out of lib/ccan/wscript into wafsamba since
> > > -they're almost cross-compile friendly.
> > > -While at it fix them to be so by moving the preprocessor directives out
> > > -of main scope since that will fail.
> > > -And keep the WORDS_BIGENDIAN, HAVE_LITTLE_ENDIAN and HAVE_BIG_ENDIAN
> > > -defines separate because of different codebases.
> > > -
> > > -Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: David Disseldorp <ddiss@samba.org>
> > > -
> > > -Upstream-Status: Backport
> > > -
> > > -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > > ----
> > > - buildtools/wafsamba/wscript | 65 ++++++++++++++++++++++++++++++++++++++++++---
> > > - lib/ccan/wscript | 55 --------------------------------------
> > > - 2 files changed, 62 insertions(+), 58 deletions(-)
> > > -
> > > -diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
> > > -index 7984227..1a2cfe6 100755
> > > ---- a/buildtools/wafsamba/wscript
> > > -+++ b/buildtools/wafsamba/wscript
> > > -@@ -390,9 +390,68 @@ def configure(conf):
> > > - else:
> > > - conf.define('SHLIBEXT', "so", quote=True)
> > > -
> > > -- conf.CHECK_CODE('long one = 1; return ((char *)(&one))[0]',
> > > -- execute=True,
> > > -- define='WORDS_BIGENDIAN')
> > > -+ # First try a header check for cross-compile friendlyness
> > > -+ conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
> > > -+ #define B __BYTE_ORDER
> > > -+ #elif defined(BYTE_ORDER)
> > > -+ #define B BYTE_ORDER
> > > -+ #endif
> > > -+
> > > -+ #ifdef __LITTLE_ENDIAN
> > > -+ #define LITTLE __LITTLE_ENDIAN
> > > -+ #elif defined(LITTLE_ENDIAN)
> > > -+ #define LITTLE LITTLE_ENDIAN
> > > -+ #endif
> > > -+
> > > -+ #if !defined(LITTLE) || !defined(B) || LITTLE != B
> > > -+ #error Not little endian.
> > > -+ #endif
> > > -+ int main(void) { return 0; }""",
> > > -+ addmain=False,
> > > -+ headers="endian.h sys/endian.h",
> > > -+ define="HAVE_LITTLE_ENDIAN")
> > > -+ conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
> > > -+ #define B __BYTE_ORDER
> > > -+ #elif defined(BYTE_ORDER)
> > > -+ #define B BYTE_ORDER
> > > -+ #endif
> > > -+
> > > -+ #ifdef __BIG_ENDIAN
> > > -+ #define BIG __BIG_ENDIAN
> > > -+ #elif defined(BIG_ENDIAN)
> > > -+ #define BIG BIG_ENDIAN
> > > -+ #endif
> > > -+
> > > -+ #if !defined(BIG) || !defined(B) || BIG != B
> > > -+ #error Not big endian.
> > > -+ #endif
> > > -+ int main(void) { return 0; }""",
> > > -+ addmain=False,
> > > -+ headers="endian.h sys/endian.h",
> > > -+ define="HAVE_BIG_ENDIAN")
> > > -+
> > > -+ if not conf.CONFIG_SET("HAVE_BIG_ENDIAN") and not conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
> > > -+ # That didn't work! Do runtime test.
> > > -+ conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
> > > -+ u.i = 0x01020304;
> > > -+ return u.c[0] == 0x04 && u.c[1] == 0x03 && u.c[2] == 0x02 && u.c[3] == 0x01 ? 0 : 1;""",
> > > -+ addmain=True, execute=True,
> > > -+ define='HAVE_LITTLE_ENDIAN',
> > > -+ msg="Checking for HAVE_LITTLE_ENDIAN - runtime")
> > > -+ conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
> > > -+ u.i = 0x01020304;
> > > -+ return u.c[0] == 0x01 && u.c[1] == 0x02 && u.c[2] == 0x03 && u.c[3] == 0x04 ? 0 : 1;""",
> > > -+ addmain=True, execute=True,
> > > -+ define='HAVE_BIG_ENDIAN',
> > > -+ msg="Checking for HAVE_BIG_ENDIAN - runtime")
> > > -+
> > > -+ # Extra sanity check.
> > > -+ if conf.CONFIG_SET("HAVE_BIG_ENDIAN") == conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
> > > -+ Logs.error("Failed endian determination. The PDP-11 is back?")
> > > -+ sys.exit(1)
> > > -+ else:
> > > -+ if conf.CONFIG_SET("HAVE_BIG_ENDIAN"):
> > > -+ conf.DEFINE('WORDS_BIGENDIAN', 1)
> > > -
> > > - # check if signal() takes a void function
> > > - if conf.CHECK_CODE('return *(signal (0, 0)) (0) == 1',
> > > -diff --git a/lib/ccan/wscript b/lib/ccan/wscript
> > > -index a0b5406..5b3a910 100644
> > > ---- a/lib/ccan/wscript
> > > -+++ b/lib/ccan/wscript
> > > -@@ -25,61 +25,6 @@ def configure(conf):
> > > - conf.CHECK_CODE('int __attribute__((used)) func(int x) { return x; }',
> > > - addmain=False, link=False, cflags=conf.env['WERROR_CFLAGS'],
> > > - define='HAVE_ATTRIBUTE_USED')
> > > -- # We try to use headers for a compile-time test.
> > > -- conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
> > > -- #define B __BYTE_ORDER
> > > -- #elif defined(BYTE_ORDER)
> > > -- #define B BYTE_ORDER
> > > -- #endif
> > > --
> > > -- #ifdef __LITTLE_ENDIAN
> > > -- #define LITTLE __LITTLE_ENDIAN
> > > -- #elif defined(LITTLE_ENDIAN)
> > > -- #define LITTLE LITTLE_ENDIAN
> > > -- #endif
> > > --
> > > -- #if !defined(LITTLE) || !defined(B) || LITTLE != B
> > > -- #error Not little endian.
> > > -- #endif""",
> > > -- headers="endian.h sys/endian.h",
> > > -- define="HAVE_LITTLE_ENDIAN")
> > > -- conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
> > > -- #define B __BYTE_ORDER
> > > -- #elif defined(BYTE_ORDER)
> > > -- #define B BYTE_ORDER
> > > -- #endif
> > > --
> > > -- #ifdef __BIG_ENDIAN
> > > -- #define BIG __BIG_ENDIAN
> > > -- #elif defined(BIG_ENDIAN)
> > > -- #define BIG BIG_ENDIAN
> > > -- #endif
> > > --
> > > -- #if !defined(BIG) || !defined(B) || BIG != B
> > > -- #error Not big endian.
> > > -- #endif""",
> > > -- headers="endian.h sys/endian.h",
> > > -- define="HAVE_BIG_ENDIAN")
> > > --
> > > -- if not conf.CONFIG_SET("HAVE_BIG_ENDIAN") and not conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
> > > -- # That didn't work! Do runtime test.
> > > -- conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
> > > -- u.i = 0x01020304;
> > > -- return u.c[0] == 0x04 && u.c[1] == 0x03 && u.c[2] == 0x02 && u.c[3] == 0x01 ? 0 : 1;""",
> > > -- addmain=True, execute=True,
> > > -- define='HAVE_LITTLE_ENDIAN',
> > > -- msg="Checking for HAVE_LITTLE_ENDIAN - runtime")
> > > -- conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
> > > -- u.i = 0x01020304;
> > > -- return u.c[0] == 0x01 && u.c[1] == 0x02 && u.c[2] == 0x03 && u.c[3] == 0x04 ? 0 : 1;""",
> > > -- addmain=True, execute=True,
> > > -- define='HAVE_BIG_ENDIAN',
> > > -- msg="Checking for HAVE_BIG_ENDIAN - runtime")
> > > --
> > > -- # Extra sanity check.
> > > -- if conf.CONFIG_SET("HAVE_BIG_ENDIAN") == conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
> > > -- Logs.error("Failed endian determination. The PDP-11 is back?")
> > > -- sys.exit(1)
> > > -
> > > - conf.CHECK_CODE('return __builtin_choose_expr(1, 0, "garbage");',
> > > - link=True,
> > > ---
> > > -1.9.1
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
> > > deleted file mode 100644
> > > index de0d32c..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
> > > +++ /dev/null
> > > @@ -1,36 +0,0 @@
> > > -From 649c731526dc1473bd1804d2903d7559e63616da Mon Sep 17 00:00:00 2001
> > > -From: Uri Simchoni <urisimchoni@gmail.com>
> > > -Date: Mon, 4 May 2015 09:12:45 +0300
> > > -Subject: [PATCH 7/7] waf: Fix parsing of cross-answers file in case answer includes a colon
> > > -
> > > -The answer provided in the cross-answers file may include a colon,
> > > -as in:
> > > -Checking uname version type: "#57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014"
> > > -
> > > -Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> > > -
> > > -Upstream-Status: Backport
> > > -
> > > -Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > > ----
> > > - buildtools/wafsamba/samba_cross.py | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
> > > -index d1e7006..7961212 100644
> > > ---- a/buildtools/wafsamba/samba_cross.py
> > > -+++ b/buildtools/wafsamba/samba_cross.py
> > > -@@ -54,7 +54,7 @@ def cross_answer(ca_file, msg):
> > > - if line == '' or line[0] == '#':
> > > - continue
> > > - if line.find(':') != -1:
> > > -- a = line.split(':')
> > > -+ a = line.split(':', 1)
> > > - thismsg = a[0].strip()
> > > - if thismsg != msg:
> > > - continue
> > > ---
> > > -1.9.1
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
> > > deleted file mode 100644
> > > index 6c08ccc..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
> > > +++ /dev/null
> > > @@ -1,1448 +0,0 @@
> > > -From 80f3551d4f594438dcc93dd82a7953c4a913badd Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Mon, 16 Dec 2013 12:57:20 +0100
> > > -Subject: [PATCH 1/7] s3-lib: Add winbind_lookup_usersids().
> > > -
> > > -Pair-Programmed-With: Guenther Deschner <gd@samba.org>
> > > -Signed-off-by: Guenther Deschner <gd@samba.org>
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -
> > > -(cherry picked from commit 241e98d8ee099f9cc5feb835085b4abd2b1ee663)
> > > ----
> > > - source3/lib/winbind_util.c | 34 +++++
> > > - source3/lib/winbind_util.h | 4 +
> > > - source3/passdb/ABI/pdb-0.1.0.sigs | 311 ++++++++++++++++++++++++++++++++++++++
> > > - source3/wscript_build | 2 +-
> > > - 4 files changed, 350 insertions(+), 1 deletion(-)
> > > - create mode 100644 source3/passdb/ABI/pdb-0.1.0.sigs
> > > -
> > > -diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c
> > > -index b458ebe..f62682b 100644
> > > ---- a/source3/lib/winbind_util.c
> > > -+++ b/source3/lib/winbind_util.c
> > > -@@ -342,6 +342,40 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
> > > - return true;
> > > - }
> > > -
> > > -+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
> > > -+ const struct dom_sid *user_sid,
> > > -+ uint32_t *p_num_sids,
> > > -+ struct dom_sid **p_sids)
> > > -+{
> > > -+ wbcErr ret;
> > > -+ struct wbcDomainSid dom_sid;
> > > -+ struct wbcDomainSid *sid_list = NULL;
> > > -+ uint32_t num_sids;
> > > -+
> > > -+ memcpy(&dom_sid, user_sid, sizeof(dom_sid));
> > > -+
> > > -+ ret = wbcLookupUserSids(&dom_sid,
> > > -+ false,
> > > -+ &num_sids,
> > > -+ &sid_list);
> > > -+ if (ret != WBC_ERR_SUCCESS) {
> > > -+ return false;
> > > -+ }
> > > -+
> > > -+ *p_sids = talloc_array(mem_ctx, struct dom_sid, num_sids);
> > > -+ if (*p_sids == NULL) {
> > > -+ wbcFreeMemory(sid_list);
> > > -+ return false;
> > > -+ }
> > > -+
> > > -+ memcpy(*p_sids, sid_list, sizeof(dom_sid) * num_sids);
> > > -+
> > > -+ *p_num_sids = num_sids;
> > > -+ wbcFreeMemory(sid_list);
> > > -+
> > > -+ return true;
> > > -+}
> > > -+
> > > - #else /* WITH_WINBIND */
> > > -
> > > - struct passwd * winbind_getpwnam(const char * name)
> > > -diff --git a/source3/lib/winbind_util.h b/source3/lib/winbind_util.h
> > > -index 541bb95..abbc5a9 100644
> > > ---- a/source3/lib/winbind_util.h
> > > -+++ b/source3/lib/winbind_util.h
> > > -@@ -58,5 +58,9 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
> > > - size_t num_members,
> > > - uint32_t **pp_alias_rids,
> > > - size_t *p_num_alias_rids);
> > > -+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
> > > -+ const struct dom_sid *user_sid,
> > > -+ uint32_t *p_num_sids,
> > > -+ struct dom_sid **p_sids);
> > > -
> > > - #endif /* __LIB__WINBIND_UTIL_H__ */
> > > -diff --git a/source3/passdb/ABI/pdb-0.1.0.sigs b/source3/passdb/ABI/pdb-0.1.0.sigs
> > > -new file mode 100644
> > > -index 0000000..f4de9c4
> > > ---- /dev/null
> > > -+++ b/source3/passdb/ABI/pdb-0.1.0.sigs
> > > -@@ -0,0 +1,311 @@
> > > -+PDB_secrets_clear_domain_protection: bool (const char *)
> > > -+PDB_secrets_fetch_domain_guid: bool (const char *, struct GUID *)
> > > -+PDB_secrets_fetch_domain_sid: bool (const char *, struct dom_sid *)
> > > -+PDB_secrets_mark_domain_protected: bool (const char *)
> > > -+PDB_secrets_store_domain_guid: bool (const char *, struct GUID *)
> > > -+PDB_secrets_store_domain_sid: bool (const char *, const struct dom_sid *)
> > > -+account_policy_get: bool (enum pdb_policy_type, uint32_t *)
> > > -+account_policy_get_default: bool (enum pdb_policy_type, uint32_t *)
> > > -+account_policy_get_desc: const char *(enum pdb_policy_type)
> > > -+account_policy_name_to_typenum: enum pdb_policy_type (const char *)
> > > -+account_policy_names_list: void (TALLOC_CTX *, const char ***, int *)
> > > -+account_policy_set: bool (enum pdb_policy_type, uint32_t)
> > > -+add_initial_entry: NTSTATUS (gid_t, const char *, enum lsa_SidType, const char *, const char *)
> > > -+algorithmic_pdb_gid_to_group_rid: uint32_t (gid_t)
> > > -+algorithmic_pdb_rid_is_user: bool (uint32_t)
> > > -+algorithmic_pdb_uid_to_user_rid: uint32_t (uid_t)
> > > -+algorithmic_pdb_user_rid_to_uid: uid_t (uint32_t)
> > > -+algorithmic_rid_base: int (void)
> > > -+builtin_domain_name: const char *(void)
> > > -+cache_account_policy_get: bool (enum pdb_policy_type, uint32_t *)
> > > -+cache_account_policy_set: bool (enum pdb_policy_type, uint32_t)
> > > -+create_builtin_administrators: NTSTATUS (const struct dom_sid *)
> > > -+create_builtin_users: NTSTATUS (const struct dom_sid *)
> > > -+decode_account_policy_name: const char *(enum pdb_policy_type)
> > > -+get_account_pol_db: struct db_context *(void)
> > > -+get_account_policy_attr: const char *(enum pdb_policy_type)
> > > -+get_domain_group_from_sid: bool (struct dom_sid, GROUP_MAP *)
> > > -+get_primary_group_sid: NTSTATUS (TALLOC_CTX *, const char *, struct passwd **, struct dom_sid **)
> > > -+get_privileges_for_sid_as_set: NTSTATUS (TALLOC_CTX *, PRIVILEGE_SET **, struct dom_sid *)
> > > -+get_privileges_for_sids: bool (uint64_t *, struct dom_sid *, int)
> > > -+get_trust_pw_clear: bool (const char *, char **, const char **, enum netr_SchannelType *)
> > > -+get_trust_pw_hash: bool (const char *, uint8_t *, const char **, enum netr_SchannelType *)
> > > -+gid_to_sid: void (struct dom_sid *, gid_t)
> > > -+gid_to_unix_groups_sid: void (gid_t, struct dom_sid *)
> > > -+grab_named_mutex: struct named_mutex *(TALLOC_CTX *, const char *, int)
> > > -+grant_all_privileges: bool (const struct dom_sid *)
> > > -+grant_privilege_by_name: bool (const struct dom_sid *, const char *)
> > > -+grant_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *)
> > > -+groupdb_tdb_init: const struct mapping_backend *(void)
> > > -+init_account_policy: bool (void)
> > > -+init_buffer_from_samu: uint32_t (uint8_t **, struct samu *, bool)
> > > -+init_samu_from_buffer: bool (struct samu *, uint32_t, uint8_t *, uint32_t)
> > > -+initialize_password_db: bool (bool, struct tevent_context *)
> > > -+is_dc_trusted_domain_situation: bool (const char *)
> > > -+is_privileged_sid: bool (const struct dom_sid *)
> > > -+local_password_change: NTSTATUS (const char *, int, const char *, char **, char **)
> > > -+login_cache_delentry: bool (const struct samu *)
> > > -+login_cache_init: bool (void)
> > > -+login_cache_read: bool (struct samu *, struct login_cache *)
> > > -+login_cache_shutdown: bool (void)
> > > -+login_cache_write: bool (const struct samu *, const struct login_cache *)
> > > -+lookup_builtin_name: bool (const char *, uint32_t *)
> > > -+lookup_builtin_rid: bool (TALLOC_CTX *, uint32_t, const char **)
> > > -+lookup_global_sam_name: bool (const char *, int, uint32_t *, enum lsa_SidType *)
> > > -+lookup_name: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *)
> > > -+lookup_name_smbconf: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *)
> > > -+lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *)
> > > -+lookup_sids: NTSTATUS (TALLOC_CTX *, int, const struct dom_sid **, int, struct lsa_dom_info **, struct lsa_name_info **)
> > > -+lookup_unix_group_name: bool (const char *, struct dom_sid *)
> > > -+lookup_unix_user_name: bool (const char *, struct dom_sid *)
> > > -+lookup_wellknown_name: bool (TALLOC_CTX *, const char *, struct dom_sid *, const char **)
> > > -+lookup_wellknown_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **)
> > > -+make_pdb_method: NTSTATUS (struct pdb_methods **)
> > > -+make_pdb_method_name: NTSTATUS (struct pdb_methods **, const char *)
> > > -+max_algorithmic_gid: gid_t (void)
> > > -+max_algorithmic_uid: uid_t (void)
> > > -+my_sam_name: const char *(void)
> > > -+pdb_add_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *)
> > > -+pdb_add_group_mapping_entry: NTSTATUS (GROUP_MAP *)
> > > -+pdb_add_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t)
> > > -+pdb_add_sam_account: NTSTATUS (struct samu *)
> > > -+pdb_build_fields_present: uint32_t (struct samu *)
> > > -+pdb_capabilities: uint32_t (void)
> > > -+pdb_copy_sam_account: bool (struct samu *, struct samu *)
> > > -+pdb_create_alias: NTSTATUS (const char *, uint32_t *)
> > > -+pdb_create_builtin: NTSTATUS (uint32_t)
> > > -+pdb_create_builtin_alias: NTSTATUS (uint32_t, gid_t)
> > > -+pdb_create_dom_group: NTSTATUS (TALLOC_CTX *, const char *, uint32_t *)
> > > -+pdb_create_user: NTSTATUS (TALLOC_CTX *, const char *, uint32_t, uint32_t *)
> > > -+pdb_decode_acct_ctrl: uint32_t (const char *)
> > > -+pdb_default_add_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *)
> > > -+pdb_default_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
> > > -+pdb_default_alias_memberships: NTSTATUS (struct pdb_methods *, TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
> > > -+pdb_default_create_alias: NTSTATUS (struct pdb_methods *, const char *, uint32_t *)
> > > -+pdb_default_del_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *)
> > > -+pdb_default_delete_alias: NTSTATUS (struct pdb_methods *, const struct dom_sid *)
> > > -+pdb_default_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid)
> > > -+pdb_default_enum_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *)
> > > -+pdb_default_enum_group_mapping: NTSTATUS (struct pdb_methods *, const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool)
> > > -+pdb_default_get_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *)
> > > -+pdb_default_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t)
> > > -+pdb_default_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *)
> > > -+pdb_default_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid)
> > > -+pdb_default_set_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *)
> > > -+pdb_default_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
> > > -+pdb_del_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *)
> > > -+pdb_del_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t)
> > > -+pdb_del_trusted_domain: NTSTATUS (const char *)
> > > -+pdb_del_trusteddom_pw: bool (const char *)
> > > -+pdb_delete_alias: NTSTATUS (const struct dom_sid *)
> > > -+pdb_delete_dom_group: NTSTATUS (TALLOC_CTX *, uint32_t)
> > > -+pdb_delete_group_mapping_entry: NTSTATUS (struct dom_sid)
> > > -+pdb_delete_sam_account: NTSTATUS (struct samu *)
> > > -+pdb_delete_secret: NTSTATUS (const char *)
> > > -+pdb_delete_user: NTSTATUS (TALLOC_CTX *, struct samu *)
> > > -+pdb_element_is_changed: bool (const struct samu *, enum pdb_elements)
> > > -+pdb_element_is_set_or_changed: bool (const struct samu *, enum pdb_elements)
> > > -+pdb_encode_acct_ctrl: char *(uint32_t, size_t)
> > > -+pdb_enum_alias_memberships: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
> > > -+pdb_enum_aliasmem: NTSTATUS (const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *)
> > > -+pdb_enum_group_mapping: bool (const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool)
> > > -+pdb_enum_group_members: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, uint32_t **, size_t *)
> > > -+pdb_enum_group_memberships: NTSTATUS (TALLOC_CTX *, struct samu *, struct dom_sid **, gid_t **, uint32_t *)
> > > -+pdb_enum_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct pdb_trusted_domain ***)
> > > -+pdb_enum_trusteddoms: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***)
> > > -+pdb_enum_upn_suffixes: NTSTATUS (TALLOC_CTX *, uint32_t *, char ***)
> > > -+pdb_find_backend_entry: struct pdb_init_function_entry *(const char *)
> > > -+pdb_get_account_policy: bool (enum pdb_policy_type, uint32_t *)
> > > -+pdb_get_acct_ctrl: uint32_t (const struct samu *)
> > > -+pdb_get_acct_desc: const char *(const struct samu *)
> > > -+pdb_get_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *)
> > > -+pdb_get_backend_private_data: void *(const struct samu *, const struct pdb_methods *)
> > > -+pdb_get_backends: const struct pdb_init_function_entry *(void)
> > > -+pdb_get_bad_password_count: uint16_t (const struct samu *)
> > > -+pdb_get_bad_password_time: time_t (const struct samu *)
> > > -+pdb_get_code_page: uint16_t (const struct samu *)
> > > -+pdb_get_comment: const char *(const struct samu *)
> > > -+pdb_get_country_code: uint16_t (const struct samu *)
> > > -+pdb_get_dir_drive: const char *(const struct samu *)
> > > -+pdb_get_domain: const char *(const struct samu *)
> > > -+pdb_get_domain_info: struct pdb_domain_info *(TALLOC_CTX *)
> > > -+pdb_get_fullname: const char *(const struct samu *)
> > > -+pdb_get_group_rid: uint32_t (struct samu *)
> > > -+pdb_get_group_sid: const struct dom_sid *(struct samu *)
> > > -+pdb_get_homedir: const char *(const struct samu *)
> > > -+pdb_get_hours: const uint8_t *(const struct samu *)
> > > -+pdb_get_hours_len: uint32_t (const struct samu *)
> > > -+pdb_get_init_flags: enum pdb_value_state (const struct samu *, enum pdb_elements)
> > > -+pdb_get_kickoff_time: time_t (const struct samu *)
> > > -+pdb_get_lanman_passwd: const uint8_t *(const struct samu *)
> > > -+pdb_get_logoff_time: time_t (const struct samu *)
> > > -+pdb_get_logon_count: uint16_t (const struct samu *)
> > > -+pdb_get_logon_divs: uint16_t (const struct samu *)
> > > -+pdb_get_logon_script: const char *(const struct samu *)
> > > -+pdb_get_logon_time: time_t (const struct samu *)
> > > -+pdb_get_munged_dial: const char *(const struct samu *)
> > > -+pdb_get_nt_passwd: const uint8_t *(const struct samu *)
> > > -+pdb_get_nt_username: const char *(const struct samu *)
> > > -+pdb_get_pass_can_change: bool (const struct samu *)
> > > -+pdb_get_pass_can_change_time: time_t (const struct samu *)
> > > -+pdb_get_pass_can_change_time_noncalc: time_t (const struct samu *)
> > > -+pdb_get_pass_last_set_time: time_t (const struct samu *)
> > > -+pdb_get_pass_must_change_time: time_t (const struct samu *)
> > > -+pdb_get_plaintext_passwd: const char *(const struct samu *)
> > > -+pdb_get_profile_path: const char *(const struct samu *)
> > > -+pdb_get_pw_history: const uint8_t *(const struct samu *, uint32_t *)
> > > -+pdb_get_secret: NTSTATUS (TALLOC_CTX *, const char *, DATA_BLOB *, NTTIME *, DATA_BLOB *, NTTIME *, struct security_descriptor **)
> > > -+pdb_get_seq_num: bool (time_t *)
> > > -+pdb_get_tevent_context: struct tevent_context *(void)
> > > -+pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct pdb_trusted_domain **)
> > > -+pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *, struct pdb_trusted_domain **)
> > > -+pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *)
> > > -+pdb_get_unknown_6: uint32_t (const struct samu *)
> > > -+pdb_get_user_rid: uint32_t (const struct samu *)
> > > -+pdb_get_user_sid: const struct dom_sid *(const struct samu *)
> > > -+pdb_get_username: const char *(const struct samu *)
> > > -+pdb_get_workstations: const char *(const struct samu *)
> > > -+pdb_getgrgid: bool (GROUP_MAP *, gid_t)
> > > -+pdb_getgrnam: bool (GROUP_MAP *, const char *)
> > > -+pdb_getgrsid: bool (GROUP_MAP *, struct dom_sid)
> > > -+pdb_gethexhours: bool (const char *, unsigned char *)
> > > -+pdb_gethexpwd: bool (const char *, unsigned char *)
> > > -+pdb_getsampwnam: bool (struct samu *, const char *)
> > > -+pdb_getsampwsid: bool (struct samu *, const struct dom_sid *)
> > > -+pdb_gid_to_sid: bool (gid_t, struct dom_sid *)
> > > -+pdb_group_rid_to_gid: gid_t (uint32_t)
> > > -+pdb_increment_bad_password_count: bool (struct samu *)
> > > -+pdb_is_password_change_time_max: bool (time_t)
> > > -+pdb_is_responsible_for_builtin: bool (void)
> > > -+pdb_is_responsible_for_our_sam: bool (void)
> > > -+pdb_is_responsible_for_unix_groups: bool (void)
> > > -+pdb_is_responsible_for_unix_users: bool (void)
> > > -+pdb_is_responsible_for_wellknown: bool (void)
> > > -+pdb_lookup_rids: NTSTATUS (const struct dom_sid *, int, uint32_t *, const char **, enum lsa_SidType *)
> > > -+pdb_new_rid: bool (uint32_t *)
> > > -+pdb_nop_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
> > > -+pdb_nop_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid)
> > > -+pdb_nop_enum_group_mapping: NTSTATUS (struct pdb_methods *, enum lsa_SidType, GROUP_MAP **, size_t *, bool)
> > > -+pdb_nop_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t)
> > > -+pdb_nop_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *)
> > > -+pdb_nop_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid)
> > > -+pdb_nop_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
> > > -+pdb_rename_sam_account: NTSTATUS (struct samu *, const char *)
> > > -+pdb_search_aliases: struct pdb_search *(TALLOC_CTX *, const struct dom_sid *)
> > > -+pdb_search_entries: uint32_t (struct pdb_search *, uint32_t, uint32_t, struct samr_displayentry **)
> > > -+pdb_search_groups: struct pdb_search *(TALLOC_CTX *)
> > > -+pdb_search_init: struct pdb_search *(TALLOC_CTX *, enum pdb_search_type)
> > > -+pdb_search_users: struct pdb_search *(TALLOC_CTX *, uint32_t)
> > > -+pdb_set_account_policy: bool (enum pdb_policy_type, uint32_t)
> > > -+pdb_set_acct_ctrl: bool (struct samu *, uint32_t, enum pdb_value_state)
> > > -+pdb_set_acct_desc: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *)
> > > -+pdb_set_backend_private_data: bool (struct samu *, void *, void (*)(void **), const struct pdb_methods *, enum pdb_value_state)
> > > -+pdb_set_bad_password_count: bool (struct samu *, uint16_t, enum pdb_value_state)
> > > -+pdb_set_bad_password_time: bool (struct samu *, time_t, enum pdb_value_state)
> > > -+pdb_set_code_page: bool (struct samu *, uint16_t, enum pdb_value_state)
> > > -+pdb_set_comment: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_country_code: bool (struct samu *, uint16_t, enum pdb_value_state)
> > > -+pdb_set_dir_drive: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_domain: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_fullname: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_group_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state)
> > > -+pdb_set_group_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state)
> > > -+pdb_set_homedir: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_hours: bool (struct samu *, const uint8_t *, int, enum pdb_value_state)
> > > -+pdb_set_hours_len: bool (struct samu *, uint32_t, enum pdb_value_state)
> > > -+pdb_set_init_flags: bool (struct samu *, enum pdb_elements, enum pdb_value_state)
> > > -+pdb_set_kickoff_time: bool (struct samu *, time_t, enum pdb_value_state)
> > > -+pdb_set_lanman_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state)
> > > -+pdb_set_logoff_time: bool (struct samu *, time_t, enum pdb_value_state)
> > > -+pdb_set_logon_count: bool (struct samu *, uint16_t, enum pdb_value_state)
> > > -+pdb_set_logon_divs: bool (struct samu *, uint16_t, enum pdb_value_state)
> > > -+pdb_set_logon_script: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_logon_time: bool (struct samu *, time_t, enum pdb_value_state)
> > > -+pdb_set_munged_dial: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_nt_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state)
> > > -+pdb_set_nt_username: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_pass_can_change: bool (struct samu *, bool)
> > > -+pdb_set_pass_can_change_time: bool (struct samu *, time_t, enum pdb_value_state)
> > > -+pdb_set_pass_last_set_time: bool (struct samu *, time_t, enum pdb_value_state)
> > > -+pdb_set_plaintext_passwd: bool (struct samu *, const char *)
> > > -+pdb_set_plaintext_pw_only: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_profile_path: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_pw_history: bool (struct samu *, const uint8_t *, uint32_t, enum pdb_value_state)
> > > -+pdb_set_secret: NTSTATUS (const char *, DATA_BLOB *, DATA_BLOB *, struct security_descriptor *)
> > > -+pdb_set_trusted_domain: NTSTATUS (const char *, const struct pdb_trusted_domain *)
> > > -+pdb_set_trusteddom_pw: bool (const char *, const char *, const struct dom_sid *)
> > > -+pdb_set_unix_primary_group: NTSTATUS (TALLOC_CTX *, struct samu *)
> > > -+pdb_set_unknown_6: bool (struct samu *, uint32_t, enum pdb_value_state)
> > > -+pdb_set_upn_suffixes: NTSTATUS (uint32_t, const char **)
> > > -+pdb_set_user_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state)
> > > -+pdb_set_user_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state)
> > > -+pdb_set_user_sid_from_string: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_username: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_set_workstations: bool (struct samu *, const char *, enum pdb_value_state)
> > > -+pdb_sethexhours: void (char *, const unsigned char *)
> > > -+pdb_sethexpwd: void (char *, const unsigned char *, uint32_t)
> > > -+pdb_sid_to_id: bool (const struct dom_sid *, struct unixid *)
> > > -+pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct unixid *)
> > > -+pdb_uid_to_sid: bool (uid_t, struct dom_sid *)
> > > -+pdb_update_autolock_flag: bool (struct samu *, bool *)
> > > -+pdb_update_bad_password_count: bool (struct samu *, bool *)
> > > -+pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *)
> > > -+pdb_update_login_attempts: NTSTATUS (struct samu *, bool)
> > > -+pdb_update_sam_account: NTSTATUS (struct samu *)
> > > -+privilege_create_account: NTSTATUS (const struct dom_sid *)
> > > -+privilege_delete_account: NTSTATUS (const struct dom_sid *)
> > > -+privilege_enum_sids: NTSTATUS (enum sec_privilege, TALLOC_CTX *, struct dom_sid **, int *)
> > > -+privilege_enumerate_accounts: NTSTATUS (struct dom_sid **, int *)
> > > -+revoke_all_privileges: bool (const struct dom_sid *)
> > > -+revoke_privilege_by_name: bool (const struct dom_sid *, const char *)
> > > -+revoke_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *)
> > > -+samu_alloc_rid_unix: NTSTATUS (struct pdb_methods *, struct samu *, const struct passwd *)
> > > -+samu_new: struct samu *(TALLOC_CTX *)
> > > -+samu_set_unix: NTSTATUS (struct samu *, const struct passwd *)
> > > -+secrets_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***)
> > > -+sid_check_is_builtin: bool (const struct dom_sid *)
> > > -+sid_check_is_for_passdb: bool (const struct dom_sid *)
> > > -+sid_check_is_in_builtin: bool (const struct dom_sid *)
> > > -+sid_check_is_in_unix_groups: bool (const struct dom_sid *)
> > > -+sid_check_is_in_unix_users: bool (const struct dom_sid *)
> > > -+sid_check_is_in_wellknown_domain: bool (const struct dom_sid *)
> > > -+sid_check_is_unix_groups: bool (const struct dom_sid *)
> > > -+sid_check_is_unix_users: bool (const struct dom_sid *)
> > > -+sid_check_is_wellknown_builtin: bool (const struct dom_sid *)
> > > -+sid_check_is_wellknown_domain: bool (const struct dom_sid *, const char **)
> > > -+sid_check_object_is_for_passdb: bool (const struct dom_sid *)
> > > -+sid_to_gid: bool (const struct dom_sid *, gid_t *)
> > > -+sid_to_uid: bool (const struct dom_sid *, uid_t *)
> > > -+sids_to_unixids: bool (const struct dom_sid *, uint32_t, struct unixid *)
> > > -+smb_add_user_group: int (const char *, const char *)
> > > -+smb_create_group: int (const char *, gid_t *)
> > > -+smb_delete_group: int (const char *)
> > > -+smb_delete_user_group: int (const char *, const char *)
> > > -+smb_nscd_flush_group_cache: void (void)
> > > -+smb_nscd_flush_user_cache: void (void)
> > > -+smb_register_passdb: NTSTATUS (int, const char *, pdb_init_function)
> > > -+smb_set_primary_group: int (const char *, const char *)
> > > -+uid_to_sid: void (struct dom_sid *, uid_t)
> > > -+uid_to_unix_users_sid: void (uid_t, struct dom_sid *)
> > > -+unix_groups_domain_name: const char *(void)
> > > -+unix_users_domain_name: const char *(void)
> > > -+unixid_from_both: void (struct unixid *, uint32_t)
> > > -+unixid_from_gid: void (struct unixid *, uint32_t)
> > > -+unixid_from_uid: void (struct unixid *, uint32_t)
> > > -+wb_is_trusted_domain: wbcErr (const char *)
> > > -+winbind_allocate_gid: bool (gid_t *)
> > > -+winbind_allocate_uid: bool (uid_t *)
> > > -+winbind_get_groups: bool (TALLOC_CTX *, const char *, uint32_t *, gid_t **)
> > > -+winbind_get_sid_aliases: bool (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
> > > -+winbind_getpwnam: struct passwd *(const char *)
> > > -+winbind_getpwsid: struct passwd *(const struct dom_sid *)
> > > -+winbind_gid_to_sid: bool (struct dom_sid *, gid_t)
> > > -+winbind_lookup_name: bool (const char *, const char *, struct dom_sid *, enum lsa_SidType *)
> > > -+winbind_lookup_rids: bool (TALLOC_CTX *, const struct dom_sid *, int, uint32_t *, const char **, const char ***, enum lsa_SidType **)
> > > -+winbind_lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *)
> > > -+winbind_lookup_usersids: bool (TALLOC_CTX *, const struct dom_sid *, uint32_t *, struct dom_sid **)
> > > -+winbind_ping: bool (void)
> > > -+winbind_sid_to_gid: bool (gid_t *, const struct dom_sid *)
> > > -+winbind_sid_to_uid: bool (uid_t *, const struct dom_sid *)
> > > -+winbind_uid_to_sid: bool (struct dom_sid *, uid_t)
> > > -diff --git a/source3/wscript_build b/source3/wscript_build
> > > -index e0432bf..6d6b6aa 100755
> > > ---- a/source3/wscript_build
> > > -+++ b/source3/wscript_build
> > > -@@ -736,7 +736,7 @@ bld.SAMBA3_LIBRARY('pdb',
> > > - passdb/lookup_sid.h''',
> > > - abi_match=private_pdb_match,
> > > - abi_directory='passdb/ABI',
> > > -- vnum='0',
> > > -+ vnum='0.1.0',
> > > - vars=locals())
> > > -
> > > - bld.SAMBA3_LIBRARY('smbldaphelper',
> > > ---
> > > -1.8.5.2
> > > -
> > > -
> > > -From 91debcafd196a9e821efddce0a9d75c48f8e168d Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Fri, 13 Dec 2013 19:08:34 +0100
> > > -Subject: [PATCH 2/7] s3-auth: Add passwd_to_SamInfo3().
> > > -
> > > -First this function tries to contacts winbind if the user is a domain
> > > -user to get valid information about it. If winbind isn't running it will
> > > -try to create everything from the passwd struct. This is not always
> > > -reliable but works in most cases. It improves the current situation
> > > -which doesn't talk to winbind at all.
> > > -
> > > -Pair-Programmed-With: Guenther Deschner <gd@samba.org>
> > > -Signed-off-by: Guenther Deschner <gd@samba.org>
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 1bb11c7744df6928cb8a096373ab920366b38770)
> > > ----
> > > - source3/auth/proto.h | 4 ++
> > > - source3/auth/server_info.c | 116 +++++++++++++++++++++++++++++++++++++++++++++
> > > - 2 files changed, 120 insertions(+)
> > > -
> > > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > > -index 76661fc..8385e66 100644
> > > ---- a/source3/auth/proto.h
> > > -+++ b/source3/auth/proto.h
> > > -@@ -286,6 +286,10 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > > - const char *login_server,
> > > - struct netr_SamInfo3 **_info3,
> > > - struct extra_auth_info *extra);
> > > -+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > > -+ const char *unix_username,
> > > -+ const struct passwd *pwd,
> > > -+ struct netr_SamInfo3 **pinfo3);
> > > - struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> > > - struct netr_SamInfo3 *orig);
> > > - struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> > > -diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
> > > -index d2b7d6e..46d8178 100644
> > > ---- a/source3/auth/server_info.c
> > > -+++ b/source3/auth/server_info.c
> > > -@@ -24,6 +24,7 @@
> > > - #include "../libcli/security/security.h"
> > > - #include "rpc_client/util_netlogon.h"
> > > - #include "nsswitch/libwbclient/wbclient.h"
> > > -+#include "lib/winbind_util.h"
> > > - #include "passdb.h"
> > > -
> > > - #undef DBGC_CLASS
> > > -@@ -436,6 +437,121 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > > -+ const char *unix_username,
> > > -+ const struct passwd *pwd,
> > > -+ struct netr_SamInfo3 **pinfo3)
> > > -+{
> > > -+ struct netr_SamInfo3 *info3;
> > > -+ NTSTATUS status;
> > > -+ TALLOC_CTX *tmp_ctx;
> > > -+ const char *domain_name = NULL;
> > > -+ const char *user_name = NULL;
> > > -+ struct dom_sid domain_sid;
> > > -+ struct dom_sid user_sid;
> > > -+ struct dom_sid group_sid;
> > > -+ enum lsa_SidType type;
> > > -+ uint32_t num_sids = 0;
> > > -+ struct dom_sid *user_sids = NULL;
> > > -+ bool ok;
> > > -+
> > > -+ tmp_ctx = talloc_stackframe();
> > > -+
> > > -+ ok = lookup_name_smbconf(tmp_ctx,
> > > -+ unix_username,
> > > -+ LOOKUP_NAME_ALL,
> > > -+ &domain_name,
> > > -+ &user_name,
> > > -+ &user_sid,
> > > -+ &type);
> > > -+ if (!ok) {
> > > -+ status = NT_STATUS_NO_SUCH_USER;
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ if (type != SID_NAME_USER) {
> > > -+ status = NT_STATUS_NO_SUCH_USER;
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ ok = winbind_lookup_usersids(tmp_ctx,
> > > -+ &user_sid,
> > > -+ &num_sids,
> > > -+ &user_sids);
> > > -+ /* Check if winbind is running */
> > > -+ if (ok) {
> > > -+ /*
> > > -+ * Winbind is running and the first element of the user_sids
> > > -+ * is the primary group.
> > > -+ */
> > > -+ if (num_sids > 0) {
> > > -+ group_sid = user_sids[0];
> > > -+ }
> > > -+ } else {
> > > -+ /*
> > > -+ * Winbind is not running, create the group_sid from the
> > > -+ * group id.
> > > -+ */
> > > -+ gid_to_sid(&group_sid, pwd->pw_gid);
> > > -+ }
> > > -+
> > > -+ /* Make sure we have a valid group sid */
> > > -+ ok = !is_null_sid(&group_sid);
> > > -+ if (!ok) {
> > > -+ status = NT_STATUS_NO_SUCH_USER;
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ /* Construct a netr_SamInfo3 from the information we have */
> > > -+ info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3);
> > > -+ if (!info3) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ info3->base.account_name.string = talloc_strdup(info3, unix_username);
> > > -+ if (info3->base.account_name.string == NULL) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ ZERO_STRUCT(domain_sid);
> > > -+
> > > -+ sid_copy(&domain_sid, &user_sid);
> > > -+ sid_split_rid(&domain_sid, &info3->base.rid);
> > > -+ info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
> > > -+
> > > -+ ok = sid_peek_check_rid(&domain_sid, &group_sid,
> > > -+ &info3->base.primary_gid);
> > > -+ if (!ok) {
> > > -+ DEBUG(1, ("The primary group domain sid(%s) does not "
> > > -+ "match the domain sid(%s) for %s(%s)\n",
> > > -+ sid_string_dbg(&group_sid),
> > > -+ sid_string_dbg(&domain_sid),
> > > -+ unix_username,
> > > -+ sid_string_dbg(&user_sid)));
> > > -+ status = NT_STATUS_INVALID_SID;
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ info3->base.acct_flags = ACB_NORMAL;
> > > -+
> > > -+ if (num_sids) {
> > > -+ status = group_sids_to_info3(info3, user_sids, num_sids);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ goto done;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ *pinfo3 = talloc_steal(mem_ctx, info3);
> > > -+
> > > -+ status = NT_STATUS_OK;
> > > -+done:
> > > -+ talloc_free(tmp_ctx);
> > > -+
> > > -+ return status;
> > > -+}
> > > -+
> > > - #undef RET_NOMEM
> > > -
> > > - #define RET_NOMEM(ptr) do { \
> > > ---
> > > -1.8.5.2
> > > -
> > > -
> > > -From c7b7670dc5cd8dbf727258666b6417d67afafb33 Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Fri, 13 Dec 2013 19:11:01 +0100
> > > -Subject: [PATCH 3/7] s3-auth: Pass talloc context to make_server_info_pw().
> > > -
> > > -Pair-Programmed-With: Guenther Deschner <gd@samba.org>
> > > -Signed-off-by: Guenther Deschner <gd@samba.org>
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 1b59c9743cf3fbd66b0b8b52162b2cc8d922e5cf)
> > > ----
> > > - source3/auth/auth_unix.c | 7 +++++--
> > > - source3/auth/auth_util.c | 52 +++++++++++++++++++++++++++++-------------------
> > > - source3/auth/proto.h | 7 ++++---
> > > - source3/auth/user_krb5.c | 5 +----
> > > - 4 files changed, 42 insertions(+), 29 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
> > > -index c8b5435..7b483a2 100644
> > > ---- a/source3/auth/auth_unix.c
> > > -+++ b/source3/auth/auth_unix.c
> > > -@@ -67,8 +67,11 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
> > > - unbecome_root();
> > > -
> > > - if (NT_STATUS_IS_OK(nt_status)) {
> > > -- if (pass) {
> > > -- make_server_info_pw(server_info, pass->pw_name, pass);
> > > -+ if (pass != NULL) {
> > > -+ nt_status = make_server_info_pw(mem_ctx,
> > > -+ pass->pw_name,
> > > -+ pass,
> > > -+ server_info);
> > > - } else {
> > > - /* we need to do somthing more useful here */
> > > - nt_status = NT_STATUS_NO_SUCH_USER;
> > > -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> > > -index ceaa706..b225b0d 100644
> > > ---- a/source3/auth/auth_util.c
> > > -+++ b/source3/auth/auth_util.c
> > > -@@ -639,14 +639,15 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
> > > - to a struct samu
> > > - ***************************************************************************/
> > > -
> > > --NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> > > -- char *unix_username,
> > > -- struct passwd *pwd)
> > > -+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
> > > -+ const char *unix_username,
> > > -+ const struct passwd *pwd,
> > > -+ struct auth_serversupplied_info **server_info)
> > > - {
> > > - NTSTATUS status;
> > > - struct samu *sampass = NULL;
> > > - char *qualified_name = NULL;
> > > -- TALLOC_CTX *mem_ctx = NULL;
> > > -+ TALLOC_CTX *tmp_ctx;
> > > - struct dom_sid u_sid;
> > > - enum lsa_SidType type;
> > > - struct auth_serversupplied_info *result;
> > > -@@ -664,27 +665,27 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> > > - * plaintext passwords were used with no SAM backend.
> > > - */
> > > -
> > > -- mem_ctx = talloc_init("make_server_info_pw_tmp");
> > > -- if (!mem_ctx) {
> > > -+ tmp_ctx = talloc_stackframe();
> > > -+ if (tmp_ctx == NULL) {
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
> > > -+ qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
> > > - unix_users_domain_name(),
> > > - unix_username );
> > > - if (!qualified_name) {
> > > -- TALLOC_FREE(mem_ctx);
> > > -+ TALLOC_FREE(tmp_ctx);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
> > > -+ if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
> > > - NULL, NULL,
> > > - &u_sid, &type)) {
> > > -- TALLOC_FREE(mem_ctx);
> > > -+ TALLOC_FREE(tmp_ctx);
> > > - return NT_STATUS_NO_SUCH_USER;
> > > - }
> > > -
> > > -- TALLOC_FREE(mem_ctx);
> > > -+ TALLOC_FREE(tmp_ctx);
> > > -
> > > - if (type != SID_NAME_USER) {
> > > - return NT_STATUS_NO_SUCH_USER;
> > > -@@ -707,7 +708,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> > > - /* set the user sid to be the calculated u_sid */
> > > - pdb_set_user_sid(sampass, &u_sid, PDB_SET);
> > > -
> > > -- result = make_server_info(NULL);
> > > -+ result = make_server_info(mem_ctx);
> > > - if (result == NULL) {
> > > - TALLOC_FREE(sampass);
> > > - return NT_STATUS_NO_MEMORY;
> > > -@@ -992,25 +993,36 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
> > > - struct passwd *pwd;
> > > - NTSTATUS status;
> > > - struct auth_serversupplied_info *result;
> > > -+ TALLOC_CTX *tmp_ctx;
> > > -
> > > -- pwd = Get_Pwnam_alloc(talloc_tos(), username);
> > > -- if (pwd == NULL) {
> > > -- return NT_STATUS_NO_SUCH_USER;
> > > -+ tmp_ctx = talloc_stackframe();
> > > -+ if (tmp_ctx == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- status = make_server_info_pw(&result, pwd->pw_name, pwd);
> > > -+ pwd = Get_Pwnam_alloc(tmp_ctx, username);
> > > -+ if (pwd == NULL) {
> > > -+ status = NT_STATUS_NO_SUCH_USER;
> > > -+ goto done;
> > > -+ }
> > > -
> > > -+ status = make_server_info_pw(tmp_ctx, pwd->pw_name, pwd, &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -+ goto done;
> > > - }
> > > -
> > > - result->nss_token = true;
> > > - result->guest = is_guest;
> > > -
> > > - /* Now turn the server_info into a session_info with the full token etc */
> > > -- status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info);
> > > -- TALLOC_FREE(result);
> > > -- TALLOC_FREE(pwd);
> > > -+ status = create_local_token(mem_ctx,
> > > -+ result,
> > > -+ NULL,
> > > -+ pwd->pw_name,
> > > -+ session_info);
> > > -+
> > > -+done:
> > > -+ talloc_free(tmp_ctx);
> > > -
> > > - return status;
> > > - }
> > > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > > -index 8385e66..7abca07 100644
> > > ---- a/source3/auth/proto.h
> > > -+++ b/source3/auth/proto.h
> > > -@@ -206,9 +206,10 @@ bool user_in_group_sid(const char *username, const struct dom_sid *group_sid);
> > > - bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid);
> > > - bool user_in_group(const char *username, const char *groupname);
> > > - struct passwd;
> > > --NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> > > -- char *unix_username,
> > > -- struct passwd *pwd);
> > > -+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
> > > -+ const char *unix_username,
> > > -+ const struct passwd *pwd,
> > > -+ struct auth_serversupplied_info **server_info);
> > > - NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
> > > - const char *username,
> > > - bool is_guest,
> > > -diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
> > > -index 974a8aa..7d44285 100644
> > > ---- a/source3/auth/user_krb5.c
> > > -+++ b/source3/auth/user_krb5.c
> > > -@@ -242,7 +242,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > > - */
> > > - DEBUG(10, ("didn't find user %s in passdb, calling "
> > > - "make_server_info_pw\n", username));
> > > -- status = make_server_info_pw(&tmp, username, pw);
> > > -+ status = make_server_info_pw(mem_ctx, username, pw, &tmp);
> > > - }
> > > -
> > > - TALLOC_FREE(sampass);
> > > -@@ -253,9 +253,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > > - return status;
> > > - }
> > > -
> > > -- /* Steal tmp server info into the server_info pointer. */
> > > -- server_info = talloc_move(mem_ctx, &tmp);
> > > --
> > > - /* make_server_info_pw does not set the domain. Without this
> > > - * we end up with the local netbios name in substitutions for
> > > - * %D. */
> > > ---
> > > -1.8.5.2
> > > -
> > > -
> > > -From 4fbd13598e8bdc6acf41329f71de806de4265f36 Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Fri, 13 Dec 2013 19:19:02 +0100
> > > -Subject: [PATCH 4/7] s3-auth: Add passwd_to_SamInfo3().
> > > -
> > > -Correctly lookup users which come from smb.conf. passwd_to_SamInfo3()
> > > -tries to contact winbind if the user is a domain user to get
> > > -valid information about it. If winbind isn't running it will try to
> > > -create everything from the passwd struct. This is not always reliable
> > > -but works in most cases. It improves the current situation which doesn't
> > > -talk to winbind at all.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
> > > -
> > > -Pair-Programmed-With: Guenther Deschner <gd@samba.org>
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -
> > > -Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
> > > -Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104
> > > -
> > > -(cherry picked from commit 40e6456b5896e934fcd581c2cac2389984256e09)
> > > ----
> > > - source3/auth/auth_util.c | 87 +++++++++-------------------------------------
> > > - source3/auth/server_info.c | 22 ++++++++++--
> > > - 2 files changed, 36 insertions(+), 73 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> > > -index b225b0d..24190af 100644
> > > ---- a/source3/auth/auth_util.c
> > > -+++ b/source3/auth/auth_util.c
> > > -@@ -645,98 +645,43 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
> > > - struct auth_serversupplied_info **server_info)
> > > - {
> > > - NTSTATUS status;
> > > -- struct samu *sampass = NULL;
> > > -- char *qualified_name = NULL;
> > > -- TALLOC_CTX *tmp_ctx;
> > > -- struct dom_sid u_sid;
> > > -- enum lsa_SidType type;
> > > -+ TALLOC_CTX *tmp_ctx = NULL;
> > > - struct auth_serversupplied_info *result;
> > > -
> > > -- /*
> > > -- * The SID returned in server_info->sam_account is based
> > > -- * on our SAM sid even though for a pure UNIX account this should
> > > -- * not be the case as it doesn't really exist in the SAM db.
> > > -- * This causes lookups on "[in]valid users" to fail as they
> > > -- * will lookup this name as a "Unix User" SID to check against
> > > -- * the user token. Fix this by adding the "Unix User"\unix_username
> > > -- * SID to the sid array. The correct fix should probably be
> > > -- * changing the server_info->sam_account user SID to be a
> > > -- * S-1-22 Unix SID, but this might break old configs where
> > > -- * plaintext passwords were used with no SAM backend.
> > > -- */
> > > --
> > > - tmp_ctx = talloc_stackframe();
> > > - if (tmp_ctx == NULL) {
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
> > > -- unix_users_domain_name(),
> > > -- unix_username );
> > > -- if (!qualified_name) {
> > > -- TALLOC_FREE(tmp_ctx);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
> > > -- NULL, NULL,
> > > -- &u_sid, &type)) {
> > > -- TALLOC_FREE(tmp_ctx);
> > > -- return NT_STATUS_NO_SUCH_USER;
> > > -- }
> > > --
> > > -- TALLOC_FREE(tmp_ctx);
> > > --
> > > -- if (type != SID_NAME_USER) {
> > > -- return NT_STATUS_NO_SUCH_USER;
> > > -- }
> > > --
> > > -- if ( !(sampass = samu_new( NULL )) ) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- status = samu_set_unix( sampass, pwd );
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > --
> > > -- /* In pathological cases the above call can set the account
> > > -- * name to the DOMAIN\username form. Reset the account name
> > > -- * using unix_username */
> > > -- pdb_set_username(sampass, unix_username, PDB_SET);
> > > --
> > > -- /* set the user sid to be the calculated u_sid */
> > > -- pdb_set_user_sid(sampass, &u_sid, PDB_SET);
> > > --
> > > -- result = make_server_info(mem_ctx);
> > > -+ result = make_server_info(tmp_ctx);
> > > - if (result == NULL) {
> > > -- TALLOC_FREE(sampass);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ goto done;
> > > - }
> > > -
> > > -- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
> > > -- &result->info3, &result->extra);
> > > -- TALLOC_FREE(sampass);
> > > -+ status = passwd_to_SamInfo3(result,
> > > -+ unix_username,
> > > -+ pwd,
> > > -+ &result->info3);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(10, ("Failed to convert samu to info3: %s\n",
> > > -- nt_errstr(status)));
> > > -- TALLOC_FREE(result);
> > > -- return status;
> > > -+ goto done;
> > > - }
> > > -
> > > - result->unix_name = talloc_strdup(result, unix_username);
> > > --
> > > - if (result->unix_name == NULL) {
> > > -- TALLOC_FREE(result);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ goto done;
> > > - }
> > > -
> > > - result->utok.uid = pwd->pw_uid;
> > > - result->utok.gid = pwd->pw_gid;
> > > -
> > > -- *server_info = result;
> > > -+ *server_info = talloc_steal(mem_ctx, result);
> > > -+ status = NT_STATUS_OK;
> > > -+done:
> > > -+ talloc_free(tmp_ctx);
> > > -
> > > -- return NT_STATUS_OK;
> > > -+ return status;
> > > - }
> > > -
> > > - static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
> > > -diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
> > > -index 46d8178..43711d5 100644
> > > ---- a/source3/auth/server_info.c
> > > -+++ b/source3/auth/server_info.c
> > > -@@ -489,10 +489,28 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > > - }
> > > - } else {
> > > - /*
> > > -- * Winbind is not running, create the group_sid from the
> > > -- * group id.
> > > -+ * Winbind is not running, try to create the group_sid from the
> > > -+ * passwd group id.
> > > -+ */
> > > -+
> > > -+ /*
> > > -+ * This can lead to a primary group of S-1-22-2-XX which
> > > -+ * will be rejected by other Samba code.
> > > - */
> > > - gid_to_sid(&group_sid, pwd->pw_gid);
> > > -+
> > > -+ ZERO_STRUCT(domain_sid);
> > > -+
> > > -+ /*
> > > -+ * If we are a unix group, set the group_sid to the
> > > -+ * 'Domain Users' RID of 513 which will always resolve to a
> > > -+ * name.
> > > -+ */
> > > -+ if (sid_check_is_in_unix_groups(&group_sid)) {
> > > -+ sid_compose(&group_sid,
> > > -+ get_global_sam_sid(),
> > > -+ DOMAIN_RID_USERS);
> > > -+ }
> > > - }
> > > -
> > > - /* Make sure we have a valid group sid */
> > > ---
> > > -1.8.5.2
> > > -
> > > -
> > > -From 76bb5e0888f4131ab773d90160051a51c401c90d Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Tue, 18 Feb 2014 10:02:57 +0100
> > > -Subject: [PATCH 5/7] s3-auth: Pass mem_ctx to make_server_info_sam().
> > > -
> > > -Coverity-Id: 1168009
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -
> > > -Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 3dc72266005e87a291f5bf9847257e8c54314d39)
> > > ----
> > > - source3/auth/check_samsec.c | 2 +-
> > > - source3/auth/proto.h | 5 ++--
> > > - source3/auth/server_info_sam.c | 56 +++++++++++++++++++++++++++---------------
> > > - source3/auth/user_krb5.c | 12 +++++----
> > > - 4 files changed, 47 insertions(+), 28 deletions(-)
> > > -
> > > -diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
> > > -index 7ed8cc2..b6cac60 100644
> > > ---- a/source3/auth/check_samsec.c
> > > -+++ b/source3/auth/check_samsec.c
> > > -@@ -482,7 +482,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
> > > - }
> > > -
> > > - become_root();
> > > -- nt_status = make_server_info_sam(server_info, sampass);
> > > -+ nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
> > > - unbecome_root();
> > > -
> > > - TALLOC_FREE(sampass);
> > > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > > -index 7abca07..eac3e54 100644
> > > ---- a/source3/auth/proto.h
> > > -+++ b/source3/auth/proto.h
> > > -@@ -190,8 +190,9 @@ bool make_user_info_guest(const struct tsocket_address *remote_address,
> > > - struct auth_usersupplied_info **user_info);
> > > -
> > > - struct samu;
> > > --NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
> > > -- struct samu *sampass);
> > > -+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
> > > -+ struct samu *sampass,
> > > -+ struct auth_serversupplied_info **pserver_info);
> > > - NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
> > > - const struct auth_serversupplied_info *server_info,
> > > - DATA_BLOB *session_key,
> > > -diff --git a/source3/auth/server_info_sam.c b/source3/auth/server_info_sam.c
> > > -index 5d657f9..47087b1 100644
> > > ---- a/source3/auth/server_info_sam.c
> > > -+++ b/source3/auth/server_info_sam.c
> > > -@@ -58,39 +58,51 @@ static bool is_our_machine_account(const char *username)
> > > - Make (and fill) a user_info struct from a struct samu
> > > - ***************************************************************************/
> > > -
> > > --NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
> > > -- struct samu *sampass)
> > > -+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
> > > -+ struct samu *sampass,
> > > -+ struct auth_serversupplied_info **pserver_info)
> > > - {
> > > - struct passwd *pwd;
> > > -- struct auth_serversupplied_info *result;
> > > -+ struct auth_serversupplied_info *server_info;
> > > - const char *username = pdb_get_username(sampass);
> > > -+ TALLOC_CTX *tmp_ctx;
> > > - NTSTATUS status;
> > > -
> > > -- if ( !(result = make_server_info(NULL)) ) {
> > > -+ tmp_ctx = talloc_stackframe();
> > > -+ if (tmp_ctx == NULL) {
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- if ( !(pwd = Get_Pwnam_alloc(result, username)) ) {
> > > -+ server_info = make_server_info(tmp_ctx);
> > > -+ if (server_info == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ pwd = Get_Pwnam_alloc(tmp_ctx, username);
> > > -+ if (pwd == NULL) {
> > > - DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
> > > - pdb_get_username(sampass)));
> > > -- TALLOC_FREE(result);
> > > -- return NT_STATUS_NO_SUCH_USER;
> > > -+ status = NT_STATUS_NO_SUCH_USER;
> > > -+ goto out;
> > > - }
> > > -
> > > -- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
> > > -- &result->info3, &result->extra);
> > > -+ status = samu_to_SamInfo3(server_info,
> > > -+ sampass,
> > > -+ lp_netbios_name(),
> > > -+ &server_info->info3,
> > > -+ &server_info->extra);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -- TALLOC_FREE(result);
> > > -- return status;
> > > -+ goto out;
> > > - }
> > > -
> > > -- result->unix_name = pwd->pw_name;
> > > -- /* Ensure that we keep pwd->pw_name, because we will free pwd below */
> > > -- talloc_steal(result, pwd->pw_name);
> > > -- result->utok.gid = pwd->pw_gid;
> > > -- result->utok.uid = pwd->pw_uid;
> > > -+ server_info->unix_name = talloc_strdup(server_info, pwd->pw_name);
> > > -+ if (server_info->unix_name == NULL) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ goto out;
> > > -+ }
> > > -
> > > -- TALLOC_FREE(pwd);
> > > -+ server_info->utok.gid = pwd->pw_gid;
> > > -+ server_info->utok.uid = pwd->pw_uid;
> > > -
> > > - if (IS_DC && is_our_machine_account(username)) {
> > > - /*
> > > -@@ -110,9 +122,13 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
> > > - }
> > > -
> > > - DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
> > > -- pdb_get_username(sampass), result->unix_name));
> > > -+ pdb_get_username(sampass), server_info->unix_name));
> > > -+
> > > -+ *pserver_info = talloc_steal(mem_ctx, server_info);
> > > -
> > > -- *server_info = result;
> > > -+ status = NT_STATUS_OK;
> > > -+out:
> > > -+ talloc_free(tmp_ctx);
> > > -
> > > -- return NT_STATUS_OK;
> > > -+ return status;
> > > - }
> > > -diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
> > > -index 7d44285..e40c8ac 100644
> > > ---- a/source3/auth/user_krb5.c
> > > -+++ b/source3/auth/user_krb5.c
> > > -@@ -223,9 +223,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > > - * SID consistency with ntlmssp session setup
> > > - */
> > > - struct samu *sampass;
> > > -- /* The stupid make_server_info_XX functions here
> > > -- don't take a talloc context. */
> > > -- struct auth_serversupplied_info *tmp = NULL;
> > > -
> > > - sampass = samu_new(talloc_tos());
> > > - if (sampass == NULL) {
> > > -@@ -235,14 +232,19 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > > - if (pdb_getsampwnam(sampass, username)) {
> > > - DEBUG(10, ("found user %s in passdb, calling "
> > > - "make_server_info_sam\n", username));
> > > -- status = make_server_info_sam(&tmp, sampass);
> > > -+ status = make_server_info_sam(mem_ctx,
> > > -+ sampass,
> > > -+ &server_info);
> > > - } else {
> > > - /*
> > > - * User not in passdb, make it up artificially
> > > - */
> > > - DEBUG(10, ("didn't find user %s in passdb, calling "
> > > - "make_server_info_pw\n", username));
> > > -- status = make_server_info_pw(mem_ctx, username, pw, &tmp);
> > > -+ status = make_server_info_pw(mem_ctx,
> > > -+ username,
> > > -+ pw,
> > > -+ &server_info);
> > > - }
> > > -
> > > - TALLOC_FREE(sampass);
> > > ---
> > > -1.8.5.2
> > > -
> > > -
> > > -From f9c0adb6237c6e60c33ee6af21f55c0cdefa132c Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Tue, 18 Feb 2014 10:19:57 +0100
> > > -Subject: [PATCH 6/7] s3-auth: Pass mem_ctx to auth_check_ntlm_password().
> > > -
> > > -Coverity-Id: 1168009
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -
> > > -Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 4d792db03f18aa164b565c7fdc7b446c174fba28)
> > > ----
> > > - source3/auth/auth.c | 50 ++++++++++++++++++-----------
> > > - source3/auth/auth_ntlmssp.c | 6 ++--
> > > - source3/auth/proto.h | 8 +++--
> > > - source3/rpc_server/netlogon/srv_netlog_nt.c | 6 ++--
> > > - source3/torture/pdbtest.c | 5 ++-
> > > - 5 files changed, 48 insertions(+), 27 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth.c b/source3/auth/auth.c
> > > -index c3797cf..dc9af02 100644
> > > ---- a/source3/auth/auth.c
> > > -+++ b/source3/auth/auth.c
> > > -@@ -160,18 +160,19 @@ static bool check_domain_match(const char *user, const char *domain)
> > > - *
> > > - **/
> > > -
> > > --NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> > > -- const struct auth_usersupplied_info *user_info,
> > > -- struct auth_serversupplied_info **server_info)
> > > -+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
> > > -+ const struct auth_context *auth_context,
> > > -+ const struct auth_usersupplied_info *user_info,
> > > -+ struct auth_serversupplied_info **pserver_info)
> > > - {
> > > - /* if all the modules say 'not for me' this is reasonable */
> > > - NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
> > > - const char *unix_username;
> > > - auth_methods *auth_method;
> > > -- TALLOC_CTX *mem_ctx;
> > > -
> > > -- if (!user_info || !auth_context || !server_info)
> > > -+ if (user_info == NULL || auth_context == NULL || pserver_info == NULL) {
> > > - return NT_STATUS_LOGON_FAILURE;
> > > -+ }
> > > -
> > > - DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
> > > - user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
> > > -@@ -205,17 +206,27 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> > > - return NT_STATUS_LOGON_FAILURE;
> > > -
> > > - for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
> > > -+ struct auth_serversupplied_info *server_info;
> > > -+ TALLOC_CTX *tmp_ctx;
> > > - NTSTATUS result;
> > > -
> > > -- mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
> > > -- user_info->mapped.domain_name, user_info->client.account_name);
> > > -+ tmp_ctx = talloc_named(mem_ctx,
> > > -+ 0,
> > > -+ "%s authentication for user %s\\%s",
> > > -+ auth_method->name,
> > > -+ user_info->mapped.domain_name,
> > > -+ user_info->client.account_name);
> > > -
> > > -- result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
> > > -+ result = auth_method->auth(auth_context,
> > > -+ auth_method->private_data,
> > > -+ tmp_ctx,
> > > -+ user_info,
> > > -+ &server_info);
> > > -
> > > - /* check if the module did anything */
> > > - if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
> > > - DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
> > > -- talloc_destroy(mem_ctx);
> > > -+ TALLOC_FREE(tmp_ctx);
> > > - continue;
> > > - }
> > > -
> > > -@@ -229,19 +240,20 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> > > - auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
> > > - }
> > > -
> > > -- talloc_destroy(mem_ctx);
> > > --
> > > -- if ( NT_STATUS_IS_OK(nt_status))
> > > -- {
> > > -- break;
> > > -+ if (NT_STATUS_IS_OK(nt_status)) {
> > > -+ *pserver_info = talloc_steal(mem_ctx, server_info);
> > > -+ TALLOC_FREE(tmp_ctx);
> > > -+ break;
> > > - }
> > > -+
> > > -+ TALLOC_FREE(tmp_ctx);
> > > - }
> > > -
> > > - /* successful authentication */
> > > -
> > > - if (NT_STATUS_IS_OK(nt_status)) {
> > > -- unix_username = (*server_info)->unix_name;
> > > -- if (!(*server_info)->guest) {
> > > -+ unix_username = (*pserver_info)->unix_name;
> > > -+ if (!(*pserver_info)->guest) {
> > > - const char *rhost;
> > > -
> > > - if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
> > > -@@ -270,9 +282,9 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> > > - }
> > > -
> > > - if (NT_STATUS_IS_OK(nt_status)) {
> > > -- DEBUG((*server_info)->guest ? 5 : 2,
> > > -+ DEBUG((*pserver_info)->guest ? 5 : 2,
> > > - ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
> > > -- (*server_info)->guest ? "guest " : "",
> > > -+ (*pserver_info)->guest ? "guest " : "",
> > > - user_info->client.account_name,
> > > - user_info->mapped.account_name,
> > > - unix_username));
> > > -@@ -286,7 +298,7 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> > > - DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
> > > - user_info->client.account_name, user_info->mapped.account_name,
> > > - nt_errstr(nt_status)));
> > > -- ZERO_STRUCTP(server_info);
> > > -+ ZERO_STRUCTP(pserver_info);
> > > -
> > > - return nt_status;
> > > - }
> > > -diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
> > > -index f99bd44..cb7726c 100644
> > > ---- a/source3/auth/auth_ntlmssp.c
> > > -+++ b/source3/auth/auth_ntlmssp.c
> > > -@@ -134,8 +134,10 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
> > > -
> > > - mapped_user_info->flags = user_info->flags;
> > > -
> > > -- nt_status = auth_check_ntlm_password(auth_context,
> > > -- mapped_user_info, &server_info);
> > > -+ nt_status = auth_check_ntlm_password(mem_ctx,
> > > -+ auth_context,
> > > -+ mapped_user_info,
> > > -+ &server_info);
> > > -
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
> > > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > > -index eac3e54..15b1ba0 100644
> > > ---- a/source3/auth/proto.h
> > > -+++ b/source3/auth/proto.h
> > > -@@ -65,6 +65,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
> > > - * struct. When the return is other than NT_STATUS_OK the contents
> > > - * of that structure is undefined.
> > > - *
> > > -+ * @param mem_ctx The memory context to use to allocate server_info
> > > -+ *
> > > - * @param user_info Contains the user supplied components, including the passwords.
> > > - * Must be created with make_user_info() or one of its wrappers.
> > > - *
> > > -@@ -79,9 +81,9 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
> > > - * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
> > > - *
> > > - **/
> > > --
> > > --NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> > > -- const struct auth_usersupplied_info *user_info,
> > > -+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
> > > -+ const struct auth_context *auth_context,
> > > -+ const struct auth_usersupplied_info *user_info,
> > > - struct auth_serversupplied_info **server_info);
> > > -
> > > - /* The following definitions come from auth/auth_builtin.c */
> > > -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
> > > -index e5ca474..0c8c9a5 100644
> > > ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
> > > -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
> > > -@@ -1650,8 +1650,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> > > - } /* end switch */
> > > -
> > > - if ( NT_STATUS_IS_OK(status) ) {
> > > -- status = auth_check_ntlm_password(auth_context,
> > > -- user_info, &server_info);
> > > -+ status = auth_check_ntlm_password(p->mem_ctx,
> > > -+ auth_context,
> > > -+ user_info,
> > > -+ &server_info);
> > > - }
> > > -
> > > - TALLOC_FREE(auth_context);
> > > -diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
> > > -index 17da455..14d58b9 100644
> > > ---- a/source3/torture/pdbtest.c
> > > -+++ b/source3/torture/pdbtest.c
> > > -@@ -304,7 +304,10 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
> > > - return False;
> > > - }
> > > -
> > > -- status = auth_check_ntlm_password(auth_context, user_info, &server_info);
> > > -+ status = auth_check_ntlm_password(mem_ctx,
> > > -+ auth_context,
> > > -+ user_info,
> > > -+ &server_info);
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
> > > ---
> > > -1.8.5.2
> > > -
> > > -
> > > -From a48bcd84c59b5b2cb8c3e0f5d68b35065bed81d7 Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Tue, 18 Feb 2014 13:52:49 +0100
> > > -Subject: [PATCH 7/7] s3-auth: Pass mem_ctx to do_map_to_guest_server_info().
> > > -
> > > -Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -
> > > -Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
> > > -Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104
> > > -
> > > -(cherry picked from commit 79e2725f339e7c5336b4053348c4266268de6ca3)
> > > ----
> > > - source3/auth/auth_ntlmssp.c | 7 ++++---
> > > - source3/auth/auth_util.c | 12 +++++++-----
> > > - source3/auth/proto.h | 8 +++++---
> > > - 3 files changed, 16 insertions(+), 11 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
> > > -index cb7726c..d4fe901 100644
> > > ---- a/source3/auth/auth_ntlmssp.c
> > > -+++ b/source3/auth/auth_ntlmssp.c
> > > -@@ -151,10 +151,11 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
> > > - free_user_info(&mapped_user_info);
> > > -
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > -- nt_status = do_map_to_guest_server_info(nt_status,
> > > -- &server_info,
> > > -+ nt_status = do_map_to_guest_server_info(mem_ctx,
> > > -+ nt_status,
> > > - user_info->client.account_name,
> > > -- user_info->client.domain_name);
> > > -+ user_info->client.domain_name,
> > > -+ &server_info);
> > > - *server_returned_info = talloc_steal(mem_ctx, server_info);
> > > - return nt_status;
> > > - }
> > > -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> > > -index 24190af..8cf5cb7 100644
> > > ---- a/source3/auth/auth_util.c
> > > -+++ b/source3/auth/auth_util.c
> > > -@@ -1536,9 +1536,11 @@ bool is_trusted_domain(const char* dom_name)
> > > - on a logon error possibly map the error to success if "map to guest"
> > > - is set approriately
> > > - */
> > > --NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
> > > -- struct auth_serversupplied_info **server_info,
> > > -- const char *user, const char *domain)
> > > -+NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx,
> > > -+ NTSTATUS status,
> > > -+ const char *user,
> > > -+ const char *domain,
> > > -+ struct auth_serversupplied_info **server_info)
> > > - {
> > > - user = user ? user : "";
> > > - domain = domain ? domain : "";
> > > -@@ -1548,13 +1550,13 @@ NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
> > > - (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
> > > - DEBUG(3,("No such user %s [%s] - using guest account\n",
> > > - user, domain));
> > > -- return make_server_info_guest(NULL, server_info);
> > > -+ return make_server_info_guest(mem_ctx, server_info);
> > > - }
> > > - } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
> > > - if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
> > > - DEBUG(3,("Registered username %s for guest access\n",
> > > - user));
> > > -- return make_server_info_guest(NULL, server_info);
> > > -+ return make_server_info_guest(mem_ctx, server_info);
> > > - }
> > > - }
> > > -
> > > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > > -index 15b1ba0..7b8959f 100644
> > > ---- a/source3/auth/proto.h
> > > -+++ b/source3/auth/proto.h
> > > -@@ -264,9 +264,11 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
> > > - enum auth_password_state password_state);
> > > - void free_user_info(struct auth_usersupplied_info **user_info);
> > > -
> > > --NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
> > > -- struct auth_serversupplied_info **server_info,
> > > -- const char *user, const char *domain);
> > > -+NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx,
> > > -+ NTSTATUS status,
> > > -+ const char *user,
> > > -+ const char *domain,
> > > -+ struct auth_serversupplied_info **server_info);
> > > -
> > > - /* The following definitions come from auth/auth_winbind.c */
> > > -
> > > ---
> > > -1.8.5.2
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
> > > deleted file mode 100644
> > > index daa283e..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
> > > +++ /dev/null
> > > @@ -1,266 +0,0 @@
> > > -From 168627e1877317db86471a4b0360dccd9f469aaa Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Mon, 13 Jan 2014 15:59:26 +0100
> > > -Subject: [PATCH 1/2] s3-kerberos: remove print_kdc_line() completely.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Just calling print_canonical_sockaddr() is sufficient, as it already deals with
> > > -ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is
> > > -removed as well. It was pointless because it always derived the port number from
> > > -the provided address which was either a SMB (usually port 445) or LDAP
> > > -connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC.
> > > -Finally, the kerberos libraries that we support and build with, can deal with
> > > -ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of
> > > -resolving the DC name on the kerberos library anymore.
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/libads/kerberos.c | 73 ++++-------------------------------------------
> > > - 1 file changed, 5 insertions(+), 68 deletions(-)
> > > -
> > > -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> > > -index b026e09..ea14350 100644
> > > ---- a/source3/libads/kerberos.c
> > > -+++ b/source3/libads/kerberos.c
> > > -@@ -592,70 +592,6 @@ int kerberos_kinit_password(const char *principal,
> > > - /************************************************************************
> > > - ************************************************************************/
> > > -
> > > --static char *print_kdc_line(char *mem_ctx,
> > > -- const char *prev_line,
> > > -- const struct sockaddr_storage *pss,
> > > -- const char *kdc_name)
> > > --{
> > > -- char addr[INET6_ADDRSTRLEN];
> > > -- uint16_t port = get_sockaddr_port(pss);
> > > --
> > > -- if (pss->ss_family == AF_INET) {
> > > -- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> > > -- prev_line,
> > > -- print_canonical_sockaddr(mem_ctx, pss));
> > > -- }
> > > --
> > > -- /*
> > > -- * IPv6 starts here
> > > -- */
> > > --
> > > -- DEBUG(10, ("print_kdc_line: IPv6 case for kdc_name: %s, port: %d\n",
> > > -- kdc_name, port));
> > > --
> > > -- if (port != 0 && port != DEFAULT_KRB5_PORT) {
> > > -- /* Currently for IPv6 we can't specify a non-default
> > > -- krb5 port with an address, as this requires a ':'.
> > > -- Resolve to a name. */
> > > -- char hostname[MAX_DNS_NAME_LENGTH];
> > > -- int ret = sys_getnameinfo((const struct sockaddr *)pss,
> > > -- sizeof(*pss),
> > > -- hostname, sizeof(hostname),
> > > -- NULL, 0,
> > > -- NI_NAMEREQD);
> > > -- if (ret) {
> > > -- DEBUG(0,("print_kdc_line: can't resolve name "
> > > -- "for kdc with non-default port %s. "
> > > -- "Error %s\n.",
> > > -- print_canonical_sockaddr(mem_ctx, pss),
> > > -- gai_strerror(ret)));
> > > -- return NULL;
> > > -- }
> > > -- /* Success, use host:port */
> > > -- return talloc_asprintf(mem_ctx,
> > > -- "%s\tkdc = %s:%u\n",
> > > -- prev_line,
> > > -- hostname,
> > > -- (unsigned int)port);
> > > -- }
> > > --
> > > -- /* no krb5 lib currently supports "kdc = ipv6 address"
> > > -- * at all, so just fill in just the kdc_name if we have
> > > -- * it and let the krb5 lib figure out the appropriate
> > > -- * ipv6 address - gd */
> > > --
> > > -- if (kdc_name) {
> > > -- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> > > -- prev_line, kdc_name);
> > > -- }
> > > --
> > > -- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> > > -- prev_line,
> > > -- print_sockaddr(addr,
> > > -- sizeof(addr),
> > > -- pss));
> > > --}
> > > --
> > > - /************************************************************************
> > > - Create a string list of available kdc's, possibly searching by sitename.
> > > - Does DNS queries.
> > > -@@ -698,7 +634,8 @@ static char *get_kdc_ip_string(char *mem_ctx,
> > > - char *result = NULL;
> > > - struct netlogon_samlogon_response **responses = NULL;
> > > - NTSTATUS status;
> > > -- char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name);
> > > -+ char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
> > > -+ print_canonical_sockaddr(mem_ctx, pss));
> > > -
> > > - if (kdc_str == NULL) {
> > > - TALLOC_FREE(frame);
> > > -@@ -788,9 +725,9 @@ static char *get_kdc_ip_string(char *mem_ctx,
> > > - }
> > > -
> > > - /* Append to the string - inefficient but not done often. */
> > > -- new_kdc_str = print_kdc_line(mem_ctx, kdc_str,
> > > -- &dc_addrs[i],
> > > -- kdc_name);
> > > -+ new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> > > -+ kdc_str,
> > > -+ print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
> > > - if (new_kdc_str == NULL) {
> > > - goto fail;
> > > - }
> > > ---
> > > -1.8.5.3
> > > -
> > > -
> > > -From 3edb3d4084548960f03356cf4c44a6892e6efb84 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 7 Mar 2014 14:47:31 +0100
> > > -Subject: [PATCH 2/2] s3-kerberos: remove unused kdc_name from
> > > - create_local_private_krb5_conf_for_domain().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/libads/kerberos.c | 10 ++++------
> > > - source3/libads/kerberos_proto.h | 3 +--
> > > - source3/libnet/libnet_join.c | 3 +--
> > > - source3/libsmb/namequery_dc.c | 6 ++----
> > > - source3/winbindd/winbindd_cm.c | 6 ++----
> > > - 5 files changed, 10 insertions(+), 18 deletions(-)
> > > -
> > > -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> > > -index ea14350..649e568 100644
> > > ---- a/source3/libads/kerberos.c
> > > -+++ b/source3/libads/kerberos.c
> > > -@@ -618,8 +618,7 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
> > > - static char *get_kdc_ip_string(char *mem_ctx,
> > > - const char *realm,
> > > - const char *sitename,
> > > -- const struct sockaddr_storage *pss,
> > > -- const char *kdc_name)
> > > -+ const struct sockaddr_storage *pss)
> > > - {
> > > - TALLOC_CTX *frame = talloc_stackframe();
> > > - int i;
> > > -@@ -756,8 +755,7 @@ fail:
> > > - bool create_local_private_krb5_conf_for_domain(const char *realm,
> > > - const char *domain,
> > > - const char *sitename,
> > > -- const struct sockaddr_storage *pss,
> > > -- const char *kdc_name)
> > > -+ const struct sockaddr_storage *pss)
> > > - {
> > > - char *dname;
> > > - char *tmpname = NULL;
> > > -@@ -782,7 +780,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> > > - return false;
> > > - }
> > > -
> > > -- if (domain == NULL || pss == NULL || kdc_name == NULL) {
> > > -+ if (domain == NULL || pss == NULL) {
> > > - return false;
> > > - }
> > > -
> > > -@@ -815,7 +813,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> > > - goto done;
> > > - }
> > > -
> > > -- kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name);
> > > -+ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
> > > - if (!kdc_ip_string) {
> > > - goto done;
> > > - }
> > > -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
> > > -index f7470d2..2559634 100644
> > > ---- a/source3/libads/kerberos_proto.h
> > > -+++ b/source3/libads/kerberos_proto.h
> > > -@@ -62,8 +62,7 @@ int kerberos_kinit_password(const char *principal,
> > > - bool create_local_private_krb5_conf_for_domain(const char *realm,
> > > - const char *domain,
> > > - const char *sitename,
> > > -- const struct sockaddr_storage *pss,
> > > -- const char *kdc_name);
> > > -+ const struct sockaddr_storage *pss);
> > > -
> > > - /* The following definitions come from libads/authdata.c */
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index a87eb38..68884cd 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -2152,8 +2152,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
> > > -
> > > - create_local_private_krb5_conf_for_domain(
> > > - r->out.dns_domain_name, r->out.netbios_domain_name,
> > > -- NULL, smbXcli_conn_remote_sockaddr(cli->conn),
> > > -- smbXcli_conn_remote_name(cli->conn));
> > > -+ NULL, smbXcli_conn_remote_sockaddr(cli->conn));
> > > -
> > > - if (r->out.domain_is_ad && r->in.account_ou &&
> > > - !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
> > > -diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
> > > -index 3cfae79..eb34741 100644
> > > ---- a/source3/libsmb/namequery_dc.c
> > > -+++ b/source3/libsmb/namequery_dc.c
> > > -@@ -112,14 +112,12 @@ static bool ads_dc_name(const char *domain,
> > > - create_local_private_krb5_conf_for_domain(realm,
> > > - domain,
> > > - sitename,
> > > -- &ads->ldap.ss,
> > > -- ads->config.ldap_server_name);
> > > -+ &ads->ldap.ss);
> > > - } else {
> > > - create_local_private_krb5_conf_for_domain(realm,
> > > - domain,
> > > - NULL,
> > > -- &ads->ldap.ss,
> > > -- ads->config.ldap_server_name);
> > > -+ &ads->ldap.ss);
> > > - }
> > > - }
> > > - #endif
> > > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > > -index 669a43e..be13a57 100644
> > > ---- a/source3/winbindd/winbindd_cm.c
> > > -+++ b/source3/winbindd/winbindd_cm.c
> > > -@@ -1233,8 +1233,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
> > > - create_local_private_krb5_conf_for_domain(domain->alt_name,
> > > - domain->name,
> > > - sitename,
> > > -- pss,
> > > -- *name);
> > > -+ pss);
> > > -
> > > - SAFE_FREE(sitename);
> > > - } else {
> > > -@@ -1242,8 +1241,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
> > > - create_local_private_krb5_conf_for_domain(domain->alt_name,
> > > - domain->name,
> > > - NULL,
> > > -- pss,
> > > -- *name);
> > > -+ pss);
> > > - }
> > > - winbindd_set_locator_kdc_envs(domain);
> > > -
> > > ---
> > > -1.8.5.3
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
> > > deleted file mode 100644
> > > index 26a4caf..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
> > > +++ /dev/null
> > > @@ -1,962 +0,0 @@
> > > -From 932490ae08578c37523e00e537017603ee00ce7c Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 17 Jan 2014 14:29:03 +0100
> > > -Subject: [PATCH 1/8] s3-libads: pass down local_service to
> > > - kerberos_return_pac().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/libads/authdata.c | 6 +-----
> > > - source3/libads/kerberos_proto.h | 1 +
> > > - source3/utils/net_ads.c | 8 ++++++++
> > > - source3/winbindd/winbindd_pam.c | 9 +++++++++
> > > - 4 files changed, 19 insertions(+), 5 deletions(-)
> > > -
> > > -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> > > -index 801e551..dd80dc2 100644
> > > ---- a/source3/libads/authdata.c
> > > -+++ b/source3/libads/authdata.c
> > > -@@ -101,13 +101,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - bool add_netbios_addr,
> > > - time_t renewable_time,
> > > - const char *impersonate_princ_s,
> > > -+ const char *local_service,
> > > - struct PAC_LOGON_INFO **_logon_info)
> > > - {
> > > - krb5_error_code ret;
> > > - NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
> > > - DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
> > > - const char *auth_princ = NULL;
> > > -- const char *local_service = NULL;
> > > - const char *cc = "MEMORY:kerberos_return_pac";
> > > - struct auth_session_info *session_info;
> > > - struct gensec_security *gensec_server_context;
> > > -@@ -141,10 +141,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - }
> > > - NT_STATUS_HAVE_NO_MEMORY(auth_princ);
> > > -
> > > -- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > > -- lp_netbios_name(), lp_realm());
> > > -- NT_STATUS_HAVE_NO_MEMORY(local_service);
> > > --
> > > - ret = kerberos_kinit_password_ext(auth_princ,
> > > - pass,
> > > - time_offset,
> > > -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
> > > -index 2559634..1151d66 100644
> > > ---- a/source3/libads/kerberos_proto.h
> > > -+++ b/source3/libads/kerberos_proto.h
> > > -@@ -77,6 +77,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - bool add_netbios_addr,
> > > - time_t renewable_time,
> > > - const char *impersonate_princ_s,
> > > -+ const char *local_service,
> > > - struct PAC_LOGON_INFO **logon_info);
> > > -
> > > - /* The following definitions come from libads/krb5_setpw.c */
> > > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > > -index 89eebf3..5a073b1 100644
> > > ---- a/source3/utils/net_ads.c
> > > -+++ b/source3/utils/net_ads.c
> > > -@@ -2604,6 +2604,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - NTSTATUS status;
> > > - int ret = -1;
> > > - const char *impersonate_princ_s = NULL;
> > > -+ const char *local_service = NULL;
> > > -
> > > - if (c->display_usage) {
> > > - d_printf( "%s\n"
> > > -@@ -2623,6 +2624,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - impersonate_princ_s = argv[0];
> > > - }
> > > -
> > > -+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > > -+ lp_netbios_name(), lp_realm());
> > > -+ if (local_service == NULL) {
> > > -+ goto out;
> > > -+ }
> > > -+
> > > - c->opt_password = net_prompt_pass(c, c->opt_user_name);
> > > -
> > > - status = kerberos_return_pac(mem_ctx,
> > > -@@ -2636,6 +2643,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - true,
> > > - 2592000, /* one month */
> > > - impersonate_princ_s,
> > > -+ local_service,
> > > - &info);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - d_printf(_("failed to query kerberos PAC: %s\n"),
> > > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > > -index 3f3ec70..61e2cef 100644
> > > ---- a/source3/winbindd/winbindd_pam.c
> > > -+++ b/source3/winbindd/winbindd_pam.c
> > > -@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > > - time_t time_offset = 0;
> > > - const char *user_ccache_file;
> > > - struct PAC_LOGON_INFO *logon_info = NULL;
> > > -+ const char *local_service;
> > > -
> > > - *info3 = NULL;
> > > -
> > > -@@ -632,6 +633,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > > -+ lp_netbios_name(), lp_realm());
> > > -+ if (local_service == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+
> > > - /* if this is a user ccache, we need to act as the user to let the krb5
> > > - * library handle the chown, etc. */
> > > -
> > > -@@ -653,6 +661,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > > - true,
> > > - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
> > > - NULL,
> > > -+ local_service,
> > > - &logon_info);
> > > - if (user_ccache_file != NULL) {
> > > - gain_root_privilege();
> > > ---
> > > -1.8.5.3
> > > -
> > > -
> > > -From baed403983a5bb2e728249443fdfc9167a87f526 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Mon, 3 Mar 2014 12:14:51 +0100
> > > -Subject: [PATCH 2/8] auth/kerberos: fix a typo.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - auth/kerberos/kerberos_pac.c | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
> > > -index 81f7f21..8f55c8f 100644
> > > ---- a/auth/kerberos/kerberos_pac.c
> > > -+++ b/auth/kerberos/kerberos_pac.c
> > > -@@ -79,7 +79,7 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
> > > - }
> > > -
> > > - /**
> > > --* @brief Decode a blob containing a NDR envoded PAC structure
> > > -+* @brief Decode a blob containing a NDR encoded PAC structure
> > > - *
> > > - * @param mem_ctx - The memory context
> > > - * @param pac_data_blob - The data blob containing the NDR encoded data
> > > ---
> > > -1.8.5.3
> > > -
> > > -
> > > -From 9725a86e60bb6ef6e912621e81acc955ae2f70a8 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Mon, 10 Mar 2014 15:11:18 +0100
> > > -Subject: [PATCH 3/8] s3-net: change the way impersonation principals are used
> > > - in "net ads kerberos pac".
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/utils/net_ads.c | 14 ++++++++++----
> > > - 1 file changed, 10 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > > -index 5a073b1..ac6346f 100644
> > > ---- a/source3/utils/net_ads.c
> > > -+++ b/source3/utils/net_ads.c
> > > -@@ -2605,6 +2605,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - int ret = -1;
> > > - const char *impersonate_princ_s = NULL;
> > > - const char *local_service = NULL;
> > > -+ int i;
> > > -
> > > - if (c->display_usage) {
> > > - d_printf( "%s\n"
> > > -@@ -2615,15 +2616,20 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - return 0;
> > > - }
> > > -
> > > -+ for (i=0; i<argc; i++) {
> > > -+ if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
> > > -+ impersonate_princ_s = get_string_param(argv[i]);
> > > -+ if (impersonate_princ_s == NULL) {
> > > -+ return -1;
> > > -+ }
> > > -+ }
> > > -+ }
> > > -+
> > > - mem_ctx = talloc_init("net_ads_kerberos_pac");
> > > - if (!mem_ctx) {
> > > - goto out;
> > > - }
> > > -
> > > -- if (argc > 0) {
> > > -- impersonate_princ_s = argv[0];
> > > -- }
> > > --
> > > - local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > > - lp_netbios_name(), lp_realm());
> > > - if (local_service == NULL) {
> > > ---
> > > -1.8.5.3
> > > -
> > > -
> > > -From 35a1ed22f65473fabb2f4846f6d2b50da1847f6a Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Tue, 11 Mar 2014 16:34:36 +0100
> > > -Subject: [PATCH 4/8] s3-net: allow to provide custom local_service in "net ads
> > > - kerberos pac".
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/utils/net_ads.c | 14 +++++++++++---
> > > - 1 file changed, 11 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > > -index ac6346f..c53c8c6 100644
> > > ---- a/source3/utils/net_ads.c
> > > -+++ b/source3/utils/net_ads.c
> > > -@@ -2623,6 +2623,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - return -1;
> > > - }
> > > - }
> > > -+ if (strnequal(argv[i], "local_service", strlen("local_service"))) {
> > > -+ local_service = get_string_param(argv[i]);
> > > -+ if (local_service == NULL) {
> > > -+ return -1;
> > > -+ }
> > > -+ }
> > > - }
> > > -
> > > - mem_ctx = talloc_init("net_ads_kerberos_pac");
> > > -@@ -2630,10 +2636,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - goto out;
> > > - }
> > > -
> > > -- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > > -- lp_netbios_name(), lp_realm());
> > > - if (local_service == NULL) {
> > > -- goto out;
> > > -+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > > -+ lp_netbios_name(), lp_realm());
> > > -+ if (local_service == NULL) {
> > > -+ goto out;
> > > -+ }
> > > - }
> > > -
> > > - c->opt_password = net_prompt_pass(c, c->opt_user_name);
> > > ---
> > > -1.8.5.3
> > > -
> > > -
> > > -From 1270e35ba70a4e4881512d375c767023512f67bd Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 21 Feb 2014 18:56:04 +0100
> > > -Subject: [PATCH 5/8] s3-kerberos: return a full PAC in kerberos_return_pac().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/libads/authdata.c | 28 +++++++++++++++++-----------
> > > - source3/libads/kerberos_proto.h | 4 ++--
> > > - source3/utils/net_ads.c | 17 ++++++++++++++++-
> > > - source3/winbindd/winbindd_pam.c | 22 +++++++++++++++++++++-
> > > - 4 files changed, 56 insertions(+), 15 deletions(-)
> > > -
> > > -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> > > -index dd80dc2..53e40ef 100644
> > > ---- a/source3/libads/authdata.c
> > > -+++ b/source3/libads/authdata.c
> > > -@@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
> > > - struct auth_session_info **session_info)
> > > - {
> > > - TALLOC_CTX *tmp_ctx;
> > > -- struct PAC_LOGON_INFO *logon_info = NULL;
> > > -+ struct PAC_DATA *pac_data = NULL;
> > > - NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
> > > -
> > > - tmp_ctx = talloc_new(mem_ctx);
> > > -@@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
> > > - }
> > > -
> > > - if (pac_blob) {
> > > -- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
> > > -- NULL, NULL, 0, &logon_info);
> > > -+ status = kerberos_decode_pac(tmp_ctx,
> > > -+ *pac_blob,
> > > -+ NULL,
> > > -+ NULL,
> > > -+ NULL,
> > > -+ NULL,
> > > -+ 0,
> > > -+ &pac_data);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - goto done;
> > > - }
> > > - }
> > > -
> > > -- talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
> > > -+ talloc_set_name_const(pac_data, "struct PAC_DATA");
> > > -
> > > -- auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);
> > > -+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
> > > - *session_info = talloc_zero(mem_ctx, struct auth_session_info);
> > > - if (!*session_info) {
> > > - status = NT_STATUS_NO_MEMORY;
> > > -@@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - time_t renewable_time,
> > > - const char *impersonate_princ_s,
> > > - const char *local_service,
> > > -- struct PAC_LOGON_INFO **_logon_info)
> > > -+ struct PAC_DATA **_pac_data)
> > > - {
> > > - krb5_error_code ret;
> > > - NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
> > > -@@ -116,7 +122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - size_t idx = 0;
> > > - struct auth4_context *auth_context;
> > > - struct loadparm_context *lp_ctx;
> > > -- struct PAC_LOGON_INFO *logon_info = NULL;
> > > -+ struct PAC_DATA *pac_data = NULL;
> > > -
> > > - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
> > > - NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
> > > -@@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - goto out;
> > > - }
> > > -
> > > -- logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
> > > -- struct PAC_LOGON_INFO);
> > > -- if (logon_info == NULL) {
> > > -+ pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
> > > -+ struct PAC_DATA);
> > > -+ if (pac_data == NULL) {
> > > - DEBUG(1,("no PAC\n"));
> > > - status = NT_STATUS_INVALID_PARAMETER;
> > > - goto out;
> > > - }
> > > -
> > > -- *_logon_info = talloc_move(mem_ctx, &logon_info);
> > > -+ *_pac_data = talloc_move(mem_ctx, &pac_data);
> > > -
> > > - out:
> > > - talloc_free(tmp_ctx);
> > > -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
> > > -index 1151d66..b2f7486 100644
> > > ---- a/source3/libads/kerberos_proto.h
> > > -+++ b/source3/libads/kerberos_proto.h
> > > -@@ -32,7 +32,7 @@
> > > -
> > > - #include "system/kerberos.h"
> > > -
> > > --struct PAC_LOGON_INFO;
> > > -+struct PAC_DATA;
> > > -
> > > - #include "libads/ads_status.h"
> > > -
> > > -@@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - time_t renewable_time,
> > > - const char *impersonate_princ_s,
> > > - const char *local_service,
> > > -- struct PAC_LOGON_INFO **logon_info);
> > > -+ struct PAC_DATA **pac_data);
> > > -
> > > - /* The following definitions come from libads/krb5_setpw.c */
> > > -
> > > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > > -index c53c8c6..19da6da 100644
> > > ---- a/source3/utils/net_ads.c
> > > -+++ b/source3/utils/net_ads.c
> > > -@@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
> > > - static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
> > > - {
> > > - struct PAC_LOGON_INFO *info = NULL;
> > > -+ struct PAC_DATA *pac_data = NULL;
> > > - TALLOC_CTX *mem_ctx = NULL;
> > > - NTSTATUS status;
> > > - int ret = -1;
> > > -@@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - 2592000, /* one month */
> > > - impersonate_princ_s,
> > > - local_service,
> > > -- &info);
> > > -+ &pac_data);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - d_printf(_("failed to query kerberos PAC: %s\n"),
> > > - nt_errstr(status));
> > > - goto out;
> > > - }
> > > -
> > > -+ for (i=0; i < pac_data->num_buffers; i++) {
> > > -+
> > > -+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
> > > -+ continue;
> > > -+ }
> > > -+
> > > -+ info = pac_data->buffers[i].info->logon_info.info;
> > > -+ if (!info) {
> > > -+ goto out;
> > > -+ }
> > > -+
> > > -+ break;
> > > -+ }
> > > -+
> > > - if (info) {
> > > - const char *s;
> > > - s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
> > > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > > -index 61e2cef..a8daae51 100644
> > > ---- a/source3/winbindd/winbindd_pam.c
> > > -+++ b/source3/winbindd/winbindd_pam.c
> > > -@@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > > - time_t time_offset = 0;
> > > - const char *user_ccache_file;
> > > - struct PAC_LOGON_INFO *logon_info = NULL;
> > > -+ struct PAC_DATA *pac_data = NULL;
> > > - const char *local_service;
> > > -+ int i;
> > > -
> > > - *info3 = NULL;
> > > -
> > > -@@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > > - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
> > > - NULL,
> > > - local_service,
> > > -- &logon_info);
> > > -+ &pac_data);
> > > - if (user_ccache_file != NULL) {
> > > - gain_root_privilege();
> > > - }
> > > -@@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > > - goto failed;
> > > - }
> > > -
> > > -+ if (pac_data == NULL) {
> > > -+ goto failed;
> > > -+ }
> > > -+
> > > -+ for (i=0; i < pac_data->num_buffers; i++) {
> > > -+
> > > -+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
> > > -+ continue;
> > > -+ }
> > > -+
> > > -+ logon_info = pac_data->buffers[i].info->logon_info.info;
> > > -+ if (!logon_info) {
> > > -+ return NT_STATUS_INVALID_PARAMETER;
> > > -+ }
> > > -+
> > > -+ break;
> > > -+ }
> > > -+
> > > - *info3 = &logon_info->info3;
> > > -
> > > - DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
> > > ---
> > > -1.8.5.3
> > > -
> > > -
> > > -From a8c2807a26d2f1ff094ed7ea5724c0394f79b888 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Tue, 11 Mar 2014 18:07:11 +0100
> > > -Subject: [PATCH 6/8] s3-kerberos: let kerberos_return_pac() return a PAC
> > > - container.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/libads/authdata.c | 29 +++++++++++++++++++++--------
> > > - source3/libads/kerberos_proto.h | 7 ++++++-
> > > - source3/utils/net_ads.c | 5 ++++-
> > > - source3/winbindd/winbindd_pam.c | 8 +++++++-
> > > - 4 files changed, 38 insertions(+), 11 deletions(-)
> > > -
> > > -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> > > -index 53e40ef..276408d 100644
> > > ---- a/source3/libads/authdata.c
> > > -+++ b/source3/libads/authdata.c
> > > -@@ -53,6 +53,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
> > > - {
> > > - TALLOC_CTX *tmp_ctx;
> > > - struct PAC_DATA *pac_data = NULL;
> > > -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > > - NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
> > > -
> > > - tmp_ctx = talloc_new(mem_ctx);
> > > -@@ -74,9 +75,21 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
> > > - }
> > > - }
> > > -
> > > -- talloc_set_name_const(pac_data, "struct PAC_DATA");
> > > -+ pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR);
> > > -+ if (pac_data_ctr == NULL) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR");
> > > -+
> > > -+ pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data);
> > > -+ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
> > > -+ pac_blob->data,
> > > -+ pac_blob->length);
> > > -+
> > > -+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);
> > > -
> > > -- auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
> > > - *session_info = talloc_zero(mem_ctx, struct auth_session_info);
> > > - if (!*session_info) {
> > > - status = NT_STATUS_NO_MEMORY;
> > > -@@ -108,7 +121,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - time_t renewable_time,
> > > - const char *impersonate_princ_s,
> > > - const char *local_service,
> > > -- struct PAC_DATA **_pac_data)
> > > -+ struct PAC_DATA_CTR **_pac_data_ctr)
> > > - {
> > > - krb5_error_code ret;
> > > - NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
> > > -@@ -122,7 +135,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - size_t idx = 0;
> > > - struct auth4_context *auth_context;
> > > - struct loadparm_context *lp_ctx;
> > > -- struct PAC_DATA *pac_data = NULL;
> > > -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > > -
> > > - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
> > > - NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
> > > -@@ -278,15 +291,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - goto out;
> > > - }
> > > -
> > > -- pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
> > > -- struct PAC_DATA);
> > > -- if (pac_data == NULL) {
> > > -+ pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
> > > -+ struct PAC_DATA_CTR);
> > > -+ if (pac_data_ctr == NULL) {
> > > - DEBUG(1,("no PAC\n"));
> > > - status = NT_STATUS_INVALID_PARAMETER;
> > > - goto out;
> > > - }
> > > -
> > > -- *_pac_data = talloc_move(mem_ctx, &pac_data);
> > > -+ *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
> > > -
> > > - out:
> > > - talloc_free(tmp_ctx);
> > > -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
> > > -index b2f7486..3d0ad4b 100644
> > > ---- a/source3/libads/kerberos_proto.h
> > > -+++ b/source3/libads/kerberos_proto.h
> > > -@@ -34,6 +34,11 @@
> > > -
> > > - struct PAC_DATA;
> > > -
> > > -+struct PAC_DATA_CTR {
> > > -+ DATA_BLOB pac_blob;
> > > -+ struct PAC_DATA *pac_data;
> > > -+};
> > > -+
> > > - #include "libads/ads_status.h"
> > > -
> > > - /* The following definitions come from libads/kerberos.c */
> > > -@@ -78,7 +83,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - time_t renewable_time,
> > > - const char *impersonate_princ_s,
> > > - const char *local_service,
> > > -- struct PAC_DATA **pac_data);
> > > -+ struct PAC_DATA_CTR **pac_data_ctr);
> > > -
> > > - /* The following definitions come from libads/krb5_setpw.c */
> > > -
> > > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > > -index 19da6da..19c28b1 100644
> > > ---- a/source3/utils/net_ads.c
> > > -+++ b/source3/utils/net_ads.c
> > > -@@ -2601,6 +2601,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - {
> > > - struct PAC_LOGON_INFO *info = NULL;
> > > - struct PAC_DATA *pac_data = NULL;
> > > -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > > - TALLOC_CTX *mem_ctx = NULL;
> > > - NTSTATUS status;
> > > - int ret = -1;
> > > -@@ -2659,13 +2660,15 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - 2592000, /* one month */
> > > - impersonate_princ_s,
> > > - local_service,
> > > -- &pac_data);
> > > -+ &pac_data_ctr);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - d_printf(_("failed to query kerberos PAC: %s\n"),
> > > - nt_errstr(status));
> > > - goto out;
> > > - }
> > > -
> > > -+ pac_data = pac_data_ctr->pac_data;
> > > -+
> > > - for (i=0; i < pac_data->num_buffers; i++) {
> > > -
> > > - if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
> > > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > > -index a8daae51..b41291e 100644
> > > ---- a/source3/winbindd/winbindd_pam.c
> > > -+++ b/source3/winbindd/winbindd_pam.c
> > > -@@ -577,6 +577,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > > - const char *user_ccache_file;
> > > - struct PAC_LOGON_INFO *logon_info = NULL;
> > > - struct PAC_DATA *pac_data = NULL;
> > > -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > > - const char *local_service;
> > > - int i;
> > > -
> > > -@@ -664,7 +665,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > > - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
> > > - NULL,
> > > - local_service,
> > > -- &pac_data);
> > > -+ &pac_data_ctr);
> > > - if (user_ccache_file != NULL) {
> > > - gain_root_privilege();
> > > - }
> > > -@@ -675,6 +676,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> > > - goto failed;
> > > - }
> > > -
> > > -+ if (pac_data_ctr == NULL) {
> > > -+ goto failed;
> > > -+ }
> > > -+
> > > -+ pac_data = pac_data_ctr->pac_data;
> > > - if (pac_data == NULL) {
> > > - goto failed;
> > > - }
> > > ---
> > > -1.8.5.3
> > > -
> > > -
> > > -From 9e01f3cbc4752539128e5452f567ff2e73c3ec9d Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Tue, 11 Mar 2014 18:14:39 +0100
> > > -Subject: [PATCH 7/8] s3-net: modify the current "net ads kerberos pac"
> > > - command.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Rename it to "net ads kerberos pac dump" and add a "type=num" option to allow
> > > -dumping of individial pac buffer types. Ommitting type= or using type=0 will
> > > -dump the whole PAC structure on stdout.
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/utils/net_ads.c | 115 ++++++++++++++++++++++++++++++++----------------
> > > - 1 file changed, 77 insertions(+), 38 deletions(-)
> > > -
> > > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > > -index 19c28b1..f54cf23 100644
> > > ---- a/source3/utils/net_ads.c
> > > -+++ b/source3/utils/net_ads.c
> > > -@@ -2597,27 +2597,15 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
> > > - return ret;
> > > - }
> > > -
> > > --static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
> > > -+static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const char **argv,
> > > -+ struct PAC_DATA_CTR **pac_data_ctr)
> > > - {
> > > -- struct PAC_LOGON_INFO *info = NULL;
> > > -- struct PAC_DATA *pac_data = NULL;
> > > -- struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > > -- TALLOC_CTX *mem_ctx = NULL;
> > > - NTSTATUS status;
> > > - int ret = -1;
> > > - const char *impersonate_princ_s = NULL;
> > > - const char *local_service = NULL;
> > > - int i;
> > > -
> > > -- if (c->display_usage) {
> > > -- d_printf( "%s\n"
> > > -- "net ads kerberos pac [impersonation_principal]\n"
> > > -- " %s\n",
> > > -- _("Usage:"),
> > > -- _("Dump the Kerberos PAC"));
> > > -- return 0;
> > > -- }
> > > --
> > > - for (i=0; i<argc; i++) {
> > > - if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
> > > - impersonate_princ_s = get_string_param(argv[i]);
> > > -@@ -2633,13 +2621,8 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - }
> > > - }
> > > -
> > > -- mem_ctx = talloc_init("net_ads_kerberos_pac");
> > > -- if (!mem_ctx) {
> > > -- goto out;
> > > -- }
> > > --
> > > - if (local_service == NULL) {
> > > -- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
> > > -+ local_service = talloc_asprintf(c, "%s$@%s",
> > > - lp_netbios_name(), lp_realm());
> > > - if (local_service == NULL) {
> > > - goto out;
> > > -@@ -2648,7 +2631,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > -
> > > - c->opt_password = net_prompt_pass(c, c->opt_user_name);
> > > -
> > > -- status = kerberos_return_pac(mem_ctx,
> > > -+ status = kerberos_return_pac(c,
> > > - c->opt_user_name,
> > > - c->opt_password,
> > > - 0,
> > > -@@ -2660,39 +2643,95 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - 2592000, /* one month */
> > > - impersonate_princ_s,
> > > - local_service,
> > > -- &pac_data_ctr);
> > > -+ pac_data_ctr);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - d_printf(_("failed to query kerberos PAC: %s\n"),
> > > - nt_errstr(status));
> > > - goto out;
> > > - }
> > > -
> > > -- pac_data = pac_data_ctr->pac_data;
> > > -+ ret = 0;
> > > -+ out:
> > > -+ return ret;
> > > -+}
> > > -
> > > -- for (i=0; i < pac_data->num_buffers; i++) {
> > > -+static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char **argv)
> > > -+{
> > > -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > > -+ int i;
> > > -+ int ret = -1;
> > > -+ enum PAC_TYPE type = 0;
> > > -
> > > -- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
> > > -- continue;
> > > -+ if (c->display_usage) {
> > > -+ d_printf( "%s\n"
> > > -+ "net ads kerberos pac dump [impersonate=string] [local_service=string] [pac_buffer_type=int]\n"
> > > -+ " %s\n",
> > > -+ _("Usage:"),
> > > -+ _("Dump the Kerberos PAC"));
> > > -+ return -1;
> > > -+ }
> > > -+
> > > -+ for (i=0; i<argc; i++) {
> > > -+ if (strnequal(argv[i], "pac_buffer_type", strlen("pac_buffer_type"))) {
> > > -+ type = get_int_param(argv[i]);
> > > - }
> > > -+ }
> > > -
> > > -- info = pac_data->buffers[i].info->logon_info.info;
> > > -- if (!info) {
> > > -- goto out;
> > > -+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
> > > -+ if (ret) {
> > > -+ return ret;
> > > -+ }
> > > -+
> > > -+ if (type == 0) {
> > > -+
> > > -+ char *s = NULL;
> > > -+
> > > -+ s = NDR_PRINT_STRUCT_STRING(c, PAC_DATA,
> > > -+ pac_data_ctr->pac_data);
> > > -+ if (s != NULL) {
> > > -+ d_printf(_("The Pac: %s\n"), s);
> > > -+ talloc_free(s);
> > > - }
> > > -
> > > -- break;
> > > -+ return 0;
> > > - }
> > > -
> > > -- if (info) {
> > > -- const char *s;
> > > -- s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
> > > -- d_printf(_("The Pac: %s\n"), s);
> > > -+ for (i=0; i < pac_data_ctr->pac_data->num_buffers; i++) {
> > > -+
> > > -+ char *s = NULL;
> > > -+
> > > -+ if (pac_data_ctr->pac_data->buffers[i].type != type) {
> > > -+ continue;
> > > -+ }
> > > -+
> > > -+ s = NDR_PRINT_UNION_STRING(c, PAC_INFO, type,
> > > -+ pac_data_ctr->pac_data->buffers[i].info);
> > > -+ if (s != NULL) {
> > > -+ d_printf(_("The Pac: %s\n"), s);
> > > -+ talloc_free(s);
> > > -+ }
> > > -+ break;
> > > - }
> > > -
> > > -- ret = 0;
> > > -- out:
> > > -- TALLOC_FREE(mem_ctx);
> > > -- return ret;
> > > -+ return 0;
> > > -+}
> > > -+
> > > -+static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
> > > -+{
> > > -+ struct functable func[] = {
> > > -+ {
> > > -+ "dump",
> > > -+ net_ads_kerberos_pac_dump,
> > > -+ NET_TRANSPORT_ADS,
> > > -+ N_("Dump Kerberos PAC"),
> > > -+ N_("net ads kerberos pac dump\n"
> > > -+ " Dump a Kerberos PAC to stdout")
> > > -+ },
> > > -+
> > > -+ {NULL, NULL, 0, NULL, NULL}
> > > -+ };
> > > -+
> > > -+ return net_run_function(c, argc, argv, "net ads kerberos pac", func);
> > > - }
> > > -
> > > - static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
> > > ---
> > > -1.8.5.3
> > > -
> > > -
> > > -From 91ceace4ee8fd141cac5dbe5282bed141c38bee7 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Tue, 11 Mar 2014 18:16:40 +0100
> > > -Subject: [PATCH 8/8] s3-net: add a new "net ads kerberos pac save" tool.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Use "filename=string" to define a file where to save the unencrypted PAC to.
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/utils/net_ads.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
> > > - 1 file changed, 52 insertions(+)
> > > -
> > > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > > -index f54cf23..8b8e719 100644
> > > ---- a/source3/utils/net_ads.c
> > > -+++ b/source3/utils/net_ads.c
> > > -@@ -2716,6 +2716,50 @@ static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char
> > > - return 0;
> > > - }
> > > -
> > > -+static int net_ads_kerberos_pac_save(struct net_context *c, int argc, const char **argv)
> > > -+{
> > > -+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
> > > -+ char *filename = NULL;
> > > -+ int ret = -1;
> > > -+ int i;
> > > -+
> > > -+ if (c->display_usage) {
> > > -+ d_printf( "%s\n"
> > > -+ "net ads kerberos pac save [impersonate=string] [local_service=string] [filename=string]\n"
> > > -+ " %s\n",
> > > -+ _("Usage:"),
> > > -+ _("Save the Kerberos PAC"));
> > > -+ return -1;
> > > -+ }
> > > -+
> > > -+ for (i=0; i<argc; i++) {
> > > -+ if (strnequal(argv[i], "filename", strlen("filename"))) {
> > > -+ filename = get_string_param(argv[i]);
> > > -+ if (filename == NULL) {
> > > -+ return -1;
> > > -+ }
> > > -+ }
> > > -+ }
> > > -+
> > > -+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
> > > -+ if (ret) {
> > > -+ return ret;
> > > -+ }
> > > -+
> > > -+ if (filename == NULL) {
> > > -+ d_printf(_("please define \"filename=<filename>\" to save the PAC\n"));
> > > -+ return -1;
> > > -+ }
> > > -+
> > > -+ /* save the raw format */
> > > -+ if (!file_save(filename, pac_data_ctr->pac_blob.data, pac_data_ctr->pac_blob.length)) {
> > > -+ d_printf(_("failed to save PAC in %s\n"), filename);
> > > -+ return -1;
> > > -+ }
> > > -+
> > > -+ return 0;
> > > -+}
> > > -+
> > > - static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
> > > - {
> > > - struct functable func[] = {
> > > -@@ -2727,6 +2771,14 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
> > > - N_("net ads kerberos pac dump\n"
> > > - " Dump a Kerberos PAC to stdout")
> > > - },
> > > -+ {
> > > -+ "save",
> > > -+ net_ads_kerberos_pac_save,
> > > -+ NET_TRANSPORT_ADS,
> > > -+ N_("Save Kerberos PAC"),
> > > -+ N_("net ads kerberos pac save\n"
> > > -+ " Save a Kerberos PAC in a file")
> > > -+ },
> > > -
> > > - {NULL, NULL, 0, NULL, NULL}
> > > - };
> > > ---
> > > -1.8.5.3
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
> > > deleted file mode 100644
> > > index a2058f1..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
> > > +++ /dev/null
> > > @@ -1,211 +0,0 @@
> > > -From 942dedb71437cd89932a7f39ca73d65c09aa59be Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 2 Apr 2014 19:37:34 +0200
> > > -Subject: [PATCH] s3-kerberos: make ipv6 support for generated krb5 config
> > > - files more robust.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Older MIT Kerberos libraries will add any secondary ipv6 address as
> > > -ipv4 address, defining the (default) krb5 port 88 circumvents that.
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > ----
> > > - source3/libads/kerberos.c | 29 +++++++++++++++++++++++++++--
> > > - 1 file changed, 27 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> > > -index 649e568..f3c23ea 100644
> > > ---- a/source3/libads/kerberos.c
> > > -+++ b/source3/libads/kerberos.c
> > > -@@ -615,6 +615,31 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
> > > - *num_addrs += 1;
> > > - }
> > > -
> > > -+/* print_canonical_sockaddr prints an ipv6 addr in the form of
> > > -+* [ipv6.addr]. This string, when put in a generated krb5.conf file is not
> > > -+* always properly dealt with by some older krb5 libraries. Adding the hard-coded
> > > -+* portnumber workarounds the issue. - gd */
> > > -+
> > > -+static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx,
> > > -+ const struct sockaddr_storage *pss)
> > > -+{
> > > -+ char *str = NULL;
> > > -+
> > > -+ str = print_canonical_sockaddr(mem_ctx, pss);
> > > -+ if (str == NULL) {
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ if (pss->ss_family != AF_INET6) {
> > > -+ return str;
> > > -+ }
> > > -+
> > > -+#if defined(HAVE_IPV6)
> > > -+ str = talloc_asprintf_append(str, ":88");
> > > -+#endif
> > > -+ return str;
> > > -+}
> > > -+
> > > - static char *get_kdc_ip_string(char *mem_ctx,
> > > - const char *realm,
> > > - const char *sitename,
> > > -@@ -634,7 +659,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
> > > - struct netlogon_samlogon_response **responses = NULL;
> > > - NTSTATUS status;
> > > - char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
> > > -- print_canonical_sockaddr(mem_ctx, pss));
> > > -+ print_canonical_sockaddr_with_port(mem_ctx, pss));
> > > -
> > > - if (kdc_str == NULL) {
> > > - TALLOC_FREE(frame);
> > > -@@ -726,7 +751,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
> > > - /* Append to the string - inefficient but not done often. */
> > > - new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
> > > - kdc_str,
> > > -- print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
> > > -+ print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
> > > - if (new_kdc_str == NULL) {
> > > - goto fail;
> > > - }
> > > ---
> > > -1.9.0
> > > -
> > > -From 60db71015f84dd242be889576d85ccd5c6a1f73b Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 16 Apr 2014 16:07:14 +0200
> > > -Subject: [PATCH] s3-libads: allow ads_try_connect() to re-use a resolved ip
> > > - address.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Pass down a struct sockaddr_storage to ads_try_connect.
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -
> > > -Autobuild-User(master): Günther Deschner <gd@samba.org>
> > > -Autobuild-Date(master): Thu Apr 17 19:56:16 CEST 2014 on sn-devel-104
> > > ----
> > > - source3/libads/ldap.c | 44 ++++++++++++++++++++++++++------------------
> > > - 1 file changed, 26 insertions(+), 18 deletions(-)
> > > -
> > > -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
> > > -index d9bb8e2..8fed8fd 100644
> > > ---- a/source3/libads/ldap.c
> > > -+++ b/source3/libads/ldap.c
> > > -@@ -228,33 +228,27 @@ bool ads_closest_dc(ADS_STRUCT *ads)
> > > - try a connection to a given ldap server, returning True and setting the servers IP
> > > - in the ads struct if successful
> > > - */
> > > --static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
> > > -+static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
> > > -+ struct sockaddr_storage *ss)
> > > - {
> > > - struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
> > > - TALLOC_CTX *frame = talloc_stackframe();
> > > - bool ret = false;
> > > -- struct sockaddr_storage ss;
> > > - char addr[INET6_ADDRSTRLEN];
> > > -
> > > -- if (!server || !*server) {
> > > -+ if (ss == NULL) {
> > > - TALLOC_FREE(frame);
> > > - return False;
> > > - }
> > > -
> > > -- if (!resolve_name(server, &ss, 0x20, true)) {
> > > -- DEBUG(5,("ads_try_connect: unable to resolve name %s\n",
> > > -- server ));
> > > -- TALLOC_FREE(frame);
> > > -- return false;
> > > -- }
> > > -- print_sockaddr(addr, sizeof(addr), &ss);
> > > -+ print_sockaddr(addr, sizeof(addr), ss);
> > > -
> > > - DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
> > > - addr, ads->server.realm));
> > > -
> > > - ZERO_STRUCT( cldap_reply );
> > > -
> > > -- if ( !ads_cldap_netlogon_5(frame, &ss, ads->server.realm, &cldap_reply ) ) {
> > > -+ if ( !ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply ) ) {
> > > - DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));
> > > - ret = false;
> > > - goto out;
> > > -@@ -298,7 +292,7 @@ static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
> > > - ads->server.workgroup = SMB_STRDUP(cldap_reply.domain_name);
> > > -
> > > - ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
> > > -- ads->ldap.ss = ss;
> > > -+ ads->ldap.ss = *ss;
> > > -
> > > - /* Store our site name. */
> > > - sitename_store( cldap_reply.domain_name, cldap_reply.client_site);
> > > -@@ -330,6 +324,7 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
> > > - bool use_own_domain = False;
> > > - char *sitename;
> > > - NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
> > > -+ bool ok = false;
> > > -
> > > - /* if the realm and workgroup are both empty, assume they are ours */
> > > -
> > > -@@ -384,12 +379,14 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
> > > - DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
> > > - (got_realm ? "realm" : "domain"), realm));
> > > -
> > > -- if (get_dc_name(domain, realm, srv_name, &ip_out)) {
> > > -+ ok = get_dc_name(domain, realm, srv_name, &ip_out);
> > > -+ if (ok) {
> > > - /*
> > > - * we call ads_try_connect() to fill in the
> > > - * ads->config details
> > > - */
> > > -- if (ads_try_connect(ads, srv_name, false)) {
> > > -+ ok = ads_try_connect(ads, false, &ip_out);
> > > -+ if (ok) {
> > > - return NT_STATUS_OK;
> > > - }
> > > - }
> > > -@@ -445,7 +442,8 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
> > > - }
> > > - }
> > > -
> > > -- if ( ads_try_connect(ads, server, false) ) {
> > > -+ ok = ads_try_connect(ads, false, &ip_list[i].ss);
> > > -+ if (ok) {
> > > - SAFE_FREE(ip_list);
> > > - SAFE_FREE(sitename);
> > > - return NT_STATUS_OK;
> > > -@@ -630,9 +628,19 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
> > > - TALLOC_FREE(s);
> > > - }
> > > -
> > > -- if (ads->server.ldap_server)
> > > -- {
> > > -- if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
> > > -+ if (ads->server.ldap_server) {
> > > -+ bool ok = false;
> > > -+ struct sockaddr_storage ss;
> > > -+
> > > -+ ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);
> > > -+ if (!ok) {
> > > -+ DEBUG(5,("ads_connect: unable to resolve name %s\n",
> > > -+ ads->server.ldap_server));
> > > -+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
> > > -+ goto out;
> > > -+ }
> > > -+ ok = ads_try_connect(ads, ads->server.gc, &ss);
> > > -+ if (ok) {
> > > - goto got_connection;
> > > - }
> > > -
> > > ---
> > > -1.9.0
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
> > > deleted file mode 100644
> > > index c1dfc06..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
> > > +++ /dev/null
> > > @@ -1,29894 +0,0 @@
> > > -From 538f62edb2cc4c17204620d8a9b3075c7453422b Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Thu, 4 Sep 2014 12:55:53 +0200
> > > -Subject: [PATCH 002/249] selftest: Fix selftest where pid is used
> > > - uninitialized.
> > > -
> > > -On my system this gets evaluated to 0 so in the end we detect samba to
> > > -be running cause $childpid is set to 0.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10793
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
> > > -Autobuild-Date(master): Thu Sep 4 17:09:17 CEST 2014 on sn-devel-104
> > > -
> > > -(cherry picked from commit 6d2f56dbaf84203b351f33179cc3feaf557e0683)
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -
> > > -Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
> > > -Autobuild-Date(v4-1-test): Mon Sep 8 23:19:29 CEST 2014 on sn-devel-104
> > > ----
> > > - selftest/target/Samba.pm | 7 ++++++-
> > > - 1 file changed, 6 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
> > > -index ab3851f..b0817fd 100644
> > > ---- a/selftest/target/Samba.pm
> > > -+++ b/selftest/target/Samba.pm
> > > -@@ -188,7 +188,12 @@ sub get_interface($)
> > > - sub cleanup_child($$)
> > > - {
> > > - my ($pid, $name) = @_;
> > > -- my $childpid = waitpid($pid, WNOHANG);
> > > -+ my $childpid = -1;
> > > -+
> > > -+ if (defined($pid)) {
> > > -+ $childpid = waitpid($pid, WNOHANG);
> > > -+ }
> > > -+
> > > - if ($childpid == 0) {
> > > - } elsif ($childpid < 0) {
> > > - printf STDERR "%s child process %d isn't here any more\n",
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a14c0878c232dcf674008444f80dc0e5d8aada09 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 12:33:25 +0200
> > > -Subject: [PATCH 003/249] auth/credentials: remove pointless talloc_reference()
> > > - from cli_credentials_get_unparsed_name()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 953502925863377b5e566edff4ac68c63e8d151f)
> > > ----
> > > - auth/credentials/credentials.c | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > > -index e636123..e597809 100644
> > > ---- a/auth/credentials/credentials.c
> > > -+++ b/auth/credentials/credentials.c
> > > -@@ -669,7 +669,7 @@ _PUBLIC_ const char *cli_credentials_get_unparsed_name(struct cli_credentials *c
> > > - const char *name;
> > > -
> > > - if (bind_dn) {
> > > -- name = talloc_reference(mem_ctx, bind_dn);
> > > -+ name = talloc_strdup(mem_ctx, bind_dn);
> > > - } else {
> > > - cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain);
> > > - if (domain && domain[0]) {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a9bbf2e55d56b9d2cec944ee32a127fc72e6ce6a Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 12:33:25 +0200
> > > -Subject: [PATCH 004/249] auth/credentials: remove pointless talloc_reference()
> > > - from cli_credentials_get_principal_and_obtained()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit b8f09226458dc13cf901f481ede89d8a6bb94ba7)
> > > ----
> > > - auth/credentials/credentials.c | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > > -index e597809..7a4b081 100644
> > > ---- a/auth/credentials/credentials.c
> > > -+++ b/auth/credentials/credentials.c
> > > -@@ -267,7 +267,7 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
> > > - }
> > > - }
> > > - *obtained = cred->principal_obtained;
> > > -- return talloc_reference(mem_ctx, cred->principal);
> > > -+ return talloc_strdup(mem_ctx, cred->principal);
> > > - }
> > > -
> > > - /**
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 5df785eba8389be9129984c6c5a1e59487685938 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 12:52:17 +0200
> > > -Subject: [PATCH 005/249] auth/credentials: add
> > > - cli_credentials_[set_]callback_data*
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 6ff6778bdc60f1cd4d52cba83bd47d3398fe5a20)
> > > ----
> > > - auth/credentials/credentials.c | 11 +++++++++++
> > > - auth/credentials/credentials.h | 8 ++++++++
> > > - 2 files changed, 19 insertions(+)
> > > -
> > > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > > -index 7a4b081..e6a4710 100644
> > > ---- a/auth/credentials/credentials.c
> > > -+++ b/auth/credentials/credentials.c
> > > -@@ -114,6 +114,17 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
> > > - return cred;
> > > - }
> > > -
> > > -+_PUBLIC_ void cli_credentials_set_callback_data(struct cli_credentials *cred,
> > > -+ void *callback_data)
> > > -+{
> > > -+ cred->priv_data = callback_data;
> > > -+}
> > > -+
> > > -+_PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
> > > -+{
> > > -+ return cred->priv_data;
> > > -+}
> > > -+
> > > - /**
> > > - * Create a new anonymous credential
> > > - * @param mem_ctx TALLOC_CTX parent for credentials structure
> > > -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
> > > -index dbc014f..0f498ad 100644
> > > ---- a/auth/credentials/credentials.h
> > > -+++ b/auth/credentials/credentials.h
> > > -@@ -332,6 +332,14 @@ bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
> > > - bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
> > > - const char *(*workstation_cb) (struct cli_credentials *));
> > > -
> > > -+void cli_credentials_set_callback_data(struct cli_credentials *cred,
> > > -+ void *callback_data);
> > > -+void *_cli_credentials_callback_data(struct cli_credentials *cred);
> > > -+#define cli_credentials_callback_data(_cred, _type) \
> > > -+ talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
> > > -+#define cli_credentials_callback_data_void(_cred) \
> > > -+ _cli_credentials_callback_data(_cred)
> > > -+
> > > - /**
> > > - * Return attached NETLOGON credentials
> > > - */
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 8fd0244ac8fe4998a0931bc9d51b9dfbb182a2e1 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 13:21:14 +0200
> > > -Subject: [PATCH 006/249] auth/credentials: add cli_credentials_shallow_copy()
> > > -
> > > -This is useful for testing.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit b3cd44d50cff99fa77611679d68d2d57434fefa4)
> > > ----
> > > - auth/credentials/credentials.c | 15 +++++++++++++++
> > > - auth/credentials/credentials.h | 3 +++
> > > - 2 files changed, 18 insertions(+)
> > > -
> > > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > > -index e6a4710..c1c6993 100644
> > > ---- a/auth/credentials/credentials.c
> > > -+++ b/auth/credentials/credentials.c
> > > -@@ -125,6 +125,21 @@ _PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
> > > - return cred->priv_data;
> > > - }
> > > -
> > > -+_PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
> > > -+ struct cli_credentials *src)
> > > -+{
> > > -+ struct cli_credentials *dst;
> > > -+
> > > -+ dst = talloc(mem_ctx, struct cli_credentials);
> > > -+ if (dst == NULL) {
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ *dst = *src;
> > > -+
> > > -+ return dst;
> > > -+}
> > > -+
> > > - /**
> > > - * Create a new anonymous credential
> > > - * @param mem_ctx TALLOC_CTX parent for credentials structure
> > > -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
> > > -index 0f498ad..1377bfa 100644
> > > ---- a/auth/credentials/credentials.h
> > > -+++ b/auth/credentials/credentials.h
> > > -@@ -340,6 +340,9 @@ void *_cli_credentials_callback_data(struct cli_credentials *cred);
> > > - #define cli_credentials_callback_data_void(_cred) \
> > > - _cli_credentials_callback_data(_cred)
> > > -
> > > -+struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
> > > -+ struct cli_credentials *src);
> > > -+
> > > - /**
> > > - * Return attached NETLOGON credentials
> > > - */
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 52e4028da5db90ce3ee410997ea3464374fec46b Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 13:20:13 +0200
> > > -Subject: [PATCH 007/249] s3:ntlm_auth: remove pointless credentials->priv_data
> > > - = NULL;
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit cfeeb3ce3de5d1df07299fb83327ae258da0bf8d)
> > > ----
> > > - source3/utils/ntlm_auth.c | 1 -
> > > - 1 file changed, 1 deletion(-)
> > > -
> > > -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> > > -index b3bbaa4..a5e0cd2 100644
> > > ---- a/source3/utils/ntlm_auth.c
> > > -+++ b/source3/utils/ntlm_auth.c
> > > -@@ -228,7 +228,6 @@ static const char *get_password(struct cli_credentials *credentials)
> > > -
> > > - /* Ask for a password */
> > > - x_fprintf(x_stdout, "PW\n");
> > > -- credentials->priv_data = NULL;
> > > -
> > > - manage_squid_request(NUM_HELPER_MODES /* bogus */, NULL, NULL, manage_gensec_get_pw_request, (void **)&password);
> > > - talloc_steal(credentials, password);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From bdfb13b91ce8961caeb98b01a75893895e8d484a Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 13:22:10 +0200
> > > -Subject: [PATCH 008/249] s4:torture/shell: simplify
> > > - cli_credentials_set_password() call
> > > -
> > > -All we want is to avoid a possible callback...
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 36b3c9506c1ac5549a38140e7ffd57644290069f)
> > > ----
> > > - source4/torture/shell.c | 5 +----
> > > - 1 file changed, 1 insertion(+), 4 deletions(-)
> > > -
> > > -diff --git a/source4/torture/shell.c b/source4/torture/shell.c
> > > -index d6cc94c..aa85da3 100644
> > > ---- a/source4/torture/shell.c
> > > -+++ b/source4/torture/shell.c
> > > -@@ -110,10 +110,7 @@ void torture_shell(struct torture_context *tctx)
> > > - * stops the credentials system prompting when we use the "auth"
> > > - * command to display the current auth parameters.
> > > - */
> > > -- if (cmdline_credentials->password_obtained != CRED_SPECIFIED) {
> > > -- cli_credentials_set_password(cmdline_credentials, "",
> > > -- CRED_SPECIFIED);
> > > -- }
> > > -+ cli_credentials_set_password(cmdline_credentials, "", CRED_GUESS_ENV);
> > > -
> > > - while (1) {
> > > - cline = smb_readline("torture> ", NULL, NULL);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 91c0d6a26823f3057357c6b31bf1f686e5ed0f5e Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 13:23:08 +0200
> > > -Subject: [PATCH 009/249] s4:torture/gentest: make use of
> > > - cli_credentials_get_username()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit d36fcaa5f3c4d1ad54d767f4a7c5fa6c8d69c00e)
> > > ----
> > > - source4/torture/gentest.c | 3 ++-
> > > - 1 file changed, 2 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/source4/torture/gentest.c b/source4/torture/gentest.c
> > > -index 91b60e2..586a25b 100644
> > > ---- a/source4/torture/gentest.c
> > > -+++ b/source4/torture/gentest.c
> > > -@@ -221,7 +221,8 @@ static bool connect_servers(struct tevent_context *ev,
> > > -
> > > - printf("Connecting to \\\\%s\\%s as %s - instance %d\n",
> > > - servers[i].server_name, servers[i].share_name,
> > > -- servers[i].credentials->username, j);
> > > -+ cli_credentials_get_username(servers[i].credentials),
> > > -+ j);
> > > -
> > > - cli_credentials_set_workstation(servers[i].credentials,
> > > - "gentest", CRED_SPECIFIED);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 9687534ac54b732f73c3f4758055a278eaa0cbb2 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 13:23:41 +0200
> > > -Subject: [PATCH 010/249] s4:torture/rpc: make use of
> > > - cli_credentials_set_netlogon_creds()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit d47bf469b8a9064f4f7033918b1fe519adfa0c26)
> > > ----
> > > - source4/torture/rpc/schannel.c | 36 ++++++++++++++++--------------------
> > > - 1 file changed, 16 insertions(+), 20 deletions(-)
> > > -
> > > -diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
> > > -index e0862d2..8203749 100644
> > > ---- a/source4/torture/rpc/schannel.c
> > > -+++ b/source4/torture/rpc/schannel.c
> > > -@@ -604,9 +604,9 @@ bool torture_rpc_schannel2(struct torture_context *torture)
> > > - torture_assert(torture, join_ctx != NULL,
> > > - "Failed to join domain with acct_flags=ACB_WSTRUST");
> > > -
> > > -- credentials2 = (struct cli_credentials *)talloc_memdup(torture, credentials1, sizeof(*credentials1));
> > > -- credentials1->netlogon_creds = NULL;
> > > -- credentials2->netlogon_creds = NULL;
> > > -+ credentials2 = cli_credentials_shallow_copy(torture, credentials1);
> > > -+ cli_credentials_set_netlogon_creds(credentials1, NULL);
> > > -+ cli_credentials_set_netlogon_creds(credentials2, NULL);
> > > -
> > > - status = dcerpc_parse_binding(torture, binding, &b);
> > > - torture_assert_ntstatus_ok(torture, status, "Bad binding string");
> > > -@@ -624,8 +624,8 @@ bool torture_rpc_schannel2(struct torture_context *torture)
> > > - credentials2, torture->ev, torture->lp_ctx);
> > > - torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
> > > -
> > > -- credentials1->netlogon_creds = NULL;
> > > -- credentials2->netlogon_creds = NULL;
> > > -+ cli_credentials_set_netlogon_creds(credentials1, NULL);
> > > -+ cli_credentials_set_netlogon_creds(credentials2, NULL);
> > > -
> > > - torture_comment(torture, "Testing logon on pipe1\n");
> > > - if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
> > > -@@ -827,16 +827,12 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
> > > - s->nprocs = torture_setting_int(torture, "nprocs", 4);
> > > - s->conns = talloc_zero_array(s, struct torture_schannel_bench_conn, s->nprocs);
> > > -
> > > -- s->user1_creds = (struct cli_credentials *)talloc_memdup(s,
> > > -- cmdline_credentials,
> > > -- sizeof(*s->user1_creds));
> > > -+ s->user1_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
> > > - tmp = torture_setting_string(s->tctx, "extra_user1", NULL);
> > > - if (tmp) {
> > > - cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
> > > - }
> > > -- s->user2_creds = (struct cli_credentials *)talloc_memdup(s,
> > > -- cmdline_credentials,
> > > -- sizeof(*s->user1_creds));
> > > -+ s->user2_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
> > > - tmp = torture_setting_string(s->tctx, "extra_user2", NULL);
> > > - if (tmp) {
> > > - cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
> > > -@@ -855,15 +851,16 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
> > > - cli_credentials_set_kerberos_state(s->wks_creds2, CRED_DONT_USE_KERBEROS);
> > > -
> > > - for (i=0; i < s->nprocs; i++) {
> > > -- s->conns[i].s = s;
> > > -- s->conns[i].index = i;
> > > -- s->conns[i].wks_creds = (struct cli_credentials *)talloc_memdup(
> > > -- s->conns, s->wks_creds1,sizeof(*s->wks_creds1));
> > > -+ struct cli_credentials *wks = s->wks_creds1;
> > > -+
> > > - if ((i % 2) && (torture_setting_bool(torture, "multijoin", false))) {
> > > -- memcpy(s->conns[i].wks_creds, s->wks_creds2,
> > > -- talloc_get_size(s->conns[i].wks_creds));
> > > -+ wks = s->wks_creds2;
> > > - }
> > > -- s->conns[i].wks_creds->netlogon_creds = NULL;
> > > -+
> > > -+ s->conns[i].s = s;
> > > -+ s->conns[i].index = i;
> > > -+ s->conns[i].wks_creds = cli_credentials_shallow_copy(s->conns, wks);
> > > -+ cli_credentials_set_netlogon_creds(s->conns[i].wks_creds, NULL);
> > > - }
> > > -
> > > - status = dcerpc_parse_binding(s, binding, &s->b);
> > > -@@ -962,8 +959,7 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
> > > -
> > > - /* Just as a test, connect with the new creds */
> > > -
> > > -- talloc_free(s->wks_creds1->netlogon_creds);
> > > -- s->wks_creds1->netlogon_creds = NULL;
> > > -+ cli_credentials_set_netlogon_creds(s->wks_creds1, NULL);
> > > -
> > > - status = dcerpc_pipe_connect_b(s, &net_pipe, s->b,
> > > - &ndr_table_netlogon,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From de6c67e98d94d003f36fef5472b8133c578b3c01 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 13:24:21 +0200
> > > -Subject: [PATCH 011/249] s4:ntlm_auth: make use of
> > > - cli_credentials_[set_]callback_data*
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit bbd63dd8a17468d3e332969a30c06e2b2f1540fc)
> > > ----
> > > - source4/utils/ntlm_auth.c | 10 ++++++----
> > > - 1 file changed, 6 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
> > > -index c363c9d..136e238 100644
> > > ---- a/source4/utils/ntlm_auth.c
> > > -+++ b/source4/utils/ntlm_auth.c
> > > -@@ -299,10 +299,11 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod
> > > - static const char *get_password(struct cli_credentials *credentials)
> > > - {
> > > - char *password = NULL;
> > > --
> > > -+ void *cb = cli_credentials_callback_data_void(credentials);
> > > -+
> > > - /* Ask for a password */
> > > -- mux_printf((unsigned int)(uintptr_t)credentials->priv_data, "PW\n");
> > > -- credentials->priv_data = NULL;
> > > -+ mux_printf((unsigned int)(uintptr_t)cb, "PW\n");
> > > -+ cli_credentials_set_callback_data(credentials, NULL);
> > > -
> > > - manage_squid_request(cmdline_lp_ctx, NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password);
> > > - return password;
> > > -@@ -505,8 +506,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
> > > - if (state->set_password) {
> > > - cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
> > > - } else {
> > > -+ void *cb = (void*)(uintptr_t)mux_id;
> > > -+ cli_credentials_set_callback_data(creds, cb);
> > > - cli_credentials_set_password_callback(creds, get_password);
> > > -- creds->priv_data = (void*)(uintptr_t)mux_id;
> > > - }
> > > - if (opt_workstation) {
> > > - cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 80c611a2b424e4e4a7e6de7ed6b9368bff0d9afb Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 12:41:40 +0200
> > > -Subject: [PATCH 012/249] auth/credentials: keep cli_credentials private
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 9325bd9cb6bb942ea989f4e32799c76ea8af3d3e)
> > > ----
> > > - auth/credentials/credentials.c | 1 +
> > > - auth/credentials/credentials.h | 101 +++-------------------------
> > > - auth/credentials/credentials_internal.h | 114 ++++++++++++++++++++++++++++++++
> > > - auth/credentials/credentials_krb5.c | 1 +
> > > - auth/credentials/credentials_ntlm.c | 1 +
> > > - auth/credentials/credentials_secrets.c | 1 +
> > > - 6 files changed, 126 insertions(+), 93 deletions(-)
> > > - create mode 100644 auth/credentials/credentials_internal.h
> > > -
> > > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > > -index c1c6993..f334465 100644
> > > ---- a/auth/credentials/credentials.c
> > > -+++ b/auth/credentials/credentials.c
> > > -@@ -24,6 +24,7 @@
> > > - #include "includes.h"
> > > - #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
> > > - #include "auth/credentials/credentials.h"
> > > -+#include "auth/credentials/credentials_internal.h"
> > > - #include "libcli/auth/libcli_auth.h"
> > > - #include "tevent.h"
> > > - #include "param/param.h"
> > > -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
> > > -index 1377bfa..cb09dc3 100644
> > > ---- a/auth/credentials/credentials.h
> > > -+++ b/auth/credentials/credentials.h
> > > -@@ -25,9 +25,17 @@
> > > - #include "../lib/util/data_blob.h"
> > > - #include "librpc/gen_ndr/misc.h"
> > > -
> > > -+struct cli_credentials;
> > > - struct ccache_container;
> > > - struct tevent_context;
> > > - struct netlogon_creds_CredentialState;
> > > -+struct ldb_context;
> > > -+struct ldb_message;
> > > -+struct loadparm_context;
> > > -+struct ccache_container;
> > > -+struct gssapi_creds_container;
> > > -+struct smb_krb5_context;
> > > -+struct keytab_container;
> > > -
> > > - /* In order of priority */
> > > - enum credentials_obtained {
> > > -@@ -57,99 +65,6 @@ enum credentials_krb_forwardable {
> > > - #define CLI_CRED_NTLM_AUTH 0x08
> > > - #define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
> > > -
> > > --struct cli_credentials {
> > > -- enum credentials_obtained workstation_obtained;
> > > -- enum credentials_obtained username_obtained;
> > > -- enum credentials_obtained password_obtained;
> > > -- enum credentials_obtained domain_obtained;
> > > -- enum credentials_obtained realm_obtained;
> > > -- enum credentials_obtained ccache_obtained;
> > > -- enum credentials_obtained client_gss_creds_obtained;
> > > -- enum credentials_obtained principal_obtained;
> > > -- enum credentials_obtained keytab_obtained;
> > > -- enum credentials_obtained server_gss_creds_obtained;
> > > --
> > > -- /* Threshold values (essentially a MAX() over a number of the
> > > -- * above) for the ccache and GSS credentials, to ensure we
> > > -- * regenerate/pick correctly */
> > > --
> > > -- enum credentials_obtained ccache_threshold;
> > > -- enum credentials_obtained client_gss_creds_threshold;
> > > --
> > > -- const char *workstation;
> > > -- const char *username;
> > > -- const char *password;
> > > -- const char *old_password;
> > > -- const char *domain;
> > > -- const char *realm;
> > > -- const char *principal;
> > > -- char *salt_principal;
> > > -- char *impersonate_principal;
> > > -- char *self_service;
> > > -- char *target_service;
> > > --
> > > -- const char *bind_dn;
> > > --
> > > -- /* Allows authentication from a keytab or similar */
> > > -- struct samr_Password *nt_hash;
> > > --
> > > -- /* Allows NTLM pass-though authentication */
> > > -- DATA_BLOB lm_response;
> > > -- DATA_BLOB nt_response;
> > > --
> > > -- struct ccache_container *ccache;
> > > -- struct gssapi_creds_container *client_gss_creds;
> > > -- struct keytab_container *keytab;
> > > -- struct gssapi_creds_container *server_gss_creds;
> > > --
> > > -- const char *(*workstation_cb) (struct cli_credentials *);
> > > -- const char *(*password_cb) (struct cli_credentials *);
> > > -- const char *(*username_cb) (struct cli_credentials *);
> > > -- const char *(*domain_cb) (struct cli_credentials *);
> > > -- const char *(*realm_cb) (struct cli_credentials *);
> > > -- const char *(*principal_cb) (struct cli_credentials *);
> > > --
> > > -- /* Private handle for the callback routines to use */
> > > -- void *priv_data;
> > > --
> > > -- struct netlogon_creds_CredentialState *netlogon_creds;
> > > -- enum netr_SchannelType secure_channel_type;
> > > -- int kvno;
> > > -- time_t password_last_changed_time;
> > > --
> > > -- struct smb_krb5_context *smb_krb5_context;
> > > --
> > > -- /* We are flagged to get machine account details from the
> > > -- * secrets.ldb when we are asked for a username or password */
> > > -- bool machine_account_pending;
> > > -- struct loadparm_context *machine_account_pending_lp_ctx;
> > > --
> > > -- /* Is this a machine account? */
> > > -- bool machine_account;
> > > --
> > > -- /* Should we be trying to use kerberos? */
> > > -- enum credentials_use_kerberos use_kerberos;
> > > --
> > > -- /* Should we get a forwardable ticket? */
> > > -- enum credentials_krb_forwardable krb_forwardable;
> > > --
> > > -- /* gensec features which should be used for connections */
> > > -- uint32_t gensec_features;
> > > --
> > > -- /* Number of retries left before bailing out */
> > > -- int tries;
> > > --
> > > -- /* Whether any callback is currently running */
> > > -- bool callback_running;
> > > --};
> > > --
> > > --struct ldb_context;
> > > --struct ldb_message;
> > > --struct loadparm_context;
> > > --struct ccache_container;
> > > --
> > > --struct gssapi_creds_container;
> > > --
> > > - const char *cli_credentials_get_workstation(struct cli_credentials *cred);
> > > - bool cli_credentials_set_workstation(struct cli_credentials *cred,
> > > - const char *val,
> > > -diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
> > > -new file mode 100644
> > > -index 0000000..5a3655b
> > > ---- /dev/null
> > > -+++ b/auth/credentials/credentials_internal.h
> > > -@@ -0,0 +1,114 @@
> > > -+/*
> > > -+ samba -- Unix SMB/CIFS implementation.
> > > -+
> > > -+ Client credentials structure
> > > -+
> > > -+ Copyright (C) Jelmer Vernooij 2004-2006
> > > -+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
> > > -+
> > > -+ This program is free software; you can redistribute it and/or modify
> > > -+ it under the terms of the GNU General Public License as published by
> > > -+ the Free Software Foundation; either version 3 of the License, or
> > > -+ (at your option) any later version.
> > > -+
> > > -+ This program is distributed in the hope that it will be useful,
> > > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > > -+ GNU General Public License for more details.
> > > -+
> > > -+ You should have received a copy of the GNU General Public License
> > > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > > -+*/
> > > -+#ifndef __CREDENTIALS_INTERNAL_H__
> > > -+#define __CREDENTIALS_INTERNAL_H__
> > > -+
> > > -+#include "../lib/util/data_blob.h"
> > > -+#include "librpc/gen_ndr/misc.h"
> > > -+
> > > -+struct cli_credentials {
> > > -+ enum credentials_obtained workstation_obtained;
> > > -+ enum credentials_obtained username_obtained;
> > > -+ enum credentials_obtained password_obtained;
> > > -+ enum credentials_obtained domain_obtained;
> > > -+ enum credentials_obtained realm_obtained;
> > > -+ enum credentials_obtained ccache_obtained;
> > > -+ enum credentials_obtained client_gss_creds_obtained;
> > > -+ enum credentials_obtained principal_obtained;
> > > -+ enum credentials_obtained keytab_obtained;
> > > -+ enum credentials_obtained server_gss_creds_obtained;
> > > -+
> > > -+ /* Threshold values (essentially a MAX() over a number of the
> > > -+ * above) for the ccache and GSS credentials, to ensure we
> > > -+ * regenerate/pick correctly */
> > > -+
> > > -+ enum credentials_obtained ccache_threshold;
> > > -+ enum credentials_obtained client_gss_creds_threshold;
> > > -+
> > > -+ const char *workstation;
> > > -+ const char *username;
> > > -+ const char *password;
> > > -+ const char *old_password;
> > > -+ const char *domain;
> > > -+ const char *realm;
> > > -+ const char *principal;
> > > -+ char *salt_principal;
> > > -+ char *impersonate_principal;
> > > -+ char *self_service;
> > > -+ char *target_service;
> > > -+
> > > -+ const char *bind_dn;
> > > -+
> > > -+ /* Allows authentication from a keytab or similar */
> > > -+ struct samr_Password *nt_hash;
> > > -+
> > > -+ /* Allows NTLM pass-though authentication */
> > > -+ DATA_BLOB lm_response;
> > > -+ DATA_BLOB nt_response;
> > > -+
> > > -+ struct ccache_container *ccache;
> > > -+ struct gssapi_creds_container *client_gss_creds;
> > > -+ struct keytab_container *keytab;
> > > -+ struct gssapi_creds_container *server_gss_creds;
> > > -+
> > > -+ const char *(*workstation_cb) (struct cli_credentials *);
> > > -+ const char *(*password_cb) (struct cli_credentials *);
> > > -+ const char *(*username_cb) (struct cli_credentials *);
> > > -+ const char *(*domain_cb) (struct cli_credentials *);
> > > -+ const char *(*realm_cb) (struct cli_credentials *);
> > > -+ const char *(*principal_cb) (struct cli_credentials *);
> > > -+
> > > -+ /* Private handle for the callback routines to use */
> > > -+ void *priv_data;
> > > -+
> > > -+ struct netlogon_creds_CredentialState *netlogon_creds;
> > > -+ enum netr_SchannelType secure_channel_type;
> > > -+ int kvno;
> > > -+ time_t password_last_changed_time;
> > > -+
> > > -+ struct smb_krb5_context *smb_krb5_context;
> > > -+
> > > -+ /* We are flagged to get machine account details from the
> > > -+ * secrets.ldb when we are asked for a username or password */
> > > -+ bool machine_account_pending;
> > > -+ struct loadparm_context *machine_account_pending_lp_ctx;
> > > -+
> > > -+ /* Is this a machine account? */
> > > -+ bool machine_account;
> > > -+
> > > -+ /* Should we be trying to use kerberos? */
> > > -+ enum credentials_use_kerberos use_kerberos;
> > > -+
> > > -+ /* Should we get a forwardable ticket? */
> > > -+ enum credentials_krb_forwardable krb_forwardable;
> > > -+
> > > -+ /* gensec features which should be used for connections */
> > > -+ uint32_t gensec_features;
> > > -+
> > > -+ /* Number of retries left before bailing out */
> > > -+ int tries;
> > > -+
> > > -+ /* Whether any callback is currently running */
> > > -+ bool callback_running;
> > > -+};
> > > -+
> > > -+#endif /* __CREDENTIALS_INTERNAL_H__ */
> > > -diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
> > > -index ec6a695..489a959 100644
> > > ---- a/auth/credentials/credentials_krb5.c
> > > -+++ b/auth/credentials/credentials_krb5.c
> > > -@@ -26,6 +26,7 @@
> > > - #include "system/gssapi.h"
> > > - #include "auth/kerberos/kerberos.h"
> > > - #include "auth/credentials/credentials.h"
> > > -+#include "auth/credentials/credentials_internal.h"
> > > - #include "auth/credentials/credentials_proto.h"
> > > - #include "auth/credentials/credentials_krb5.h"
> > > - #include "auth/kerberos/kerberos_credentials.h"
> > > -diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
> > > -index 8f143bf..8c6be39 100644
> > > ---- a/auth/credentials/credentials_ntlm.c
> > > -+++ b/auth/credentials/credentials_ntlm.c
> > > -@@ -26,6 +26,7 @@
> > > - #include "../lib/crypto/crypto.h"
> > > - #include "libcli/auth/libcli_auth.h"
> > > - #include "auth/credentials/credentials.h"
> > > -+#include "auth/credentials/credentials_internal.h"
> > > -
> > > - _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
> > > - int *flags,
> > > -diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
> > > -index 27ee607..678d167 100644
> > > ---- a/auth/credentials/credentials_secrets.c
> > > -+++ b/auth/credentials/credentials_secrets.c
> > > -@@ -28,6 +28,7 @@
> > > - #include "param/secrets.h"
> > > - #include "system/filesys.h"
> > > - #include "auth/credentials/credentials.h"
> > > -+#include "auth/credentials/credentials_internal.h"
> > > - #include "auth/credentials/credentials_proto.h"
> > > - #include "auth/credentials/credentials_krb5.h"
> > > - #include "auth/kerberos/kerberos_util.h"
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 96ea01159cfee1e384dbd5966c7eb512d495e322 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 13:39:17 +0200
> > > -Subject: [PATCH 013/249] auth/credentials: get the old password from
> > > - secrets.tdb
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 26a7420c1c4307023b22676cd85d95010ecbf603)
> > > ----
> > > - auth/credentials/credentials_secrets.c | 11 +++++++++++
> > > - 1 file changed, 11 insertions(+)
> > > -
> > > -diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
> > > -index 678d167..6c1cded 100644
> > > ---- a/auth/credentials/credentials_secrets.c
> > > -+++ b/auth/credentials/credentials_secrets.c
> > > -@@ -238,6 +238,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
> > > - bool secrets_tdb_password_more_recent;
> > > - time_t secrets_tdb_lct = 0;
> > > - char *secrets_tdb_password = NULL;
> > > -+ char *secrets_tdb_old_password = NULL;
> > > - char *keystr;
> > > - char *keystr_upper = NULL;
> > > - char *secrets_tdb;
> > > -@@ -285,6 +286,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
> > > - if (NT_STATUS_IS_OK(status)) {
> > > - secrets_tdb_password = (char *)dbuf.dptr;
> > > - }
> > > -+ keystr = talloc_asprintf(tmp_ctx, "%s/%s",
> > > -+ SECRETS_MACHINE_PASSWORD_PREV,
> > > -+ domain);
> > > -+ keystr_upper = strupper_talloc(tmp_ctx, keystr);
> > > -+ status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
> > > -+ &dbuf);
> > > -+ if (NT_STATUS_IS_OK(status)) {
> > > -+ secrets_tdb_old_password = (char *)dbuf.dptr;
> > > -+ }
> > > - }
> > > -
> > > - filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
> > > -@@ -308,6 +318,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
> > > - if (secrets_tdb_password_more_recent) {
> > > - char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
> > > - cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
> > > -+ cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
> > > - cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
> > > - cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
> > > - } else if (!NT_STATUS_IS_OK(status)) {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 74f5c14921f53b95b64dbcbf0352a89d50b20af1 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 14:25:54 +0200
> > > -Subject: [PATCH 014/249] auth/credentials: simplify password_tries state
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 8ea36a8e58d499aa7bf342b365ca00cb39f295b6)
> > > ----
> > > - auth/credentials/credentials.c | 19 ++++++++++++++-----
> > > - auth/credentials/credentials_internal.h | 2 +-
> > > - 2 files changed, 15 insertions(+), 6 deletions(-)
> > > -
> > > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > > -index f334465..4ac5356 100644
> > > ---- a/auth/credentials/credentials.c
> > > -+++ b/auth/credentials/credentials.c
> > > -@@ -104,7 +104,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
> > > -
> > > - cred->machine_account = false;
> > > -
> > > -- cred->tries = 3;
> > > -+ cred->password_tries = 0;
> > > -
> > > - cred->callback_running = false;
> > > -
> > > -@@ -397,6 +397,7 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
> > > - enum credentials_obtained obtained)
> > > - {
> > > - if (obtained >= cred->password_obtained) {
> > > -+ cred->password_tries = 0;
> > > - cred->password = talloc_strdup(cred, val);
> > > - if (cred->password) {
> > > - /* Don't print the actual password in talloc memory dumps */
> > > -@@ -418,6 +419,7 @@ _PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred
> > > - const char *(*password_cb) (struct cli_credentials *))
> > > - {
> > > - if (cred->password_obtained < CRED_CALLBACK) {
> > > -+ cred->password_tries = 3;
> > > - cred->password_cb = password_cb;
> > > - cred->password_obtained = CRED_CALLBACK;
> > > - cli_credentials_invalidate_ccache(cred, cred->password_obtained);
> > > -@@ -897,12 +899,19 @@ _PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred)
> > > - if (cred->password_obtained != CRED_CALLBACK_RESULT) {
> > > - return false;
> > > - }
> > > --
> > > -- cred->password_obtained = CRED_CALLBACK;
> > > -
> > > -- cred->tries--;
> > > -+ if (cred->password_tries == 0) {
> > > -+ return false;
> > > -+ }
> > > -+
> > > -+ cred->password_tries--;
> > > -
> > > -- return (cred->tries > 0);
> > > -+ if (cred->password_tries == 0) {
> > > -+ return false;
> > > -+ }
> > > -+
> > > -+ cred->password_obtained = CRED_CALLBACK;
> > > -+ return true;
> > > - }
> > > -
> > > - _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
> > > -diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
> > > -index 5a3655b..f2f79b9 100644
> > > ---- a/auth/credentials/credentials_internal.h
> > > -+++ b/auth/credentials/credentials_internal.h
> > > -@@ -105,7 +105,7 @@ struct cli_credentials {
> > > - uint32_t gensec_features;
> > > -
> > > - /* Number of retries left before bailing out */
> > > -- int tries;
> > > -+ uint32_t password_tries;
> > > -
> > > - /* Whether any callback is currently running */
> > > - bool callback_running;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 8d2c51caeecebc0b7d16fb7cf7b7fe2f2b5d8edd Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 31 Jul 2013 14:32:36 +0200
> > > -Subject: [PATCH 015/249] auth/credentials: use CRED_CALLBACK_RESULT after a
> > > - callback
> > > -
> > > -We only do this if it's still CRED_CALLBACK after the callback,
> > > -this allowes the callback to overwrite it.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -
> > > -Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
> > > -Autobuild-Date(master): Mon Aug 5 09:36:05 CEST 2013 on sn-devel-104
> > > -(cherry picked from commit b699d404bb5d4385a757b5aa5d0e792cf9d5de59)
> > > ----
> > > - auth/credentials/credentials.c | 34 +++++++++++++++++++++++-----------
> > > - 1 file changed, 23 insertions(+), 11 deletions(-)
> > > -
> > > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > > -index 4ac5356..be497bc 100644
> > > ---- a/auth/credentials/credentials.c
> > > -+++ b/auth/credentials/credentials.c
> > > -@@ -206,8 +206,10 @@ _PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
> > > - cred->callback_running = true;
> > > - cred->username = cred->username_cb(cred);
> > > - cred->callback_running = false;
> > > -- cred->username_obtained = CRED_SPECIFIED;
> > > -- cli_credentials_invalidate_ccache(cred, cred->username_obtained);
> > > -+ if (cred->username_obtained == CRED_CALLBACK) {
> > > -+ cred->username_obtained = CRED_CALLBACK_RESULT;
> > > -+ cli_credentials_invalidate_ccache(cred, cred->username_obtained);
> > > -+ }
> > > - }
> > > -
> > > - return cred->username;
> > > -@@ -275,8 +277,10 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
> > > - cred->callback_running = true;
> > > - cred->principal = cred->principal_cb(cred);
> > > - cred->callback_running = false;
> > > -- cred->principal_obtained = CRED_SPECIFIED;
> > > -- cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
> > > -+ if (cred->principal_obtained == CRED_CALLBACK) {
> > > -+ cred->principal_obtained = CRED_CALLBACK_RESULT;
> > > -+ cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
> > > -+ }
> > > - }
> > > -
> > > - if (cred->principal_obtained < cred->username_obtained
> > > -@@ -382,8 +386,10 @@ _PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
> > > - cred->callback_running = true;
> > > - cred->password = cred->password_cb(cred);
> > > - cred->callback_running = false;
> > > -- cred->password_obtained = CRED_CALLBACK_RESULT;
> > > -- cli_credentials_invalidate_ccache(cred, cred->password_obtained);
> > > -+ if (cred->password_obtained == CRED_CALLBACK) {
> > > -+ cred->password_obtained = CRED_CALLBACK_RESULT;
> > > -+ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
> > > -+ }
> > > - }
> > > -
> > > - return cred->password;
> > > -@@ -502,8 +508,10 @@ _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
> > > - cred->callback_running = true;
> > > - cred->domain = cred->domain_cb(cred);
> > > - cred->callback_running = false;
> > > -- cred->domain_obtained = CRED_SPECIFIED;
> > > -- cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
> > > -+ if (cred->domain_obtained == CRED_CALLBACK) {
> > > -+ cred->domain_obtained = CRED_CALLBACK_RESULT;
> > > -+ cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
> > > -+ }
> > > - }
> > > -
> > > - return cred->domain;
> > > -@@ -561,8 +569,10 @@ _PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred)
> > > - cred->callback_running = true;
> > > - cred->realm = cred->realm_cb(cred);
> > > - cred->callback_running = false;
> > > -- cred->realm_obtained = CRED_SPECIFIED;
> > > -- cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
> > > -+ if (cred->realm_obtained == CRED_CALLBACK) {
> > > -+ cred->realm_obtained = CRED_CALLBACK_RESULT;
> > > -+ cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
> > > -+ }
> > > - }
> > > -
> > > - return cred->realm;
> > > -@@ -612,7 +622,9 @@ _PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cre
> > > - cred->callback_running = true;
> > > - cred->workstation = cred->workstation_cb(cred);
> > > - cred->callback_running = false;
> > > -- cred->workstation_obtained = CRED_SPECIFIED;
> > > -+ if (cred->workstation_obtained == CRED_CALLBACK) {
> > > -+ cred->workstation_obtained = CRED_CALLBACK_RESULT;
> > > -+ }
> > > - }
> > > -
> > > - return cred->workstation;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a498324b38326a874616b0bab1e5a9cd29b664ce Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 17 May 2013 16:02:59 +0200
> > > -Subject: [PATCH 016/249] s3-net: pass down ndr_interface_table to
> > > - connect_dst_pipe().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 93e92faca9c99cd91878c2f48fb244233b16aa0f)
> > > ----
> > > - source3/utils/net_proto.h | 2 +-
> > > - source3/utils/net_rpc.c | 4 ++--
> > > - source3/utils/net_rpc_printer.c | 10 +++++-----
> > > - source3/utils/net_util.c | 4 ++--
> > > - 4 files changed, 10 insertions(+), 10 deletions(-)
> > > -
> > > -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
> > > -index 3f99e14..03fb312 100644
> > > ---- a/source3/utils/net_proto.h
> > > -+++ b/source3/utils/net_proto.h
> > > -@@ -416,7 +416,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
> > > - const char *server_name);
> > > - NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
> > > - struct rpc_pipe_client **pp_pipe_hnd,
> > > -- const struct ndr_syntax_id *interface);
> > > -+ const struct ndr_interface_table *table);
> > > - int net_use_krb_machine_account(struct net_context *c);
> > > - int net_use_machine_account(struct net_context *c);
> > > - bool net_find_server(struct net_context *c,
> > > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > > -index c5c4d6c..4503f59 100644
> > > ---- a/source3/utils/net_rpc.c
> > > -+++ b/source3/utils/net_rpc.c
> > > -@@ -3654,7 +3654,7 @@ static NTSTATUS rpc_share_migrate_shares_internals(struct net_context *c,
> > > -
> > > - /* connect destination PI_SRVSVC */
> > > - nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
> > > -- &ndr_table_srvsvc.syntax_id);
> > > -+ &ndr_table_srvsvc);
> > > - if (!NT_STATUS_IS_OK(nt_status))
> > > - return nt_status;
> > > -
> > > -@@ -4140,7 +4140,7 @@ static NTSTATUS rpc_share_migrate_security_internals(struct net_context *c,
> > > -
> > > - /* connect destination PI_SRVSVC */
> > > - nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
> > > -- &ndr_table_srvsvc.syntax_id);
> > > -+ &ndr_table_srvsvc);
> > > - if (!NT_STATUS_IS_OK(nt_status))
> > > - return nt_status;
> > > -
> > > -diff --git a/source3/utils/net_rpc_printer.c b/source3/utils/net_rpc_printer.c
> > > -index ba34de1..1e42e6f 100644
> > > ---- a/source3/utils/net_rpc_printer.c
> > > -+++ b/source3/utils/net_rpc_printer.c
> > > -@@ -1578,7 +1578,7 @@ NTSTATUS rpc_printer_migrate_security_internals(struct net_context *c,
> > > -
> > > - /* connect destination PI_SPOOLSS */
> > > - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> > > -- &ndr_table_spoolss.syntax_id);
> > > -+ &ndr_table_spoolss);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - return nt_status;
> > > - }
> > > -@@ -1730,7 +1730,7 @@ NTSTATUS rpc_printer_migrate_forms_internals(struct net_context *c,
> > > -
> > > - /* connect destination PI_SPOOLSS */
> > > - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> > > -- &ndr_table_spoolss.syntax_id);
> > > -+ &ndr_table_spoolss);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - return nt_status;
> > > - }
> > > -@@ -1907,7 +1907,7 @@ NTSTATUS rpc_printer_migrate_drivers_internals(struct net_context *c,
> > > - DEBUG(3,("copying printer-drivers\n"));
> > > -
> > > - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> > > -- &ndr_table_spoolss.syntax_id);
> > > -+ &ndr_table_spoolss);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - return nt_status;
> > > - }
> > > -@@ -2126,7 +2126,7 @@ NTSTATUS rpc_printer_migrate_printers_internals(struct net_context *c,
> > > -
> > > - /* connect destination PI_SPOOLSS */
> > > - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> > > -- &ndr_table_spoolss.syntax_id);
> > > -+ &ndr_table_spoolss);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - return nt_status;
> > > - }
> > > -@@ -2301,7 +2301,7 @@ NTSTATUS rpc_printer_migrate_settings_internals(struct net_context *c,
> > > -
> > > - /* connect destination PI_SPOOLSS */
> > > - nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
> > > -- &ndr_table_spoolss.syntax_id);
> > > -+ &ndr_table_spoolss);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - return nt_status;
> > > - }
> > > -diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
> > > -index 9c4a77e..a4282ec 100644
> > > ---- a/source3/utils/net_util.c
> > > -+++ b/source3/utils/net_util.c
> > > -@@ -231,7 +231,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
> > > - **/
> > > - NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
> > > - struct rpc_pipe_client **pp_pipe_hnd,
> > > -- const struct ndr_syntax_id *interface)
> > > -+ const struct ndr_interface_table *table)
> > > - {
> > > - NTSTATUS nt_status;
> > > - char *server_name = SMB_STRDUP("127.0.0.1");
> > > -@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
> > > - return nt_status;
> > > - }
> > > -
> > > -- nt_status = cli_rpc_pipe_open_noauth(cli_tmp, interface,
> > > -+ nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - DEBUG(0, ("couldn't not initialize pipe\n"));
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From d5273069a42d7234daaf3dd043d0a6e455348385 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 17 May 2013 16:24:42 +0200
> > > -Subject: [PATCH 017/249] s3-rpc_cli: remove prototype of nonexisting
> > > - cli_rpc_pipe_open_krb5().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit a1368ca6ef8ab4f158c8b303ad058835f1bbf441)
> > > ----
> > > - source3/rpc_client/cli_pipe.h | 9 ---------
> > > - 1 file changed, 9 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index bf785fb..34ae542 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -131,15 +131,6 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > - const char *domain,
> > > - struct rpc_pipe_client **presult);
> > > -
> > > --NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
> > > -- const struct ndr_syntax_id *interface,
> > > -- enum dcerpc_transport_t transport,
> > > -- enum dcerpc_AuthLevel auth_level,
> > > -- const char *service_princ,
> > > -- const char *username,
> > > -- const char *password,
> > > -- struct rpc_pipe_client **presult);
> > > --
> > > - NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> > > - struct rpc_pipe_client *cli,
> > > - DATA_BLOB *session_key);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 1a6c1ddb44aac3f201bbe2cabab10e409ffd042b Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 17 May 2013 16:08:16 +0200
> > > -Subject: [PATCH 018/249] s3-libnetapi: pass down ndr_interface_table to
> > > - libnetapi_get_binding_handle().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit fa37bbd9d06865d265bf554a3c49920f956f2185)
> > > ----
> > > - source3/lib/netapi/cm.c | 4 ++--
> > > - source3/lib/netapi/file.c | 6 +++---
> > > - source3/lib/netapi/getdc.c | 6 +++---
> > > - source3/lib/netapi/netapi_private.h | 3 ++-
> > > - source3/lib/netapi/netlogon.c | 4 ++--
> > > - source3/lib/netapi/serverinfo.c | 6 +++---
> > > - source3/lib/netapi/share.c | 10 +++++-----
> > > - source3/lib/netapi/shutdown.c | 4 ++--
> > > - 8 files changed, 22 insertions(+), 21 deletions(-)
> > > -
> > > -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> > > -index da3d2e1..c3ae19f 100644
> > > ---- a/source3/lib/netapi/cm.c
> > > -+++ b/source3/lib/netapi/cm.c
> > > -@@ -269,7 +269,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > > -
> > > - WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> > > - const char *server_name,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - struct dcerpc_binding_handle **binding_handle)
> > > - {
> > > - struct rpc_pipe_client *pipe_cli;
> > > -@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> > > -
> > > - *binding_handle = NULL;
> > > -
> > > -- result = libnetapi_open_pipe(ctx, server_name, interface, &pipe_cli);
> > > -+ result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
> > > - if (!W_ERROR_IS_OK(result)) {
> > > - return result;
> > > - }
> > > -diff --git a/source3/lib/netapi/file.c b/source3/lib/netapi/file.c
> > > -index 1e406d2..551f9ff 100644
> > > ---- a/source3/lib/netapi/file.c
> > > -+++ b/source3/lib/netapi/file.c
> > > -@@ -36,7 +36,7 @@ WERROR NetFileClose_r(struct libnetapi_ctx *ctx,
> > > - struct dcerpc_binding_handle *b;
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_srvsvc.syntax_id,
> > > -+ &ndr_table_srvsvc,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -130,7 +130,7 @@ WERROR NetFileGetInfo_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_srvsvc.syntax_id,
> > > -+ &ndr_table_srvsvc,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -201,7 +201,7 @@ WERROR NetFileEnum_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_srvsvc.syntax_id,
> > > -+ &ndr_table_srvsvc,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -diff --git a/source3/lib/netapi/getdc.c b/source3/lib/netapi/getdc.c
> > > -index 3b26d46..ae976f1 100644
> > > ---- a/source3/lib/netapi/getdc.c
> > > -+++ b/source3/lib/netapi/getdc.c
> > > -@@ -47,7 +47,7 @@ WERROR NetGetDCName_r(struct libnetapi_ctx *ctx,
> > > - void *buffer;
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_netlogon.syntax_id,
> > > -+ &ndr_table_netlogon,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -101,7 +101,7 @@ WERROR NetGetAnyDCName_r(struct libnetapi_ctx *ctx,
> > > - void *buffer;
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_netlogon.syntax_id,
> > > -+ &ndr_table_netlogon,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -173,7 +173,7 @@ WERROR DsGetDcName_r(struct libnetapi_ctx *ctx,
> > > - struct dcerpc_binding_handle *b;
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_netlogon.syntax_id,
> > > -+ &ndr_table_netlogon,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
> > > -index 349287b..62aa7ef 100644
> > > ---- a/source3/lib/netapi/netapi_private.h
> > > -+++ b/source3/lib/netapi/netapi_private.h
> > > -@@ -30,6 +30,7 @@
> > > - return fn ## _r(ctx, r);
> > > -
> > > - struct dcerpc_binding_handle;
> > > -+struct ndr_interface_table;
> > > -
> > > - struct libnetapi_private_ctx {
> > > - struct {
> > > -@@ -64,7 +65,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > > - struct rpc_pipe_client **presult);
> > > - WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> > > - const char *server_name,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - struct dcerpc_binding_handle **binding_handle);
> > > - WERROR libnetapi_samr_open_domain(struct libnetapi_ctx *mem_ctx,
> > > - struct rpc_pipe_client *pipe_cli,
> > > -diff --git a/source3/lib/netapi/netlogon.c b/source3/lib/netapi/netlogon.c
> > > -index a046fb7..136cb48 100644
> > > ---- a/source3/lib/netapi/netlogon.c
> > > -+++ b/source3/lib/netapi/netlogon.c
> > > -@@ -133,7 +133,7 @@ WERROR I_NetLogonControl_r(struct libnetapi_ctx *ctx,
> > > - struct dcerpc_binding_handle *b;
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_netlogon.syntax_id,
> > > -+ &ndr_table_netlogon,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -190,7 +190,7 @@ WERROR I_NetLogonControl2_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_netlogon.syntax_id,
> > > -+ &ndr_table_netlogon,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -diff --git a/source3/lib/netapi/serverinfo.c b/source3/lib/netapi/serverinfo.c
> > > -index 046b693..b2a84d1 100644
> > > ---- a/source3/lib/netapi/serverinfo.c
> > > -+++ b/source3/lib/netapi/serverinfo.c
> > > -@@ -503,7 +503,7 @@ WERROR NetServerGetInfo_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_srvsvc.syntax_id,
> > > -+ &ndr_table_srvsvc,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -616,7 +616,7 @@ WERROR NetServerSetInfo_r(struct libnetapi_ctx *ctx,
> > > - struct dcerpc_binding_handle *b;
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_srvsvc.syntax_id,
> > > -+ &ndr_table_srvsvc,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -658,7 +658,7 @@ WERROR NetRemoteTOD_r(struct libnetapi_ctx *ctx,
> > > - struct dcerpc_binding_handle *b;
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_srvsvc.syntax_id,
> > > -+ &ndr_table_srvsvc,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -diff --git a/source3/lib/netapi/share.c b/source3/lib/netapi/share.c
> > > -index d12fa1c..090e1a9 100644
> > > ---- a/source3/lib/netapi/share.c
> > > -+++ b/source3/lib/netapi/share.c
> > > -@@ -200,7 +200,7 @@ WERROR NetShareAdd_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_srvsvc.syntax_id,
> > > -+ &ndr_table_srvsvc,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -258,7 +258,7 @@ WERROR NetShareDel_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_srvsvc.syntax_id,
> > > -+ &ndr_table_srvsvc,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -321,7 +321,7 @@ WERROR NetShareEnum_r(struct libnetapi_ctx *ctx,
> > > - ZERO_STRUCT(info_ctr);
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_srvsvc.syntax_id,
> > > -+ &ndr_table_srvsvc,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -428,7 +428,7 @@ WERROR NetShareGetInfo_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_srvsvc.syntax_id,
> > > -+ &ndr_table_srvsvc,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -502,7 +502,7 @@ WERROR NetShareSetInfo_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_srvsvc.syntax_id,
> > > -+ &ndr_table_srvsvc,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -diff --git a/source3/lib/netapi/shutdown.c b/source3/lib/netapi/shutdown.c
> > > -index 78bc2fc..9e1e8e1 100644
> > > ---- a/source3/lib/netapi/shutdown.c
> > > -+++ b/source3/lib/netapi/shutdown.c
> > > -@@ -38,7 +38,7 @@ WERROR NetShutdownInit_r(struct libnetapi_ctx *ctx,
> > > - struct dcerpc_binding_handle *b;
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_initshutdown.syntax_id,
> > > -+ &ndr_table_initshutdown,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -82,7 +82,7 @@ WERROR NetShutdownAbort_r(struct libnetapi_ctx *ctx,
> > > - struct dcerpc_binding_handle *b;
> > > -
> > > - werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
> > > -- &ndr_table_initshutdown.syntax_id,
> > > -+ &ndr_table_initshutdown,
> > > - &b);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From e25e7bfe15bdb89a9680708c27b50e14a8a86ca3 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 17 May 2013 16:10:13 +0200
> > > -Subject: [PATCH 019/249] s3-libnetapi: pass down ndr_interface_table to
> > > - libnetapi_open_pipe().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 77f7f2a976e5b95f3bd9f542b92926adee4f5fa6)
> > > ----
> > > - source3/lib/netapi/cm.c | 8 ++++----
> > > - source3/lib/netapi/group.c | 18 +++++++++---------
> > > - source3/lib/netapi/joindomain.c | 10 +++++-----
> > > - source3/lib/netapi/localgroup.c | 14 +++++++-------
> > > - source3/lib/netapi/netapi_private.h | 2 +-
> > > - source3/lib/netapi/user.c | 22 +++++++++++-----------
> > > - 6 files changed, 37 insertions(+), 37 deletions(-)
> > > -
> > > -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> > > -index c3ae19f..dd1f1e3 100644
> > > ---- a/source3/lib/netapi/cm.c
> > > -+++ b/source3/lib/netapi/cm.c
> > > -@@ -234,7 +234,7 @@ static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
> > > -
> > > - WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > > - const char *server_name,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > - struct rpc_pipe_client *result = NULL;
> > > -@@ -251,10 +251,10 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > > - return werr;
> > > - }
> > > -
> > > -- status = pipe_cm_open(ctx, ipc, interface, &result);
> > > -+ status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
> > > -- get_pipe_name_from_syntax(talloc_tos(), interface),
> > > -+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > > - get_friendly_nt_error_msg(status));
> > > - return WERR_DEST_NOT_FOUND;
> > > - }
> > > -@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> > > -
> > > - *binding_handle = NULL;
> > > -
> > > -- result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
> > > -+ result = libnetapi_open_pipe(ctx, server_name, table, &pipe_cli);
> > > - if (!W_ERROR_IS_OK(result)) {
> > > - return result;
> > > - }
> > > -diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
> > > -index b806fc4..6d9b248 100644
> > > ---- a/source3/lib/netapi/group.c
> > > -+++ b/source3/lib/netapi/group.c
> > > -@@ -76,7 +76,7 @@ WERROR NetGroupAdd_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -272,7 +272,7 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -492,7 +492,7 @@ WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -770,7 +770,7 @@ WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -918,7 +918,7 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -1078,7 +1078,7 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -1397,7 +1397,7 @@ WERROR NetGroupEnum_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -1544,7 +1544,7 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
> > > -
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -1736,7 +1736,7 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
> > > -index b6fb57a..d8e624f 100644
> > > ---- a/source3/lib/netapi/joindomain.c
> > > -+++ b/source3/lib/netapi/joindomain.c
> > > -@@ -116,7 +116,7 @@ WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
> > > - DATA_BLOB session_key;
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server,
> > > -- &ndr_table_wkssvc.syntax_id,
> > > -+ &ndr_table_wkssvc,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -257,7 +257,7 @@ WERROR NetUnjoinDomain_r(struct libnetapi_ctx *ctx,
> > > - DATA_BLOB session_key;
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_wkssvc.syntax_id,
> > > -+ &ndr_table_wkssvc,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -313,7 +313,7 @@ WERROR NetGetJoinInformation_r(struct libnetapi_ctx *ctx,
> > > - struct dcerpc_binding_handle *b;
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_wkssvc.syntax_id,
> > > -+ &ndr_table_wkssvc,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -455,7 +455,7 @@ WERROR NetGetJoinableOUs_r(struct libnetapi_ctx *ctx,
> > > - DATA_BLOB session_key;
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_wkssvc.syntax_id,
> > > -+ &ndr_table_wkssvc,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -508,7 +508,7 @@ WERROR NetRenameMachineInDomain_r(struct libnetapi_ctx *ctx,
> > > - DATA_BLOB session_key;
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_wkssvc.syntax_id,
> > > -+ &ndr_table_wkssvc,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
> > > -index 17cab68..241970d 100644
> > > ---- a/source3/lib/netapi/localgroup.c
> > > -+++ b/source3/lib/netapi/localgroup.c
> > > -@@ -185,7 +185,7 @@ WERROR NetLocalGroupAdd_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -319,7 +319,7 @@ WERROR NetLocalGroupDel_r(struct libnetapi_ctx *ctx,
> > > - ZERO_STRUCT(alias_handle);
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -499,7 +499,7 @@ WERROR NetLocalGroupGetInfo_r(struct libnetapi_ctx *ctx,
> > > - ZERO_STRUCT(alias_handle);
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -678,7 +678,7 @@ WERROR NetLocalGroupSetInfo_r(struct libnetapi_ctx *ctx,
> > > - ZERO_STRUCT(alias_handle);
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -828,7 +828,7 @@ WERROR NetLocalGroupEnum_r(struct libnetapi_ctx *ctx,
> > > - ZERO_STRUCT(alias_handle);
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -1141,7 +1141,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
> > > -
> > > - if (r->in.level == 3) {
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_lsarpc.syntax_id,
> > > -+ &ndr_table_lsarpc,
> > > - &lsa_pipe);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -1160,7 +1160,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
> > > -index 62aa7ef..897cf3d 100644
> > > ---- a/source3/lib/netapi/netapi_private.h
> > > -+++ b/source3/lib/netapi/netapi_private.h
> > > -@@ -61,7 +61,7 @@ NET_API_STATUS libnetapi_get_debuglevel(struct libnetapi_ctx *ctx, char **debugl
> > > - WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx);
> > > - WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > > - const char *server_name,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult);
> > > - WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
> > > - const char *server_name,
> > > -diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
> > > -index a971e2d..4a39f69 100644
> > > ---- a/source3/lib/netapi/user.c
> > > -+++ b/source3/lib/netapi/user.c
> > > -@@ -400,7 +400,7 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -552,7 +552,7 @@ WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
> > > - ZERO_STRUCT(user_handle);
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > -
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > -@@ -1322,7 +1322,7 @@ WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -1630,7 +1630,7 @@ WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -1764,7 +1764,7 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -1936,7 +1936,7 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -2395,7 +2395,7 @@ WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -2880,7 +2880,7 @@ WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -3015,7 +3015,7 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -3206,7 +3206,7 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > -@@ -3547,7 +3547,7 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
> > > - }
> > > -
> > > - werr = libnetapi_open_pipe(ctx, r->in.server_name,
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &pipe_cli);
> > > - if (!W_ERROR_IS_OK(werr)) {
> > > - goto done;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4157ba43258373cd995b2ee74dcd4d65782dc2ea Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 17 May 2013 16:13:26 +0200
> > > -Subject: [PATCH 020/249] s3-libnetapi: pass down ndr_interface_table to
> > > - pipe_cm() and friends.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 0ce2178f2ffeaee324c7e8fef7c87727def7bd77)
> > > ----
> > > - source3/lib/netapi/cm.c | 16 ++++++++--------
> > > - 1 file changed, 8 insertions(+), 8 deletions(-)
> > > -
> > > -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> > > -index dd1f1e3..8551521 100644
> > > ---- a/source3/lib/netapi/cm.c
> > > -+++ b/source3/lib/netapi/cm.c
> > > -@@ -161,7 +161,7 @@ WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx)
> > > - ********************************************************************/
> > > -
> > > - static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > - struct client_pipe_connection *p;
> > > -@@ -177,7 +177,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
> > > -
> > > - if (strequal(ipc_remote_name, p->pipe->desthost)
> > > - && ndr_syntax_id_equal(&p->pipe->abstract_syntax,
> > > -- interface)) {
> > > -+ &table->syntax_id)) {
> > > - *presult = p->pipe;
> > > - return NT_STATUS_OK;
> > > - }
> > > -@@ -191,7 +191,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
> > > -
> > > - static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
> > > - struct client_ipc_connection *ipc,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > - struct client_pipe_connection *p;
> > > -@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(ipc->cli, interface, &p->pipe);
> > > -+ status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - TALLOC_FREE(p);
> > > - return status;
> > > -@@ -219,14 +219,14 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
> > > -
> > > - static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
> > > - struct client_ipc_connection *ipc,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > -- if (NT_STATUS_IS_OK(pipe_cm_find(ipc, interface, presult))) {
> > > -+ if (NT_STATUS_IS_OK(pipe_cm_find(ipc, table, presult))) {
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -- return pipe_cm_connect(ctx, ipc, interface, presult);
> > > -+ return pipe_cm_connect(ctx, ipc, table, presult);
> > > - }
> > > -
> > > - /********************************************************************
> > > -@@ -251,7 +251,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > > - return werr;
> > > - }
> > > -
> > > -- status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
> > > -+ status = pipe_cm_open(ctx, ipc, table, &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
> > > - get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From ec8ba2a371ce4c4cc14d04e852034dcd92862542 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 17 May 2013 16:16:59 +0200
> > > -Subject: [PATCH 021/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - rpc_pipe_open_ncalrpc().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 9b4fb5b074b035eaef98c4a463c9d68006ed52da)
> > > ----
> > > - source3/librpc/rpc/dcerpc_ep.c | 2 +-
> > > - source3/rpc_client/cli_pipe.c | 4 ++--
> > > - source3/rpc_client/cli_pipe.h | 2 +-
> > > - 3 files changed, 4 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/source3/librpc/rpc/dcerpc_ep.c b/source3/librpc/rpc/dcerpc_ep.c
> > > -index bb080c5..410caa7 100644
> > > ---- a/source3/librpc/rpc/dcerpc_ep.c
> > > -+++ b/source3/librpc/rpc/dcerpc_ep.c
> > > -@@ -365,7 +365,7 @@ static NTSTATUS ep_register(TALLOC_CTX *mem_ctx,
> > > -
> > > - status = rpc_pipe_open_ncalrpc(tmp_ctx,
> > > - ncalrpc_sock,
> > > -- &ndr_table_epmapper.syntax_id,
> > > -+ &ndr_table_epmapper,
> > > - &cli);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - goto done;
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 385ae25..427b628 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2682,7 +2682,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
> > > - Create a rpc pipe client struct, connecting to a unix domain socket
> > > - ********************************************************************/
> > > - NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> > > -- const struct ndr_syntax_id *abstract_syntax,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > - struct rpc_pipe_client *result;
> > > -@@ -2696,7 +2696,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- result->abstract_syntax = *abstract_syntax;
> > > -+ result->abstract_syntax = table->syntax_id;
> > > - result->transfer_syntax = ndr_transfer_syntax_ndr;
> > > -
> > > - result->desthost = get_myname(result);
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index 34ae542..3415db0 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -71,7 +71,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
> > > - struct rpc_pipe_client **presult);
> > > -
> > > - NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> > > -- const struct ndr_syntax_id *abstract_syntax,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult);
> > > -
> > > - struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 816b7983c2342ea500e7467f2ab6c04dff89308f Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 17 May 2013 16:44:05 +0200
> > > -Subject: [PATCH 022/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - rpc_pipe_open_interface().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 6886cff0a7e97864e9094af936cbef08a3c8f6f4)
> > > ----
> > > - source3/printing/nt_printing_migrate_internal.c | 2 +-
> > > - source3/printing/printspoolss.c | 4 +--
> > > - source3/rpc_server/rpc_ncacn_np.c | 8 +++---
> > > - source3/rpc_server/rpc_ncacn_np.h | 2 +-
> > > - source3/smbd/lanman.c | 34 ++++++++++++-------------
> > > - source3/smbd/reply.c | 2 +-
> > > - 6 files changed, 26 insertions(+), 26 deletions(-)
> > > -
> > > -diff --git a/source3/printing/nt_printing_migrate_internal.c b/source3/printing/nt_printing_migrate_internal.c
> > > -index 200db07f..6bc7ea2 100644
> > > ---- a/source3/printing/nt_printing_migrate_internal.c
> > > -+++ b/source3/printing/nt_printing_migrate_internal.c
> > > -@@ -211,7 +211,7 @@ bool nt_printing_tdb_migrate(struct messaging_context *msg_ctx)
> > > - }
> > > -
> > > - status = rpc_pipe_open_interface(tmp_ctx,
> > > -- &ndr_table_winreg.syntax_id,
> > > -+ &ndr_table_winreg,
> > > - session_info,
> > > - NULL,
> > > - msg_ctx,
> > > -diff --git a/source3/printing/printspoolss.c b/source3/printing/printspoolss.c
> > > -index fc1e9c1..0507e83 100644
> > > ---- a/source3/printing/printspoolss.c
> > > -+++ b/source3/printing/printspoolss.c
> > > -@@ -154,7 +154,7 @@ NTSTATUS print_spool_open(files_struct *fsp,
> > > - * a job id */
> > > -
> > > - status = rpc_pipe_open_interface(fsp->conn,
> > > -- &ndr_table_spoolss.syntax_id,
> > > -+ &ndr_table_spoolss,
> > > - fsp->conn->session_info,
> > > - fsp->conn->sconn->remote_address,
> > > - fsp->conn->sconn->msg_ctx,
> > > -@@ -343,7 +343,7 @@ void print_spool_terminate(struct connection_struct *conn,
> > > - rap_jobid_delete(print_file->svcname, print_file->jobid);
> > > -
> > > - status = rpc_pipe_open_interface(conn,
> > > -- &ndr_table_spoolss.syntax_id,
> > > -+ &ndr_table_spoolss,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
> > > -index b4602a9..7389b3e 100644
> > > ---- a/source3/rpc_server/rpc_ncacn_np.c
> > > -+++ b/source3/rpc_server/rpc_ncacn_np.c
> > > -@@ -758,7 +758,7 @@ done:
> > > - */
> > > -
> > > - NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> > > -- const struct ndr_syntax_id *syntax,
> > > -+ const struct ndr_interface_table *table,
> > > - const struct auth_session_info *session_info,
> > > - const struct tsocket_address *remote_address,
> > > - struct messaging_context *msg_ctx,
> > > -@@ -783,7 +783,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- pipe_name = get_pipe_name_from_syntax(tmp_ctx, syntax);
> > > -+ pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
> > > - if (pipe_name == NULL) {
> > > - status = NT_STATUS_INVALID_PARAMETER;
> > > - goto done;
> > > -@@ -800,7 +800,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> > > - switch (pipe_mode) {
> > > - case RPC_SERVICE_MODE_EMBEDDED:
> > > - status = rpc_pipe_open_internal(tmp_ctx,
> > > -- syntax, session_info,
> > > -+ &table->syntax_id, session_info,
> > > - remote_address, msg_ctx,
> > > - &cli);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -@@ -813,7 +813,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> > > - * to spoolssd. */
> > > -
> > > - status = rpc_pipe_open_external(tmp_ctx,
> > > -- pipe_name, syntax,
> > > -+ pipe_name, &table->syntax_id,
> > > - session_info,
> > > - &cli);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -diff --git a/source3/rpc_server/rpc_ncacn_np.h b/source3/rpc_server/rpc_ncacn_np.h
> > > -index 586d61b..67cd8a1 100644
> > > ---- a/source3/rpc_server/rpc_ncacn_np.h
> > > -+++ b/source3/rpc_server/rpc_ncacn_np.h
> > > -@@ -50,7 +50,7 @@ NTSTATUS rpcint_binding_handle(TALLOC_CTX *mem_ctx,
> > > - struct messaging_context *msg_ctx,
> > > - struct dcerpc_binding_handle **binding_handle);
> > > - NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> > > -- const struct ndr_syntax_id *syntax,
> > > -+ const struct ndr_interface_table *table,
> > > - const struct auth_session_info *session_info,
> > > - const struct tsocket_address *remote_address,
> > > - struct messaging_context *msg_ctx,
> > > -diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
> > > -index d0dae36..3c488ec 100644
> > > ---- a/source3/smbd/lanman.c
> > > -+++ b/source3/smbd/lanman.c
> > > -@@ -832,7 +832,7 @@ static bool api_DosPrintQGetInfo(struct smbd_server_connection *sconn,
> > > - }
> > > -
> > > - status = rpc_pipe_open_interface(conn,
> > > -- &ndr_table_spoolss.syntax_id,
> > > -+ &ndr_table_spoolss,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -1029,7 +1029,7 @@ static bool api_DosPrintQEnum(struct smbd_server_connection *sconn,
> > > - }
> > > -
> > > - status = rpc_pipe_open_interface(conn,
> > > -- &ndr_table_spoolss.syntax_id,
> > > -+ &ndr_table_spoolss,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -2256,7 +2256,7 @@ static bool api_RNetShareAdd(struct smbd_server_connection *sconn,
> > > - return false;
> > > - }
> > > -
> > > -- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
> > > -+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -2368,7 +2368,7 @@ static bool api_RNetGroupEnum(struct smbd_server_connection *sconn,
> > > - }
> > > -
> > > - status = rpc_pipe_open_interface(
> > > -- talloc_tos(), &ndr_table_samr.syntax_id,
> > > -+ talloc_tos(), &ndr_table_samr,
> > > - conn->session_info, conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx, &samr_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -@@ -2574,7 +2574,7 @@ static bool api_NetUserGetGroups(struct smbd_server_connection *sconn,
> > > - endp = *rdata + *rdata_len;
> > > -
> > > - status = rpc_pipe_open_interface(
> > > -- talloc_tos(), &ndr_table_samr.syntax_id,
> > > -+ talloc_tos(), &ndr_table_samr,
> > > - conn->session_info, conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx, &samr_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -@@ -2774,7 +2774,7 @@ static bool api_RNetUserEnum(struct smbd_server_connection *sconn,
> > > - endp = *rdata + *rdata_len;
> > > -
> > > - status = rpc_pipe_open_interface(
> > > -- talloc_tos(), &ndr_table_samr.syntax_id,
> > > -+ talloc_tos(), &ndr_table_samr,
> > > - conn->session_info, conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx, &samr_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -@@ -3037,7 +3037,7 @@ static bool api_SamOEMChangePassword(struct smbd_server_connection *sconn,
> > > - memcpy(password.data, data, 516);
> > > - memcpy(hash.hash, data+516, 16);
> > > -
> > > -- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
> > > -+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -3134,7 +3134,7 @@ static bool api_RDosPrintJobDel(struct smbd_server_connection *sconn,
> > > - ZERO_STRUCT(handle);
> > > -
> > > - status = rpc_pipe_open_interface(conn,
> > > -- &ndr_table_spoolss.syntax_id,
> > > -+ &ndr_table_spoolss,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -3262,7 +3262,7 @@ static bool api_WPrintQueueCtrl(struct smbd_server_connection *sconn,
> > > - ZERO_STRUCT(handle);
> > > -
> > > - status = rpc_pipe_open_interface(conn,
> > > -- &ndr_table_spoolss.syntax_id,
> > > -+ &ndr_table_spoolss,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -3444,7 +3444,7 @@ static bool api_PrintJobInfo(struct smbd_server_connection *sconn,
> > > - ZERO_STRUCT(handle);
> > > -
> > > - status = rpc_pipe_open_interface(conn,
> > > -- &ndr_table_spoolss.syntax_id,
> > > -+ &ndr_table_spoolss,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -3621,7 +3621,7 @@ static bool api_RNetServerGetInfo(struct smbd_server_connection *sconn,
> > > - p = *rdata;
> > > - p2 = p + struct_len;
> > > -
> > > -- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
> > > -+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -4052,7 +4052,7 @@ static bool api_RNetUserGetInfo(struct smbd_server_connection *sconn,
> > > - ZERO_STRUCT(domain_handle);
> > > - ZERO_STRUCT(user_handle);
> > > -
> > > -- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
> > > -+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -4581,7 +4581,7 @@ static bool api_WPrintJobGetInfo(struct smbd_server_connection *sconn,
> > > - ZERO_STRUCT(handle);
> > > -
> > > - status = rpc_pipe_open_interface(conn,
> > > -- &ndr_table_spoolss.syntax_id,
> > > -+ &ndr_table_spoolss,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -4723,7 +4723,7 @@ static bool api_WPrintJobEnumerate(struct smbd_server_connection *sconn,
> > > - ZERO_STRUCT(handle);
> > > -
> > > - status = rpc_pipe_open_interface(conn,
> > > -- &ndr_table_spoolss.syntax_id,
> > > -+ &ndr_table_spoolss,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -4923,7 +4923,7 @@ static bool api_WPrintDestGetInfo(struct smbd_server_connection *sconn,
> > > - ZERO_STRUCT(handle);
> > > -
> > > - status = rpc_pipe_open_interface(conn,
> > > -- &ndr_table_spoolss.syntax_id,
> > > -+ &ndr_table_spoolss,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -5055,7 +5055,7 @@ static bool api_WPrintDestEnum(struct smbd_server_connection *sconn,
> > > - queuecnt = 0;
> > > -
> > > - status = rpc_pipe_open_interface(conn,
> > > -- &ndr_table_spoolss.syntax_id,
> > > -+ &ndr_table_spoolss,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -@@ -5366,7 +5366,7 @@ static bool api_RNetSessionEnum(struct smbd_server_connection *sconn,
> > > - }
> > > -
> > > - status = rpc_pipe_open_interface(conn,
> > > -- &ndr_table_srvsvc.syntax_id,
> > > -+ &ndr_table_srvsvc,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > -diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
> > > -index 3f5b950..eace557 100644
> > > ---- a/source3/smbd/reply.c
> > > -+++ b/source3/smbd/reply.c
> > > -@@ -5637,7 +5637,7 @@ void reply_printqueue(struct smb_request *req)
> > > - ZERO_STRUCT(handle);
> > > -
> > > - status = rpc_pipe_open_interface(conn,
> > > -- &ndr_table_spoolss.syntax_id,
> > > -+ &ndr_table_spoolss,
> > > - conn->session_info,
> > > - conn->sconn->remote_address,
> > > - conn->sconn->msg_ctx,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 3dc2d438f0b440f34b7cdd9eeac429a15f679460 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 24 May 2013 13:03:23 +0200
> > > -Subject: [PATCH 023/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - cli_rpc_pipe_open_schannel().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit f6d61b571d79ebf1df58513ec728057d00b95f3e)
> > > ----
> > > - source3/auth/auth_domain.c | 2 +-
> > > - source3/rpc_client/cli_pipe.h | 2 +-
> > > - source3/rpc_client/cli_pipe_schannel.c | 4 ++--
> > > - source3/rpcclient/rpcclient.c | 2 +-
> > > - source3/utils/net_rpc.c | 2 +-
> > > - 5 files changed, 6 insertions(+), 6 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > > -index 286c75c..a375f11 100644
> > > ---- a/source3/auth/auth_domain.c
> > > -+++ b/source3/auth/auth_domain.c
> > > -@@ -115,7 +115,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> > > - if (lp_client_schannel()) {
> > > - /* We also setup the creds chain in the open_schannel call. */
> > > - result = cli_rpc_pipe_open_schannel(
> > > -- *cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> > > -+ *cli, &ndr_table_netlogon, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> > > - } else {
> > > - result = cli_rpc_pipe_open_noauth(
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index 3415db0..d17322a 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -125,7 +125,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > > - struct rpc_pipe_client **presult);
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - enum dcerpc_transport_t transport,
> > > - enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > > -index c275720..8bc01a5 100644
> > > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > > -@@ -169,7 +169,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > > - ****************************************************************************/
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - enum dcerpc_transport_t transport,
> > > - enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > -@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > - }
> > > -
> > > - status = cli_rpc_pipe_open_schannel_with_key(
> > > -- cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
> > > -+ cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
> > > - &result);
> > > -
> > > - /* Now we've bound using the session key we can close the netlog pipe. */
> > > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > > -index d204d7f..6b6478e 100644
> > > ---- a/source3/rpcclient/rpcclient.c
> > > -+++ b/source3/rpcclient/rpcclient.c
> > > -@@ -734,7 +734,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - break;
> > > - case DCERPC_AUTH_TYPE_SCHANNEL:
> > > - ntresult = cli_rpc_pipe_open_schannel(
> > > -- cli, &cmd_entry->table->syntax_id,
> > > -+ cli, cmd_entry->table,
> > > - default_transport,
> > > - pipe_default_auth_level,
> > > - get_cmdline_auth_info_domain(auth_info),
> > > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > > -index 4503f59..dab9fcd 100644
> > > ---- a/source3/utils/net_rpc.c
> > > -+++ b/source3/utils/net_rpc.c
> > > -@@ -191,7 +191,7 @@ int run_rpc_command(struct net_context *c,
> > > - &ndr_table_netlogon.syntax_id))) {
> > > - /* Always try and create an schannel netlogon pipe. */
> > > - nt_status = cli_rpc_pipe_open_schannel(
> > > -- cli, &table->syntax_id, NCACN_NP,
> > > -+ cli, table, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 428596faf89f424c83edb86d45c5a1322e3fb6b5 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 24 May 2013 13:08:33 +0200
> > > -Subject: [PATCH 024/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - cli_rpc_pipe_open_ntlmssp_auth_schannel().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 7f169474fc86479abe09a5716b8029c6febcfaa9)
> > > ----
> > > - source3/rpc_client/cli_pipe.h | 2 +-
> > > - source3/rpc_client/cli_pipe_schannel.c | 4 ++--
> > > - 2 files changed, 3 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index d17322a..7026692 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -116,7 +116,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - struct rpc_pipe_client **presult);
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - enum dcerpc_transport_t transport,
> > > - enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > > -index 8bc01a5..261a768 100644
> > > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > > -@@ -128,7 +128,7 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
> > > - ****************************************************************************/
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - enum dcerpc_transport_t transport,
> > > - enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > -@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > > - }
> > > -
> > > - status = cli_rpc_pipe_open_schannel_with_key(
> > > -- cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
> > > -+ cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
> > > - &result);
> > > -
> > > - /* Now we've bound using the session key we can close the netlog pipe. */
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From cda31f4e490942ffc89513f000fa147f535a2713 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 24 May 2013 13:17:24 +0200
> > > -Subject: [PATCH 025/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - cli_rpc_pipe_open_schannel_with_key().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 3dc3a6c8483a8de22b483ecf164c81232d4a8d65)
> > > ----
> > > - source3/libnet/libnet_join.c | 2 +-
> > > - source3/rpc_client/cli_pipe.c | 6 +++---
> > > - source3/rpc_client/cli_pipe.h | 2 +-
> > > - source3/rpc_client/cli_pipe_schannel.c | 4 ++--
> > > - source3/utils/net_rpc_join.c | 4 ++--
> > > - source3/winbindd/winbindd_cm.c | 8 ++++----
> > > - 6 files changed, 13 insertions(+), 13 deletions(-)
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index 1418385..9f47f3b 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -1287,7 +1287,7 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > > - }
> > > -
> > > - status = cli_rpc_pipe_open_schannel_with_key(
> > > -- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> > > -+ cli, &ndr_table_netlogon, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY,
> > > - netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 427b628..34cef32 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -3022,7 +3022,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> > > - ****************************************************************************/
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - enum dcerpc_transport_t transport,
> > > - enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > -@@ -3033,7 +3033,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - struct pipe_auth_data *auth;
> > > - NTSTATUS status;
> > > -
> > > -- status = cli_rpc_pipe_open(cli, transport, interface, &result);
> > > -+ status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > -@@ -3070,7 +3070,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > -
> > > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> > > - "for domain %s and bound using schannel.\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), interface),
> > > -+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > > - result->desthost, domain));
> > > -
> > > - *presult = result;
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index 7026692..65bfbc8 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -108,7 +108,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
> > > - struct rpc_pipe_client **presult);
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - enum dcerpc_transport_t transport,
> > > - enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > > -index 261a768..784e63f 100644
> > > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > > -@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > > - }
> > > -
> > > - status = cli_rpc_pipe_open_schannel_with_key(
> > > -- cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
> > > -+ cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
> > > - &result);
> > > -
> > > - /* Now we've bound using the session key we can close the netlog pipe. */
> > > -@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > - }
> > > -
> > > - status = cli_rpc_pipe_open_schannel_with_key(
> > > -- cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
> > > -+ cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
> > > - &result);
> > > -
> > > - /* Now we've bound using the session key we can close the netlog pipe. */
> > > -diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
> > > -index 56799cd..4b43769 100644
> > > ---- a/source3/utils/net_rpc_join.c
> > > -+++ b/source3/utils/net_rpc_join.c
> > > -@@ -137,7 +137,7 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
> > > - }
> > > -
> > > - ntret = cli_rpc_pipe_open_schannel_with_key(
> > > -- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> > > -+ cli, &ndr_table_netlogon, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY,
> > > - domain, &netlogon_pipe->dc, &pipe_hnd);
> > > -
> > > -@@ -497,7 +497,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > > - struct rpc_pipe_client *netlogon_schannel_pipe;
> > > -
> > > - status = cli_rpc_pipe_open_schannel_with_key(
> > > -- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> > > -+ cli, &ndr_table_netlogon, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY, domain, &pipe_hnd->dc,
> > > - &netlogon_schannel_pipe);
> > > -
> > > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > > -index 61917db..f17fc68 100644
> > > ---- a/source3/winbindd/winbindd_cm.c
> > > -+++ b/source3/winbindd/winbindd_cm.c
> > > -@@ -2415,7 +2415,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - goto anonymous;
> > > - }
> > > - status = cli_rpc_pipe_open_schannel_with_key
> > > -- (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
> > > -+ (conn->cli, &ndr_table_samr, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY,
> > > - domain->name, &p_creds, &conn->samr_pipe);
> > > -
> > > -@@ -2547,7 +2547,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> > > - }
> > > -
> > > - status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
> > > -- &ndr_table_lsarpc.syntax_id,
> > > -+ &ndr_table_lsarpc,
> > > - NCACN_IP_TCP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY,
> > > - domain->name,
> > > -@@ -2646,7 +2646,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - goto anonymous;
> > > - }
> > > - result = cli_rpc_pipe_open_schannel_with_key
> > > -- (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
> > > -+ (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY,
> > > - domain->name, &p_creds, &conn->lsa_pipe);
> > > -
> > > -@@ -2831,7 +2831,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > > - */
> > > -
> > > - result = cli_rpc_pipe_open_schannel_with_key(
> > > -- conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> > > -+ conn->cli, &ndr_table_netlogon, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
> > > - &conn->netlogon_pipe);
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 9b569e91cd22806eedae76d3fb60cdbd7548e4c2 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 24 May 2013 13:29:28 +0200
> > > -Subject: [PATCH 026/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - cli_rpc_pipe_open_noauth().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 9813fe2b04a5b4abaa95ea1d893b3803edbede4d)
> > > ----
> > > - source3/auth/auth_domain.c | 2 +-
> > > - source3/client/client.c | 2 +-
> > > - source3/lib/netapi/cm.c | 2 +-
> > > - source3/libnet/libnet_join.c | 8 ++++----
> > > - source3/libsmb/libsmb_dir.c | 2 +-
> > > - source3/libsmb/libsmb_server.c | 2 +-
> > > - source3/libsmb/passchange.c | 4 ++--
> > > - source3/libsmb/trustdom_cache.c | 2 +-
> > > - source3/libsmb/trusts_util.c | 2 +-
> > > - source3/rpc_client/cli_pipe.c | 4 ++--
> > > - source3/rpc_client/cli_pipe.h | 2 +-
> > > - source3/rpc_client/cli_pipe_schannel.c | 2 +-
> > > - source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +-
> > > - source3/rpcclient/cmd_spoolss.c | 2 +-
> > > - source3/rpcclient/cmd_test.c | 4 ++--
> > > - source3/rpcclient/rpcclient.c | 2 +-
> > > - source3/torture/test_async_echo.c | 2 +-
> > > - source3/utils/net_ads.c | 2 +-
> > > - source3/utils/net_rpc.c | 20 ++++++++++----------
> > > - source3/utils/net_rpc_join.c | 6 +++---
> > > - source3/utils/net_rpc_shell.c | 2 +-
> > > - source3/utils/net_rpc_trust.c | 2 +-
> > > - source3/utils/net_util.c | 8 ++++----
> > > - source3/utils/netlookup.c | 2 +-
> > > - source3/utils/smbcacls.c | 7 +++----
> > > - source3/utils/smbcquotas.c | 2 +-
> > > - source3/utils/smbtree.c | 2 +-
> > > - source3/winbindd/winbindd_cm.c | 10 +++++-----
> > > - 28 files changed, 54 insertions(+), 55 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > > -index a375f11..54ee5a1 100644
> > > ---- a/source3/auth/auth_domain.c
> > > -+++ b/source3/auth/auth_domain.c
> > > -@@ -119,7 +119,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> > > - DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> > > - } else {
> > > - result = cli_rpc_pipe_open_noauth(
> > > -- *cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
> > > -+ *cli, &ndr_table_netlogon, &netlogon_pipe);
> > > - }
> > > -
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > -diff --git a/source3/client/client.c b/source3/client/client.c
> > > -index ab46cb8..dafc5f0 100644
> > > ---- a/source3/client/client.c
> > > -+++ b/source3/client/client.c
> > > -@@ -4227,7 +4227,7 @@ static bool browse_host_rpc(bool sort)
> > > - int i;
> > > - struct dcerpc_binding_handle *b;
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
> > > - &pipe_hnd);
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> > > -index 8551521..1cfdccf 100644
> > > ---- a/source3/lib/netapi/cm.c
> > > -+++ b/source3/lib/netapi/cm.c
> > > -@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
> > > -+ status = cli_rpc_pipe_open_noauth(ipc->cli, table, &p->pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - TALLOC_FREE(p);
> > > - return status;
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index 9f47f3b..324c8f3 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -749,7 +749,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
> > > - goto done;
> > > - }
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
> > > -@@ -819,7 +819,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> > > - fstring trust_passwd;
> > > - NTSTATUS status;
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > -@@ -908,7 +908,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
> > > -
> > > - /* Open the domain */
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
> > > -@@ -1377,7 +1377,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
> > > -
> > > - /* Open the domain */
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
> > > -diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
> > > -index 87e10d8..3a07f11 100644
> > > ---- a/source3/libsmb/libsmb_dir.c
> > > -+++ b/source3/libsmb/libsmb_dir.c
> > > -@@ -277,7 +277,7 @@ net_share_enum_rpc(struct cli_state *cli,
> > > - struct dcerpc_binding_handle *b;
> > > -
> > > - /* Open the server service pipe */
> > > -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
> > > -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - DEBUG(1, ("net_share_enum_rpc pipe open fail!\n"));
> > > -diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
> > > -index d4254da..dff0062 100644
> > > ---- a/source3/libsmb/libsmb_server.c
> > > -+++ b/source3/libsmb/libsmb_server.c
> > > -@@ -802,7 +802,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
> > > - ipc_srv->cli = ipc_cli;
> > > -
> > > - nt_status = cli_rpc_pipe_open_noauth(
> > > -- ipc_srv->cli, &ndr_table_lsarpc.syntax_id, &pipe_hnd);
> > > -+ ipc_srv->cli, &ndr_table_lsarpc, &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - DEBUG(1, ("cli_nt_session_open fail!\n"));
> > > - errno = ENOTSUP;
> > > -diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
> > > -index 3933833..9736ada 100644
> > > ---- a/source3/libsmb/passchange.c
> > > -+++ b/source3/libsmb/passchange.c
> > > -@@ -169,7 +169,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
> > > - * way.
> > > - */
> > > - result = cli_rpc_pipe_open_noauth(
> > > -- cli, &ndr_table_samr.syntax_id, &pipe_hnd);
> > > -+ cli, &ndr_table_samr, &pipe_hnd);
> > > - }
> > > -
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > -@@ -230,7 +230,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
> > > - result = NT_STATUS_UNSUCCESSFUL;
> > > -
> > > - /* OK, this is ugly, but... try an anonymous pipe. */
> > > -- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> > > -+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> > > - &pipe_hnd);
> > > -
> > > - if ( NT_STATUS_IS_OK(result) &&
> > > -diff --git a/source3/libsmb/trustdom_cache.c b/source3/libsmb/trustdom_cache.c
> > > -index 8789d30..dadc751 100644
> > > ---- a/source3/libsmb/trustdom_cache.c
> > > -+++ b/source3/libsmb/trustdom_cache.c
> > > -@@ -289,7 +289,7 @@ static bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
> > > -
> > > - /* open the LSARPC_PIPE */
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > > - &lsa_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - goto done;
> > > -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> > > -index 0d039bc..6156ba0 100644
> > > ---- a/source3/libsmb/trusts_util.c
> > > -+++ b/source3/libsmb/trusts_util.c
> > > -@@ -182,7 +182,7 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
> > > - /* Shouldn't we open this with schannel ? JRA. */
> > > -
> > > - nt_status = cli_rpc_pipe_open_noauth(
> > > -- cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
> > > -+ cli, &ndr_table_netlogon, &netlogon_pipe);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
> > > - dc_name, nt_errstr(nt_status)));
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 34cef32..1137abd 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2948,11 +2948,11 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > > - ****************************************************************************/
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > - return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
> > > -- interface, presult);
> > > -+ &table->syntax_id, presult);
> > > - }
> > > -
> > > - /****************************************************************************
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index 65bfbc8..9aae61a 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -77,7 +77,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> > > - struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult);
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > > -index 784e63f..bc672ef 100644
> > > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > > -@@ -217,7 +217,7 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli,
> > > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > > - NTSTATUS status;
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > > - &netlogon_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > -diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
> > > -index 335647b..c12cd05 100644
> > > ---- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
> > > -+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
> > > -@@ -2504,7 +2504,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
> > > - * Now start the NT Domain stuff :-).
> > > - */
> > > -
> > > -- ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss.syntax_id, pp_pipe);
> > > -+ ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss, pp_pipe);
> > > - if (!NT_STATUS_IS_OK(ret)) {
> > > - DEBUG(2,("spoolss_connect_to_client: unable to open the spoolss pipe on machine %s. Error was : %s.\n",
> > > - remote_machine, nt_errstr(ret)));
> > > -diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
> > > -index 5c499d4..fb011f8 100644
> > > ---- a/source3/rpcclient/cmd_spoolss.c
> > > -+++ b/source3/rpcclient/cmd_spoolss.c
> > > -@@ -3453,7 +3453,7 @@ static WERROR cmd_spoolss_printercmp(struct rpc_pipe_client *cli,
> > > - if ( !NT_STATUS_IS_OK(nt_status) )
> > > - return WERR_GENERAL_FAILURE;
> > > -
> > > -- nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss.syntax_id,
> > > -+ nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss,
> > > - &cli2);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - printf("failed to open spoolss pipe on server %s (%s)\n",
> > > -diff --git a/source3/rpcclient/cmd_test.c b/source3/rpcclient/cmd_test.c
> > > -index 591ae8c..367dc71 100644
> > > ---- a/source3/rpcclient/cmd_test.c
> > > -+++ b/source3/rpcclient/cmd_test.c
> > > -@@ -36,14 +36,14 @@ static NTSTATUS cmd_testme(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
> > > - d_printf("testme\n");
> > > -
> > > - status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
> > > -- &ndr_table_lsarpc.syntax_id,
> > > -+ &ndr_table_lsarpc,
> > > - &lsa_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - goto done;
> > > - }
> > > -
> > > - status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
> > > -- &ndr_table_samr.syntax_id,
> > > -+ &ndr_table_samr,
> > > - &samr_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - goto done;
> > > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > > -index 6b6478e..e3b35bb 100644
> > > ---- a/source3/rpcclient/rpcclient.c
> > > -+++ b/source3/rpcclient/rpcclient.c
> > > -@@ -167,7 +167,7 @@ static void fetch_machine_sid(struct cli_state *cli)
> > > - goto error;
> > > - }
> > > -
> > > -- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > > -+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > > - &lsapipe);
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > - fprintf(stderr, "could not initialise lsa pipe. Error was %s\n", nt_errstr(result) );
> > > -diff --git a/source3/torture/test_async_echo.c b/source3/torture/test_async_echo.c
> > > -index 6df95dd..f21daa4 100644
> > > ---- a/source3/torture/test_async_echo.c
> > > -+++ b/source3/torture/test_async_echo.c
> > > -@@ -82,7 +82,7 @@ bool run_async_echo(int dummy)
> > > - printf("torture_open_connection failed\n");
> > > - goto fail;
> > > - }
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho,
> > > - &p);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - printf("Could not open echo pipe: %s\n", nt_errstr(status));
> > > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > > -index 5699943..89eebf3 100644
> > > ---- a/source3/utils/net_ads.c
> > > -+++ b/source3/utils/net_ads.c
> > > -@@ -1957,7 +1957,7 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
> > > - SAFE_FREE(srv_cn_escaped);
> > > - SAFE_FREE(printername_escaped);
> > > -
> > > -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
> > > -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss, &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
> > > - servername);
> > > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > > -index dab9fcd..69ff14d 100644
> > > ---- a/source3/utils/net_rpc.c
> > > -+++ b/source3/utils/net_rpc.c
> > > -@@ -82,7 +82,7 @@ NTSTATUS net_get_remote_domain_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx,
> > > - union lsa_PolicyInformation *info = NULL;
> > > - struct dcerpc_binding_handle *b;
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > > - &lsa_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
> > > -@@ -212,7 +212,7 @@ int run_rpc_command(struct net_context *c,
> > > - c->opt_password, &pipe_hnd);
> > > - } else {
> > > - nt_status = cli_rpc_pipe_open_noauth(
> > > -- cli, &table->syntax_id,
> > > -+ cli, table,
> > > - &pipe_hnd);
> > > - }
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > -@@ -348,7 +348,7 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
> > > - NTSTATUS result;
> > > - enum netr_SchannelType sec_channel_type;
> > > -
> > > -- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> > > -+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > - DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
> > > -@@ -1966,7 +1966,7 @@ static NTSTATUS get_sid_from_name(struct cli_state *cli,
> > > - NTSTATUS status, result;
> > > - struct dcerpc_binding_handle *b;
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - goto done;
> > > -@@ -2980,7 +2980,7 @@ static NTSTATUS rpc_list_alias_members(struct net_context *c,
> > > - }
> > > -
> > > - result = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(pipe_hnd),
> > > -- &ndr_table_lsarpc.syntax_id,
> > > -+ &ndr_table_lsarpc,
> > > - &lsa_pipe);
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > - d_fprintf(stderr, _("Couldn't open LSA pipe. Error was %s\n"),
> > > -@@ -6232,7 +6232,7 @@ static NTSTATUS rpc_trustdom_get_pdc(struct net_context *c,
> > > -
> > > - /* Try netr_GetDcName */
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > > - &netr);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > -@@ -6379,7 +6379,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc,
> > > - * Call LsaOpenPolicy and LsaQueryInfo
> > > - */
> > > -
> > > -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > > -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) ));
> > > -@@ -6656,7 +6656,7 @@ static int rpc_trustdom_vampire(struct net_context *c, int argc,
> > > - return -1;
> > > - };
> > > -
> > > -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > > -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
> > > -@@ -6834,7 +6834,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
> > > - return -1;
> > > - };
> > > -
> > > -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > > -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
> > > -@@ -6950,7 +6950,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
> > > - /*
> > > - * Open \PIPE\samr and get needed policy handles
> > > - */
> > > -- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> > > -+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - DEBUG(0, ("Could not initialise samr pipe. Error was %s\n", nt_errstr(nt_status)));
> > > -diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
> > > -index 4b43769..aabbe54 100644
> > > ---- a/source3/utils/net_rpc_join.c
> > > -+++ b/source3/utils/net_rpc_join.c
> > > -@@ -245,7 +245,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > > -
> > > - /* Fetch domain sid */
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
> > > -@@ -280,7 +280,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > > - }
> > > -
> > > - /* Create domain user */
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
> > > -@@ -456,7 +456,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > > -
> > > - /* Now check the whole process from top-to-bottom */
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n",
> > > -diff --git a/source3/utils/net_rpc_shell.c b/source3/utils/net_rpc_shell.c
> > > -index 6086066..120cfa6 100644
> > > ---- a/source3/utils/net_rpc_shell.c
> > > -+++ b/source3/utils/net_rpc_shell.c
> > > -@@ -85,7 +85,7 @@ static NTSTATUS net_sh_run(struct net_context *c,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(ctx->cli, &cmd->table->syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(ctx->cli, cmd->table,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - d_fprintf(stderr, _("Could not open pipe: %s\n"),
> > > -diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c
> > > -index 9060700..5e58103 100644
> > > ---- a/source3/utils/net_rpc_trust.c
> > > -+++ b/source3/utils/net_rpc_trust.c
> > > -@@ -210,7 +210,7 @@ static NTSTATUS connect_and_get_info(TALLOC_CTX *mem_ctx,
> > > - return status;
> > > - }
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id, pipe_hnd);
> > > -+ status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc, pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0, ("Failed to initialise lsa pipe with error [%s]\n",
> > > - nt_errstr(status)));
> > > -diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
> > > -index a4282ec..13a0ef1 100644
> > > ---- a/source3/utils/net_util.c
> > > -+++ b/source3/utils/net_util.c
> > > -@@ -45,7 +45,7 @@ NTSTATUS net_rpc_lookup_name(struct net_context *c,
> > > -
> > > - ZERO_STRUCT(pol);
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > > - &lsa_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
> > > -@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
> > > - return nt_status;
> > > - }
> > > -
> > > -- nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
> > > -+ nt_status = cli_rpc_pipe_open_noauth(cli_tmp, table,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - DEBUG(0, ("couldn't not initialize pipe\n"));
> > > -@@ -571,7 +571,7 @@ static NTSTATUS net_scan_dc_noad(struct net_context *c,
> > > - ZERO_STRUCTP(dc_info);
> > > - ZERO_STRUCT(pol);
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > > - &pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > -@@ -634,7 +634,7 @@ NTSTATUS net_scan_dc(struct net_context *c,
> > > -
> > > - ZERO_STRUCTP(dc_info);
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup,
> > > - &dssetup_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(10,("net_scan_dc: failed to open dssetup pipe with %s, "
> > > -diff --git a/source3/utils/netlookup.c b/source3/utils/netlookup.c
> > > -index b66c34e..56d3bfe 100644
> > > ---- a/source3/utils/netlookup.c
> > > -+++ b/source3/utils/netlookup.c
> > > -@@ -122,7 +122,7 @@ static struct con_struct *create_cs(struct net_context *c,
> > > - }
> > > -
> > > - nt_status = cli_rpc_pipe_open_noauth(cs->cli,
> > > -- &ndr_table_lsarpc.syntax_id,
> > > -+ &ndr_table_lsarpc,
> > > - &cs->lsapipe);
> > > -
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > -diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
> > > -index 23a1192..f092839 100644
> > > ---- a/source3/utils/smbcacls.c
> > > -+++ b/source3/utils/smbcacls.c
> > > -@@ -96,7 +96,7 @@ static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli,
> > > - goto tcon_fail;
> > > - }
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > > - &p);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - goto fail;
> > > -@@ -146,7 +146,7 @@ static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli,
> > > - goto tcon_fail;
> > > - }
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
> > > - &p);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - goto fail;
> > > -@@ -187,14 +187,13 @@ static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli,
> > > - struct policy_handle handle;
> > > - NTSTATUS status, result;
> > > - TALLOC_CTX *frame = talloc_stackframe();
> > > -- const struct ndr_syntax_id *lsarpc_syntax = &ndr_table_lsarpc.syntax_id;
> > > -
> > > - status = cli_tree_connect(cli, "IPC$", "?????", "", 0);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - goto done;
> > > - }
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, lsarpc_syntax, &rpc_pipe);
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc, &rpc_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - goto tdis;
> > > - }
> > > -diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
> > > -index bf1f95c..2791b93 100644
> > > ---- a/source3/utils/smbcquotas.c
> > > -+++ b/source3/utils/smbcquotas.c
> > > -@@ -58,7 +58,7 @@ static bool cli_open_policy_hnd(void)
> > > - NTSTATUS ret;
> > > - cli_ipc = connect_one("IPC$");
> > > - ret = cli_rpc_pipe_open_noauth(cli_ipc,
> > > -- &ndr_table_lsarpc.syntax_id,
> > > -+ &ndr_table_lsarpc,
> > > - &global_pipe_hnd);
> > > - if (!NT_STATUS_IS_OK(ret)) {
> > > - return False;
> > > -diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c
> > > -index 40b1f09..5c07b12 100644
> > > ---- a/source3/utils/smbtree.c
> > > -+++ b/source3/utils/smbtree.c
> > > -@@ -177,7 +177,7 @@ static bool get_rpc_shares(struct cli_state *cli,
> > > - return False;
> > > - }
> > > -
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
> > > - &pipe_hnd);
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > > -index f17fc68..facef64 100644
> > > ---- a/source3/winbindd/winbindd_cm.c
> > > -+++ b/source3/winbindd/winbindd_cm.c
> > > -@@ -2078,7 +2078,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
> > > - DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
> > > -
> > > - status = cli_rpc_pipe_open_noauth(domain->conn.cli,
> > > -- &ndr_table_dssetup.syntax_id,
> > > -+ &ndr_table_dssetup,
> > > - &cli);
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -@@ -2129,7 +2129,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
> > > -
> > > - no_dssetup:
> > > - status = cli_rpc_pipe_open_noauth(domain->conn.cli,
> > > -- &ndr_table_lsarpc.syntax_id, &cli);
> > > -+ &ndr_table_lsarpc, &cli);
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
> > > -@@ -2447,7 +2447,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - anonymous:
> > > -
> > > - /* Finally fall back to anonymous. */
> > > -- status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
> > > -+ status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
> > > - &conn->samr_pipe);
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -@@ -2674,7 +2674,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - anonymous:
> > > -
> > > - result = cli_rpc_pipe_open_noauth(conn->cli,
> > > -- &ndr_table_lsarpc.syntax_id,
> > > -+ &ndr_table_lsarpc,
> > > - &conn->lsa_pipe);
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > - result = NT_STATUS_PIPE_NOT_AVAILABLE;
> > > -@@ -2765,7 +2765,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > > - TALLOC_FREE(conn->netlogon_pipe);
> > > -
> > > - result = cli_rpc_pipe_open_noauth(conn->cli,
> > > -- &ndr_table_netlogon.syntax_id,
> > > -+ &ndr_table_netlogon,
> > > - &netlogon_pipe);
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > - return result;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From fce35e003f655b3564ee4df5ebfe7f3e6ff6d188 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 24 May 2013 13:33:03 +0200
> > > -Subject: [PATCH 027/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - cli_rpc_pipe_open_noauth_transport().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 9aa99c3cfb0ff7a290dd4df472a4ff30d0efcb76)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 13 +++++++------
> > > - source3/rpc_client/cli_pipe.h | 2 +-
> > > - source3/rpcclient/rpcclient.c | 2 +-
> > > - 3 files changed, 9 insertions(+), 8 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 1137abd..4523ab7 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2865,14 +2865,14 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > > - enum dcerpc_transport_t transport,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > - struct rpc_pipe_client *result;
> > > - struct pipe_auth_data *auth;
> > > - NTSTATUS status;
> > > -
> > > -- status = cli_rpc_pipe_open(cli, transport, interface, &result);
> > > -+ status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > -@@ -2921,7 +2921,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > > - status = rpc_pipe_bind(result, auth);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - int lvl = 0;
> > > -- if (ndr_syntax_id_equal(interface,
> > > -+ if (ndr_syntax_id_equal(&table->syntax_id,
> > > - &ndr_table_dssetup.syntax_id)) {
> > > - /* non AD domains just don't have this pipe, avoid
> > > - * level 0 statement in that case - gd */
> > > -@@ -2929,7 +2929,8 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > > - }
> > > - DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
> > > - "%s failed with error %s\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), interface),
> > > -+ get_pipe_name_from_syntax(talloc_tos(),
> > > -+ &table->syntax_id),
> > > - nt_errstr(status) ));
> > > - TALLOC_FREE(result);
> > > - return status;
> > > -@@ -2937,7 +2938,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > > -
> > > - DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
> > > - "%s and bound anonymously.\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), interface),
> > > -+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > > - result->desthost));
> > > -
> > > - *presult = result;
> > > -@@ -2952,7 +2953,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > - return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
> > > -- &table->syntax_id, presult);
> > > -+ table, presult);
> > > - }
> > > -
> > > - /****************************************************************************
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index 9aae61a..f37f8a9 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -82,7 +82,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > > - enum dcerpc_transport_t transport,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult);
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> > > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > > -index e3b35bb..c23ff2d 100644
> > > ---- a/source3/rpcclient/rpcclient.c
> > > -+++ b/source3/rpcclient/rpcclient.c
> > > -@@ -690,7 +690,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - case DCERPC_AUTH_TYPE_NONE:
> > > - ntresult = cli_rpc_pipe_open_noauth_transport(
> > > - cli, default_transport,
> > > -- &cmd_entry->table->syntax_id,
> > > -+ cmd_entry->table,
> > > - &cmd_entry->rpc_pipe);
> > > - break;
> > > - case DCERPC_AUTH_TYPE_SPNEGO:
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 0d85042853b635486912688102253b2f358b5056 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 24 May 2013 13:38:01 +0200
> > > -Subject: [PATCH 028/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - cli_rpc_pipe_open().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 34cc4b409558f229fba24f59e81ef9100a851d24)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 14 +++++++-------
> > > - 1 file changed, 7 insertions(+), 7 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 4523ab7..4dc7345 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2843,7 +2843,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> > > -
> > > - static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> > > - enum dcerpc_transport_t transport,
> > > -- const struct ndr_syntax_id *interface,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > - switch (transport) {
> > > -@@ -2851,9 +2851,9 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> > > - return rpc_pipe_open_tcp(NULL,
> > > - smbXcli_conn_remote_name(cli->conn),
> > > - smbXcli_conn_remote_sockaddr(cli->conn),
> > > -- interface, presult);
> > > -+ &table->syntax_id, presult);
> > > - case NCACN_NP:
> > > -- return rpc_pipe_open_np(cli, interface, presult);
> > > -+ return rpc_pipe_open_np(cli, &table->syntax_id, presult);
> > > - default:
> > > - return NT_STATUS_NOT_IMPLEMENTED;
> > > - }
> > > -@@ -2872,7 +2872,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > > - struct pipe_auth_data *auth;
> > > - NTSTATUS status;
> > > -
> > > -- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> > > -+ status = cli_rpc_pipe_open(cli, transport, table, &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > -@@ -2977,7 +2977,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> > > -
> > > - NTSTATUS status;
> > > -
> > > -- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> > > -+ status = cli_rpc_pipe_open(cli, transport, table, &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > -@@ -3034,7 +3034,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - struct pipe_auth_data *auth;
> > > - NTSTATUS status;
> > > -
> > > -- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> > > -+ status = cli_rpc_pipe_open(cli, transport, table, &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > -@@ -3104,7 +3104,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
> > > - return NT_STATUS_INVALID_PARAMETER;
> > > - }
> > > -
> > > -- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
> > > -+ status = cli_rpc_pipe_open(cli, transport, table, &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From d5e312185a7adc8429f8caba29a9808ab7954a27 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 24 May 2013 13:40:45 +0200
> > > -Subject: [PATCH 029/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - rpc_pipe_open_np().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 8cd3a060514ddcc178c938100edfb0b177c00c8c)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 8 ++++----
> > > - 1 file changed, 4 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 4dc7345..0347d76 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2775,7 +2775,7 @@ static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_r
> > > - ****************************************************************************/
> > > -
> > > - static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> > > -- const struct ndr_syntax_id *abstract_syntax,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > - struct rpc_pipe_client *result;
> > > -@@ -2793,7 +2793,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- result->abstract_syntax = *abstract_syntax;
> > > -+ result->abstract_syntax = table->syntax_id;
> > > - result->transfer_syntax = ndr_transfer_syntax_ndr;
> > > - result->desthost = talloc_strdup(result, smbXcli_conn_remote_name(cli->conn));
> > > - result->srv_name_slash = talloc_asprintf_strupper_m(
> > > -@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- status = rpc_transport_np_init(result, cli, abstract_syntax,
> > > -+ status = rpc_transport_np_init(result, cli, &table->syntax_id,
> > > - &result->transport);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - TALLOC_FREE(result);
> > > -@@ -2853,7 +2853,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> > > - smbXcli_conn_remote_sockaddr(cli->conn),
> > > - &table->syntax_id, presult);
> > > - case NCACN_NP:
> > > -- return rpc_pipe_open_np(cli, &table->syntax_id, presult);
> > > -+ return rpc_pipe_open_np(cli, table, presult);
> > > - default:
> > > - return NT_STATUS_NOT_IMPLEMENTED;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From f1fa7838cb933fd0d390a56d823272f8528eb63c Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 24 May 2013 13:44:00 +0200
> > > -Subject: [PATCH 030/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - rpc_pipe_open_tcp().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 5c5cff0a722a0925ae75ea7aa11ede0d82d5b92d)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 8 ++++----
> > > - source3/rpc_client/cli_pipe.h | 2 +-
> > > - source3/torture/rpc_open_tcp.c | 2 +-
> > > - 3 files changed, 6 insertions(+), 6 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 0347d76..46adf69 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2663,19 +2663,19 @@ done:
> > > - */
> > > - NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
> > > - const struct sockaddr_storage *addr,
> > > -- const struct ndr_syntax_id *abstract_syntax,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > - NTSTATUS status;
> > > - uint16_t port = 0;
> > > -
> > > -- status = rpc_pipe_get_tcp_port(host, addr, abstract_syntax, &port);
> > > -+ status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > -
> > > - return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
> > > -- abstract_syntax, presult);
> > > -+ &table->syntax_id, presult);
> > > - }
> > > -
> > > - /********************************************************************
> > > -@@ -2851,7 +2851,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> > > - return rpc_pipe_open_tcp(NULL,
> > > - smbXcli_conn_remote_name(cli->conn),
> > > - smbXcli_conn_remote_sockaddr(cli->conn),
> > > -- &table->syntax_id, presult);
> > > -+ table, presult);
> > > - case NCACN_NP:
> > > - return rpc_pipe_open_np(cli, table, presult);
> > > - default:
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index f37f8a9..6fcc587 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -67,7 +67,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > > - NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
> > > - const char *host,
> > > - const struct sockaddr_storage *ss_addr,
> > > -- const struct ndr_syntax_id *abstract_syntax,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult);
> > > -
> > > - NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> > > -diff --git a/source3/torture/rpc_open_tcp.c b/source3/torture/rpc_open_tcp.c
> > > -index d29f4cf..cd27b5f 100644
> > > ---- a/source3/torture/rpc_open_tcp.c
> > > -+++ b/source3/torture/rpc_open_tcp.c
> > > -@@ -95,7 +95,7 @@ int main(int argc, const char **argv)
> > > - }
> > > -
> > > - status = rpc_pipe_open_tcp(mem_ctx, argv[2], NULL,
> > > -- &((*table)->syntax_id),
> > > -+ *table,
> > > - &rpc_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - d_printf("ERROR calling rpc_pipe_open_tcp(): %s\n",
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 67c01c15af1bbb98916e75f7cad61edcc13c2e2f Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 24 May 2013 13:46:07 +0200
> > > -Subject: [PATCH 031/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - rpc_pipe_get_tcp_port().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 0ff8c2d508949f732716e24047694cecf38597df)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 10 +++++-----
> > > - 1 file changed, 5 insertions(+), 5 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 46adf69..15e77db 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2518,7 +2518,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
> > > - */
> > > - static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> > > - const struct sockaddr_storage *addr,
> > > -- const struct ndr_syntax_id *abstract_syntax,
> > > -+ const struct ndr_interface_table *table,
> > > - uint16_t *pport)
> > > - {
> > > - NTSTATUS status;
> > > -@@ -2541,7 +2541,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> > > - goto done;
> > > - }
> > > -
> > > -- if (ndr_syntax_id_equal(abstract_syntax,
> > > -+ if (ndr_syntax_id_equal(&table->syntax_id,
> > > - &ndr_table_epmapper.syntax_id)) {
> > > - *pport = 135;
> > > - return NT_STATUS_OK;
> > > -@@ -2576,7 +2576,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> > > - }
> > > -
> > > - map_binding->transport = NCACN_IP_TCP;
> > > -- map_binding->object = *abstract_syntax;
> > > -+ map_binding->object = table->syntax_id;
> > > - map_binding->host = host; /* needed? */
> > > - map_binding->endpoint = "0"; /* correct? needed? */
> > > -
> > > -@@ -2612,7 +2612,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> > > - status = dcerpc_epm_Map(epm_handle,
> > > - tmp_ctx,
> > > - discard_const_p(struct GUID,
> > > -- &(abstract_syntax->uuid)),
> > > -+ &(table->syntax_id.uuid)),
> > > - map_tower,
> > > - entry_handle,
> > > - max_towers,
> > > -@@ -2669,7 +2669,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
> > > - NTSTATUS status;
> > > - uint16_t port = 0;
> > > -
> > > -- status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
> > > -+ status = rpc_pipe_get_tcp_port(host, addr, table, &port);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a032ff8c89e479792947af4315ed6eb59a69f8f5 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 24 May 2013 13:47:16 +0200
> > > -Subject: [PATCH 032/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - rpc_pipe_open_tcp_port().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 7bdcfcb37c5b96ee6aa0cecffd89c6d17291fe62)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 8 ++++----
> > > - 1 file changed, 4 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 15e77db..1b2955f 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2447,7 +2447,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
> > > - static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
> > > - const struct sockaddr_storage *ss_addr,
> > > - uint16_t port,
> > > -- const struct ndr_syntax_id *abstract_syntax,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > - struct rpc_pipe_client *result;
> > > -@@ -2460,7 +2460,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- result->abstract_syntax = *abstract_syntax;
> > > -+ result->abstract_syntax = table->syntax_id;
> > > - result->transfer_syntax = ndr_transfer_syntax_ndr;
> > > -
> > > - result->desthost = talloc_strdup(result, host);
> > > -@@ -2549,7 +2549,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
> > > -
> > > - /* open the connection to the endpoint mapper */
> > > - status = rpc_pipe_open_tcp_port(tmp_ctx, host, addr, 135,
> > > -- &ndr_table_epmapper.syntax_id,
> > > -+ &ndr_table_epmapper,
> > > - &epm_pipe);
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -@@ -2675,7 +2675,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
> > > - }
> > > -
> > > - return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
> > > -- &table->syntax_id, presult);
> > > -+ table, presult);
> > > - }
> > > -
> > > - /********************************************************************
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 0b4ae5ec146e35c364f01c033d6c22efb99b7314 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 24 May 2013 13:52:05 +0200
> > > -Subject: [PATCH 033/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - rpc_transport_np_init().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit c41b6e5c5e7fcdbd98c1eb2bea08378b47d343d4)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 2 +-
> > > - source3/rpc_client/rpc_transport.h | 2 +-
> > > - source3/rpc_client/rpc_transport_np.c | 4 ++--
> > > - 3 files changed, 4 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 1b2955f..1fa8d91 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- status = rpc_transport_np_init(result, cli, &table->syntax_id,
> > > -+ status = rpc_transport_np_init(result, cli, table,
> > > - &result->transport);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - TALLOC_FREE(result);
> > > -diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
> > > -index bc115dd..2b4a323 100644
> > > ---- a/source3/rpc_client/rpc_transport.h
> > > -+++ b/source3/rpc_client/rpc_transport.h
> > > -@@ -89,7 +89,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
> > > - TALLOC_CTX *mem_ctx,
> > > - struct rpc_cli_transport **presult);
> > > - NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
> > > -- const struct ndr_syntax_id *abstract_syntax,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_cli_transport **presult);
> > > -
> > > - /* The following definitions come from rpc_client/rpc_transport_sock.c */
> > > -diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
> > > -index f0696ad..7bd1ca3 100644
> > > ---- a/source3/rpc_client/rpc_transport_np.c
> > > -+++ b/source3/rpc_client/rpc_transport_np.c
> > > -@@ -152,7 +152,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
> > > - }
> > > -
> > > - NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
> > > -- const struct ndr_syntax_id *abstract_syntax,
> > > -+ const struct ndr_interface_table *table,
> > > - struct rpc_cli_transport **presult)
> > > - {
> > > - TALLOC_CTX *frame = talloc_stackframe();
> > > -@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
> > > - goto fail;
> > > - }
> > > -
> > > -- req = rpc_transport_np_init_send(frame, ev, cli, abstract_syntax);
> > > -+ req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
> > > - if (req == NULL) {
> > > - status = NT_STATUS_NO_MEMORY;
> > > - goto fail;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 739d05d91f23c4c6e17078c84192f30911cbdfcd Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 24 May 2013 13:56:53 +0200
> > > -Subject: [PATCH 034/249] s3-rpc_cli: pass down ndr_interface_table to
> > > - rpc_transport_np_init_send().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit b19e7e6638a5dd53e3c6e6701f78bf31184ed493)
> > > ----
> > > - source3/rpc_client/rpc_transport.h | 2 +-
> > > - source3/rpc_client/rpc_transport_np.c | 6 +++---
> > > - 2 files changed, 4 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
> > > -index 2b4a323..72e7609 100644
> > > ---- a/source3/rpc_client/rpc_transport.h
> > > -+++ b/source3/rpc_client/rpc_transport.h
> > > -@@ -84,7 +84,7 @@ struct cli_state;
> > > - struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
> > > - struct tevent_context *ev,
> > > - struct cli_state *cli,
> > > -- const struct ndr_syntax_id *abstract_syntax);
> > > -+ const struct ndr_interface_table *table);
> > > - NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
> > > - TALLOC_CTX *mem_ctx,
> > > - struct rpc_cli_transport **presult);
> > > -diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
> > > -index 7bd1ca3..c0f313e 100644
> > > ---- a/source3/rpc_client/rpc_transport_np.c
> > > -+++ b/source3/rpc_client/rpc_transport_np.c
> > > -@@ -40,7 +40,7 @@ static void rpc_transport_np_init_pipe_open(struct tevent_req *subreq);
> > > - struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
> > > - struct tevent_context *ev,
> > > - struct cli_state *cli,
> > > -- const struct ndr_syntax_id *abstract_syntax)
> > > -+ const struct ndr_interface_table *table)
> > > - {
> > > - struct tevent_req *req;
> > > - struct rpc_transport_np_init_state *state;
> > > -@@ -55,7 +55,7 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
> > > - state->ev = ev;
> > > - state->cli = cli;
> > > - state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
> > > -- state->pipe_name = get_pipe_name_from_syntax(state, abstract_syntax);
> > > -+ state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
> > > - if (tevent_req_nomem(state->pipe_name, req)) {
> > > - return tevent_req_post(req, ev);
> > > - }
> > > -@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
> > > - goto fail;
> > > - }
> > > -
> > > -- req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
> > > -+ req = rpc_transport_np_init_send(frame, ev, cli, table);
> > > - if (req == NULL) {
> > > - status = NT_STATUS_NO_MEMORY;
> > > - goto fail;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From c5529ee9045c44114ab1716b05d3408baa1b4e42 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 24 Sep 2008 11:04:42 +0200
> > > -Subject: [PATCH 035/249] s3: libnet_join: add admin_domain.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit c11a79c5a054e862f61c97093fa2ce5e5040f111)
> > > ----
> > > - source3/librpc/idl/libnet_join.idl | 2 ++
> > > - 1 file changed, 2 insertions(+)
> > > -
> > > -diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
> > > -index 4f28bb6..ac0a350 100644
> > > ---- a/source3/librpc/idl/libnet_join.idl
> > > -+++ b/source3/librpc/idl/libnet_join.idl
> > > -@@ -21,6 +21,7 @@ interface libnetjoin
> > > - [in,ref] string *domain_name,
> > > - [in] string account_ou,
> > > - [in] string admin_account,
> > > -+ [in] string admin_domain,
> > > - [in,noprint] string admin_password,
> > > - [in] string machine_password,
> > > - [in] wkssvc_joinflags join_flags,
> > > -@@ -51,6 +52,7 @@ interface libnetjoin
> > > - [in] string domain_name,
> > > - [in] string account_ou,
> > > - [in] string admin_account,
> > > -+ [in] string admin_domain,
> > > - [in,noprint] string admin_password,
> > > - [in] string machine_password,
> > > - [in] wkssvc_joinflags unjoin_flags,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a0d8f42ac44d279ae7bc599792cd1d564925dcbf Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 24 Sep 2008 11:05:37 +0200
> > > -Subject: [PATCH 036/249] s3: libnet_join: use admin_domain in libnetjoin.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit cc0cbd4fdc6e07538d67cc41ca07bad1eaebf493)
> > > ----
> > > - source3/libnet/libnet_join.c | 27 ++++++++++++++++++++++++++-
> > > - 1 file changed, 26 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index 324c8f3..2253079 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -701,6 +701,7 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
> > > -
> > > - static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
> > > - const char *user,
> > > -+ const char *domain,
> > > - const char *pass,
> > > - bool use_kerberos,
> > > - struct cli_state **cli)
> > > -@@ -720,7 +721,7 @@ static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
> > > - NULL, 0,
> > > - "IPC$", "IPC",
> > > - user,
> > > -- NULL,
> > > -+ domain,
> > > - pass,
> > > - flags,
> > > - SMB_SIGNING_DEFAULT);
> > > -@@ -742,6 +743,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
> > > -
> > > - status = libnet_join_connect_dc_ipc(r->in.dc_name,
> > > - r->in.admin_account,
> > > -+ r->in.admin_domain,
> > > - r->in.admin_password,
> > > - r->in.use_kerberos,
> > > - cli);
> > > -@@ -1368,6 +1370,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
> > > -
> > > - status = libnet_join_connect_dc_ipc(r->in.dc_name,
> > > - r->in.admin_account,
> > > -+ r->in.admin_domain,
> > > - r->in.admin_password,
> > > - r->in.use_kerberos,
> > > - &cli);
> > > -@@ -1755,6 +1758,17 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
> > > - return WERR_SETUP_DOMAIN_CONTROLLER;
> > > - }
> > > -
> > > -+ if (!r->in.admin_domain) {
> > > -+ char *admin_domain = NULL;
> > > -+ char *admin_account = NULL;
> > > -+ split_domain_user(mem_ctx,
> > > -+ r->in.admin_account,
> > > -+ &admin_domain,
> > > -+ &admin_account);
> > > -+ r->in.admin_domain = admin_domain;
> > > -+ r->in.admin_account = admin_account;
> > > -+ }
> > > -+
> > > - if (!secrets_init()) {
> > > - libnet_join_set_error_string(mem_ctx, r,
> > > - "Unable to open secrets database");
> > > -@@ -2316,6 +2330,17 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
> > > - return WERR_SETUP_DOMAIN_CONTROLLER;
> > > - }
> > > -
> > > -+ if (!r->in.admin_domain) {
> > > -+ char *admin_domain = NULL;
> > > -+ char *admin_account = NULL;
> > > -+ split_domain_user(mem_ctx,
> > > -+ r->in.admin_account,
> > > -+ &admin_domain,
> > > -+ &admin_account);
> > > -+ r->in.admin_domain = admin_domain;
> > > -+ r->in.admin_account = admin_account;
> > > -+ }
> > > -+
> > > - if (!secrets_init()) {
> > > - libnet_unjoin_set_error_string(mem_ctx, r,
> > > - "Unable to open secrets database");
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 46f8496292a12b7acdd045d126b61fa9d8afee74 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Thu, 6 Nov 2008 11:40:03 +0100
> > > -Subject: [PATCH 037/249] s3-libnetjoin: add machine_name length check.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit c4d6d75cf48aed7b17728e283581366143fa4233)
> > > ----
> > > - source3/libnet/libnet_join.c | 9 +++++++++
> > > - 1 file changed, 9 insertions(+)
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index 2253079..b731d9b 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -1746,6 +1746,15 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
> > > - return WERR_INVALID_PARAM;
> > > - }
> > > -
> > > -+ if (strlen(r->in.machine_name) > 15) {
> > > -+ libnet_join_set_error_string(mem_ctx, r,
> > > -+ "Our netbios name can be at most 15 chars long, "
> > > -+ "\"%s\" is %u chars long\n",
> > > -+ r->in.machine_name,
> > > -+ (unsigned int)strlen(r->in.machine_name));
> > > -+ return WERR_INVALID_PARAM;
> > > -+ }
> > > -+
> > > - if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
> > > - &r->in.domain_name,
> > > - &r->in.dc_name)) {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a60cf7ddd4e2d41d92cdd35ab05f2d6a30b055c9 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Thu, 6 Nov 2008 13:37:45 +0100
> > > -Subject: [PATCH 038/249] s3-libnetjoin: move "net rpc oldjoin" to use
> > > - libnetjoin.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit d398a12f7907866189c1b253ca6a40e5454f42a1)
> > > ----
> > > - source3/utils/net_rpc.c | 182 ++++++++++++++++++++++--------------------------
> > > - 1 file changed, 84 insertions(+), 98 deletions(-)
> > > -
> > > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > > -index 69ff14d..720e9d2 100644
> > > ---- a/source3/utils/net_rpc.c
> > > -+++ b/source3/utils/net_rpc.c
> > > -@@ -37,6 +37,8 @@
> > > - #include "secrets.h"
> > > - #include "lib/netapi/netapi.h"
> > > - #include "lib/netapi/netapi_net.h"
> > > -+#include "librpc/gen_ndr/libnet_join.h"
> > > -+#include "libnet/libnet_join.h"
> > > - #include "rpc_client/init_lsa.h"
> > > - #include "../libcli/security/security.h"
> > > - #include "libsmb/libsmb.h"
> > > -@@ -314,48 +316,46 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
> > > - }
> > > -
> > > - /**
> > > -- * Join a domain, the old way.
> > > -+ * Join a domain, the old way. This function exists to allow
> > > -+ * the message to be displayed when oldjoin was explicitly
> > > -+ * requested, but not when it was implied by "net rpc join".
> > > - *
> > > - * This uses 'machinename' as the inital password, and changes it.
> > > - *
> > > - * The password should be created with 'server manager' or equiv first.
> > > - *
> > > -- * All parameters are provided by the run_rpc_command function, except for
> > > -- * argc, argv which are passed through.
> > > -- *
> > > -- * @param domain_sid The domain sid acquired from the remote server.
> > > -- * @param cli A cli_state connected to the server.
> > > -- * @param mem_ctx Talloc context, destroyed on completion of the function.
> > > - * @param argc Standard main() style argc.
> > > - * @param argv Standard main() style argv. Initial components are already
> > > - * stripped.
> > > - *
> > > -- * @return Normal NTSTATUS return.
> > > -+ * @return A shell status integer (0 for success).
> > > - **/
> > > -
> > > --static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
> > > -- const struct dom_sid *domain_sid,
> > > -- const char *domain_name,
> > > -- struct cli_state *cli,
> > > -- struct rpc_pipe_client *pipe_hnd,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- int argc,
> > > -- const char **argv)
> > > -+static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
> > > - {
> > > -+ struct libnet_JoinCtx *r = NULL;
> > > -+ TALLOC_CTX *mem_ctx;
> > > -+ WERROR werr;
> > > -+ const char *domain = lp_workgroup(); /* FIXME */
> > > -+ bool modify_config = lp_config_backend_is_registry();
> > > -+ enum netr_SchannelType sec_chan_type;
> > > -+ char *pw = NULL;
> > > -
> > > -- fstring trust_passwd;
> > > -- unsigned char orig_trust_passwd_hash[16];
> > > -- NTSTATUS result;
> > > -- enum netr_SchannelType sec_channel_type;
> > > -+ if (c->display_usage) {
> > > -+ d_printf("Usage:\n"
> > > -+ "net rpc oldjoin\n"
> > > -+ " Join a domain the old way\n");
> > > -+ return 0;
> > > -+ }
> > > -
> > > -- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > > -- &pipe_hnd);
> > > -- if (!NT_STATUS_IS_OK(result)) {
> > > -- DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
> > > -- "error was %s\n",
> > > -- smbXcli_conn_remote_name(cli->conn),
> > > -- nt_errstr(result) ));
> > > -- return result;
> > > -+ mem_ctx = talloc_init("net_rpc_oldjoin");
> > > -+ if (!mem_ctx) {
> > > -+ return -1;
> > > -+ }
> > > -+
> > > -+ werr = libnet_init_JoinCtx(mem_ctx, &r);
> > > -+ if (!W_ERROR_IS_OK(werr)) {
> > > -+ goto fail;
> > > - }
> > > -
> > > - /*
> > > -@@ -363,92 +363,78 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
> > > - a BDC, the server must agree that we are a BDC.
> > > - */
> > > - if (argc >= 0) {
> > > -- sec_channel_type = get_sec_channel_type(argv[0]);
> > > -+ sec_chan_type = get_sec_channel_type(argv[0]);
> > > - } else {
> > > -- sec_channel_type = get_sec_channel_type(NULL);
> > > -+ sec_chan_type = get_sec_channel_type(NULL);
> > > - }
> > > -
> > > -- fstrcpy(trust_passwd, lp_netbios_name());
> > > -- if (!strlower_m(trust_passwd)) {
> > > -- return NT_STATUS_UNSUCCESSFUL;
> > > -+ if (!c->msg_ctx) {
> > > -+ d_fprintf(stderr, _("Could not initialise message context. "
> > > -+ "Try running as root\n"));
> > > -+ werr = WERR_ACCESS_DENIED;
> > > -+ goto fail;
> > > - }
> > > -
> > > -- /*
> > > -- * Machine names can be 15 characters, but the max length on
> > > -- * a password is 14. --jerry
> > > -- */
> > > --
> > > -- trust_passwd[14] = '\0';
> > > --
> > > -- E_md4hash(trust_passwd, orig_trust_passwd_hash);
> > > --
> > > -- result = trust_pw_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup,
> > > -- lp_netbios_name(),
> > > -- orig_trust_passwd_hash,
> > > -- sec_channel_type);
> > > --
> > > -- if (NT_STATUS_IS_OK(result))
> > > -- printf(_("Joined domain %s.\n"), c->opt_target_workgroup);
> > > -+ pw = talloc_strndup(r, lp_netbios_name(), 14);
> > > -+ if (pw == NULL) {
> > > -+ werr = WERR_NOMEM;
> > > -+ goto fail;
> > > -+ }
> > > -
> > > -+ r->in.msg_ctx = c->msg_ctx;
> > > -+ r->in.domain_name = domain;
> > > -+ r->in.secure_channel_type = sec_chan_type;
> > > -+ r->in.dc_name = c->opt_host;
> > > -+ r->in.admin_account = "";
> > > -+ r->in.admin_password = strlower_talloc(r, pw);
> > > -+ if (r->in.admin_password == NULL) {
> > > -+ werr = WERR_NOMEM;
> > > -+ goto fail;
> > > -+ }
> > > -+ r->in.debug = true;
> > > -+ r->in.modify_config = modify_config;
> > > -+ r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
> > > -+ WKSSVC_JOIN_FLAGS_JOIN_UNSECURE |
> > > -+ WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED;
> > > -
> > > -- if (!secrets_store_domain_sid(c->opt_target_workgroup, domain_sid)) {
> > > -- DEBUG(0, ("error storing domain sid for %s\n", c->opt_target_workgroup));
> > > -- result = NT_STATUS_UNSUCCESSFUL;
> > > -+ werr = libnet_Join(mem_ctx, r);
> > > -+ if (!W_ERROR_IS_OK(werr)) {
> > > -+ goto fail;
> > > - }
> > > -
> > > -- return result;
> > > --}
> > > -+ /* Check the short name of the domain */
> > > -
> > > --/**
> > > -- * Join a domain, the old way.
> > > -- *
> > > -- * @param argc Standard main() style argc.
> > > -- * @param argv Standard main() style argv. Initial components are already
> > > -- * stripped.
> > > -- *
> > > -- * @return A shell status integer (0 for success).
> > > -- **/
> > > -+ if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
> > > -+ d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
> > > -+ d_printf("domain name obtained from the server.\n");
> > > -+ d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
> > > -+ d_printf("You should set \"workgroup = %s\" in %s.\n",
> > > -+ r->out.netbios_domain_name, get_dyn_CONFIGFILE());
> > > -+ }
> > > -
> > > --static int net_rpc_perform_oldjoin(struct net_context *c, int argc, const char **argv)
> > > --{
> > > -- return run_rpc_command(c, NULL, &ndr_table_netlogon,
> > > -- NET_FLAGS_NO_PIPE | NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
> > > -- rpc_oldjoin_internals,
> > > -- argc, argv);
> > > --}
> > > -+ d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
> > > -
> > > --/**
> > > -- * Join a domain, the old way. This function exists to allow
> > > -- * the message to be displayed when oldjoin was explicitly
> > > -- * requested, but not when it was implied by "net rpc join".
> > > -- *
> > > -- * @param argc Standard main() style argc.
> > > -- * @param argv Standard main() style argv. Initial components are already
> > > -- * stripped.
> > > -- *
> > > -- * @return A shell status integer (0 for success).
> > > -- **/
> > > -+ if (r->out.dns_domain_name) {
> > > -+ d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
> > > -+ r->out.dns_domain_name);
> > > -+ } else {
> > > -+ d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
> > > -+ r->out.netbios_domain_name);
> > > -+ }
> > > -
> > > --static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
> > > --{
> > > -- int rc = -1;
> > > -+ TALLOC_FREE(mem_ctx);
> > > -
> > > -- if (c->display_usage) {
> > > -- d_printf( "%s\n"
> > > -- "net rpc oldjoin\n"
> > > -- " %s\n",
> > > -- _("Usage:"),
> > > -- _("Join a domain the old way"));
> > > -- return 0;
> > > -- }
> > > -+ return 0;
> > > -
> > > -- rc = net_rpc_perform_oldjoin(c, argc, argv);
> > > -+fail:
> > > -+ /* issue an overall failure message at the end. */
> > > -+ d_fprintf(stderr, _("Failed to join domain: %s\n"),
> > > -+ r && r->out.error_string ? r->out.error_string :
> > > -+ get_friendly_werror_msg(werr));
> > > -
> > > -- if (rc) {
> > > -- d_fprintf(stderr, _("Failed to join domain\n"));
> > > -- }
> > > -+ TALLOC_FREE(mem_ctx);
> > > -
> > > -- return rc;
> > > -+ return -1;
> > > - }
> > > -
> > > - /**
> > > -@@ -492,7 +478,7 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
> > > - return -1;
> > > - }
> > > -
> > > -- if ((net_rpc_perform_oldjoin(c, argc, argv) == 0))
> > > -+ if ((net_rpc_oldjoin(c, argc, argv) == 0))
> > > - return 0;
> > > -
> > > - return net_rpc_join_newstyle(c, argc, argv);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 3185251186366984b5ec06322c75cfda71dccdbc Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 13 Jun 2013 19:12:27 +0200
> > > -Subject: [PATCH 039/249] s3:libnet: let the caller truncate the pw in
> > > - libnet_join_joindomain_rpc_unsecure()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 1242ab0cb3bf575b695b39313604af9d0a7f1b3a)
> > > ----
> > > - source3/libnet/libnet_join.c | 15 +--------------
> > > - 1 file changed, 1 insertion(+), 14 deletions(-)
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index b731d9b..d8ec235 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -818,7 +818,6 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> > > - struct rpc_pipe_client *pipe_hnd = NULL;
> > > - unsigned char orig_trust_passwd_hash[16];
> > > - unsigned char new_trust_passwd_hash[16];
> > > -- fstring trust_passwd;
> > > - NTSTATUS status;
> > > -
> > > - status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > > -@@ -837,19 +836,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> > > - E_md4hash(r->in.machine_password, new_trust_passwd_hash);
> > > -
> > > - /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
> > > -- fstrcpy(trust_passwd, r->in.admin_password);
> > > -- if (!strlower_m(trust_passwd)) {
> > > -- return NT_STATUS_INVALID_PARAMETER;
> > > -- }
> > > --
> > > -- /*
> > > -- * Machine names can be 15 characters, but the max length on
> > > -- * a password is 14. --jerry
> > > -- */
> > > --
> > > -- trust_passwd[14] = '\0';
> > > --
> > > -- E_md4hash(trust_passwd, orig_trust_passwd_hash);
> > > -+ E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
> > > -
> > > - status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
> > > - r->in.machine_name,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From e1e15a73a9a5215866f6471c5e583457c516b47e Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Tue, 3 Feb 2009 20:10:05 +0100
> > > -Subject: [PATCH 040/249] s3-net: use libnetjoin for "net rpc testjoin".
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 9cfa6251600ddea0e821f2bd3fd359c28eb1b7f9)
> > > ----
> > > - source3/utils/net_proto.h | 2 +-
> > > - source3/utils/net_rpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++
> > > - source3/utils/net_rpc_join.c | 29 -------------------
> > > - 3 files changed, 67 insertions(+), 30 deletions(-)
> > > -
> > > -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
> > > -index 03fb312..d791708 100644
> > > ---- a/source3/utils/net_proto.h
> > > -+++ b/source3/utils/net_proto.h
> > > -@@ -145,6 +145,7 @@ int run_rpc_command(struct net_context *c,
> > > - int argc,
> > > - const char **argv);
> > > - int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
> > > -+int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
> > > - int net_rpc_join(struct net_context *c, int argc, const char **argv);
> > > - NTSTATUS rpc_info_internals(struct net_context *c,
> > > - const struct dom_sid *domain_sid,
> > > -@@ -205,7 +206,6 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
> > > - const char *server,
> > > - const struct sockaddr_storage *server_ss);
> > > - int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
> > > --int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
> > > -
> > > - /* The following definitions come from utils/net_rpc_printer.c */
> > > -
> > > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > > -index 720e9d2..592be44 100644
> > > ---- a/source3/utils/net_rpc.c
> > > -+++ b/source3/utils/net_rpc.c
> > > -@@ -438,6 +438,72 @@ fail:
> > > - }
> > > -
> > > - /**
> > > -+ * check that a join is OK
> > > -+ *
> > > -+ * @return A shell status integer (0 for success)
> > > -+ *
> > > -+ **/
> > > -+int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> > > -+{
> > > -+ NTSTATUS status;
> > > -+ TALLOC_CTX *mem_ctx;
> > > -+ const char *domain = c->opt_target_workgroup;
> > > -+ const char *dc = c->opt_host;
> > > -+
> > > -+ if (c->display_usage) {
> > > -+ d_printf("Usage\n"
> > > -+ "net rpc testjoin\n"
> > > -+ " Test if a join is OK\n");
> > > -+ return 0;
> > > -+ }
> > > -+
> > > -+ mem_ctx = talloc_init("net_rpc_testjoin");
> > > -+ if (!mem_ctx) {
> > > -+ return -1;
> > > -+ }
> > > -+
> > > -+ if (!dc) {
> > > -+ struct netr_DsRGetDCNameInfo *info;
> > > -+
> > > -+ if (!c->msg_ctx) {
> > > -+ d_fprintf(stderr, _("Could not initialise message context. "
> > > -+ "Try running as root\n"));
> > > -+ talloc_destroy(mem_ctx);
> > > -+ return -1;
> > > -+ }
> > > -+
> > > -+ status = dsgetdcname(mem_ctx,
> > > -+ c->msg_ctx,
> > > -+ domain,
> > > -+ NULL,
> > > -+ NULL,
> > > -+ DS_RETURN_DNS_NAME,
> > > -+ &info);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ talloc_destroy(mem_ctx);
> > > -+ return -1;
> > > -+ }
> > > -+
> > > -+ dc = strip_hostname(info->dc_unc);
> > > -+ }
> > > -+
> > > -+ /* Display success or failure */
> > > -+ status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
> > > -+ c->opt_kerberos);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
> > > -+ domain, nt_errstr(status));
> > > -+ talloc_destroy(mem_ctx);
> > > -+ return -1;
> > > -+ }
> > > -+
> > > -+ printf("Join to '%s' is OK\n",domain);
> > > -+ talloc_destroy(mem_ctx);
> > > -+
> > > -+ return 0;
> > > -+}
> > > -+
> > > -+/**
> > > - * 'net rpc join' entrypoint.
> > > - * @param argc Standard main() style argc.
> > > - * @param argv Standard main() style argv. Initial components are already
> > > -diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
> > > -index aabbe54..ee39a5c 100644
> > > ---- a/source3/utils/net_rpc_join.c
> > > -+++ b/source3/utils/net_rpc_join.c
> > > -@@ -561,32 +561,3 @@ done:
> > > -
> > > - return retval;
> > > - }
> > > --
> > > --/**
> > > -- * check that a join is OK
> > > -- *
> > > -- * @return A shell status integer (0 for success)
> > > -- *
> > > -- **/
> > > --int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> > > --{
> > > -- NTSTATUS nt_status;
> > > --
> > > -- if (c->display_usage) {
> > > -- d_printf(_("Usage\n"
> > > -- "net rpc testjoin\n"
> > > -- " Test if a join is OK\n"));
> > > -- return 0;
> > > -- }
> > > --
> > > -- /* Display success or failure */
> > > -- nt_status = net_rpc_join_ok(c, c->opt_target_workgroup, NULL, NULL);
> > > -- if (!NT_STATUS_IS_OK(nt_status)) {
> > > -- fprintf(stderr, _("Join to domain '%s' is not valid: %s\n"),
> > > -- c->opt_target_workgroup, nt_errstr(nt_status));
> > > -- return -1;
> > > -- }
> > > --
> > > -- printf(_("Join to '%s' is OK\n"), c->opt_target_workgroup);
> > > -- return 0;
> > > --}
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a0474baa59c0991c2b2d8e3f425c9a6845162f45 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Tue, 3 Feb 2009 20:21:05 +0100
> > > -Subject: [PATCH 041/249] s3-net: use libnetjoin for "net rpc join" newstyle.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 3e4ded48bbeacdcd128f3c667cbdd12a3efca312)
> > > ----
> > > - source3/utils/net_proto.h | 8 +---
> > > - source3/utils/net_rpc.c | 106 ++++++++++++++++++++++++++++++++++++++++++++++
> > > - source3/wscript_build | 2 +-
> > > - 3 files changed, 108 insertions(+), 8 deletions(-)
> > > -
> > > -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
> > > -index d791708..1809ba9 100644
> > > ---- a/source3/utils/net_proto.h
> > > -+++ b/source3/utils/net_proto.h
> > > -@@ -146,6 +146,7 @@ int run_rpc_command(struct net_context *c,
> > > - const char **argv);
> > > - int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
> > > - int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
> > > -+int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
> > > - int net_rpc_join(struct net_context *c, int argc, const char **argv);
> > > - NTSTATUS rpc_info_internals(struct net_context *c,
> > > - const struct dom_sid *domain_sid,
> > > -@@ -200,13 +201,6 @@ int net_rpc(struct net_context *c, int argc, const char **argv);
> > > -
> > > - int net_rpc_audit(struct net_context *c, int argc, const char **argv);
> > > -
> > > --/* The following definitions come from utils/net_rpc_join.c */
> > > --
> > > --NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
> > > -- const char *server,
> > > -- const struct sockaddr_storage *server_ss);
> > > --int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
> > > --
> > > - /* The following definitions come from utils/net_rpc_printer.c */
> > > -
> > > - NTSTATUS net_copy_fileattr(struct net_context *c,
> > > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > > -index 592be44..6358460 100644
> > > ---- a/source3/utils/net_rpc.c
> > > -+++ b/source3/utils/net_rpc.c
> > > -@@ -504,6 +504,112 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> > > - }
> > > -
> > > - /**
> > > -+ * Join a domain using the administrator username and password
> > > -+ *
> > > -+ * @param argc Standard main() style argc
> > > -+ * @param argc Standard main() style argv. Initial components are already
> > > -+ * stripped. Currently not used.
> > > -+ * @return A shell status integer (0 for success)
> > > -+ *
> > > -+ **/
> > > -+
> > > -+int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > > -+{
> > > -+ struct libnet_JoinCtx *r = NULL;
> > > -+ TALLOC_CTX *mem_ctx;
> > > -+ WERROR werr;
> > > -+ const char *domain = lp_workgroup(); /* FIXME */
> > > -+ bool modify_config = lp_config_backend_is_registry();
> > > -+ enum netr_SchannelType sec_chan_type;
> > > -+
> > > -+ if (c->display_usage) {
> > > -+ d_printf("Usage:\n"
> > > -+ "net rpc join\n"
> > > -+ " Join a domain the new way\n");
> > > -+ return 0;
> > > -+ }
> > > -+
> > > -+ mem_ctx = talloc_init("net_rpc_join_newstyle");
> > > -+ if (!mem_ctx) {
> > > -+ return -1;
> > > -+ }
> > > -+
> > > -+ werr = libnet_init_JoinCtx(mem_ctx, &r);
> > > -+ if (!W_ERROR_IS_OK(werr)) {
> > > -+ goto fail;
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ check what type of join - if the user want's to join as
> > > -+ a BDC, the server must agree that we are a BDC.
> > > -+ */
> > > -+ if (argc >= 0) {
> > > -+ sec_chan_type = get_sec_channel_type(argv[0]);
> > > -+ } else {
> > > -+ sec_chan_type = get_sec_channel_type(NULL);
> > > -+ }
> > > -+
> > > -+ if (!c->msg_ctx) {
> > > -+ d_fprintf(stderr, _("Could not initialise message context. "
> > > -+ "Try running as root\n"));
> > > -+ werr = WERR_ACCESS_DENIED;
> > > -+ goto fail;
> > > -+ }
> > > -+
> > > -+ r->in.msg_ctx = c->msg_ctx;
> > > -+ r->in.domain_name = domain;
> > > -+ r->in.secure_channel_type = sec_chan_type;
> > > -+ r->in.dc_name = c->opt_host;
> > > -+ r->in.admin_account = c->opt_user_name;
> > > -+ r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
> > > -+ r->in.debug = true;
> > > -+ r->in.use_kerberos = c->opt_kerberos;
> > > -+ r->in.modify_config = modify_config;
> > > -+ r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
> > > -+ WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
> > > -+ WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
> > > -+
> > > -+ werr = libnet_Join(mem_ctx, r);
> > > -+ if (!W_ERROR_IS_OK(werr)) {
> > > -+ goto fail;
> > > -+ }
> > > -+
> > > -+ /* Check the short name of the domain */
> > > -+
> > > -+ if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
> > > -+ d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
> > > -+ d_printf("domain name obtained from the server.\n");
> > > -+ d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
> > > -+ d_printf("You should set \"workgroup = %s\" in %s.\n",
> > > -+ r->out.netbios_domain_name, get_dyn_CONFIGFILE());
> > > -+ }
> > > -+
> > > -+ d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
> > > -+
> > > -+ if (r->out.dns_domain_name) {
> > > -+ d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
> > > -+ r->out.dns_domain_name);
> > > -+ } else {
> > > -+ d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
> > > -+ r->out.netbios_domain_name);
> > > -+ }
> > > -+
> > > -+ TALLOC_FREE(mem_ctx);
> > > -+
> > > -+ return 0;
> > > -+
> > > -+fail:
> > > -+ /* issue an overall failure message at the end. */
> > > -+ d_printf("Failed to join domain: %s\n",
> > > -+ r && r->out.error_string ? r->out.error_string :
> > > -+ get_friendly_werror_msg(werr));
> > > -+
> > > -+ TALLOC_FREE(mem_ctx);
> > > -+
> > > -+ return -1;
> > > -+}
> > > -+
> > > -+/**
> > > - * 'net rpc join' entrypoint.
> > > - * @param argc Standard main() style argc.
> > > - * @param argv Standard main() style argv. Initial components are already
> > > -diff --git a/source3/wscript_build b/source3/wscript_build
> > > -index 9461b05..0bf84e2 100755
> > > ---- a/source3/wscript_build
> > > -+++ b/source3/wscript_build
> > > -@@ -507,7 +507,7 @@ LIBNET_SAMSYNC_SRC = '''libnet/libnet_samsync.c
> > > -
> > > - NET_SRC1 = '''utils/net.c utils/net_ads.c utils/net_help.c
> > > - utils/net_rap.c utils/net_rpc.c utils/net_rpc_samsync.c
> > > -- utils/net_rpc_join.c utils/net_time.c utils/net_lookup.c
> > > -+ utils/net_time.c utils/net_lookup.c
> > > - utils/net_cache.c utils/net_groupmap.c
> > > - utils/net_idmap.c utils/net_idmap_check.c
> > > - utils/interact.c
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From b2aad96d2ffd5545c250cce605dfdb7f0852806c Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 15 Jul 2013 13:28:34 +0200
> > > -Subject: [PATCH 042/249] s3-net: avoid confusing output in net_rpc_oldjoin()
> > > - if NET_FLAGS_EXPECT_FALLBACK is passed
> > > -
> > > -"net rpc join" tries net_rpc_oldjoin() first and falls back to
> > > -net_rpc_join_newstyle(). We should not print the join failed
> > > -if just net_rpc_oldjoin() failed.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 05d9b4165af9e7f03d3fbeb64db4fc305fcec4df)
> > > ----
> > > - source3/utils/net.h | 1 +
> > > - source3/utils/net_proto.h | 1 -
> > > - source3/utils/net_rpc.c | 15 +++++++++++++--
> > > - 3 files changed, 14 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/source3/utils/net.h b/source3/utils/net.h
> > > -index 2056d89..e97734a 100644
> > > ---- a/source3/utils/net.h
> > > -+++ b/source3/utils/net.h
> > > -@@ -182,6 +182,7 @@ enum netdom_domain_t { ND_TYPE_NT4, ND_TYPE_AD };
> > > - #define NET_FLAGS_SIGN 0x00000040 /* sign RPC connection */
> > > - #define NET_FLAGS_SEAL 0x00000080 /* seal RPC connection */
> > > - #define NET_FLAGS_TCP 0x00000100 /* use ncacn_ip_tcp */
> > > -+#define NET_FLAGS_EXPECT_FALLBACK 0x00000200 /* the caller will fallback */
> > > -
> > > - /* net share operation modes */
> > > - #define NET_MODE_SHARE_MIGRATE 1
> > > -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
> > > -index 1809ba9..25e9db2 100644
> > > ---- a/source3/utils/net_proto.h
> > > -+++ b/source3/utils/net_proto.h
> > > -@@ -146,7 +146,6 @@ int run_rpc_command(struct net_context *c,
> > > - const char **argv);
> > > - int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
> > > - int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
> > > --int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
> > > - int net_rpc_join(struct net_context *c, int argc, const char **argv);
> > > - NTSTATUS rpc_info_internals(struct net_context *c,
> > > - const struct dom_sid *domain_sid,
> > > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > > -index 6358460..dff8801 100644
> > > ---- a/source3/utils/net_rpc.c
> > > -+++ b/source3/utils/net_rpc.c
> > > -@@ -427,11 +427,16 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
> > > - return 0;
> > > -
> > > - fail:
> > > -+ if (c->opt_flags & NET_FLAGS_EXPECT_FALLBACK) {
> > > -+ goto cleanup;
> > > -+ }
> > > -+
> > > - /* issue an overall failure message at the end. */
> > > - d_fprintf(stderr, _("Failed to join domain: %s\n"),
> > > - r && r->out.error_string ? r->out.error_string :
> > > - get_friendly_werror_msg(werr));
> > > -
> > > -+cleanup:
> > > - TALLOC_FREE(mem_ctx);
> > > -
> > > - return -1;
> > > -@@ -513,7 +518,7 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> > > - *
> > > - **/
> > > -
> > > --int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > > -+static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> > > - {
> > > - struct libnet_JoinCtx *r = NULL;
> > > - TALLOC_CTX *mem_ctx;
> > > -@@ -623,6 +628,8 @@ fail:
> > > -
> > > - int net_rpc_join(struct net_context *c, int argc, const char **argv)
> > > - {
> > > -+ int ret;
> > > -+
> > > - if (c->display_usage) {
> > > - d_printf("%s\n%s",
> > > - _("Usage:"),
> > > -@@ -650,8 +657,12 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
> > > - return -1;
> > > - }
> > > -
> > > -- if ((net_rpc_oldjoin(c, argc, argv) == 0))
> > > -+ c->opt_flags |= NET_FLAGS_EXPECT_FALLBACK;
> > > -+ ret = net_rpc_oldjoin(c, argc, argv);
> > > -+ c->opt_flags &= ~NET_FLAGS_EXPECT_FALLBACK;
> > > -+ if (ret == 0) {
> > > - return 0;
> > > -+ }
> > > -
> > > - return net_rpc_join_newstyle(c, argc, argv);
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 8e8a2602d1c793f9a46e5219dea91a46e34d24ca Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 16 Jul 2013 10:07:30 +0200
> > > -Subject: [PATCH 043/249] s4:librpc: fix netlogon connections against servers
> > > - without AES support
> > > -
> > > -LogonGetCapabilities() only works on the credential chain if
> > > -the server supports AES, so we need to work on a temporary copy
> > > -until we know the server replied a valid return authenticator.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 34fa7946993506fde2c6b30e4a41bea27390a814)
> > > ----
> > > - source4/librpc/rpc/dcerpc_schannel.c | 8 ++++++--
> > > - 1 file changed, 6 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
> > > -index 1480486..130ebeb 100644
> > > ---- a/source4/librpc/rpc/dcerpc_schannel.c
> > > -+++ b/source4/librpc/rpc/dcerpc_schannel.c
> > > -@@ -385,6 +385,7 @@ struct auth_schannel_state {
> > > - struct loadparm_context *lp_ctx;
> > > - uint8_t auth_level;
> > > - struct netlogon_creds_CredentialState *creds_state;
> > > -+ struct netlogon_creds_CredentialState save_creds_state;
> > > - struct netr_Authenticator auth;
> > > - struct netr_Authenticator return_auth;
> > > - union netr_Capabilities capabilities;
> > > -@@ -449,7 +450,8 @@ static void continue_bind_auth(struct composite_context *ctx)
> > > - s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
> > > - if (composite_nomem(s->creds_state, c)) return;
> > > -
> > > -- netlogon_creds_client_authenticator(s->creds_state, &s->auth);
> > > -+ s->save_creds_state = *s->creds_state;
> > > -+ netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
> > > -
> > > - s->c.in.server_name = talloc_asprintf(c,
> > > - "\\\\%s",
> > > -@@ -519,12 +521,14 @@ static void continue_get_capabilities(struct tevent_req *subreq)
> > > - }
> > > -
> > > - /* verify credentials */
> > > -- if (!netlogon_creds_client_check(s->creds_state,
> > > -+ if (!netlogon_creds_client_check(&s->save_creds_state,
> > > - &s->c.out.return_authenticator->cred)) {
> > > - composite_error(c, NT_STATUS_UNSUCCESSFUL);
> > > - return;
> > > - }
> > > -
> > > -+ *s->creds_state = s->save_creds_state;
> > > -+
> > > - if (!NT_STATUS_IS_OK(s->c.out.result)) {
> > > - composite_error(c, s->c.out.result);
> > > - return;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 300fb415d5a6a60702b0c8464e0e76cf0e11fdeb Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 22 Mar 2013 15:07:10 +0100
> > > -Subject: [PATCH 044/249] s3:rpcclient: use talloc_stackframe() in do_cmd()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit d54c908ff5bef774f5cca038741558089ff6baeb)
> > > ----
> > > - source3/rpcclient/rpcclient.c | 8 ++++++--
> > > - 1 file changed, 6 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > > -index c23ff2d..9bf296e 100644
> > > ---- a/source3/rpcclient/rpcclient.c
> > > -+++ b/source3/rpcclient/rpcclient.c
> > > -@@ -678,7 +678,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > -
> > > - /* Create mem_ctx */
> > > -
> > > -- if (!(mem_ctx = talloc_init("do_cmd"))) {
> > > -+ if (!(mem_ctx = talloc_stackframe())) {
> > > - DEBUG(0, ("talloc_init() failed\n"));
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -@@ -745,12 +745,14 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - "auth type %u\n",
> > > - cmd_entry->table->name,
> > > - pipe_default_auth_type ));
> > > -+ talloc_free(mem_ctx);
> > > - return NT_STATUS_UNSUCCESSFUL;
> > > - }
> > > - if (!NT_STATUS_IS_OK(ntresult)) {
> > > - DEBUG(0, ("Could not initialise %s. Error was %s\n",
> > > - cmd_entry->table->name,
> > > - nt_errstr(ntresult) ));
> > > -+ talloc_free(mem_ctx);
> > > - return ntresult;
> > > - }
> > > -
> > > -@@ -765,6 +767,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - trust_password, &machine_account,
> > > - &sec_channel_type))
> > > - {
> > > -+ talloc_free(mem_ctx);
> > > - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > - }
> > > -
> > > -@@ -780,6 +783,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - if (!NT_STATUS_IS_OK(ntresult)) {
> > > - DEBUG(0, ("Could not initialise credentials for %s.\n",
> > > - cmd_entry->table->name));
> > > -+ talloc_free(mem_ctx);
> > > - return ntresult;
> > > - }
> > > - }
> > > -@@ -803,7 +807,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > -
> > > - /* Cleanup */
> > > -
> > > -- talloc_destroy(mem_ctx);
> > > -+ talloc_free(mem_ctx);
> > > -
> > > - return ntresult;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 95972ec54aafcf8a66e0164cd1fb478b6f4c58f6 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 24 Apr 2013 12:36:04 +0200
> > > -Subject: [PATCH 045/249] libcli/auth: make
> > > - netlogon_creds_crypt_samlogon_validation more robust
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 39fedd27182d9e1985418ea79b86aef69999dd57)
> > > ----
> > > - libcli/auth/credentials.c | 6 +++++-
> > > - 1 file changed, 5 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > > -index fb77ede..5c8b25b 100644
> > > ---- a/libcli/auth/credentials.c
> > > -+++ b/libcli/auth/credentials.c
> > > -@@ -493,8 +493,12 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
> > > - bool encrypt)
> > > - {
> > > - static const char zeros[16];
> > > --
> > > - struct netr_SamBaseInfo *base = NULL;
> > > -+
> > > -+ if (validation == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > - switch (validation_level) {
> > > - case 2:
> > > - if (validation->sam2) {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From ac092a319c388cc2577bcbd87e16522ba37dc2d0 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 14 Jun 2013 09:47:50 +0200
> > > -Subject: [PATCH 046/249] libcli/auth: fix shadowed declaration in
> > > - netlogon_creds_crypt_samlogon_validation()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 291f6a1e031dc9db7d03b3ca924c4309b313cae5)
> > > ----
> > > - libcli/auth/credentials.c | 8 ++++----
> > > - 1 file changed, 4 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > > -index 5c8b25b..2e9c87e 100644
> > > ---- a/libcli/auth/credentials.c
> > > -+++ b/libcli/auth/credentials.c
> > > -@@ -490,7 +490,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
> > > - static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
> > > - uint16_t validation_level,
> > > - union netr_Validation *validation,
> > > -- bool encrypt)
> > > -+ bool do_encrypt)
> > > - {
> > > - static const char zeros[16];
> > > - struct netr_SamBaseInfo *base = NULL;
> > > -@@ -531,7 +531,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
> > > - /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
> > > - if (memcmp(base->key.key, zeros,
> > > - sizeof(base->key.key)) != 0) {
> > > -- if (encrypt) {
> > > -+ if (do_encrypt) {
> > > - netlogon_creds_aes_encrypt(creds,
> > > - base->key.key,
> > > - sizeof(base->key.key));
> > > -@@ -544,7 +544,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
> > > -
> > > - if (memcmp(base->LMSessKey.key, zeros,
> > > - sizeof(base->LMSessKey.key)) != 0) {
> > > -- if (encrypt) {
> > > -+ if (do_encrypt) {
> > > - netlogon_creds_aes_encrypt(creds,
> > > - base->LMSessKey.key,
> > > - sizeof(base->LMSessKey.key));
> > > -@@ -574,7 +574,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
> > > - /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
> > > - if (memcmp(base->LMSessKey.key, zeros,
> > > - sizeof(base->LMSessKey.key)) != 0) {
> > > -- if (encrypt) {
> > > -+ if (do_encrypt) {
> > > - netlogon_creds_des_encrypt_LMKey(creds,
> > > - &base->LMSessKey);
> > > - } else {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From c535bfb9ead2175ae68b9d18a1692218a0fcf800 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 25 Apr 2013 17:01:00 +0200
> > > -Subject: [PATCH 047/249] libcli/auth: add
> > > - netlogon_creds_[de|en]crypt_samlogon_logon()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit c7319fce604d5f89a89094b6b18ef459a347aef8)
> > > ----
> > > - libcli/auth/credentials.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++
> > > - libcli/auth/proto.h | 6 +++
> > > - 2 files changed, 124 insertions(+)
> > > -
> > > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > > -index 2e9c87e..78a8d7a 100644
> > > ---- a/libcli/auth/credentials.c
> > > -+++ b/libcli/auth/credentials.c
> > > -@@ -601,6 +601,124 @@ void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_Credential
> > > - validation, true);
> > > - }
> > > -
> > > -+static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> > > -+ enum netr_LogonInfoClass level,
> > > -+ union netr_LogonLevel *logon,
> > > -+ bool encrypt)
> > > -+{
> > > -+ static const char zeros[16];
> > > -+
> > > -+ if (logon == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ switch (level) {
> > > -+ case NetlogonInteractiveInformation:
> > > -+ case NetlogonInteractiveTransitiveInformation:
> > > -+ case NetlogonServiceInformation:
> > > -+ case NetlogonServiceTransitiveInformation:
> > > -+ if (logon->password == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ uint8_t *h;
> > > -+
> > > -+ h = logon->password->lmpassword.hash;
> > > -+ if (memcmp(h, zeros, 16) != 0) {
> > > -+ if (encrypt) {
> > > -+ netlogon_creds_aes_encrypt(creds, h, 16);
> > > -+ } else {
> > > -+ netlogon_creds_aes_decrypt(creds, h, 16);
> > > -+ }
> > > -+ }
> > > -+
> > > -+ h = logon->password->ntpassword.hash;
> > > -+ if (memcmp(h, zeros, 16) != 0) {
> > > -+ if (encrypt) {
> > > -+ netlogon_creds_aes_encrypt(creds, h, 16);
> > > -+ } else {
> > > -+ netlogon_creds_aes_decrypt(creds, h, 16);
> > > -+ }
> > > -+ }
> > > -+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> > > -+ uint8_t *h;
> > > -+
> > > -+ h = logon->password->lmpassword.hash;
> > > -+ if (memcmp(h, zeros, 16) != 0) {
> > > -+ netlogon_creds_arcfour_crypt(creds, h, 16);
> > > -+ }
> > > -+
> > > -+ h = logon->password->ntpassword.hash;
> > > -+ if (memcmp(h, zeros, 16) != 0) {
> > > -+ netlogon_creds_arcfour_crypt(creds, h, 16);
> > > -+ }
> > > -+ } else {
> > > -+ struct samr_Password *p;
> > > -+
> > > -+ p = &logon->password->lmpassword;
> > > -+ if (memcmp(p->hash, zeros, 16) != 0) {
> > > -+ if (encrypt) {
> > > -+ netlogon_creds_des_encrypt(creds, p);
> > > -+ } else {
> > > -+ netlogon_creds_des_decrypt(creds, p);
> > > -+ }
> > > -+ }
> > > -+ p = &logon->password->ntpassword;
> > > -+ if (memcmp(p->hash, zeros, 16) != 0) {
> > > -+ if (encrypt) {
> > > -+ netlogon_creds_des_encrypt(creds, p);
> > > -+ } else {
> > > -+ netlogon_creds_des_decrypt(creds, p);
> > > -+ }
> > > -+ }
> > > -+ }
> > > -+ break;
> > > -+
> > > -+ case NetlogonNetworkInformation:
> > > -+ case NetlogonNetworkTransitiveInformation:
> > > -+ break;
> > > -+
> > > -+ case NetlogonGenericInformation:
> > > -+ if (logon->generic == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ if (encrypt) {
> > > -+ netlogon_creds_aes_encrypt(creds,
> > > -+ logon->generic->data,
> > > -+ logon->generic->length);
> > > -+ } else {
> > > -+ netlogon_creds_aes_decrypt(creds,
> > > -+ logon->generic->data,
> > > -+ logon->generic->length);
> > > -+ }
> > > -+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> > > -+ netlogon_creds_arcfour_crypt(creds,
> > > -+ logon->generic->data,
> > > -+ logon->generic->length);
> > > -+ } else {
> > > -+ /* Using DES to verify kerberos tickets makes no sense */
> > > -+ }
> > > -+ break;
> > > -+ }
> > > -+}
> > > -+
> > > -+void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> > > -+ enum netr_LogonInfoClass level,
> > > -+ union netr_LogonLevel *logon)
> > > -+{
> > > -+ netlogon_creds_crypt_samlogon_logon(creds, level, logon, false);
> > > -+}
> > > -+
> > > -+void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> > > -+ enum netr_LogonInfoClass level,
> > > -+ union netr_LogonLevel *logon)
> > > -+{
> > > -+ netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
> > > -+}
> > > -+
> > > - /*
> > > - copy a netlogon_creds_CredentialState struct
> > > - */
> > > -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
> > > -index 6bc18d7..110e039 100644
> > > ---- a/libcli/auth/proto.h
> > > -+++ b/libcli/auth/proto.h
> > > -@@ -64,6 +64,12 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential
> > > - void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
> > > - uint16_t validation_level,
> > > - union netr_Validation *validation);
> > > -+void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> > > -+ enum netr_LogonInfoClass level,
> > > -+ union netr_LogonLevel *logon);
> > > -+void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> > > -+ enum netr_LogonInfoClass level,
> > > -+ union netr_LogonLevel *logon);
> > > -
> > > - /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From d4f36f187d7c87c8daae3f94cdba52225faa19b8 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 24 Apr 2013 12:53:27 +0200
> > > -Subject: [PATCH 048/249] libcli/auth: add netlogon_creds_shallow_copy_logon()
> > > -
> > > -This can be used before netlogon_creds_encrypt_samlogon_logon()
> > > -in order to keep the provided buffers unchanged.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 2ea749a1a43a6539b01d36dbe0402a99619444e1)
> > > ----
> > > - libcli/auth/credentials.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++
> > > - libcli/auth/proto.h | 3 ++
> > > - 2 files changed, 76 insertions(+)
> > > -
> > > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > > -index 78a8d7a..1f664d3 100644
> > > ---- a/libcli/auth/credentials.c
> > > -+++ b/libcli/auth/credentials.c
> > > -@@ -719,6 +719,79 @@ void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState
> > > - netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
> > > - }
> > > -
> > > -+union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
> > > -+ enum netr_LogonInfoClass level,
> > > -+ const union netr_LogonLevel *in)
> > > -+{
> > > -+ union netr_LogonLevel *out;
> > > -+
> > > -+ if (in == NULL) {
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ out = talloc(mem_ctx, union netr_LogonLevel);
> > > -+ if (out == NULL) {
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ *out = *in;
> > > -+
> > > -+ switch (level) {
> > > -+ case NetlogonInteractiveInformation:
> > > -+ case NetlogonInteractiveTransitiveInformation:
> > > -+ case NetlogonServiceInformation:
> > > -+ case NetlogonServiceTransitiveInformation:
> > > -+ if (in->password == NULL) {
> > > -+ return out;
> > > -+ }
> > > -+
> > > -+ out->password = talloc(out, struct netr_PasswordInfo);
> > > -+ if (out->password == NULL) {
> > > -+ talloc_free(out);
> > > -+ return NULL;
> > > -+ }
> > > -+ *out->password = *in->password;
> > > -+
> > > -+ return out;
> > > -+
> > > -+ case NetlogonNetworkInformation:
> > > -+ case NetlogonNetworkTransitiveInformation:
> > > -+ break;
> > > -+
> > > -+ case NetlogonGenericInformation:
> > > -+ if (in->generic == NULL) {
> > > -+ return out;
> > > -+ }
> > > -+
> > > -+ out->generic = talloc(out, struct netr_GenericInfo);
> > > -+ if (out->generic == NULL) {
> > > -+ talloc_free(out);
> > > -+ return NULL;
> > > -+ }
> > > -+ *out->generic = *in->generic;
> > > -+
> > > -+ if (in->generic->data == NULL) {
> > > -+ return out;
> > > -+ }
> > > -+
> > > -+ if (in->generic->length == 0) {
> > > -+ return out;
> > > -+ }
> > > -+
> > > -+ out->generic->data = talloc_memdup(out->generic,
> > > -+ in->generic->data,
> > > -+ in->generic->length);
> > > -+ if (out->generic->data == NULL) {
> > > -+ talloc_free(out);
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ return out;
> > > -+ }
> > > -+
> > > -+ return out;
> > > -+}
> > > -+
> > > - /*
> > > - copy a netlogon_creds_CredentialState struct
> > > - */
> > > -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
> > > -index 110e039..0c319d3 100644
> > > ---- a/libcli/auth/proto.h
> > > -+++ b/libcli/auth/proto.h
> > > -@@ -70,6 +70,9 @@ void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState
> > > - void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
> > > - enum netr_LogonInfoClass level,
> > > - union netr_LogonLevel *logon);
> > > -+union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
> > > -+ enum netr_LogonInfoClass level,
> > > -+ const union netr_LogonLevel *in);
> > > -
> > > - /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 8cf11ba846fc31ce26020aabcf463817b56580a7 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 24 Apr 2013 16:00:18 +0200
> > > -Subject: [PATCH 049/249] s4:netlogon: make use of
> > > - netlogon_creds_decrypt_samlogon_logon()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 9d548318da11247ffe8acf505cdb5299090c16f0)
> > > ----
> > > - source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++---------------------
> > > - 1 file changed, 6 insertions(+), 22 deletions(-)
> > > -
> > > -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -index 70239a4..c41cd02 100644
> > > ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -@@ -712,29 +712,15 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
> > > - user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
> > > - NT_STATUS_HAVE_NO_MEMORY(user_info);
> > > -
> > > -+ netlogon_creds_decrypt_samlogon_logon(creds,
> > > -+ r->in.logon_level,
> > > -+ r->in.logon);
> > > -+
> > > - switch (r->in.logon_level) {
> > > - case NetlogonInteractiveInformation:
> > > - case NetlogonServiceInformation:
> > > - case NetlogonInteractiveTransitiveInformation:
> > > - case NetlogonServiceTransitiveInformation:
> > > -- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- netlogon_creds_aes_decrypt(creds,
> > > -- r->in.logon->password->lmpassword.hash,
> > > -- sizeof(r->in.logon->password->lmpassword.hash));
> > > -- netlogon_creds_aes_decrypt(creds,
> > > -- r->in.logon->password->ntpassword.hash,
> > > -- sizeof(r->in.logon->password->ntpassword.hash));
> > > -- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> > > -- netlogon_creds_arcfour_crypt(creds,
> > > -- r->in.logon->password->lmpassword.hash,
> > > -- sizeof(r->in.logon->password->lmpassword.hash));
> > > -- netlogon_creds_arcfour_crypt(creds,
> > > -- r->in.logon->password->ntpassword.hash,
> > > -- sizeof(r->in.logon->password->ntpassword.hash));
> > > -- } else {
> > > -- netlogon_creds_des_decrypt(creds, &r->in.logon->password->lmpassword);
> > > -- netlogon_creds_des_decrypt(creds, &r->in.logon->password->ntpassword);
> > > -- }
> > > -
> > > - /* TODO: we need to deny anonymous access here */
> > > - nt_status = auth_context_create(mem_ctx,
> > > -@@ -788,11 +774,9 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
> > > - case NetlogonGenericInformation:
> > > - {
> > > - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- netlogon_creds_aes_decrypt(creds,
> > > -- r->in.logon->generic->data, r->in.logon->generic->length);
> > > -+ /* OK */
> > > - } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> > > -- netlogon_creds_arcfour_crypt(creds,
> > > -- r->in.logon->generic->data, r->in.logon->generic->length);
> > > -+ /* OK */
> > > - } else {
> > > - /* Using DES to verify kerberos tickets makes no sense */
> > > - return NT_STATUS_INVALID_PARAMETER;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 22bdc484af1b1a4ebd9451fd5cde4d3993dd6f0a Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 24 Apr 2013 16:00:44 +0200
> > > -Subject: [PATCH 050/249] s3:netlogon: make use of
> > > - netlogon_creds_decrypt_samlogon_logon()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 7b3ddd1a0bb41fe84c115555113362044620e484)
> > > ----
> > > - source3/rpc_server/netlogon/srv_netlog_nt.c | 45 ++++++++++++++---------------
> > > - 1 file changed, 21 insertions(+), 24 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
> > > -index e5ca474..09857b6 100644
> > > ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
> > > -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
> > > -@@ -1467,6 +1467,15 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> > > - struct auth_context *auth_context = NULL;
> > > - const char *fn;
> > > -
> > > -+#ifdef DEBUG_PASSWORD
> > > -+ logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
> > > -+ r->in.logon_level,
> > > -+ r->in.logon);
> > > -+ if (logon == NULL) {
> > > -+ logon = r->in.logon;
> > > -+ }
> > > -+#endif
> > > -+
> > > - switch (p->opnum) {
> > > - case NDR_NETR_LOGONSAMLOGON:
> > > - fn = "_netr_LogonSamLogon";
> > > -@@ -1547,6 +1556,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> > > -
> > > - status = NT_STATUS_OK;
> > > -
> > > -+ netlogon_creds_decrypt_samlogon_logon(creds,
> > > -+ r->in.logon_level,
> > > -+ logon);
> > > -+
> > > - switch (r->in.logon_level) {
> > > - case NetlogonNetworkInformation:
> > > - case NetlogonNetworkTransitiveInformation:
> > > -@@ -1592,32 +1605,16 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> > > - uint8_t chal[8];
> > > -
> > > - #ifdef DEBUG_PASSWORD
> > > -- DEBUG(100,("lm owf password:"));
> > > -- dump_data(100, logon->password->lmpassword.hash, 16);
> > > --
> > > -- DEBUG(100,("nt owf password:"));
> > > -- dump_data(100, logon->password->ntpassword.hash, 16);
> > > --#endif
> > > -- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- netlogon_creds_aes_decrypt(creds,
> > > -- logon->password->lmpassword.hash,
> > > -- 16);
> > > -- netlogon_creds_aes_decrypt(creds,
> > > -- logon->password->ntpassword.hash,
> > > -- 16);
> > > -- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> > > -- netlogon_creds_arcfour_crypt(creds,
> > > -- logon->password->lmpassword.hash,
> > > -- 16);
> > > -- netlogon_creds_arcfour_crypt(creds,
> > > -- logon->password->ntpassword.hash,
> > > -- 16);
> > > -- } else {
> > > -- netlogon_creds_des_decrypt(creds, &logon->password->lmpassword);
> > > -- netlogon_creds_des_decrypt(creds, &logon->password->ntpassword);
> > > -+ if (logon != r->in.logon) {
> > > -+ DEBUG(100,("lm owf password:"));
> > > -+ dump_data(100,
> > > -+ r->in.logon->password->lmpassword.hash, 16);
> > > -+
> > > -+ DEBUG(100,("nt owf password:"));
> > > -+ dump_data(100,
> > > -+ r->in.logon->password->ntpassword.hash, 16);
> > > - }
> > > -
> > > --#ifdef DEBUG_PASSWORD
> > > - DEBUG(100,("decrypt of lm owf password:"));
> > > - dump_data(100, logon->password->lmpassword.hash, 16);
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From b25c7249bdca17d4b4720a2e8f8ba329c4105e94 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 25 Apr 2013 18:27:57 +0200
> > > -Subject: [PATCH 051/249] s3:rpc_client: make rpccli_schannel_bind_data()
> > > - static
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 6ce645e03c279cbb2ed8a94f033b8e0601b61ef4)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 9 +++++----
> > > - source3/rpc_client/cli_pipe.h | 6 ------
> > > - 2 files changed, 5 insertions(+), 10 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 1fa8d91..66fa2d2 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2401,10 +2401,11 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> > > - return status;
> > > - }
> > > -
> > > --NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
> > > -- enum dcerpc_AuthLevel auth_level,
> > > -- struct netlogon_creds_CredentialState *creds,
> > > -- struct pipe_auth_data **presult)
> > > -+static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > > -+ const char *domain,
> > > -+ enum dcerpc_AuthLevel auth_level,
> > > -+ struct netlogon_creds_CredentialState *creds,
> > > -+ struct pipe_auth_data **presult)
> > > - {
> > > - struct schannel_state *schannel_auth;
> > > - struct pipe_auth_data *result;
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index 6fcc587..8eb6040 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -58,12 +58,6 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
> > > - NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
> > > - struct pipe_auth_data **presult);
> > > -
> > > --NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > > -- const char *domain,
> > > -- enum dcerpc_AuthLevel auth_level,
> > > -- struct netlogon_creds_CredentialState *creds,
> > > -- struct pipe_auth_data **presult);
> > > --
> > > - NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
> > > - const char *host,
> > > - const struct sockaddr_storage *ss_addr,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 9f56e42ba78ce4e1248f06a0cecfc97789aea260 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 25 Apr 2013 18:29:31 +0200
> > > -Subject: [PATCH 052/249] s3:rpc_client: use the correct context for
> > > - netlogon_creds_copy() in rpccli_schannel_bind_data()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 8a302fc353de8d373a0ec8544da4da6f305ec923)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 5 ++++-
> > > - 1 file changed, 4 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 66fa2d2..afe8030 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2431,7 +2431,10 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > > -
> > > - schannel_auth->state = SCHANNEL_STATE_START;
> > > - schannel_auth->initiator = true;
> > > -- schannel_auth->creds = netlogon_creds_copy(result, creds);
> > > -+ schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
> > > -+ if (schannel_auth->creds == NULL) {
> > > -+ goto fail;
> > > -+ }
> > > -
> > > - result->auth_ctx = schannel_auth;
> > > - *presult = result;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 08d78b16f0adf1d223f29d613a498878230522be Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 25 Apr 2013 19:43:58 +0200
> > > -Subject: [PATCH 053/249] s3:rpc_client: rename same variables in
> > > - cli_rpc_pipe_open_schannel_with_key()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 94be8d63cd21fbb9e31bf7a92af82e19c596f94f)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 30 +++++++++++++++---------------
> > > - 1 file changed, 15 insertions(+), 15 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index afe8030..ec804e7 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -3032,32 +3032,32 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > - struct netlogon_creds_CredentialState **pdc,
> > > -- struct rpc_pipe_client **presult)
> > > -+ struct rpc_pipe_client **_rpccli)
> > > - {
> > > -- struct rpc_pipe_client *result;
> > > -- struct pipe_auth_data *auth;
> > > -+ struct rpc_pipe_client *rpccli;
> > > -+ struct pipe_auth_data *rpcauth;
> > > - NTSTATUS status;
> > > -
> > > -- status = cli_rpc_pipe_open(cli, transport, table, &result);
> > > -+ status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > -
> > > -- status = rpccli_schannel_bind_data(result, domain, auth_level,
> > > -- *pdc, &auth);
> > > -+ status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
> > > -+ *pdc, &rpcauth);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
> > > - nt_errstr(status)));
> > > -- TALLOC_FREE(result);
> > > -+ TALLOC_FREE(rpccli);
> > > - return status;
> > > - }
> > > -
> > > -- status = rpc_pipe_bind(result, auth);
> > > -+ status = rpc_pipe_bind(rpccli, rpcauth);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
> > > - "cli_rpc_pipe_bind failed with error %s\n",
> > > - nt_errstr(status) ));
> > > -- TALLOC_FREE(result);
> > > -+ TALLOC_FREE(rpccli);
> > > - return status;
> > > - }
> > > -
> > > -@@ -3065,10 +3065,10 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - * The credentials on a new netlogon pipe are the ones we are passed
> > > - * in - copy them over
> > > - */
> > > -- if (result->dc == NULL) {
> > > -- result->dc = netlogon_creds_copy(result, *pdc);
> > > -- if (result->dc == NULL) {
> > > -- TALLOC_FREE(result);
> > > -+ if (rpccli->dc == NULL) {
> > > -+ rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
> > > -+ if (rpccli->dc == NULL) {
> > > -+ TALLOC_FREE(rpccli);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > - }
> > > -@@ -3076,9 +3076,9 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> > > - "for domain %s and bound using schannel.\n",
> > > - get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > > -- result->desthost, domain));
> > > -+ rpccli->desthost, domain));
> > > -
> > > -- *presult = result;
> > > -+ *_rpccli = rpccli;
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 33991d3ea286fc5da1458ca64aa4fc004547ae04 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 5 Aug 2013 20:26:54 +0200
> > > -Subject: [PATCH 054/249] s3:libsmb: remove unused cli_state->is_guestlogin
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 11e0be0e72cfc4bc65ba2b0ffd10cbae3ad69b2d)
> > > ----
> > > - source3/include/client.h | 1 -
> > > - source3/libsmb/cliconnect.c | 5 -----
> > > - 2 files changed, 6 deletions(-)
> > > -
> > > -diff --git a/source3/include/client.h b/source3/include/client.h
> > > -index 3f92d6d..59fb104 100644
> > > ---- a/source3/include/client.h
> > > -+++ b/source3/include/client.h
> > > -@@ -72,7 +72,6 @@ struct cli_state {
> > > - int timeout; /* in milliseconds. */
> > > - int initialised;
> > > - int win95;
> > > -- bool is_guestlogin;
> > > - /* What the server offered. */
> > > - uint32_t server_posix_capabilities;
> > > - /* What the client requested. */
> > > -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
> > > -index 13e7704..81bc028 100644
> > > ---- a/source3/libsmb/cliconnect.c
> > > -+++ b/source3/libsmb/cliconnect.c
> > > -@@ -240,7 +240,6 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq)
> > > - p = bytes;
> > > -
> > > - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> > > -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> > > -
> > > - status = smb_bytes_talloc_string(cli,
> > > - inhdr,
> > > -@@ -448,7 +447,6 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq)
> > > - p = bytes;
> > > -
> > > - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> > > -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> > > -
> > > - status = smb_bytes_talloc_string(cli,
> > > - inhdr,
> > > -@@ -613,7 +611,6 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq)
> > > - p = bytes;
> > > -
> > > - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> > > -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> > > -
> > > - status = smb_bytes_talloc_string(cli,
> > > - inhdr,
> > > -@@ -930,7 +927,6 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq)
> > > - p = bytes;
> > > -
> > > - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> > > -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> > > -
> > > - status = smb_bytes_talloc_string(cli,
> > > - inhdr,
> > > -@@ -1180,7 +1176,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
> > > - state->inbuf = in;
> > > - inhdr = in + NBT_HDR_SIZE;
> > > - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
> > > -- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
> > > -
> > > - blob_length = SVAL(vwv+3, 0);
> > > - if (blob_length > num_bytes) {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 937a0f2fc020e12c21c10597a889275614603add Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 15 Jun 2013 09:41:52 +0200
> > > -Subject: [PATCH 055/249] s3:auth_domain: try to use NETLOGON_NEG_SUPPORTS_AES
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit d82ab70579ff2bcb69f997068482b198f321d1ef)
> > > ----
> > > - source3/auth/auth_domain.c | 3 ++-
> > > - 1 file changed, 2 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > > -index 54ee5a1..06078e2 100644
> > > ---- a/source3/auth/auth_domain.c
> > > -+++ b/source3/auth/auth_domain.c
> > > -@@ -133,7 +133,8 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > > -
> > > - if (!lp_client_schannel()) {
> > > - /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -+ NETLOGON_NEG_SUPPORTS_AES;
> > > - enum netr_SchannelType sec_chan_type = 0;
> > > - unsigned char machine_pwd[16];
> > > - const char *account_name;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 981a88bb20cef572e5573ee2f18115a6e395fbf9 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 15 Jun 2013 09:41:52 +0200
> > > -Subject: [PATCH 056/249] s3:libnet_join: try to use NETLOGON_NEG_SUPPORTS_AES
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit beba32619a91977543f882432fd08acc9de78fd3)
> > > ----
> > > - source3/libnet/libnet_join.c | 3 ++-
> > > - 1 file changed, 2 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index d8ec235..c1eccda 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -1194,7 +1194,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > > - const char *dc_name,
> > > - const bool use_kerberos)
> > > - {
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -+ NETLOGON_NEG_SUPPORTS_AES;
> > > - struct cli_state *cli = NULL;
> > > - struct rpc_pipe_client *pipe_hnd = NULL;
> > > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 846a35f004850695ca7c9d4597cd8729bb7c99e3 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 15 Jun 2013 09:41:52 +0200
> > > -Subject: [PATCH 057/249] s3:rpc_client: try to use NETLOGON_NEG_SUPPORTS_AES
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 04600634b3e761d7c56f699fd4ba80b4cd2926a1)
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 3 ++-
> > > - source3/rpc_client/cli_pipe_schannel.c | 6 ++++--
> > > - 2 files changed, 6 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index 3d6a3e1..5e8a2fc 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -610,7 +610,8 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > > - struct dcerpc_binding_handle *b = cli->binding_handle;
> > > -
> > > - if (!cli->dc) {
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -+ NETLOGON_NEG_SUPPORTS_AES;
> > > - result = rpccli_netlogon_setup_creds(cli,
> > > - cli->desthost, /* server name */
> > > - lp_workgroup(), /* domain */
> > > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > > -index bc672ef..de745c0 100644
> > > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > > -@@ -136,7 +136,8 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > > - const char *password,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -+ NETLOGON_NEG_SUPPORTS_AES;
> > > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > > - struct rpc_pipe_client *result = NULL;
> > > - NTSTATUS status;
> > > -@@ -175,7 +176,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > - const char *domain,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -+ NETLOGON_NEG_SUPPORTS_AES;
> > > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > > - struct rpc_pipe_client *result = NULL;
> > > - NTSTATUS status;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a56391bc8cbe1fa9142d0a20f4bf977538f27e67 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 15 Jun 2013 09:41:52 +0200
> > > -Subject: [PATCH 058/249] s3:rpcclient: try to use NETLOGON_NEG_SUPPORTS_AES
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit e77a64f505fc43628e487e832033d0cd8ec4de8e)
> > > ----
> > > - source3/rpcclient/cmd_netlogon.c | 3 ++-
> > > - source3/rpcclient/rpcclient.c | 3 ++-
> > > - 2 files changed, 4 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > > -index 01d6da4..d92434b 100644
> > > ---- a/source3/rpcclient/cmd_netlogon.c
> > > -+++ b/source3/rpcclient/cmd_netlogon.c
> > > -@@ -1120,7 +1120,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > > - NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
> > > - NTSTATUS result;
> > > - const char *server_name = cli->desthost;
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -+ NETLOGON_NEG_SUPPORTS_AES;
> > > - struct netr_Authenticator clnt_creds, srv_cred;
> > > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > > - unsigned char trust_passwd_hash[16];
> > > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > > -index 9bf296e..cb7b70f 100644
> > > ---- a/source3/rpcclient/rpcclient.c
> > > -+++ b/source3/rpcclient/rpcclient.c
> > > -@@ -758,7 +758,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > -
> > > - if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
> > > - &ndr_table_netlogon.syntax_id)) {
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > > -+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -+ NETLOGON_NEG_SUPPORTS_AES;
> > > - enum netr_SchannelType sec_channel_type;
> > > - uchar trust_password[16];
> > > - const char *machine_account;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 06c4ff36efc63ef014c449602dc314ca4e7016bd Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 25 Apr 2013 19:57:09 +0200
> > > -Subject: [PATCH 059/249] s3:rpc_client: fix/add AES downgrade detection to
> > > - rpc_pipe_bind_step_two_done()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 90e28c1825b2c48714d7b34fdb57d3878116d07e)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 19 +++++++------------
> > > - 1 file changed, 7 insertions(+), 12 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index ec804e7..c354a6f 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -1828,8 +1828,7 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
> > > - status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
> > > - TALLOC_FREE(subreq);
> > > - if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > > -- if (state->cli->dc && state->cli->dc->negotiate_flags &
> > > -- NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > - DEBUG(5, ("AES is not supported and the error was %s\n",
> > > - nt_errstr(status)));
> > > - tevent_req_nterror(req,
> > > -@@ -1880,9 +1879,6 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
> > > - return;
> > > - }
> > > -
> > > -- TALLOC_FREE(state->cli->dc);
> > > -- state->cli->dc = talloc_steal(state->cli, state->creds);
> > > --
> > > - if (!NT_STATUS_IS_OK(state->r.out.result)) {
> > > - DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
> > > - nt_errstr(state->r.out.result)));
> > > -@@ -1890,18 +1886,17 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
> > > - return;
> > > - }
> > > -
> > > -- if (state->creds->negotiate_flags !=
> > > -- state->r.out.capabilities->server_capabilities) {
> > > -- DEBUG(0, ("The client capabilities don't match the server "
> > > -- "capabilities: local[0x%08X] remote[0x%08X]\n",
> > > -- state->creds->negotiate_flags,
> > > -- state->capabilities.server_capabilities));
> > > -+ if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
> > > -+ DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
> > > -+ "but AES was not negotiated - downgrade detected",
> > > -+ state->cli->desthost));
> > > - tevent_req_nterror(req,
> > > - NT_STATUS_INVALID_NETWORK_RESPONSE);
> > > - return;
> > > - }
> > > -
> > > -- /* TODO: Add downgrade dectection. */
> > > -+ TALLOC_FREE(state->cli->dc);
> > > -+ state->cli->dc = talloc_move(state->cli, &state->creds);
> > > -
> > > - tevent_req_done(req);
> > > - return;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From e6416b9fe5019c3ce1aa8ecf42d73125a049338f Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 25 Apr 2013 19:45:52 +0200
> > > -Subject: [PATCH 060/249] s3:rpc_client: use netlogon_creds_copy before
> > > - rpc_pipe_bind
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit e9c8e3fb92143525f846523e446e2213e5b55d9d)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 24 ++++++++++++------------
> > > - 1 file changed, 12 insertions(+), 12 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index c354a6f..eb172db 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -3047,6 +3047,18 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - return status;
> > > - }
> > > -
> > > -+ /*
> > > -+ * The credentials on a new netlogon pipe are the ones we are passed
> > > -+ * in - copy them over
> > > -+ *
> > > -+ * This may get overwritten... in rpc_pipe_bind()...
> > > -+ */
> > > -+ rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
> > > -+ if (rpccli->dc == NULL) {
> > > -+ TALLOC_FREE(rpccli);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > - status = rpc_pipe_bind(rpccli, rpcauth);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
> > > -@@ -3056,18 +3068,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - return status;
> > > - }
> > > -
> > > -- /*
> > > -- * The credentials on a new netlogon pipe are the ones we are passed
> > > -- * in - copy them over
> > > -- */
> > > -- if (rpccli->dc == NULL) {
> > > -- rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
> > > -- if (rpccli->dc == NULL) {
> > > -- TALLOC_FREE(rpccli);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > -- }
> > > --
> > > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> > > - "for domain %s and bound using schannel.\n",
> > > - get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 1836ea96ed7dd055278fd6cac3f69a06ea979ea2 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 25 Apr 2013 19:34:13 +0200
> > > -Subject: [PATCH 061/249] s3:rpc_client: add netr_LogonGetCapabilities to
> > > - cli_rpc_pipe_open_schannel_with_key()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit eecb5bafba5b362d4fdf33d6a2a32e4ee56f30a4)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 101 ++++++++++++++++++++++++++++++++++++++++++
> > > - 1 file changed, 101 insertions(+)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index eb172db..314eb92 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -3032,6 +3032,11 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - struct rpc_pipe_client *rpccli;
> > > - struct pipe_auth_data *rpcauth;
> > > - NTSTATUS status;
> > > -+ NTSTATUS result;
> > > -+ struct netlogon_creds_CredentialState save_creds;
> > > -+ struct netr_Authenticator auth;
> > > -+ struct netr_Authenticator return_auth;
> > > -+ union netr_Capabilities capabilities;
> > > -
> > > - status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -@@ -3068,6 +3073,102 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - return status;
> > > - }
> > > -
> > > -+ if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ save_creds = *rpccli->dc;
> > > -+ ZERO_STRUCT(return_auth);
> > > -+ ZERO_STRUCT(capabilities);
> > > -+
> > > -+ netlogon_creds_client_authenticator(&save_creds, &auth);
> > > -+
> > > -+ status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
> > > -+ talloc_tos(),
> > > -+ rpccli->srv_name_slash,
> > > -+ save_creds.computer_name,
> > > -+ &auth, &return_auth,
> > > -+ 1, &capabilities,
> > > -+ &result);
> > > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > > -+ if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ DEBUG(5, ("AES was negotiated and the error was %s - "
> > > -+ "downgrade detected\n",
> > > -+ nt_errstr(status)));
> > > -+ TALLOC_FREE(rpccli);
> > > -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > > -+ }
> > > -+
> > > -+ /* This is probably an old Samba Version */
> > > -+ DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
> > > -+ nt_errstr(status)));
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
> > > -+ nt_errstr(status)));
> > > -+ TALLOC_FREE(rpccli);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
> > > -+ if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ /* This means AES isn't supported. */
> > > -+ DEBUG(5, ("AES was negotiated and the result was %s - "
> > > -+ "downgrade detected\n",
> > > -+ nt_errstr(result)));
> > > -+ TALLOC_FREE(rpccli);
> > > -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > > -+ }
> > > -+
> > > -+ /* This is probably an old Windows version */
> > > -+ DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
> > > -+ nt_errstr(result)));
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * We need to check the credential state here, cause win2k3 and earlier
> > > -+ * returns NT_STATUS_NOT_IMPLEMENTED
> > > -+ */
> > > -+ if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
> > > -+ /*
> > > -+ * Server replied with bad credential. Fail.
> > > -+ */
> > > -+ DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
> > > -+ "replied with bad credential\n",
> > > -+ rpccli->desthost));
> > > -+ TALLOC_FREE(rpccli);
> > > -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > > -+ }
> > > -+ *rpccli->dc = save_creds;
> > > -+
> > > -+ if (!NT_STATUS_IS_OK(result)) {
> > > -+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
> > > -+ nt_errstr(result)));
> > > -+ TALLOC_FREE(rpccli);
> > > -+ return result;
> > > -+ }
> > > -+
> > > -+ if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
> > > -+ /* This means AES isn't supported. */
> > > -+ DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
> > > -+ "was OK - downgrade detected\n"));
> > > -+ TALLOC_FREE(rpccli);
> > > -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > > -+ }
> > > -+
> > > -+ if (save_creds.negotiate_flags != capabilities.server_capabilities) {
> > > -+ DEBUG(0, ("The client capabilities don't match the server "
> > > -+ "capabilities: local[0x%08X] remote[0x%08X]\n",
> > > -+ save_creds.negotiate_flags,
> > > -+ capabilities.server_capabilities));
> > > -+ TALLOC_FREE(rpccli);
> > > -+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > > -+ }
> > > -+
> > > -+done:
> > > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> > > - "for domain %s and bound using schannel.\n",
> > > - get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 675be19880c2ac4bca14d69592ce39bb66a34dec Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 25 Apr 2013 18:30:36 +0200
> > > -Subject: [PATCH 062/249] s3:rpc_client: remove netr_LogonGetCapabilities check
> > > - from rpc_pipe_bind*
> > > -
> > > -It's done in the caller now.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 3302356226cca474f0afab9a129220241c16663f)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 150 +-----------------------------------------
> > > - 1 file changed, 1 insertion(+), 149 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 314eb92..cba055a 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -1568,15 +1568,9 @@ struct rpc_pipe_bind_state {
> > > - DATA_BLOB rpc_out;
> > > - bool auth3;
> > > - uint32_t rpc_call_id;
> > > -- struct netr_Authenticator auth;
> > > -- struct netr_Authenticator return_auth;
> > > -- struct netlogon_creds_CredentialState *creds;
> > > -- union netr_Capabilities capabilities;
> > > -- struct netr_LogonGetCapabilities r;
> > > - };
> > > -
> > > - static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
> > > --static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req);
> > > - static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
> > > - struct rpc_pipe_bind_state *state,
> > > - DATA_BLOB *credentials);
> > > -@@ -1679,14 +1673,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
> > > -
> > > - case DCERPC_AUTH_TYPE_NONE:
> > > - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
> > > -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> > > - /* Bind complete. */
> > > - tevent_req_done(req);
> > > - return;
> > > -
> > > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > > -- rpc_pipe_bind_step_two_trigger(req);
> > > -- return;
> > > --
> > > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > > - case DCERPC_AUTH_TYPE_SPNEGO:
> > > - case DCERPC_AUTH_TYPE_KRB5:
> > > -@@ -1763,145 +1754,6 @@ err_out:
> > > - tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
> > > - }
> > > -
> > > --static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq);
> > > --
> > > --static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req)
> > > --{
> > > -- struct rpc_pipe_bind_state *state =
> > > -- tevent_req_data(req,
> > > -- struct rpc_pipe_bind_state);
> > > -- struct dcerpc_binding_handle *b = state->cli->binding_handle;
> > > -- struct schannel_state *schannel_auth =
> > > -- talloc_get_type_abort(state->cli->auth->auth_ctx,
> > > -- struct schannel_state);
> > > -- struct tevent_req *subreq;
> > > --
> > > -- if (schannel_auth == NULL ||
> > > -- !ndr_syntax_id_equal(&state->cli->abstract_syntax,
> > > -- &ndr_table_netlogon.syntax_id)) {
> > > -- tevent_req_done(req);
> > > -- return;
> > > -- }
> > > --
> > > -- ZERO_STRUCT(state->return_auth);
> > > --
> > > -- state->creds = netlogon_creds_copy(state, schannel_auth->creds);
> > > -- if (state->creds == NULL) {
> > > -- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
> > > -- return;
> > > -- }
> > > --
> > > -- netlogon_creds_client_authenticator(state->creds, &state->auth);
> > > --
> > > -- state->r.in.server_name = state->cli->srv_name_slash;
> > > -- state->r.in.computer_name = state->creds->computer_name;
> > > -- state->r.in.credential = &state->auth;
> > > -- state->r.in.query_level = 1;
> > > -- state->r.in.return_authenticator = &state->return_auth;
> > > --
> > > -- state->r.out.capabilities = &state->capabilities;
> > > -- state->r.out.return_authenticator = &state->return_auth;
> > > --
> > > -- subreq = dcerpc_netr_LogonGetCapabilities_r_send(talloc_tos(),
> > > -- state->ev,
> > > -- b,
> > > -- &state->r);
> > > -- if (subreq == NULL) {
> > > -- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
> > > -- return;
> > > -- }
> > > --
> > > -- tevent_req_set_callback(subreq, rpc_pipe_bind_step_two_done, req);
> > > -- return;
> > > --}
> > > --
> > > --static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
> > > --{
> > > -- struct tevent_req *req =
> > > -- tevent_req_callback_data(subreq,
> > > -- struct tevent_req);
> > > -- struct rpc_pipe_bind_state *state =
> > > -- tevent_req_data(req,
> > > -- struct rpc_pipe_bind_state);
> > > -- NTSTATUS status;
> > > --
> > > -- status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
> > > -- TALLOC_FREE(subreq);
> > > -- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > > -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- DEBUG(5, ("AES is not supported and the error was %s\n",
> > > -- nt_errstr(status)));
> > > -- tevent_req_nterror(req,
> > > -- NT_STATUS_INVALID_NETWORK_RESPONSE);
> > > -- return;
> > > -- }
> > > --
> > > -- /* This is probably NT */
> > > -- DEBUG(5, ("We are checking against an NT - %s\n",
> > > -- nt_errstr(status)));
> > > -- tevent_req_done(req);
> > > -- return;
> > > -- } else if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
> > > -- nt_errstr(status)));
> > > -- tevent_req_nterror(req, status);
> > > -- return;
> > > -- }
> > > --
> > > -- if (NT_STATUS_EQUAL(state->r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
> > > -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- /* This means AES isn't supported. */
> > > -- DEBUG(5, ("AES is not supported and the error was %s\n",
> > > -- nt_errstr(state->r.out.result)));
> > > -- tevent_req_nterror(req,
> > > -- NT_STATUS_INVALID_NETWORK_RESPONSE);
> > > -- return;
> > > -- }
> > > --
> > > -- /* This is probably an old Samba version */
> > > -- DEBUG(5, ("We are checking against an old Samba version - %s\n",
> > > -- nt_errstr(state->r.out.result)));
> > > -- tevent_req_done(req);
> > > -- return;
> > > -- }
> > > --
> > > -- /* We need to check the credential state here, cause win2k3 and earlier
> > > -- * returns NT_STATUS_NOT_IMPLEMENTED */
> > > -- if (!netlogon_creds_client_check(state->creds,
> > > -- &state->r.out.return_authenticator->cred)) {
> > > -- /*
> > > -- * Server replied with bad credential. Fail.
> > > -- */
> > > -- DEBUG(0,("rpc_pipe_bind_step_two_done: server %s "
> > > -- "replied with bad credential\n",
> > > -- state->cli->desthost));
> > > -- tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
> > > -- return;
> > > -- }
> > > --
> > > -- if (!NT_STATUS_IS_OK(state->r.out.result)) {
> > > -- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
> > > -- nt_errstr(state->r.out.result)));
> > > -- tevent_req_nterror(req, state->r.out.result);
> > > -- return;
> > > -- }
> > > --
> > > -- if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
> > > -- DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
> > > -- "but AES was not negotiated - downgrade detected",
> > > -- state->cli->desthost));
> > > -- tevent_req_nterror(req,
> > > -- NT_STATUS_INVALID_NETWORK_RESPONSE);
> > > -- return;
> > > -- }
> > > --
> > > -- TALLOC_FREE(state->cli->dc);
> > > -- state->cli->dc = talloc_move(state->cli, &state->creds);
> > > --
> > > -- tevent_req_done(req);
> > > -- return;
> > > --}
> > > --
> > > - static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
> > > - struct rpc_pipe_bind_state *state,
> > > - DATA_BLOB *auth_token)
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From f9b4e38b8458ec905b5f78e402f21f23c4a967e1 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 25 Apr 2013 19:33:28 +0200
> > > -Subject: [PATCH 063/249] s3:rpc_client: remove unused
> > > - cli_rpc_pipe_open_ntlmssp_auth_schannel()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 04938cbeecc777f7b799a11f1ca0461b351d968a)
> > > ----
> > > - source3/rpc_client/cli_pipe.h | 9 ----
> > > - source3/rpc_client/cli_pipe_schannel.c | 80 ----------------------------------
> > > - 2 files changed, 89 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index 8eb6040..ab99373 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -109,15 +109,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - struct netlogon_creds_CredentialState **pdc,
> > > - struct rpc_pipe_client **presult);
> > > -
> > > --NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > > -- const struct ndr_interface_table *table,
> > > -- enum dcerpc_transport_t transport,
> > > -- enum dcerpc_AuthLevel auth_level,
> > > -- const char *domain,
> > > -- const char *username,
> > > -- const char *password,
> > > -- struct rpc_pipe_client **presult);
> > > --
> > > - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > - const struct ndr_interface_table *table,
> > > - enum dcerpc_transport_t transport,
> > > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > > -index de745c0..aaae44b 100644
> > > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > > -@@ -86,86 +86,6 @@ static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon
> > > -
> > > - /****************************************************************************
> > > - Open a named pipe to an SMB server and bind using schannel (bind type 68).
> > > -- Fetch the session key ourselves using a temporary netlogon pipe. This
> > > -- version uses an ntlmssp auth bound netlogon pipe to get the key.
> > > -- ****************************************************************************/
> > > --
> > > --static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
> > > -- const char *domain,
> > > -- const char *username,
> > > -- const char *password,
> > > -- uint32 *pneg_flags,
> > > -- struct rpc_pipe_client **presult)
> > > --{
> > > -- struct rpc_pipe_client *netlogon_pipe = NULL;
> > > -- NTSTATUS status;
> > > --
> > > -- status = cli_rpc_pipe_open_spnego(
> > > -- cli, &ndr_table_netlogon, NCACN_NP,
> > > -- GENSEC_OID_NTLMSSP,
> > > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > > -- smbXcli_conn_remote_name(cli->conn),
> > > -- domain, username, password, &netlogon_pipe);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > --
> > > -- status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
> > > -- pneg_flags);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- TALLOC_FREE(netlogon_pipe);
> > > -- return status;
> > > -- }
> > > --
> > > -- *presult = netlogon_pipe;
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > --/****************************************************************************
> > > -- Open a named pipe to an SMB server and bind using schannel (bind type 68).
> > > -- Fetch the session key ourselves using a temporary netlogon pipe. This version
> > > -- uses an ntlmssp bind to get the session key.
> > > -- ****************************************************************************/
> > > --
> > > --NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> > > -- const struct ndr_interface_table *table,
> > > -- enum dcerpc_transport_t transport,
> > > -- enum dcerpc_AuthLevel auth_level,
> > > -- const char *domain,
> > > -- const char *username,
> > > -- const char *password,
> > > -- struct rpc_pipe_client **presult)
> > > --{
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -- NETLOGON_NEG_SUPPORTS_AES;
> > > -- struct rpc_pipe_client *netlogon_pipe = NULL;
> > > -- struct rpc_pipe_client *result = NULL;
> > > -- NTSTATUS status;
> > > --
> > > -- status = get_schannel_session_key_auth_ntlmssp(
> > > -- cli, domain, username, password, &neg_flags, &netlogon_pipe);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
> > > -- "key from server %s for domain %s.\n",
> > > -- smbXcli_conn_remote_name(cli->conn), domain ));
> > > -- return status;
> > > -- }
> > > --
> > > -- status = cli_rpc_pipe_open_schannel_with_key(
> > > -- cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
> > > -- &result);
> > > --
> > > -- /* Now we've bound using the session key we can close the netlog pipe. */
> > > -- TALLOC_FREE(netlogon_pipe);
> > > --
> > > -- if (NT_STATUS_IS_OK(status)) {
> > > -- *presult = result;
> > > -- }
> > > -- return status;
> > > --}
> > > --
> > > --/****************************************************************************
> > > -- Open a named pipe to an SMB server and bind using schannel (bind type 68).
> > > - Fetch the session key ourselves using a temporary netlogon pipe.
> > > - ****************************************************************************/
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 35d07a4d7ca15e4cf22f7cc96d6958c9856dc0a0 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 3 Aug 2013 11:26:13 +0200
> > > -Subject: [PATCH 064/249] auth/gensec: first check GENSEC_FEATURE_SESSION_KEY
> > > - before returning NOT_IMPLEMENTED
> > > -
> > > -Preferr NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key().
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 45c74c8084d2db14fef6a79cd98068be2ab73f30)
> > > ----
> > > - auth/gensec/gensec.c | 7 ++++---
> > > - 1 file changed, 4 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
> > > -index ea62861..9a8f0ef 100644
> > > ---- a/auth/gensec/gensec.c
> > > -+++ b/auth/gensec/gensec.c
> > > -@@ -155,13 +155,14 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
> > > - TALLOC_CTX *mem_ctx,
> > > - DATA_BLOB *session_key)
> > > - {
> > > -- if (!gensec_security->ops->session_key) {
> > > -- return NT_STATUS_NOT_IMPLEMENTED;
> > > -- }
> > > - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
> > > - return NT_STATUS_NO_USER_SESSION_KEY;
> > > - }
> > > -
> > > -+ if (!gensec_security->ops->session_key) {
> > > -+ return NT_STATUS_NOT_IMPLEMENTED;
> > > -+ }
> > > -+
> > > - return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
> > > - }
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 6eda030bd26347cef3fb670b0876956c97c00bfa Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 3 Aug 2013 11:43:58 +0200
> > > -Subject: [PATCH 065/249] auth/gensec: add gensec_security_by_auth_type()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 59b09564a7edac8dc241269587146342244ce58b)
> > > ----
> > > - auth/gensec/gensec.h | 3 +++
> > > - auth/gensec/gensec_start.c | 26 ++++++++++++++++++++++++++
> > > - 2 files changed, 29 insertions(+)
> > > -
> > > -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> > > -index 396a16d..c080861 100644
> > > ---- a/auth/gensec/gensec.h
> > > -+++ b/auth/gensec/gensec.h
> > > -@@ -268,6 +268,9 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security
> > > - const char *oid_string);
> > > - const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
> > > - const char *sasl_name);
> > > -+const struct gensec_security_ops *gensec_security_by_auth_type(
> > > -+ struct gensec_security *gensec_security,
> > > -+ uint32_t auth_type);
> > > - struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
> > > - TALLOC_CTX *mem_ctx);
> > > - const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> > > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > > -index e46f0ee..c2cfa1c 100644
> > > ---- a/auth/gensec/gensec_start.c
> > > -+++ b/auth/gensec/gensec_start.c
> > > -@@ -246,6 +246,32 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
> > > - return NULL;
> > > - }
> > > -
> > > -+_PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
> > > -+ struct gensec_security *gensec_security,
> > > -+ uint32_t auth_type)
> > > -+{
> > > -+ int i;
> > > -+ struct gensec_security_ops **backends;
> > > -+ const struct gensec_security_ops *backend;
> > > -+ TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > > -+ if (!mem_ctx) {
> > > -+ return NULL;
> > > -+ }
> > > -+ backends = gensec_security_mechs(gensec_security, mem_ctx);
> > > -+ for (i=0; backends && backends[i]; i++) {
> > > -+ if (!gensec_security_ops_enabled(backends[i], gensec_security))
> > > -+ continue;
> > > -+ if (backends[i]->auth_type == auth_type) {
> > > -+ backend = backends[i];
> > > -+ talloc_free(mem_ctx);
> > > -+ return backend;
> > > -+ }
> > > -+ }
> > > -+ talloc_free(mem_ctx);
> > > -+
> > > -+ return NULL;
> > > -+}
> > > -+
> > > - static const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
> > > - const char *name)
> > > - {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From f4e1506ed3a032d38605207f592cbc4ece93a414 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 24 Apr 2013 12:33:28 +0200
> > > -Subject: [PATCH 066/249] libcli/auth: maintain the sequence number for the
> > > - NETLOGON SSP as 64bit
> > > -
> > > -See [MS-NPRC] 3.3.4.2 The Netlogon Signature Token.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 9f2e81ae02549369db49c05edf7071612a03a8b8)
> > > ----
> > > - libcli/auth/schannel.h | 2 +-
> > > - libcli/auth/schannel_sign.c | 17 +++++++++++++----
> > > - source3/librpc/rpc/dcerpc_helpers.c | 4 ++--
> > > - 3 files changed, 16 insertions(+), 7 deletions(-)
> > > -
> > > -diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
> > > -index bfccd95..271b5bb 100644
> > > ---- a/libcli/auth/schannel.h
> > > -+++ b/libcli/auth/schannel.h
> > > -@@ -30,7 +30,7 @@ enum schannel_position {
> > > -
> > > - struct schannel_state {
> > > - enum schannel_position state;
> > > -- uint32_t seq_num;
> > > -+ uint64_t seq_num;
> > > - bool initiator;
> > > - struct netlogon_creds_CredentialState *creds;
> > > - };
> > > -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> > > -index 1871da2..6e5d454 100644
> > > ---- a/libcli/auth/schannel_sign.c
> > > -+++ b/libcli/auth/schannel_sign.c
> > > -@@ -24,6 +24,17 @@
> > > - #include "../libcli/auth/schannel.h"
> > > - #include "../lib/crypto/crypto.h"
> > > -
> > > -+#define SETUP_SEQNUM(state, buf, initiator) do { \
> > > -+ uint8_t *_buf = buf; \
> > > -+ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
> > > -+ uint32_t _seq_num_high = (state)->seq_num >> 32; \
> > > -+ if (initiator) { \
> > > -+ _seq_num_high |= 0x80000000; \
> > > -+ } \
> > > -+ RSIVAL(_buf, 0, _seq_num_low); \
> > > -+ RSIVAL(_buf, 4, _seq_num_high); \
> > > -+} while(0)
> > > -+
> > > - static void netsec_offset_and_sizes(struct schannel_state *state,
> > > - bool do_seal,
> > > - uint32_t *_min_sig_size,
> > > -@@ -255,8 +266,7 @@ NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > > - confounder = NULL;
> > > - }
> > > -
> > > -- RSIVAL(seq_num, 0, state->seq_num);
> > > -- SIVAL(seq_num, 4, state->initiator?0:0x80);
> > > -+ SETUP_SEQNUM(state, seq_num, !state->initiator);
> > > -
> > > - if (do_unseal) {
> > > - netsec_do_seal(state, seq_num,
> > > -@@ -325,8 +335,7 @@ NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > > - &checksum_length,
> > > - &confounder_ofs);
> > > -
> > > -- RSIVAL(seq_num, 0, state->seq_num);
> > > -- SIVAL(seq_num, 4, state->initiator?0x80:0);
> > > -+ SETUP_SEQNUM(state, seq_num, state->initiator);
> > > -
> > > - if (do_seal) {
> > > - confounder = _confounder;
> > > -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
> > > -index a55e419..0095990 100644
> > > ---- a/source3/librpc/rpc/dcerpc_helpers.c
> > > -+++ b/source3/librpc/rpc/dcerpc_helpers.c
> > > -@@ -462,8 +462,8 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
> > > - return NT_STATUS_INVALID_PARAMETER;
> > > - }
> > > -
> > > -- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
> > > -- sas->seq_num));
> > > -+ DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
> > > -+ (unsigned long long)sas->seq_num));
> > > -
> > > - switch (auth_level) {
> > > - case DCERPC_AUTH_LEVEL_PRIVACY:
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From f99afc1924dbb267e696bbdf26db606a8c77f093 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 2 Aug 2013 12:53:42 +0200
> > > -Subject: [PATCH 067/249] libcli/auth: add netsec_create_state()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 33215398f32c76f4b8ada7b547c6d0741cb2ac16)
> > > ----
> > > - libcli/auth/schannel_proto.h | 3 +++
> > > - libcli/auth/schannel_sign.c | 23 +++++++++++++++++++++++
> > > - 2 files changed, 26 insertions(+)
> > > -
> > > -diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
> > > -index 0414218..da76559 100644
> > > ---- a/libcli/auth/schannel_proto.h
> > > -+++ b/libcli/auth/schannel_proto.h
> > > -@@ -28,6 +28,9 @@ struct schannel_state;
> > > - struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
> > > - struct loadparm_context *lp_ctx);
> > > -
> > > -+struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_CredentialState *creds,
> > > -+ bool initiator);
> > > - NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > > - bool do_unseal,
> > > - uint8_t *data, size_t length,
> > > -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> > > -index 6e5d454..518a6a9 100644
> > > ---- a/libcli/auth/schannel_sign.c
> > > -+++ b/libcli/auth/schannel_sign.c
> > > -@@ -35,6 +35,29 @@
> > > - RSIVAL(_buf, 4, _seq_num_high); \
> > > - } while(0)
> > > -
> > > -+struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_CredentialState *creds,
> > > -+ bool initiator)
> > > -+{
> > > -+ struct schannel_state *state;
> > > -+
> > > -+ state = talloc(mem_ctx, struct schannel_state);
> > > -+ if (state == NULL) {
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ state->state = SCHANNEL_STATE_UPDATE_1;
> > > -+ state->initiator = initiator;
> > > -+ state->seq_num = 0;
> > > -+ state->creds = netlogon_creds_copy(state, creds);
> > > -+ if (state->creds == NULL) {
> > > -+ talloc_free(state);
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ return state;
> > > -+}
> > > -+
> > > - static void netsec_offset_and_sizes(struct schannel_state *state,
> > > - bool do_seal,
> > > - uint32_t *_min_sig_size,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From f13417a00173fcde96417773a1a551caced24c8b Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 2 Aug 2013 13:28:11 +0200
> > > -Subject: [PATCH 068/249] s3:cli_pipe: make use of netsec_create_state()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit e96142fc439efb7c90719f9c387778c4218ae637)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 9 +--------
> > > - 1 file changed, 1 insertion(+), 8 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index cba055a..9e979b0 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2271,18 +2271,11 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > > - goto fail;
> > > - }
> > > -
> > > -- schannel_auth = talloc_zero(result, struct schannel_state);
> > > -+ schannel_auth = netsec_create_state(result, creds, true /* initiator */);
> > > - if (schannel_auth == NULL) {
> > > - goto fail;
> > > - }
> > > -
> > > -- schannel_auth->state = SCHANNEL_STATE_START;
> > > -- schannel_auth->initiator = true;
> > > -- schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
> > > -- if (schannel_auth->creds == NULL) {
> > > -- goto fail;
> > > -- }
> > > --
> > > - result->auth_ctx = schannel_auth;
> > > - *presult = result;
> > > - return NT_STATUS_OK;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From becf68bc072fdfab4489326d148775ebdbe27fda Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 2 Aug 2013 13:28:59 +0200
> > > -Subject: [PATCH 069/249] s3:cli_pipe: pass down creds->computer_name to
> > > - NL_AUTH_MESSAGE
> > > -
> > > -We need to use the same computer_name value as in the netr_Authenticate3()
> > > -request.
> > > -
> > > -We abuse cli->auth->user_name to pass the value down.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 838cb539621ef19cac6badb4b10678dcc3a6f68a)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 13 ++++++-------
> > > - 1 file changed, 6 insertions(+), 7 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 9e979b0..1de71fb 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -1027,13 +1027,12 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> > > - NTSTATUS status;
> > > - struct NL_AUTH_MESSAGE r;
> > > -
> > > -- /* Use lp_workgroup() if domain not specified */
> > > -+ if (!cli->auth->user_name || !cli->auth->user_name[0]) {
> > > -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> > > -+ }
> > > -
> > > - if (!cli->auth->domain || !cli->auth->domain[0]) {
> > > -- cli->auth->domain = talloc_strdup(cli, lp_workgroup());
> > > -- if (cli->auth->domain == NULL) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> > > - }
> > > -
> > > - /*
> > > -@@ -1044,7 +1043,7 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> > > - r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > > - NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> > > - r.oem_netbios_domain.a = cli->auth->domain;
> > > -- r.oem_netbios_computer.a = lp_netbios_name();
> > > -+ r.oem_netbios_computer.a = cli->auth->user_name;
> > > -
> > > - status = dcerpc_push_schannel_bind(cli, &r, auth_token);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -@@ -2265,7 +2264,7 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > > - result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
> > > - result->auth_level = auth_level;
> > > -
> > > -- result->user_name = talloc_strdup(result, "");
> > > -+ result->user_name = talloc_strdup(result, creds->computer_name);
> > > - result->domain = talloc_strdup(result, domain);
> > > - if ((result->user_name == NULL) || (result->domain == NULL)) {
> > > - goto fail;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From b447ab32047f33d306ee891d1d3fe2ae5a8c56f1 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 3 Aug 2013 08:50:54 +0200
> > > -Subject: [PATCH 070/249] s3:cli_pipe.c: return NO_USER_SESSION_KEY in
> > > - cli_get_session_key() for schannel
> > > -
> > > -SCHANNEL connections don't have a user session key,
> > > -they're like anonymous connections.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit af4dc306846a30a5a1201306cc2cbf4d494e16e7)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 7 -------
> > > - 1 file changed, 7 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 1de71fb..470469f 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -3091,7 +3091,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> > > - {
> > > - NTSTATUS status;
> > > - struct pipe_auth_data *a;
> > > -- struct schannel_state *schannel_auth;
> > > - struct gensec_security *gensec_security;
> > > - DATA_BLOB sk = data_blob_null;
> > > - bool make_dup = false;
> > > -@@ -3107,12 +3106,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> > > - }
> > > -
> > > - switch (cli->auth->auth_type) {
> > > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > > -- schannel_auth = talloc_get_type_abort(a->auth_ctx,
> > > -- struct schannel_state);
> > > -- sk = data_blob_const(schannel_auth->creds->session_key, 16);
> > > -- make_dup = true;
> > > -- break;
> > > - case DCERPC_AUTH_TYPE_SPNEGO:
> > > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > > - case DCERPC_AUTH_TYPE_KRB5:
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From abebeb10c26f6fa7e61c56553ce1e52b5d45937a Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 2 Aug 2013 13:33:37 +0200
> > > -Subject: [PATCH 071/249] s3:rpc_server: make use of netsec_create_state()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit a964309bf7631f4f6953e0d6556f8ed8e5300dcc)
> > > ----
> > > - source3/rpc_server/srv_pipe.c | 12 ++++--------
> > > - 1 file changed, 4 insertions(+), 8 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> > > -index 7daff04..9043a14 100644
> > > ---- a/source3/rpc_server/srv_pipe.c
> > > -+++ b/source3/rpc_server/srv_pipe.c
> > > -@@ -462,8 +462,8 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
> > > - */
> > > -
> > > - become_root();
> > > -- status = schannel_get_creds_state(p, lp_ctx,
> > > -- neg.oem_netbios_computer.a, &creds);
> > > -+ status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
> > > -+ neg.oem_netbios_computer.a, &creds);
> > > - unbecome_root();
> > > -
> > > - talloc_unlink(p, lp_ctx);
> > > -@@ -472,16 +472,12 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
> > > - return False;
> > > - }
> > > -
> > > -- schannel_auth = talloc_zero(p, struct schannel_state);
> > > -+ schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
> > > -+ TALLOC_FREE(creds);
> > > - if (!schannel_auth) {
> > > -- TALLOC_FREE(creds);
> > > - return False;
> > > - }
> > > -
> > > -- schannel_auth->state = SCHANNEL_STATE_START;
> > > -- schannel_auth->initiator = false;
> > > -- schannel_auth->creds = creds;
> > > --
> > > - /*
> > > - * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
> > > - * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From b567c4ef93de5c098d724c15b614f5f233903812 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 2 Aug 2013 13:36:30 +0200
> > > -Subject: [PATCH 072/249] s3:dcerpc_helpers: remove unused DEBUG message of
> > > - schannel_state->seq_num.
> > > -
> > > -This is a layer violation and not needed anymore as we know
> > > -how the seqnum handling works now.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit a36ccdc83edb7437dd00601c459421286fd79db4)
> > > ----
> > > - source3/librpc/rpc/dcerpc_helpers.c | 3 ---
> > > - 1 file changed, 3 deletions(-)
> > > -
> > > -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
> > > -index 0095990..97999d7 100644
> > > ---- a/source3/librpc/rpc/dcerpc_helpers.c
> > > -+++ b/source3/librpc/rpc/dcerpc_helpers.c
> > > -@@ -462,9 +462,6 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
> > > - return NT_STATUS_INVALID_PARAMETER;
> > > - }
> > > -
> > > -- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
> > > -- (unsigned long long)sas->seq_num));
> > > --
> > > - switch (auth_level) {
> > > - case DCERPC_AUTH_LEVEL_PRIVACY:
> > > - status = netsec_outgoing_packet(sas,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From e044773b51b76b3582669ee7e3a388d6471e2f2e Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 2 Aug 2013 10:08:54 +0200
> > > -Subject: [PATCH 073/249] s4:libnet: avoid usage of dcerpc_schannel_creds()
> > > -
> > > -We use cli_credentials_get_netlogon_creds() which returns the same value.
> > > -
> > > -dcerpc_schannel_creds() is a layer violation.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit c0144273af8f0956a05d102113c40cec77069f7a)
> > > ----
> > > - source4/libnet/libnet_samsync.c | 7 +++----
> > > - 1 file changed, 3 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/source4/libnet/libnet_samsync.c b/source4/libnet/libnet_samsync.c
> > > -index 9629b9f..206d81e 100644
> > > ---- a/source4/libnet/libnet_samsync.c
> > > -+++ b/source4/libnet/libnet_samsync.c
> > > -@@ -25,7 +25,6 @@
> > > - #include "libcli/auth/libcli_auth.h"
> > > - #include "../libcli/samsync/samsync.h"
> > > - #include "auth/gensec/gensec.h"
> > > --#include "auth/gensec/schannel.h"
> > > - #include "auth/credentials/credentials.h"
> > > - #include "libcli/auth/schannel.h"
> > > - #include "librpc/gen_ndr/ndr_netlogon.h"
> > > -@@ -183,9 +182,9 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx
> > > -
> > > - /* get NETLOGON credentials */
> > > -
> > > -- nt_status = dcerpc_schannel_creds(p->conn->security_state.generic_state, samsync_ctx, &creds);
> > > -- if (!NT_STATUS_IS_OK(nt_status)) {
> > > -- r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from DCERPC/GENSEC layer");
> > > -+ creds = cli_credentials_get_netlogon_creds(machine_account);
> > > -+ if (creds == NULL) {
> > > -+ r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from credentials");
> > > - talloc_free(samsync_ctx);
> > > - return nt_status;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 322dc86454fc4e60de641ef02da2c2744c347001 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 2 Aug 2013 10:08:54 +0200
> > > -Subject: [PATCH 074/249] s4:torture: avoid usage of dcerpc_schannel_creds()
> > > -
> > > -We use cli_credentials_get_netlogon_creds() which returns the same value.
> > > -
> > > -dcerpc_schannel_creds() is a layer violation.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 2ea3a24dced0814100e352bbbca124011be73602)
> > > ----
> > > - source4/torture/rpc/samlogon.c | 5 ++---
> > > - source4/torture/rpc/samr.c | 6 +++---
> > > - source4/torture/rpc/samsync.c | 11 ++++-------
> > > - source4/torture/rpc/schannel.c | 6 ++----
> > > - 4 files changed, 11 insertions(+), 17 deletions(-)
> > > -
> > > -diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
> > > -index 4861038..886ff39 100644
> > > ---- a/source4/torture/rpc/samlogon.c
> > > -+++ b/source4/torture/rpc/samlogon.c
> > > -@@ -29,7 +29,6 @@
> > > - #include "lib/cmdline/popt_common.h"
> > > - #include "torture/rpc/torture_rpc.h"
> > > - #include "auth/gensec/gensec.h"
> > > --#include "auth/gensec/schannel.h"
> > > - #include "libcli/auth/libcli_auth.h"
> > > - #include "param/param.h"
> > > -
> > > -@@ -1764,8 +1763,8 @@ bool torture_rpc_samlogon(struct torture_context *torture)
> > > - torture_assert_ntstatus_ok_goto(torture, status, ret, failed,
> > > - talloc_asprintf(torture, "RPC pipe connect as domain member failed: %s\n", nt_errstr(status)));
> > > -
> > > -- status = dcerpc_schannel_creds(p->conn->security_state.generic_state, mem_ctx, &creds);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -+ creds = cli_credentials_get_netlogon_creds(machine_credentials);
> > > -+ if (creds == NULL) {
> > > - ret = false;
> > > - goto failed;
> > > - }
> > > -diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
> > > -index cdfa2b8..d4d64f9 100644
> > > ---- a/source4/torture/rpc/samr.c
> > > -+++ b/source4/torture/rpc/samr.c
> > > -@@ -37,7 +37,6 @@
> > > - #include "torture/rpc/torture_rpc.h"
> > > - #include "param/param.h"
> > > - #include "auth/gensec/gensec.h"
> > > --#include "auth/gensec/schannel.h"
> > > - #include "auth/gensec/gensec_proto.h"
> > > - #include "../libcli/auth/schannel.h"
> > > -
> > > -@@ -2959,6 +2958,7 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_binding_handle *b,
> > > -
> > > - static bool test_SamLogon(struct torture_context *tctx,
> > > - struct dcerpc_pipe *p,
> > > -+ struct cli_credentials *machine_credentials,
> > > - struct cli_credentials *test_credentials,
> > > - NTSTATUS expected_result,
> > > - bool interactive)
> > > -@@ -2978,7 +2978,7 @@ static bool test_SamLogon(struct torture_context *tctx,
> > > - struct netr_Authenticator a;
> > > - struct dcerpc_binding_handle *b = p->binding_handle;
> > > -
> > > -- torture_assert_ntstatus_ok(tctx, dcerpc_schannel_creds(p->conn->security_state.generic_state, tctx, &creds), "");
> > > -+ torture_assert(tctx, (creds = cli_credentials_get_netlogon_creds(machine_credentials)), "");
> > > -
> > > - if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
> > > - flags |= CLI_CRED_LANMAN_AUTH;
> > > -@@ -3105,7 +3105,7 @@ static bool test_SamLogon_with_creds(struct torture_context *tctx,
> > > - torture_comment(tctx, "Testing samlogon (%s) as %s password: %s\n",
> > > - interactive ? "interactive" : "network", acct_name, password);
> > > -
> > > -- if (!test_SamLogon(tctx, p, test_credentials,
> > > -+ if (!test_SamLogon(tctx, p, machine_creds, test_credentials,
> > > - expected_samlogon_result, interactive)) {
> > > - torture_warning(tctx, "new password did not work\n");
> > > - ret = false;
> > > -diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
> > > -index 81027d0..15cab73 100644
> > > ---- a/source4/torture/rpc/samsync.c
> > > -+++ b/source4/torture/rpc/samsync.c
> > > -@@ -27,7 +27,6 @@
> > > - #include "system/time.h"
> > > - #include "torture/rpc/torture_rpc.h"
> > > - #include "auth/gensec/gensec.h"
> > > --#include "auth/gensec/schannel.h"
> > > - #include "libcli/auth/libcli_auth.h"
> > > - #include "libcli/samsync/samsync.h"
> > > - #include "libcli/security/security.h"
> > > -@@ -1720,9 +1719,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
> > > - }
> > > - samsync_state->b = samsync_state->p->binding_handle;
> > > -
> > > -- status = dcerpc_schannel_creds(samsync_state->p->conn->security_state.generic_state,
> > > -- samsync_state, &samsync_state->creds);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -+ samsync_state->creds = cli_credentials_get_netlogon_creds(credentials);
> > > -+ if (samsync_state->creds == NULL) {
> > > - ret = false;
> > > - }
> > > -
> > > -@@ -1758,9 +1756,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
> > > - goto failed;
> > > - }
> > > -
> > > -- status = dcerpc_schannel_creds(samsync_state->p_netlogon_wksta->conn->security_state.generic_state,
> > > -- samsync_state, &samsync_state->creds_netlogon_wksta);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -+ samsync_state->creds_netlogon_wksta = cli_credentials_get_netlogon_creds(credentials_wksta);
> > > -+ if (samsync_state->creds_netlogon_wksta == NULL) {
> > > - torture_comment(torture, "Failed to obtail schanel creds!\n");
> > > - ret = false;
> > > - }
> > > -diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
> > > -index 8203749..0098dcf 100644
> > > ---- a/source4/torture/rpc/schannel.c
> > > -+++ b/source4/torture/rpc/schannel.c
> > > -@@ -26,14 +26,12 @@
> > > - #include "auth/credentials/credentials.h"
> > > - #include "torture/rpc/torture_rpc.h"
> > > - #include "lib/cmdline/popt_common.h"
> > > --#include "auth/gensec/schannel.h"
> > > - #include "../libcli/auth/schannel.h"
> > > - #include "libcli/auth/libcli_auth.h"
> > > - #include "libcli/security/security.h"
> > > - #include "system/filesys.h"
> > > - #include "param/param.h"
> > > - #include "librpc/rpc/dcerpc_proto.h"
> > > --#include "auth/gensec/gensec.h"
> > > - #include "libcli/composite/composite.h"
> > > - #include "lib/events/events.h"
> > > -
> > > -@@ -413,8 +411,8 @@ static bool test_schannel(struct torture_context *tctx,
> > > -
> > > - torture_assert_ntstatus_ok(tctx, status, "bind auth");
> > > -
> > > -- status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
> > > -- torture_assert_ntstatus_ok(tctx, status, "schannel creds");
> > > -+ creds = cli_credentials_get_netlogon_creds(credentials);
> > > -+ torture_assert(tctx, (creds != NULL), "schannel creds");
> > > -
> > > - /* checks the capabilities */
> > > - torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From fa1c5bc2cdff9decd361c919567c502ef0c09385 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 2 Aug 2013 12:31:41 +0200
> > > -Subject: [PATCH 075/249] s4:gensec/schannel: remove unused
> > > - dcerpc_schannel_creds()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 4cad5dcb6d5e49cc9bb1aa4ca454f369e00e8c6f)
> > > ----
> > > - source4/auth/gensec/schannel.c | 23 -----------------------
> > > - source4/auth/gensec/schannel.h | 26 --------------------------
> > > - 2 files changed, 49 deletions(-)
> > > - delete mode 100644 source4/auth/gensec/schannel.h
> > > -
> > > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > > -index e7c545f..10d2565 100644
> > > ---- a/source4/auth/gensec/schannel.c
> > > -+++ b/source4/auth/gensec/schannel.c
> > > -@@ -29,7 +29,6 @@
> > > - #include "../libcli/auth/schannel.h"
> > > - #include "librpc/rpc/dcerpc.h"
> > > - #include "param/param.h"
> > > --#include "auth/gensec/schannel.h"
> > > - #include "auth/gensec/gensec_toplevel_proto.h"
> > > -
> > > - _PUBLIC_ NTSTATUS gensec_schannel_init(void);
> > > -@@ -204,28 +203,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > > - }
> > > -
> > > - /**
> > > -- * Return the struct netlogon_creds_CredentialState.
> > > -- *
> > > -- * Make sure not to call this unless gensec is using schannel...
> > > -- */
> > > --
> > > --/* TODO: make this non-public */
> > > --
> > > --_PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- struct netlogon_creds_CredentialState **creds)
> > > --{
> > > -- struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
> > > --
> > > -- *creds = talloc_reference(mem_ctx, state->creds);
> > > -- if (!*creds) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > --
> > > --/**
> > > - * Returns anonymous credentials for schannel, matching Win2k3.
> > > - *
> > > - */
> > > -diff --git a/source4/auth/gensec/schannel.h b/source4/auth/gensec/schannel.h
> > > -deleted file mode 100644
> > > -index 88a32a7..0000000
> > > ---- a/source4/auth/gensec/schannel.h
> > > -+++ /dev/null
> > > -@@ -1,26 +0,0 @@
> > > --/*
> > > -- Unix SMB/CIFS implementation.
> > > --
> > > -- dcerpc schannel operations
> > > --
> > > -- Copyright (C) Andrew Tridgell 2004
> > > -- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
> > > --
> > > -- This program is free software; you can redistribute it and/or modify
> > > -- it under the terms of the GNU General Public License as published by
> > > -- the Free Software Foundation; either version 3 of the License, or
> > > -- (at your option) any later version.
> > > --
> > > -- This program is distributed in the hope that it will be useful,
> > > -- but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > > -- GNU General Public License for more details.
> > > --
> > > -- You should have received a copy of the GNU General Public License
> > > -- along with this program. If not, see <http://www.gnu.org/licenses/>.
> > > --*/
> > > --
> > > --struct netlogon_creds_CredentialState;
> > > --NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- struct netlogon_creds_CredentialState **creds);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From eeb52af669e963ac856fc77be6a47f7ed33d8580 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 2 Aug 2013 13:04:07 +0200
> > > -Subject: [PATCH 076/249] s4:gensec/schannel: simplify the code by using
> > > - netsec_create_state()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 49f347eb11bd12a3f25b0fcb8ba36d4a36594868)
> > > ----
> > > - source4/auth/gensec/schannel.c | 98 +++++++++++++-----------------------------
> > > - 1 file changed, 30 insertions(+), 68 deletions(-)
> > > -
> > > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > > -index 10d2565..3896a41 100644
> > > ---- a/source4/auth/gensec/schannel.c
> > > -+++ b/source4/auth/gensec/schannel.c
> > > -@@ -35,12 +35,11 @@ _PUBLIC_ NTSTATUS gensec_schannel_init(void);
> > > -
> > > - static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
> > > - {
> > > -- struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
> > > -- uint32_t sig_size;
> > > --
> > > -- sig_size = netsec_outgoing_sig_size(state);
> > > -+ struct schannel_state *state =
> > > -+ talloc_get_type_abort(gensec_security->private_data,
> > > -+ struct schannel_state);
> > > -
> > > -- return sig_size;
> > > -+ return netsec_outgoing_sig_size(state);
> > > - }
> > > -
> > > - static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
> > > -@@ -54,7 +53,9 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > > - struct tevent_context *ev,
> > > - const DATA_BLOB in, DATA_BLOB *out)
> > > - {
> > > -- struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
> > > -+ struct schannel_state *state =
> > > -+ talloc_get_type(gensec_security->private_data,
> > > -+ struct schannel_state);
> > > - NTSTATUS status;
> > > - enum ndr_err_code ndr_err;
> > > - struct NL_AUTH_MESSAGE bind_schannel;
> > > -@@ -67,24 +68,22 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > > -
> > > - switch (gensec_security->gensec_role) {
> > > - case GENSEC_CLIENT:
> > > -- if (state->state != SCHANNEL_STATE_START) {
> > > -+ if (state != NULL) {
> > > - /* we could parse the bind ack, but we don't know what it is yet */
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -- state->creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
> > > -- if (state->creds == NULL) {
> > > -+ creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
> > > -+ if (creds == NULL) {
> > > - return NT_STATUS_INVALID_PARAMETER_MIX;
> > > - }
> > > -- /*
> > > -- * We need to create a reference here or we don't get
> > > -- * updates performed on the credentials if we create a
> > > -- * copy.
> > > -- */
> > > -- state->creds = talloc_reference(state, state->creds);
> > > -- if (state->creds == NULL) {
> > > -+
> > > -+ state = netsec_create_state(gensec_security,
> > > -+ creds, true /* initiator */);
> > > -+ if (state == NULL) {
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -+ gensec_security->private_data = state;
> > > -
> > > - bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
> > > - #if 0
> > > -@@ -117,12 +116,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > > - return status;
> > > - }
> > > -
> > > -- state->state = SCHANNEL_STATE_UPDATE_1;
> > > --
> > > - return NT_STATUS_MORE_PROCESSING_REQUIRED;
> > > - case GENSEC_SERVER:
> > > -
> > > -- if (state->state != SCHANNEL_STATE_START) {
> > > -+ if (state != NULL) {
> > > - /* no third leg on this protocol */
> > > - return NT_STATUS_INVALID_PARAMETER;
> > > - }
> > > -@@ -177,7 +174,12 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > > - return status;
> > > - }
> > > -
> > > -- state->creds = talloc_steal(state, creds);
> > > -+ state = netsec_create_state(gensec_security,
> > > -+ creds, false /* not initiator */);
> > > -+ if (state == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ gensec_security->private_data = state;
> > > -
> > > - bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
> > > - bind_schannel_ack.Flags = 0;
> > > -@@ -195,8 +197,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > > - return status;
> > > - }
> > > -
> > > -- state->state = SCHANNEL_STATE_UPDATE_1;
> > > --
> > > - return NT_STATUS_OK;
> > > - }
> > > - return NT_STATUS_INVALID_PARAMETER;
> > > -@@ -214,54 +214,16 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
> > > - return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
> > > - }
> > > -
> > > --static NTSTATUS schannel_start(struct gensec_security *gensec_security)
> > > --{
> > > -- struct schannel_state *state;
> > > --
> > > -- state = talloc_zero(gensec_security, struct schannel_state);
> > > -- if (!state) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- state->state = SCHANNEL_STATE_START;
> > > -- gensec_security->private_data = state;
> > > --
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > - static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
> > > - {
> > > -- NTSTATUS status;
> > > -- struct schannel_state *state;
> > > --
> > > -- status = schannel_start(gensec_security);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > --
> > > -- state = (struct schannel_state *)gensec_security->private_data;
> > > -- state->initiator = false;
> > > --
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > - static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
> > > - {
> > > -- NTSTATUS status;
> > > -- struct schannel_state *state;
> > > --
> > > -- status = schannel_start(gensec_security);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > --
> > > -- state = (struct schannel_state *)gensec_security->private_data;
> > > -- state->initiator = true;
> > > --
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > --
> > > - static bool schannel_have_feature(struct gensec_security *gensec_security,
> > > - uint32_t feature)
> > > - {
> > > -@@ -287,8 +249,8 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
> > > - const DATA_BLOB *sig)
> > > - {
> > > - struct schannel_state *state =
> > > -- talloc_get_type(gensec_security->private_data,
> > > -- struct schannel_state);
> > > -+ talloc_get_type_abort(gensec_security->private_data,
> > > -+ struct schannel_state);
> > > -
> > > - return netsec_incoming_packet(state, true,
> > > - discard_const_p(uint8_t, data),
> > > -@@ -304,8 +266,8 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
> > > - const DATA_BLOB *sig)
> > > - {
> > > - struct schannel_state *state =
> > > -- talloc_get_type(gensec_security->private_data,
> > > -- struct schannel_state);
> > > -+ talloc_get_type_abort(gensec_security->private_data,
> > > -+ struct schannel_state);
> > > -
> > > - return netsec_incoming_packet(state, false,
> > > - discard_const_p(uint8_t, data),
> > > -@@ -321,8 +283,8 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
> > > - DATA_BLOB *sig)
> > > - {
> > > - struct schannel_state *state =
> > > -- talloc_get_type(gensec_security->private_data,
> > > -- struct schannel_state);
> > > -+ talloc_get_type_abort(gensec_security->private_data,
> > > -+ struct schannel_state);
> > > -
> > > - return netsec_outgoing_packet(state, mem_ctx, true,
> > > - data, length, sig);
> > > -@@ -338,8 +300,8 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
> > > - DATA_BLOB *sig)
> > > - {
> > > - struct schannel_state *state =
> > > -- talloc_get_type(gensec_security->private_data,
> > > -- struct schannel_state);
> > > -+ talloc_get_type_abort(gensec_security->private_data,
> > > -+ struct schannel_state);
> > > -
> > > - return netsec_outgoing_packet(state, mem_ctx, false,
> > > - discard_const_p(uint8_t, data),
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 685f00cfd7be11f4c62441e17d6416b9a668bb47 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 2 Aug 2013 13:25:20 +0200
> > > -Subject: [PATCH 077/249] s4:gensec/schannel: use the correct computer_name
> > > - from netlogon_creds_CredentialState
> > > -
> > > -We need to use the same computer_name we used in the netr_Authenticate3
> > > -request.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit b5104768225ae0308aa3f22f8d9bca389ef3cb3a)
> > > ----
> > > - source4/auth/gensec/schannel.c | 6 +++---
> > > - 1 file changed, 3 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > > -index 3896a41..91f166b 100644
> > > ---- a/source4/auth/gensec/schannel.c
> > > -+++ b/source4/auth/gensec/schannel.c
> > > -@@ -94,17 +94,17 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > > - NL_FLAG_UTF8_DNS_DOMAIN_NAME |
> > > - NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
> > > - bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> > > -- bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
> > > -+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
> > > - bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
> > > - /* w2k3 refuses us if we use the full DNS workstation?
> > > - why? perhaps because we don't fill in the dNSHostName
> > > - attribute in the machine account? */
> > > -- bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
> > > -+ bind_schannel.utf8_netbios_computer = creds->computer_name;
> > > - #else
> > > - bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > > - NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> > > - bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> > > -- bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
> > > -+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
> > > - #endif
> > > -
> > > - ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From bd54e89fc5eb4d6afed3ef770dabf14a6ac6b060 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 3 Aug 2013 11:21:32 +0200
> > > -Subject: [PATCH 078/249] s4:gensec/schannel: GENSEC_FEATURE_ASYNC_REPLIES is
> > > - not supported
> > > -
> > > -There's a sequence number attached to the connection,
> > > -which needs to be incremented with each message...
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit a07049a839729e29ca888bae353cd37fd6238486)
> > > ----
> > > - source4/auth/gensec/schannel.c | 3 ---
> > > - 1 file changed, 3 deletions(-)
> > > -
> > > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > > -index 91f166b..7fc0c7c 100644
> > > ---- a/source4/auth/gensec/schannel.c
> > > -+++ b/source4/auth/gensec/schannel.c
> > > -@@ -234,9 +234,6 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
> > > - if (feature & GENSEC_FEATURE_DCE_STYLE) {
> > > - return true;
> > > - }
> > > -- if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
> > > -- return true;
> > > -- }
> > > - return false;
> > > - }
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From afcf626800e8aaf94878d62d1fd7318b2ffe21c1 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 3 Aug 2013 11:27:55 +0200
> > > -Subject: [PATCH 079/249] s4:gensec/schannel: there's no point in having
> > > - schannel_session_key()
> > > -
> > > -gensec_session_key() will return NT_STATUS_NO_USER_SESSION_KEY
> > > -before calling schannel_session_key(), as we don't provide
> > > -GENSEC_FEATURE_SESSION_KEY.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 9b9ab1ae6963b3819dc2b095cbe9e1432f3459b7)
> > > ----
> > > - source4/auth/gensec/schannel.c | 8 --------
> > > - 1 file changed, 8 deletions(-)
> > > -
> > > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > > -index 7fc0c7c..ebf6469 100644
> > > ---- a/source4/auth/gensec/schannel.c
> > > -+++ b/source4/auth/gensec/schannel.c
> > > -@@ -42,13 +42,6 @@ static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t
> > > - return netsec_outgoing_sig_size(state);
> > > - }
> > > -
> > > --static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- DATA_BLOB *session_key)
> > > --{
> > > -- return NT_STATUS_NOT_IMPLEMENTED;
> > > --}
> > > --
> > > - static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> > > - struct tevent_context *ev,
> > > - const DATA_BLOB in, DATA_BLOB *out)
> > > -@@ -315,7 +308,6 @@ static const struct gensec_security_ops gensec_schannel_security_ops = {
> > > - .sign_packet = schannel_sign_packet,
> > > - .check_packet = schannel_check_packet,
> > > - .unseal_packet = schannel_unseal_packet,
> > > -- .session_key = schannel_session_key,
> > > - .session_info = schannel_session_info,
> > > - .sig_size = schannel_sig_size,
> > > - .have_feature = schannel_have_feature,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 56599b7019eabe3656bdba676214c74191ad068f Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 3 Aug 2013 11:32:31 +0200
> > > -Subject: [PATCH 080/249] s4:gensec/schannel: only require
> > > - librpc/gen_ndr/dcerpc.h
> > > -
> > > -We just need DCERPC_AUTH_TYPE_SCHANNEL
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit e90e1b5c76db4cf589adf8856eb32e5f0d955734)
> > > ----
> > > - source4/auth/gensec/schannel.c | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > > -index ebf6469..e67432c 100644
> > > ---- a/source4/auth/gensec/schannel.c
> > > -+++ b/source4/auth/gensec/schannel.c
> > > -@@ -27,7 +27,7 @@
> > > - #include "auth/gensec/gensec.h"
> > > - #include "auth/gensec/gensec_proto.h"
> > > - #include "../libcli/auth/schannel.h"
> > > --#include "librpc/rpc/dcerpc.h"
> > > -+#include "librpc/gen_ndr/dcerpc.h"
> > > - #include "param/param.h"
> > > - #include "auth/gensec/gensec_toplevel_proto.h"
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From baa82a6ef22c1761c7206323e90781d008a7888b Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 2 Aug 2013 13:37:54 +0200
> > > -Subject: [PATCH 081/249] libcli/auth/schannel: make struct schannel_state
> > > - private
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 4c978b68d9a87001f625c10421e7d4cc140b4554)
> > > ----
> > > - libcli/auth/schannel.h | 13 -------------
> > > - libcli/auth/schannel_sign.c | 12 ++++++++++++
> > > - 2 files changed, 12 insertions(+), 13 deletions(-)
> > > -
> > > -diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
> > > -index 271b5bb..c53d68e 100644
> > > ---- a/libcli/auth/schannel.h
> > > -+++ b/libcli/auth/schannel.h
> > > -@@ -22,17 +22,4 @@
> > > -
> > > - #include "libcli/auth/libcli_auth.h"
> > > - #include "libcli/auth/schannel_state.h"
> > > --
> > > --enum schannel_position {
> > > -- SCHANNEL_STATE_START = 0,
> > > -- SCHANNEL_STATE_UPDATE_1
> > > --};
> > > --
> > > --struct schannel_state {
> > > -- enum schannel_position state;
> > > -- uint64_t seq_num;
> > > -- bool initiator;
> > > -- struct netlogon_creds_CredentialState *creds;
> > > --};
> > > --
> > > - #include "libcli/auth/schannel_proto.h"
> > > -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> > > -index 518a6a9..88a6e1e 100644
> > > ---- a/libcli/auth/schannel_sign.c
> > > -+++ b/libcli/auth/schannel_sign.c
> > > -@@ -24,6 +24,18 @@
> > > - #include "../libcli/auth/schannel.h"
> > > - #include "../lib/crypto/crypto.h"
> > > -
> > > -+enum schannel_position {
> > > -+ SCHANNEL_STATE_START = 0,
> > > -+ SCHANNEL_STATE_UPDATE_1
> > > -+};
> > > -+
> > > -+struct schannel_state {
> > > -+ enum schannel_position state;
> > > -+ uint64_t seq_num;
> > > -+ bool initiator;
> > > -+ struct netlogon_creds_CredentialState *creds;
> > > -+};
> > > -+
> > > - #define SETUP_SEQNUM(state, buf, initiator) do { \
> > > - uint8_t *_buf = buf; \
> > > - uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 29806ef23a9826688ace1dc52cd7af554cf83294 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 2 Aug 2013 15:42:21 +0200
> > > -Subject: [PATCH 082/249] libcli/auth/schannel: remove unused schannel_position
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 57bcbb9c50f0a0252110a1e04a2883b511cd9165)
> > > ----
> > > - libcli/auth/schannel_sign.c | 7 -------
> > > - 1 file changed, 7 deletions(-)
> > > -
> > > -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> > > -index 88a6e1e..9502cba 100644
> > > ---- a/libcli/auth/schannel_sign.c
> > > -+++ b/libcli/auth/schannel_sign.c
> > > -@@ -24,13 +24,7 @@
> > > - #include "../libcli/auth/schannel.h"
> > > - #include "../lib/crypto/crypto.h"
> > > -
> > > --enum schannel_position {
> > > -- SCHANNEL_STATE_START = 0,
> > > -- SCHANNEL_STATE_UPDATE_1
> > > --};
> > > --
> > > - struct schannel_state {
> > > -- enum schannel_position state;
> > > - uint64_t seq_num;
> > > - bool initiator;
> > > - struct netlogon_creds_CredentialState *creds;
> > > -@@ -58,7 +52,6 @@ struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > > - return NULL;
> > > - }
> > > -
> > > -- state->state = SCHANNEL_STATE_UPDATE_1;
> > > - state->initiator = initiator;
> > > - state->seq_num = 0;
> > > - state->creds = netlogon_creds_copy(state, creds);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a6ad9118c250446ea9571f5ce9895b11ab8537ed Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 5 Aug 2013 07:12:01 +0200
> > > -Subject: [PATCH 083/249] auth/gensec: introduce gensec_internal.h
> > > -
> > > -We should treat most gensec related structures private.
> > > -
> > > -It's a long way, but this is a start.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 71c63e85e7a09acb57f6b75284358f2b3b29eeed)
> > > ----
> > > - auth/gensec/gensec.c | 1 +
> > > - auth/gensec/gensec.h | 100 ++-------------------------
> > > - auth/gensec/gensec_internal.h | 127 +++++++++++++++++++++++++++++++++++
> > > - auth/gensec/gensec_start.c | 1 +
> > > - auth/gensec/gensec_util.c | 1 +
> > > - auth/gensec/spnego.c | 1 +
> > > - auth/ntlmssp/gensec_ntlmssp.c | 1 +
> > > - auth/ntlmssp/gensec_ntlmssp_server.c | 1 +
> > > - auth/ntlmssp/ntlmssp.c | 1 +
> > > - auth/ntlmssp/ntlmssp_client.c | 1 +
> > > - auth/ntlmssp/ntlmssp_server.c | 1 +
> > > - source3/libads/authdata.c | 1 +
> > > - source3/librpc/crypto/gse.c | 1 +
> > > - source3/libsmb/ntlmssp_wrap.c | 1 +
> > > - source3/utils/ntlm_auth.c | 1 +
> > > - source4/auth/gensec/cyrus_sasl.c | 1 +
> > > - source4/auth/gensec/gensec_gssapi.c | 1 +
> > > - source4/auth/gensec/gensec_krb5.c | 1 +
> > > - source4/auth/gensec/pygensec.c | 1 +
> > > - source4/auth/gensec/schannel.c | 1 +
> > > - source4/ldap_server/ldap_backend.c | 1 +
> > > - source4/libcli/ldap/ldap_bind.c | 1 +
> > > - source4/torture/auth/ntlmssp.c | 1 +
> > > - source4/utils/ntlm_auth.c | 1 +
> > > - 24 files changed, 153 insertions(+), 96 deletions(-)
> > > - create mode 100644 auth/gensec/gensec_internal.h
> > > -
> > > -diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
> > > -index 9a8f0ef..d364a34 100644
> > > ---- a/auth/gensec/gensec.c
> > > -+++ b/auth/gensec/gensec.c
> > > -@@ -26,6 +26,7 @@
> > > - #include "lib/tsocket/tsocket.h"
> > > - #include "lib/util/tevent_ntstatus.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "librpc/rpc/dcerpc.h"
> > > -
> > > - /*
> > > -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> > > -index c080861..5d39d81 100644
> > > ---- a/auth/gensec/gensec.h
> > > -+++ b/auth/gensec/gensec.h
> > > -@@ -76,6 +76,7 @@ struct gensec_settings;
> > > - struct tevent_context;
> > > - struct tevent_req;
> > > - struct smb_krb5_context;
> > > -+struct tsocket_address;
> > > -
> > > - struct gensec_settings {
> > > - struct loadparm_context *lp_ctx;
> > > -@@ -93,106 +94,13 @@ struct gensec_settings {
> > > - const char *server_netbios_name;
> > > - };
> > > -
> > > --struct gensec_security_ops {
> > > -- const char *name;
> > > -- const char *sasl_name;
> > > -- uint8_t auth_type; /* 0 if not offered on DCE-RPC */
> > > -- const char **oid; /* NULL if not offered by SPNEGO */
> > > -- NTSTATUS (*client_start)(struct gensec_security *gensec_security);
> > > -- NTSTATUS (*server_start)(struct gensec_security *gensec_security);
> > > -- /**
> > > -- Determine if a packet has the right 'magic' for this mechanism
> > > -- */
> > > -- NTSTATUS (*magic)(struct gensec_security *gensec_security,
> > > -- const DATA_BLOB *first_packet);
> > > -- NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> > > -- struct tevent_context *ev,
> > > -- const DATA_BLOB in, DATA_BLOB *out);
> > > -- NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> > > -- uint8_t *data, size_t length,
> > > -- const uint8_t *whole_pdu, size_t pdu_length,
> > > -- DATA_BLOB *sig);
> > > -- NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> > > -- const uint8_t *data, size_t length,
> > > -- const uint8_t *whole_pdu, size_t pdu_length,
> > > -- DATA_BLOB *sig);
> > > -- size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
> > > -- size_t (*max_input_size)(struct gensec_security *gensec_security);
> > > -- size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
> > > -- NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
> > > -- const uint8_t *data, size_t length,
> > > -- const uint8_t *whole_pdu, size_t pdu_length,
> > > -- const DATA_BLOB *sig);
> > > -- NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
> > > -- uint8_t *data, size_t length,
> > > -- const uint8_t *whole_pdu, size_t pdu_length,
> > > -- const DATA_BLOB *sig);
> > > -- NTSTATUS (*wrap)(struct gensec_security *gensec_security,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- const DATA_BLOB *in,
> > > -- DATA_BLOB *out);
> > > -- NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- const DATA_BLOB *in,
> > > -- DATA_BLOB *out);
> > > -- NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- const DATA_BLOB *in,
> > > -- DATA_BLOB *out,
> > > -- size_t *len_processed);
> > > -- NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- const DATA_BLOB *in,
> > > -- DATA_BLOB *out,
> > > -- size_t *len_processed);
> > > -- NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
> > > -- DATA_BLOB blob, size_t *size);
> > > -- NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
> > > -- DATA_BLOB *session_key);
> > > -- NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
> > > -- struct auth_session_info **session_info);
> > > -- void (*want_feature)(struct gensec_security *gensec_security,
> > > -- uint32_t feature);
> > > -- bool (*have_feature)(struct gensec_security *gensec_security,
> > > -- uint32_t feature);
> > > -- NTTIME (*expire_time)(struct gensec_security *gensec_security);
> > > -- bool enabled;
> > > -- bool kerberos;
> > > -- enum gensec_priority priority;
> > > --};
> > > --
> > > --struct gensec_security_ops_wrapper {
> > > -- const struct gensec_security_ops *op;
> > > -- const char *oid;
> > > --};
> > > -+struct gensec_security_ops;
> > > -+struct gensec_security_ops_wrapper;
> > > -
> > > - #define GENSEC_INTERFACE_VERSION 0
> > > -
> > > --struct gensec_security {
> > > -- const struct gensec_security_ops *ops;
> > > -- void *private_data;
> > > -- struct cli_credentials *credentials;
> > > -- struct gensec_target target;
> > > -- enum gensec_role gensec_role;
> > > -- bool subcontext;
> > > -- uint32_t want_features;
> > > -- uint32_t max_update_size;
> > > -- uint8_t dcerpc_auth_level;
> > > -- struct tsocket_address *local_addr, *remote_addr;
> > > -- struct gensec_settings *settings;
> > > --
> > > -- /* When we are a server, this may be filled in to provide an
> > > -- * NTLM authentication backend, and user lookup (such as if no
> > > -- * PAC is found) */
> > > -- struct auth4_context *auth_context;
> > > --};
> > > --
> > > - /* this structure is used by backends to determine the size of some critical types */
> > > --struct gensec_critical_sizes {
> > > -- int interface_version;
> > > -- int sizeof_gensec_security_ops;
> > > -- int sizeof_gensec_security;
> > > --};
> > > -+struct gensec_critical_sizes;
> > > - const struct gensec_critical_sizes *gensec_interface_version(void);
> > > -
> > > - /* Socket wrapper */
> > > -diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
> > > -new file mode 100644
> > > -index 0000000..41b6f0d
> > > ---- /dev/null
> > > -+++ b/auth/gensec/gensec_internal.h
> > > -@@ -0,0 +1,127 @@
> > > -+/*
> > > -+ Unix SMB/CIFS implementation.
> > > -+
> > > -+ Generic Authentication Interface
> > > -+
> > > -+ Copyright (C) Andrew Tridgell 2003
> > > -+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
> > > -+
> > > -+ This program is free software; you can redistribute it and/or modify
> > > -+ it under the terms of the GNU General Public License as published by
> > > -+ the Free Software Foundation; either version 3 of the License, or
> > > -+ (at your option) any later version.
> > > -+
> > > -+ This program is distributed in the hope that it will be useful,
> > > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > > -+ GNU General Public License for more details.
> > > -+
> > > -+ You should have received a copy of the GNU General Public License
> > > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > > -+*/
> > > -+
> > > -+#ifndef __GENSEC_INTERNAL_H__
> > > -+#define __GENSEC_INTERNAL_H__
> > > -+
> > > -+struct gensec_security;
> > > -+
> > > -+struct gensec_security_ops {
> > > -+ const char *name;
> > > -+ const char *sasl_name;
> > > -+ uint8_t auth_type; /* 0 if not offered on DCE-RPC */
> > > -+ const char **oid; /* NULL if not offered by SPNEGO */
> > > -+ NTSTATUS (*client_start)(struct gensec_security *gensec_security);
> > > -+ NTSTATUS (*server_start)(struct gensec_security *gensec_security);
> > > -+ /**
> > > -+ Determine if a packet has the right 'magic' for this mechanism
> > > -+ */
> > > -+ NTSTATUS (*magic)(struct gensec_security *gensec_security,
> > > -+ const DATA_BLOB *first_packet);
> > > -+ NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ const DATA_BLOB in, DATA_BLOB *out);
> > > -+ NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> > > -+ uint8_t *data, size_t length,
> > > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > > -+ DATA_BLOB *sig);
> > > -+ NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> > > -+ const uint8_t *data, size_t length,
> > > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > > -+ DATA_BLOB *sig);
> > > -+ size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
> > > -+ size_t (*max_input_size)(struct gensec_security *gensec_security);
> > > -+ size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
> > > -+ NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
> > > -+ const uint8_t *data, size_t length,
> > > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > > -+ const DATA_BLOB *sig);
> > > -+ NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
> > > -+ uint8_t *data, size_t length,
> > > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > > -+ const DATA_BLOB *sig);
> > > -+ NTSTATUS (*wrap)(struct gensec_security *gensec_security,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ const DATA_BLOB *in,
> > > -+ DATA_BLOB *out);
> > > -+ NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ const DATA_BLOB *in,
> > > -+ DATA_BLOB *out);
> > > -+ NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ const DATA_BLOB *in,
> > > -+ DATA_BLOB *out,
> > > -+ size_t *len_processed);
> > > -+ NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ const DATA_BLOB *in,
> > > -+ DATA_BLOB *out,
> > > -+ size_t *len_processed);
> > > -+ NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
> > > -+ DATA_BLOB blob, size_t *size);
> > > -+ NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
> > > -+ DATA_BLOB *session_key);
> > > -+ NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
> > > -+ struct auth_session_info **session_info);
> > > -+ void (*want_feature)(struct gensec_security *gensec_security,
> > > -+ uint32_t feature);
> > > -+ bool (*have_feature)(struct gensec_security *gensec_security,
> > > -+ uint32_t feature);
> > > -+ NTTIME (*expire_time)(struct gensec_security *gensec_security);
> > > -+ bool enabled;
> > > -+ bool kerberos;
> > > -+ enum gensec_priority priority;
> > > -+};
> > > -+
> > > -+struct gensec_security_ops_wrapper {
> > > -+ const struct gensec_security_ops *op;
> > > -+ const char *oid;
> > > -+};
> > > -+
> > > -+struct gensec_security {
> > > -+ const struct gensec_security_ops *ops;
> > > -+ void *private_data;
> > > -+ struct cli_credentials *credentials;
> > > -+ struct gensec_target target;
> > > -+ enum gensec_role gensec_role;
> > > -+ bool subcontext;
> > > -+ uint32_t want_features;
> > > -+ uint32_t max_update_size;
> > > -+ uint8_t dcerpc_auth_level;
> > > -+ struct tsocket_address *local_addr, *remote_addr;
> > > -+ struct gensec_settings *settings;
> > > -+
> > > -+ /* When we are a server, this may be filled in to provide an
> > > -+ * NTLM authentication backend, and user lookup (such as if no
> > > -+ * PAC is found) */
> > > -+ struct auth4_context *auth_context;
> > > -+};
> > > -+
> > > -+/* this structure is used by backends to determine the size of some critical types */
> > > -+struct gensec_critical_sizes {
> > > -+ int interface_version;
> > > -+ int sizeof_gensec_security_ops;
> > > -+ int sizeof_gensec_security;
> > > -+};
> > > -+
> > > -+#endif /* __GENSEC_H__ */
> > > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > > -index c2cfa1c..34029f5 100644
> > > ---- a/auth/gensec/gensec_start.c
> > > -+++ b/auth/gensec/gensec_start.c
> > > -@@ -27,6 +27,7 @@
> > > - #include "librpc/rpc/dcerpc.h"
> > > - #include "auth/credentials/credentials.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "lib/param/param.h"
> > > - #include "lib/util/tsort.h"
> > > - #include "lib/util/samba_modules.h"
> > > -diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
> > > -index 64952b1..568128a 100644
> > > ---- a/auth/gensec/gensec_util.c
> > > -+++ b/auth/gensec/gensec_util.c
> > > -@@ -22,6 +22,7 @@
> > > -
> > > - #include "includes.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "auth/common_auth.h"
> > > - #include "../lib/util/asn1.h"
> > > -
> > > -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
> > > -index da1fc0e..38a45f8 100644
> > > ---- a/auth/gensec/spnego.c
> > > -+++ b/auth/gensec/spnego.c
> > > -@@ -27,6 +27,7 @@
> > > - #include "librpc/gen_ndr/ndr_dcerpc.h"
> > > - #include "auth/credentials/credentials.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "param/param.h"
> > > - #include "lib/util/asn1.h"
> > > -
> > > -diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
> > > -index 9e1d8a8..654c0e3 100644
> > > ---- a/auth/ntlmssp/gensec_ntlmssp.c
> > > -+++ b/auth/ntlmssp/gensec_ntlmssp.c
> > > -@@ -22,6 +22,7 @@
> > > - #include "includes.h"
> > > - #include "auth/ntlmssp/ntlmssp.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "auth/ntlmssp/ntlmssp_private.h"
> > > -
> > > - NTSTATUS gensec_ntlmssp_magic(struct gensec_security *gensec_security,
> > > -diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
> > > -index f4dfab3..69c56fb 100644
> > > ---- a/auth/ntlmssp/gensec_ntlmssp_server.c
> > > -+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
> > > -@@ -31,6 +31,7 @@
> > > - #include "../libcli/auth/libcli_auth.h"
> > > - #include "../lib/crypto/crypto.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "auth/common_auth.h"
> > > - #include "param/param.h"
> > > -
> > > -diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
> > > -index 1a2d662..916b376 100644
> > > ---- a/auth/ntlmssp/ntlmssp.c
> > > -+++ b/auth/ntlmssp/ntlmssp.c
> > > -@@ -29,6 +29,7 @@ struct auth_session_info;
> > > - #include "../libcli/auth/libcli_auth.h"
> > > - #include "librpc/gen_ndr/ndr_dcerpc.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > -
> > > - /**
> > > - * Callbacks for NTLMSSP - for both client and server operating modes
> > > -diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
> > > -index fc66a8d..f99257d 100644
> > > ---- a/auth/ntlmssp/ntlmssp_client.c
> > > -+++ b/auth/ntlmssp/ntlmssp_client.c
> > > -@@ -29,6 +29,7 @@ struct auth_session_info;
> > > - #include "../libcli/auth/libcli_auth.h"
> > > - #include "auth/credentials/credentials.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "param/param.h"
> > > - #include "auth/ntlmssp/ntlmssp_private.h"
> > > - #include "../librpc/gen_ndr/ndr_ntlmssp.h"
> > > -diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
> > > -index 57179e1..2f3f0bb 100644
> > > ---- a/auth/ntlmssp/ntlmssp_server.c
> > > -+++ b/auth/ntlmssp/ntlmssp_server.c
> > > -@@ -28,6 +28,7 @@
> > > - #include "../libcli/auth/libcli_auth.h"
> > > - #include "../lib/crypto/crypto.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "auth/common_auth.h"
> > > -
> > > - /**
> > > -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> > > -index 2c667a6..582917d 100644
> > > ---- a/source3/libads/authdata.c
> > > -+++ b/source3/libads/authdata.c
> > > -@@ -30,6 +30,7 @@
> > > - #include "lib/param/param.h"
> > > - #include "librpc/crypto/gse.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> > > - #include "../libcli/auth/spnego.h"
> > > -
> > > - #ifdef HAVE_KRB5
> > > -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
> > > -index 11a5457..8db3cdd 100644
> > > ---- a/source3/librpc/crypto/gse.c
> > > -+++ b/source3/librpc/crypto/gse.c
> > > -@@ -26,6 +26,7 @@
> > > - #include "libads/kerberos_proto.h"
> > > - #include "auth/common_auth.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "auth/credentials/credentials.h"
> > > - #include "../librpc/gen_ndr/dcerpc.h"
> > > -
> > > -diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c
> > > -index 9ce4b12..46f68ae 100644
> > > ---- a/source3/libsmb/ntlmssp_wrap.c
> > > -+++ b/source3/libsmb/ntlmssp_wrap.c
> > > -@@ -23,6 +23,7 @@
> > > - #include "auth/ntlmssp/ntlmssp_private.h"
> > > - #include "auth_generic.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "auth/credentials/credentials.h"
> > > - #include "librpc/rpc/dcerpc.h"
> > > - #include "lib/param/param.h"
> > > -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> > > -index a5e0cd2..5fcb60e 100644
> > > ---- a/source3/utils/ntlm_auth.c
> > > -+++ b/source3/utils/ntlm_auth.c
> > > -@@ -32,6 +32,7 @@
> > > - #include "../libcli/auth/spnego.h"
> > > - #include "auth/ntlmssp/ntlmssp.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "auth/credentials/credentials.h"
> > > - #include "librpc/crypto/gse.h"
> > > - #include "smb_krb5.h"
> > > -diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
> > > -index 2e733bf..08dccd6 100644
> > > ---- a/source4/auth/gensec/cyrus_sasl.c
> > > -+++ b/source4/auth/gensec/cyrus_sasl.c
> > > -@@ -23,6 +23,7 @@
> > > - #include "lib/tsocket/tsocket.h"
> > > - #include "auth/credentials/credentials.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "auth/gensec/gensec_proto.h"
> > > - #include "auth/gensec/gensec_toplevel_proto.h"
> > > - #include <sasl/sasl.h>
> > > -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
> > > -index 4fc544f..63a53bf 100644
> > > ---- a/source4/auth/gensec/gensec_gssapi.c
> > > -+++ b/source4/auth/gensec/gensec_gssapi.c
> > > -@@ -34,6 +34,7 @@
> > > - #include "auth/credentials/credentials.h"
> > > - #include "auth/credentials/credentials_krb5.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "auth/gensec/gensec_proto.h"
> > > - #include "auth/gensec/gensec_toplevel_proto.h"
> > > - #include "param/param.h"
> > > -diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
> > > -index fbec64c..ecc3331 100644
> > > ---- a/source4/auth/gensec/gensec_krb5.c
> > > -+++ b/source4/auth/gensec/gensec_krb5.c
> > > -@@ -34,6 +34,7 @@
> > > - #include "auth/credentials/credentials_krb5.h"
> > > - #include "auth/kerberos/kerberos_credentials.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "auth/gensec/gensec_proto.h"
> > > - #include "auth/gensec/gensec_toplevel_proto.h"
> > > - #include "param/param.h"
> > > -diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c
> > > -index 02e5ae2..fd6daff 100644
> > > ---- a/source4/auth/gensec/pygensec.c
> > > -+++ b/source4/auth/gensec/pygensec.c
> > > -@@ -20,6 +20,7 @@
> > > - #include "includes.h"
> > > - #include "param/pyparam.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> > > - #include "auth/credentials/pycredentials.h"
> > > - #include "libcli/util/pyerrors.h"
> > > - #include "python/modules.h"
> > > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > > -index e67432c..eb2e100 100644
> > > ---- a/source4/auth/gensec/schannel.c
> > > -+++ b/source4/auth/gensec/schannel.c
> > > -@@ -25,6 +25,7 @@
> > > - #include "auth/auth.h"
> > > - #include "auth/credentials/credentials.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "auth/gensec/gensec_proto.h"
> > > - #include "../libcli/auth/schannel.h"
> > > - #include "librpc/gen_ndr/dcerpc.h"
> > > -diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
> > > -index 4a195e5..f0da82c 100644
> > > ---- a/source4/ldap_server/ldap_backend.c
> > > -+++ b/source4/ldap_server/ldap_backend.c
> > > -@@ -23,6 +23,7 @@
> > > - #include "../lib/util/dlinklist.h"
> > > - #include "auth/credentials/credentials.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> > > - #include "param/param.h"
> > > - #include "smbd/service_stream.h"
> > > - #include "dsdb/samdb/samdb.h"
> > > -diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
> > > -index b355e18..f0a498b 100644
> > > ---- a/source4/libcli/ldap/ldap_bind.c
> > > -+++ b/source4/libcli/ldap/ldap_bind.c
> > > -@@ -27,6 +27,7 @@
> > > - #include "libcli/ldap/ldap_client.h"
> > > - #include "lib/tls/tls.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> > > - #include "auth/gensec/gensec_socket.h"
> > > - #include "auth/credentials/credentials.h"
> > > - #include "lib/stream/packet.h"
> > > -diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c
> > > -index bdaa65b..45e5889 100644
> > > ---- a/source4/torture/auth/ntlmssp.c
> > > -+++ b/source4/torture/auth/ntlmssp.c
> > > -@@ -19,6 +19,7 @@
> > > -
> > > - #include "includes.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > - #include "auth/ntlmssp/ntlmssp.h"
> > > - #include "auth/ntlmssp/ntlmssp_private.h"
> > > - #include "lib/cmdline/popt_common.h"
> > > -diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
> > > -index 136e238..1e2feb0 100644
> > > ---- a/source4/utils/ntlm_auth.c
> > > -+++ b/source4/utils/ntlm_auth.c
> > > -@@ -27,6 +27,7 @@
> > > - #include <ldb.h>
> > > - #include "auth/credentials/credentials.h"
> > > - #include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
> > > - #include "auth/auth.h"
> > > - #include "librpc/gen_ndr/ndr_netlogon.h"
> > > - #include "auth/auth_sam.h"
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From fabdf9f539385d97bc4bf2550e7fd4de2d1b5d01 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 5 Aug 2013 10:37:26 +0200
> > > -Subject: [PATCH 084/249] auth/gensec: avoid talloc_reference in
> > > - gensec_use_kerberos_mechs()
> > > -
> > > -We now always copy.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 3e3534f882651880093381f5a7846c0938df6501)
> > > ----
> > > - auth/gensec/gensec_start.c | 38 ++++++++++++++++++++------------------
> > > - 1 file changed, 20 insertions(+), 18 deletions(-)
> > > -
> > > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > > -index 34029f5..096ad36 100644
> > > ---- a/auth/gensec/gensec_start.c
> > > -+++ b/auth/gensec/gensec_start.c
> > > -@@ -80,13 +80,6 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
> > > - use_kerberos = cli_credentials_get_kerberos_state(creds);
> > > - }
> > > -
> > > -- if (use_kerberos == CRED_AUTO_USE_KERBEROS) {
> > > -- if (!talloc_reference(mem_ctx, old_gensec_list)) {
> > > -- return NULL;
> > > -- }
> > > -- return old_gensec_list;
> > > -- }
> > > --
> > > - for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
> > > - /* noop */
> > > - }
> > > -@@ -99,35 +92,44 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
> > > - j = 0;
> > > - for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
> > > - int oid_idx;
> > > -- bool found_spnego = false;
> > > -+ bool keep = false;
> > > -+
> > > - for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
> > > - if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
> > > -- new_gensec_list[j] = old_gensec_list[i];
> > > -- j++;
> > > -- found_spnego = true;
> > > -+ keep = true;
> > > - break;
> > > - }
> > > - }
> > > -- if (found_spnego) {
> > > -- continue;
> > > -- }
> > > -+
> > > - switch (use_kerberos) {
> > > -+ case CRED_AUTO_USE_KERBEROS:
> > > -+ keep = true;
> > > -+ break;
> > > -+
> > > - case CRED_DONT_USE_KERBEROS:
> > > - if (old_gensec_list[i]->kerberos == false) {
> > > -- new_gensec_list[j] = old_gensec_list[i];
> > > -- j++;
> > > -+ keep = true;
> > > - }
> > > -+
> > > - break;
> > > -+
> > > - case CRED_MUST_USE_KERBEROS:
> > > - if (old_gensec_list[i]->kerberos == true) {
> > > -- new_gensec_list[j] = old_gensec_list[i];
> > > -- j++;
> > > -+ keep = true;
> > > - }
> > > -+
> > > - break;
> > > - default:
> > > - /* Can't happen or invalid parameter */
> > > - return NULL;
> > > - }
> > > -+
> > > -+ if (!keep) {
> > > -+ continue;
> > > -+ }
> > > -+
> > > -+ new_gensec_list[j] = old_gensec_list[i];
> > > -+ j++;
> > > - }
> > > - new_gensec_list[j] = NULL;
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From b71ed3dd183d64beda108d0881c03978ef4b3892 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 5 Aug 2013 10:39:16 +0200
> > > -Subject: [PATCH 085/249] auth/gensec: avoid talloc_reference in
> > > - gensec_security_mechs()
> > > -
> > > -We now always copy.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 6a7a44db5999af7262478eb1c186d784d6075beb)
> > > ----
> > > - auth/gensec/gensec_start.c | 27 +++++++++------------------
> > > - 1 file changed, 9 insertions(+), 18 deletions(-)
> > > -
> > > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > > -index 096ad36..00e2759 100644
> > > ---- a/auth/gensec/gensec_start.c
> > > -+++ b/auth/gensec/gensec_start.c
> > > -@@ -140,28 +140,19 @@ _PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
> > > - struct gensec_security *gensec_security,
> > > - TALLOC_CTX *mem_ctx)
> > > - {
> > > -- struct gensec_security_ops **backends;
> > > -- if (!gensec_security) {
> > > -- backends = gensec_security_all();
> > > -- if (!talloc_reference(mem_ctx, backends)) {
> > > -- return NULL;
> > > -- }
> > > -- return backends;
> > > -- } else {
> > > -- struct cli_credentials *creds = gensec_get_credentials(gensec_security);
> > > -+ struct cli_credentials *creds = NULL;
> > > -+ struct gensec_security_ops **backends = gensec_security_all();
> > > -+
> > > -+ if (gensec_security != NULL) {
> > > -+ creds = gensec_get_credentials(gensec_security);
> > > -+
> > > - if (gensec_security->settings->backends) {
> > > - backends = gensec_security->settings->backends;
> > > -- } else {
> > > -- backends = gensec_security_all();
> > > - }
> > > -- if (!creds) {
> > > -- if (!talloc_reference(mem_ctx, backends)) {
> > > -- return NULL;
> > > -- }
> > > -- return backends;
> > > -- }
> > > -- return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
> > > - }
> > > -+
> > > -+ return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
> > > -+
> > > - }
> > > -
> > > - static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From fe6a14d48b0eb3dfcfc6d7f0b68e8f28b7ad9796 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 5 Aug 2013 16:12:13 +0200
> > > -Subject: [PATCH 086/249] auth/gensec: make it possible to implement async
> > > - backends
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit e81550c8117166d0fbf69ba1d3957cb950c42961)
> > > ----
> > > - auth/gensec/gensec.c | 202 ++++++++++++++++++++++++++++++++----------
> > > - auth/gensec/gensec_internal.h | 7 ++
> > > - 2 files changed, 160 insertions(+), 49 deletions(-)
> > > -
> > > -diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
> > > -index d364a34..abcbcb9 100644
> > > ---- a/auth/gensec/gensec.c
> > > -+++ b/auth/gensec/gensec.c
> > > -@@ -218,61 +218,92 @@ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_
> > > - const DATA_BLOB in, DATA_BLOB *out)
> > > - {
> > > - NTSTATUS status;
> > > -+ const struct gensec_security_ops *ops = gensec_security->ops;
> > > -+ TALLOC_CTX *frame = NULL;
> > > -+ struct tevent_req *subreq = NULL;
> > > -+ bool ok;
> > > -
> > > -- status = gensec_security->ops->update(gensec_security, out_mem_ctx,
> > > -- ev, in, out);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > -+ if (ops->update_send == NULL) {
> > > -
> > > -- /*
> > > -- * Because callers using the
> > > -- * gensec_start_mech_by_auth_type() never call
> > > -- * gensec_want_feature(), it isn't sensible for them
> > > -- * to have to call gensec_have_feature() manually, and
> > > -- * these are not points of negotiation, but are
> > > -- * asserted by the client
> > > -- */
> > > -- switch (gensec_security->dcerpc_auth_level) {
> > > -- case DCERPC_AUTH_LEVEL_INTEGRITY:
> > > -- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
> > > -- DEBUG(0,("Did not manage to negotiate mandetory feature "
> > > -- "SIGN for dcerpc auth_level %u\n",
> > > -- gensec_security->dcerpc_auth_level));
> > > -- return NT_STATUS_ACCESS_DENIED;
> > > -- }
> > > -- break;
> > > -- case DCERPC_AUTH_LEVEL_PRIVACY:
> > > -- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
> > > -- DEBUG(0,("Did not manage to negotiate mandetory feature "
> > > -- "SIGN for dcerpc auth_level %u\n",
> > > -- gensec_security->dcerpc_auth_level));
> > > -- return NT_STATUS_ACCESS_DENIED;
> > > -+ status = ops->update(gensec_security, out_mem_ctx,
> > > -+ ev, in, out);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > - }
> > > -- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
> > > -- DEBUG(0,("Did not manage to negotiate mandetory feature "
> > > -- "SEAL for dcerpc auth_level %u\n",
> > > -- gensec_security->dcerpc_auth_level));
> > > -- return NT_STATUS_ACCESS_DENIED;
> > > -+
> > > -+ /*
> > > -+ * Because callers using the
> > > -+ * gensec_start_mech_by_auth_type() never call
> > > -+ * gensec_want_feature(), it isn't sensible for them
> > > -+ * to have to call gensec_have_feature() manually, and
> > > -+ * these are not points of negotiation, but are
> > > -+ * asserted by the client
> > > -+ */
> > > -+ switch (gensec_security->dcerpc_auth_level) {
> > > -+ case DCERPC_AUTH_LEVEL_INTEGRITY:
> > > -+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
> > > -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> > > -+ "SIGN for dcerpc auth_level %u\n",
> > > -+ gensec_security->dcerpc_auth_level));
> > > -+ return NT_STATUS_ACCESS_DENIED;
> > > -+ }
> > > -+ break;
> > > -+ case DCERPC_AUTH_LEVEL_PRIVACY:
> > > -+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
> > > -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> > > -+ "SIGN for dcerpc auth_level %u\n",
> > > -+ gensec_security->dcerpc_auth_level));
> > > -+ return NT_STATUS_ACCESS_DENIED;
> > > -+ }
> > > -+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
> > > -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> > > -+ "SEAL for dcerpc auth_level %u\n",
> > > -+ gensec_security->dcerpc_auth_level));
> > > -+ return NT_STATUS_ACCESS_DENIED;
> > > -+ }
> > > -+ break;
> > > -+ default:
> > > -+ break;
> > > - }
> > > -- break;
> > > -- default:
> > > -- break;
> > > -+
> > > -+ return NT_STATUS_OK;
> > > - }
> > > -
> > > -- return NT_STATUS_OK;
> > > -+ frame = talloc_stackframe();
> > > -+
> > > -+ subreq = ops->update_send(frame, ev, gensec_security, in);
> > > -+ if (subreq == NULL) {
> > > -+ goto fail;
> > > -+ }
> > > -+ ok = tevent_req_poll_ntstatus(subreq, ev, &status);
> > > -+ if (!ok) {
> > > -+ goto fail;
> > > -+ }
> > > -+ status = ops->update_recv(subreq, out_mem_ctx, out);
> > > -+ fail:
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > - }
> > > -
> > > - struct gensec_update_state {
> > > -- struct tevent_immediate *im;
> > > -+ const struct gensec_security_ops *ops;
> > > -+ struct tevent_req *subreq;
> > > - struct gensec_security *gensec_security;
> > > -- DATA_BLOB in;
> > > - DATA_BLOB out;
> > > -+
> > > -+ /*
> > > -+ * only for sync backends, we should remove this
> > > -+ * once all backends are async.
> > > -+ */
> > > -+ struct tevent_immediate *im;
> > > -+ DATA_BLOB in;
> > > - };
> > > -
> > > - static void gensec_update_async_trigger(struct tevent_context *ctx,
> > > - struct tevent_immediate *im,
> > > - void *private_data);
> > > -+static void gensec_update_subreq_done(struct tevent_req *subreq);
> > > -+
> > > - /**
> > > - * Next state function for the GENSEC state machine async version
> > > - *
> > > -@@ -298,17 +329,31 @@ _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
> > > - return NULL;
> > > - }
> > > -
> > > -- state->gensec_security = gensec_security;
> > > -- state->in = in;
> > > -- state->out = data_blob(NULL, 0);
> > > -- state->im = tevent_create_immediate(state);
> > > -- if (tevent_req_nomem(state->im, req)) {
> > > -+ state->ops = gensec_security->ops;
> > > -+ state->gensec_security = gensec_security;
> > > -+
> > > -+ if (state->ops->update_send == NULL) {
> > > -+ state->in = in;
> > > -+ state->im = tevent_create_immediate(state);
> > > -+ if (tevent_req_nomem(state->im, req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ tevent_schedule_immediate(state->im, ev,
> > > -+ gensec_update_async_trigger,
> > > -+ req);
> > > -+
> > > -+ return req;
> > > -+ }
> > > -+
> > > -+ state->subreq = state->ops->update_send(state, ev, gensec_security, in);
> > > -+ if (tevent_req_nomem(state->subreq, req)) {
> > > - return tevent_req_post(req, ev);
> > > - }
> > > -
> > > -- tevent_schedule_immediate(state->im, ev,
> > > -- gensec_update_async_trigger,
> > > -- req);
> > > -+ tevent_req_set_callback(state->subreq,
> > > -+ gensec_update_subreq_done,
> > > -+ req);
> > > -
> > > - return req;
> > > - }
> > > -@@ -323,12 +368,71 @@ static void gensec_update_async_trigger(struct tevent_context *ctx,
> > > - tevent_req_data(req, struct gensec_update_state);
> > > - NTSTATUS status;
> > > -
> > > -- status = gensec_update(state->gensec_security, state, ctx,
> > > -- state->in, &state->out);
> > > -+ status = state->ops->update(state->gensec_security, state, ctx,
> > > -+ state->in, &state->out);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ tevent_req_done(req);
> > > -+}
> > > -+
> > > -+static void gensec_update_subreq_done(struct tevent_req *subreq)
> > > -+{
> > > -+ struct tevent_req *req =
> > > -+ tevent_req_callback_data(subreq,
> > > -+ struct tevent_req);
> > > -+ struct gensec_update_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct gensec_update_state);
> > > -+ NTSTATUS status;
> > > -+
> > > -+ state->subreq = NULL;
> > > -+
> > > -+ status = state->ops->update_recv(subreq, state, &state->out);
> > > -+ TALLOC_FREE(subreq);
> > > - if (tevent_req_nterror(req, status)) {
> > > - return;
> > > - }
> > > -
> > > -+ /*
> > > -+ * Because callers using the
> > > -+ * gensec_start_mech_by_authtype() never call
> > > -+ * gensec_want_feature(), it isn't sensible for them
> > > -+ * to have to call gensec_have_feature() manually, and
> > > -+ * these are not points of negotiation, but are
> > > -+ * asserted by the client
> > > -+ */
> > > -+ switch (state->gensec_security->dcerpc_auth_level) {
> > > -+ case DCERPC_AUTH_LEVEL_INTEGRITY:
> > > -+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
> > > -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> > > -+ "SIGN for dcerpc auth_level %u\n",
> > > -+ state->gensec_security->dcerpc_auth_level));
> > > -+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
> > > -+ return;
> > > -+ }
> > > -+ break;
> > > -+ case DCERPC_AUTH_LEVEL_PRIVACY:
> > > -+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
> > > -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> > > -+ "SIGN for dcerpc auth_level %u\n",
> > > -+ state->gensec_security->dcerpc_auth_level));
> > > -+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
> > > -+ return;
> > > -+ }
> > > -+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SEAL)) {
> > > -+ DEBUG(0,("Did not manage to negotiate mandetory feature "
> > > -+ "SEAL for dcerpc auth_level %u\n",
> > > -+ state->gensec_security->dcerpc_auth_level));
> > > -+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
> > > -+ return;
> > > -+ }
> > > -+ break;
> > > -+ default:
> > > -+ break;
> > > -+ }
> > > -+
> > > - tevent_req_done(req);
> > > - }
> > > -
> > > -diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
> > > -index 41b6f0d..c04164a 100644
> > > ---- a/auth/gensec/gensec_internal.h
> > > -+++ b/auth/gensec/gensec_internal.h
> > > -@@ -40,6 +40,13 @@ struct gensec_security_ops {
> > > - NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> > > - struct tevent_context *ev,
> > > - const DATA_BLOB in, DATA_BLOB *out);
> > > -+ struct tevent_req *(*update_send)(TALLOC_CTX *mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ struct gensec_security *gensec_security,
> > > -+ const DATA_BLOB in);
> > > -+ NTSTATUS (*update_recv)(struct tevent_req *req,
> > > -+ TALLOC_CTX *out_mem_ctx,
> > > -+ DATA_BLOB *out);
> > > - NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
> > > - uint8_t *data, size_t length,
> > > - const uint8_t *whole_pdu, size_t pdu_length,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From aa559f2fc6f228fba268adafa92392dff8152747 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 5 Aug 2013 11:10:55 +0200
> > > -Subject: [PATCH 087/249] auth/gensec: use 'const char * const *' for function
> > > - parameters
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit c81b6f7448d7f945635784de645bea4f7f2e230f)
> > > ----
> > > - auth/gensec/gensec.h | 2 +-
> > > - auth/gensec/gensec_start.c | 2 +-
> > > - auth/gensec/spnego.c | 2 +-
> > > - 3 files changed, 3 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> > > -index 5d39d81..d0bc451 100644
> > > ---- a/auth/gensec/gensec.h
> > > -+++ b/auth/gensec/gensec.h
> > > -@@ -184,7 +184,7 @@ struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gense
> > > - const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> > > - struct gensec_security *gensec_security,
> > > - TALLOC_CTX *mem_ctx,
> > > -- const char **oid_strings,
> > > -+ const char * const *oid_strings,
> > > - const char *skip);
> > > - const char **gensec_security_oids(struct gensec_security *gensec_security,
> > > - TALLOC_CTX *mem_ctx,
> > > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > > -index 00e2759..2874c13 100644
> > > ---- a/auth/gensec/gensec_start.c
> > > -+++ b/auth/gensec/gensec_start.c
> > > -@@ -373,7 +373,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
> > > - _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> > > - struct gensec_security *gensec_security,
> > > - TALLOC_CTX *mem_ctx,
> > > -- const char **oid_strings,
> > > -+ const char * const *oid_strings,
> > > - const char *skip)
> > > - {
> > > - struct gensec_security_ops_wrapper *backends_out;
> > > -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
> > > -index 38a45f8..0eb6da1 100644
> > > ---- a/auth/gensec/spnego.c
> > > -+++ b/auth/gensec/spnego.c
> > > -@@ -417,7 +417,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
> > > - struct spnego_state *spnego_state,
> > > - TALLOC_CTX *out_mem_ctx,
> > > - struct tevent_context *ev,
> > > -- const char **mechType,
> > > -+ const char * const *mechType,
> > > - const DATA_BLOB unwrapped_in, DATA_BLOB *unwrapped_out)
> > > - {
> > > - int i;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a2e14962e1eeebaac2fb4539794a454b0f486869 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 5 Aug 2013 11:20:21 +0200
> > > -Subject: [PATCH 088/249] auth/gensec: treat struct gensec_security_ops as
> > > - const if possible.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 966faef9c61d2ec02d75fc3ccc82a61524fb77e4)
> > > ----
> > > - auth/gensec/gensec.h | 14 +++++-----
> > > - auth/gensec/gensec_start.c | 52 ++++++++++++++++++++------------------
> > > - auth/gensec/spnego.c | 8 +++---
> > > - source3/auth/auth_generic.c | 15 ++++++-----
> > > - source3/libads/authdata.c | 11 ++++----
> > > - source3/libsmb/auth_generic.c | 15 ++++++-----
> > > - source3/utils/ntlm_auth.c | 22 ++++++++--------
> > > - source4/ldap_server/ldap_backend.c | 4 +--
> > > - 8 files changed, 75 insertions(+), 66 deletions(-)
> > > -
> > > -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> > > -index d0bc451..ac1fadf 100644
> > > ---- a/auth/gensec/gensec.h
> > > -+++ b/auth/gensec/gensec.h
> > > -@@ -85,7 +85,7 @@ struct gensec_settings {
> > > - /* this allows callers to specify a specific set of ops that
> > > - * should be used, rather than those loaded by the plugin
> > > - * mechanism */
> > > -- struct gensec_security_ops **backends;
> > > -+ const struct gensec_security_ops * const *backends;
> > > -
> > > - /* To fill in our own name in the NTLMSSP server */
> > > - const char *server_dns_domain;
> > > -@@ -179,7 +179,7 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec
> > > - const struct gensec_security_ops *gensec_security_by_auth_type(
> > > - struct gensec_security *gensec_security,
> > > - uint32_t auth_type);
> > > --struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
> > > -+const struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
> > > - TALLOC_CTX *mem_ctx);
> > > - const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> > > - struct gensec_security *gensec_security,
> > > -@@ -243,11 +243,11 @@ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
> > > - const DATA_BLOB *in,
> > > - DATA_BLOB *out);
> > > -
> > > --struct gensec_security_ops **gensec_security_all(void);
> > > --bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security);
> > > --struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
> > > -- struct gensec_security_ops **old_gensec_list,
> > > -- struct cli_credentials *creds);
> > > -+const struct gensec_security_ops * const *gensec_security_all(void);
> > > -+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security);
> > > -+const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
> > > -+ const struct gensec_security_ops * const *old_gensec_list,
> > > -+ struct cli_credentials *creds);
> > > -
> > > - NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
> > > - const char *sasl_name);
> > > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > > -index 2874c13..3ae64d5 100644
> > > ---- a/auth/gensec/gensec_start.c
> > > -+++ b/auth/gensec/gensec_start.c
> > > -@@ -33,17 +33,17 @@
> > > - #include "lib/util/samba_modules.h"
> > > -
> > > - /* the list of currently registered GENSEC backends */
> > > --static struct gensec_security_ops **generic_security_ops;
> > > -+static const struct gensec_security_ops **generic_security_ops;
> > > - static int gensec_num_backends;
> > > -
> > > - /* Return all the registered mechs. Don't modify the return pointer,
> > > -- * but you may talloc_reference it if convient */
> > > --_PUBLIC_ struct gensec_security_ops **gensec_security_all(void)
> > > -+ * but you may talloc_referen it if convient */
> > > -+_PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void)
> > > - {
> > > - return generic_security_ops;
> > > - }
> > > -
> > > --bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
> > > -+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
> > > - {
> > > - return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
> > > - }
> > > -@@ -68,11 +68,11 @@ bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_
> > > - * more compplex.
> > > - */
> > > -
> > > --_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
> > > -- struct gensec_security_ops **old_gensec_list,
> > > -- struct cli_credentials *creds)
> > > -+_PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
> > > -+ const struct gensec_security_ops * const *old_gensec_list,
> > > -+ struct cli_credentials *creds)
> > > - {
> > > -- struct gensec_security_ops **new_gensec_list;
> > > -+ const struct gensec_security_ops **new_gensec_list;
> > > - int i, j, num_mechs_in;
> > > - enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
> > > -
> > > -@@ -84,7 +84,9 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
> > > - /* noop */
> > > - }
> > > -
> > > -- new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1);
> > > -+ new_gensec_list = talloc_array(mem_ctx,
> > > -+ const struct gensec_security_ops *,
> > > -+ num_mechs_in + 1);
> > > - if (!new_gensec_list) {
> > > - return NULL;
> > > - }
> > > -@@ -136,12 +138,12 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
> > > - return new_gensec_list;
> > > - }
> > > -
> > > --_PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
> > > -+_PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
> > > - struct gensec_security *gensec_security,
> > > - TALLOC_CTX *mem_ctx)
> > > - {
> > > - struct cli_credentials *creds = NULL;
> > > -- struct gensec_security_ops **backends = gensec_security_all();
> > > -+ const struct gensec_security_ops * const *backends = gensec_security_all();
> > > -
> > > - if (gensec_security != NULL) {
> > > - creds = gensec_get_credentials(gensec_security);
> > > -@@ -159,7 +161,7 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
> > > - uint8_t auth_type)
> > > - {
> > > - int i;
> > > -- struct gensec_security_ops **backends;
> > > -+ const struct gensec_security_ops **backends;
> > > - const struct gensec_security_ops *backend;
> > > - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > > - if (!mem_ctx) {
> > > -@@ -185,7 +187,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
> > > - const char *oid_string)
> > > - {
> > > - int i, j;
> > > -- struct gensec_security_ops **backends;
> > > -+ const struct gensec_security_ops **backends;
> > > - const struct gensec_security_ops *backend;
> > > - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > > - if (!mem_ctx) {
> > > -@@ -218,7 +220,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
> > > - const char *sasl_name)
> > > - {
> > > - int i;
> > > -- struct gensec_security_ops **backends;
> > > -+ const struct gensec_security_ops **backends;
> > > - const struct gensec_security_ops *backend;
> > > - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > > - if (!mem_ctx) {
> > > -@@ -245,7 +247,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
> > > - uint32_t auth_type)
> > > - {
> > > - int i;
> > > -- struct gensec_security_ops **backends;
> > > -+ const struct gensec_security_ops **backends;
> > > - const struct gensec_security_ops *backend;
> > > - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > > - if (!mem_ctx) {
> > > -@@ -270,7 +272,7 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s
> > > - const char *name)
> > > - {
> > > - int i;
> > > -- struct gensec_security_ops **backends;
> > > -+ const struct gensec_security_ops **backends;
> > > - const struct gensec_security_ops *backend;
> > > - TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > > - if (!mem_ctx) {
> > > -@@ -306,7 +308,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
> > > - const char **sasl_names)
> > > - {
> > > - const struct gensec_security_ops **backends_out;
> > > -- struct gensec_security_ops **backends;
> > > -+ const struct gensec_security_ops **backends;
> > > - int i, k, sasl_idx;
> > > - int num_backends_out = 0;
> > > -
> > > -@@ -377,7 +379,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> > > - const char *skip)
> > > - {
> > > - struct gensec_security_ops_wrapper *backends_out;
> > > -- struct gensec_security_ops **backends;
> > > -+ const struct gensec_security_ops **backends;
> > > - int i, j, k, oid_idx;
> > > - int num_backends_out = 0;
> > > -
> > > -@@ -451,7 +453,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
> > > - static const char **gensec_security_oids_from_ops(
> > > - struct gensec_security *gensec_security,
> > > - TALLOC_CTX *mem_ctx,
> > > -- struct gensec_security_ops **ops,
> > > -+ const struct gensec_security_ops * const *ops,
> > > - const char *skip)
> > > - {
> > > - int i;
> > > -@@ -542,8 +544,10 @@ _PUBLIC_ const char **gensec_security_oids(struct gensec_security *gensec_securi
> > > - TALLOC_CTX *mem_ctx,
> > > - const char *skip)
> > > - {
> > > -- struct gensec_security_ops **ops
> > > -- = gensec_security_mechs(gensec_security, mem_ctx);
> > > -+ const struct gensec_security_ops **ops;
> > > -+
> > > -+ ops = gensec_security_mechs(gensec_security, mem_ctx);
> > > -+
> > > - return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
> > > - }
> > > -
> > > -@@ -876,13 +880,13 @@ _PUBLIC_ NTSTATUS gensec_register(const struct gensec_security_ops *ops)
> > > -
> > > - generic_security_ops = talloc_realloc(talloc_autofree_context(),
> > > - generic_security_ops,
> > > -- struct gensec_security_ops *,
> > > -+ const struct gensec_security_ops *,
> > > - gensec_num_backends+2);
> > > - if (!generic_security_ops) {
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- generic_security_ops[gensec_num_backends] = discard_const_p(struct gensec_security_ops, ops);
> > > -+ generic_security_ops[gensec_num_backends] = ops;
> > > - gensec_num_backends++;
> > > - generic_security_ops[gensec_num_backends] = NULL;
> > > -
> > > -@@ -908,7 +912,7 @@ _PUBLIC_ const struct gensec_critical_sizes *gensec_interface_version(void)
> > > - return &critical_sizes;
> > > - }
> > > -
> > > --static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ops **gs2) {
> > > -+static int sort_gensec(const struct gensec_security_ops **gs1, const struct gensec_security_ops **gs2) {
> > > - return (*gs2)->priority - (*gs1)->priority;
> > > - }
> > > -
> > > -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
> > > -index 0eb6da1..d90a50c 100644
> > > ---- a/auth/gensec/spnego.c
> > > -+++ b/auth/gensec/spnego.c
> > > -@@ -352,9 +352,11 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
> > > - const DATA_BLOB in, DATA_BLOB *out)
> > > - {
> > > - int i,j;
> > > -- struct gensec_security_ops **all_ops
> > > -- = gensec_security_mechs(gensec_security, out_mem_ctx);
> > > -- for (i=0; all_ops[i]; i++) {
> > > -+ const struct gensec_security_ops **all_ops;
> > > -+
> > > -+ all_ops = gensec_security_mechs(gensec_security, out_mem_ctx);
> > > -+
> > > -+ for (i=0; all_ops && all_ops[i]; i++) {
> > > - bool is_spnego;
> > > - NTSTATUS nt_status;
> > > -
> > > -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> > > -index a2ba4e3..e15c87e 100644
> > > ---- a/source3/auth/auth_generic.c
> > > -+++ b/source3/auth/auth_generic.c
> > > -@@ -203,6 +203,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> > > - return nt_status;
> > > - }
> > > - } else {
> > > -+ const struct gensec_security_ops **backends = NULL;
> > > - struct gensec_settings *gensec_settings;
> > > - struct loadparm_context *lp_ctx;
> > > - size_t idx = 0;
> > > -@@ -259,24 +260,24 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- gensec_settings->backends = talloc_zero_array(gensec_settings,
> > > -- struct gensec_security_ops *, 4);
> > > -- if (gensec_settings->backends == NULL) {
> > > -+ backends = talloc_zero_array(gensec_settings,
> > > -+ const struct gensec_security_ops *, 4);
> > > -+ if (backends == NULL) {
> > > - TALLOC_FREE(tmp_ctx);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -+ gensec_settings->backends = backends;
> > > -
> > > - gensec_init();
> > > -
> > > - /* These need to be in priority order, krb5 before NTLMSSP */
> > > - #if defined(HAVE_KRB5)
> > > -- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
> > > -+ backends[idx++] = &gensec_gse_krb5_security_ops;
> > > - #endif
> > > -
> > > -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
> > > -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
> > > -
> > > -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
> > > -- GENSEC_OID_SPNEGO);
> > > -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> > > -
> > > - /*
> > > - * This is anonymous for now, because we just use it
> > > -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
> > > -index 582917d..801e551 100644
> > > ---- a/source3/libads/authdata.c
> > > -+++ b/source3/libads/authdata.c
> > > -@@ -111,7 +111,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - const char *cc = "MEMORY:kerberos_return_pac";
> > > - struct auth_session_info *session_info;
> > > - struct gensec_security *gensec_server_context;
> > > --
> > > -+ const struct gensec_security_ops **backends;
> > > - struct gensec_settings *gensec_settings;
> > > - size_t idx = 0;
> > > - struct auth4_context *auth_context;
> > > -@@ -230,16 +230,17 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
> > > - goto out;
> > > - }
> > > -
> > > -- gensec_settings->backends = talloc_zero_array(gensec_settings,
> > > -- struct gensec_security_ops *, 2);
> > > -- if (gensec_settings->backends == NULL) {
> > > -+ backends = talloc_zero_array(gensec_settings,
> > > -+ const struct gensec_security_ops *, 2);
> > > -+ if (backends == NULL) {
> > > - status = NT_STATUS_NO_MEMORY;
> > > - goto out;
> > > - }
> > > -+ gensec_settings->backends = backends;
> > > -
> > > - gensec_init();
> > > -
> > > -- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
> > > -+ backends[idx++] = &gensec_gse_krb5_security_ops;
> > > -
> > > - status = gensec_server_start(tmp_ctx, gensec_settings,
> > > - auth_context, &gensec_server_context);
> > > -diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
> > > -index ba0a0ce..e30c1b7 100644
> > > ---- a/source3/libsmb/auth_generic.c
> > > -+++ b/source3/libsmb/auth_generic.c
> > > -@@ -54,6 +54,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
> > > - NTSTATUS nt_status;
> > > - size_t idx = 0;
> > > - struct gensec_settings *gensec_settings;
> > > -+ const struct gensec_security_ops **backends = NULL;
> > > - struct loadparm_context *lp_ctx;
> > > -
> > > - ans = talloc_zero(mem_ctx, struct auth_generic_state);
> > > -@@ -76,24 +77,24 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- gensec_settings->backends = talloc_zero_array(gensec_settings,
> > > -- struct gensec_security_ops *, 4);
> > > -- if (gensec_settings->backends == NULL) {
> > > -+ backends = talloc_zero_array(gensec_settings,
> > > -+ const struct gensec_security_ops *, 4);
> > > -+ if (backends == NULL) {
> > > - TALLOC_FREE(ans);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -+ gensec_settings->backends = backends;
> > > -
> > > - gensec_init();
> > > -
> > > - /* These need to be in priority order, krb5 before NTLMSSP */
> > > - #if defined(HAVE_KRB5)
> > > -- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
> > > -+ backends[idx++] = &gensec_gse_krb5_security_ops;
> > > - #endif
> > > -
> > > -- gensec_settings->backends[idx++] = &gensec_ntlmssp3_client_ops;
> > > -+ backends[idx++] = &gensec_ntlmssp3_client_ops;
> > > -
> > > -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
> > > -- GENSEC_OID_SPNEGO);
> > > -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> > > -
> > > - nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
> > > -
> > > -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> > > -index 5fcb60e..25e717c 100644
> > > ---- a/source3/utils/ntlm_auth.c
> > > -+++ b/source3/utils/ntlm_auth.c
> > > -@@ -1035,7 +1035,7 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
> > > - NTSTATUS nt_status;
> > > -
> > > - TALLOC_CTX *tmp_ctx;
> > > --
> > > -+ const struct gensec_security_ops **backends;
> > > - struct gensec_settings *gensec_settings;
> > > - size_t idx = 0;
> > > - struct cli_credentials *server_credentials;
> > > -@@ -1079,26 +1079,26 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
> > > - gensec_settings->server_dns_name = strlower_talloc(gensec_settings,
> > > - get_mydnsfullname());
> > > -
> > > -- gensec_settings->backends = talloc_zero_array(gensec_settings,
> > > -- struct gensec_security_ops *, 4);
> > > -+ backends = talloc_zero_array(gensec_settings,
> > > -+ const struct gensec_security_ops *, 4);
> > > -
> > > -- if (gensec_settings->backends == NULL) {
> > > -+ if (backends == NULL) {
> > > - TALLOC_FREE(tmp_ctx);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > --
> > > -+ gensec_settings->backends = backends;
> > > -+
> > > - gensec_init();
> > > -
> > > - /* These need to be in priority order, krb5 before NTLMSSP */
> > > - #if defined(HAVE_KRB5)
> > > -- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
> > > -+ backends[idx++] = &gensec_gse_krb5_security_ops;
> > > - #endif
> > > --
> > > -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
> > > -
> > > -- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
> > > -- GENSEC_OID_SPNEGO);
> > > --
> > > -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
> > > -+
> > > -+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> > > -+
> > > - /*
> > > - * This is anonymous for now, because we just use it
> > > - * to set the kerberos state at the moment
> > > -diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
> > > -index f0da82c..3432594 100644
> > > ---- a/source4/ldap_server/ldap_backend.c
> > > -+++ b/source4/ldap_server/ldap_backend.c
> > > -@@ -192,8 +192,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
> > > -
> > > - if (conn->server_credentials) {
> > > - char **sasl_mechs = NULL;
> > > -- struct gensec_security_ops **backends = gensec_security_all();
> > > -- struct gensec_security_ops **ops
> > > -+ const struct gensec_security_ops * const *backends = gensec_security_all();
> > > -+ const struct gensec_security_ops **ops
> > > - = gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
> > > - unsigned int i, j = 0;
> > > - for (i = 0; ops && ops[i]; i++) {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 6a58d4f4cb60bf25c1493ef0aedd5978abc06969 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 5 Aug 2013 10:43:38 +0200
> > > -Subject: [PATCH 089/249] libcli/auth: avoid possible mem leak in
> > > - read_negTokenInit()
> > > -
> > > -Also add error checks.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit f1e60142e12deb560e3c62441fd9ff2acd086b60)
> > > ----
> > > - libcli/auth/spnego_parse.c | 19 +++++++++++++++----
> > > - 1 file changed, 15 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
> > > -index 3bf7aea..2c73613 100644
> > > ---- a/libcli/auth/spnego_parse.c
> > > -+++ b/libcli/auth/spnego_parse.c
> > > -@@ -46,13 +46,24 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
> > > - asn1_start_tag(asn1, ASN1_CONTEXT(0));
> > > - asn1_start_tag(asn1, ASN1_SEQUENCE(0));
> > > -
> > > -- token->mechTypes = talloc(NULL, const char *);
> > > -+ token->mechTypes = talloc(mem_ctx, const char *);
> > > -+ if (token->mechTypes == NULL) {
> > > -+ asn1->has_error = true;
> > > -+ return false;
> > > -+ }
> > > - for (i = 0; !asn1->has_error &&
> > > - 0 < asn1_tag_remaining(asn1); i++) {
> > > - char *oid;
> > > -- token->mechTypes = talloc_realloc(NULL,
> > > -- token->mechTypes,
> > > -- const char *, i+2);
> > > -+ const char **p;
> > > -+ p = talloc_realloc(mem_ctx,
> > > -+ token->mechTypes,
> > > -+ const char *, i+2);
> > > -+ if (p == NULL) {
> > > -+ TALLOC_FREE(token->mechTypes);
> > > -+ asn1->has_error = true;
> > > -+ return false;
> > > -+ }
> > > -+ token->mechTypes = p;
> > > - asn1_read_OID(asn1, token->mechTypes, &oid);
> > > - token->mechTypes[i] = oid;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 8835471a993521e49aa48ef55f324874e1933108 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 5 Aug 2013 10:46:47 +0200
> > > -Subject: [PATCH 090/249] libcli/auth: add more const to
> > > - spnego_negTokenInit->mechTypes
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -
> > > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > > -Autobuild-Date(master): Sat Aug 10 11:11:54 CEST 2013 on sn-devel-104
> > > -(cherry picked from commit 9177a0d1c1c92c45ef92fbda55fc6dd8aeb76b6c)
> > > ----
> > > - libcli/auth/spnego.h | 2 +-
> > > - libcli/auth/spnego_parse.c | 27 ++++++++++++++++-----------
> > > - libcli/auth/spnego_proto.h | 2 +-
> > > - source3/utils/ntlm_auth.c | 2 +-
> > > - 4 files changed, 19 insertions(+), 14 deletions(-)
> > > -
> > > -diff --git a/libcli/auth/spnego.h b/libcli/auth/spnego.h
> > > -index 9a93f2e..539b903 100644
> > > ---- a/libcli/auth/spnego.h
> > > -+++ b/libcli/auth/spnego.h
> > > -@@ -49,7 +49,7 @@ enum spnego_negResult {
> > > - };
> > > -
> > > - struct spnego_negTokenInit {
> > > -- const char **mechTypes;
> > > -+ const char * const *mechTypes;
> > > - DATA_BLOB reqFlags;
> > > - uint8_t reqFlagsPadding;
> > > - DATA_BLOB mechToken;
> > > -diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
> > > -index 2c73613..b1ca07d 100644
> > > ---- a/libcli/auth/spnego_parse.c
> > > -+++ b/libcli/auth/spnego_parse.c
> > > -@@ -42,12 +42,14 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
> > > -
> > > - switch (context) {
> > > - /* Read mechTypes */
> > > -- case ASN1_CONTEXT(0):
> > > -+ case ASN1_CONTEXT(0): {
> > > -+ const char **mechTypes;
> > > -+
> > > - asn1_start_tag(asn1, ASN1_CONTEXT(0));
> > > - asn1_start_tag(asn1, ASN1_SEQUENCE(0));
> > > -
> > > -- token->mechTypes = talloc(mem_ctx, const char *);
> > > -- if (token->mechTypes == NULL) {
> > > -+ mechTypes = talloc(mem_ctx, const char *);
> > > -+ if (mechTypes == NULL) {
> > > - asn1->has_error = true;
> > > - return false;
> > > - }
> > > -@@ -56,22 +58,25 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
> > > - char *oid;
> > > - const char **p;
> > > - p = talloc_realloc(mem_ctx,
> > > -- token->mechTypes,
> > > -+ mechTypes,
> > > - const char *, i+2);
> > > - if (p == NULL) {
> > > -- TALLOC_FREE(token->mechTypes);
> > > -+ talloc_free(mechTypes);
> > > - asn1->has_error = true;
> > > - return false;
> > > - }
> > > -- token->mechTypes = p;
> > > -- asn1_read_OID(asn1, token->mechTypes, &oid);
> > > -- token->mechTypes[i] = oid;
> > > -+ mechTypes = p;
> > > -+
> > > -+ asn1_read_OID(asn1, mechTypes, &oid);
> > > -+ mechTypes[i] = oid;
> > > - }
> > > -- token->mechTypes[i] = NULL;
> > > -+ mechTypes[i] = NULL;
> > > -+ token->mechTypes = mechTypes;
> > > -
> > > - asn1_end_tag(asn1);
> > > - asn1_end_tag(asn1);
> > > - break;
> > > -+ }
> > > - /* Read reqFlags */
> > > - case ASN1_CONTEXT(1):
> > > - asn1_start_tag(asn1, ASN1_CONTEXT(1));
> > > -@@ -366,7 +371,7 @@ bool spnego_free_data(struct spnego_data *spnego)
> > > - switch(spnego->type) {
> > > - case SPNEGO_NEG_TOKEN_INIT:
> > > - if (spnego->negTokenInit.mechTypes) {
> > > -- talloc_free(spnego->negTokenInit.mechTypes);
> > > -+ talloc_free(discard_const(spnego->negTokenInit.mechTypes));
> > > - }
> > > - data_blob_free(&spnego->negTokenInit.reqFlags);
> > > - data_blob_free(&spnego->negTokenInit.mechToken);
> > > -@@ -390,7 +395,7 @@ out:
> > > - }
> > > -
> > > - bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
> > > -- const char **mech_types,
> > > -+ const char * const *mech_types,
> > > - DATA_BLOB *blob)
> > > - {
> > > - struct asn1_data *asn1 = asn1_init(mem_ctx);
> > > -diff --git a/libcli/auth/spnego_proto.h b/libcli/auth/spnego_proto.h
> > > -index 5fd5e59..c0fa934 100644
> > > ---- a/libcli/auth/spnego_proto.h
> > > -+++ b/libcli/auth/spnego_proto.h
> > > -@@ -24,5 +24,5 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
> > > - ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_data *spnego);
> > > - bool spnego_free_data(struct spnego_data *spnego);
> > > - bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
> > > -- const char **mech_types,
> > > -+ const char * const *mech_types,
> > > - DATA_BLOB *blob);
> > > -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
> > > -index 25e717c..1df615c 100644
> > > ---- a/source3/utils/ntlm_auth.c
> > > -+++ b/source3/utils/ntlm_auth.c
> > > -@@ -2058,7 +2058,7 @@ static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper
> > > -
> > > - /* The server offers a list of mechanisms */
> > > -
> > > -- const char **mechType = (const char **)spnego.negTokenInit.mechTypes;
> > > -+ const char *const *mechType = spnego.negTokenInit.mechTypes;
> > > -
> > > - while (*mechType != NULL) {
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From c06bb0c3d2c032f8b4848c75baa1fd900650866a Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 9 Aug 2013 10:15:05 +0200
> > > -Subject: [PATCH 091/249] auth/credentials: make sure
> > > - cli_credentials_get_nt_hash() always returns a talloc object
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - auth/credentials/credentials.c | 19 ++++++++++++++-----
> > > - auth/credentials/credentials.h | 4 ++--
> > > - 2 files changed, 16 insertions(+), 7 deletions(-)
> > > -
> > > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > > -index be497bc..57a7c0b 100644
> > > ---- a/auth/credentials/credentials.c
> > > -+++ b/auth/credentials/credentials.c
> > > -@@ -471,8 +471,8 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
> > > - * @param cred credentials context
> > > - * @retval If set, the cleartext password, otherwise NULL
> > > - */
> > > --_PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
> > > -- TALLOC_CTX *mem_ctx)
> > > -+_PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
> > > -+ TALLOC_CTX *mem_ctx)
> > > - {
> > > - const char *password = cli_credentials_get_password(cred);
> > > -
> > > -@@ -481,13 +481,22 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred
> > > - if (!nt_hash) {
> > > - return NULL;
> > > - }
> > > --
> > > -+
> > > - E_md4hash(password, nt_hash->hash);
> > > -
> > > - return nt_hash;
> > > -- } else {
> > > -- return cred->nt_hash;
> > > -+ } else if (cred->nt_hash != NULL) {
> > > -+ struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
> > > -+ if (!nt_hash) {
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ *nt_hash = *cred->nt_hash;
> > > -+
> > > -+ return nt_hash;
> > > - }
> > > -+
> > > -+ return NULL;
> > > - }
> > > -
> > > - /**
> > > -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
> > > -index cb09dc3..766a513 100644
> > > ---- a/auth/credentials/credentials.h
> > > -+++ b/auth/credentials/credentials.h
> > > -@@ -141,8 +141,8 @@ bool cli_credentials_set_password(struct cli_credentials *cred,
> > > - enum credentials_obtained obtained);
> > > - struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
> > > - void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
> > > --const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
> > > -- TALLOC_CTX *mem_ctx);
> > > -+struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
> > > -+ TALLOC_CTX *mem_ctx);
> > > - bool cli_credentials_set_realm(struct cli_credentials *cred,
> > > - const char *val,
> > > - enum credentials_obtained obtained);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 8a3ed9f72ef9f9de32da4d454b866d64eb24ee17 Mon Sep 17 00:00:00 2001
> > > -From: Howard Chu <hyc@symas.com>
> > > -Date: Tue, 17 Sep 2013 13:09:50 -0700
> > > -Subject: [PATCH 092/249] Add SASL/EXTERNAL gensec module
> > > -
> > > -Signed-off-by: Howard Chu <hyc@symas.com>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
> > > -(cherry picked from commit 6bf59b03d72b94b71e53fc2404c11e0d237e41b2)
> > > ----
> > > - auth/gensec/external.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++
> > > - auth/gensec/gensec.h | 3 +-
> > > - auth/gensec/wscript_build | 7 ++++
> > > - 3 files changed, 91 insertions(+), 1 deletion(-)
> > > - create mode 100644 auth/gensec/external.c
> > > -
> > > -diff --git a/auth/gensec/external.c b/auth/gensec/external.c
> > > -new file mode 100644
> > > -index 0000000..a26e435
> > > ---- /dev/null
> > > -+++ b/auth/gensec/external.c
> > > -@@ -0,0 +1,82 @@
> > > -+/*
> > > -+ Unix SMB/CIFS implementation.
> > > -+
> > > -+ SASL/EXTERNAL authentication.
> > > -+
> > > -+ Copyright (C) Howard Chu <hyc@symas.com> 2013
> > > -+
> > > -+ This program is free software; you can redistribute it and/or modify
> > > -+ it under the terms of the GNU General Public License as published by
> > > -+ the Free Software Foundation; either version 3 of the License, or
> > > -+ (at your option) any later version.
> > > -+
> > > -+ This program is distributed in the hope that it will be useful,
> > > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > > -+ GNU General Public License for more details.
> > > -+
> > > -+ You should have received a copy of the GNU General Public License
> > > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > > -+*/
> > > -+
> > > -+#include "includes.h"
> > > -+#include "auth/credentials/credentials.h"
> > > -+#include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > -+#include "auth/gensec/gensec_proto.h"
> > > -+#include "auth/gensec/gensec_toplevel_proto.h"
> > > -+
> > > -+/* SASL/EXTERNAL is essentially a no-op; it is only usable when the transport
> > > -+ * layer is already mutually authenticated.
> > > -+ */
> > > -+
> > > -+NTSTATUS gensec_external_init(void);
> > > -+
> > > -+static NTSTATUS gensec_external_start(struct gensec_security *gensec_security)
> > > -+{
> > > -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN)
> > > -+ return NT_STATUS_INVALID_PARAMETER;
> > > -+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL)
> > > -+ return NT_STATUS_INVALID_PARAMETER;
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+static NTSTATUS gensec_external_update(struct gensec_security *gensec_security,
> > > -+ TALLOC_CTX *out_mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ const DATA_BLOB in, DATA_BLOB *out)
> > > -+{
> > > -+ *out = data_blob_talloc(out_mem_ctx, "", 0);
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+/* We have no features */
> > > -+static bool gensec_external_have_feature(struct gensec_security *gensec_security,
> > > -+ uint32_t feature)
> > > -+{
> > > -+ return false;
> > > -+}
> > > -+
> > > -+static const struct gensec_security_ops gensec_external_ops = {
> > > -+ .name = "sasl-EXTERNAL",
> > > -+ .sasl_name = "EXTERNAL",
> > > -+ .client_start = gensec_external_start,
> > > -+ .update = gensec_external_update,
> > > -+ .have_feature = gensec_external_have_feature,
> > > -+ .enabled = true,
> > > -+ .priority = GENSEC_EXTERNAL
> > > -+};
> > > -+
> > > -+
> > > -+NTSTATUS gensec_external_init(void)
> > > -+{
> > > -+ NTSTATUS ret;
> > > -+
> > > -+ ret = gensec_register(&gensec_external_ops);
> > > -+ if (!NT_STATUS_IS_OK(ret)) {
> > > -+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
> > > -+ gensec_external_ops.name));
> > > -+ }
> > > -+ return ret;
> > > -+}
> > > -diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
> > > -index ac1fadf..6974f87 100644
> > > ---- a/auth/gensec/gensec.h
> > > -+++ b/auth/gensec/gensec.h
> > > -@@ -41,7 +41,8 @@ enum gensec_priority {
> > > - GENSEC_SCHANNEL = 60,
> > > - GENSEC_NTLMSSP = 50,
> > > - GENSEC_SASL = 20,
> > > -- GENSEC_OTHER = 0
> > > -+ GENSEC_OTHER = 10,
> > > -+ GENSEC_EXTERNAL = 0
> > > - };
> > > -
> > > - struct gensec_security;
> > > -diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
> > > -index fcd74a3..71222f7 100755
> > > ---- a/auth/gensec/wscript_build
> > > -+++ b/auth/gensec/wscript_build
> > > -@@ -16,3 +16,10 @@ bld.SAMBA_MODULE('gensec_spnego',
> > > - init_function='gensec_spnego_init',
> > > - deps='asn1util samba-credentials SPNEGO_PARSE'
> > > - )
> > > -+
> > > -+bld.SAMBA_MODULE('gensec_external',
> > > -+ source='external.c',
> > > -+ autoproto='external_proto.h',
> > > -+ subsystem='gensec',
> > > -+ init_function='gensec_external_init'
> > > -+ )
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 75d9566940069ebeb367191ec6a6641bf7d45a83 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 18 Sep 2013 17:24:10 +0200
> > > -Subject: [PATCH 093/249] gensec: move schannel module to toplevel.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 4d2ec9e37ee9dcf7b521806a1c0aabdffe524d47)
> > > ----
> > > - auth/gensec/schannel.c | 330 ++++++++++++++++++++++++++++++++++++++
> > > - auth/gensec/wscript_build | 8 +
> > > - source4/auth/gensec/schannel.c | 330 --------------------------------------
> > > - source4/auth/gensec/wscript_build | 10 --
> > > - 4 files changed, 338 insertions(+), 340 deletions(-)
> > > - create mode 100644 auth/gensec/schannel.c
> > > - delete mode 100644 source4/auth/gensec/schannel.c
> > > -
> > > -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
> > > -new file mode 100644
> > > -index 0000000..eb2e100
> > > ---- /dev/null
> > > -+++ b/auth/gensec/schannel.c
> > > -@@ -0,0 +1,330 @@
> > > -+/*
> > > -+ Unix SMB/CIFS implementation.
> > > -+
> > > -+ dcerpc schannel operations
> > > -+
> > > -+ Copyright (C) Andrew Tridgell 2004
> > > -+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
> > > -+
> > > -+ This program is free software; you can redistribute it and/or modify
> > > -+ it under the terms of the GNU General Public License as published by
> > > -+ the Free Software Foundation; either version 3 of the License, or
> > > -+ (at your option) any later version.
> > > -+
> > > -+ This program is distributed in the hope that it will be useful,
> > > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > > -+ GNU General Public License for more details.
> > > -+
> > > -+ You should have received a copy of the GNU General Public License
> > > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > > -+*/
> > > -+
> > > -+#include "includes.h"
> > > -+#include "librpc/gen_ndr/ndr_schannel.h"
> > > -+#include "auth/auth.h"
> > > -+#include "auth/credentials/credentials.h"
> > > -+#include "auth/gensec/gensec.h"
> > > -+#include "auth/gensec/gensec_internal.h"
> > > -+#include "auth/gensec/gensec_proto.h"
> > > -+#include "../libcli/auth/schannel.h"
> > > -+#include "librpc/gen_ndr/dcerpc.h"
> > > -+#include "param/param.h"
> > > -+#include "auth/gensec/gensec_toplevel_proto.h"
> > > -+
> > > -+_PUBLIC_ NTSTATUS gensec_schannel_init(void);
> > > -+
> > > -+static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
> > > -+{
> > > -+ struct schannel_state *state =
> > > -+ talloc_get_type_abort(gensec_security->private_data,
> > > -+ struct schannel_state);
> > > -+
> > > -+ return netsec_outgoing_sig_size(state);
> > > -+}
> > > -+
> > > -+static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ const DATA_BLOB in, DATA_BLOB *out)
> > > -+{
> > > -+ struct schannel_state *state =
> > > -+ talloc_get_type(gensec_security->private_data,
> > > -+ struct schannel_state);
> > > -+ NTSTATUS status;
> > > -+ enum ndr_err_code ndr_err;
> > > -+ struct NL_AUTH_MESSAGE bind_schannel;
> > > -+ struct NL_AUTH_MESSAGE bind_schannel_ack;
> > > -+ struct netlogon_creds_CredentialState *creds;
> > > -+ const char *workstation;
> > > -+ const char *domain;
> > > -+
> > > -+ *out = data_blob(NULL, 0);
> > > -+
> > > -+ switch (gensec_security->gensec_role) {
> > > -+ case GENSEC_CLIENT:
> > > -+ if (state != NULL) {
> > > -+ /* we could parse the bind ack, but we don't know what it is yet */
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+
> > > -+ creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
> > > -+ if (creds == NULL) {
> > > -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> > > -+ }
> > > -+
> > > -+ state = netsec_create_state(gensec_security,
> > > -+ creds, true /* initiator */);
> > > -+ if (state == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ gensec_security->private_data = state;
> > > -+
> > > -+ bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
> > > -+#if 0
> > > -+ /* to support this we'd need to have access to the full domain name */
> > > -+ /* 0x17, 23 */
> > > -+ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > > -+ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
> > > -+ NL_FLAG_UTF8_DNS_DOMAIN_NAME |
> > > -+ NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
> > > -+ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> > > -+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
> > > -+ bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
> > > -+ /* w2k3 refuses us if we use the full DNS workstation?
> > > -+ why? perhaps because we don't fill in the dNSHostName
> > > -+ attribute in the machine account? */
> > > -+ bind_schannel.utf8_netbios_computer = creds->computer_name;
> > > -+#else
> > > -+ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > > -+ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> > > -+ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> > > -+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
> > > -+#endif
> > > -+
> > > -+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
> > > -+ (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> > > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -+ status = ndr_map_error2ntstatus(ndr_err);
> > > -+ DEBUG(3, ("Could not create schannel bind: %s\n",
> > > -+ nt_errstr(status)));
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
> > > -+ case GENSEC_SERVER:
> > > -+
> > > -+ if (state != NULL) {
> > > -+ /* no third leg on this protocol */
> > > -+ return NT_STATUS_INVALID_PARAMETER;
> > > -+ }
> > > -+
> > > -+ /* parse the schannel startup blob */
> > > -+ ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
> > > -+ (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
> > > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -+ status = ndr_map_error2ntstatus(ndr_err);
> > > -+ DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
> > > -+ nt_errstr(status)));
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
> > > -+ domain = bind_schannel.oem_netbios_domain.a;
> > > -+ if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
> > > -+ DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
> > > -+ domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
> > > -+ return NT_STATUS_LOGON_FAILURE;
> > > -+ }
> > > -+ } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
> > > -+ domain = bind_schannel.utf8_dns_domain.u;
> > > -+ if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
> > > -+ DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
> > > -+ domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
> > > -+ return NT_STATUS_LOGON_FAILURE;
> > > -+ }
> > > -+ } else {
> > > -+ DEBUG(3, ("Request for schannel to without domain\n"));
> > > -+ return NT_STATUS_LOGON_FAILURE;
> > > -+ }
> > > -+
> > > -+ if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
> > > -+ workstation = bind_schannel.oem_netbios_computer.a;
> > > -+ } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
> > > -+ workstation = bind_schannel.utf8_netbios_computer.u;
> > > -+ } else {
> > > -+ DEBUG(3, ("Request for schannel to without netbios workstation\n"));
> > > -+ return NT_STATUS_LOGON_FAILURE;
> > > -+ }
> > > -+
> > > -+ status = schannel_get_creds_state(out_mem_ctx,
> > > -+ gensec_security->settings->lp_ctx,
> > > -+ workstation, &creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
> > > -+ workstation, nt_errstr(status)));
> > > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
> > > -+ return NT_STATUS_LOGON_FAILURE;
> > > -+ }
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ state = netsec_create_state(gensec_security,
> > > -+ creds, false /* not initiator */);
> > > -+ if (state == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ gensec_security->private_data = state;
> > > -+
> > > -+ bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
> > > -+ bind_schannel_ack.Flags = 0;
> > > -+ bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
> > > -+ * this does not have
> > > -+ * any meaning here
> > > -+ * - gd */
> > > -+
> > > -+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
> > > -+ (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> > > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -+ status = ndr_map_error2ntstatus(ndr_err);
> > > -+ DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
> > > -+ workstation, nt_errstr(status)));
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+ return NT_STATUS_INVALID_PARAMETER;
> > > -+}
> > > -+
> > > -+/**
> > > -+ * Returns anonymous credentials for schannel, matching Win2k3.
> > > -+ *
> > > -+ */
> > > -+
> > > -+static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct auth_session_info **_session_info)
> > > -+{
> > > -+ return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
> > > -+}
> > > -+
> > > -+static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
> > > -+{
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
> > > -+{
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+static bool schannel_have_feature(struct gensec_security *gensec_security,
> > > -+ uint32_t feature)
> > > -+{
> > > -+ if (feature & (GENSEC_FEATURE_SIGN |
> > > -+ GENSEC_FEATURE_SEAL)) {
> > > -+ return true;
> > > -+ }
> > > -+ if (feature & GENSEC_FEATURE_DCE_STYLE) {
> > > -+ return true;
> > > -+ }
> > > -+ return false;
> > > -+}
> > > -+
> > > -+/*
> > > -+ unseal a packet
> > > -+*/
> > > -+static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
> > > -+ uint8_t *data, size_t length,
> > > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > > -+ const DATA_BLOB *sig)
> > > -+{
> > > -+ struct schannel_state *state =
> > > -+ talloc_get_type_abort(gensec_security->private_data,
> > > -+ struct schannel_state);
> > > -+
> > > -+ return netsec_incoming_packet(state, true,
> > > -+ discard_const_p(uint8_t, data),
> > > -+ length, sig);
> > > -+}
> > > -+
> > > -+/*
> > > -+ check the signature on a packet
> > > -+*/
> > > -+static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
> > > -+ const uint8_t *data, size_t length,
> > > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > > -+ const DATA_BLOB *sig)
> > > -+{
> > > -+ struct schannel_state *state =
> > > -+ talloc_get_type_abort(gensec_security->private_data,
> > > -+ struct schannel_state);
> > > -+
> > > -+ return netsec_incoming_packet(state, false,
> > > -+ discard_const_p(uint8_t, data),
> > > -+ length, sig);
> > > -+}
> > > -+/*
> > > -+ seal a packet
> > > -+*/
> > > -+static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ uint8_t *data, size_t length,
> > > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > > -+ DATA_BLOB *sig)
> > > -+{
> > > -+ struct schannel_state *state =
> > > -+ talloc_get_type_abort(gensec_security->private_data,
> > > -+ struct schannel_state);
> > > -+
> > > -+ return netsec_outgoing_packet(state, mem_ctx, true,
> > > -+ data, length, sig);
> > > -+}
> > > -+
> > > -+/*
> > > -+ sign a packet
> > > -+*/
> > > -+static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ const uint8_t *data, size_t length,
> > > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > > -+ DATA_BLOB *sig)
> > > -+{
> > > -+ struct schannel_state *state =
> > > -+ talloc_get_type_abort(gensec_security->private_data,
> > > -+ struct schannel_state);
> > > -+
> > > -+ return netsec_outgoing_packet(state, mem_ctx, false,
> > > -+ discard_const_p(uint8_t, data),
> > > -+ length, sig);
> > > -+}
> > > -+
> > > -+static const struct gensec_security_ops gensec_schannel_security_ops = {
> > > -+ .name = "schannel",
> > > -+ .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
> > > -+ .client_start = schannel_client_start,
> > > -+ .server_start = schannel_server_start,
> > > -+ .update = schannel_update,
> > > -+ .seal_packet = schannel_seal_packet,
> > > -+ .sign_packet = schannel_sign_packet,
> > > -+ .check_packet = schannel_check_packet,
> > > -+ .unseal_packet = schannel_unseal_packet,
> > > -+ .session_info = schannel_session_info,
> > > -+ .sig_size = schannel_sig_size,
> > > -+ .have_feature = schannel_have_feature,
> > > -+ .enabled = true,
> > > -+ .priority = GENSEC_SCHANNEL
> > > -+};
> > > -+
> > > -+_PUBLIC_ NTSTATUS gensec_schannel_init(void)
> > > -+{
> > > -+ NTSTATUS ret;
> > > -+ ret = gensec_register(&gensec_schannel_security_ops);
> > > -+ if (!NT_STATUS_IS_OK(ret)) {
> > > -+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
> > > -+ gensec_schannel_security_ops.name));
> > > -+ return ret;
> > > -+ }
> > > -+
> > > -+ return ret;
> > > -+}
> > > -diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
> > > -index 71222f7..7329eec 100755
> > > ---- a/auth/gensec/wscript_build
> > > -+++ b/auth/gensec/wscript_build
> > > -@@ -17,6 +17,14 @@ bld.SAMBA_MODULE('gensec_spnego',
> > > - deps='asn1util samba-credentials SPNEGO_PARSE'
> > > - )
> > > -
> > > -+bld.SAMBA_MODULE('gensec_schannel',
> > > -+ source='schannel.c',
> > > -+ autoproto='schannel_proto.h',
> > > -+ subsystem='gensec',
> > > -+ init_function='gensec_schannel_init',
> > > -+ deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials auth_session'
> > > -+ )
> > > -+
> > > - bld.SAMBA_MODULE('gensec_external',
> > > - source='external.c',
> > > - autoproto='external_proto.h',
> > > -diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
> > > -deleted file mode 100644
> > > -index eb2e100..0000000
> > > ---- a/source4/auth/gensec/schannel.c
> > > -+++ /dev/null
> > > -@@ -1,330 +0,0 @@
> > > --/*
> > > -- Unix SMB/CIFS implementation.
> > > --
> > > -- dcerpc schannel operations
> > > --
> > > -- Copyright (C) Andrew Tridgell 2004
> > > -- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
> > > --
> > > -- This program is free software; you can redistribute it and/or modify
> > > -- it under the terms of the GNU General Public License as published by
> > > -- the Free Software Foundation; either version 3 of the License, or
> > > -- (at your option) any later version.
> > > --
> > > -- This program is distributed in the hope that it will be useful,
> > > -- but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > > -- GNU General Public License for more details.
> > > --
> > > -- You should have received a copy of the GNU General Public License
> > > -- along with this program. If not, see <http://www.gnu.org/licenses/>.
> > > --*/
> > > --
> > > --#include "includes.h"
> > > --#include "librpc/gen_ndr/ndr_schannel.h"
> > > --#include "auth/auth.h"
> > > --#include "auth/credentials/credentials.h"
> > > --#include "auth/gensec/gensec.h"
> > > --#include "auth/gensec/gensec_internal.h"
> > > --#include "auth/gensec/gensec_proto.h"
> > > --#include "../libcli/auth/schannel.h"
> > > --#include "librpc/gen_ndr/dcerpc.h"
> > > --#include "param/param.h"
> > > --#include "auth/gensec/gensec_toplevel_proto.h"
> > > --
> > > --_PUBLIC_ NTSTATUS gensec_schannel_init(void);
> > > --
> > > --static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
> > > --{
> > > -- struct schannel_state *state =
> > > -- talloc_get_type_abort(gensec_security->private_data,
> > > -- struct schannel_state);
> > > --
> > > -- return netsec_outgoing_sig_size(state);
> > > --}
> > > --
> > > --static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
> > > -- struct tevent_context *ev,
> > > -- const DATA_BLOB in, DATA_BLOB *out)
> > > --{
> > > -- struct schannel_state *state =
> > > -- talloc_get_type(gensec_security->private_data,
> > > -- struct schannel_state);
> > > -- NTSTATUS status;
> > > -- enum ndr_err_code ndr_err;
> > > -- struct NL_AUTH_MESSAGE bind_schannel;
> > > -- struct NL_AUTH_MESSAGE bind_schannel_ack;
> > > -- struct netlogon_creds_CredentialState *creds;
> > > -- const char *workstation;
> > > -- const char *domain;
> > > --
> > > -- *out = data_blob(NULL, 0);
> > > --
> > > -- switch (gensec_security->gensec_role) {
> > > -- case GENSEC_CLIENT:
> > > -- if (state != NULL) {
> > > -- /* we could parse the bind ack, but we don't know what it is yet */
> > > -- return NT_STATUS_OK;
> > > -- }
> > > --
> > > -- creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
> > > -- if (creds == NULL) {
> > > -- return NT_STATUS_INVALID_PARAMETER_MIX;
> > > -- }
> > > --
> > > -- state = netsec_create_state(gensec_security,
> > > -- creds, true /* initiator */);
> > > -- if (state == NULL) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > -- gensec_security->private_data = state;
> > > --
> > > -- bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
> > > --#if 0
> > > -- /* to support this we'd need to have access to the full domain name */
> > > -- /* 0x17, 23 */
> > > -- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > > -- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
> > > -- NL_FLAG_UTF8_DNS_DOMAIN_NAME |
> > > -- NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
> > > -- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> > > -- bind_schannel.oem_netbios_computer.a = creds->computer_name;
> > > -- bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
> > > -- /* w2k3 refuses us if we use the full DNS workstation?
> > > -- why? perhaps because we don't fill in the dNSHostName
> > > -- attribute in the machine account? */
> > > -- bind_schannel.utf8_netbios_computer = creds->computer_name;
> > > --#else
> > > -- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > > -- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> > > -- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
> > > -- bind_schannel.oem_netbios_computer.a = creds->computer_name;
> > > --#endif
> > > --
> > > -- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
> > > -- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> > > -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -- status = ndr_map_error2ntstatus(ndr_err);
> > > -- DEBUG(3, ("Could not create schannel bind: %s\n",
> > > -- nt_errstr(status)));
> > > -- return status;
> > > -- }
> > > --
> > > -- return NT_STATUS_MORE_PROCESSING_REQUIRED;
> > > -- case GENSEC_SERVER:
> > > --
> > > -- if (state != NULL) {
> > > -- /* no third leg on this protocol */
> > > -- return NT_STATUS_INVALID_PARAMETER;
> > > -- }
> > > --
> > > -- /* parse the schannel startup blob */
> > > -- ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
> > > -- (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
> > > -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -- status = ndr_map_error2ntstatus(ndr_err);
> > > -- DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
> > > -- nt_errstr(status)));
> > > -- return status;
> > > -- }
> > > --
> > > -- if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
> > > -- domain = bind_schannel.oem_netbios_domain.a;
> > > -- if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
> > > -- DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
> > > -- domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
> > > -- return NT_STATUS_LOGON_FAILURE;
> > > -- }
> > > -- } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
> > > -- domain = bind_schannel.utf8_dns_domain.u;
> > > -- if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
> > > -- DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
> > > -- domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
> > > -- return NT_STATUS_LOGON_FAILURE;
> > > -- }
> > > -- } else {
> > > -- DEBUG(3, ("Request for schannel to without domain\n"));
> > > -- return NT_STATUS_LOGON_FAILURE;
> > > -- }
> > > --
> > > -- if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
> > > -- workstation = bind_schannel.oem_netbios_computer.a;
> > > -- } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
> > > -- workstation = bind_schannel.utf8_netbios_computer.u;
> > > -- } else {
> > > -- DEBUG(3, ("Request for schannel to without netbios workstation\n"));
> > > -- return NT_STATUS_LOGON_FAILURE;
> > > -- }
> > > --
> > > -- status = schannel_get_creds_state(out_mem_ctx,
> > > -- gensec_security->settings->lp_ctx,
> > > -- workstation, &creds);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
> > > -- workstation, nt_errstr(status)));
> > > -- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
> > > -- return NT_STATUS_LOGON_FAILURE;
> > > -- }
> > > -- return status;
> > > -- }
> > > --
> > > -- state = netsec_create_state(gensec_security,
> > > -- creds, false /* not initiator */);
> > > -- if (state == NULL) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > -- gensec_security->private_data = state;
> > > --
> > > -- bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
> > > -- bind_schannel_ack.Flags = 0;
> > > -- bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
> > > -- * this does not have
> > > -- * any meaning here
> > > -- * - gd */
> > > --
> > > -- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
> > > -- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> > > -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -- status = ndr_map_error2ntstatus(ndr_err);
> > > -- DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
> > > -- workstation, nt_errstr(status)));
> > > -- return status;
> > > -- }
> > > --
> > > -- return NT_STATUS_OK;
> > > -- }
> > > -- return NT_STATUS_INVALID_PARAMETER;
> > > --}
> > > --
> > > --/**
> > > -- * Returns anonymous credentials for schannel, matching Win2k3.
> > > -- *
> > > -- */
> > > --
> > > --static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- struct auth_session_info **_session_info)
> > > --{
> > > -- return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
> > > --}
> > > --
> > > --static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
> > > --{
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > --static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
> > > --{
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > --static bool schannel_have_feature(struct gensec_security *gensec_security,
> > > -- uint32_t feature)
> > > --{
> > > -- if (feature & (GENSEC_FEATURE_SIGN |
> > > -- GENSEC_FEATURE_SEAL)) {
> > > -- return true;
> > > -- }
> > > -- if (feature & GENSEC_FEATURE_DCE_STYLE) {
> > > -- return true;
> > > -- }
> > > -- return false;
> > > --}
> > > --
> > > --/*
> > > -- unseal a packet
> > > --*/
> > > --static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
> > > -- uint8_t *data, size_t length,
> > > -- const uint8_t *whole_pdu, size_t pdu_length,
> > > -- const DATA_BLOB *sig)
> > > --{
> > > -- struct schannel_state *state =
> > > -- talloc_get_type_abort(gensec_security->private_data,
> > > -- struct schannel_state);
> > > --
> > > -- return netsec_incoming_packet(state, true,
> > > -- discard_const_p(uint8_t, data),
> > > -- length, sig);
> > > --}
> > > --
> > > --/*
> > > -- check the signature on a packet
> > > --*/
> > > --static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
> > > -- const uint8_t *data, size_t length,
> > > -- const uint8_t *whole_pdu, size_t pdu_length,
> > > -- const DATA_BLOB *sig)
> > > --{
> > > -- struct schannel_state *state =
> > > -- talloc_get_type_abort(gensec_security->private_data,
> > > -- struct schannel_state);
> > > --
> > > -- return netsec_incoming_packet(state, false,
> > > -- discard_const_p(uint8_t, data),
> > > -- length, sig);
> > > --}
> > > --/*
> > > -- seal a packet
> > > --*/
> > > --static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- uint8_t *data, size_t length,
> > > -- const uint8_t *whole_pdu, size_t pdu_length,
> > > -- DATA_BLOB *sig)
> > > --{
> > > -- struct schannel_state *state =
> > > -- talloc_get_type_abort(gensec_security->private_data,
> > > -- struct schannel_state);
> > > --
> > > -- return netsec_outgoing_packet(state, mem_ctx, true,
> > > -- data, length, sig);
> > > --}
> > > --
> > > --/*
> > > -- sign a packet
> > > --*/
> > > --static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- const uint8_t *data, size_t length,
> > > -- const uint8_t *whole_pdu, size_t pdu_length,
> > > -- DATA_BLOB *sig)
> > > --{
> > > -- struct schannel_state *state =
> > > -- talloc_get_type_abort(gensec_security->private_data,
> > > -- struct schannel_state);
> > > --
> > > -- return netsec_outgoing_packet(state, mem_ctx, false,
> > > -- discard_const_p(uint8_t, data),
> > > -- length, sig);
> > > --}
> > > --
> > > --static const struct gensec_security_ops gensec_schannel_security_ops = {
> > > -- .name = "schannel",
> > > -- .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
> > > -- .client_start = schannel_client_start,
> > > -- .server_start = schannel_server_start,
> > > -- .update = schannel_update,
> > > -- .seal_packet = schannel_seal_packet,
> > > -- .sign_packet = schannel_sign_packet,
> > > -- .check_packet = schannel_check_packet,
> > > -- .unseal_packet = schannel_unseal_packet,
> > > -- .session_info = schannel_session_info,
> > > -- .sig_size = schannel_sig_size,
> > > -- .have_feature = schannel_have_feature,
> > > -- .enabled = true,
> > > -- .priority = GENSEC_SCHANNEL
> > > --};
> > > --
> > > --_PUBLIC_ NTSTATUS gensec_schannel_init(void)
> > > --{
> > > -- NTSTATUS ret;
> > > -- ret = gensec_register(&gensec_schannel_security_ops);
> > > -- if (!NT_STATUS_IS_OK(ret)) {
> > > -- DEBUG(0,("Failed to register '%s' gensec backend!\n",
> > > -- gensec_schannel_security_ops.name));
> > > -- return ret;
> > > -- }
> > > --
> > > -- return ret;
> > > --}
> > > -diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
> > > -index 04fccc5..a3eff97 100755
> > > ---- a/source4/auth/gensec/wscript_build
> > > -+++ b/source4/auth/gensec/wscript_build
> > > -@@ -32,16 +32,6 @@ bld.SAMBA_MODULE('cyrus_sasl',
> > > - )
> > > -
> > > -
> > > --bld.SAMBA_MODULE('gensec_schannel',
> > > -- source='schannel.c',
> > > -- subsystem='gensec',
> > > -- deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials ndr auth_session',
> > > -- internal_module=True,
> > > -- autoproto='schannel_proto.h',
> > > -- init_function='gensec_schannel_init'
> > > -- )
> > > --
> > > --
> > > - bld.SAMBA_PYTHON('pygensec',
> > > - source='pygensec.c',
> > > - deps='gensec pytalloc-util pyparam_util',
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From c4829848f45db27d6c145b35a20bea2f33bcb4d7 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 18 Sep 2013 17:24:49 +0200
> > > -Subject: [PATCH 094/249] gensec: remove duplicate
> > > - gensec_security_by_authtype() call.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -We should use the equivalent gensec_security_by_auth_type() call which is
> > > -exposed in the public header.
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit d433ad077f354de4fc1d5a155d991f417ae9967c)
> > > ----
> > > - auth/gensec/gensec_start.c | 29 ++---------------------------
> > > - 1 file changed, 2 insertions(+), 27 deletions(-)
> > > -
> > > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > > -index 3ae64d5..906ef67 100644
> > > ---- a/auth/gensec/gensec_start.c
> > > -+++ b/auth/gensec/gensec_start.c
> > > -@@ -157,31 +157,6 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
> > > -
> > > - }
> > > -
> > > --static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
> > > -- uint8_t auth_type)
> > > --{
> > > -- int i;
> > > -- const struct gensec_security_ops **backends;
> > > -- const struct gensec_security_ops *backend;
> > > -- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
> > > -- if (!mem_ctx) {
> > > -- return NULL;
> > > -- }
> > > -- backends = gensec_security_mechs(gensec_security, mem_ctx);
> > > -- for (i=0; backends && backends[i]; i++) {
> > > -- if (!gensec_security_ops_enabled(backends[i], gensec_security))
> > > -- continue;
> > > -- if (backends[i]->auth_type == auth_type) {
> > > -- backend = backends[i];
> > > -- talloc_free(mem_ctx);
> > > -- return backend;
> > > -- }
> > > -- }
> > > -- talloc_free(mem_ctx);
> > > --
> > > -- return NULL;
> > > --}
> > > --
> > > - _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
> > > - struct gensec_security *gensec_security,
> > > - const char *oid_string)
> > > -@@ -719,7 +694,7 @@ NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
> > > - _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
> > > - uint8_t auth_type, uint8_t auth_level)
> > > - {
> > > -- gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type);
> > > -+ gensec_security->ops = gensec_security_by_auth_type(gensec_security, auth_type);
> > > - if (!gensec_security->ops) {
> > > - DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
> > > - return NT_STATUS_INVALID_PARAMETER;
> > > -@@ -746,7 +721,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
> > > - _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
> > > - {
> > > - const struct gensec_security_ops *ops;
> > > -- ops = gensec_security_by_authtype(gensec_security, authtype);
> > > -+ ops = gensec_security_by_auth_type(gensec_security, authtype);
> > > - if (ops) {
> > > - return ops->name;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 8c54d2ee4861a35def7cce29b900a68112356f6b Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 18 Sep 2013 17:25:55 +0200
> > > -Subject: [PATCH 095/249] gensec: check for NULL gensec_security in
> > > - gensec_security_by_auth_type().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -We have equivalent checks in other gensec_security_by_X calls already.
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 4f979525e4137c536118a9c2b2b4ef798c270e27)
> > > ----
> > > - auth/gensec/gensec_start.c | 6 ++++--
> > > - 1 file changed, 4 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
> > > -index 906ef67..476134a 100644
> > > ---- a/auth/gensec/gensec_start.c
> > > -+++ b/auth/gensec/gensec_start.c
> > > -@@ -230,8 +230,10 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
> > > - }
> > > - backends = gensec_security_mechs(gensec_security, mem_ctx);
> > > - for (i=0; backends && backends[i]; i++) {
> > > -- if (!gensec_security_ops_enabled(backends[i], gensec_security))
> > > -- continue;
> > > -+ if (gensec_security != NULL &&
> > > -+ !gensec_security_ops_enabled(backends[i], gensec_security)) {
> > > -+ continue;
> > > -+ }
> > > - if (backends[i]->auth_type == auth_type) {
> > > - backend = backends[i];
> > > - talloc_free(mem_ctx);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 5b941811c7ebd51bf2c8d421517fd92b3065ba47 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 18 Sep 2013 17:27:28 +0200
> > > -Subject: [PATCH 096/249] s3-auth: also load schannel module from
> > > - auth_generic_client_prepare().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 8fce75aa58ec70547ad218bde154e141f2d17303)
> > > ----
> > > - source3/libsmb/auth_generic.c | 3 ++-
> > > - 1 file changed, 2 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
> > > -index e30c1b7..3130dec 100644
> > > ---- a/source3/libsmb/auth_generic.c
> > > -+++ b/source3/libsmb/auth_generic.c
> > > -@@ -78,7 +78,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
> > > - }
> > > -
> > > - backends = talloc_zero_array(gensec_settings,
> > > -- const struct gensec_security_ops *, 4);
> > > -+ const struct gensec_security_ops *, 5);
> > > - if (backends == NULL) {
> > > - TALLOC_FREE(ans);
> > > - return NT_STATUS_NO_MEMORY;
> > > -@@ -95,6 +95,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
> > > - backends[idx++] = &gensec_ntlmssp3_client_ops;
> > > -
> > > - backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> > > -+ backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
> > > -
> > > - nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 28b5f156bcc03b88f8c0f3e52cd051a0b069334e Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 18 Sep 2013 17:44:10 +0200
> > > -Subject: [PATCH 097/249] s3-rpc_cli: allow to pass down a netlogon
> > > - CredentialState struct to gensec.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 7b570b4128f9af212048ce56abd841a1f6fdc259)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 5 ++++-
> > > - 1 file changed, 4 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 470469f..2acbad6 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2178,6 +2178,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> > > - const char *username,
> > > - const char *password,
> > > - enum credentials_use_kerberos use_kerberos,
> > > -+ struct netlogon_creds_CredentialState *creds,
> > > - struct pipe_auth_data **presult)
> > > - {
> > > - struct auth_generic_state *auth_generic_ctx;
> > > -@@ -2231,6 +2232,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> > > - }
> > > -
> > > - cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
> > > -+ cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds);
> > > -
> > > - status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -@@ -2830,6 +2832,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> > > - server, target_service,
> > > - domain, username, password,
> > > - CRED_AUTO_USE_KERBEROS,
> > > -+ NULL,
> > > - &auth);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
> > > -@@ -3057,7 +3060,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
> > > - DCERPC_AUTH_TYPE_SPNEGO, auth_level,
> > > - server, target_service,
> > > - domain, username, password,
> > > -- use_kerberos,
> > > -+ use_kerberos, NULL,
> > > - &auth);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4775b3fd2905e54b2c824d901fd8a99fb8caae04 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 18 Sep 2013 18:23:40 +0200
> > > -Subject: [PATCH 098/249] s3-auth: register schannel gensec module in
> > > - auth_generic_prepare() as well.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 090671aca5234f47f390054de771198e3c177060)
> > > ----
> > > - source3/auth/auth_generic.c | 5 ++++-
> > > - 1 file changed, 4 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> > > -index e15c87e..e07d3b7 100644
> > > ---- a/source3/auth/auth_generic.c
> > > -+++ b/source3/auth/auth_generic.c
> > > -@@ -32,6 +32,7 @@
> > > - #include "librpc/crypto/gse.h"
> > > - #include "auth/credentials/credentials.h"
> > > - #include "lib/param/loadparm.h"
> > > -+#include "librpc/gen_ndr/dcerpc.h"
> > > -
> > > - static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> > > - TALLOC_CTX *mem_ctx,
> > > -@@ -261,7 +262,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> > > - }
> > > -
> > > - backends = talloc_zero_array(gensec_settings,
> > > -- const struct gensec_security_ops *, 4);
> > > -+ const struct gensec_security_ops *, 5);
> > > - if (backends == NULL) {
> > > - TALLOC_FREE(tmp_ctx);
> > > - return NT_STATUS_NO_MEMORY;
> > > -@@ -279,6 +280,8 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> > > -
> > > - backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
> > > -
> > > -+ backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
> > > -+
> > > - /*
> > > - * This is anonymous for now, because we just use it
> > > - * to set the kerberos state at the moment
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 080c2ac3cbd28318bc6c682dff0aea17fad07a2c Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 18 Sep 2013 18:33:14 +0200
> > > -Subject: [PATCH 099/249] s3-rpc_cli: use gensec for schannel bind.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 89d0b89b5d58ceef13bc10036d396b10f8a102ae)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 22 +++++++++++++---------
> > > - 1 file changed, 13 insertions(+), 9 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 2acbad6..8a642e2 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -1120,12 +1120,6 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
> > > -
> > > - switch (auth->auth_type) {
> > > - case DCERPC_AUTH_TYPE_SCHANNEL:
> > > -- ret = create_schannel_auth_rpc_bind_req(cli, &auth_token);
> > > -- if (!NT_STATUS_IS_OK(ret)) {
> > > -- return ret;
> > > -- }
> > > -- break;
> > > --
> > > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > > - case DCERPC_AUTH_TYPE_KRB5:
> > > - case DCERPC_AUTH_TYPE_SPNEGO:
> > > -@@ -2884,16 +2878,26 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - struct netr_Authenticator auth;
> > > - struct netr_Authenticator return_auth;
> > > - union netr_Capabilities capabilities;
> > > -+ const char *target_service = table->authservices->names[0];
> > > -
> > > - status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > -
> > > -- status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
> > > -- *pdc, &rpcauth);
> > > -+ status = rpccli_generic_bind_data(rpccli,
> > > -+ DCERPC_AUTH_TYPE_SCHANNEL,
> > > -+ auth_level,
> > > -+ NULL,
> > > -+ target_service,
> > > -+ domain,
> > > -+ (*pdc)->computer_name,
> > > -+ NULL,
> > > -+ CRED_AUTO_USE_KERBEROS,
> > > -+ *pdc,
> > > -+ &rpcauth);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
> > > -+ DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
> > > - nt_errstr(status)));
> > > - TALLOC_FREE(rpccli);
> > > - return status;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 40ffd89f975e06821379fbd240187f5e268da5fe Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 18 Sep 2013 18:34:58 +0200
> > > -Subject: [PATCH 100/249] s3-rpc_srv: use gensec for schannel bind.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit a32a83ba9d6c7b5bbe9077973e5402ba65c068e7)
> > > ----
> > > - source3/rpc_server/srv_pipe.c | 9 +++++++--
> > > - 1 file changed, 7 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> > > -index 9043a14..fd7a90a 100644
> > > ---- a/source3/rpc_server/srv_pipe.c
> > > -+++ b/source3/rpc_server/srv_pipe.c
> > > -@@ -808,10 +808,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > > - break;
> > > -
> > > - case DCERPC_AUTH_TYPE_SCHANNEL:
> > > -- if (!pipe_schannel_auth_bind(p, pkt,
> > > -- &auth_info, &auth_resp)) {
> > > -+ if (!pipe_auth_generic_bind(p, pkt,
> > > -+ &auth_info, &auth_resp)) {
> > > -+ goto err_exit;
> > > -+ }
> > > -+ if (!session_info_set_session_key(p->session_info, generic_session_key())) {
> > > -+ DEBUG(0, ("session_info_set_session_key failed\n"));
> > > - goto err_exit;
> > > - }
> > > -+ p->pipe_bound = true;
> > > - break;
> > > -
> > > - case DCERPC_AUTH_TYPE_SPNEGO:
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 285de020b6e284ad5074492d62740ba8a370826a Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 18 Sep 2013 18:36:19 +0200
> > > -Subject: [PATCH 101/249] s3-rpc: use gensec for schannel footer processing.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 5a628490e46f428432cd9b32c2b4b3a34a3736ae)
> > > ----
> > > - source3/librpc/rpc/dcerpc_helpers.c | 35 +++--------------------------------
> > > - 1 file changed, 3 insertions(+), 32 deletions(-)
> > > -
> > > -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
> > > -index 97999d7..b9e05cb 100644
> > > ---- a/source3/librpc/rpc/dcerpc_helpers.c
> > > -+++ b/source3/librpc/rpc/dcerpc_helpers.c
> > > -@@ -273,7 +273,6 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
> > > - size_t max_len;
> > > - size_t mod_len;
> > > - struct gensec_security *gensec_security;
> > > -- struct schannel_state *schannel_auth;
> > > -
> > > - /* no auth token cases first */
> > > - switch (auth->auth_level) {
> > > -@@ -307,16 +306,11 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
> > > - case DCERPC_AUTH_TYPE_SPNEGO:
> > > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > > - case DCERPC_AUTH_TYPE_KRB5:
> > > -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> > > - gensec_security = talloc_get_type_abort(auth->auth_ctx,
> > > - struct gensec_security);
> > > - *auth_len = gensec_sig_size(gensec_security, max_len);
> > > - break;
> > > --
> > > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > > -- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
> > > -- struct schannel_state);
> > > -- *auth_len = netsec_outgoing_sig_size(schannel_auth);
> > > -- break;
> > > - default:
> > > - return NT_STATUS_INVALID_PARAMETER;
> > > - }
> > > -@@ -548,7 +542,6 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
> > > - NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
> > > - size_t pad_len, DATA_BLOB *rpc_out)
> > > - {
> > > -- struct schannel_state *schannel_auth;
> > > - struct gensec_security *gensec_security;
> > > - char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
> > > - DATA_BLOB auth_info;
> > > -@@ -600,19 +593,13 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
> > > - case DCERPC_AUTH_TYPE_SPNEGO:
> > > - case DCERPC_AUTH_TYPE_KRB5:
> > > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > > -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> > > - gensec_security = talloc_get_type_abort(auth->auth_ctx,
> > > - struct gensec_security);
> > > - status = add_generic_auth_footer(gensec_security,
> > > - auth->auth_level,
> > > - rpc_out);
> > > - break;
> > > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > > -- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
> > > -- struct schannel_state);
> > > -- status = add_schannel_auth_footer(schannel_auth,
> > > -- auth->auth_level,
> > > -- rpc_out);
> > > -- break;
> > > - default:
> > > - status = NT_STATUS_INVALID_PARAMETER;
> > > - break;
> > > -@@ -640,7 +627,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
> > > - DATA_BLOB *raw_pkt,
> > > - size_t *pad_len)
> > > - {
> > > -- struct schannel_state *schannel_auth;
> > > - struct gensec_security *gensec_security;
> > > - NTSTATUS status;
> > > - struct dcerpc_auth auth_info;
> > > -@@ -710,6 +696,7 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
> > > - case DCERPC_AUTH_TYPE_SPNEGO:
> > > - case DCERPC_AUTH_TYPE_KRB5:
> > > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > > -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> > > -
> > > - DEBUG(10, ("GENSEC auth\n"));
> > > -
> > > -@@ -723,22 +710,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
> > > - return status;
> > > - }
> > > - break;
> > > --
> > > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > > --
> > > -- DEBUG(10, ("SCHANNEL auth\n"));
> > > --
> > > -- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
> > > -- struct schannel_state);
> > > -- status = get_schannel_auth_footer(pkt, schannel_auth,
> > > -- auth->auth_level,
> > > -- &data, &full_pkt,
> > > -- &auth_info.credentials);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > -- break;
> > > --
> > > - default:
> > > - DEBUG(0, ("process_request_pdu: "
> > > - "unknown auth type %u set.\n",
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From cfa396d153cedb9b10356540a479ff299c480cae Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Thu, 19 Sep 2013 11:03:31 +0200
> > > -Subject: [PATCH 102/249] s3-rpc_cli: remove unused schannel calls from
> > > - dcerpc_helpers.c
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 639f60b1513a8c877d307ed86b7748250821fb3f)
> > > ----
> > > - source3/librpc/rpc/dcerpc.h | 3 -
> > > - source3/librpc/rpc/dcerpc_helpers.c | 124 ------------------------------------
> > > - 2 files changed, 127 deletions(-)
> > > -
> > > -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
> > > -index b3ae3b4..38d59cd 100644
> > > ---- a/source3/librpc/rpc/dcerpc.h
> > > -+++ b/source3/librpc/rpc/dcerpc.h
> > > -@@ -60,9 +60,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
> > > - const DATA_BLOB *blob,
> > > - struct ncacn_packet *r,
> > > - bool bigendian);
> > > --NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
> > > -- struct NL_AUTH_MESSAGE *r,
> > > -- DATA_BLOB *blob);
> > > - NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
> > > - enum dcerpc_AuthType auth_type,
> > > - enum dcerpc_AuthLevel auth_level,
> > > -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
> > > -index b9e05cb..2400bfd 100644
> > > ---- a/source3/librpc/rpc/dcerpc_helpers.c
> > > -+++ b/source3/librpc/rpc/dcerpc_helpers.c
> > > -@@ -21,9 +21,6 @@
> > > - #include "includes.h"
> > > - #include "librpc/rpc/dcerpc.h"
> > > - #include "librpc/gen_ndr/ndr_dcerpc.h"
> > > --#include "librpc/gen_ndr/ndr_schannel.h"
> > > --#include "../libcli/auth/schannel.h"
> > > --#include "../libcli/auth/spnego.h"
> > > - #include "librpc/crypto/gse.h"
> > > - #include "auth/gensec/gensec.h"
> > > -
> > > -@@ -135,34 +132,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
> > > - }
> > > -
> > > - /**
> > > --* @brief NDR Encodes a NL_AUTH_MESSAGE
> > > --*
> > > --* @param mem_ctx The memory context the blob will be allocated on
> > > --* @param r The NL_AUTH_MESSAGE to encode
> > > --* @param blob [out] The encoded blob if successful
> > > --*
> > > --* @return a NTSTATUS error code
> > > --*/
> > > --NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
> > > -- struct NL_AUTH_MESSAGE *r,
> > > -- DATA_BLOB *blob)
> > > --{
> > > -- enum ndr_err_code ndr_err;
> > > --
> > > -- ndr_err = ndr_push_struct_blob(blob, mem_ctx, r,
> > > -- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> > > -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -- return ndr_map_error2ntstatus(ndr_err);
> > > -- }
> > > --
> > > -- if (DEBUGLEVEL >= 10) {
> > > -- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, r);
> > > -- }
> > > --
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > --/**
> > > - * @brief NDR Encodes a dcerpc_auth structure
> > > - *
> > > - * @param mem_ctx The memory context the blob will be allocated on
> > > -@@ -437,99 +406,6 @@ static NTSTATUS get_generic_auth_footer(struct gensec_security *gensec_security,
> > > - }
> > > - }
> > > -
> > > --/*******************************************************************
> > > -- Create and add the schannel sign/seal auth data.
> > > -- ********************************************************************/
> > > --
> > > --static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
> > > -- enum dcerpc_AuthLevel auth_level,
> > > -- DATA_BLOB *rpc_out)
> > > --{
> > > -- uint8_t *data_p = rpc_out->data + DCERPC_RESPONSE_LENGTH;
> > > -- size_t data_and_pad_len = rpc_out->length
> > > -- - DCERPC_RESPONSE_LENGTH
> > > -- - DCERPC_AUTH_TRAILER_LENGTH;
> > > -- DATA_BLOB auth_blob;
> > > -- NTSTATUS status;
> > > --
> > > -- if (!sas) {
> > > -- return NT_STATUS_INVALID_PARAMETER;
> > > -- }
> > > --
> > > -- switch (auth_level) {
> > > -- case DCERPC_AUTH_LEVEL_PRIVACY:
> > > -- status = netsec_outgoing_packet(sas,
> > > -- rpc_out->data,
> > > -- true,
> > > -- data_p,
> > > -- data_and_pad_len,
> > > -- &auth_blob);
> > > -- break;
> > > -- case DCERPC_AUTH_LEVEL_INTEGRITY:
> > > -- status = netsec_outgoing_packet(sas,
> > > -- rpc_out->data,
> > > -- false,
> > > -- data_p,
> > > -- data_and_pad_len,
> > > -- &auth_blob);
> > > -- break;
> > > -- default:
> > > -- status = NT_STATUS_INTERNAL_ERROR;
> > > -- break;
> > > -- }
> > > --
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
> > > -- nt_errstr(status)));
> > > -- return status;
> > > -- }
> > > --
> > > -- if (DEBUGLEVEL >= 10) {
> > > -- dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_blob);
> > > -- }
> > > --
> > > -- /* Finally attach the blob. */
> > > -- if (!data_blob_append(NULL, rpc_out,
> > > -- auth_blob.data, auth_blob.length)) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > -- data_blob_free(&auth_blob);
> > > --
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > --/*******************************************************************
> > > -- Check/unseal the Schannel auth data. (Unseal in place).
> > > -- ********************************************************************/
> > > --
> > > --static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
> > > -- struct schannel_state *auth_state,
> > > -- enum dcerpc_AuthLevel auth_level,
> > > -- DATA_BLOB *data, DATA_BLOB *full_pkt,
> > > -- DATA_BLOB *auth_token)
> > > --{
> > > -- switch (auth_level) {
> > > -- case DCERPC_AUTH_LEVEL_PRIVACY:
> > > -- /* Data portion is encrypted. */
> > > -- return netsec_incoming_packet(auth_state,
> > > -- true,
> > > -- data->data,
> > > -- data->length,
> > > -- auth_token);
> > > --
> > > -- case DCERPC_AUTH_LEVEL_INTEGRITY:
> > > -- /* Data is signed. */
> > > -- return netsec_incoming_packet(auth_state,
> > > -- false,
> > > -- data->data,
> > > -- data->length,
> > > -- auth_token);
> > > --
> > > -- default:
> > > -- return NT_STATUS_INVALID_PARAMETER;
> > > -- }
> > > --}
> > > --
> > > - /**
> > > - * @brief Append an auth footer according to what is the current mechanism
> > > - *
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 3c10a3501c04e1f5f9bd2bb1418b95b4b17248a8 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Thu, 19 Sep 2013 11:04:19 +0200
> > > -Subject: [PATCH 103/249] s3-rpc_cli: remove unused schannel calls from
> > > - cli_pipe.c
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 45949d721892a0e8a6b1a76e221c6b3bfd6a872f)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 76 -------------------------------------------
> > > - 1 file changed, 76 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 8a642e2..b73f2f2 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -22,11 +22,8 @@
> > > - #include "includes.h"
> > > - #include "../lib/util/tevent_ntstatus.h"
> > > - #include "librpc/gen_ndr/ndr_epmapper_c.h"
> > > --#include "../librpc/gen_ndr/ndr_schannel.h"
> > > - #include "../librpc/gen_ndr/ndr_dssetup.h"
> > > - #include "../libcli/auth/schannel.h"
> > > --#include "../libcli/auth/spnego.h"
> > > --#include "../auth/ntlmssp/ntlmssp.h"
> > > - #include "auth_generic.h"
> > > - #include "librpc/gen_ndr/ndr_dcerpc.h"
> > > - #include "librpc/gen_ndr/ndr_netlogon_c.h"
> > > -@@ -1018,42 +1015,6 @@ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> > > - }
> > > -
> > > - /*******************************************************************
> > > -- Creates schannel auth bind.
> > > -- ********************************************************************/
> > > --
> > > --static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> > > -- DATA_BLOB *auth_token)
> > > --{
> > > -- NTSTATUS status;
> > > -- struct NL_AUTH_MESSAGE r;
> > > --
> > > -- if (!cli->auth->user_name || !cli->auth->user_name[0]) {
> > > -- return NT_STATUS_INVALID_PARAMETER_MIX;
> > > -- }
> > > --
> > > -- if (!cli->auth->domain || !cli->auth->domain[0]) {
> > > -- return NT_STATUS_INVALID_PARAMETER_MIX;
> > > -- }
> > > --
> > > -- /*
> > > -- * Now marshall the data into the auth parse_struct.
> > > -- */
> > > --
> > > -- r.MessageType = NL_NEGOTIATE_REQUEST;
> > > -- r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
> > > -- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
> > > -- r.oem_netbios_domain.a = cli->auth->domain;
> > > -- r.oem_netbios_computer.a = cli->auth->user_name;
> > > --
> > > -- status = dcerpc_push_schannel_bind(cli, &r, auth_token);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > --
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > --/*******************************************************************
> > > - Creates the internals of a DCE/RPC bind request or alter context PDU.
> > > - ********************************************************************/
> > > -
> > > -@@ -2243,43 +2204,6 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> > > - return status;
> > > - }
> > > -
> > > --static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
> > > -- const char *domain,
> > > -- enum dcerpc_AuthLevel auth_level,
> > > -- struct netlogon_creds_CredentialState *creds,
> > > -- struct pipe_auth_data **presult)
> > > --{
> > > -- struct schannel_state *schannel_auth;
> > > -- struct pipe_auth_data *result;
> > > --
> > > -- result = talloc(mem_ctx, struct pipe_auth_data);
> > > -- if (result == NULL) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
> > > -- result->auth_level = auth_level;
> > > --
> > > -- result->user_name = talloc_strdup(result, creds->computer_name);
> > > -- result->domain = talloc_strdup(result, domain);
> > > -- if ((result->user_name == NULL) || (result->domain == NULL)) {
> > > -- goto fail;
> > > -- }
> > > --
> > > -- schannel_auth = netsec_create_state(result, creds, true /* initiator */);
> > > -- if (schannel_auth == NULL) {
> > > -- goto fail;
> > > -- }
> > > --
> > > -- result->auth_ctx = schannel_auth;
> > > -- *presult = result;
> > > -- return NT_STATUS_OK;
> > > --
> > > -- fail:
> > > -- TALLOC_FREE(result);
> > > -- return NT_STATUS_NO_MEMORY;
> > > --}
> > > --
> > > - /**
> > > - * Create an rpc pipe client struct, connecting to a tcp port.
> > > - */
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From e4b33d6311e051501815199bd6c6dbba33f1bc55 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Thu, 19 Sep 2013 11:05:21 +0200
> > > -Subject: [PATCH 104/249] s3-rpc_srv: remove unused schannel calls from
> > > - srv_pipe.c
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Autobuild-User(master): Günther Deschner <gd@samba.org>
> > > -Autobuild-Date(master): Thu Sep 19 12:59:04 CEST 2013 on sn-devel-104
> > > -(cherry picked from commit 6965f918c04328535c55a0ef9b7fe6392fba193a)
> > > ----
> > > - source3/rpc_server/srv_pipe.c | 116 ------------------------------------------
> > > - 1 file changed, 116 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> > > -index fd7a90a..06752a8 100644
> > > ---- a/source3/rpc_server/srv_pipe.c
> > > -+++ b/source3/rpc_server/srv_pipe.c
> > > -@@ -30,11 +30,8 @@
> > > - #include "includes.h"
> > > - #include "system/filesys.h"
> > > - #include "srv_pipe_internal.h"
> > > --#include "../librpc/gen_ndr/ndr_schannel.h"
> > > - #include "../librpc/gen_ndr/dcerpc.h"
> > > - #include "../librpc/rpc/rpc_common.h"
> > > --#include "../libcli/auth/schannel.h"
> > > --#include "../libcli/auth/spnego.h"
> > > - #include "dcesrv_auth_generic.h"
> > > - #include "rpc_server.h"
> > > - #include "rpc_dce.h"
> > > -@@ -415,119 +412,6 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
> > > - }
> > > -
> > > - /*******************************************************************
> > > -- Handle an schannel bind auth.
> > > --*******************************************************************/
> > > --
> > > --static bool pipe_schannel_auth_bind(struct pipes_struct *p,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- struct dcerpc_auth *auth_info,
> > > -- DATA_BLOB *response)
> > > --{
> > > -- struct NL_AUTH_MESSAGE neg;
> > > -- struct NL_AUTH_MESSAGE reply;
> > > -- bool ret;
> > > -- NTSTATUS status;
> > > -- struct netlogon_creds_CredentialState *creds;
> > > -- enum ndr_err_code ndr_err;
> > > -- struct schannel_state *schannel_auth;
> > > -- struct loadparm_context *lp_ctx;
> > > --
> > > -- ndr_err = ndr_pull_struct_blob(
> > > -- &auth_info->credentials, mem_ctx, &neg,
> > > -- (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
> > > -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -- DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
> > > -- return false;
> > > -- }
> > > --
> > > -- if (DEBUGLEVEL >= 10) {
> > > -- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
> > > -- }
> > > --
> > > -- if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
> > > -- DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
> > > -- return false;
> > > -- }
> > > --
> > > -- lp_ctx = loadparm_init_s3(p, loadparm_s3_helpers());
> > > -- if (!lp_ctx) {
> > > -- DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
> > > -- return false;
> > > -- }
> > > --
> > > -- /*
> > > -- * The neg.oem_netbios_computer.a key here must match the remote computer name
> > > -- * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
> > > -- * operations that use credentials.
> > > -- */
> > > --
> > > -- become_root();
> > > -- status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
> > > -- neg.oem_netbios_computer.a, &creds);
> > > -- unbecome_root();
> > > --
> > > -- talloc_unlink(p, lp_ctx);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
> > > -- return False;
> > > -- }
> > > --
> > > -- schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
> > > -- TALLOC_FREE(creds);
> > > -- if (!schannel_auth) {
> > > -- return False;
> > > -- }
> > > --
> > > -- /*
> > > -- * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
> > > -- * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
> > > -- * struct of the person who opened the pipe. I need to test this further. JRA.
> > > -- *
> > > -- * VL. As we are mapping this to guest set the generic key
> > > -- * "SystemLibraryDTC" key here. It's a bit difficult to test against
> > > -- * W2k3, as it does not allow schannel binds against SAMR and LSA
> > > -- * anymore.
> > > -- */
> > > --
> > > -- ret = session_info_set_session_key(p->session_info, generic_session_key());
> > > --
> > > -- if (!ret) {
> > > -- DEBUG(0, ("session_info_set_session_key failed\n"));
> > > -- return false;
> > > -- }
> > > --
> > > -- /*** SCHANNEL verifier ***/
> > > --
> > > -- reply.MessageType = NL_NEGOTIATE_RESPONSE;
> > > -- reply.Flags = 0;
> > > -- reply.Buffer.dummy = 5; /* ??? actually I don't think
> > > -- * this has any meaning
> > > -- * here - gd */
> > > --
> > > -- ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
> > > -- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
> > > -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -- DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
> > > -- return false;
> > > -- }
> > > --
> > > -- if (DEBUGLEVEL >= 10) {
> > > -- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
> > > -- }
> > > --
> > > -- DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
> > > -- neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
> > > --
> > > -- /* We're finished with this bind - no more packets. */
> > > -- p->auth.auth_ctx = schannel_auth;
> > > -- p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
> > > --
> > > -- p->pipe_bound = True;
> > > --
> > > -- return True;
> > > --}
> > > --
> > > --/*******************************************************************
> > > - Handle an NTLMSSP bind auth.
> > > - *******************************************************************/
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 68fbdf567cb7d0bc3550b826204c0708a771a4dc Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Mon, 12 Aug 2013 17:22:15 +0200
> > > -Subject: [PATCH 105/249] librpc/ndr: call ndr_table_list() from all ndr_X
> > > - functions.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 88c1dbf722889a2d7379cdcbac1ce9b140a42356)
> > > ----
> > > - librpc/ndr/ndr_table.c | 6 +++---
> > > - 1 file changed, 3 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
> > > -index 7ca0417..01d9094 100644
> > > ---- a/librpc/ndr/ndr_table.c
> > > -+++ b/librpc/ndr/ndr_table.c
> > > -@@ -73,7 +73,7 @@ const char *ndr_interface_name(const struct GUID *uuid, uint32_t if_version)
> > > - int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
> > > - {
> > > - const struct ndr_interface_list *l;
> > > -- for (l=ndr_interfaces;l;l=l->next){
> > > -+ for (l=ndr_table_list();l;l=l->next){
> > > - if (GUID_equal(&l->table->syntax_id.uuid, uuid) &&
> > > - l->table->syntax_id.if_version == if_version) {
> > > - return l->table->num_calls;
> > > -@@ -89,7 +89,7 @@ int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
> > > - const struct ndr_interface_table *ndr_table_by_name(const char *name)
> > > - {
> > > - const struct ndr_interface_list *l;
> > > -- for (l=ndr_interfaces;l;l=l->next) {
> > > -+ for (l=ndr_table_list();l;l=l->next) {
> > > - if (strcasecmp(l->table->name, name) == 0) {
> > > - return l->table;
> > > - }
> > > -@@ -103,7 +103,7 @@ const struct ndr_interface_table *ndr_table_by_name(const char *name)
> > > - const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
> > > - {
> > > - const struct ndr_interface_list *l;
> > > -- for (l=ndr_interfaces;l;l=l->next) {
> > > -+ for (l=ndr_table_list();l;l=l->next) {
> > > - if (GUID_equal(&l->table->syntax_id.uuid, uuid)) {
> > > - return l->table;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From c936c80f7e567bab6fc749fb35e60176fca020af Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Thu, 8 Aug 2013 17:34:56 +0200
> > > -Subject: [PATCH 106/249] librpc/ndr: make sure ndr_table_list() always calls
> > > - ndr_init_table() first.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 21200b12dc14673f9a610c5798635b6052370dbe)
> > > ----
> > > - librpc/ndr/ndr_table.c | 1 +
> > > - 1 file changed, 1 insertion(+)
> > > -
> > > -diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
> > > -index 01d9094..f73b9fc 100644
> > > ---- a/librpc/ndr/ndr_table.c
> > > -+++ b/librpc/ndr/ndr_table.c
> > > -@@ -116,6 +116,7 @@ const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
> > > - */
> > > - const struct ndr_interface_list *ndr_table_list(void)
> > > - {
> > > -+ ndr_table_init();
> > > - return ndr_interfaces;
> > > - }
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 2ced3243b3589b673967452a6401d665dd514525 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Thu, 8 Aug 2013 17:40:22 +0200
> > > -Subject: [PATCH 107/249] s3-rpc: use table->name directly in DEBUG contexts.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit a94e278883c58b35d383753e86135ff6a1d14ec7)
> > > ----
> > > - source3/lib/netapi/cm.c | 2 +-
> > > - source3/rpc_client/cli_pipe.c | 7 +++----
> > > - 2 files changed, 4 insertions(+), 5 deletions(-)
> > > -
> > > -diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
> > > -index 1cfdccf..bb5d6b2 100644
> > > ---- a/source3/lib/netapi/cm.c
> > > -+++ b/source3/lib/netapi/cm.c
> > > -@@ -254,7 +254,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
> > > - status = pipe_cm_open(ctx, ipc, table, &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
> > > -- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > > -+ table->name,
> > > - get_friendly_nt_error_msg(status));
> > > - return WERR_DEST_NOT_FOUND;
> > > - }
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index b73f2f2..64e7f1c 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2692,8 +2692,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > > - }
> > > - DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
> > > - "%s failed with error %s\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(),
> > > -- &table->syntax_id),
> > > -+ table->name,
> > > - nt_errstr(status) ));
> > > - TALLOC_FREE(result);
> > > - return status;
> > > -@@ -2701,7 +2700,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> > > -
> > > - DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
> > > - "%s and bound anonymously.\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > > -+ table->name,
> > > - result->desthost));
> > > -
> > > - *presult = result;
> > > -@@ -2946,7 +2945,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - done:
> > > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> > > - "for domain %s and bound using schannel.\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
> > > -+ table->name,
> > > - rpccli->desthost, domain));
> > > -
> > > - *_rpccli = rpccli;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From cd864f1a3748c219df78600fc826a6e1d81fa07d Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 18 Sep 2013 10:58:16 +0200
> > > -Subject: [PATCH 108/249] s3-rpc: use ndr_interface_name() instead of
> > > - get_pipe_name_from_syntax() in DEBUG.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 3135533710b2a1b64aaf6b10d30b86f3c004657d)
> > > ----
> > > - source3/rpc_server/rpc_handles.c | 15 +++++++++------
> > > - source3/rpc_server/srv_pipe.c | 22 ++++++++++++++--------
> > > - source3/rpc_server/srv_pipe_hnd.c | 16 +++++++++++-----
> > > - source3/wscript_build | 3 ++-
> > > - 4 files changed, 36 insertions(+), 20 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
> > > -index 70c3919..409299a 100644
> > > ---- a/source3/rpc_server/rpc_handles.c
> > > -+++ b/source3/rpc_server/rpc_handles.c
> > > -@@ -27,6 +27,7 @@
> > > - #include "rpc_server/rpc_pipes.h"
> > > - #include "../libcli/security/security.h"
> > > - #include "lib/tsocket/tsocket.h"
> > > -+#include "librpc/ndr/ndr_table.h"
> > > -
> > > - #undef DBGC_CLASS
> > > - #define DBGC_CLASS DBGC_RPC_SRV
> > > -@@ -218,7 +219,8 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
> > > -
> > > - DEBUG(10,("init_pipe_handle_list: created handle list for "
> > > - "pipe %s\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), syntax)));
> > > -+ ndr_interface_name(&syntax->uuid,
> > > -+ syntax->if_version)));
> > > - }
> > > -
> > > - /*
> > > -@@ -235,7 +237,7 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
> > > -
> > > - DEBUG(10,("init_pipe_handle_list: pipe_handles ref count = %lu for "
> > > - "pipe %s\n", (unsigned long)p->pipe_handles->pipe_ref_count,
> > > -- get_pipe_name_from_syntax(talloc_tos(), syntax)));
> > > -+ ndr_interface_name(&syntax->uuid, syntax->if_version)));
> > > -
> > > - return True;
> > > - }
> > > -@@ -412,8 +414,8 @@ void close_policy_by_pipe(struct pipes_struct *p)
> > > - TALLOC_FREE(p->pipe_handles);
> > > -
> > > - DEBUG(10,("Deleted handle list for RPC connection %s\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(),
> > > -- &p->contexts->syntax)));
> > > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > > -+ p->contexts->syntax.if_version)));
> > > - }
> > > - }
> > > -
> > > -@@ -456,8 +458,9 @@ void *_policy_handle_create(struct pipes_struct *p, struct policy_handle *hnd,
> > > - if (p->pipe_handles->count > MAX_OPEN_POLS) {
> > > - DEBUG(0, ("ERROR: Too many handles (%d) for RPC connection %s\n",
> > > - (int) p->pipe_handles->count,
> > > -- get_pipe_name_from_syntax(talloc_tos(),
> > > -- &p->contexts->syntax)));
> > > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > > -+ p->contexts->syntax.if_version)));
> > > -+
> > > - *pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
> > > - return NULL;
> > > - }
> > > -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> > > -index 06752a8..19dbc37 100644
> > > ---- a/source3/rpc_server/srv_pipe.c
> > > -+++ b/source3/rpc_server/srv_pipe.c
> > > -@@ -41,6 +41,7 @@
> > > - #include "rpc_server/srv_pipe.h"
> > > - #include "rpc_server/rpc_contexts.h"
> > > - #include "lib/param/param.h"
> > > -+#include "librpc/ndr/ndr_table.h"
> > > -
> > > - #undef DBGC_CLASS
> > > - #define DBGC_CLASS DBGC_RPC_SRV
> > > -@@ -336,7 +337,8 @@ static bool check_bind_req(struct pipes_struct *p,
> > > - bool ok;
> > > -
> > > - DEBUG(3,("check_bind_req for %s\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), abstract)));
> > > -+ ndr_interface_name(&abstract->uuid,
> > > -+ abstract->if_version)));
> > > -
> > > - /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
> > > - if (rpc_srv_pipe_exists_by_id(abstract) &&
> > > -@@ -580,7 +582,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > > - if (NT_STATUS_IS_ERR(status)) {
> > > - DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
> > > - "%s in bind request.\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), &id)));
> > > -+ ndr_interface_name(&id.uuid,
> > > -+ id.if_version)));
> > > -
> > > - return setup_bind_nak(p, pkt);
> > > - }
> > > -@@ -595,8 +598,10 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > > - } else {
> > > - DEBUG(0, ("module %s doesn't provide functions for "
> > > - "pipe %s!\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), &id),
> > > -- get_pipe_name_from_syntax(talloc_tos(), &id)));
> > > -+ ndr_interface_name(&id.uuid,
> > > -+ id.if_version),
> > > -+ ndr_interface_name(&id.uuid,
> > > -+ id.if_version)));
> > > - return setup_bind_nak(p, pkt);
> > > - }
> > > - }
> > > -@@ -1206,7 +1211,8 @@ static bool api_pipe_request(struct pipes_struct *p,
> > > - TALLOC_CTX *frame = talloc_stackframe();
> > > -
> > > - DEBUG(5, ("Requested %s rpc service\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
> > > -+ ndr_interface_name(&pipe_fns->syntax.uuid,
> > > -+ pipe_fns->syntax.if_version)));
> > > -
> > > - ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
> > > - &pipe_fns->syntax);
> > > -@@ -1237,7 +1243,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> > > -
> > > - /* interpret the command */
> > > - DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
> > > -- get_pipe_name_from_syntax(talloc_tos(), syntax),
> > > -+ ndr_interface_name(&syntax->uuid, syntax->if_version),
> > > - pkt->u.request.opnum));
> > > -
> > > - if (DEBUGLEVEL >= 50) {
> > > -@@ -1276,7 +1282,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> > > - /* do the actual command */
> > > - if(!api_rpc_cmds[fn_num].fn(p)) {
> > > - DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), syntax),
> > > -+ ndr_interface_name(&syntax->uuid, syntax->if_version),
> > > - api_rpc_cmds[fn_num].name));
> > > - data_blob_free(&p->out_data.rdata);
> > > - return False;
> > > -@@ -1299,7 +1305,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> > > - }
> > > -
> > > - DEBUG(5,("api_rpcTNP: called %s successfully\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), syntax)));
> > > -+ ndr_interface_name(&syntax->uuid, syntax->if_version)));
> > > -
> > > - /* Check for buffer underflow in rpc parsing */
> > > - if ((DEBUGLEVEL >= 10) &&
> > > -diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
> > > -index 3f8ff44..fcbfa77 100644
> > > ---- a/source3/rpc_server/srv_pipe_hnd.c
> > > -+++ b/source3/rpc_server/srv_pipe_hnd.c
> > > -@@ -30,6 +30,7 @@
> > > - #include "rpc_server/rpc_config.h"
> > > - #include "../lib/tsocket/tsocket.h"
> > > - #include "../lib/util/tevent_ntstatus.h"
> > > -+#include "librpc/ndr/ndr_table.h"
> > > -
> > > - #undef DBGC_CLASS
> > > - #define DBGC_CLASS DBGC_RPC_SRV
> > > -@@ -281,7 +282,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> > > - }
> > > -
> > > - DEBUG(6,(" name: %s len: %u\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
> > > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > > -+ p->contexts->syntax.if_version),
> > > - (unsigned int)n));
> > > -
> > > - /*
> > > -@@ -299,7 +301,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> > > - DEBUG(5,("read_from_pipe: too large read (%u) requested on "
> > > - "pipe %s. We can only service %d sized reads.\n",
> > > - (unsigned int)n,
> > > -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
> > > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > > -+ p->contexts->syntax.if_version),
> > > - RPC_MAX_PDU_FRAG_LEN ));
> > > - n = RPC_MAX_PDU_FRAG_LEN;
> > > - }
> > > -@@ -320,7 +323,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> > > -
> > > - DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, "
> > > - "current_pdu_sent = %u returning %d bytes.\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
> > > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > > -+ p->contexts->syntax.if_version),
> > > - (unsigned int)p->out_data.frag.length,
> > > - (unsigned int)p->out_data.current_pdu_sent,
> > > - (int)data_returned));
> > > -@@ -341,7 +345,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> > > -
> > > - DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length "
> > > - "= %u, p->out_data.rdata.length = %u.\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
> > > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > > -+ p->contexts->syntax.if_version),
> > > - (int)p->fault_state,
> > > - (unsigned int)p->out_data.data_sent_length,
> > > - (unsigned int)p->out_data.rdata.length));
> > > -@@ -363,7 +368,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
> > > -
> > > - if(!create_next_pdu(p)) {
> > > - DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n",
> > > -- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax)));
> > > -+ ndr_interface_name(&p->contexts->syntax.uuid,
> > > -+ p->contexts->syntax.if_version)));
> > > - return -1;
> > > - }
> > > -
> > > -diff --git a/source3/wscript_build b/source3/wscript_build
> > > -index 0bf84e2..bb2e928 100755
> > > ---- a/source3/wscript_build
> > > -+++ b/source3/wscript_build
> > > -@@ -672,7 +672,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
> > > - deps='''ndr ndr-standard
> > > - RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
> > > - LIBTSOCKET gse dcerpc-binding
> > > -- libsmb''',
> > > -+ libsmb
> > > -+ ndr-table''',
> > > - vars=locals(),
> > > - private_library=True)
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 6e6ba9bb34ac4e1d55056ef82e4bad8ab2d65b0d Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Thu, 8 Aug 2013 17:33:29 +0200
> > > -Subject: [PATCH 109/249] librpc: add dcerpc_default_transport_endpoint()
> > > - function.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 40ee3d8a5f7439b90f1ebf5e40535fad51038fe6)
> > > ----
> > > - librpc/rpc/dcerpc_util.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++
> > > - librpc/rpc/rpc_common.h | 3 +++
> > > - 2 files changed, 58 insertions(+)
> > > -
> > > -diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
> > > -index 0b9cca3..4046f32 100644
> > > ---- a/librpc/rpc/dcerpc_util.c
> > > -+++ b/librpc/rpc/dcerpc_util.c
> > > -@@ -332,3 +332,58 @@ NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
> > > - tevent_req_received(req);
> > > - return NT_STATUS_OK;
> > > - }
> > > -+
> > > -+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
> > > -+ enum dcerpc_transport_t transport,
> > > -+ const struct ndr_interface_table *table)
> > > -+{
> > > -+ NTSTATUS status;
> > > -+ const char *p = NULL;
> > > -+ const char *endpoint = NULL;
> > > -+ int i;
> > > -+ struct dcerpc_binding *default_binding = NULL;
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+
> > > -+ /* Find one of the default pipes for this interface */
> > > -+
> > > -+ for (i = 0; i < table->endpoints->count; i++) {
> > > -+
> > > -+ status = dcerpc_parse_binding(frame, table->endpoints->names[i],
> > > -+ &default_binding);
> > > -+ if (NT_STATUS_IS_OK(status)) {
> > > -+ if (transport == NCA_UNKNOWN &&
> > > -+ default_binding->endpoint != NULL) {
> > > -+ p = default_binding->endpoint;
> > > -+ break;
> > > -+ }
> > > -+ if (default_binding->transport == transport &&
> > > -+ default_binding->endpoint != NULL) {
> > > -+ p = default_binding->endpoint;
> > > -+ break;
> > > -+ }
> > > -+ }
> > > -+ }
> > > -+
> > > -+ if (i == table->endpoints->count || p == NULL) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * extract the pipe name without \\pipe from for example
> > > -+ * ncacn_np:[\\pipe\\epmapper]
> > > -+ */
> > > -+ if (default_binding->transport == NCACN_NP) {
> > > -+ if (strncasecmp(p, "\\pipe\\", 6) == 0) {
> > > -+ p += 6;
> > > -+ }
> > > -+ if (strncmp(p, "\\", 1) == 0) {
> > > -+ p += 1;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ endpoint = talloc_strdup(mem_ctx, p);
> > > -+
> > > -+ done:
> > > -+ talloc_free(frame);
> > > -+ return endpoint;
> > > -+}
> > > -diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
> > > -index e2b3755..d2816f5 100644
> > > ---- a/librpc/rpc/rpc_common.h
> > > -+++ b/librpc/rpc/rpc_common.h
> > > -@@ -143,6 +143,9 @@ void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v);
> > > - uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob);
> > > - void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v);
> > > - uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob);
> > > -+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
> > > -+ enum dcerpc_transport_t transport,
> > > -+ const struct ndr_interface_table *table);
> > > -
> > > - /**
> > > - * @brief Pull a dcerpc_auth structure, taking account of any auth
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a71f6912117ef5054cba4346f8bfd555d70d7837 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 18 Sep 2013 10:59:14 +0200
> > > -Subject: [PATCH 110/249] s3-rpc: use dcerpc_default_transport_endpoint
> > > - function.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit b73e2d927b2221cb3fde8776789c8ca085cf2b8f)
> > > ----
> > > - source3/rpc_client/rpc_transport_np.c | 4 +++-
> > > - source3/rpc_server/rpc_ncacn_np.c | 12 ++++++++++--
> > > - source3/rpc_server/srv_pipe.c | 28 +++++++++++++++++++++-------
> > > - 3 files changed, 34 insertions(+), 10 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
> > > -index c0f313e..91943f4 100644
> > > ---- a/source3/rpc_client/rpc_transport_np.c
> > > -+++ b/source3/rpc_client/rpc_transport_np.c
> > > -@@ -22,6 +22,7 @@
> > > - #include "rpc_client/rpc_transport.h"
> > > - #include "libsmb/cli_np_tstream.h"
> > > - #include "client.h"
> > > -+#include "librpc/ndr/ndr_table.h"
> > > -
> > > - #undef DBGC_CLASS
> > > - #define DBGC_CLASS DBGC_RPC_CLI
> > > -@@ -55,7 +56,8 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
> > > - state->ev = ev;
> > > - state->cli = cli;
> > > - state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
> > > -- state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
> > > -+ state->pipe_name = dcerpc_default_transport_endpoint(state, NCACN_NP,
> > > -+ table);
> > > - if (tevent_req_nomem(state->pipe_name, req)) {
> > > - return tevent_req_post(req, ev);
> > > - }
> > > -diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
> > > -index 7389b3e..46b77fd 100644
> > > ---- a/source3/rpc_server/rpc_ncacn_np.c
> > > -+++ b/source3/rpc_server/rpc_ncacn_np.c
> > > -@@ -36,6 +36,7 @@
> > > - #include "../lib/util/tevent_ntstatus.h"
> > > - #include "rpc_contexts.h"
> > > - #include "rpc_server/rpc_config.h"
> > > -+#include "librpc/ndr/ndr_table.h"
> > > -
> > > - #undef DBGC_CLASS
> > > - #define DBGC_CLASS DBGC_RPC_SRV
> > > -@@ -54,8 +55,15 @@ struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
> > > - struct pipe_rpc_fns *context_fns;
> > > - const char *pipe_name;
> > > - int ret;
> > > -+ const struct ndr_interface_table *table;
> > > -
> > > -- pipe_name = get_pipe_name_from_syntax(talloc_tos(), syntax);
> > > -+ table = ndr_table_by_uuid(&syntax->uuid);
> > > -+ if (table == NULL) {
> > > -+ DEBUG(0,("unknown interface\n"));
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
> > > -
> > > - DEBUG(4,("Create pipe requested %s\n", pipe_name));
> > > -
> > > -@@ -783,7 +791,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
> > > -+ pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
> > > - if (pipe_name == NULL) {
> > > - status = NT_STATUS_INVALID_PARAMETER;
> > > - goto done;
> > > -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> > > -index 19dbc37..5f834fb 100644
> > > ---- a/source3/rpc_server/srv_pipe.c
> > > -+++ b/source3/rpc_server/srv_pipe.c
> > > -@@ -552,6 +552,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > > - struct dcerpc_ack_ctx bind_ack_ctx;
> > > - DATA_BLOB auth_resp = data_blob_null;
> > > - DATA_BLOB auth_blob = data_blob_null;
> > > -+ const struct ndr_interface_table *table;
> > > -
> > > - /* No rebinds on a bound pipe - use alter context. */
> > > - if (p->pipe_bound) {
> > > -@@ -569,15 +570,21 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > > - * that this is a pipe name we support.
> > > - */
> > > - id = pkt->u.bind.ctx_list[0].abstract_syntax;
> > > -+
> > > -+ table = ndr_table_by_uuid(&id.uuid);
> > > -+ if (table == NULL) {
> > > -+ DEBUG(0,("unknown interface\n"));
> > > -+ return false;
> > > -+ }
> > > -+
> > > - if (rpc_srv_pipe_exists_by_id(&id)) {
> > > - DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
> > > - rpc_srv_get_pipe_cli_name(&id),
> > > - rpc_srv_get_pipe_srv_name(&id)));
> > > - } else {
> > > - status = smb_probe_module(
> > > -- "rpc", get_pipe_name_from_syntax(
> > > -- talloc_tos(),
> > > -- &id));
> > > -+ "rpc", dcerpc_default_transport_endpoint(pkt,
> > > -+ NCACN_NP, table));
> > > -
> > > - if (NT_STATUS_IS_ERR(status)) {
> > > - DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
> > > -@@ -589,8 +596,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > > - }
> > > -
> > > - if (rpc_srv_get_pipe_interface_by_cli_name(
> > > -- get_pipe_name_from_syntax(talloc_tos(),
> > > -- &id),
> > > -+ dcerpc_default_transport_endpoint(pkt,
> > > -+ NCACN_NP, table),
> > > - &id)) {
> > > - DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
> > > - rpc_srv_get_pipe_cli_name(&id),
> > > -@@ -1240,16 +1247,23 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> > > - {
> > > - int fn_num;
> > > - uint32_t offset1;
> > > -+ const struct ndr_interface_table *table;
> > > -
> > > - /* interpret the command */
> > > - DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
> > > - ndr_interface_name(&syntax->uuid, syntax->if_version),
> > > - pkt->u.request.opnum));
> > > -
> > > -+ table = ndr_table_by_uuid(&syntax->uuid);
> > > -+ if (table == NULL) {
> > > -+ DEBUG(0,("unknown interface\n"));
> > > -+ return false;
> > > -+ }
> > > -+
> > > - if (DEBUGLEVEL >= 50) {
> > > - fstring name;
> > > - slprintf(name, sizeof(name)-1, "in_%s",
> > > -- get_pipe_name_from_syntax(talloc_tos(), syntax));
> > > -+ dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
> > > - dump_pdu_region(name, pkt->u.request.opnum,
> > > - &p->in_data.data, 0,
> > > - p->in_data.data.length);
> > > -@@ -1298,7 +1312,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
> > > - if (DEBUGLEVEL >= 50) {
> > > - fstring name;
> > > - slprintf(name, sizeof(name)-1, "out_%s",
> > > -- get_pipe_name_from_syntax(talloc_tos(), syntax));
> > > -+ dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
> > > - dump_pdu_region(name, pkt->u.request.opnum,
> > > - &p->out_data.rdata, offset1,
> > > - p->out_data.rdata.length);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 8bb6f177b210159ea6317b20e2cc12732b4d273a Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 7 Aug 2013 17:43:08 +0200
> > > -Subject: [PATCH 111/249] s3-rpc: remove unused source3/librpc/rpc/rpc_common.c
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Autobuild-User(master): Günther Deschner <gd@samba.org>
> > > -Autobuild-Date(master): Fri Sep 20 14:57:06 CEST 2013 on sn-devel-104
> > > -(cherry picked from commit 807628ecac445999e75ec9ea1abdc5f2fde356d6)
> > > ----
> > > - source3/librpc/rpc/dcerpc.h | 8 --
> > > - source3/librpc/rpc/rpc_common.c | 209 ----------------------------------------
> > > - source3/wscript_build | 1 -
> > > - 3 files changed, 218 deletions(-)
> > > - delete mode 100644 source3/librpc/rpc/rpc_common.c
> > > -
> > > -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
> > > -index 38d59cd..b18b7ba 100644
> > > ---- a/source3/librpc/rpc/dcerpc.h
> > > -+++ b/source3/librpc/rpc/dcerpc.h
> > > -@@ -85,12 +85,4 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
> > > - DATA_BLOB *raw_pkt,
> > > - size_t *pad_len);
> > > -
> > > --/* The following definitions come from librpc/rpc/rpc_common.c */
> > > --
> > > --bool smb_register_ndr_interface(const struct ndr_interface_table *interface);
> > > --const struct ndr_interface_table *get_iface_from_syntax(
> > > -- const struct ndr_syntax_id *syntax);
> > > --const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
> > > -- const struct ndr_syntax_id *syntax);
> > > --
> > > - #endif /* __S3_DCERPC_H__ */
> > > -diff --git a/source3/librpc/rpc/rpc_common.c b/source3/librpc/rpc/rpc_common.c
> > > -deleted file mode 100644
> > > -index 1219b2d..0000000
> > > ---- a/source3/librpc/rpc/rpc_common.c
> > > -+++ /dev/null
> > > -@@ -1,209 +0,0 @@
> > > --/*
> > > -- * Unix SMB/CIFS implementation.
> > > -- * RPC Pipe client / server routines
> > > -- * Largely rewritten by Jeremy Allison 2005.
> > > -- *
> > > -- * This program is free software; you can redistribute it and/or modify
> > > -- * it under the terms of the GNU General Public License as published by
> > > -- * the Free Software Foundation; either version 3 of the License, or
> > > -- * (at your option) any later version.
> > > -- *
> > > -- * This program is distributed in the hope that it will be useful,
> > > -- * but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > > -- * GNU General Public License for more details.
> > > -- *
> > > -- * You should have received a copy of the GNU General Public License
> > > -- * along with this program; if not, see <http://www.gnu.org/licenses/>.
> > > -- */
> > > --
> > > --#include "includes.h"
> > > --#include "librpc/rpc/dcerpc.h"
> > > --#include "../librpc/gen_ndr/ndr_lsa.h"
> > > --#include "../librpc/gen_ndr/ndr_dssetup.h"
> > > --#include "../librpc/gen_ndr/ndr_samr.h"
> > > --#include "../librpc/gen_ndr/ndr_netlogon.h"
> > > --#include "../librpc/gen_ndr/ndr_srvsvc.h"
> > > --#include "../librpc/gen_ndr/ndr_wkssvc.h"
> > > --#include "../librpc/gen_ndr/ndr_winreg.h"
> > > --#include "../librpc/gen_ndr/ndr_spoolss.h"
> > > --#include "../librpc/gen_ndr/ndr_dfs.h"
> > > --#include "../librpc/gen_ndr/ndr_echo.h"
> > > --#include "../librpc/gen_ndr/ndr_initshutdown.h"
> > > --#include "../librpc/gen_ndr/ndr_svcctl.h"
> > > --#include "../librpc/gen_ndr/ndr_eventlog.h"
> > > --#include "../librpc/gen_ndr/ndr_ntsvcs.h"
> > > --#include "../librpc/gen_ndr/ndr_epmapper.h"
> > > --#include "../librpc/gen_ndr/ndr_drsuapi.h"
> > > --#include "../librpc/gen_ndr/ndr_fsrvp.h"
> > > --
> > > --static const char *get_pipe_name_from_iface(
> > > -- TALLOC_CTX *mem_ctx, const struct ndr_interface_table *interface)
> > > --{
> > > -- int i;
> > > -- const struct ndr_interface_string_array *ep = interface->endpoints;
> > > -- char *p;
> > > --
> > > -- for (i=0; i<ep->count; i++) {
> > > -- if (strncmp(ep->names[i], "ncacn_np:[\\pipe\\", 16) == 0) {
> > > -- break;
> > > -- }
> > > -- }
> > > -- if (i == ep->count) {
> > > -- return NULL;
> > > -- }
> > > --
> > > -- /*
> > > -- * extract the pipe name without \\pipe from for example
> > > -- * ncacn_np:[\\pipe\\epmapper]
> > > -- */
> > > -- p = strchr(ep->names[i]+15, ']');
> > > -- if (p == NULL) {
> > > -- return "PIPE";
> > > -- }
> > > -- return talloc_strndup(mem_ctx, ep->names[i]+15, p - ep->names[i] - 15);
> > > --}
> > > --
> > > --static const struct ndr_interface_table **interfaces;
> > > --
> > > --bool smb_register_ndr_interface(const struct ndr_interface_table *interface)
> > > --{
> > > -- int num_interfaces = talloc_array_length(interfaces);
> > > -- const struct ndr_interface_table **tmp;
> > > -- int i;
> > > --
> > > -- for (i=0; i<num_interfaces; i++) {
> > > -- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id,
> > > -- &interface->syntax_id)) {
> > > -- return true;
> > > -- }
> > > -- }
> > > --
> > > -- tmp = talloc_realloc(NULL, interfaces,
> > > -- const struct ndr_interface_table *,
> > > -- num_interfaces + 1);
> > > -- if (tmp == NULL) {
> > > -- DEBUG(1, ("smb_register_ndr_interface: talloc failed\n"));
> > > -- return false;
> > > -- }
> > > -- interfaces = tmp;
> > > -- interfaces[num_interfaces] = interface;
> > > -- return true;
> > > --}
> > > --
> > > --static bool initialize_interfaces(void)
> > > --{
> > > -- if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_samr)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_wkssvc)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_winreg)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_rpcecho)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_svcctl)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_eventlog)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
> > > -- return false;
> > > -- }
> > > -- if (!smb_register_ndr_interface(&ndr_table_FileServerVssAgent)) {
> > > -- return false;
> > > -- }
> > > -- return true;
> > > --}
> > > --
> > > --const struct ndr_interface_table *get_iface_from_syntax(
> > > -- const struct ndr_syntax_id *syntax)
> > > --{
> > > -- int num_interfaces;
> > > -- int i;
> > > --
> > > -- if (interfaces == NULL) {
> > > -- if (!initialize_interfaces()) {
> > > -- return NULL;
> > > -- }
> > > -- }
> > > -- num_interfaces = talloc_array_length(interfaces);
> > > --
> > > -- for (i=0; i<num_interfaces; i++) {
> > > -- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id, syntax)) {
> > > -- return interfaces[i];
> > > -- }
> > > -- }
> > > --
> > > -- return NULL;
> > > --}
> > > --
> > > --/****************************************************************************
> > > -- Return the pipe name from the interface.
> > > -- ****************************************************************************/
> > > --
> > > --const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
> > > -- const struct ndr_syntax_id *syntax)
> > > --{
> > > -- const struct ndr_interface_table *interface;
> > > -- char *guid_str;
> > > -- const char *result;
> > > --
> > > -- interface = get_iface_from_syntax(syntax);
> > > -- if (interface != NULL) {
> > > -- result = get_pipe_name_from_iface(mem_ctx, interface);
> > > -- if (result != NULL) {
> > > -- return result;
> > > -- }
> > > -- }
> > > --
> > > -- /*
> > > -- * Here we should ask \\epmapper, but for now our code is only
> > > -- * interested in the known pipes mentioned in pipe_names[]
> > > -- */
> > > --
> > > -- guid_str = GUID_string(talloc_tos(), &syntax->uuid);
> > > -- if (guid_str == NULL) {
> > > -- return NULL;
> > > -- }
> > > -- result = talloc_asprintf(mem_ctx, "Interface %s.%d", guid_str,
> > > -- (int)syntax->if_version);
> > > -- TALLOC_FREE(guid_str);
> > > --
> > > -- if (result == NULL) {
> > > -- return "PIPE";
> > > -- }
> > > -- return result;
> > > --}
> > > --
> > > -diff --git a/source3/wscript_build b/source3/wscript_build
> > > -index bb2e928..8126cf6 100755
> > > ---- a/source3/wscript_build
> > > -+++ b/source3/wscript_build
> > > -@@ -141,7 +141,6 @@ LIBSMB_SRC = '''libsmb/clientgen.c libsmb/cliconnect.c libsmb/clifile.c
> > > -
> > > - LIBMSRPC_SRC = '''
> > > - rpc_client/cli_pipe.c
> > > -- librpc/rpc/rpc_common.c
> > > - rpc_client/rpc_transport_np.c
> > > - rpc_client/rpc_transport_sock.c
> > > - rpc_client/rpc_transport_tstream.c
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 2b2d978bd97299371a1fd7798d69ab377a76d389 Mon Sep 17 00:00:00 2001
> > > -From: Volker Lendecke <vl@samba.org>
> > > -Date: Wed, 14 Aug 2013 09:27:59 +0000
> > > -Subject: [PATCH 112/249] winbind3: Fix an invalid free
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -This fixes a warning I've never seen before :-)
> > > -
> > > -../source3/winbindd/winbindd_cm.c:781:59: warning: attempt to free a non-heap object ‘machine_krb5_principal’ [-Wfree-nonheap-object]
> > > -
> > > -Signed-off-by: Volker Lendecke <vl@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > > -Autobuild-Date(master): Wed Aug 14 14:04:16 CEST 2013 on sn-devel-104
> > > -(cherry picked from commit 5f75814586f2d6f7c2dc8fd9342cb045c1f7e68c)
> > > ----
> > > - source3/winbindd/winbindd_cm.c | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > > -index facef64..d868826 100644
> > > ---- a/source3/winbindd/winbindd_cm.c
> > > -+++ b/source3/winbindd/winbindd_cm.c
> > > -@@ -840,7 +840,7 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
> > > - }
> > > -
> > > - if (!strupper_m(*machine_krb5_principal)) {
> > > -- SAFE_FREE(machine_krb5_principal);
> > > -+ SAFE_FREE(*machine_krb5_principal);
> > > - return NT_STATUS_INVALID_PARAMETER;
> > > - }
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 1b88903c4f5931397e22874b3751dd05a03a2dea Mon Sep 17 00:00:00 2001
> > > -From: Andrew Bartlett <abartlet@samba.org>
> > > -Date: Fri, 11 Oct 2013 13:34:13 +1300
> > > -Subject: [PATCH 113/249] s3-winbindd: Remove undocumented winbindd:socket dir
> > > - parameter
> > > -
> > > -This uses the documeted "winbindd socket directory" parameter instead.
> > > -
> > > -This came about due to the merge of the two smb.conf tables in s3 and
> > > -s4 for the Samba 4.0 release. The s4 code used a real parameter,
> > > -which caused this to be documented, whereas no automatic procedure
> > > -existed to notice the parametric option and the need to document that.
> > > -The fact that this was not used consistently in both codebases is one
> > > -of the many areas of technical debt we still need to pay off here.
> > > -
> > > -Andrew Bartlett
> > > -
> > > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit e512491552d9ed0dc1005a23ffc8f77ba237f863)
> > > ----
> > > - selftest/target/Samba3.pm | 2 +-
> > > - source3/include/proto.h | 1 +
> > > - source3/param/loadparm.c | 1 +
> > > - source3/winbindd/winbindd.c | 9 ++-------
> > > - source3/winbindd/winbindd_proto.h | 1 -
> > > - 5 files changed, 5 insertions(+), 9 deletions(-)
> > > -
> > > -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
> > > -index ba01154..d8f0c27 100755
> > > ---- a/selftest/target/Samba3.pm
> > > -+++ b/selftest/target/Samba3.pm
> > > -@@ -972,7 +972,7 @@ sub provision($$$$$$)
> > > - printing = bsd
> > > - printcap name = /dev/null
> > > -
> > > -- winbindd:socket dir = $wbsockdir
> > > -+ winbindd socket directory = $wbsockdir
> > > - nmbd:socket dir = $nmbdsockdir
> > > - idmap config * : range = 100000-200000
> > > - winbind enum users = yes
> > > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > > -index cbad7ac..53cd59d 100644
> > > ---- a/source3/include/proto.h
> > > -+++ b/source3/include/proto.h
> > > -@@ -1069,6 +1069,7 @@ char *lp_wins_hook(TALLOC_CTX *ctx);
> > > - const char *lp_template_homedir(void);
> > > - const char *lp_template_shell(void);
> > > - const char *lp_winbind_separator(void);
> > > -+const char *lp_winbindd_socket_directory(void);
> > > - bool lp_winbind_enum_users(void);
> > > - bool lp_winbind_enum_groups(void);
> > > - bool lp_winbind_use_default_domain(void);
> > > -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> > > -index 4b31023..b2804ae 100644
> > > ---- a/source3/param/loadparm.c
> > > -+++ b/source3/param/loadparm.c
> > > -@@ -961,6 +961,7 @@ static void init_globals(bool reinit_globals)
> > > - string_set(&Globals.szTemplateShell, "/bin/false");
> > > - string_set(&Globals.szTemplateHomedir, "/home/%D/%U");
> > > - string_set(&Globals.szWinbindSeparator, "\\");
> > > -+ string_set(&Globals.szWinbinddSocketDirectory, dyn_WINBINDD_SOCKET_DIR);
> > > -
> > > - string_set(&Globals.szCupsServer, "");
> > > - string_set(&Globals.szIPrintServer, "");
> > > -diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
> > > -index f101e52..69a17bf 100644
> > > ---- a/source3/winbindd/winbindd.c
> > > -+++ b/source3/winbindd/winbindd.c
> > > -@@ -189,7 +189,7 @@ static void terminate(bool is_parent)
> > > - char *path = NULL;
> > > -
> > > - if (asprintf(&path, "%s/%s",
> > > -- get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME) > 0) {
> > > -+ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME) > 0) {
> > > - unlink(path);
> > > - SAFE_FREE(path);
> > > - }
> > > -@@ -1067,11 +1067,6 @@ static void winbindd_listen_fde_handler(struct tevent_context *ev,
> > > - * Winbindd socket accessor functions
> > > - */
> > > -
> > > --const char *get_winbind_pipe_dir(void)
> > > --{
> > > -- return lp_parm_const_string(-1, "winbindd", "socket dir", get_dyn_WINBINDD_SOCKET_DIR());
> > > --}
> > > --
> > > - char *get_winbind_priv_pipe_dir(void)
> > > - {
> > > - return state_path(WINBINDD_PRIV_SOCKET_SUBDIR);
> > > -@@ -1092,7 +1087,7 @@ static bool winbindd_setup_listeners(void)
> > > -
> > > - pub_state->privileged = false;
> > > - pub_state->fd = create_pipe_sock(
> > > -- get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
> > > -+ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME, 0755);
> > > - if (pub_state->fd == -1) {
> > > - goto failed;
> > > - }
> > > -diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
> > > -index 3df7d7c..cfc19d0 100644
> > > ---- a/source3/winbindd/winbindd_proto.h
> > > -+++ b/source3/winbindd/winbindd_proto.h
> > > -@@ -34,7 +34,6 @@ bool winbindd_setup_stdin_handler(bool parent, bool foreground);
> > > - bool winbindd_setup_sig_hup_handler(const char *lfile);
> > > - bool winbindd_use_idmap_cache(void);
> > > - bool winbindd_use_cache(void);
> > > --const char *get_winbind_pipe_dir(void);
> > > - char *get_winbind_priv_pipe_dir(void);
> > > - struct tevent_context *winbind_event_context(void);
> > > - int main(int argc, char **argv, char **envp);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From d0ae2d10385dea4b8fae3d8932d40f546ff8905b Mon Sep 17 00:00:00 2001
> > > -From: Andrew Bartlett <abartlet@samba.org>
> > > -Date: Mon, 14 Oct 2013 15:33:20 +1300
> > > -Subject: [PATCH 114/249] lib/param: lp_magicchar takes a const struct
> > > - share_params *p so should be FN_LOCAL_PARM_CHAR
> > > -
> > > -This was found when trying to autogenerate prototypes for lp_ functions again.
> > > -
> > > -Andrew Bartlett
> > > -
> > > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - lib/param/loadparm.c | 2 +-
> > > - lib/param/param_functions.c | 2 +-
> > > - source3/param/loadparm.c | 2 +-
> > > - 3 files changed, 3 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
> > > -index 455c5e6..4497dbf 100644
> > > ---- a/lib/param/loadparm.c
> > > -+++ b/lib/param/loadparm.c
> > > -@@ -314,7 +314,7 @@ static struct loadparm_context *global_loadparm_context;
> > > -
> > > - #define FN_LOCAL_PARM_INTEGER(fn_name, val) FN_LOCAL_INTEGER(fn_name, val)
> > > -
> > > --#define FN_LOCAL_CHAR(fn_name,val) \
> > > -+#define FN_LOCAL_PARM_CHAR(fn_name,val) \
> > > - _PUBLIC_ char lpcfg_ ## fn_name(struct loadparm_service *service, \
> > > - struct loadparm_service *sDefault) { \
> > > - return((service != NULL)? service->val : sDefault->val); \
> > > -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> > > -index d9d5df6..60f9c07 100644
> > > ---- a/lib/param/param_functions.c
> > > -+++ b/lib/param/param_functions.c
> > > -@@ -147,7 +147,7 @@ FN_LOCAL_INTEGER(aio_write_size, iAioWriteSize)
> > > - FN_LOCAL_INTEGER(map_readonly, iMap_readonly)
> > > - FN_LOCAL_INTEGER(directory_name_cache_size, iDirectoryNameCacheSize)
> > > - FN_LOCAL_INTEGER(smb_encrypt, ismb_encrypt)
> > > --FN_LOCAL_CHAR(magicchar, magic_char)
> > > -+FN_LOCAL_PARM_CHAR(magicchar, magic_char)
> > > - FN_LOCAL_STRING(cups_options, szCupsOptions)
> > > - FN_LOCAL_PARM_BOOL(change_notify, bChangeNotify)
> > > - FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
> > > -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> > > -index b2804ae..40f3242 100644
> > > ---- a/source3/param/loadparm.c
> > > -+++ b/source3/param/loadparm.c
> > > -@@ -1116,7 +1116,7 @@ char *lp_ ## fn_name(TALLOC_CTX *ctx,int i) {return(lp_string((ctx), (LP_SNUM_OK
> > > - bool lp_ ## fn_name(const struct share_params *p) {return(bool)(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
> > > - #define FN_LOCAL_PARM_INTEGER(fn_name,val) \
> > > - int lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
> > > --#define FN_LOCAL_CHAR(fn_name,val) \
> > > -+#define FN_LOCAL_PARM_CHAR(fn_name,val) \
> > > - char lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
> > > -
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From bf5cb3b6c6e2d3171b70fff5deb9a7767d6609a8 Mon Sep 17 00:00:00 2001
> > > -From: Andrew Bartlett <abartlet@samba.org>
> > > -Date: Mon, 14 Oct 2013 13:47:27 +1300
> > > -Subject: [PATCH 115/249] build: Move loadparm-related build rules to
> > > - source3/param/wscript_build
> > > -
> > > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source3/param/wscript_build | 32 ++++++++++++++++++++++++++++++++
> > > - source3/wscript_build | 36 ++----------------------------------
> > > - 2 files changed, 34 insertions(+), 34 deletions(-)
> > > - create mode 100644 source3/param/wscript_build
> > > -
> > > -diff --git a/source3/param/wscript_build b/source3/param/wscript_build
> > > -new file mode 100644
> > > -index 0000000..278d5f5
> > > ---- /dev/null
> > > -+++ b/source3/param/wscript_build
> > > -@@ -0,0 +1,32 @@
> > > -+#!/usr/bin/env python
> > > -+
> > > -+bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
> > > -+ source='util.c',
> > > -+ deps='talloc')
> > > -+
> > > -+bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
> > > -+ source='loadparm_ctx.c',
> > > -+ deps='''talloc s3_param_h param''')
> > > -+
> > > -+bld.SAMBA_GENERATOR('s3_param_global_h',
> > > -+ source= '../../script/mkparamdefs.pl loadparm.c ../../lib/param/param_functions.c',
> > > -+ target='param_global.h',
> > > -+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
> > > -+
> > > -+bld.SAMBA3_PYTHON('pys3param',
> > > -+ source='pyparam.c',
> > > -+ deps='param',
> > > -+ public_deps='samba-hostconfig pytalloc-util talloc',
> > > -+ realname='samba/samba3/param.so')
> > > -+
> > > -+bld.SAMBA3_SUBSYSTEM('param_service',
> > > -+ source='service.c',
> > > -+ deps = 'USER_UTIL param PRINTING')
> > > -+
> > > -+bld.SAMBA3_BINARY('test_lp_load',
> > > -+ source='test_lp_load.c',
> > > -+ deps='''
> > > -+ talloc
> > > -+ param
> > > -+ popt_samba3''',
> > > -+ install=False)
> > > -diff --git a/source3/wscript_build b/source3/wscript_build
> > > -index 8126cf6..13d15c3 100755
> > > ---- a/source3/wscript_build
> > > -+++ b/source3/wscript_build
> > > -@@ -751,33 +751,9 @@ bld.SAMBA3_SUBSYSTEM('SERVER_MUTEX',
> > > - source=SERVER_MUTEX_SRC,
> > > - deps='talloc')
> > > -
> > > --bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
> > > -- source=PARAM_UTIL_SRC,
> > > -- deps='talloc')
> > > --
> > > --bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
> > > -- source='param/loadparm_ctx.c',
> > > -- deps='''talloc s3_param_h param''',
> > > -- vars=locals())
> > > --
> > > --bld.SAMBA_GENERATOR('param/param_global_h',
> > > -- source= '../script/mkparamdefs.pl param/loadparm.c ../lib/param/param_functions.c',
> > > -- target='param/param_global.h',
> > > -- rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
> > > --
> > > - bld.SAMBA3_SUBSYSTEM('param',
> > > - source=PARAM_WITHOUT_REG_SRC,
> > > -- deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h param/param_global_h cups''')
> > > --
> > > --bld.SAMBA3_PYTHON('pys3param',
> > > -- source='param/pyparam.c',
> > > -- deps='param',
> > > -- public_deps='samba-hostconfig pytalloc-util talloc',
> > > -- realname='samba/samba3/param.so')
> > > --
> > > --bld.SAMBA3_SUBSYSTEM('param_service',
> > > -- source='param/service.c',
> > > -- deps = 'USER_UTIL param PRINTING')
> > > -+ deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h s3_param_global_h cups''')
> > > -
> > > - bld.SAMBA3_SUBSYSTEM('REGFIO',
> > > - source=REGFIO_SRC,
> > > -@@ -1566,15 +1542,6 @@ bld.SAMBA3_BINARY('rpc_open_tcp',
> > > - install=False,
> > > - vars=locals())
> > > -
> > > --bld.SAMBA3_BINARY('test_lp_load',
> > > -- source=TEST_LP_LOAD_SRC,
> > > -- deps='''
> > > -- talloc
> > > -- param
> > > -- popt_samba3''',
> > > -- install=False,
> > > -- vars=locals())
> > > --
> > > - bld.SAMBA3_BINARY('dbwrap_tool',
> > > - source=DBWRAP_TOOL_SRC,
> > > - deps='''
> > > -@@ -1638,6 +1605,7 @@ bld.RECURSE('librpc/idl')
> > > - bld.RECURSE('libsmb')
> > > - bld.RECURSE('modules')
> > > - bld.RECURSE('pam_smbpass')
> > > -+bld.RECURSE('param')
> > > - bld.RECURSE('passdb')
> > > - bld.RECURSE('rpc_server')
> > > - bld.RECURSE('script')
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 281cb415404f7044a4bdbc93a21b2f755cbc74ee Mon Sep 17 00:00:00 2001
> > > -From: Andrew Bartlett <abartlet@samba.org>
> > > -Date: Mon, 14 Oct 2013 15:34:40 +1300
> > > -Subject: [PATCH 116/249] lib/param: Do not attempt to access the s3 function
> > > - for allocated and subbed string parameters
> > > -
> > > -This allows us not to generate array entries for these, which in turn allows
> > > -us to avoid initialising them. The issue is that we do not have the
> > > -% macro sub context nor a talloc context handy (yet).
> > > -
> > > -Andrew Bartlett
> > > -
> > > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - lib/param/loadparm.c | 21 ++++++++++-----------
> > > - 1 file changed, 10 insertions(+), 11 deletions(-)
> > > -
> > > -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
> > > -index 4497dbf..23b45e2 100644
> > > ---- a/lib/param/loadparm.c
> > > -+++ b/lib/param/loadparm.c
> > > -@@ -232,7 +232,16 @@ static struct loadparm_context *global_loadparm_context;
> > > - #define lpcfg_default_service global_loadparm_context->sDefault
> > > - #define lpcfg_global_service(i) global_loadparm_context->services[i]
> > > -
> > > --#define FN_GLOBAL_STRING(fn_name,var_name) \
> > > -+#define FN_GLOBAL_STRING(fn_name,var_name) \
> > > -+ _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
> > > -+ if (lp_ctx == NULL) return NULL; \
> > > -+ if (lp_ctx->s3_fns) { \
> > > -+ smb_panic( __location__ ": " #fn_name " not implemented because it is an allocated and substiuted string"); \
> > > -+ } \
> > > -+ return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
> > > -+}
> > > -+
> > > -+#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
> > > - _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
> > > - if (lp_ctx == NULL) return NULL; \
> > > - if (lp_ctx->s3_fns) { \
> > > -@@ -242,16 +251,6 @@ static struct loadparm_context *global_loadparm_context;
> > > - return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
> > > - }
> > > -
> > > --#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
> > > -- _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
> > > -- if (lp_ctx == NULL) return NULL; \
> > > -- if (lp_ctx->s3_fns) { \
> > > -- SMB_ASSERT(lp_ctx->s3_fns->fn_name); \
> > > -- return lp_ctx->s3_fns->fn_name(); \
> > > -- } \
> > > -- return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
> > > -- }
> > > --
> > > - #define FN_GLOBAL_LIST(fn_name,var_name) \
> > > - _PUBLIC_ const char **lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
> > > - if (lp_ctx == NULL) return NULL; \
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From e610d185d26910e6cb96ddf8507c31c5f1503271 Mon Sep 17 00:00:00 2001
> > > -From: Andrew Bartlett <abartlet@samba.org>
> > > -Date: Mon, 14 Oct 2013 15:36:18 +1300
> > > -Subject: [PATCH 117/249] param: Skip generating hooks for local and string
> > > - parameters
> > > -
> > > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - script/mks3param.pl | 9 ++++++++-
> > > - 1 file changed, 8 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/script/mks3param.pl b/script/mks3param.pl
> > > -index 4222ca5..799958c 100644
> > > ---- a/script/mks3param.pl
> > > -+++ b/script/mks3param.pl
> > > -@@ -108,7 +108,14 @@ sub handle_loadparm($$)
> > > - {
> > > - my ($file,$line) = @_;
> > > -
> > > -- if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
> > > -+ # Local parameters don't need the ->s3_fns because the struct
> > > -+ # loadparm_service is shared and lpcfg_service() checks the ->s3_fns
> > > -+ # hook
> > > -+ #
> > > -+ # STRING isn't handled as we do not yet have a way to pass in a memory context nor
> > > -+ # do we have a good way of dealing with the % macros yet.
> > > -+
> > > -+ if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
> > > - my $scope = $1;
> > > - my $type = $2;
> > > - my $name = $3;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 970290dc75404ab366617210edfca718fe21864b Mon Sep 17 00:00:00 2001
> > > -From: Andrew Bartlett <abartlet@samba.org>
> > > -Date: Mon, 14 Oct 2013 15:39:10 +1300
> > > -Subject: [PATCH 118/249] s3/param: Autogenerate parameters prototypes again
> > > - after proto.h was frozen
> > > -
> > > -This autogenerates the parameters so that we can keep everything in sync easier,
> > > -particularly when adding new parameters. This will also make it easier to move
> > > -to a fully autogenerated system in the future, as it reduces special cases.
> > > -
> > > -Andrew Bartlett
> > > -
> > > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - script/mks3param_proto.pl | 199 ++++++++++++++++++++++++++++++++++++++++++++
> > > - source3/include/proto.h | 2 +
> > > - source3/param/wscript_build | 5 ++
> > > - 3 files changed, 206 insertions(+)
> > > - create mode 100644 script/mks3param_proto.pl
> > > -
> > > -diff --git a/script/mks3param_proto.pl b/script/mks3param_proto.pl
> > > -new file mode 100644
> > > -index 0000000..446e343
> > > ---- /dev/null
> > > -+++ b/script/mks3param_proto.pl
> > > -@@ -0,0 +1,199 @@
> > > -+#!/usr/bin/perl
> > > -+# Generate loadparm interfaces tables for Samba3/Samba4 integration
> > > -+# by Andrew Bartlett
> > > -+# based on mkproto.pl Written by Jelmer Vernooij
> > > -+# based on the original mkproto.sh by Andrew Tridgell
> > > -+
> > > -+use strict;
> > > -+
> > > -+# don't use warnings module as it is not portable enough
> > > -+# use warnings;
> > > -+
> > > -+use Getopt::Long;
> > > -+use File::Basename;
> > > -+use File::Path;
> > > -+
> > > -+#####################################################################
> > > -+# read a file into a string
> > > -+
> > > -+my $file = undef;
> > > -+my $public_define = undef;
> > > -+my $_public = "";
> > > -+my $_private = "";
> > > -+my $public_data = \$_public;
> > > -+my $builddir = ".";
> > > -+my $srcdir = ".";
> > > -+
> > > -+sub public($)
> > > -+{
> > > -+ my ($d) = @_;
> > > -+ $$public_data .= $d;
> > > -+}
> > > -+
> > > -+sub usage()
> > > -+{
> > > -+ print "Usage: mks3param.pl [options] [c files]\n";
> > > -+ print "OPTIONS:\n";
> > > -+ print " --srcdir=path Read files relative to this directory\n";
> > > -+ print " --builddir=path Write file relative to this directory\n";
> > > -+ print " --help Print this help message\n\n";
> > > -+ exit 0;
> > > -+}
> > > -+
> > > -+GetOptions(
> > > -+ 'file=s' => sub { my ($f,$v) = @_; $file = $v; },
> > > -+ 'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
> > > -+ 'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
> > > -+ 'help' => \&usage
> > > -+) or exit(1);
> > > -+
> > > -+sub normalize_define($$)
> > > -+{
> > > -+ my ($define, $file) = @_;
> > > -+
> > > -+ if (not defined($define) and defined($file)) {
> > > -+ $define = "__" . uc($file) . "__";
> > > -+ $define =~ tr{./}{__};
> > > -+ $define =~ tr{\-}{_};
> > > -+ } elsif (not defined($define)) {
> > > -+ $define = '_S3_PARAM_PROTO_H_';
> > > -+ }
> > > -+
> > > -+ return $define;
> > > -+}
> > > -+
> > > -+$public_define = normalize_define($public_define, $file);
> > > -+
> > > -+sub file_load($)
> > > -+{
> > > -+ my($filename) = @_;
> > > -+ local(*INPUTFILE);
> > > -+ open(INPUTFILE, $filename) or return undef;
> > > -+ my($saved_delim) = $/;
> > > -+ undef $/;
> > > -+ my($data) = <INPUTFILE>;
> > > -+ close(INPUTFILE);
> > > -+ $/ = $saved_delim;
> > > -+ return $data;
> > > -+}
> > > -+
> > > -+sub print_header($$)
> > > -+{
> > > -+ my ($file, $header_name) = @_;
> > > -+ $file->("#ifndef $header_name\n");
> > > -+ $file->("#define $header_name\n\n");
> > > -+ $file->("/* This file was automatically generated by mks3param_proto.pl. DO NOT EDIT */\n\n");
> > > -+}
> > > -+
> > > -+sub print_footer($$)
> > > -+{
> > > -+ my ($file, $header_name) = @_;
> > > -+ $file->("\n#endif /* $header_name */\n\n");
> > > -+}
> > > -+
> > > -+sub handle_loadparm($$)
> > > -+{
> > > -+ my ($file,$line) = @_;
> > > -+
> > > -+ my $scope;
> > > -+ my $type;
> > > -+ my $name;
> > > -+ my $var;
> > > -+ my $param;
> > > -+
> > > -+ if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
> > > -+ $scope = $1;
> > > -+ $type = $2;
> > > -+ $name = $3;
> > > -+ $var = $4;
> > > -+ $param = "int";
> > > -+ } elsif ($line =~ /^FN_(GLOBAL|LOCAL)_PARM_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
> > > -+ $scope = $1;
> > > -+ $type = $2;
> > > -+ $name = $3;
> > > -+ $var = $4;
> > > -+ $param = "const struct share_params *p";
> > > -+ } else {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ my %tmap = (
> > > -+ "BOOL" => "bool ",
> > > -+ "CONST_STRING" => "const char *",
> > > -+ "STRING" => "char *",
> > > -+ "INTEGER" => "int ",
> > > -+ "CHAR" => "char ",
> > > -+ "LIST" => "const char **",
> > > -+ );
> > > -+
> > > -+ my %smap = (
> > > -+ "GLOBAL" => "void",
> > > -+ "LOCAL" => "$param"
> > > -+ );
> > > -+
> > > -+ if (($type eq "STRING") and ($scope eq "GLOBAL")) {
> > > -+ $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx);\n");
> > > -+ } elsif (($type eq "STRING") and ($scope eq "LOCAL")) {
> > > -+ $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx, $smap{$scope});\n");
> > > -+ } else {
> > > -+ $file->("$tmap{$type}lp_$name($smap{$scope});\n");
> > > -+ }
> > > -+}
> > > -+
> > > -+sub process_file($$)
> > > -+{
> > > -+ my ($file, $filename) = @_;
> > > -+
> > > -+ $filename =~ s/\.o$/\.c/g;
> > > -+
> > > -+ if ($filename =~ /^\//) {
> > > -+ open(FH, "<$filename") or die("Failed to open $filename");
> > > -+ } elsif (!open(FH, "< $builddir/$filename")) {
> > > -+ open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
> > > -+ }
> > > -+
> > > -+ my $comment = undef;
> > > -+ my $incomment = 0;
> > > -+ while (my $line = <FH>) {
> > > -+ if ($line =~ /^\/\*\*/) {
> > > -+ $comment = "";
> > > -+ $incomment = 1;
> > > -+ }
> > > -+
> > > -+ if ($incomment) {
> > > -+ $comment .= $line;
> > > -+ if ($line =~ /\*\//) {
> > > -+ $incomment = 0;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ # these are ordered for maximum speed
> > > -+ next if ($line =~ /^\s/);
> > > -+
> > > -+ next unless ($line =~ /\(/);
> > > -+
> > > -+ next if ($line =~ /^\/|[;]/);
> > > -+
> > > -+ if ($line =~ /^FN_/) {
> > > -+ handle_loadparm($file, $line);
> > > -+ }
> > > -+ next;
> > > -+ }
> > > -+
> > > -+ close(FH);
> > > -+}
> > > -+
> > > -+
> > > -+print_header(\&public, $public_define);
> > > -+
> > > -+process_file(\&public, $_) foreach (@ARGV);
> > > -+print_footer(\&public, $public_define);
> > > -+
> > > -+if (not defined($file)) {
> > > -+ print STDOUT $$public_data;
> > > -+}
> > > -+
> > > -+mkpath(dirname($file), 0, 0755);
> > > -+open(PUBLIC, ">$file") or die("Can't open `$file': $!");
> > > -+print PUBLIC "$$public_data";
> > > -+close(PUBLIC);
> > > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > > -index 53cd59d..614baa4 100644
> > > ---- a/source3/include/proto.h
> > > -+++ b/source3/include/proto.h
> > > -@@ -993,6 +993,8 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
> > > -
> > > - /* The following definitions come from param/loadparm.c */
> > > -
> > > -+#include "source3/param/param_proto.h"
> > > -+
> > > - const char **lp_smb_ports(void);
> > > - const char *lp_dos_charset(void);
> > > - const char *lp_unix_charset(void);
> > > -diff --git a/source3/param/wscript_build b/source3/param/wscript_build
> > > -index 278d5f5..643c27e 100644
> > > ---- a/source3/param/wscript_build
> > > -+++ b/source3/param/wscript_build
> > > -@@ -13,6 +13,11 @@ bld.SAMBA_GENERATOR('s3_param_global_h',
> > > - target='param_global.h',
> > > - rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
> > > -
> > > -+bld.SAMBA_GENERATOR('s3_param_proto_h',
> > > -+ source= '../../script/mks3param_proto.pl loadparm.c ../../lib/param/param_functions.c',
> > > -+ target='param_proto.h',
> > > -+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
> > > -+
> > > - bld.SAMBA3_PYTHON('pys3param',
> > > - source='pyparam.c',
> > > - deps='param',
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4f87a4ca65b386e90cca479aabdf9051de2c67e3 Mon Sep 17 00:00:00 2001
> > > -From: Andrew Bartlett <abartlet@samba.org>
> > > -Date: Mon, 14 Oct 2013 15:46:43 +1300
> > > -Subject: [PATCH 119/249] param: Autogenerate s3 lp_ctx glue table
> > > -
> > > -This allows us to use more lpcfg_ functions without adding them
> > > -manually.
> > > -
> > > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - lib/param/wscript_build | 1 +
> > > - script/mks3param_ctx_table.pl | 139 ++++++++++++++++++++++++++++++++++++++++++
> > > - source3/param/loadparm_ctx.c | 64 +------------------
> > > - source3/param/wscript_build | 5 ++
> > > - 4 files changed, 146 insertions(+), 63 deletions(-)
> > > - create mode 100644 script/mks3param_ctx_table.pl
> > > -
> > > -diff --git a/lib/param/wscript_build b/lib/param/wscript_build
> > > -index 10e05a3..0e1a2e0 100644
> > > ---- a/lib/param/wscript_build
> > > -+++ b/lib/param/wscript_build
> > > -@@ -11,6 +11,7 @@ bld.SAMBA_GENERATOR('s3_param_h',
> > > - target='s3_param.h',
> > > - rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
> > > -
> > > -+
> > > - bld.SAMBA_GENERATOR('param_global_h',
> > > - source= '../../script/mkparamdefs.pl loadparm.c param_functions.c',
> > > - target='param_global.h',
> > > -diff --git a/script/mks3param_ctx_table.pl b/script/mks3param_ctx_table.pl
> > > -new file mode 100644
> > > -index 0000000..cfd6e02
> > > ---- /dev/null
> > > -+++ b/script/mks3param_ctx_table.pl
> > > -@@ -0,0 +1,139 @@
> > > -+#!/usr/bin/perl
> > > -+# Generate loadparm interfaces tables for Samba3/Samba4 integration
> > > -+# by Andrew Bartlett
> > > -+# based on mkproto.pl Written by Jelmer Vernooij
> > > -+# based on the original mkproto.sh by Andrew Tridgell
> > > -+
> > > -+use strict;
> > > -+
> > > -+# don't use warnings module as it is not portable enough
> > > -+# use warnings;
> > > -+
> > > -+use Getopt::Long;
> > > -+use File::Basename;
> > > -+use File::Path;
> > > -+
> > > -+#####################################################################
> > > -+# read a file into a string
> > > -+
> > > -+my $file = undef;
> > > -+my $public_define = undef;
> > > -+my $_public = "";
> > > -+my $_private = "";
> > > -+my $public_data = \$_public;
> > > -+my $builddir = ".";
> > > -+my $srcdir = ".";
> > > -+
> > > -+sub public($)
> > > -+{
> > > -+ my ($d) = @_;
> > > -+ $$public_data .= $d;
> > > -+}
> > > -+
> > > -+sub usage()
> > > -+{
> > > -+ print "Usage: mks3param.pl [options] [c files]\n";
> > > -+ print "OPTIONS:\n";
> > > -+ print " --srcdir=path Read files relative to this directory\n";
> > > -+ print " --builddir=path Write file relative to this directory\n";
> > > -+ print " --help Print this help message\n\n";
> > > -+ exit 0;
> > > -+}
> > > -+
> > > -+GetOptions(
> > > -+ 'file=s' => sub { my ($f,$v) = @_; $file = $v; },
> > > -+ 'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
> > > -+ 'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
> > > -+ 'help' => \&usage
> > > -+) or exit(1);
> > > -+
> > > -+sub file_load($)
> > > -+{
> > > -+ my($filename) = @_;
> > > -+ local(*INPUTFILE);
> > > -+ open(INPUTFILE, $filename) or return undef;
> > > -+ my($saved_delim) = $/;
> > > -+ undef $/;
> > > -+ my($data) = <INPUTFILE>;
> > > -+ close(INPUTFILE);
> > > -+ $/ = $saved_delim;
> > > -+ return $data;
> > > -+}
> > > -+
> > > -+sub print_header($)
> > > -+{
> > > -+ my ($file) = @_;
> > > -+ $file->("/* This file was automatically generated by mks3param_ctx.pl. DO NOT EDIT */\n\n");
> > > -+ $file->("static const struct loadparm_s3_helpers s3_fns = \n");
> > > -+ $file->("{\n");
> > > -+ $file->("\t.get_parametric = lp_parm_const_string_service,\n");
> > > -+ $file->("\t.get_parm_struct = lp_get_parameter,\n");
> > > -+ $file->("\t.get_parm_ptr = lp_parm_ptr,\n");
> > > -+ $file->("\t.get_service = lp_service_for_s4_ctx,\n");
> > > -+ $file->("\t.get_servicebynum = lp_servicebynum_for_s4_ctx,\n");
> > > -+ $file->("\t.get_default_loadparm_service = lp_default_loadparm_service,\n");
> > > -+ $file->("\t.get_numservices = lp_numservices,\n");
> > > -+ $file->("\t.load = lp_load_for_s4_ctx,\n");
> > > -+ $file->("\t.set_cmdline = lp_set_cmdline,\n");
> > > -+ $file->("\t.dump = lp_dump,\n");
> > > -+}
> > > -+
> > > -+sub print_footer($)
> > > -+{
> > > -+ my ($file) = @_;
> > > -+ $file->("};");
> > > -+}
> > > -+
> > > -+sub handle_loadparm($$)
> > > -+{
> > > -+ my ($file,$line) = @_;
> > > -+
> > > -+ # STRING isn't handled here, as we still don't know what to do with the substituted vars */
> > > -+ # LOCAL also isn't handled here
> > > -+ if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
> > > -+ my $scope = $1;
> > > -+ my $type = $2;
> > > -+ my $name = $3;
> > > -+
> > > -+ $file->(".$name = lp_$name,\n");
> > > -+ }
> > > -+}
> > > -+
> > > -+sub process_file($$)
> > > -+{
> > > -+ my ($file, $filename) = @_;
> > > -+
> > > -+ $filename =~ s/\.o$/\.c/g;
> > > -+
> > > -+ if ($filename =~ /^\//) {
> > > -+ open(FH, "<$filename") or die("Failed to open $filename");
> > > -+ } elsif (!open(FH, "< $builddir/$filename")) {
> > > -+ open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
> > > -+ }
> > > -+
> > > -+ my $comment = undef;
> > > -+ my $incomment = 0;
> > > -+ while (my $line = <FH>) {
> > > -+ if ($line =~ /^FN_/) {
> > > -+ handle_loadparm($file, $line);
> > > -+ }
> > > -+ next;
> > > -+ }
> > > -+
> > > -+ close(FH);
> > > -+}
> > > -+
> > > -+
> > > -+print_header(\&public);
> > > -+
> > > -+process_file(\&public, $_) foreach (@ARGV);
> > > -+print_footer(\&public);
> > > -+
> > > -+if (not defined($file)) {
> > > -+ print STDOUT $$public_data;
> > > -+}
> > > -+
> > > -+mkpath(dirname($file), 0, 0755);
> > > -+open(PUBLIC, ">$file") or die("Can't open `$file': $!");
> > > -+print PUBLIC "$$public_data";
> > > -+close(PUBLIC);
> > > -diff --git a/source3/param/loadparm_ctx.c b/source3/param/loadparm_ctx.c
> > > -index 63ead53..5cbc920 100644
> > > ---- a/source3/param/loadparm_ctx.c
> > > -+++ b/source3/param/loadparm_ctx.c
> > > -@@ -56,69 +56,7 @@ static bool lp_load_for_s4_ctx(const char *filename)
> > > - return status;
> > > - }
> > > -
> > > --/* These are in the order that they appear in the s4 loadparm file.
> > > -- * All of the s4 loadparm functions should be here eventually, once
> > > -- * they are implemented in the s3 loadparm, have the same format (enum
> > > -- * values in particular) and defaults. */
> > > --static const struct loadparm_s3_helpers s3_fns =
> > > --{
> > > -- .get_parametric = lp_parm_const_string_service,
> > > -- .get_parm_struct = lp_get_parameter,
> > > -- .get_parm_ptr = lp_parm_ptr,
> > > -- .get_service = lp_service_for_s4_ctx,
> > > -- .get_servicebynum = lp_servicebynum_for_s4_ctx,
> > > -- .get_default_loadparm_service = lp_default_loadparm_service,
> > > -- .get_numservices = lp_numservices,
> > > -- .load = lp_load_for_s4_ctx,
> > > -- .set_cmdline = lp_set_cmdline,
> > > -- .dump = lp_dump,
> > > --
> > > -- ._server_role = lp__server_role,
> > > -- ._security = lp__security,
> > > -- ._domain_master = lp__domain_master,
> > > -- ._domain_logons = lp__domain_logons,
> > > --
> > > -- .winbind_separator = lp_winbind_separator,
> > > -- .template_homedir = lp_template_homedir,
> > > -- .template_shell = lp_template_shell,
> > > --
> > > -- .dos_charset = lp_dos_charset,
> > > -- .unix_charset = lp_unix_charset,
> > > --
> > > -- .realm = lp_realm,
> > > -- .dnsdomain = lp_dnsdomain,
> > > -- .socket_options = lp_socket_options,
> > > -- .workgroup = lp_workgroup,
> > > --
> > > -- .netbios_name = lp_netbios_name,
> > > -- .netbios_scope = lp_netbios_scope,
> > > -- .netbios_aliases = lp_netbios_aliases,
> > > --
> > > -- .lanman_auth = lp_lanman_auth,
> > > -- .ntlm_auth = lp_ntlm_auth,
> > > --
> > > -- .client_plaintext_auth = lp_client_plaintext_auth,
> > > -- .client_lanman_auth = lp_client_lanman_auth,
> > > -- .client_ntlmv2_auth = lp_client_ntlmv2_auth,
> > > -- .client_use_spnego_principal = lp_client_use_spnego_principal,
> > > --
> > > -- .private_dir = lp_private_dir,
> > > -- .ncalrpc_dir = lp_ncalrpc_dir,
> > > -- .lockdir = lp_lockdir,
> > > --
> > > -- .passdb_backend = lp_passdb_backend,
> > > --
> > > -- .host_msdfs = lp_host_msdfs,
> > > -- .unix_extensions = lp_unix_extensions,
> > > -- .use_spnego = lp_use_spnego,
> > > -- .use_mmap = lp_use_mmap,
> > > -- .use_ntdb = lp_use_ntdb,
> > > --
> > > -- .srv_minprotocol = lp_srv_minprotocol,
> > > -- .srv_maxprotocol = lp_srv_maxprotocol,
> > > --
> > > -- .passwordserver = lp_passwordserver
> > > --};
> > > -+#include "loadparm_ctx_table.c"
> > > -
> > > - const struct loadparm_s3_helpers *loadparm_s3_helpers(void)
> > > - {
> > > -diff --git a/source3/param/wscript_build b/source3/param/wscript_build
> > > -index 643c27e..673cb4d 100644
> > > ---- a/source3/param/wscript_build
> > > -+++ b/source3/param/wscript_build
> > > -@@ -18,6 +18,11 @@ bld.SAMBA_GENERATOR('s3_param_proto_h',
> > > - target='param_proto.h',
> > > - rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
> > > -
> > > -+bld.SAMBA_GENERATOR('s3_loadparm_ctx_table_c',
> > > -+ source= ' ../../script/mks3param_ctx_table.pl ../../lib/param/loadparm.c ../../lib/param/param_functions.c',
> > > -+ target='loadparm_ctx_table.c',
> > > -+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
> > > -+
> > > - bld.SAMBA3_PYTHON('pys3param',
> > > - source='pyparam.c',
> > > - deps='param',
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 0046f49e1c690cf5b119859650f06559697fd103 Mon Sep 17 00:00:00 2001
> > > -From: Andrew Bartlett <abartlet@samba.org>
> > > -Date: Mon, 14 Oct 2013 15:49:25 +1300
> > > -Subject: [PATCH 120/249] proto: Remove manually written lp_ prototypes
> > > -
> > > -This also ensures we remove prototypes from parameters we remove or
> > > -rename, and easily see how many special cases we have left.
> > > -
> > > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source3/include/proto.h | 361 +-----------------------------------------------
> > > - 1 file changed, 1 insertion(+), 360 deletions(-)
> > > -
> > > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > > -index 614baa4..5e068d2 100644
> > > ---- a/source3/include/proto.h
> > > -+++ b/source3/include/proto.h
> > > -@@ -995,379 +995,20 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
> > > -
> > > - #include "source3/param/param_proto.h"
> > > -
> > > --const char **lp_smb_ports(void);
> > > --const char *lp_dos_charset(void);
> > > --const char *lp_unix_charset(void);
> > > --char *lp_logfile(TALLOC_CTX *ctx);
> > > --char *lp_configfile(TALLOC_CTX *ctx);
> > > --const char *lp_smb_passwd_file(void);
> > > --const char *lp_private_dir(void);
> > > --char *lp_serverstring(TALLOC_CTX *ctx);
> > > --int lp_printcap_cache_time(void);
> > > --char *lp_addport_cmd(TALLOC_CTX *ctx);
> > > --char *lp_enumports_cmd(TALLOC_CTX *ctx);
> > > --char *lp_addprinter_cmd(TALLOC_CTX *ctx);
> > > --char *lp_deleteprinter_cmd(TALLOC_CTX *ctx);
> > > --char *lp_os2_driver_map(TALLOC_CTX *ctx);
> > > --const char *lp_lockdir(void);
> > > - const char *lp_statedir(void);
> > > - const char *lp_cachedir(void);
> > > --const char *lp_piddir(void);
> > > --char *lp_mangling_method(TALLOC_CTX *ctx);
> > > --int lp_mangle_prefix(void);
> > > --const char *lp_utmpdir(void);
> > > --const char *lp_wtmpdir(void);
> > > --bool lp_utmp(void);
> > > --char *lp_rootdir(TALLOC_CTX *ctx);
> > > --char *lp_defaultservice(TALLOC_CTX *ctx);
> > > --char *lp_msg_command(TALLOC_CTX *ctx);
> > > --char *lp_get_quota_command(TALLOC_CTX *ctx);
> > > --char *lp_set_quota_command(TALLOC_CTX *ctx);
> > > --char *lp_auto_services(TALLOC_CTX *ctx);
> > > --char *lp_passwd_program(TALLOC_CTX *ctx);
> > > --char *lp_passwd_chat(TALLOC_CTX *ctx);
> > > --const char *lp_passwordserver(void);
> > > --const char **lp_name_resolve_order(void);
> > > --const char *lp_netbios_scope(void);
> > > --const char *lp_netbios_name(void);
> > > --const char *lp_workgroup(void);
> > > --const char *lp_realm(void);
> > > --const char *lp_dnsdomain(void);
> > > --const char *lp_afs_username_map(void);
> > > --int lp_afs_token_lifetime(void);
> > > --char *lp_log_nt_token_command(TALLOC_CTX *ctx);
> > > --char *lp_username_map(TALLOC_CTX *ctx);
> > > --const char *lp_logon_script(void);
> > > --const char *lp_logon_path(void);
> > > --const char *lp_logon_drive(void);
> > > --const char *lp_logon_home(void);
> > > --char *lp_remote_announce(TALLOC_CTX *ctx);
> > > --char *lp_remote_browse_sync(TALLOC_CTX *ctx);
> > > --bool lp_nmbd_bind_explicit_broadcast(void);
> > > --const char **lp_wins_server_list(void);
> > > --const char **lp_interfaces(void);
> > > --const char *lp_nbt_client_socket_address(void);
> > > --char *lp_nis_home_map_name(TALLOC_CTX *ctx);
> > > --const char **lp_netbios_aliases(void);
> > > --const char *lp_passdb_backend(void);
> > > --const char **lp_preload_modules(void);
> > > --char *lp_panic_action(TALLOC_CTX *ctx);
> > > --char *lp_adduser_script(TALLOC_CTX *ctx);
> > > --char *lp_renameuser_script(TALLOC_CTX *ctx);
> > > --char *lp_deluser_script(TALLOC_CTX *ctx);
> > > --const char *lp_guestaccount(void);
> > > --char *lp_addgroup_script(TALLOC_CTX *ctx);
> > > --char *lp_delgroup_script(TALLOC_CTX *ctx);
> > > --char *lp_addusertogroup_script(TALLOC_CTX *ctx);
> > > --char *lp_deluserfromgroup_script(TALLOC_CTX *ctx);
> > > --char *lp_setprimarygroup_script(TALLOC_CTX *ctx);
> > > --char *lp_addmachine_script(TALLOC_CTX *ctx);
> > > --char *lp_shutdown_script(TALLOC_CTX *ctx);
> > > --char *lp_abort_shutdown_script(TALLOC_CTX *ctx);
> > > --char *lp_username_map_script(TALLOC_CTX *ctx);
> > > --int lp_username_map_cache_time(void);
> > > --char *lp_check_password_script(TALLOC_CTX *ctx);
> > > --char *lp_wins_hook(TALLOC_CTX *ctx);
> > > --const char *lp_template_homedir(void);
> > > --const char *lp_template_shell(void);
> > > --const char *lp_winbind_separator(void);
> > > --const char *lp_winbindd_socket_directory(void);
> > > --bool lp_winbind_enum_users(void);
> > > --bool lp_winbind_enum_groups(void);
> > > --bool lp_winbind_use_default_domain(void);
> > > --bool lp_winbind_trusted_domains_only(void);
> > > --bool lp_winbind_nested_groups(void);
> > > --int lp_winbind_expand_groups(void);
> > > --bool lp_winbind_refresh_tickets(void);
> > > --bool lp_winbind_offline_logon(void);
> > > --bool lp_winbind_normalize_names(void);
> > > --bool lp_winbind_rpc_only(void);
> > > --bool lp_create_krb5_conf(void);
> > > - int lp_winbind_max_domain_connections(void);
> > > --int lp_idmap_cache_time(void);
> > > --int lp_idmap_negative_cache_time(void);
> > > - bool lp_idmap_range(const char *domain_name, uint32_t *low, uint32_t *high);
> > > - bool lp_idmap_default_range(uint32_t *low, uint32_t *high);
> > > - const char *lp_idmap_backend(const char *domain_name);
> > > - const char *lp_idmap_default_backend (void);
> > > --int lp_keepalive(void);
> > > --bool lp_passdb_expand_explicit(void);
> > > --char *lp_ldap_suffix(TALLOC_CTX *ctx);
> > > --char *lp_ldap_admin_dn(TALLOC_CTX *ctx);
> > > --int lp_ldap_ssl(void);
> > > --bool lp_ldap_ssl_ads(void);
> > > --int lp_ldap_deref(void);
> > > --int lp_ldap_follow_referral(void);
> > > --int lp_ldap_passwd_sync(void);
> > > --bool lp_ldap_delete_dn(void);
> > > --int lp_ldap_replication_sleep(void);
> > > --int lp_ldap_timeout(void);
> > > --int lp_ldap_connection_timeout(void);
> > > --int lp_ldap_page_size(void);
> > > --int lp_ldap_debug_level(void);
> > > --int lp_ldap_debug_threshold(void);
> > > --char *lp_add_share_cmd(TALLOC_CTX *ctx);
> > > --char *lp_change_share_cmd(TALLOC_CTX *ctx);
> > > --char *lp_delete_share_cmd(TALLOC_CTX *ctx);
> > > --char *lp_usershare_path(TALLOC_CTX *ctx);
> > > --const char **lp_usershare_prefix_allow_list(void);
> > > --const char **lp_usershare_prefix_deny_list(void);
> > > --const char **lp_eventlog_list(void);
> > > --bool lp_registry_shares(void);
> > > --bool lp_usershare_allow_guests(void);
> > > --bool lp_usershare_owner_only(void);
> > > --bool lp_disable_netbios(void);
> > > --bool lp_reset_on_zero_vc(void);
> > > --bool lp_log_writeable_files_on_exit(void);
> > > --bool lp_ms_add_printer_wizard(void);
> > > --bool lp_wins_dns_proxy(void);
> > > --bool lp_we_are_a_wins_server(void);
> > > --bool lp_wins_proxy(void);
> > > --bool lp_local_master(void);
> > > --const char **lp_init_logon_delayed_hosts(void);
> > > --int lp_init_logon_delay(void);
> > > --bool lp_load_printers(void);
> > > - bool lp_readraw(void);
> > > --bool lp_large_readwrite(void);
> > > - bool lp_writeraw(void);
> > > --bool lp_null_passwords(void);
> > > --bool lp_obey_pam_restrictions(void);
> > > --bool lp_encrypted_passwords(void);
> > > --int lp_client_schannel(void);
> > > --int lp_server_schannel(void);
> > > --bool lp_syslog_only(void);
> > > --bool lp_timestamp_logs(void);
> > > --bool lp_debug_prefix_timestamp(void);
> > > --bool lp_debug_hires_timestamp(void);
> > > --bool lp_debug_pid(void);
> > > --bool lp_debug_uid(void);
> > > --bool lp_debug_class(void);
> > > --bool lp_enable_core_files(void);
> > > --bool lp_browse_list(void);
> > > --bool lp_nis_home_map(void);
> > > --bool lp_bind_interfaces_only(void);
> > > --bool lp_pam_password_change(void);
> > > --bool lp_unix_password_sync(void);
> > > --bool lp_passwd_chat_debug(void);
> > > --int lp_passwd_chat_timeout(void);
> > > --bool lp_nt_pipe_support(void);
> > > --bool lp_nt_status_support(void);
> > > --bool lp_stat_cache(void);
> > > --int lp_max_stat_cache_size(void);
> > > --bool lp_allow_trusted_domains(void);
> > > --bool lp_map_untrusted_to_domain(void);
> > > --int lp_restrict_anonymous(void);
> > > --bool lp_lanman_auth(void);
> > > --bool lp_ntlm_auth(void);
> > > --bool lp_client_plaintext_auth(void);
> > > --bool lp_client_lanman_auth(void);
> > > --bool lp_client_ntlmv2_auth(void);
> > > --bool lp_host_msdfs(void);
> > > --bool lp_enhanced_browsing(void);
> > > --bool lp_use_mmap(void);
> > > --bool lp_use_ntdb(void);
> > > --bool lp_unix_extensions(void);
> > > --bool lp_unicode(void);
> > > --bool lp_use_spnego(void);
> > > --bool lp_client_use_spnego(void);
> > > --bool lp_client_use_spnego_principal(void);
> > > --bool lp_hostname_lookups(void);
> > > --bool lp_change_notify(const struct share_params *p );
> > > --bool lp_kernel_change_notify(const struct share_params *p );
> > > --const char * lp_dedicated_keytab_file(void);
> > > --int lp_kerberos_method(void);
> > > --bool lp_defer_sharing_violations(void);
> > > --bool lp_enable_privileges(void);
> > > --bool lp_enable_asu_support(void);
> > > --int lp_os_level(void);
> > > --int lp_max_ttl(void);
> > > --int lp_max_wins_ttl(void);
> > > --int lp_min_wins_ttl(void);
> > > --int lp_max_log_size(void);
> > > --int lp_max_open_files(void);
> > > --int lp_open_files_db_hash_size(void);
> > > --int lp_max_xmit(void);
> > > --int lp_maxmux(void);
> > > --int lp_passwordlevel(void);
> > > --int lp_usernamelevel(void);
> > > --int lp_deadtime(void);
> > > --bool lp_getwd_cache(void);
> > > --int lp_srv_maxprotocol(void);
> > > --int lp_srv_minprotocol(void);
> > > --int lp_cli_maxprotocol(void);
> > > --int lp_cli_minprotocol(void);
> > > - int lp_security(void);
> > > --int lp__server_role(void);
> > > --int lp__security(void);
> > > --int lp__domain_master(void);
> > > --bool lp__domain_logons(void);
> > > --const char **lp_auth_methods(void);
> > > --bool lp_paranoid_server_security(void);
> > > --int lp_maxdisksize(void);
> > > --int lp_lpqcachetime(void);
> > > --int lp_max_smbd_processes(void);
> > > --bool lp__disable_spoolss(void);
> > > --int lp_syslog(void);
> > > --int lp_lm_announce(void);
> > > --int lp_lm_interval(void);
> > > --int lp_machine_password_timeout(void);
> > > --int lp_map_to_guest(void);
> > > --int lp_oplock_break_wait_time(void);
> > > --int lp_lock_spin_time(void);
> > > --int lp_usershare_max_shares(void);
> > > --const char *lp_socket_options(void);
> > > --int lp_config_backend(void);
> > > --int lp_smb2_max_read(void);
> > > --int lp_smb2_max_write(void);
> > > --int lp_smb2_max_trans(void);
> > > - int lp_smb2_max_credits(void);
> > > --char *lp_preexec(TALLOC_CTX *ctx, int );
> > > --char *lp_postexec(TALLOC_CTX *ctx, int );
> > > --char *lp_rootpreexec(TALLOC_CTX *ctx, int );
> > > --char *lp_rootpostexec(TALLOC_CTX *ctx, int );
> > > --char *lp_servicename(TALLOC_CTX *ctx, int );
> > > --const char *lp_const_servicename(int );
> > > --char *lp_pathname(TALLOC_CTX *ctx, int );
> > > --char *lp_dontdescend(TALLOC_CTX *ctx, int );
> > > --char *lp_username(TALLOC_CTX *ctx, int );
> > > --const char **lp_invalid_users(int );
> > > --const char **lp_valid_users(int );
> > > --const char **lp_admin_users(int );
> > > --const char **lp_svcctl_list(void);
> > > --char *lp_cups_options(TALLOC_CTX *ctx, int );
> > > --char *lp_cups_server(TALLOC_CTX *ctx);
> > > - int lp_cups_encrypt(void);
> > > --char *lp_iprint_server(TALLOC_CTX *ctx);
> > > --int lp_cups_connection_timeout(void);
> > > --const char *lp_ctdbd_socket(void);
> > > --const char *_lp_ctdbd_socket(void);
> > > --const char **lp_cluster_addresses(void);
> > > --bool lp_clustering(void);
> > > --int lp_ctdb_timeout(void);
> > > --int lp_ctdb_locktime_warn_threshold(void);
> > > --char *lp_printcommand(TALLOC_CTX *ctx, int );
> > > --char *lp_lpqcommand(TALLOC_CTX *ctx, int );
> > > --char *lp_lprmcommand(TALLOC_CTX *ctx, int );
> > > --char *lp_lppausecommand(TALLOC_CTX *ctx, int );
> > > --char *lp_lpresumecommand(TALLOC_CTX *ctx, int );
> > > --char *lp_queuepausecommand(TALLOC_CTX *ctx, int );
> > > --char *lp_queueresumecommand(TALLOC_CTX *ctx, int );
> > > --const char *lp_printjob_username(int );
> > > --const char **lp_hostsallow(int );
> > > --const char **lp_hostsdeny(int );
> > > --char *lp_magicscript(TALLOC_CTX *ctx, int );
> > > --char *lp_magicoutput(TALLOC_CTX *ctx, int );
> > > --char *lp_comment(TALLOC_CTX *ctx, int );
> > > --char *lp_force_user(TALLOC_CTX *ctx, int );
> > > --char *lp_force_group(TALLOC_CTX *ctx, int );
> > > --const char **lp_readlist(int );
> > > --const char **lp_writelist(int );
> > > --char *lp_fstype(TALLOC_CTX *ctx, int );
> > > --const char **lp_vfs_objects(int );
> > > --char *lp_msdfs_proxy(TALLOC_CTX *ctx, int );
> > > --char *lp_veto_files(TALLOC_CTX *ctx, int );
> > > --char *lp_hide_files(TALLOC_CTX *ctx, int );
> > > --char *lp_veto_oplocks(TALLOC_CTX *ctx, int );
> > > --bool lp_msdfs_root(int );
> > > --char *lp_aio_write_behind(TALLOC_CTX *ctx, int );
> > > --char *lp_dfree_command(TALLOC_CTX *ctx, int );
> > > --bool lp_autoloaded(int );
> > > --bool lp_preexec_close(int );
> > > --bool lp_rootpreexec_close(int );
> > > --int lp_casesensitive(int );
> > > --bool lp_preservecase(int );
> > > --bool lp_shortpreservecase(int );
> > > --bool lp_hide_dot_files(int );
> > > --bool lp_hide_special_files(int );
> > > --bool lp_hideunreadable(int );
> > > --bool lp_hideunwriteable_files(int );
> > > --bool lp_browseable(int );
> > > --bool lp_access_based_share_enum(int );
> > > --bool lp_readonly(int );
> > > --bool lp_guest_ok(int );
> > > --bool lp_guest_only(int );
> > > --bool lp_administrative_share(int );
> > > --bool lp_print_ok(int );
> > > --bool lp_print_notify_backchannel(int );
> > > --bool lp_map_hidden(int );
> > > --bool lp_map_archive(int );
> > > --bool lp_store_dos_attributes(int );
> > > --bool lp_dmapi_support(int );
> > > --bool lp_locking(const struct share_params *p );
> > > --int lp_strict_locking(const struct share_params *p );
> > > --bool lp_posix_locking(const struct share_params *p );
> > > --bool lp_oplocks(int );
> > > --bool lp_kernel_oplocks(int );
> > > --bool lp_level2_oplocks(int );
> > > --bool lp_kernel_share_modes(int);
> > > --bool lp_onlyuser(int );
> > > --bool lp_manglednames(const struct share_params *p );
> > > --bool lp_allow_insecure_widelinks(void);
> > > - bool lp_widelinks(int );
> > > --bool lp_symlinks(int );
> > > --bool lp_syncalways(int );
> > > --bool lp_strict_allocate(int );
> > > --bool lp_strict_sync(int );
> > > --bool lp_map_system(int );
> > > --bool lp_delete_readonly(int );
> > > --bool lp_fake_oplocks(int );
> > > --bool lp_recursive_veto_delete(int );
> > > --bool lp_dos_filemode(int );
> > > --bool lp_dos_filetimes(int );
> > > --bool lp_dos_filetime_resolution(int );
> > > --bool lp_fake_dir_create_times(int);
> > > --bool lp_async_smb_echo_handler(void);
> > > --bool lp_multicast_dns_register(void);
> > > --bool lp_blocking_locks(int );
> > > --bool lp_inherit_perms(int );
> > > --bool lp_inherit_acls(int );
> > > --bool lp_inherit_owner(int );
> > > --bool lp_use_client_driver(int );
> > > --bool lp_default_devmode(int );
> > > --bool lp_force_printername(int );
> > > --bool lp_nt_acl_support(int );
> > > --bool lp_force_unknown_acl_user(int );
> > > --bool lp_ea_support(int );
> > > --bool lp__use_sendfile(int );
> > > --bool lp_profile_acls(int );
> > > --bool lp_map_acl_inherit(int );
> > > --bool lp_afs_share(int );
> > > --bool lp_acl_check_permissions(int );
> > > --bool lp_acl_group_control(int );
> > > --bool lp_acl_map_full_control(int );
> > > --bool lp_acl_allow_execute_always(int);
> > > --bool lp_durable_handles(int);
> > > --int lp_create_mask(int );
> > > --int lp_force_create_mode(int );
> > > --int lp_dir_mask(int );
> > > --int lp_force_dir_mode(int );
> > > --int lp_max_connections(int );
> > > --int lp_defaultcase(int );
> > > --int lp_minprintspace(int );
> > > --int lp_printing(int );
> > > --int lp_max_reported_jobs(int );
> > > --int lp_oplock_contention_limit(int );
> > > --int lp_csc_policy(int );
> > > --int lp_write_cache_size(int );
> > > --int lp_block_size(int );
> > > --int lp_dfree_cache_time(int );
> > > --int lp_allocation_roundup_size(int );
> > > --int lp_aio_read_size(int );
> > > --int lp_aio_write_size(int );
> > > --int lp_map_readonly(int );
> > > --int lp_directory_name_cache_size(int );
> > > --int lp_smb_encrypt(int );
> > > --char lp_magicchar(const struct share_params *p );
> > > --int lp_winbind_cache_time(void);
> > > --int lp_winbind_reconnect_delay(void);
> > > --int lp_winbind_request_timeout(void);
> > > --int lp_winbind_max_clients(void);
> > > --const char **lp_winbind_nss_info(void);
> > > --int lp_algorithmic_rid_base(void);
> > > --int lp_name_cache_timeout(void);
> > > --int lp_client_signing(void);
> > > --int lp_server_signing(void);
> > > --int lp_client_ldap_sasl_wrapping(void);
> > > -+
> > > - char *lp_parm_talloc_string(TALLOC_CTX *ctx, int snum, const char *type, const char *option, const char *def);
> > > - const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def);
> > > - struct loadparm_service;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 5d2278756b5a7372106cbdf9b8d66fb8a0cf5033 Mon Sep 17 00:00:00 2001
> > > -From: Andrew Bartlett <abartlet@samba.org>
> > > -Date: Wed, 16 Oct 2013 14:45:31 +1300
> > > -Subject: [PATCH 121/249] lib/param: Add documentation on how loadparm works
> > > -
> > > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Volker Lendecke <vl@samba.org>
> > > ----
> > > - lib/param/README | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > - 1 file changed, 69 insertions(+)
> > > -
> > > -diff --git a/lib/param/README b/lib/param/README
> > > -index 403a217..b567d71 100644
> > > ---- a/lib/param/README
> > > -+++ b/lib/param/README
> > > -@@ -1,4 +1,73 @@
> > > -+libsamba-hostconfig
> > > -+-------------------
> > > -+
> > > - This directory contains "libsamba-hostconfig".
> > > -
> > > - The libsamba-hostconfig library provides access to all host-wide configuration
> > > - such as the configured shares, default parameter values and host secret keys.
> > > -+
> > > -+
> > > -+Adding a parameter
> > > -+------------------
> > > -+
> > > -+To add or change an smb.conf option, you only have to modify
> > > -+lib/param/param_table.c and lib/param/param_functions.c. The rest is
> > > -+generated for you.
> > > -+
> > > -+
> > > -+Using smb.conf parameters in the code
> > > -+-------------------------------------
> > > -+
> > > -+Call the lpcfg_*() function. To get the lp_ctx, have the caller pass
> > > -+it to you. To get a lp_ctx for the source3/param loadparm system, use:
> > > -+
> > > -+struct loadparm_context *lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers());
> > > -+
> > > -+Remember to talloc_unlink(tmp_ctx, lp_ctx) the result when you are done!
> > > -+
> > > -+To get a lp_ctx for the lib/param loadparm system, typically the
> > > -+pointer is already set up by popt at startup, and is passed down from
> > > -+cmdline_lp_ctx.
> > > -+
> > > -+In pure source3/ code, you may use lp_*() functions, but are
> > > -+encouraged to use the lpcfg_*() functions so that code can be made
> > > -+common.
> > > -+
> > > -+
> > > -+How does loadparm_init_s3() work?
> > > -+---------------------------------
> > > -+
> > > -+loadparm_s3_helpers() returns a initialised table of function
> > > -+pointers, pointing at all global lp_*() functions, except for those
> > > -+that return substituted strings (% macros). The lpcfg_*() function
> > > -+then calls this plugged in function, allowing the one function and
> > > -+pattern to use either loadparm system.
> > > -+
> > > -+
> > > -+There is a lot of generated code, here, what generates what?
> > > -+------------------------------------------------------------
> > > -+
> > > -+The regular format of the CPP macros in param_functions.c is used to
> > > -+generate up the prototypes (mkproto.pl, mks3param_proto.pl), the service
> > > -+and globals table (mkparamdefs.pl), the glue table (mmks3param.pl) and
> > > -+the initilisation of the glue table (mks3param_ctx_table.pl).
> > > -+
> > > -+I have tried combining some of these, but it just makes the scripts more
> > > -+complex.
> > > -+
> > > -+The CPP macros are defined in and expand in lib/param/loadparm.c and
> > > -+source3/param/loadparm.c to read the values from the generated
> > > -+stuctures. They are CPP #included into these files so that the same
> > > -+macro has two definitions, depending on the system it is loading into.
> > > -+
> > > -+
> > > -+Why was this done, rather than a 'proper' fix, or just using one system or the other?
> > > -+-------------------------------------------------------------------------------------
> > > -+
> > > -+This was done to allow merging from both ends - merging more parts of
> > > -+the loadparm handling, and merging code that needs to read the
> > > -+smb.conf, without having to do it all at once. Ideally
> > > -+param_functions.c would be generated from param_table.c or (even
> > > -+better) our XML manpage source, and the CPP macros would instead be
> > > -+generated expanded as generated C files, but this is a task nobody has
> > > -+taken on yet.
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 7734a867500f5b7415f818077229f74486101c51 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 12 Aug 2013 08:19:08 +0200
> > > -Subject: [PATCH 122/249] librpc/rpc: add dcerpc_binding_handle_auth_info()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - librpc/rpc/binding_handle.c | 25 +++++++++++++++++++++++++
> > > - librpc/rpc/rpc_common.h | 8 ++++++++
> > > - 2 files changed, 33 insertions(+)
> > > -
> > > -diff --git a/librpc/rpc/binding_handle.c b/librpc/rpc/binding_handle.c
> > > -index 9354bbd..714baa7 100644
> > > ---- a/librpc/rpc/binding_handle.c
> > > -+++ b/librpc/rpc/binding_handle.c
> > > -@@ -98,6 +98,31 @@ uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
> > > - return h->ops->set_timeout(h, timeout);
> > > - }
> > > -
> > > -+void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
> > > -+ enum dcerpc_AuthType *auth_type,
> > > -+ enum dcerpc_AuthLevel *auth_level)
> > > -+{
> > > -+ enum dcerpc_AuthType _auth_type;
> > > -+ enum dcerpc_AuthLevel _auth_level;
> > > -+
> > > -+ if (auth_type == NULL) {
> > > -+ auth_type = &_auth_type;
> > > -+ }
> > > -+
> > > -+ if (auth_level == NULL) {
> > > -+ auth_level = &_auth_level;
> > > -+ }
> > > -+
> > > -+ *auth_type = DCERPC_AUTH_TYPE_NONE;
> > > -+ *auth_level = DCERPC_AUTH_LEVEL_NONE;
> > > -+
> > > -+ if (h->ops->auth_info == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ h->ops->auth_info(h, auth_type, auth_level);
> > > -+}
> > > -+
> > > - struct dcerpc_binding_handle_raw_call_state {
> > > - const struct dcerpc_binding_handle_ops *ops;
> > > - uint8_t *out_data;
> > > -diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
> > > -index d2816f5..978229e 100644
> > > ---- a/librpc/rpc/rpc_common.h
> > > -+++ b/librpc/rpc/rpc_common.h
> > > -@@ -189,6 +189,10 @@ struct dcerpc_binding_handle_ops {
> > > - uint32_t (*set_timeout)(struct dcerpc_binding_handle *h,
> > > - uint32_t timeout);
> > > -
> > > -+ void (*auth_info)(struct dcerpc_binding_handle *h,
> > > -+ enum dcerpc_AuthType *auth_type,
> > > -+ enum dcerpc_AuthLevel *auth_level);
> > > -+
> > > - struct tevent_req *(*raw_call_send)(TALLOC_CTX *mem_ctx,
> > > - struct tevent_context *ev,
> > > - struct dcerpc_binding_handle *h,
> > > -@@ -259,6 +263,10 @@ bool dcerpc_binding_handle_is_connected(struct dcerpc_binding_handle *h);
> > > - uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
> > > - uint32_t timeout);
> > > -
> > > -+void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
> > > -+ enum dcerpc_AuthType *auth_type,
> > > -+ enum dcerpc_AuthLevel *auth_level);
> > > -+
> > > - struct tevent_req *dcerpc_binding_handle_raw_call_send(TALLOC_CTX *mem_ctx,
> > > - struct tevent_context *ev,
> > > - struct dcerpc_binding_handle *h,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 04a9531474630c62c3f717e251d9f1469013f5ae Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 12 Aug 2013 08:19:35 +0200
> > > -Subject: [PATCH 123/249] s3:rpc_client: implement
> > > - dcerpc_binding_handle_auth_info()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 20 ++++++++++++++++++++
> > > - 1 file changed, 20 insertions(+)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 64e7f1c..a343997 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -1867,6 +1867,25 @@ static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
> > > - return rpccli_set_timeout(hs->rpc_cli, timeout);
> > > - }
> > > -
> > > -+static void rpccli_bh_auth_info(struct dcerpc_binding_handle *h,
> > > -+ enum dcerpc_AuthType *auth_type,
> > > -+ enum dcerpc_AuthLevel *auth_level)
> > > -+{
> > > -+ struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
> > > -+ struct rpccli_bh_state);
> > > -+
> > > -+ if (hs->rpc_cli == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (hs->rpc_cli->auth == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ *auth_type = hs->rpc_cli->auth->auth_type;
> > > -+ *auth_level = hs->rpc_cli->auth->auth_level;
> > > -+}
> > > -+
> > > - struct rpccli_bh_raw_call_state {
> > > - DATA_BLOB in_data;
> > > - DATA_BLOB out_data;
> > > -@@ -2046,6 +2065,7 @@ static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
> > > - .name = "rpccli",
> > > - .is_connected = rpccli_bh_is_connected,
> > > - .set_timeout = rpccli_bh_set_timeout,
> > > -+ .auth_info = rpccli_bh_auth_info,
> > > - .raw_call_send = rpccli_bh_raw_call_send,
> > > - .raw_call_recv = rpccli_bh_raw_call_recv,
> > > - .disconnect_send = rpccli_bh_disconnect_send,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 1db891bac30bb6c3bb0a022c5d1529a9f001237d Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 12 Aug 2013 08:19:57 +0200
> > > -Subject: [PATCH 124/249] s4:librpc: implement
> > > - dcerpc_binding_handle_auth_info()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source4/librpc/rpc/dcerpc.c | 24 ++++++++++++++++++++++++
> > > - 1 file changed, 24 insertions(+)
> > > -
> > > -diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
> > > -index 2826160..56b821e 100644
> > > ---- a/source4/librpc/rpc/dcerpc.c
> > > -+++ b/source4/librpc/rpc/dcerpc.c
> > > -@@ -200,6 +200,29 @@ static uint32_t dcerpc_bh_set_timeout(struct dcerpc_binding_handle *h,
> > > - return old;
> > > - }
> > > -
> > > -+static void dcerpc_bh_auth_info(struct dcerpc_binding_handle *h,
> > > -+ enum dcerpc_AuthType *auth_type,
> > > -+ enum dcerpc_AuthLevel *auth_level)
> > > -+{
> > > -+ struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
> > > -+ struct dcerpc_bh_state);
> > > -+
> > > -+ if (hs->p == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (hs->p->conn == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (hs->p->conn->security_state.auth_info == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ *auth_type = hs->p->conn->security_state.auth_info->auth_type;
> > > -+ *auth_level = hs->p->conn->security_state.auth_info->auth_level;
> > > -+}
> > > -+
> > > - struct dcerpc_bh_raw_call_state {
> > > - struct tevent_context *ev;
> > > - struct dcerpc_binding_handle *h;
> > > -@@ -552,6 +575,7 @@ static const struct dcerpc_binding_handle_ops dcerpc_bh_ops = {
> > > - .name = "dcerpc",
> > > - .is_connected = dcerpc_bh_is_connected,
> > > - .set_timeout = dcerpc_bh_set_timeout,
> > > -+ .auth_info = dcerpc_bh_auth_info,
> > > - .raw_call_send = dcerpc_bh_raw_call_send,
> > > - .raw_call_recv = dcerpc_bh_raw_call_recv,
> > > - .disconnect_send = dcerpc_bh_disconnect_send,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 76304ed57d561eb89dceb3881236a78209dd592c Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 17 Sep 2013 04:25:39 +0200
> > > -Subject: [PATCH 125/249] s3:winbindd: don't hide the error in cm_connect_lsa()
> > > -
> > > -We should not overwrite the error with NT_STATUS_PIPE_NOT_AVAILABLE.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source3/winbindd/winbindd_cm.c | 1 -
> > > - 1 file changed, 1 deletion(-)
> > > -
> > > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > > -index d868826..c4f59d3 100644
> > > ---- a/source3/winbindd/winbindd_cm.c
> > > -+++ b/source3/winbindd/winbindd_cm.c
> > > -@@ -2677,7 +2677,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - &ndr_table_lsarpc,
> > > - &conn->lsa_pipe);
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > -- result = NT_STATUS_PIPE_NOT_AVAILABLE;
> > > - goto done;
> > > - }
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 9948366e88b1d11127317008c79a2f7182a34d65 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 2 Sep 2013 09:24:42 +0200
> > > -Subject: [PATCH 126/249] s3:include: add forward declaration for struct
> > > - messaging_context; in g_lock.h
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source3/include/g_lock.h | 1 +
> > > - 1 file changed, 1 insertion(+)
> > > -
> > > -diff --git a/source3/include/g_lock.h b/source3/include/g_lock.h
> > > -index 004c452..f513349 100644
> > > ---- a/source3/include/g_lock.h
> > > -+++ b/source3/include/g_lock.h
> > > -@@ -23,6 +23,7 @@
> > > - #include "dbwrap/dbwrap.h"
> > > -
> > > - struct g_lock_ctx;
> > > -+struct messaging_context;
> > > -
> > > - enum g_lock_type {
> > > - G_LOCK_READ = 0,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4c30267e3c26cb065b908ff396ca21937fc870c4 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 2 Sep 2013 19:29:05 +0200
> > > -Subject: [PATCH 127/249] s3:include: fix messaging_send_buf() protype in
> > > - messages.h
> > > -
> > > -The function already used 'uint8_t' instead of 'uint8'.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source3/include/messages.h | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/include/messages.h b/source3/include/messages.h
> > > -index 09c39cc..50b2a84 100644
> > > ---- a/source3/include/messages.h
> > > -+++ b/source3/include/messages.h
> > > -@@ -139,7 +139,7 @@ NTSTATUS messaging_send(struct messaging_context *msg_ctx,
> > > -
> > > - NTSTATUS messaging_send_buf(struct messaging_context *msg_ctx,
> > > - struct server_id server, uint32_t msg_type,
> > > -- const uint8 *buf, size_t len);
> > > -+ const uint8_t *buf, size_t len);
> > > - void messaging_dispatch_rec(struct messaging_context *msg_ctx,
> > > - struct messaging_rec *rec);
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From ff45e4d1ca6cff9b2f329d18e98ebd4883639ed9 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 27 Aug 2013 12:09:51 +0200
> > > -Subject: [PATCH 128/249] s3:auth_domain: remove dead code in
> > > - check_trustdomain_security()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source3/auth/auth_domain.c | 22 ----------------------
> > > - 1 file changed, 22 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > > -index 06078e2..9f88c4a 100644
> > > ---- a/source3/auth/auth_domain.c
> > > -+++ b/source3/auth/auth_domain.c
> > > -@@ -378,8 +378,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
> > > - struct auth_serversupplied_info **server_info)
> > > - {
> > > - NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
> > > -- unsigned char trust_md4_password[16];
> > > -- char *trust_password;
> > > - fstring dc_name;
> > > - struct sockaddr_storage dc_ss;
> > > -
> > > -@@ -408,26 +406,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
> > > - if ( !is_trusted_domain( user_info->mapped.domain_name ) )
> > > - return NT_STATUS_NOT_IMPLEMENTED;
> > > -
> > > -- /*
> > > -- * Get the trusted account password for the trusted domain
> > > -- * No need to become_root() as secrets_init() is done at startup.
> > > -- */
> > > --
> > > -- if (!pdb_get_trusteddom_pw(user_info->mapped.domain_name, &trust_password,
> > > -- NULL, NULL)) {
> > > -- DEBUG(0, ("check_trustdomain_security: could not fetch trust "
> > > -- "account password for domain %s\n",
> > > -- user_info->mapped.domain_name));
> > > -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > -- }
> > > --
> > > --#ifdef DEBUG_PASSWORD
> > > -- DEBUG(100, ("Trust password for domain %s is %s\n", user_info->mapped.domain_name,
> > > -- trust_password));
> > > --#endif
> > > -- E_md4hash(trust_password, trust_md4_password);
> > > -- SAFE_FREE(trust_password);
> > > --
> > > - /* use get_dc_name() for consistency even through we know that it will be
> > > - a netbios name */
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From d9160b0834f74508b711eeec0354aa43d5a1b215 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 2 Sep 2013 20:18:39 +0200
> > > -Subject: [PATCH 129/249] s3:libsmb: remove unused
> > > - change_trust_account_password()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source3/include/proto.h | 1 -
> > > - source3/libsmb/trusts_util.c | 72 --------------------------------------------
> > > - 2 files changed, 73 deletions(-)
> > > -
> > > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > > -index 5e068d2..a40d3c1 100644
> > > ---- a/source3/include/proto.h
> > > -+++ b/source3/include/proto.h
> > > -@@ -989,7 +989,6 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
> > > - NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > > - TALLOC_CTX *mem_ctx,
> > > - const char *domain) ;
> > > --NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine);
> > > -
> > > - /* The following definitions come from param/loadparm.c */
> > > -
> > > -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> > > -index 6156ba0..8a0e53d 100644
> > > ---- a/source3/libsmb/trusts_util.c
> > > -+++ b/source3/libsmb/trusts_util.c
> > > -@@ -135,75 +135,3 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > > - sec_channel_type);
> > > - }
> > > -
> > > --NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine)
> > > --{
> > > -- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
> > > -- struct sockaddr_storage pdc_ss;
> > > -- fstring dc_name;
> > > -- struct cli_state *cli = NULL;
> > > -- struct rpc_pipe_client *netlogon_pipe = NULL;
> > > --
> > > -- DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
> > > -- domain));
> > > --
> > > -- if (remote_machine == NULL || !strcmp(remote_machine, "*")) {
> > > -- /* Use the PDC *only* for this */
> > > --
> > > -- if ( !get_pdc_ip(domain, &pdc_ss) ) {
> > > -- DEBUG(0,("Can't get IP for PDC for domain %s\n", domain));
> > > -- goto failed;
> > > -- }
> > > --
> > > -- if ( !name_status_find( domain, 0x1b, 0x20, &pdc_ss, dc_name) )
> > > -- goto failed;
> > > -- } else {
> > > -- /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
> > > -- fstrcpy( dc_name, remote_machine );
> > > -- }
> > > --
> > > -- /* if this next call fails, then give up. We can't do
> > > -- password changes on BDC's --jerry */
> > > --
> > > -- if (!NT_STATUS_IS_OK(cli_full_connection(&cli, lp_netbios_name(), dc_name,
> > > -- NULL, 0,
> > > -- "IPC$", "IPC",
> > > -- "", "",
> > > -- "", 0, SMB_SIGNING_DEFAULT))) {
> > > -- DEBUG(0,("modify_trust_password: Connection to %s failed!\n", dc_name));
> > > -- nt_status = NT_STATUS_UNSUCCESSFUL;
> > > -- goto failed;
> > > -- }
> > > --
> > > -- /*
> > > -- * Ok - we have an anonymous connection to the IPC$ share.
> > > -- * Now start the NT Domain stuff :-).
> > > -- */
> > > --
> > > -- /* Shouldn't we open this with schannel ? JRA. */
> > > --
> > > -- nt_status = cli_rpc_pipe_open_noauth(
> > > -- cli, &ndr_table_netlogon, &netlogon_pipe);
> > > -- if (!NT_STATUS_IS_OK(nt_status)) {
> > > -- DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
> > > -- dc_name, nt_errstr(nt_status)));
> > > -- cli_shutdown(cli);
> > > -- cli = NULL;
> > > -- goto failed;
> > > -- }
> > > --
> > > -- nt_status = trust_pw_find_change_and_store_it(
> > > -- netlogon_pipe, netlogon_pipe, domain);
> > > --
> > > -- cli_shutdown(cli);
> > > -- cli = NULL;
> > > --
> > > --failed:
> > > -- if (!NT_STATUS_IS_OK(nt_status)) {
> > > -- DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n",
> > > -- current_timestring(talloc_tos(), False), domain));
> > > -- }
> > > -- else
> > > -- DEBUG(5,("change_trust_account_password: sucess!\n"));
> > > --
> > > -- return nt_status;
> > > --}
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From c6b50a3d8c382f19a8ae16428d557928438be464 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 2 Sep 2013 20:19:28 +0200
> > > -Subject: [PATCH 130/249] s3:libsmb: inline trust_pw_change_and_store_it() into
> > > - trust_pw_find_change_and_store_it()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source3/include/proto.h | 5 -----
> > > - source3/libsmb/trusts_util.c | 50 +++++++++++++-------------------------------
> > > - 2 files changed, 15 insertions(+), 40 deletions(-)
> > > -
> > > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > > -index a40d3c1..216a377 100644
> > > ---- a/source3/include/proto.h
> > > -+++ b/source3/include/proto.h
> > > -@@ -981,11 +981,6 @@ void update_trustdom_cache( void );
> > > -
> > > - /* The following definitions come from libsmb/trusts_util.c */
> > > -
> > > --NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
> > > -- const char *domain,
> > > -- const char *account_name,
> > > -- unsigned char orig_trust_passwd_hash[16],
> > > -- enum netr_SchannelType sec_channel_type);
> > > - NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > > - TALLOC_CTX *mem_ctx,
> > > - const char *domain) ;
> > > -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> > > -index 8a0e53d..428e0c1 100644
> > > ---- a/source3/libsmb/trusts_util.c
> > > -+++ b/source3/libsmb/trusts_util.c
> > > -@@ -29,20 +29,27 @@
> > > -
> > > - /*********************************************************
> > > - Change the domain password on the PDC.
> > > -- Store the password ourselves, but use the supplied password
> > > -- Caller must have already setup the connection to the NETLOGON pipe
> > > -+ Do most of the legwork ourselfs. Caller must have
> > > -+ already setup the connection to the NETLOGON pipe
> > > - **********************************************************/
> > > -
> > > --NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
> > > -- const char *domain,
> > > -- const char *account_name,
> > > -- unsigned char orig_trust_passwd_hash[16],
> > > -- enum netr_SchannelType sec_channel_type)
> > > -+NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ const char *domain)
> > > - {
> > > -+ unsigned char old_trust_passwd_hash[16];
> > > - unsigned char new_trust_passwd_hash[16];
> > > -+ enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
> > > -+ const char *account_name;
> > > - char *new_trust_passwd;
> > > - NTSTATUS nt_status;
> > > -
> > > -+ if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
> > > -+ &sec_channel_type)) {
> > > -+ DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
> > > -+ return NT_STATUS_UNSUCCESSFUL;
> > > -+ }
> > > -+
> > > - switch (sec_channel_type) {
> > > - case SEC_CHAN_WKSTA:
> > > - case SEC_CHAN_DOMAIN:
> > > -@@ -64,7 +71,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
> > > -
> > > - nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
> > > - account_name,
> > > -- orig_trust_passwd_hash,
> > > -+ old_trust_passwd_hash,
> > > - new_trust_passwd,
> > > - new_trust_passwd_hash,
> > > - sec_channel_type);
> > > -@@ -108,30 +115,3 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
> > > -
> > > - return nt_status;
> > > - }
> > > --
> > > --/*********************************************************
> > > -- Change the domain password on the PDC.
> > > -- Do most of the legwork ourselfs. Caller must have
> > > -- already setup the connection to the NETLOGON pipe
> > > --**********************************************************/
> > > --
> > > --NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- const char *domain)
> > > --{
> > > -- unsigned char old_trust_passwd_hash[16];
> > > -- enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
> > > -- const char *account_name;
> > > --
> > > -- if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
> > > -- &sec_channel_type)) {
> > > -- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
> > > -- return NT_STATUS_UNSUCCESSFUL;
> > > -- }
> > > --
> > > -- return trust_pw_change_and_store_it(cli, mem_ctx, domain,
> > > -- account_name,
> > > -- old_trust_passwd_hash,
> > > -- sec_channel_type);
> > > --}
> > > --
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From fdac5d6b0ed96f262830a3a923b9d2a42d7fd98d Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 20 Sep 2013 04:14:00 +0200
> > > -Subject: [PATCH 131/249] s4:librpc: make dcerpc_schannel_key_send/recv static
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source4/librpc/rpc/dcerpc_schannel.c | 4 ++--
> > > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
> > > -index 130ebeb..cd62508 100644
> > > ---- a/source4/librpc/rpc/dcerpc_schannel.c
> > > -+++ b/source4/librpc/rpc/dcerpc_schannel.c
> > > -@@ -306,7 +306,7 @@ static void continue_srv_auth2(struct tevent_req *subreq)
> > > - Initiate establishing a schannel key using netlogon challenge
> > > - on a secondary pipe
> > > - */
> > > --struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
> > > -+static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
> > > - struct dcerpc_pipe *p,
> > > - struct cli_credentials *credentials,
> > > - struct loadparm_context *lp_ctx)
> > > -@@ -369,7 +369,7 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
> > > - /*
> > > - Receive result of schannel key request
> > > - */
> > > --NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
> > > -+static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
> > > - {
> > > - NTSTATUS status = composite_wait(c);
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From de42a3f8b1a69a5abd5fb1a95e1c5f80ee68430e Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 20 Sep 2013 04:16:00 +0200
> > > -Subject: [PATCH 132/249] s4:librpc: let dcerpc_schannel_key_recv() return
> > > - netlogon_creds_CredentialState
> > > -
> > > -cli_credentials_set_netlogon_creds() should only be used directly before
> > > -a DCERPC bind in order to pass the session information to the
> > > -gensec layer.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source4/librpc/rpc/dcerpc_schannel.c | 24 +++++++++++++++---------
> > > - 1 file changed, 15 insertions(+), 9 deletions(-)
> > > -
> > > -diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
> > > -index cd62508..c4bedfa 100644
> > > ---- a/source4/librpc/rpc/dcerpc_schannel.c
> > > -+++ b/source4/librpc/rpc/dcerpc_schannel.c
> > > -@@ -296,9 +296,6 @@ static void continue_srv_auth2(struct tevent_req *subreq)
> > > - return;
> > > - }
> > > -
> > > -- /* setup current netlogon credentials */
> > > -- cli_credentials_set_netlogon_creds(s->credentials, s->creds);
> > > --
> > > - composite_done(c);
> > > - }
> > > -
> > > -@@ -369,10 +366,19 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
> > > - /*
> > > - Receive result of schannel key request
> > > - */
> > > --static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
> > > -+static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_CredentialState **creds)
> > > - {
> > > - NTSTATUS status = composite_wait(c);
> > > --
> > > -+
> > > -+ if (NT_STATUS_IS_OK(status)) {
> > > -+ struct schannel_key_state *s =
> > > -+ talloc_get_type_abort(c->private_data,
> > > -+ struct schannel_key_state);
> > > -+ *creds = talloc_move(mem_ctx, &s->creds);
> > > -+ }
> > > -+
> > > - talloc_free(c);
> > > - return status;
> > > - }
> > > -@@ -410,13 +416,15 @@ static void continue_schannel_key(struct composite_context *ctx)
> > > - NTSTATUS status;
> > > -
> > > - /* receive schannel key */
> > > -- status = c->status = dcerpc_schannel_key_recv(ctx);
> > > -+ status = c->status = dcerpc_schannel_key_recv(ctx, s, &s->creds_state);
> > > - if (!composite_is_ok(c)) {
> > > - DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
> > > - return;
> > > - }
> > > -
> > > - /* send bind auth request with received creds */
> > > -+ cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
> > > -+
> > > - auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
> > > - lpcfg_gensec_settings(c, s->lp_ctx),
> > > - DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
> > > -@@ -447,9 +455,6 @@ static void continue_bind_auth(struct composite_context *ctx)
> > > - &ndr_table_netlogon.syntax_id)) {
> > > - ZERO_STRUCT(s->return_auth);
> > > -
> > > -- s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
> > > -- if (composite_nomem(s->creds_state, c)) return;
> > > --
> > > - s->save_creds_state = *s->creds_state;
> > > - netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
> > > -
> > > -@@ -528,6 +533,7 @@ static void continue_get_capabilities(struct tevent_req *subreq)
> > > - }
> > > -
> > > - *s->creds_state = s->save_creds_state;
> > > -+ cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
> > > -
> > > - if (!NT_STATUS_IS_OK(s->c.out.result)) {
> > > - composite_error(c, s->c.out.result);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From f6a6e4e91b676461dc8b6dd5abca4120d9bf920a Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 20 Sep 2013 04:33:07 +0200
> > > -Subject: [PATCH 133/249] auth:credentials: avoid talloc_reference in
> > > - cli_credentials_set_netlogon_creds()
> > > -
> > > -Typically cli_credentials_set_netlogon_creds() should be used directly
> > > -before the DCERPC bind. And cli_credentials_get_netlogon_creds()
> > > -should be only used by the gensec layer, which only needs a copy.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - auth/credentials/credentials.c | 6 +++++-
> > > - 1 file changed, 5 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
> > > -index 57a7c0b..9ce38d0 100644
> > > ---- a/auth/credentials/credentials.c
> > > -+++ b/auth/credentials/credentials.c
> > > -@@ -814,7 +814,11 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
> > > - _PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
> > > - struct netlogon_creds_CredentialState *netlogon_creds)
> > > - {
> > > -- cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
> > > -+ TALLOC_FREE(cred->netlogon_creds);
> > > -+ if (netlogon_creds == NULL) {
> > > -+ return;
> > > -+ }
> > > -+ cred->netlogon_creds = netlogon_creds_copy(cred, netlogon_creds);
> > > - }
> > > -
> > > - /**
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 14b9bb276a798ad71776ebcb698afeeb44aa173a Mon Sep 17 00:00:00 2001
> > > -From: Volker Lendecke <vl@samba.org>
> > > -Date: Sat, 9 Nov 2013 19:14:15 +0100
> > > -Subject: [PATCH 134/249] libsmb: Fix CID 1127343 Dead default in switch
> > > -
> > > -We have checked sec_channel_type a few lines above already
> > > -
> > > -Signed-off-by: Volker Lendecke <vl@samba.org>
> > > -Reviewed-by: Ira Cooper <ira@samba.org>
> > > -(cherry picked from commit 1cae867f72b79995a02eed96265fe9f69ce945da)
> > > ----
> > > - source3/libsmb/trusts_util.c | 2 --
> > > - 1 file changed, 2 deletions(-)
> > > -
> > > -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> > > -index 428e0c1..52fb481 100644
> > > ---- a/source3/libsmb/trusts_util.c
> > > -+++ b/source3/libsmb/trusts_util.c
> > > -@@ -108,8 +108,6 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > > - }
> > > - break;
> > > - }
> > > -- default:
> > > -- break;
> > > - }
> > > - }
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From efb32bbe25d534f69aca03e0945220cb5049c366 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 29 Nov 2013 09:46:01 +0100
> > > -Subject: [PATCH 135/249] s3:rpc_server: use make_session_info_guest() directly
> > > -
> > > -This removes the useless static auth_anonymous_session_info() wrapper.
> > > -
> > > -auth_anonymous_session_info() is also a public function in source4.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit ae6720117ae5fb3c922486ce46e2b0d51e020301)
> > > ----
> > > - source3/rpc_server/rpc_server.c | 22 ++++++----------------
> > > - 1 file changed, 6 insertions(+), 16 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
> > > -index de54ddc..c3a7f28 100644
> > > ---- a/source3/rpc_server/rpc_server.c
> > > -+++ b/source3/rpc_server/rpc_server.c
> > > -@@ -37,19 +37,6 @@
> > > - #define SERVER_TCP_LOW_PORT 1024
> > > - #define SERVER_TCP_HIGH_PORT 1300
> > > -
> > > --static NTSTATUS auth_anonymous_session_info(TALLOC_CTX *mem_ctx,
> > > -- struct auth_session_info **session_info)
> > > --{
> > > -- NTSTATUS status;
> > > --
> > > -- status = make_session_info_guest(mem_ctx, session_info);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > --
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > - /* Creates a pipes_struct and initializes it with the information
> > > - * sent from the client */
> > > - static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
> > > -@@ -1067,11 +1054,14 @@ void dcerpc_ncacn_accept(struct tevent_context *ev_ctx,
> > > - }
> > > -
> > > - if (ncacn_conn->session_info == NULL) {
> > > -- status = auth_anonymous_session_info(ncacn_conn,
> > > -- &ncacn_conn->session_info);
> > > -+ /*
> > > -+ * TODO: use auth_anonymous_session_info() here?
> > > -+ */
> > > -+ status = make_session_info_guest(ncacn_conn,
> > > -+ &ncacn_conn->session_info);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(2, ("Failed to create "
> > > -- "auth_anonymous_session_info - %s\n",
> > > -+ "make_session_info_guest - %s\n",
> > > - nt_errstr(status)));
> > > - talloc_free(ncacn_conn);
> > > - return;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 215d591403e63b785308ff5d6b2e3c87ad9ee408 Mon Sep 17 00:00:00 2001
> > > -From: Garming Sam <garming@catalyst.net.nz>
> > > -Date: Fri, 29 Nov 2013 16:51:08 +1300
> > > -Subject: [PATCH 136/249] selftest: add new rpc client test
> > > -
> > > -Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
> > > -
> > > -Signed-off-by: Garming Sam <garming@catalyst.net.nz>
> > > -Signed-off-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 0e46205ff83d137ca486868e4376b258b6dfa1a2)
> > > ----
> > > - source3/script/tests/test_rpcclient_samlogon.sh | 27 +++++++++++++++++++++++++
> > > - source3/selftest/tests.py | 2 ++
> > > - 2 files changed, 29 insertions(+)
> > > - create mode 100755 source3/script/tests/test_rpcclient_samlogon.sh
> > > -
> > > -diff --git a/source3/script/tests/test_rpcclient_samlogon.sh b/source3/script/tests/test_rpcclient_samlogon.sh
> > > -new file mode 100755
> > > -index 0000000..01af7f8
> > > ---- /dev/null
> > > -+++ b/source3/script/tests/test_rpcclient_samlogon.sh
> > > -@@ -0,0 +1,27 @@
> > > -+#!/bin/sh
> > > -+
> > > -+if [ $# -lt 3 ]; then
> > > -+cat <<EOF
> > > -+Usage: test_rpcclient_samlogon.sh USERNAME PASSWORD binding <rpcclient commands>
> > > -+EOF
> > > -+exit 1;
> > > -+fi
> > > -+
> > > -+USERNAME="$1"
> > > -+PASSWORD="$2"
> > > -+shift 2
> > > -+ADDARGS="$*"
> > > -+
> > > -+rpcclient_samlogon()
> > > -+{
> > > -+ $VALGRIND $BINDIR/rpcclient -U% -c "samlogon $USERNAME $PASSWORD;samlogon $USERNAME $PASSWORD" $@
> > > -+}
> > > -+
> > > -+
> > > -+incdir=`dirname $0`/../../../testprogs/blackbox
> > > -+. $incdir/subunit.sh
> > > -+testit "rpcclient dsenumdomtrusts" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "dsenumdomtrusts" || failed=`expr $failed + 1`
> > > -+testit "rpcclient getdcsitecoverage" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "getdcsitecoverage" || failed=`expr $failed + 1`
> > > -+testit "rpcclient samlogon" rpcclient_samlogon $ADDARGS || failed=`expr $failed +1`
> > > -+
> > > -+testok $0 $failed
> > > -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
> > > -index 85d67d6..f9cc3d1 100755
> > > ---- a/source3/selftest/tests.py
> > > -+++ b/source3/selftest/tests.py
> > > -@@ -394,6 +394,8 @@ for s in signseal_options:
> > > - plantestsuite("samba3.blackbox.rpcclient krb5 ncacn_np with [%s%s%s] " % (a, s, e), "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient.sh"),
> > > - "$PREFIX/ktest/krb5_ccache-3", binding_string, "-k", configuration])
> > > -
> > > -+plantestsuite("samba3.blackbox.rpcclient_samlogon", "s3member:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"),
> > > -+ "$DC_USERNAME", "$DC_PASSWORD", "ncacn_np:$DC_SERVER", configuration])
> > > -
> > > - options_list = ["", "-e"]
> > > - for options in options_list:
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 05251d449931c29a0bb0c0b8ad194253dc5b66cb Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 29 Nov 2013 08:45:38 +0100
> > > -Subject: [PATCH 137/249] s3:rpcclient: close the connection if setting up the
> > > - netlogon secure channel fails
> > > -
> > > -This is based on a patch from Garming Sam <garming@catalyst.net.nz>.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 2fae806550f3355298541a344b217bf810bf92e4)
> > > ----
> > > - source3/rpcclient/rpcclient.c | 5 +++++
> > > - 1 file changed, 5 insertions(+)
> > > -
> > > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > > -index cb7b70f..0cbec20 100644
> > > ---- a/source3/rpcclient/rpcclient.c
> > > -+++ b/source3/rpcclient/rpcclient.c
> > > -@@ -768,6 +768,10 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - trust_password, &machine_account,
> > > - &sec_channel_type))
> > > - {
> > > -+ DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
> > > -+ get_cmdline_auth_info_domain(auth_info),
> > > -+ cmd_entry->table->name));
> > > -+ TALLOC_FREE(cmd_entry->rpc_pipe);
> > > - talloc_free(mem_ctx);
> > > - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > - }
> > > -@@ -784,6 +788,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - if (!NT_STATUS_IS_OK(ntresult)) {
> > > - DEBUG(0, ("Could not initialise credentials for %s.\n",
> > > - cmd_entry->table->name));
> > > -+ TALLOC_FREE(cmd_entry->rpc_pipe);
> > > - talloc_free(mem_ctx);
> > > - return ntresult;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 8d3336b9a61a185a4194313fec338321fed6b151 Mon Sep 17 00:00:00 2001
> > > -From: Garming Sam <garming@catalyst.net.nz>
> > > -Date: Mon, 2 Dec 2013 13:20:39 +1300
> > > -Subject: [PATCH 138/249] selftest: add new credential change test
> > > -
> > > -Signed-off-by: Garming Sam <garming@catalyst.net.nz>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 48820b95285f7dffd827143ba56f432f3e283a6f)
> > > ----
> > > - source3/script/tests/test_net_cred_change.sh | 16 ++++++++++++++++
> > > - source3/selftest/tests.py | 3 +++
> > > - 2 files changed, 19 insertions(+)
> > > - create mode 100755 source3/script/tests/test_net_cred_change.sh
> > > -
> > > -diff --git a/source3/script/tests/test_net_cred_change.sh b/source3/script/tests/test_net_cred_change.sh
> > > -new file mode 100755
> > > -index 0000000..9013d07
> > > ---- /dev/null
> > > -+++ b/source3/script/tests/test_net_cred_change.sh
> > > -@@ -0,0 +1,16 @@
> > > -+#!/bin/sh
> > > -+
> > > -+if [ $# -lt 1 ]; then
> > > -+cat <<EOF
> > > -+Usage: test_net_cred_change.sh CONFIGURATION
> > > -+EOF
> > > -+exit 1;
> > > -+fi
> > > -+
> > > -+incdir=`dirname $0`/../../../testprogs/blackbox
> > > -+. $incdir/subunit.sh
> > > -+testit "first change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
> > > -+testit "first join" $VALGRIND $BINDIR/net rpc testjoin $@ || failed =`expr $failed + 1`
> > > -+testit "second change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
> > > -+
> > > -+testok $0 $failed
> > > -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
> > > -index f9cc3d1..aac1bbb 100755
> > > ---- a/source3/selftest/tests.py
> > > -+++ b/source3/selftest/tests.py
> > > -@@ -165,6 +165,9 @@ for env in ["s3dc", "member", "s3member"]:
> > > -
> > > - plantestsuite("samba3.ntlm_auth.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_s3.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', configuration])
> > > -
> > > -+for env in ["member", "s3member"]:
> > > -+ plantestsuite("samba3.blackbox.net_cred_change.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_net_cred_change.sh"), configuration])
> > > -+
> > > - env = "s3member"
> > > - t = "--krb5auth=$DOMAIN\\\\$DC_USERNAME%$DC_PASSWORD"
> > > - plantestsuite("samba3.wbinfo_s3.(%s:local).%s" % (env, t), "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_wbinfo_s3.sh"), t])
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4b97cece12602437f3a2c9a395f5ed62cc00c0c4 Mon Sep 17 00:00:00 2001
> > > -From: Garming Sam <garming@catalyst.net.nz>
> > > -Date: Mon, 23 Dec 2013 17:12:39 +1300
> > > -Subject: [PATCH 139/249] selftest: add rodc and other env tests for wbinfo
> > > -
> > > -Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
> > > -Signed-off-by: Garming Sam <garming@catalyst.net.nz>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > > -Autobuild-Date(master): Mon Dec 23 17:17:39 CET 2013 on sn-devel-104
> > > -(cherry picked from commit 819e1f561df5074ae21db77c6558b34f4b0e1351)
> > > ----
> > > - source4/selftest/tests.py | 4 ++--
> > > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
> > > -index e738d1d9..c3a33c7 100755
> > > ---- a/source4/selftest/tests.py
> > > -+++ b/source4/selftest/tests.py
> > > -@@ -309,8 +309,8 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
> > > - plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
> > > - plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
> > > - plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
> > > --plantestsuite("samba4.blackbox.wbinfo(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "dc"])
> > > --plantestsuite("samba4.blackbox.wbinfo(s4member:local)", "s4member:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', "s4member"])
> > > -+for env in ["dc", "s4member", "rodc", "promoted_dc"]:
> > > -+ plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
> > > - plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
> > > - plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
> > > - plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 689deff949e8ce9b6aa900e7b0c714d5a025d516 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 17 Dec 2013 19:35:37 +0100
> > > -Subject: [PATCH 140/249] libcli/auth: set the return_authenticator->timestamp
> > > - = 0
> > > -
> > > -This is what windows returns, the value is ignored by the client anyway.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 202bcf9096e53d94b294936d6144ae77f1536b72)
> > > ----
> > > - libcli/auth/credentials.c | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > > -index 1f664d3..197db86 100644
> > > ---- a/libcli/auth/credentials.c
> > > -+++ b/libcli/auth/credentials.c
> > > -@@ -479,7 +479,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
> > > - netlogon_creds_step(creds);
> > > - if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
> > > - return_authenticator->cred = creds->server;
> > > -- return_authenticator->timestamp = creds->sequence;
> > > -+ return_authenticator->timestamp = 0;
> > > - return NT_STATUS_OK;
> > > - } else {
> > > - ZERO_STRUCTP(return_authenticator);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From fe8a979787c9528bb3b403272be3dc6a313bbebd Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 17 Dec 2013 19:40:15 +0100
> > > -Subject: [PATCH 141/249] libcli/auth: remove bogus comment regarding replay
> > > - attacks
> > > -
> > > -creds->sequence (timestamp) is the value that is used to increment the internal
> > > -state, it's not a real sequence number. The sequence comes
> > > -from adding all timestamps of the whole session.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 636daac3b7b08ccb8845dab060157918d296ef67)
> > > ----
> > > - libcli/auth/credentials.c | 2 --
> > > - 1 file changed, 2 deletions(-)
> > > -
> > > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > > -index 197db86..afb4a04 100644
> > > ---- a/libcli/auth/credentials.c
> > > -+++ b/libcli/auth/credentials.c
> > > -@@ -473,8 +473,6 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
> > > - return NT_STATUS_ACCESS_DENIED;
> > > - }
> > > -
> > > -- /* TODO: this may allow the a replay attack on a non-signed
> > > -- connection. Should we check that this is increasing? */
> > > - creds->sequence = received_authenticator->timestamp;
> > > - netlogon_creds_step(creds);
> > > - if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 1f6a52bb1f756be05e28dc9e16725ac73b005d00 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 17 Dec 2013 19:55:12 +0100
> > > -Subject: [PATCH 142/249] libcli/auth: try to use the current timestamp
> > > - creds->sequence
> > > -
> > > -If the last usage of netlogon_creds_client_authenticator()
> > > -is in the past try to use the current timestamp and increment
> > > -more than just 2.
> > > -
> > > -If we use netlogon_creds_client_authenticator() a lot within a
> > > -second, we increment keep incrementing by 2.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -
> > > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > > -Autobuild-Date(master): Tue Dec 24 13:18:18 CET 2013 on sn-devel-104
> > > -(cherry picked from commit e6afeae69537f55ed187b28b60ad29b9e237ec6e)
> > > ----
> > > - libcli/auth/credentials.c | 22 ++++++++++++++++++++++
> > > - 1 file changed, 22 insertions(+)
> > > -
> > > -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
> > > -index afb4a04..f52538a 100644
> > > ---- a/libcli/auth/credentials.c
> > > -+++ b/libcli/auth/credentials.c
> > > -@@ -344,7 +344,29 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA
> > > - void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
> > > - struct netr_Authenticator *next)
> > > - {
> > > -+ uint32_t t32n = (uint32_t)time(NULL);
> > > -+
> > > -+ /*
> > > -+ * we always increment and ignore an overflow here
> > > -+ */
> > > - creds->sequence += 2;
> > > -+
> > > -+ if (t32n > creds->sequence) {
> > > -+ /*
> > > -+ * we may increment more
> > > -+ */
> > > -+ creds->sequence = t32n;
> > > -+ } else {
> > > -+ uint32_t d = creds->sequence - t32n;
> > > -+
> > > -+ if (d >= INT32_MAX) {
> > > -+ /*
> > > -+ * got an overflow of time_t vs. uint32_t
> > > -+ */
> > > -+ creds->sequence = t32n;
> > > -+ }
> > > -+ }
> > > -+
> > > - netlogon_creds_step(creds);
> > > -
> > > - next->cred = creds->client;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 1cc32f5bf176a6daba93603a5b9aa4fc4fe42479 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 3 Jan 2014 12:56:38 +0100
> > > -Subject: [PATCH 143/249] s4:selftest: run wbinfo tests at the end...
> > > -
> > > -This avoids flakey crashes in the promoted_dc environment.
> > > -
> > > -See the examples below, we had up to 50% of the daily build failing...
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -
> > > -https://git.samba.org/autobuild.flakey/2013-12-23-1942/samba.stdout
> > > -
> > > - [1586/1594 in 1h39m20s] samba4.drs.fsmo.python(promoted_dc)
> > > - Testing for schema role transfer from localdc.samba.example.com to PROMOTEDVDC.samba.example.com
> > > - FSMO transfer of 'schema' role successful
> > > - Testing for schema role transfer from PROMOTEDVDC.samba.example.com to localdc.samba.example.com
> > > - ERROR: Failed to initiate transfer of 'schema' role: LDAP error 52 LDAP_UNAVAILABLE - <Failed FSMO transfer: WERR_DS_DRA_INTERNAL_ERROR> <>
> > > - UNEXPECTED(failure): samba4.drs.fsmo.python(promoted_dc).fsmo.DrsFsmoTestCase.test_SchemaMasterTransfer(promoted_dc)
> > > - REASON: _StringException: _StringException: Content-Type: text/x-traceback;charset=utf8,language=python
> > > - traceback
> > > - 380
> > > -
> > > -https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stdout
> > > -
> > > - [1583/1594 in 1h36m4s] samba.tests.blackbox.samba_tool_drs
> > > - ERROR: Testsuite[samba.tests.blackbox.samba_tool_drs]
> > > - REASON: unable to set up environment promoted_dc - exiting
> > > -
> > > -https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stderr
> > > -
> > > - Unable to convert 1.2.840.86419.1.5.9939 to an attid, and can_change_pfm=false!
> > > - Unable to convert governsID on CN=test-class30318,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com to DRS object - WERR_NOT_FOUND
> > > - ../source4/rpc_server/drsuapi/getncchanges.c:1646: DsGetNCChanges 2nd replication on different DN CN=Configuration,DC=samba,DC=example,DC=com CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com (last_dn CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com)
> > > - ===============================================================
> > > - INTERNAL ERROR: Signal 11 in pid 884274 (4.2.0pre1-DEVELOPERBUILD)
> > > - Please read the Trouble-Shooting section of the Samba HOWTO
> > > - ===============================================================
> > > - smb_panic(): calling panic action [/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274]
> > > - [Thread debugging using libthread_db enabled]
> > > - 0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
> > > - stat_loc=0x7fff67c7709c, options=<value optimized out>)
> > > - at ../sysdeps/unix/sysv/linux/waitpid.c:32
> > > - 32 ../sysdeps/unix/sysv/linux/waitpid.c: No such file or directory.
> > > - in ../sysdeps/unix/sysv/linux/waitpid.c
> > > - #0 0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
> > > - stat_loc=0x7fff67c7709c, options=<value optimized out>)
> > > - at ../sysdeps/unix/sysv/linux/waitpid.c:32
> > > - oldtype = <value optimized out>
> > > - result = <value optimized out>
> > > - #1 0x00002af6b5baeb39 in do_system (line=<value optimized out>)
> > > - at ../sysdeps/posix/system.c:149
> > > - __result = -512
> > > - _buffer = {__routine = 0x2af6b5baee90 <cancel_handler>,
> > > - __arg = 0x7fff67c77098, __canceltype = 0, __prev = 0x0}
> > > - _avail = 1
> > > - status = <value optimized out>
> > > - save = <value optimized out>
> > > - pid = 886733
> > > - sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1},
> > > - sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0,
> > > - sa_restorer = 0x2af6b5b730f0}
> > > - omask = {__val = {7808, 4294967295, 140734934511616, 1, 2195512, 0,
> > > - 0, 0, 47239032274944, 47239027992529, 140733193388033, 0, 0,
> > > - 47239099003120, 140734934511792, 47239558787328}}
> > > - #2 0x00002af6b311821f in smb_panic_default (
> > > - why=0x2af6b312a875 "internal error") at ../lib/util/fault.c:134
> > > - result = 32767
> > > - pidstr = "884274\000\000\001\375\376\320\366*\000\000\260\377\377\377"
> > > - cmdstring = "/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274\000\307g\377\177\000\000\001\000\000\000\000\000\000\000\320\301#", '\000' <repeats 30 times>"\240, \017\263\366*\000\000\321\247{\261\366*\000\000\001\000\000\000\005", '\000' <repeats 11 times>"\260, \016\v\321\366*\000\000X\351\017\263\366*\000\000\260q\307g\377\177\000\000\000\361\036\321\366*\000\000\020r\307g\377\177\000\000\240\301z\326\366*\000\000\000Z\304\320\366*\000"
> > > - __FUNCTION__ = "smb_panic_default"
> > > - #3 0x00002af6b31183b5 in smb_panic (why=0x2af6b312a875 "internal error")
> > > - at ../lib/util/fault.c:162
> > > - No locals.
> > > - #4 0x00002af6b311809f in fault_report (sig=11) at ../lib/util/fault.c:77
> > > - counter = 1
> > > - __FUNCTION__ = "fault_report"
> > > - #5 0x00002af6b31180b4 in sig_fault (sig=11) at ../lib/util/fault.c:88
> > > - No locals.
> > > - #6 <signal handler called>
> > > - No symbol table info available.
> > > - #7 0x00002af6cabef930 in replmd_check_urgent_objectclass (
> > > - objectclass_el=0x0, situation=REPL_URGENT_ON_UPDATE)
> > > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:205
> > > - i = 2
> > > - j = 0
> > > - #8 0x00002af6cabf29b6 in replmd_update_rpmd (module=0x2af6b17f2c20,
> > > - schema=0x2af6d05e5570, req=0x2af6d05e8ad0, rename_attrs=0x0,
> > > - msg=0x2af6d11ef100, seq_num=0x2af6d0c315b8, t=1387895162,
> > > - is_urgent=0x7fff67c778bf, rodc=0x7fff67c778be)
> > > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1432
> > > - omd_value = 0x7fff67c77810
> > > - ndr_err = 3508465920
> > > - omd = {version = 1741125552, reserved = 32767, ctr = {ctr1 = {
> > > - count = 3008684740, reserved = 10998, array = 0x7fff67c777b0}}}
> > > - i = 10998
> > > - now = 130323687620000000
> > > - our_invocation_id = 0x2af6d1796390
> > > - ret = 0
> > > - attrs = 0x7fff67c77750
> > > - attrs1 = {0x2af6cabff775 "replPropertyMetaData", 0x2af6cabffc8b "*",
> > > - 0x0}
> > > - attrs2 = {0x2af6cabff76a "uSNChanged", 0x2af6cabffa98 "objectClass",
> > > - 0x2af6cabffc8d "instanceType", 0x0}
> > > - res = 0x2af6d10b0eb0
> > > - ldb = 0x2af6b17f2470
> > > - objectclass_el = 0x0
> > > - situation = REPL_URGENT_ON_UPDATE
> > > - rmd_is_provided = false
> > > - __FUNCTION__ = "replmd_update_rpmd"
> > > - #9 0x00002af6cabf5a06 in replmd_modify (module=0x2af6b17f2c20,
> > > - req=0x2af6d05e8ad0)
> > > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:2455
> > > - msds_intid_struct = 0x2af6d05e8ad0
> > > - ldb = 0x2af6b17f2470
> > > - ac = 0x2af6d0c31580
> > > - down_req = 0x2af6d0e6a100
> > > - msg = 0x2af6d11ef100
> > > - t = 1387895162
> > > - ret = 1741125936
> > > - is_urgent = false
> > > - rodc = false
> > > - functional_level = 3
> > > - guid_blob = 0x0
> > > - sd_propagation_control = 0x0
> > > - #10 0x00002af6bf69f94d in dsdb_module_modify (module=0x2af6b17f2c20,
> > > - message=0x2af6d1183fe0, dsdb_flags=4194304, parent=0x2af6ce6ea980)
> > > - at ../source4/dsdb/samdb/ldb_modules/util.c:460
> > > - ops = 0x2af6cae06b40
> > > - mod_req = 0x2af6d05e8ad0
> > > - ret = 0
> > > - ldb = 0x2af6b17f2470
> > > - tmp_ctx = 0x2af6d0ed62f0
> > > - res = 0x2af6d0e6a100
> > > - __FUNCTION__ = "dsdb_module_modify"
> > > - #11 0x00002af6cabf7ebc in replmd_delete_internals (module=0x2af6b17f2c20,
> > > - req=0x2af6ce6ea980, re_delete=true)
> > > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3309
> > > - ret = 0
> > > - retb = true
> > > - disallow_move_on_delete = false
> > > - old_dn = 0x2af6d6a2a010
> > > - new_dn = 0x2af6d0794a90
> > > - rdn_name = 0x2af6d0885c10 "CN"
> > > - rdn_value = 0x2af6d10d7368
> > > - new_rdn_value = 0x2af6d0c45a00
> > > - guid = {time_low = 48, time_mid = 0, time_hi_and_version = 0,
> > > - clock_seq = "\200\251", node = "n\316\366*\000"}
> > > - ldb = 0x2af6b17f2470
> > > - schema = 0x2af6d05e5570
> > > - msg = 0x2af6d1183fe0
> > > - old_msg = 0x2af6d1902800
> > > - el = 0x2af6d0874900
> > > - tmp_ctx = 0x2af6d0b77560
> > > - res = 0x2af6d0d57980
> > > - parent_res = 0x30
> > > - preserved_attrs = {0x2af6cac00fe1 "nTSecurityDescriptor",
> > > - 0x2af6cac055c3 "attributeID", 0x2af6cac055cf "attributeSyntax",
> > > - 0x2af6cac055df "dNReferenceUpdate", 0x2af6cac055f1 "dNSHostName",
> > > - 0x2af6cac055fd "flatName", 0x2af6cac05606 "governsID",
> > > - 0x2af6cac05610 "groupType", 0x2af6cabffc8d "instanceType",
> > > - 0x2af6cac0561a "lDAPDisplayName",
> > > - 0x2af6cac0562a "legacyExchangeDN", 0x2af6cabfe94d "isDeleted",
> > > - 0x2af6cabfe957 "isRecycled", 0x2af6cac020f8 "lastKnownParent",
> > > - 0x2af6cac021e8 "msDS-LastKnownRDN",
> > > - 0x2af6cac0563b "mS-DS-CreatorSID", 0x2af6cac0564c "mSMQOwnerID",
> > > - 0x2af6cac05658 "nCName", 0x2af6cabffa98 "objectClass",
> > > - 0x2af6cac0565f "distinguishedName", 0x2af6cabff5b5 "objectGUID",
> > > - 0x2af6cac05671 "objectSid", 0x2af6cac0567b "oMSyntax",
> > > - 0x2af6cac05684 "proxiedObjectName", 0x2af6cac014d8 "name",
> > > - 0x2af6cabff775 "replPropertyMetaData",
> > > - 0x2af6cac05696 "sAMAccountName",
> > > - 0x2af6cac056a5 "securityIdentifier", 0x2af6cac056b8 "sIDHistory",
> > > - 0x2af6cac056c3 "subClassOf", 0x2af6cac01ba8 "systemFlags",
> > > - 0x2af6cac056ce "trustPartner", 0x2af6cac056db "trustDirection",
> > > - 0x2af6cac056ea "trustType", 0x2af6cac056f4 "trustAttributes",
> > > - 0x2af6cabfe9b8 "userAccountControl", 0x2af6cabff76a "uSNChanged",
> > > - 0x2af6cabff75f "uSNCreated", 0x2af6cabff747 "whenCreated",
> > > - 0x2af6cabff753 "whenChanged", 0x0}
> > > - i = 12
> > > - el_count = 1
> > > - deletion_state = OBJECT_TOMBSTONE
> > > - next_deletion_state = OBJECT_TOMBSTONE
> > > - __FUNCTION__ = "replmd_delete_internals"
> > > - #12 0x00002af6cabfbbe3 in replmd_replicated_apply_isDeleted (
> > > - ar=0x2af6d74c0b40)
> > > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4718
> > > - del_req = 0x2af6ce6ea980
> > > - res = 0x2af6d0cdebf0
> > > - tmp_ctx = 0x2af6d0949230
> > > - deleted_objects_dn = 0x2af6d1a49f00
> > > - msg = 0x2af6d0a39620
> > > - ret = 0
> > > - #13 0x00002af6cabf0766 in replmd_op_callback (req=0x2af6d05a21e0,
> > > - ares=0x2af6d0d715c0)
> > > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:526
> > > - ret = 10998
> > > - ac = 0x2af6d74c0b40
> > > - replmd_private = 0x2af6b188c7c0
> > > - modified_partition = 0x2af6d141b670
> > > - partition_ctrl = 0x2af6d1905f40
> > > - partition = 0x2af6ce6bdbe0
> > > - controls = 0x0
> > > - __FUNCTION__ = "replmd_op_callback"
> > > - #14 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
> > > - ctrls=0x2af6d1629aa0, response=0x0, error=0)
> > > - at ../lib/ldb/common/ldb_modules.c:832
> > > - ares = 0x2af6d0d715c0
> > > - #15 0x00002af6cabf896b in replmd_op_possible_conflict_callback (
> > > - req=0x2af6d05a21e0, ares=0x2af6b1883eb0,
> > > - callback=0x2af6cabf0334 <replmd_op_callback>)
> > > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3606
> > > - conflict_dn = 0x2af6cac03470
> > > - ar = 0x2af6d74c0b40
> > > - res = 0x2af6b354f89b
> > > - attrs = {0x2af6cabff775 "replPropertyMetaData",
> > > - 0x2af6cabff5b5 "objectGUID", 0x0}
> > > - ret = -682882240
> > > - omd_value = 0x7fff67c77e20
> > > - omd = {version = 1741127104, reserved = 32767, ctr = {ctr1 = {
> > > - count = 0, reserved = 0, array = 0x28}}}
> > > - rmd = 0x2af6d74c0ae0
> > > - ndr_err = 10998
> > > - rename_incoming_record = false
> > > - rodc = false
> > > - rmd_name = 0x7fff67c77e10
> > > - omd_name = 0x2af6d74c0b40
> > > - msg = 0x2af6b1883e50
> > > - __FUNCTION__ = "replmd_op_possible_conflict_callback"
> > > - #16 0x00002af6cabf93fb in replmd_op_add_callback (req=0x2af6d05a21e0,
> > > - ares=0x2af6b1883eb0)
> > > - at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3802
> > > - ar = 0x2af6d74c0b40
> > > - #17 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
> > > - ctrls=0x2af6d1629aa0, response=0x0, error=0)
> > > - at ../lib/ldb/common/ldb_modules.c:832
> > > - ares = 0x2af6b1883eb0
> > > - #18 0x00002af6ca3c8b6a in partition_req_callback (req=0x2af6d087a1e0,
> > > - ares=0x2af6d05a1fa0) at ../source4/dsdb/samdb/ldb_modules/partition.c:213
> > > - ac = 0x2af6d0949370
> > > - module = 0x2af6cd27bf12
> > > - nreq = 0x2af6d05b67b0
> > > - ret = 0
> > > - partition_ctrl = 0x2af6d0d71740
> > > - #19 0x00002af6cd2752ab in ltdb_request_done (ctx=0x2af6d1cd7ed0, error=0)
> > > - at ../lib/ldb/ldb_tdb/ldb_tdb.c:1280
> > > - ldb = 0x2af6b17f2470
> > > - req = 0x2af6d087a1e0
> > > - ares = 0x2af6d05a1fa0
> > > - #20 0x00002af6cd275597 in ltdb_callback (ev=0x2af6b17ef8c0,
> > > - te=0x2af6d17f75d0, t=..., private_data=0x2af6d1cd7ed0)
> > > - at ../lib/ldb/ldb_tdb/ldb_tdb.c:1390
> > > - ctx = 0x2af6d1cd7ed0
> > > - ret = 0
> > > - #21 0x00002af6b3343259 in tevent_common_loop_timer_delay (ev=0x2af6b17ef8c0)
> > > - at ../lib/tevent/tevent_timed.c:341
> > > - current_time = {tv_sec = 0, tv_usec = 0}
> > > - te = 0x2af6d17f75d0
> > > - #22 0x00002af6b334558a in epoll_event_loop_once (ev=0x2af6b17ef8c0,
> > > - location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
> > > - at ../lib/tevent/tevent_epoll.c:912
> > > - epoll_ev = 0x2af6b17efb00
> > > - tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
> > > - panic_triggered = false
> > > - #23 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
> > > - location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
> > > - at ../lib/tevent/tevent_standard.c:112
> > > - glue_ptr = 0x2af6b17ef9b0
> > > - glue = 0x2af6b17ef9b0
> > > - ret = 10998
> > > - #24 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
> > > - location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
> > > - at ../lib/tevent/tevent.c:530
> > > - ret = 0
> > > - nesting_stack_ptr = 0x0
> > > - #25 0x00002af6b1e154c4 in ldb_wait (handle=0x2af6d67624c0, type=LDB_WAIT_ALL)
> > > - at ../lib/ldb/common/ldb.c:621
> > > - ev = 0x2af6b17ef8c0
> > > - ret = 0
> > > - #26 0x00002af6b1e1786b in ldb_extended (ldb=0x2af6b17f2470,
> > > - oid=0x2af6b4c4f9ce "1.3.6.1.4.1.7165.4.4.1", data=0x2af6d0e2bc60,
> > > - _res=0x7fff67c78240) at ../lib/ldb/common/ldb.c:1506
> > > - req = 0x2af6d0c45a00
> > > - ret = 0
> > > - res = 0x2af6d69238f0
> > > - #27 0x00002af6b4c4a0d6 in dsdb_replicated_objects_commit (ldb=0x2af6b17f2470,
> > > - working_schema=0x0, objects=0x2af6d0e2bc60, notify_uSN=0x2af6d14a65f0)
> > > - at ../source4/dsdb/repl/replicated_objects.c:773
> > > - werr = {w = 0}
> > > - ext_res = 0x0
> > > - cur_schema = 0x0
> > > - new_schema = 0x0
> > > - ret = 0
> > > - seq_num1 = 5554
> > > - seq_num2 = 47239626746464
> > > - used_global_schema = false
> > > - tmp_ctx = 0x2af6d03c5860
> > > - __FUNCTION__ = "dsdb_replicated_objects_commit"
> > > - #28 0x00002af6c1c6babb in dreplsrv_op_pull_source_apply_changes_trigger (
> > > - req=0x2af6d17daed0, r=0x2af6d17db0d0, ctr_level=6, ctr1=0x0,
> > > - ctr6=0x2af6d1b02bb0) at ../source4/dsdb/repl/drepl_out_helpers.c:717
> > > - state = 0x2af6d17db050
> > > - rf1 = {blobsize = 274, consecutive_sync_failures = 0,
> > > - last_success = 130323684670000000,
> > > - last_attempt = 130323687610000000, result_last_attempt = {w = 0},
> > > - other_info = 0x2af6d0949910, other_info_length = 66,
> > > - replica_flags = 112, schedule = '\021' <repeats 84 times>,
> > > - reserved = 0, highwatermark = {tmp_highest_usn = 12398,
> > > - reserved_usn = 0, highest_usn = 12398}, source_dsa_obj_guid = {
> > > - time_low = 984092159, time_mid = 850,
> > > - time_hi_and_version = 18870, clock_seq = "\251X",
> > > - node = "UF\324\223\205\241"}, source_dsa_invocation_id = {
> > > - time_low = 1460694408, time_mid = 52035,
> > > - time_hi_and_version = 18738, clock_seq = "\204}",
> > > - node = "\264\365\276\372\256\303"}, transport_guid = {
> > > - time_low = 0, time_mid = 0, time_hi_and_version = 0,
> > > - clock_seq = "\000", node = "\000\000\000\000\000"}}
> > > - service = 0x2af6d0ff6b00
> > > - partition = 0x2af6d0b6f220
> > > - drsuapi = 0x2af6d1c8d480
> > > - schema = 0x2af6d05e5570
> > > - working_schema = 0x0
> > > - mapping_ctr = 0x2af6d1b02c10
> > > - object_count = 50
> > > - first_object = 0x2af6d0571800
> > > - linked_attributes_count = 0
> > > - linked_attributes = 0x2af6d5212140
> > > - uptodateness_vector = 0x2af6d1a741c0
> > > - objects = 0x2af6d0e2bc60
> > > - more_data = false
> > > - status = {w = 0}
> > > - nt_status = {v = 3006553120}
> > > - dsdb_repl_flags = 0
> > > - __FUNCTION__ = "dreplsrv_op_pull_source_apply_changes_trigger"
> > > - #29 0x00002af6c1c6b3e7 in dreplsrv_op_pull_source_get_changes_done (
> > > - subreq=0x0) at ../source4/dsdb/repl/drepl_out_helpers.c:599
> > > - req = 0x2af6d17daed0
> > > - state = 0x2af6d17db050
> > > - status = {v = 0}
> > > - r = 0x2af6d17db0d0
> > > - ctr_level = 6
> > > - ctr1 = 0x0
> > > - ctr6 = 0x2af6d1b02bb0
> > > - extended_ret = DRSUAPI_EXOP_ERR_NONE
> > > - #30 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d1a73f70,
> > > - location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
> > > - at ../lib/tevent/tevent_req.c:102
> > > - No locals.
> > > - #31 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d1a73f70,
> > > - state=TEVENT_REQ_DONE,
> > > - location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
> > > - at ../lib/tevent/tevent_req.c:117
> > > - No locals.
> > > - #32 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d1a73f70,
> > > - location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
> > > - at ../lib/tevent/tevent_req.c:123
> > > - No locals.
> > > - #33 0x00002af6c1c708df in dcerpc_drsuapi_DsGetNCChanges_r_done (
> > > - subreq=0x2af6d122f4c0) at default/librpc/gen_ndr/ndr_drsuapi_c.c:712
> > > - req = 0x2af6d1a73f70
> > > - status = {v = 0}
> > > - #34 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d122f4c0,
> > > - location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
> > > - at ../lib/tevent/tevent_req.c:102
> > > - No locals.
> > > - #35 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d122f4c0,
> > > - state=TEVENT_REQ_DONE,
> > > - location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
> > > - at ../lib/tevent/tevent_req.c:117
> > > - No locals.
> > > - #36 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d122f4c0,
> > > - location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
> > > - at ../lib/tevent/tevent_req.c:123
> > > - No locals.
> > > - #37 0x00002af6b5757ede in dcerpc_binding_handle_call_done (subreq=0x0)
> > > - at ../librpc/rpc/binding_handle.c:517
> > > - req = 0x2af6d122f4c0
> > > - state = 0x2af6d122f640
> > > - h = 0x2af6d0959d10
> > > - error = {v = 0}
> > > - out_flags = 0
> > > - ndr_err = NDR_ERR_SUCCESS
> > > - #38 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d522f7a0,
> > > - location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
> > > - at ../lib/tevent/tevent_req.c:102
> > > - No locals.
> > > - #39 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d522f7a0,
> > > - state=TEVENT_REQ_DONE,
> > > - location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
> > > - at ../lib/tevent/tevent_req.c:117
> > > - No locals.
> > > - #40 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d522f7a0,
> > > - location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
> > > - at ../lib/tevent/tevent_req.c:123
> > > - No locals.
> > > - #41 0x00002af6b5757398 in dcerpc_binding_handle_raw_call_done (subreq=0x0)
> > > - at ../librpc/rpc/binding_handle.c:188
> > > - req = 0x2af6d522f7a0
> > > - state = 0x2af6d522f920
> > > - error = {v = 0}
> > > - #42 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d0712430,
> > > - location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
> > > - at ../lib/tevent/tevent_req.c:102
> > > - No locals.
> > > - #43 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d0712430,
> > > - state=TEVENT_REQ_DONE,
> > > - location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
> > > - at ../lib/tevent/tevent_req.c:117
> > > - No locals.
> > > - #44 0x00002af6b333e472 in tevent_req_trigger (ev=0x2af6b17ef8c0,
> > > - im=0x2af6d0712500, private_data=0x2af6d0712430)
> > > - at ../lib/tevent/tevent_req.c:174
> > > - req = 0x2af6d0712430
> > > - #45 0x00002af6b333d6d4 in tevent_common_loop_immediate (ev=0x2af6b17ef8c0)
> > > - at ../lib/tevent/tevent_immediate.c:135
> > > - im = 0x2af6d0712500
> > > - handler = 0x2af6b333e423 <tevent_req_trigger>
> > > - private_data = 0x2af6d0712430
> > > - #46 0x00002af6b3345570 in epoll_event_loop_once (ev=0x2af6b17ef8c0,
> > > - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> > > - at ../lib/tevent/tevent_epoll.c:907
> > > - epoll_ev = 0x2af6b17efb00
> > > - tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
> > > - panic_triggered = false
> > > - #47 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
> > > - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> > > - at ../lib/tevent/tevent_standard.c:112
> > > - glue_ptr = 0x2af6b17ef9b0
> > > - glue = 0x2af6b17ef9b0
> > > - ret = 10998
> > > - #48 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
> > > - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> > > - at ../lib/tevent/tevent.c:530
> > > - ret = 0
> > > - nesting_stack_ptr = 0x0
> > > - #49 0x00002af6b333ca11 in tevent_common_loop_wait (ev=0x2af6b17ef8c0,
> > > - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> > > - at ../lib/tevent/tevent.c:634
> > > - ret = 0
> > > - #50 0x00002af6b3342405 in std_event_loop_wait (ev=0x2af6b17ef8c0,
> > > - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> > > - at ../lib/tevent/tevent_standard.c:138
> > > - glue_ptr = 0x2af6b17ef9b0
> > > - glue = 0x2af6b17ef9b0
> > > - ret = 10998
> > > - #51 0x00002af6b333cadc in _tevent_loop_wait (ev=0x2af6b17ef8c0,
> > > - location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
> > > - at ../lib/tevent/tevent.c:653
> > > - No locals.
> > > - #52 0x00002af6b15a37bc in binary_smbd_main (
> > > - binary_name=0x2af6b15a737b "samba", argc=6, argv=0x7fff67c78de8)
> > > - at ../source4/smbd/server.c:503
> > > - opt_daemon = false
> > > - opt_interactive = true
> > > - opt = -1
> > > - pc = 0x2af6b17d5040
> > > - static_init = {0x2af6b2ac7d8c <server_service_auth_init>,
> > > - 0x2af6b2aca9e7 <server_service_echo_init>, 0}
> > > - shared_init = 0x2af6b18143b0
> > > - event_ctx = 0x2af6b17ef8c0
> > > - stdin_event_flags = 1
> > > - status = {v = 0}
> > > - model = 0x2af6b17d5b90 "single"
> > > - max_runtime = 7500
> > > -
> > > -Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
> > > -Autobuild-Date(master): Mon Jan 6 01:16:13 CET 2014 on sn-devel-104
> > > -(cherry picked from commit 056008df62cb66090b3e30cb09c0edacfbdb5720)
> > > ----
> > > - source4/selftest/tests.py | 6 ++++--
> > > - 1 file changed, 4 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
> > > -index c3a33c7..9567a8e 100755
> > > ---- a/source4/selftest/tests.py
> > > -+++ b/source4/selftest/tests.py
> > > -@@ -309,8 +309,6 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
> > > - plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
> > > - plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
> > > - plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
> > > --for env in ["dc", "s4member", "rodc", "promoted_dc"]:
> > > -- plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
> > > - plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
> > > - plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
> > > - plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
> > > -@@ -502,6 +500,10 @@ for env in ['vampire_dc', 'promoted_dc']:
> > > - extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
> > > -
> > > - plantestsuite("samba4.blackbox.samba_tool_demote(%s)" % env, env, [os.path.join(samba4srcdir, "utils/tests/test_demote.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$DOMAIN', '$DC_SERVER', '$PREFIX/%s' % env, smbclient4])
> > > -+
> > > -+for env in ["dc", "s4member", "rodc", "promoted_dc"]:
> > > -+ plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
> > > -+
> > > - # TODO: Verifying the databases really should be a part of the
> > > - # environment teardown.
> > > - # check the databases are all OK. PLEASE LEAVE THIS AS THE LAST TEST
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 3e44e7485dbfea37cb84034c4d13c96059bd9687 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 3 Jan 2014 08:35:27 +0100
> > > -Subject: [PATCH 144/249] s4:librpc: always try to negotiate
> > > - DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
> > > -
> > > -If the gensec backend supports it there's no reason not sign the header.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 7db1dc13b0149441a2beebca65b75f6e11af13a3)
> > > ----
> > > - librpc/rpc/binding.c | 1 -
> > > - librpc/rpc/rpc_common.h | 5 ++++-
> > > - source4/librpc/rpc/dcerpc.c | 12 ++----------
> > > - source4/librpc/rpc/dcerpc_auth.c | 14 ++++++++++----
> > > - 4 files changed, 16 insertions(+), 16 deletions(-)
> > > -
> > > -diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c
> > > -index 49651e8..52122cf 100644
> > > ---- a/librpc/rpc/binding.c
> > > -+++ b/librpc/rpc/binding.c
> > > -@@ -88,7 +88,6 @@ static const struct {
> > > - {"padcheck", DCERPC_DEBUG_PAD_CHECK},
> > > - {"bigendian", DCERPC_PUSH_BIGENDIAN},
> > > - {"smb2", DCERPC_SMB2},
> > > -- {"hdrsign", DCERPC_HEADER_SIGNING},
> > > - {"ndr64", DCERPC_NDR64},
> > > - {"localaddress", DCERPC_LOCALADDRESS}
> > > - };
> > > -diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
> > > -index 978229e..93d3bb4 100644
> > > ---- a/librpc/rpc/rpc_common.h
> > > -+++ b/librpc/rpc/rpc_common.h
> > > -@@ -98,7 +98,7 @@ struct dcerpc_binding {
> > > - /* this triggers the DCERPC_PFC_FLAG_CONC_MPX flag in the bind request */
> > > - #define DCERPC_CONCURRENT_MULTIPLEX (1<<19)
> > > -
> > > --/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
> > > -+/* this indicates DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag was negotiated */
> > > - #define DCERPC_HEADER_SIGNING (1<<20)
> > > -
> > > - /* use NDR64 transport */
> > > -@@ -113,6 +113,9 @@ struct dcerpc_binding {
> > > - /* use aes schannel with hmac-sh256 session key */
> > > - #define DCERPC_SCHANNEL_AES (1<<24)
> > > -
> > > -+/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
> > > -+#define DCERPC_PROPOSE_HEADER_SIGNING (1<<25)
> > > -+
> > > - /* The following definitions come from ../librpc/rpc/dcerpc_error.c */
> > > -
> > > - const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
> > > -diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
> > > -index 56b821e..2f6c8dd 100644
> > > ---- a/source4/librpc/rpc/dcerpc.c
> > > -+++ b/source4/librpc/rpc/dcerpc.c
> > > -@@ -1162,7 +1162,7 @@ struct tevent_req *dcerpc_bind_send(TALLOC_CTX *mem_ctx,
> > > - pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
> > > - }
> > > -
> > > -- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
> > > -+ if (p->conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) {
> > > - pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > > - }
> > > -
> > > -@@ -1304,7 +1304,7 @@ static void dcerpc_bind_recv_handler(struct rpc_request *subreq,
> > > - conn->flags |= DCERPC_CONCURRENT_MULTIPLEX;
> > > - }
> > > -
> > > -- if ((state->p->binding->flags & DCERPC_HEADER_SIGNING) &&
> > > -+ if ((conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) &&
> > > - (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
> > > - conn->flags |= DCERPC_HEADER_SIGNING;
> > > - }
> > > -@@ -1352,10 +1352,6 @@ NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
> > > - pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
> > > - }
> > > -
> > > -- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
> > > -- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > > -- }
> > > --
> > > - /* construct the NDR form of the packet */
> > > - status = ncacn_push_auth(&blob, mem_ctx,
> > > - &pkt,
> > > -@@ -2046,10 +2042,6 @@ struct tevent_req *dcerpc_alter_context_send(TALLOC_CTX *mem_ctx,
> > > - pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
> > > - }
> > > -
> > > -- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
> > > -- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > > -- }
> > > --
> > > - pkt.u.alter.max_xmit_frag = 5840;
> > > - pkt.u.alter.max_recv_frag = 5840;
> > > - pkt.u.alter.assoc_group_id = p->binding->assoc_group_id;
> > > -diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
> > > -index d5e5620..9a5d04d 100644
> > > ---- a/source4/librpc/rpc/dcerpc_auth.c
> > > -+++ b/source4/librpc/rpc/dcerpc_auth.c
> > > -@@ -173,10 +173,6 @@ static void bind_auth_next_step(struct composite_context *c)
> > > -
> > > - if (!composite_is_ok(c)) return;
> > > -
> > > -- if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
> > > -- gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
> > > -- }
> > > --
> > > - if (state->credentials.length == 0) {
> > > - composite_done(c);
> > > - return;
> > > -@@ -234,6 +230,12 @@ static void bind_auth_recv_bindreply(struct tevent_req *subreq)
> > > - TALLOC_FREE(subreq);
> > > - if (!composite_is_ok(c)) return;
> > > -
> > > -+ if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
> > > -+ struct dcecli_security *sec = &state->pipe->conn->security_state;
> > > -+
> > > -+ gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
> > > -+ }
> > > -+
> > > - if (!state->more_processing) {
> > > - /* The first gensec_update has not requested a second run, so
> > > - * we're done here. */
> > > -@@ -395,6 +397,10 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
> > > -
> > > - sec->auth_info->credentials = state->credentials;
> > > -
> > > -+ if (gensec_have_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
> > > -+ state->pipe->conn->flags |= DCERPC_PROPOSE_HEADER_SIGNING;
> > > -+ }
> > > -+
> > > - /* The first request always is a dcerpc_bind. The subsequent ones
> > > - * depend on gensec results */
> > > - subreq = dcerpc_bind_send(state, p->conn->event_ctx, p,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 6bdc135a63647fbbc31c7b2e673396231541641d Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 3 Jan 2014 08:39:12 +0100
> > > -Subject: [PATCH 145/249] s4:rpc_server: support
> > > - DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN by default
> > > -
> > > -If the gensec backend supports it there's no reason to disable it.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 661fe3cf890b91f8750872b0f5a09da536f76ae2)
> > > ----
> > > - source4/rpc_server/dcerpc_server.c | 6 ------
> > > - source4/rpc_server/dcesrv_auth.c | 37 ++++++++++++++++++++++++++++++++-----
> > > - 2 files changed, 32 insertions(+), 11 deletions(-)
> > > -
> > > -diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
> > > -index ad53685..3b35703 100644
> > > ---- a/source4/rpc_server/dcerpc_server.c
> > > -+++ b/source4/rpc_server/dcerpc_server.c
> > > -@@ -610,12 +610,6 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
> > > - call->conn->cli_max_recv_frag = MIN(0x2000, call->pkt.u.bind.max_recv_frag);
> > > - }
> > > -
> > > -- if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) &&
> > > -- lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", false)) {
> > > -- call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
> > > -- extra_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > > -- }
> > > --
> > > - /* handle any authentication that is being requested */
> > > - if (!dcesrv_auth_bind(call)) {
> > > - talloc_free(call->context);
> > > -diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
> > > -index c891cc6..152715b 100644
> > > ---- a/source4/rpc_server/dcesrv_auth.c
> > > -+++ b/source4/rpc_server/dcesrv_auth.c
> > > -@@ -92,10 +92,6 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
> > > - return false;
> > > - }
> > > -
> > > -- if (call->conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
> > > -- gensec_want_feature(auth->gensec_security, GENSEC_FEATURE_SIGN_PKT_HEADER);
> > > -- }
> > > --
> > > - return true;
> > > - }
> > > -
> > > -@@ -107,11 +103,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
> > > - {
> > > - struct dcesrv_connection *dce_conn = call->conn;
> > > - NTSTATUS status;
> > > -+ bool want_header_signing = false;
> > > -
> > > - if (!call->conn->auth_state.gensec_security) {
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -+ if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
> > > -+ want_header_signing = true;
> > > -+ }
> > > -+
> > > -+ if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
> > > -+ want_header_signing = false;
> > > -+ }
> > > -+
> > > - status = gensec_update(dce_conn->auth_state.gensec_security,
> > > - call, call->event_ctx,
> > > - dce_conn->auth_state.auth_info->credentials,
> > > -@@ -126,9 +131,17 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
> > > - return status;
> > > - }
> > > -
> > > -- if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
> > > -+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
> > > -+ GENSEC_FEATURE_SIGN_PKT_HEADER))
> > > -+ {
> > > -+ want_header_signing = false;
> > > -+ }
> > > -+
> > > -+ if (want_header_signing) {
> > > - gensec_want_feature(dce_conn->auth_state.gensec_security,
> > > - GENSEC_FEATURE_SIGN_PKT_HEADER);
> > > -+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
> > > -+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > > - }
> > > -
> > > - /* Now that we are authenticated, go back to the generic session key... */
> > > -@@ -137,6 +150,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
> > > - } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
> > > - dce_conn->auth_state.auth_info->auth_pad_length = 0;
> > > - dce_conn->auth_state.auth_info->auth_reserved = 0;
> > > -+
> > > -+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
> > > -+ GENSEC_FEATURE_SIGN_PKT_HEADER))
> > > -+ {
> > > -+ want_header_signing = false;
> > > -+ }
> > > -+
> > > -+ if (want_header_signing) {
> > > -+ gensec_want_feature(dce_conn->auth_state.gensec_security,
> > > -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> > > -+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
> > > -+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > > -+ }
> > > -+
> > > - return NT_STATUS_OK;
> > > - } else {
> > > - DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 868676160bb3bcfb4145a5c4b47fbb513c0bfac4 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 31 Dec 2013 09:53:55 +0100
> > > -Subject: [PATCH 146/249] auth/ntlmssp: GENSEC_FEATURE_SIGN_PKT_HEADER is
> > > - always supported
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 64fc015a85f9b5ed74f3dabe05dbdff185093278)
> > > ----
> > > - auth/ntlmssp/gensec_ntlmssp.c | 4 ++++
> > > - 1 file changed, 4 insertions(+)
> > > -
> > > -diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
> > > -index 654c0e3..5672589 100644
> > > ---- a/auth/ntlmssp/gensec_ntlmssp.c
> > > -+++ b/auth/ntlmssp/gensec_ntlmssp.c
> > > -@@ -102,6 +102,10 @@ bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
> > > - return true;
> > > - }
> > > - }
> > > -+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > > -+ return true;
> > > -+ }
> > > -+
> > > - return false;
> > > - }
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From e486316c74d3781413e66e451b51737fc194bdc2 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 31 Dec 2013 09:54:54 +0100
> > > -Subject: [PATCH 147/249] s4:auth/gensec_gssapi: handle
> > > - GENSEC_FEATURE_SIGN_PKT_HEADER in have_feature()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 14f6c41754960d73f46aca1bade2266b7e934d03)
> > > ----
> > > - source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
> > > - 1 file changed, 12 insertions(+)
> > > -
> > > -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
> > > -index 63a53bf..ffdefcf 100644
> > > ---- a/source4/auth/gensec/gensec_gssapi.c
> > > -+++ b/source4/auth/gensec/gensec_gssapi.c
> > > -@@ -1275,6 +1275,18 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
> > > - if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
> > > - return true;
> > > - }
> > > -+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > > -+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
> > > -+ /* TODO: implement this using gss_wrap_iov() */
> > > -+ return false;
> > > -+ }
> > > -+
> > > -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
> > > -+ return true;
> > > -+ }
> > > -+
> > > -+ return false;
> > > -+ }
> > > - return false;
> > > - }
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From fa8d0a7726240f8fc6648424d9724bcd65949bfd Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 3 Jan 2014 15:30:46 +0100
> > > -Subject: [PATCH 148/249] s4:gensec_gssapi: make sure
> > > - gensec_gssapi_[un]seal_packet() rejects header signing
> > > -
> > > -If header signing is requested we should error out instead of
> > > -silently ignoring it, our peer would hopefully reject it,
> > > -but we should also do that.
> > > -
> > > -TODO: we should implement header signing using gss_wrap_iov().
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 54b5b3067f5b7a0eb6dd9f1326c903f9fe4a5592)
> > > ----
> > > - source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
> > > - 1 file changed, 12 insertions(+)
> > > -
> > > -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
> > > -index ffdefcf..b8f007d 100644
> > > ---- a/source4/auth/gensec/gensec_gssapi.c
> > > -+++ b/source4/auth/gensec/gensec_gssapi.c
> > > -@@ -1028,6 +1028,12 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
> > > - int conf_state;
> > > - ssize_t sig_length;
> > > -
> > > -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > > -+ DEBUG(1, ("gensec_gssapi_seal_packet: "
> > > -+ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
> > > -+ return NT_STATUS_ACCESS_DENIED;
> > > -+ }
> > > -+
> > > - input_token.length = length;
> > > - input_token.value = data;
> > > -
> > > -@@ -1082,6 +1088,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
> > > -
> > > - dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
> > > -
> > > -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > > -+ DEBUG(1, ("gensec_gssapi_unseal_packet: "
> > > -+ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
> > > -+ return NT_STATUS_ACCESS_DENIED;
> > > -+ }
> > > -+
> > > - in = data_blob_talloc(gensec_security, NULL, sig->length + length);
> > > -
> > > - memcpy(in.data, sig->data, sig->length);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 2b1f62e3d99047e2981dcdd32c6820346917dc04 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 31 Dec 2013 09:42:36 +0100
> > > -Subject: [PATCH 149/249] auth/gensec: move libcli/auth/schannel_sign.c into
> > > - schannel.c
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 616cd009955b1722e6749019e2c1cac8bbb94e52)
> > > ----
> > > - auth/gensec/schannel.c | 380 ++++++++++++++++++++++++++++++++++++++++
> > > - libcli/auth/schannel_proto.h | 14 --
> > > - libcli/auth/schannel_sign.c | 404 -------------------------------------------
> > > - libcli/auth/wscript_build | 2 +-
> > > - 4 files changed, 381 insertions(+), 419 deletions(-)
> > > - delete mode 100644 libcli/auth/schannel_sign.c
> > > -
> > > -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
> > > -index eb2e100..c60ab4f 100644
> > > ---- a/auth/gensec/schannel.c
> > > -+++ b/auth/gensec/schannel.c
> > > -@@ -31,6 +31,386 @@
> > > - #include "librpc/gen_ndr/dcerpc.h"
> > > - #include "param/param.h"
> > > - #include "auth/gensec/gensec_toplevel_proto.h"
> > > -+#include "lib/crypto/crypto.h"
> > > -+
> > > -+struct schannel_state {
> > > -+ uint64_t seq_num;
> > > -+ bool initiator;
> > > -+ struct netlogon_creds_CredentialState *creds;
> > > -+};
> > > -+
> > > -+#define SETUP_SEQNUM(state, buf, initiator) do { \
> > > -+ uint8_t *_buf = buf; \
> > > -+ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
> > > -+ uint32_t _seq_num_high = (state)->seq_num >> 32; \
> > > -+ if (initiator) { \
> > > -+ _seq_num_high |= 0x80000000; \
> > > -+ } \
> > > -+ RSIVAL(_buf, 0, _seq_num_low); \
> > > -+ RSIVAL(_buf, 4, _seq_num_high); \
> > > -+} while(0)
> > > -+
> > > -+static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_CredentialState *creds,
> > > -+ bool initiator)
> > > -+{
> > > -+ struct schannel_state *state;
> > > -+
> > > -+ state = talloc(mem_ctx, struct schannel_state);
> > > -+ if (state == NULL) {
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ state->initiator = initiator;
> > > -+ state->seq_num = 0;
> > > -+ state->creds = netlogon_creds_copy(state, creds);
> > > -+ if (state->creds == NULL) {
> > > -+ talloc_free(state);
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ return state;
> > > -+}
> > > -+
> > > -+static void netsec_offset_and_sizes(struct schannel_state *state,
> > > -+ bool do_seal,
> > > -+ uint32_t *_min_sig_size,
> > > -+ uint32_t *_used_sig_size,
> > > -+ uint32_t *_checksum_length,
> > > -+ uint32_t *_confounder_ofs)
> > > -+{
> > > -+ uint32_t min_sig_size;
> > > -+ uint32_t used_sig_size;
> > > -+ uint32_t checksum_length;
> > > -+ uint32_t confounder_ofs;
> > > -+
> > > -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ min_sig_size = 48;
> > > -+ used_sig_size = 56;
> > > -+ /*
> > > -+ * Note: windows has a bug here and uses the old values...
> > > -+ *
> > > -+ * checksum_length = 32;
> > > -+ * confounder_ofs = 48;
> > > -+ */
> > > -+ checksum_length = 8;
> > > -+ confounder_ofs = 24;
> > > -+ } else {
> > > -+ min_sig_size = 24;
> > > -+ used_sig_size = 32;
> > > -+ checksum_length = 8;
> > > -+ confounder_ofs = 24;
> > > -+ }
> > > -+
> > > -+ if (do_seal) {
> > > -+ min_sig_size += 8;
> > > -+ }
> > > -+
> > > -+ if (_min_sig_size) {
> > > -+ *_min_sig_size = min_sig_size;
> > > -+ }
> > > -+
> > > -+ if (_used_sig_size) {
> > > -+ *_used_sig_size = used_sig_size;
> > > -+ }
> > > -+
> > > -+ if (_checksum_length) {
> > > -+ *_checksum_length = checksum_length;
> > > -+ }
> > > -+
> > > -+ if (_confounder_ofs) {
> > > -+ *_confounder_ofs = confounder_ofs;
> > > -+ }
> > > -+}
> > > -+
> > > -+/*******************************************************************
> > > -+ Encode or Decode the sequence number (which is symmetric)
> > > -+ ********************************************************************/
> > > -+static void netsec_do_seq_num(struct schannel_state *state,
> > > -+ const uint8_t *checksum,
> > > -+ uint32_t checksum_length,
> > > -+ uint8_t seq_num[8])
> > > -+{
> > > -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ AES_KEY key;
> > > -+ uint8_t iv[AES_BLOCK_SIZE];
> > > -+
> > > -+ AES_set_encrypt_key(state->creds->session_key, 128, &key);
> > > -+ ZERO_STRUCT(iv);
> > > -+ memcpy(iv+0, checksum, 8);
> > > -+ memcpy(iv+8, checksum, 8);
> > > -+
> > > -+ aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
> > > -+ } else {
> > > -+ static const uint8_t zeros[4];
> > > -+ uint8_t sequence_key[16];
> > > -+ uint8_t digest1[16];
> > > -+
> > > -+ hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
> > > -+ hmac_md5(digest1, checksum, checksum_length, sequence_key);
> > > -+ arcfour_crypt(seq_num, sequence_key, 8);
> > > -+ }
> > > -+
> > > -+ state->seq_num++;
> > > -+}
> > > -+
> > > -+static void netsec_do_seal(struct schannel_state *state,
> > > -+ const uint8_t seq_num[8],
> > > -+ uint8_t confounder[8],
> > > -+ uint8_t *data, uint32_t length,
> > > -+ bool forward)
> > > -+{
> > > -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ AES_KEY key;
> > > -+ uint8_t iv[AES_BLOCK_SIZE];
> > > -+ uint8_t sess_kf0[16];
> > > -+ int i;
> > > -+
> > > -+ for (i = 0; i < 16; i++) {
> > > -+ sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
> > > -+ }
> > > -+
> > > -+ AES_set_encrypt_key(sess_kf0, 128, &key);
> > > -+ ZERO_STRUCT(iv);
> > > -+ memcpy(iv+0, seq_num, 8);
> > > -+ memcpy(iv+8, seq_num, 8);
> > > -+
> > > -+ if (forward) {
> > > -+ aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
> > > -+ aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
> > > -+ } else {
> > > -+ aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
> > > -+ aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
> > > -+ }
> > > -+ } else {
> > > -+ uint8_t sealing_key[16];
> > > -+ static const uint8_t zeros[4];
> > > -+ uint8_t digest2[16];
> > > -+ uint8_t sess_kf0[16];
> > > -+ int i;
> > > -+
> > > -+ for (i = 0; i < 16; i++) {
> > > -+ sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
> > > -+ }
> > > -+
> > > -+ hmac_md5(sess_kf0, zeros, 4, digest2);
> > > -+ hmac_md5(digest2, seq_num, 8, sealing_key);
> > > -+
> > > -+ arcfour_crypt(confounder, sealing_key, 8);
> > > -+ arcfour_crypt(data, sealing_key, length);
> > > -+ }
> > > -+}
> > > -+
> > > -+/*******************************************************************
> > > -+ Create a digest over the entire packet (including the data), and
> > > -+ MD5 it with the session key.
> > > -+ ********************************************************************/
> > > -+static void netsec_do_sign(struct schannel_state *state,
> > > -+ const uint8_t *confounder,
> > > -+ const uint8_t *data, size_t length,
> > > -+ uint8_t header[8],
> > > -+ uint8_t *checksum)
> > > -+{
> > > -+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ struct HMACSHA256Context ctx;
> > > -+
> > > -+ hmac_sha256_init(state->creds->session_key,
> > > -+ sizeof(state->creds->session_key),
> > > -+ &ctx);
> > > -+
> > > -+ if (confounder) {
> > > -+ SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
> > > -+ SSVAL(header, 2, NL_SEAL_AES128);
> > > -+ SSVAL(header, 4, 0xFFFF);
> > > -+ SSVAL(header, 6, 0x0000);
> > > -+
> > > -+ hmac_sha256_update(header, 8, &ctx);
> > > -+ hmac_sha256_update(confounder, 8, &ctx);
> > > -+ } else {
> > > -+ SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
> > > -+ SSVAL(header, 2, NL_SEAL_NONE);
> > > -+ SSVAL(header, 4, 0xFFFF);
> > > -+ SSVAL(header, 6, 0x0000);
> > > -+
> > > -+ hmac_sha256_update(header, 8, &ctx);
> > > -+ }
> > > -+
> > > -+ hmac_sha256_update(data, length, &ctx);
> > > -+
> > > -+ hmac_sha256_final(checksum, &ctx);
> > > -+ } else {
> > > -+ uint8_t packet_digest[16];
> > > -+ static const uint8_t zeros[4];
> > > -+ MD5_CTX ctx;
> > > -+
> > > -+ MD5Init(&ctx);
> > > -+ MD5Update(&ctx, zeros, 4);
> > > -+ if (confounder) {
> > > -+ SSVAL(header, 0, NL_SIGN_HMAC_MD5);
> > > -+ SSVAL(header, 2, NL_SEAL_RC4);
> > > -+ SSVAL(header, 4, 0xFFFF);
> > > -+ SSVAL(header, 6, 0x0000);
> > > -+
> > > -+ MD5Update(&ctx, header, 8);
> > > -+ MD5Update(&ctx, confounder, 8);
> > > -+ } else {
> > > -+ SSVAL(header, 0, NL_SIGN_HMAC_MD5);
> > > -+ SSVAL(header, 2, NL_SEAL_NONE);
> > > -+ SSVAL(header, 4, 0xFFFF);
> > > -+ SSVAL(header, 6, 0x0000);
> > > -+
> > > -+ MD5Update(&ctx, header, 8);
> > > -+ }
> > > -+ MD5Update(&ctx, data, length);
> > > -+ MD5Final(packet_digest, &ctx);
> > > -+
> > > -+ hmac_md5(state->creds->session_key,
> > > -+ packet_digest, sizeof(packet_digest),
> > > -+ checksum);
> > > -+ }
> > > -+}
> > > -+
> > > -+static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > > -+ bool do_unseal,
> > > -+ uint8_t *data, size_t length,
> > > -+ const DATA_BLOB *sig)
> > > -+{
> > > -+ uint32_t min_sig_size = 0;
> > > -+ uint8_t header[8];
> > > -+ uint8_t checksum[32];
> > > -+ uint32_t checksum_length = sizeof(checksum_length);
> > > -+ uint8_t _confounder[8];
> > > -+ uint8_t *confounder = NULL;
> > > -+ uint32_t confounder_ofs = 0;
> > > -+ uint8_t seq_num[8];
> > > -+ int ret;
> > > -+
> > > -+ netsec_offset_and_sizes(state,
> > > -+ do_unseal,
> > > -+ &min_sig_size,
> > > -+ NULL,
> > > -+ &checksum_length,
> > > -+ &confounder_ofs);
> > > -+
> > > -+ if (sig->length < min_sig_size) {
> > > -+ return NT_STATUS_ACCESS_DENIED;
> > > -+ }
> > > -+
> > > -+ if (do_unseal) {
> > > -+ confounder = _confounder;
> > > -+ memcpy(confounder, sig->data+confounder_ofs, 8);
> > > -+ } else {
> > > -+ confounder = NULL;
> > > -+ }
> > > -+
> > > -+ SETUP_SEQNUM(state, seq_num, !state->initiator);
> > > -+
> > > -+ if (do_unseal) {
> > > -+ netsec_do_seal(state, seq_num,
> > > -+ confounder,
> > > -+ data, length,
> > > -+ false);
> > > -+ }
> > > -+
> > > -+ netsec_do_sign(state, confounder,
> > > -+ data, length,
> > > -+ header, checksum);
> > > -+
> > > -+ ret = memcmp(checksum, sig->data+16, checksum_length);
> > > -+ if (ret != 0) {
> > > -+ dump_data_pw("calc digest:", checksum, checksum_length);
> > > -+ dump_data_pw("wire digest:", sig->data+16, checksum_length);
> > > -+ return NT_STATUS_ACCESS_DENIED;
> > > -+ }
> > > -+
> > > -+ netsec_do_seq_num(state, checksum, checksum_length, seq_num);
> > > -+
> > > -+ ret = memcmp(seq_num, sig->data+8, 8);
> > > -+ if (ret != 0) {
> > > -+ dump_data_pw("calc seq num:", seq_num, 8);
> > > -+ dump_data_pw("wire seq num:", sig->data+8, 8);
> > > -+ return NT_STATUS_ACCESS_DENIED;
> > > -+ }
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+static uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
> > > -+{
> > > -+ uint32_t sig_size = 0;
> > > -+
> > > -+ netsec_offset_and_sizes(state,
> > > -+ true,
> > > -+ NULL,
> > > -+ &sig_size,
> > > -+ NULL,
> > > -+ NULL);
> > > -+
> > > -+ return sig_size;
> > > -+}
> > > -+
> > > -+static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ bool do_seal,
> > > -+ uint8_t *data, size_t length,
> > > -+ DATA_BLOB *sig)
> > > -+{
> > > -+ uint32_t min_sig_size = 0;
> > > -+ uint32_t used_sig_size = 0;
> > > -+ uint8_t header[8];
> > > -+ uint8_t checksum[32];
> > > -+ uint32_t checksum_length = sizeof(checksum_length);
> > > -+ uint8_t _confounder[8];
> > > -+ uint8_t *confounder = NULL;
> > > -+ uint32_t confounder_ofs = 0;
> > > -+ uint8_t seq_num[8];
> > > -+
> > > -+ netsec_offset_and_sizes(state,
> > > -+ do_seal,
> > > -+ &min_sig_size,
> > > -+ &used_sig_size,
> > > -+ &checksum_length,
> > > -+ &confounder_ofs);
> > > -+
> > > -+ SETUP_SEQNUM(state, seq_num, state->initiator);
> > > -+
> > > -+ if (do_seal) {
> > > -+ confounder = _confounder;
> > > -+ generate_random_buffer(confounder, 8);
> > > -+ } else {
> > > -+ confounder = NULL;
> > > -+ }
> > > -+
> > > -+ netsec_do_sign(state, confounder,
> > > -+ data, length,
> > > -+ header, checksum);
> > > -+
> > > -+ if (do_seal) {
> > > -+ netsec_do_seal(state, seq_num,
> > > -+ confounder,
> > > -+ data, length,
> > > -+ true);
> > > -+ }
> > > -+
> > > -+ netsec_do_seq_num(state, checksum, checksum_length, seq_num);
> > > -+
> > > -+ (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
> > > -+
> > > -+ memcpy(sig->data, header, 8);
> > > -+ memcpy(sig->data+8, seq_num, 8);
> > > -+ memcpy(sig->data+16, checksum, checksum_length);
> > > -+
> > > -+ if (confounder) {
> > > -+ memcpy(sig->data+confounder_ofs, confounder, 8);
> > > -+ }
> > > -+
> > > -+ dump_data_pw("signature:", sig->data+ 0, 8);
> > > -+ dump_data_pw("seq_num :", sig->data+ 8, 8);
> > > -+ dump_data_pw("digest :", sig->data+16, checksum_length);
> > > -+ dump_data_pw("confound :", sig->data+confounder_ofs, 8);
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -
> > > - _PUBLIC_ NTSTATUS gensec_schannel_init(void);
> > > -
> > > -diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
> > > -index da76559..bce37c8 100644
> > > ---- a/libcli/auth/schannel_proto.h
> > > -+++ b/libcli/auth/schannel_proto.h
> > > -@@ -28,18 +28,4 @@ struct schannel_state;
> > > - struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
> > > - struct loadparm_context *lp_ctx);
> > > -
> > > --struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > > -- struct netlogon_creds_CredentialState *creds,
> > > -- bool initiator);
> > > --NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > > -- bool do_unseal,
> > > -- uint8_t *data, size_t length,
> > > -- const DATA_BLOB *sig);
> > > --uint32_t netsec_outgoing_sig_size(struct schannel_state *state);
> > > --NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- bool do_seal,
> > > -- uint8_t *data, size_t length,
> > > -- DATA_BLOB *sig);
> > > --
> > > - #endif
> > > -diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
> > > -deleted file mode 100644
> > > -index 9502cba..0000000
> > > ---- a/libcli/auth/schannel_sign.c
> > > -+++ /dev/null
> > > -@@ -1,404 +0,0 @@
> > > --/*
> > > -- Unix SMB/CIFS implementation.
> > > --
> > > -- schannel library code
> > > --
> > > -- Copyright (C) Andrew Tridgell 2004
> > > -- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
> > > --
> > > -- This program is free software; you can redistribute it and/or modify
> > > -- it under the terms of the GNU General Public License as published by
> > > -- the Free Software Foundation; either version 3 of the License, or
> > > -- (at your option) any later version.
> > > --
> > > -- This program is distributed in the hope that it will be useful,
> > > -- but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > > -- GNU General Public License for more details.
> > > --
> > > -- You should have received a copy of the GNU General Public License
> > > -- along with this program. If not, see <http://www.gnu.org/licenses/>.
> > > --*/
> > > --
> > > --#include "includes.h"
> > > --#include "../libcli/auth/schannel.h"
> > > --#include "../lib/crypto/crypto.h"
> > > --
> > > --struct schannel_state {
> > > -- uint64_t seq_num;
> > > -- bool initiator;
> > > -- struct netlogon_creds_CredentialState *creds;
> > > --};
> > > --
> > > --#define SETUP_SEQNUM(state, buf, initiator) do { \
> > > -- uint8_t *_buf = buf; \
> > > -- uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
> > > -- uint32_t _seq_num_high = (state)->seq_num >> 32; \
> > > -- if (initiator) { \
> > > -- _seq_num_high |= 0x80000000; \
> > > -- } \
> > > -- RSIVAL(_buf, 0, _seq_num_low); \
> > > -- RSIVAL(_buf, 4, _seq_num_high); \
> > > --} while(0)
> > > --
> > > --struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > > -- struct netlogon_creds_CredentialState *creds,
> > > -- bool initiator)
> > > --{
> > > -- struct schannel_state *state;
> > > --
> > > -- state = talloc(mem_ctx, struct schannel_state);
> > > -- if (state == NULL) {
> > > -- return NULL;
> > > -- }
> > > --
> > > -- state->initiator = initiator;
> > > -- state->seq_num = 0;
> > > -- state->creds = netlogon_creds_copy(state, creds);
> > > -- if (state->creds == NULL) {
> > > -- talloc_free(state);
> > > -- return NULL;
> > > -- }
> > > --
> > > -- return state;
> > > --}
> > > --
> > > --static void netsec_offset_and_sizes(struct schannel_state *state,
> > > -- bool do_seal,
> > > -- uint32_t *_min_sig_size,
> > > -- uint32_t *_used_sig_size,
> > > -- uint32_t *_checksum_length,
> > > -- uint32_t *_confounder_ofs)
> > > --{
> > > -- uint32_t min_sig_size;
> > > -- uint32_t used_sig_size;
> > > -- uint32_t checksum_length;
> > > -- uint32_t confounder_ofs;
> > > --
> > > -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- min_sig_size = 48;
> > > -- used_sig_size = 56;
> > > -- /*
> > > -- * Note: windows has a bug here and uses the old values...
> > > -- *
> > > -- * checksum_length = 32;
> > > -- * confounder_ofs = 48;
> > > -- */
> > > -- checksum_length = 8;
> > > -- confounder_ofs = 24;
> > > -- } else {
> > > -- min_sig_size = 24;
> > > -- used_sig_size = 32;
> > > -- checksum_length = 8;
> > > -- confounder_ofs = 24;
> > > -- }
> > > --
> > > -- if (do_seal) {
> > > -- min_sig_size += 8;
> > > -- }
> > > --
> > > -- if (_min_sig_size) {
> > > -- *_min_sig_size = min_sig_size;
> > > -- }
> > > --
> > > -- if (_used_sig_size) {
> > > -- *_used_sig_size = used_sig_size;
> > > -- }
> > > --
> > > -- if (_checksum_length) {
> > > -- *_checksum_length = checksum_length;
> > > -- }
> > > --
> > > -- if (_confounder_ofs) {
> > > -- *_confounder_ofs = confounder_ofs;
> > > -- }
> > > --}
> > > --
> > > --/*******************************************************************
> > > -- Encode or Decode the sequence number (which is symmetric)
> > > -- ********************************************************************/
> > > --static void netsec_do_seq_num(struct schannel_state *state,
> > > -- const uint8_t *checksum,
> > > -- uint32_t checksum_length,
> > > -- uint8_t seq_num[8])
> > > --{
> > > -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- AES_KEY key;
> > > -- uint8_t iv[AES_BLOCK_SIZE];
> > > --
> > > -- AES_set_encrypt_key(state->creds->session_key, 128, &key);
> > > -- ZERO_STRUCT(iv);
> > > -- memcpy(iv+0, checksum, 8);
> > > -- memcpy(iv+8, checksum, 8);
> > > --
> > > -- aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
> > > -- } else {
> > > -- static const uint8_t zeros[4];
> > > -- uint8_t sequence_key[16];
> > > -- uint8_t digest1[16];
> > > --
> > > -- hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
> > > -- hmac_md5(digest1, checksum, checksum_length, sequence_key);
> > > -- arcfour_crypt(seq_num, sequence_key, 8);
> > > -- }
> > > --
> > > -- state->seq_num++;
> > > --}
> > > --
> > > --static void netsec_do_seal(struct schannel_state *state,
> > > -- const uint8_t seq_num[8],
> > > -- uint8_t confounder[8],
> > > -- uint8_t *data, uint32_t length,
> > > -- bool forward)
> > > --{
> > > -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- AES_KEY key;
> > > -- uint8_t iv[AES_BLOCK_SIZE];
> > > -- uint8_t sess_kf0[16];
> > > -- int i;
> > > --
> > > -- for (i = 0; i < 16; i++) {
> > > -- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
> > > -- }
> > > --
> > > -- AES_set_encrypt_key(sess_kf0, 128, &key);
> > > -- ZERO_STRUCT(iv);
> > > -- memcpy(iv+0, seq_num, 8);
> > > -- memcpy(iv+8, seq_num, 8);
> > > --
> > > -- if (forward) {
> > > -- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
> > > -- aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
> > > -- } else {
> > > -- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
> > > -- aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
> > > -- }
> > > -- } else {
> > > -- uint8_t sealing_key[16];
> > > -- static const uint8_t zeros[4];
> > > -- uint8_t digest2[16];
> > > -- uint8_t sess_kf0[16];
> > > -- int i;
> > > --
> > > -- for (i = 0; i < 16; i++) {
> > > -- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
> > > -- }
> > > --
> > > -- hmac_md5(sess_kf0, zeros, 4, digest2);
> > > -- hmac_md5(digest2, seq_num, 8, sealing_key);
> > > --
> > > -- arcfour_crypt(confounder, sealing_key, 8);
> > > -- arcfour_crypt(data, sealing_key, length);
> > > -- }
> > > --}
> > > --
> > > --/*******************************************************************
> > > -- Create a digest over the entire packet (including the data), and
> > > -- MD5 it with the session key.
> > > -- ********************************************************************/
> > > --static void netsec_do_sign(struct schannel_state *state,
> > > -- const uint8_t *confounder,
> > > -- const uint8_t *data, size_t length,
> > > -- uint8_t header[8],
> > > -- uint8_t *checksum)
> > > --{
> > > -- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- struct HMACSHA256Context ctx;
> > > --
> > > -- hmac_sha256_init(state->creds->session_key,
> > > -- sizeof(state->creds->session_key),
> > > -- &ctx);
> > > --
> > > -- if (confounder) {
> > > -- SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
> > > -- SSVAL(header, 2, NL_SEAL_AES128);
> > > -- SSVAL(header, 4, 0xFFFF);
> > > -- SSVAL(header, 6, 0x0000);
> > > --
> > > -- hmac_sha256_update(header, 8, &ctx);
> > > -- hmac_sha256_update(confounder, 8, &ctx);
> > > -- } else {
> > > -- SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
> > > -- SSVAL(header, 2, NL_SEAL_NONE);
> > > -- SSVAL(header, 4, 0xFFFF);
> > > -- SSVAL(header, 6, 0x0000);
> > > --
> > > -- hmac_sha256_update(header, 8, &ctx);
> > > -- }
> > > --
> > > -- hmac_sha256_update(data, length, &ctx);
> > > --
> > > -- hmac_sha256_final(checksum, &ctx);
> > > -- } else {
> > > -- uint8_t packet_digest[16];
> > > -- static const uint8_t zeros[4];
> > > -- MD5_CTX ctx;
> > > --
> > > -- MD5Init(&ctx);
> > > -- MD5Update(&ctx, zeros, 4);
> > > -- if (confounder) {
> > > -- SSVAL(header, 0, NL_SIGN_HMAC_MD5);
> > > -- SSVAL(header, 2, NL_SEAL_RC4);
> > > -- SSVAL(header, 4, 0xFFFF);
> > > -- SSVAL(header, 6, 0x0000);
> > > --
> > > -- MD5Update(&ctx, header, 8);
> > > -- MD5Update(&ctx, confounder, 8);
> > > -- } else {
> > > -- SSVAL(header, 0, NL_SIGN_HMAC_MD5);
> > > -- SSVAL(header, 2, NL_SEAL_NONE);
> > > -- SSVAL(header, 4, 0xFFFF);
> > > -- SSVAL(header, 6, 0x0000);
> > > --
> > > -- MD5Update(&ctx, header, 8);
> > > -- }
> > > -- MD5Update(&ctx, data, length);
> > > -- MD5Final(packet_digest, &ctx);
> > > --
> > > -- hmac_md5(state->creds->session_key,
> > > -- packet_digest, sizeof(packet_digest),
> > > -- checksum);
> > > -- }
> > > --}
> > > --
> > > --NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > > -- bool do_unseal,
> > > -- uint8_t *data, size_t length,
> > > -- const DATA_BLOB *sig)
> > > --{
> > > -- uint32_t min_sig_size = 0;
> > > -- uint8_t header[8];
> > > -- uint8_t checksum[32];
> > > -- uint32_t checksum_length = sizeof(checksum_length);
> > > -- uint8_t _confounder[8];
> > > -- uint8_t *confounder = NULL;
> > > -- uint32_t confounder_ofs = 0;
> > > -- uint8_t seq_num[8];
> > > -- int ret;
> > > --
> > > -- netsec_offset_and_sizes(state,
> > > -- do_unseal,
> > > -- &min_sig_size,
> > > -- NULL,
> > > -- &checksum_length,
> > > -- &confounder_ofs);
> > > --
> > > -- if (sig->length < min_sig_size) {
> > > -- return NT_STATUS_ACCESS_DENIED;
> > > -- }
> > > --
> > > -- if (do_unseal) {
> > > -- confounder = _confounder;
> > > -- memcpy(confounder, sig->data+confounder_ofs, 8);
> > > -- } else {
> > > -- confounder = NULL;
> > > -- }
> > > --
> > > -- SETUP_SEQNUM(state, seq_num, !state->initiator);
> > > --
> > > -- if (do_unseal) {
> > > -- netsec_do_seal(state, seq_num,
> > > -- confounder,
> > > -- data, length,
> > > -- false);
> > > -- }
> > > --
> > > -- netsec_do_sign(state, confounder,
> > > -- data, length,
> > > -- header, checksum);
> > > --
> > > -- ret = memcmp(checksum, sig->data+16, checksum_length);
> > > -- if (ret != 0) {
> > > -- dump_data_pw("calc digest:", checksum, checksum_length);
> > > -- dump_data_pw("wire digest:", sig->data+16, checksum_length);
> > > -- return NT_STATUS_ACCESS_DENIED;
> > > -- }
> > > --
> > > -- netsec_do_seq_num(state, checksum, checksum_length, seq_num);
> > > --
> > > -- ret = memcmp(seq_num, sig->data+8, 8);
> > > -- if (ret != 0) {
> > > -- dump_data_pw("calc seq num:", seq_num, 8);
> > > -- dump_data_pw("wire seq num:", sig->data+8, 8);
> > > -- return NT_STATUS_ACCESS_DENIED;
> > > -- }
> > > --
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > --uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
> > > --{
> > > -- uint32_t sig_size = 0;
> > > --
> > > -- netsec_offset_and_sizes(state,
> > > -- true,
> > > -- NULL,
> > > -- &sig_size,
> > > -- NULL,
> > > -- NULL);
> > > --
> > > -- return sig_size;
> > > --}
> > > --
> > > --NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- bool do_seal,
> > > -- uint8_t *data, size_t length,
> > > -- DATA_BLOB *sig)
> > > --{
> > > -- uint32_t min_sig_size = 0;
> > > -- uint32_t used_sig_size = 0;
> > > -- uint8_t header[8];
> > > -- uint8_t checksum[32];
> > > -- uint32_t checksum_length = sizeof(checksum_length);
> > > -- uint8_t _confounder[8];
> > > -- uint8_t *confounder = NULL;
> > > -- uint32_t confounder_ofs = 0;
> > > -- uint8_t seq_num[8];
> > > --
> > > -- netsec_offset_and_sizes(state,
> > > -- do_seal,
> > > -- &min_sig_size,
> > > -- &used_sig_size,
> > > -- &checksum_length,
> > > -- &confounder_ofs);
> > > --
> > > -- SETUP_SEQNUM(state, seq_num, state->initiator);
> > > --
> > > -- if (do_seal) {
> > > -- confounder = _confounder;
> > > -- generate_random_buffer(confounder, 8);
> > > -- } else {
> > > -- confounder = NULL;
> > > -- }
> > > --
> > > -- netsec_do_sign(state, confounder,
> > > -- data, length,
> > > -- header, checksum);
> > > --
> > > -- if (do_seal) {
> > > -- netsec_do_seal(state, seq_num,
> > > -- confounder,
> > > -- data, length,
> > > -- true);
> > > -- }
> > > --
> > > -- netsec_do_seq_num(state, checksum, checksum_length, seq_num);
> > > --
> > > -- (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
> > > --
> > > -- memcpy(sig->data, header, 8);
> > > -- memcpy(sig->data+8, seq_num, 8);
> > > -- memcpy(sig->data+16, checksum, checksum_length);
> > > --
> > > -- if (confounder) {
> > > -- memcpy(sig->data+confounder_ofs, confounder, 8);
> > > -- }
> > > --
> > > -- dump_data_pw("signature:", sig->data+ 0, 8);
> > > -- dump_data_pw("seq_num :", sig->data+ 8, 8);
> > > -- dump_data_pw("digest :", sig->data+16, checksum_length);
> > > -- dump_data_pw("confound :", sig->data+confounder_ofs, 8);
> > > --
> > > -- return NT_STATUS_OK;
> > > --}
> > > -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
> > > -index df23058..ca2be2d 100755
> > > ---- a/libcli/auth/wscript_build
> > > -+++ b/libcli/auth/wscript_build
> > > -@@ -24,7 +24,7 @@ bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
> > > -
> > > -
> > > - bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
> > > -- source='schannel_state_tdb.c schannel_sign.c',
> > > -+ source='schannel_state_tdb.c',
> > > - deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
> > > - )
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 307627065568a259eb9e94953b872bf723477be6 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 31 Dec 2013 10:11:18 +0100
> > > -Subject: [PATCH 150/249] auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER
> > > - in schannel.c
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 03006d0e4471465f071517097145806fbe46fdba)
> > > ----
> > > - auth/gensec/schannel.c | 56 +++++++++++++++++++++++++++++++++++++++++---------
> > > - 1 file changed, 46 insertions(+), 10 deletions(-)
> > > -
> > > -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
> > > -index c60ab4f..3d30e83 100644
> > > ---- a/auth/gensec/schannel.c
> > > -+++ b/auth/gensec/schannel.c
> > > -@@ -34,6 +34,7 @@
> > > - #include "lib/crypto/crypto.h"
> > > -
> > > - struct schannel_state {
> > > -+ struct gensec_security *gensec;
> > > - uint64_t seq_num;
> > > - bool initiator;
> > > - struct netlogon_creds_CredentialState *creds;
> > > -@@ -50,17 +51,19 @@ struct schannel_state {
> > > - RSIVAL(_buf, 4, _seq_num_high); \
> > > - } while(0)
> > > -
> > > --static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > > -+static struct schannel_state *netsec_create_state(
> > > -+ struct gensec_security *gensec,
> > > - struct netlogon_creds_CredentialState *creds,
> > > - bool initiator)
> > > - {
> > > - struct schannel_state *state;
> > > -
> > > -- state = talloc(mem_ctx, struct schannel_state);
> > > -+ state = talloc(gensec, struct schannel_state);
> > > - if (state == NULL) {
> > > - return NULL;
> > > - }
> > > -
> > > -+ state->gensec = gensec;
> > > - state->initiator = initiator;
> > > - state->seq_num = 0;
> > > - state->creds = netlogon_creds_copy(state, creds);
> > > -@@ -69,6 +72,8 @@ static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
> > > - return NULL;
> > > - }
> > > -
> > > -+ gensec->private_data = state;
> > > -+
> > > - return state;
> > > - }
> > > -
> > > -@@ -273,6 +278,7 @@ static void netsec_do_sign(struct schannel_state *state,
> > > - static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > > - bool do_unseal,
> > > - uint8_t *data, size_t length,
> > > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > > - const DATA_BLOB *sig)
> > > - {
> > > - uint32_t min_sig_size = 0;
> > > -@@ -284,6 +290,8 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > > - uint32_t confounder_ofs = 0;
> > > - uint8_t seq_num[8];
> > > - int ret;
> > > -+ const uint8_t *sign_data = NULL;
> > > -+ size_t sign_length = 0;
> > > -
> > > - netsec_offset_and_sizes(state,
> > > - do_unseal,
> > > -@@ -312,8 +320,16 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
> > > - false);
> > > - }
> > > -
> > > -+ if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > > -+ sign_data = whole_pdu;
> > > -+ sign_length = pdu_length;
> > > -+ } else {
> > > -+ sign_data = data;
> > > -+ sign_length = length;
> > > -+ }
> > > -+
> > > - netsec_do_sign(state, confounder,
> > > -- data, length,
> > > -+ sign_data, sign_length,
> > > - header, checksum);
> > > -
> > > - ret = memcmp(checksum, sig->data+16, checksum_length);
> > > -@@ -353,6 +369,7 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > > - TALLOC_CTX *mem_ctx,
> > > - bool do_seal,
> > > - uint8_t *data, size_t length,
> > > -+ const uint8_t *whole_pdu, size_t pdu_length,
> > > - DATA_BLOB *sig)
> > > - {
> > > - uint32_t min_sig_size = 0;
> > > -@@ -364,6 +381,8 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > > - uint8_t *confounder = NULL;
> > > - uint32_t confounder_ofs = 0;
> > > - uint8_t seq_num[8];
> > > -+ const uint8_t *sign_data = NULL;
> > > -+ size_t sign_length = 0;
> > > -
> > > - netsec_offset_and_sizes(state,
> > > - do_seal,
> > > -@@ -381,8 +400,16 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
> > > - confounder = NULL;
> > > - }
> > > -
> > > -+ if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > > -+ sign_data = whole_pdu;
> > > -+ sign_length = pdu_length;
> > > -+ } else {
> > > -+ sign_data = data;
> > > -+ sign_length = length;
> > > -+ }
> > > -+
> > > - netsec_do_sign(state, confounder,
> > > -- data, length,
> > > -+ sign_data, sign_length,
> > > - header, checksum);
> > > -
> > > - if (do_seal) {
> > > -@@ -457,7 +484,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > > - if (state == NULL) {
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -- gensec_security->private_data = state;
> > > -
> > > - bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
> > > - #if 0
> > > -@@ -553,7 +579,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
> > > - if (state == NULL) {
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -- gensec_security->private_data = state;
> > > -
> > > - bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
> > > - bind_schannel_ack.Flags = 0;
> > > -@@ -608,6 +633,9 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
> > > - if (feature & GENSEC_FEATURE_DCE_STYLE) {
> > > - return true;
> > > - }
> > > -+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
> > > -+ return true;
> > > -+ }
> > > - return false;
> > > - }
> > > -
> > > -@@ -625,7 +653,9 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
> > > -
> > > - return netsec_incoming_packet(state, true,
> > > - discard_const_p(uint8_t, data),
> > > -- length, sig);
> > > -+ length,
> > > -+ whole_pdu, pdu_length,
> > > -+ sig);
> > > - }
> > > -
> > > - /*
> > > -@@ -642,7 +672,9 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
> > > -
> > > - return netsec_incoming_packet(state, false,
> > > - discard_const_p(uint8_t, data),
> > > -- length, sig);
> > > -+ length,
> > > -+ whole_pdu, pdu_length,
> > > -+ sig);
> > > - }
> > > - /*
> > > - seal a packet
> > > -@@ -658,7 +690,9 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
> > > - struct schannel_state);
> > > -
> > > - return netsec_outgoing_packet(state, mem_ctx, true,
> > > -- data, length, sig);
> > > -+ data, length,
> > > -+ whole_pdu, pdu_length,
> > > -+ sig);
> > > - }
> > > -
> > > - /*
> > > -@@ -676,7 +710,9 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
> > > -
> > > - return netsec_outgoing_packet(state, mem_ctx, false,
> > > - discard_const_p(uint8_t, data),
> > > -- length, sig);
> > > -+ length,
> > > -+ whole_pdu, pdu_length,
> > > -+ sig);
> > > - }
> > > -
> > > - static const struct gensec_security_ops gensec_schannel_security_ops = {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 5b457559dfaeaf8f3d9227a93e5b75e0e7464c23 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sun, 5 Jan 2014 06:16:03 +0100
> > > -Subject: [PATCH 151/249] s3:rpc_client: talloc_zero pipe_auth_data
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 5b39a351a8ceb3bec04236ceb4b2fe10651958a9)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 6 +++---
> > > - 1 file changed, 3 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index a343997..7d1e347 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -2101,7 +2101,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
> > > - {
> > > - struct pipe_auth_data *result;
> > > -
> > > -- result = talloc(mem_ctx, struct pipe_auth_data);
> > > -+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
> > > - if (result == NULL) {
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -@@ -2125,7 +2125,7 @@ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
> > > - {
> > > - struct pipe_auth_data *result;
> > > -
> > > -- result = talloc(mem_ctx, struct pipe_auth_data);
> > > -+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
> > > - if (result == NULL) {
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -@@ -2160,7 +2160,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
> > > - struct pipe_auth_data *result;
> > > - NTSTATUS status;
> > > -
> > > -- result = talloc(mem_ctx, struct pipe_auth_data);
> > > -+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
> > > - if (result == NULL) {
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From dd35874efea280b91ccaadf14a9a18e8a9017ea4 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sun, 5 Jan 2014 06:31:44 +0100
> > > -Subject: [PATCH 152/249] s3:rpc_client: make rpc_api_pipe_req_send/recv static
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 946e29dbc148d40fadbee81d4d530a36c0f2f1e6)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 4 ++--
> > > - source3/rpc_client/cli_pipe.h | 10 ----------
> > > - 2 files changed, 2 insertions(+), 12 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 7d1e347..3d12454 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -1153,7 +1153,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq);
> > > - static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > > - bool *is_last_frag);
> > > -
> > > --struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> > > -+static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> > > - struct tevent_context *ev,
> > > - struct rpc_pipe_client *cli,
> > > - uint8_t op_num,
> > > -@@ -1366,7 +1366,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
> > > - tevent_req_done(req);
> > > - }
> > > -
> > > --NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
> > > -+static NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
> > > - DATA_BLOB *reply_pdu)
> > > - {
> > > - struct rpc_api_pipe_req_state *state = tevent_req_data(
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index ab99373..826f9bf 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -27,16 +27,6 @@
> > > -
> > > - /* The following definitions come from rpc_client/cli_pipe.c */
> > > -
> > > --struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> > > -- struct tevent_context *ev,
> > > -- struct rpc_pipe_client *cli,
> > > -- uint8_t op_num,
> > > -- DATA_BLOB *req_data);
> > > --
> > > --NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- DATA_BLOB *reply_pdu);
> > > --
> > > - struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
> > > - struct tevent_context *ev,
> > > - struct rpc_pipe_client *cli,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 9ea586bbac52bf17e6a1147420bfc9648e697706 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sun, 5 Jan 2014 07:56:20 +0100
> > > -Subject: [PATCH 153/249] s3:rpc_client: add some const to
> > > - rpc_api_pipe_req_send()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 4d3376e919b5c33f272b3a584d8172729a7468e0)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 4 ++--
> > > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 3d12454..6b7fee2 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -1142,7 +1142,7 @@ struct rpc_api_pipe_req_state {
> > > - struct rpc_pipe_client *cli;
> > > - uint8_t op_num;
> > > - uint32_t call_id;
> > > -- DATA_BLOB *req_data;
> > > -+ const DATA_BLOB *req_data;
> > > - uint32_t req_data_sent;
> > > - DATA_BLOB rpc_out;
> > > - DATA_BLOB reply_pdu;
> > > -@@ -1157,7 +1157,7 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> > > - struct tevent_context *ev,
> > > - struct rpc_pipe_client *cli,
> > > - uint8_t op_num,
> > > -- DATA_BLOB *req_data)
> > > -+ const DATA_BLOB *req_data)
> > > - {
> > > - struct tevent_req *req, *subreq;
> > > - struct rpc_api_pipe_req_state *state;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From cc6303171f06ae26bce9d54013a63a6296563dd7 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sun, 5 Jan 2014 08:26:15 +0100
> > > -Subject: [PATCH 154/249] s3:rpc_client: handle DCERPC_AUTH_TYPE_SCHANNEL as
> > > - any other gensec backend
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit f7bf7e705e704d2f1702e42a8e400baff9521066)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 4 ++--
> > > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 6b7fee2..b142774 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -1627,11 +1627,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
> > > -
> > > - case DCERPC_AUTH_TYPE_NONE:
> > > - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
> > > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > > - /* Bind complete. */
> > > - tevent_req_done(req);
> > > - return;
> > > -
> > > -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> > > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > > - case DCERPC_AUTH_TYPE_SPNEGO:
> > > - case DCERPC_AUTH_TYPE_KRB5:
> > > -@@ -1666,11 +1666,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
> > > -
> > > - case DCERPC_AUTH_TYPE_NONE:
> > > - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
> > > -- case DCERPC_AUTH_TYPE_SCHANNEL:
> > > - /* Bind complete. */
> > > - tevent_req_done(req);
> > > - return;
> > > -
> > > -+ case DCERPC_AUTH_TYPE_SCHANNEL:
> > > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > > - case DCERPC_AUTH_TYPE_KRB5:
> > > - case DCERPC_AUTH_TYPE_SPNEGO:
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 044ca24f9d8a3bf57d6981c89e6dcc5e4477059d Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 3 Jan 2014 22:41:33 +0100
> > > -Subject: [PATCH 155/249] s3:rpc_client: implement
> > > - DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 61bdbc23cd09a594a63f49ff8626934c85a8e51a)
> > > ----
> > > - source3/librpc/rpc/dcerpc.h | 4 +++-
> > > - source3/rpc_client/cli_pipe.c | 44 +++++++++++++++++++++++++++++++++++++------
> > > - 2 files changed, 41 insertions(+), 7 deletions(-)
> > > -
> > > -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
> > > -index b18b7ba..aaf8d68 100644
> > > ---- a/source3/librpc/rpc/dcerpc.h
> > > -+++ b/source3/librpc/rpc/dcerpc.h
> > > -@@ -39,7 +39,9 @@ struct NL_AUTH_MESSAGE;
> > > - struct pipe_auth_data {
> > > - enum dcerpc_AuthType auth_type;
> > > - enum dcerpc_AuthLevel auth_level;
> > > --
> > > -+ bool client_hdr_signing;
> > > -+ bool hdr_signing;
> > > -+
> > > - void *auth_ctx;
> > > -
> > > - /* Only the client code uses these 3 for now */
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index b142774..1cab580 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -1002,16 +1002,31 @@ static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
> > > -
> > > - static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
> > > - TALLOC_CTX *mem_ctx,
> > > -- DATA_BLOB *auth_token)
> > > -+ DATA_BLOB *auth_token,
> > > -+ bool *client_hdr_signing)
> > > - {
> > > - struct gensec_security *gensec_security;
> > > - DATA_BLOB null_blob = data_blob_null;
> > > -+ NTSTATUS status;
> > > -
> > > - gensec_security = talloc_get_type_abort(cli->auth->auth_ctx,
> > > - struct gensec_security);
> > > -
> > > - DEBUG(5, ("create_generic_auth_rpc_bind_req: generate first token\n"));
> > > -- return gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
> > > -+ status = gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
> > > -+
> > > -+ if (!NT_STATUS_IS_OK(status) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
> > > -+ {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ if (client_hdr_signing != NULL) {
> > > -+ *client_hdr_signing = gensec_have_feature(gensec_security,
> > > -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> > > -+ }
> > > -+
> > > -+ return status;
> > > - }
> > > -
> > > - /*******************************************************************
> > > -@@ -1024,17 +1039,23 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
> > > - const struct ndr_syntax_id *abstract,
> > > - const struct ndr_syntax_id *transfer,
> > > - const DATA_BLOB *auth_info,
> > > -+ bool client_hdr_signing,
> > > - DATA_BLOB *blob)
> > > - {
> > > - uint16 auth_len = auth_info->length;
> > > - NTSTATUS status;
> > > - union dcerpc_payload u;
> > > - struct dcerpc_ctx_list ctx_list;
> > > -+ uint8_t pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
> > > -
> > > - if (auth_len) {
> > > - auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
> > > - }
> > > -
> > > -+ if (client_hdr_signing) {
> > > -+ pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > > -+ }
> > > -+
> > > - ctx_list.context_id = 0;
> > > - ctx_list.num_transfer_syntaxes = 1;
> > > - ctx_list.abstract_syntax = *abstract;
> > > -@@ -1048,9 +1069,7 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
> > > - u.bind.auth_info = *auth_info;
> > > -
> > > - status = dcerpc_push_ncacn_packet(mem_ctx,
> > > -- ptype,
> > > -- DCERPC_PFC_FLAG_FIRST |
> > > -- DCERPC_PFC_FLAG_LAST,
> > > -+ ptype, pfc_flags,
> > > - auth_len,
> > > - rpc_call_id,
> > > - &u,
> > > -@@ -1084,7 +1103,9 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
> > > - case DCERPC_AUTH_TYPE_NTLMSSP:
> > > - case DCERPC_AUTH_TYPE_KRB5:
> > > - case DCERPC_AUTH_TYPE_SPNEGO:
> > > -- ret = create_generic_auth_rpc_bind_req(cli, mem_ctx, &auth_token);
> > > -+ ret = create_generic_auth_rpc_bind_req(cli, mem_ctx,
> > > -+ &auth_token,
> > > -+ &auth->client_hdr_signing);
> > > -
> > > - if (!NT_STATUS_IS_OK(ret) &&
> > > - !NT_STATUS_EQUAL(ret, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
> > > -@@ -1126,6 +1147,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
> > > - abstract,
> > > - transfer,
> > > - &auth_info,
> > > -+ auth->client_hdr_signing,
> > > - rpc_out);
> > > - return ret;
> > > - }
> > > -@@ -1507,6 +1529,7 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
> > > - abstract,
> > > - transfer,
> > > - &auth_info,
> > > -+ false, /* client_hdr_signing */
> > > - rpc_out);
> > > - data_blob_free(&auth_info);
> > > - return status;
> > > -@@ -1676,6 +1699,15 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
> > > - case DCERPC_AUTH_TYPE_SPNEGO:
> > > - gensec_security = talloc_get_type_abort(pauth->auth_ctx,
> > > - struct gensec_security);
> > > -+
> > > -+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
> > > -+ if (pauth->client_hdr_signing) {
> > > -+ pauth->hdr_signing = true;
> > > -+ gensec_want_feature(gensec_security,
> > > -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> > > -+ }
> > > -+ }
> > > -+
> > > - status = gensec_update(gensec_security, state, NULL,
> > > - auth.credentials, &auth_token);
> > > - if (NT_STATUS_EQUAL(status,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 472b11d1b0fdbb1ca61e64979e4b5fd7dc1756a5 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 3 Jan 2014 22:56:03 +0100
> > > -Subject: [PATCH 156/249] s3:rpc_server: add support for
> > > - DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
> > > -
> > > -If the backend supports it there's no reason to avoid it.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 523d616268af5f94e11c863f9acdebabace80608)
> > > ----
> > > - source3/rpc_server/srv_pipe.c | 25 ++++++++++++++++++++++---
> > > - 1 file changed, 22 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
> > > -index 5f834fb..f572819 100644
> > > ---- a/source3/rpc_server/srv_pipe.c
> > > -+++ b/source3/rpc_server/srv_pipe.c
> > > -@@ -42,6 +42,7 @@
> > > - #include "rpc_server/rpc_contexts.h"
> > > - #include "lib/param/param.h"
> > > - #include "librpc/ndr/ndr_table.h"
> > > -+#include "auth/gensec/gensec.h"
> > > -
> > > - #undef DBGC_CLASS
> > > - #define DBGC_CLASS DBGC_RPC_SRV
> > > -@@ -418,10 +419,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
> > > - *******************************************************************/
> > > -
> > > - static bool pipe_auth_generic_bind(struct pipes_struct *p,
> > > -- TALLOC_CTX *mem_ctx,
> > > -+ struct ncacn_packet *pkt,
> > > - struct dcerpc_auth *auth_info,
> > > - DATA_BLOB *response)
> > > - {
> > > -+ TALLOC_CTX *mem_ctx = pkt;
> > > - struct gensec_security *gensec_security = NULL;
> > > - NTSTATUS status;
> > > -
> > > -@@ -444,6 +446,17 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
> > > - p->auth.auth_ctx = gensec_security;
> > > - p->auth.auth_type = auth_info->auth_type;
> > > -
> > > -+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
> > > -+ p->auth.client_hdr_signing = true;
> > > -+ p->auth.hdr_signing = gensec_have_feature(gensec_security,
> > > -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> > > -+ }
> > > -+
> > > -+ if (p->auth.hdr_signing) {
> > > -+ gensec_want_feature(gensec_security,
> > > -+ GENSEC_FEATURE_SIGN_PKT_HEADER);
> > > -+ }
> > > -+
> > > - return true;
> > > - }
> > > -
> > > -@@ -548,6 +561,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > > - unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
> > > - NTSTATUS status;
> > > - struct ndr_syntax_id id;
> > > -+ uint8_t pfc_flags = 0;
> > > - union dcerpc_payload u;
> > > - struct dcerpc_ack_ctx bind_ack_ctx;
> > > - DATA_BLOB auth_resp = data_blob_null;
> > > -@@ -792,10 +806,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
> > > - * header and are never sending more than one PDU here.
> > > - */
> > > -
> > > -+ pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
> > > -+
> > > -+ if (p->auth.hdr_signing) {
> > > -+ pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
> > > -+ }
> > > -+
> > > - status = dcerpc_push_ncacn_packet(p->mem_ctx,
> > > - DCERPC_PKT_BIND_ACK,
> > > -- DCERPC_PFC_FLAG_FIRST |
> > > -- DCERPC_PFC_FLAG_LAST,
> > > -+ pfc_flags,
> > > - auth_resp.length,
> > > - pkt->call_id,
> > > - &u,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4e6bea89ffcca074e0320b98e65485f348a469a5 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 3 Jan 2014 09:25:23 +0100
> > > -Subject: [PATCH 157/249] librpc/ndr: add
> > > - LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
> > > -
> > > -This lets ndr_pull_subcontext_end() make sure that all
> > > -subcontext bytes are consumed otherwise it returns NDR_ERR_UNREAD_BYTES.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit b62308ed994e9734dfd934d230531010d9e7cefa)
> > > ----
> > > - librpc/idl/idl_types.h | 2 ++
> > > - librpc/ndr/libndr.h | 6 ++++++
> > > - librpc/ndr/ndr.c | 20 ++++++++++++++++++++
> > > - 3 files changed, 28 insertions(+)
> > > -
> > > -diff --git a/librpc/idl/idl_types.h b/librpc/idl/idl_types.h
> > > -index c50efac..838c219 100644
> > > ---- a/librpc/idl/idl_types.h
> > > -+++ b/librpc/idl/idl_types.h
> > > -@@ -53,3 +53,5 @@
> > > -
> > > - #define NDR_RELATIVE_REVERSE LIBNDR_FLAG_RELATIVE_REVERSE
> > > - #define NDR_NO_RELATIVE_REVERSE LIBNDR_FLAG_NO_RELATIVE_REVERSE
> > > -+
> > > -+#define NDR_SUBCONTEXT_NO_UNREAD_BYTES LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
> > > -diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h
> > > -index a950519..8070c3c 100644
> > > ---- a/librpc/ndr/libndr.h
> > > -+++ b/librpc/ndr/libndr.h
> > > -@@ -123,6 +123,12 @@ struct ndr_print {
> > > - #define LIBNDR_FLAG_STR_RAW8 (1<<13)
> > > - #define LIBNDR_STRING_FLAGS (0x7FFC)
> > > -
> > > -+/*
> > > -+ * This lets ndr_pull_subcontext_end() return
> > > -+ * NDR_ERR_UNREAD_BYTES.
> > > -+ */
> > > -+#define LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES (1<<17)
> > > -+
> > > - /* set if relative pointers should *not* be marshalled in reverse order */
> > > - #define LIBNDR_FLAG_NO_RELATIVE_REVERSE (1<<18)
> > > -
> > > -diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
> > > -index e86cf2f..15a7f12 100644
> > > ---- a/librpc/ndr/ndr.c
> > > -+++ b/librpc/ndr/ndr.c
> > > -@@ -638,6 +638,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
> > > - ssize_t size_is)
> > > - {
> > > - uint32_t advance;
> > > -+ uint32_t highest_ofs;
> > > -+
> > > - if (size_is >= 0) {
> > > - advance = size_is;
> > > - } else if (header_size > 0) {
> > > -@@ -645,6 +647,24 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
> > > - } else {
> > > - advance = subndr->offset;
> > > - }
> > > -+
> > > -+ if (subndr->offset > ndr->relative_highest_offset) {
> > > -+ highest_ofs = subndr->offset;
> > > -+ } else {
> > > -+ highest_ofs = subndr->relative_highest_offset;
> > > -+ }
> > > -+ if (!(subndr->flags & LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES)) {
> > > -+ /*
> > > -+ * avoid an error unless SUBCONTEXT_NO_UNREAD_BYTES is specified
> > > -+ */
> > > -+ highest_ofs = advance;
> > > -+ }
> > > -+ if (highest_ofs < advance) {
> > > -+ return ndr_pull_error(subndr, NDR_ERR_UNREAD_BYTES,
> > > -+ "not all bytes consumed ofs[%u] advance[%u]",
> > > -+ highest_ofs, advance);
> > > -+ }
> > > -+
> > > - NDR_CHECK(ndr_pull_advance(ndr, advance));
> > > - return NDR_ERR_SUCCESS;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 5960d93d9cddca327ad8d24a41c64421ac6bb561 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 3 Jan 2014 15:06:23 +0100
> > > -Subject: [PATCH 158/249] dcerpc.idl: add documentation references
> > > -
> > > -To [C706 - DCE 1.1: Remote Procedure Call] and [MS-RPCE].
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 66c39420e29e7c257d9cdc5d04c061472bbefd19)
> > > ----
> > > - librpc/idl/dcerpc.idl | 13 +++++++++++--
> > > - 1 file changed, 11 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
> > > -index 86f22a4..23cac89 100644
> > > ---- a/librpc/idl/dcerpc.idl
> > > -+++ b/librpc/idl/dcerpc.idl
> > > -@@ -5,8 +5,17 @@
> > > - but given that pidl can handle it nicely it simplifies things a lot
> > > - to do it this way
> > > -
> > > -- see http://www.opengroup.org/onlinepubs/9629399/chap12.htm for packet
> > > -- layouts
> > > -+ See [C706 - DCE 1.1: Remote Procedure Call] for the OpenGroup
> > > -+ DCERPC specification:
> > > -+ http://pubs.opengroup.org/onlinepubs/9629399/toc.htm
> > > -+
> > > -+ See C706 - Chapter 12: RPC PDU Encodings for packet layouts:
> > > -+ http://www.opengroup.org/onlinepubs/9629399/chap12.htm
> > > -+
> > > -+ See also [MS-RPCE] for the Microsoft
> > > -+ "Remote Procedure Call Protocol Extensions".
> > > -+ http://msdn.microsoft.com/en-us/library/cc243560.aspx
> > > -+
> > > - */
> > > - import "misc.idl";
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 812cb7e6010b39fb752cf85026fd8d8a5dccbb39 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 2 Jan 2014 11:18:38 +0100
> > > -Subject: [PATCH 159/249] dcerpc.idl: add dcerpc_sec_verification_trailer
> > > -
> > > -See [MS-RPCE] 2.2.2.13 Verification Trailer for details.
> > > -
> > > -Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>
> > > -
> > > -Signed-off-by: Gregor Beck <gbeck@sernet.de>
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit c0dc2fb7e1dadcef35a132040448cb27ff1d5bfa)
> > > ----
> > > - librpc/idl/dcerpc.idl | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
> > > - librpc/ndr/ndr_dcerpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
> > > - librpc/wscript_build | 2 +-
> > > - 3 files changed, 134 insertions(+), 1 deletion(-)
> > > - create mode 100644 librpc/ndr/ndr_dcerpc.c
> > > -
> > > -diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
> > > -index 23cac89..8e9be0e 100644
> > > ---- a/librpc/idl/dcerpc.idl
> > > -+++ b/librpc/idl/dcerpc.idl
> > > -@@ -19,6 +19,8 @@
> > > - */
> > > - import "misc.idl";
> > > -
> > > -+cpp_quote("extern const uint8_t DCERPC_SEC_VT_MAGIC[8];")
> > > -+
> > > - interface dcerpc
> > > - {
> > > - typedef struct {
> > > -@@ -514,4 +516,69 @@ interface dcerpc
> > > - uint8 serial_low;
> > > - [switch_is(ptype)] dcerpc_payload u;
> > > - } ncadg_packet;
> > > -+
> > > -+ typedef [bitmap16bit] bitmap {
> > > -+ DCERPC_SEC_VT_COMMAND_ENUM = 0x3FFF,
> > > -+ DCERPC_SEC_VT_COMMAND_END = 0x4000,
> > > -+ DCERPC_SEC_VT_MUST_PROCESS = 0x8000
> > > -+ } dcerpc_sec_vt_command;
> > > -+
> > > -+ typedef [enum16bit] enum {
> > > -+ DCERPC_SEC_VT_COMMAND_BITMASK1 = 0x0001,
> > > -+ DCERPC_SEC_VT_COMMAND_PCONTEXT = 0x0002,
> > > -+ DCERPC_SEC_VT_COMMAND_HEADER2 = 0x0003
> > > -+ } dcerpc_sec_vt_command_enum;
> > > -+
> > > -+ typedef [bitmap32bit] bitmap {
> > > -+ DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING = 0x00000001
> > > -+ } dcerpc_sec_vt_bitmask1;
> > > -+
> > > -+ typedef struct {
> > > -+ ndr_syntax_id abstract_syntax;
> > > -+ ndr_syntax_id transfer_syntax;
> > > -+ } dcerpc_sec_vt_pcontext;
> > > -+
> > > -+ typedef struct {
> > > -+ dcerpc_pkt_type ptype; /* Packet type */
> > > -+ [value(0)] uint8 reserved1;
> > > -+ [value(0)] uint16 reserved2;
> > > -+ uint8 drep[4]; /* NDR data representation */
> > > -+ uint32 call_id; /* Call identifier */
> > > -+ uint16 context_id;
> > > -+ uint16 opnum;
> > > -+ } dcerpc_sec_vt_header2;
> > > -+
> > > -+ typedef [switch_type(dcerpc_sec_vt_command_enum),nodiscriminant] union {
> > > -+ [case(DCERPC_SEC_VT_COMMAND_BITMASK1)] dcerpc_sec_vt_bitmask1 bitmask1;
> > > -+ [case(DCERPC_SEC_VT_COMMAND_PCONTEXT)] dcerpc_sec_vt_pcontext pcontext;
> > > -+ [case(DCERPC_SEC_VT_COMMAND_HEADER2)] dcerpc_sec_vt_header2 header2;
> > > -+ [default,flag(NDR_REMAINING)] DATA_BLOB _unknown;
> > > -+ } dcerpc_sec_vt_union;
> > > -+
> > > -+ typedef struct {
> > > -+ dcerpc_sec_vt_command command;
> > > -+ [switch_is(command & DCERPC_SEC_VT_COMMAND_ENUM)]
> > > -+ [subcontext(2),flag(NDR_SUBCONTEXT_NO_UNREAD_BYTES)]
> > > -+ dcerpc_sec_vt_union u;
> > > -+ } dcerpc_sec_vt;
> > > -+
> > > -+ typedef [public,nopush,nopull] struct {
> > > -+ uint16 count;
> > > -+ } dcerpc_sec_vt_count;
> > > -+
> > > -+ /*
> > > -+ * We assume that the whole verification trailer fits into
> > > -+ * the last 1024 bytes after the stub data.
> > > -+ *
> > > -+ * There're currently only 3 commands defined and each should
> > > -+ * only be used once.
> > > -+ */
> > > -+ const uint16 DCERPC_SEC_VT_MAX_SIZE = 1024;
> > > -+
> > > -+ typedef [public,flag(NDR_PAHEX)] struct {
> > > -+ [flag(NDR_ALIGN4)] DATA_BLOB _pad;
> > > -+ [value(DCERPC_SEC_VT_MAGIC)] uint8 magic[8];
> > > -+ dcerpc_sec_vt_count count;
> > > -+ dcerpc_sec_vt commands[count.count];
> > > -+ } dcerpc_sec_verification_trailer;
> > > - }
> > > -diff --git a/librpc/ndr/ndr_dcerpc.c b/librpc/ndr/ndr_dcerpc.c
> > > -new file mode 100644
> > > -index 0000000..88a7f38
> > > ---- /dev/null
> > > -+++ b/librpc/ndr/ndr_dcerpc.c
> > > -@@ -0,0 +1,66 @@
> > > -+/*
> > > -+ Unix SMB/CIFS implementation.
> > > -+
> > > -+ Manually parsed structures found in the DCERPC protocol
> > > -+
> > > -+ Copyright (C) Stefan Metzmacher 2014
> > > -+ Copyright (C) Gregor Beck 2014
> > > -+
> > > -+ This program is free software; you can redistribute it and/or modify
> > > -+ it under the terms of the GNU General Public License as published by
> > > -+ the Free Software Foundation; either version 3 of the License, or
> > > -+ (at your option) any later version.
> > > -+
> > > -+ This program is distributed in the hope that it will be useful,
> > > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > > -+ GNU General Public License for more details.
> > > -+
> > > -+ You should have received a copy of the GNU General Public License
> > > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > > -+*/
> > > -+
> > > -+#include "includes.h"
> > > -+#include "bin/default/librpc/gen_ndr/ndr_dcerpc.h"
> > > -+
> > > -+#include "librpc/gen_ndr/ndr_misc.h"
> > > -+
> > > -+const uint8_t DCERPC_SEC_VT_MAGIC[] = {0x8a,0xe3,0x13,0x71,0x02,0xf4,0x36,0x71};
> > > -+
> > > -+_PUBLIC_ enum ndr_err_code ndr_push_dcerpc_sec_vt_count(struct ndr_push *ndr, int ndr_flags, const struct dcerpc_sec_vt_count *r)
> > > -+{
> > > -+ NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
> > > -+ /* nothing */
> > > -+ return NDR_ERR_SUCCESS;
> > > -+}
> > > -+
> > > -+_PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_sec_vt_count(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_sec_vt_count *r)
> > > -+{
> > > -+ uint32_t _saved_ofs = ndr->offset;
> > > -+
> > > -+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
> > > -+
> > > -+ if (!(ndr_flags & NDR_SCALARS)) {
> > > -+ return NDR_ERR_SUCCESS;
> > > -+ }
> > > -+
> > > -+ r->count = 0;
> > > -+
> > > -+ while (true) {
> > > -+ uint16_t command;
> > > -+ uint16_t length;
> > > -+
> > > -+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &command));
> > > -+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &length));
> > > -+ NDR_CHECK(ndr_pull_advance(ndr, length));
> > > -+
> > > -+ r->count += 1;
> > > -+
> > > -+ if (command & DCERPC_SEC_VT_COMMAND_END) {
> > > -+ break;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ ndr->offset = _saved_ofs;
> > > -+ return NDR_ERR_SUCCESS;
> > > -+}
> > > -diff --git a/librpc/wscript_build b/librpc/wscript_build
> > > -index 2017a29..a5cf687 100644
> > > ---- a/librpc/wscript_build
> > > -+++ b/librpc/wscript_build
> > > -@@ -301,7 +301,7 @@ bld.SAMBA_SUBSYSTEM('NDR_FSRVP',
> > > - )
> > > -
> > > - bld.SAMBA_SUBSYSTEM('NDR_DCERPC',
> > > -- source='gen_ndr/ndr_dcerpc.c',
> > > -+ source='gen_ndr/ndr_dcerpc.c ndr/ndr_dcerpc.c',
> > > - public_deps='ndr',
> > > - public_headers='gen_ndr/ndr_dcerpc.h gen_ndr/dcerpc.h',
> > > - header_path= [ ('*gen_ndr*', 'gen_ndr') ],
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 3480b809bd9426ce6b976b9965a54de32d246a66 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sun, 5 Jan 2014 07:57:51 +0100
> > > -Subject: [PATCH 160/249] s3:rpc_client: fill alloc_hint with the remaining
> > > - data not the total data.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit f0532fe0cd69aeb161088ca990d376f119102e61)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 1cab580..5edd897 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -1277,7 +1277,7 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > > -
> > > - ZERO_STRUCT(u.request);
> > > -
> > > -- u.request.alloc_hint = state->req_data->length;
> > > -+ u.request.alloc_hint = data_left;
> > > - u.request.context_id = 0;
> > > - u.request.opnum = state->op_num;
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From bd675cd6e4848bee8798dacf1768556de48f3112 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sun, 5 Jan 2014 08:12:45 +0100
> > > -Subject: [PATCH 161/249] s3:rpc_client: send a dcerpc_sec_verification_trailer
> > > - if needed
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -
> > > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > > -Autobuild-Date(master): Tue Jan 7 02:24:42 CET 2014 on sn-devel-104
> > > -(cherry picked from commit 6ab9164c74e0ad57bdde8abb568953026b644e27)
> > > ----
> > > - source3/librpc/rpc/dcerpc.h | 1 +
> > > - source3/rpc_client/cli_pipe.c | 202 ++++++++++++++++++++++++++++++++++++++--
> > > - source3/rpc_client/rpc_client.h | 1 +
> > > - 3 files changed, 194 insertions(+), 10 deletions(-)
> > > -
> > > -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
> > > -index aaf8d68..9d0f861 100644
> > > ---- a/source3/librpc/rpc/dcerpc.h
> > > -+++ b/source3/librpc/rpc/dcerpc.h
> > > -@@ -41,6 +41,7 @@ struct pipe_auth_data {
> > > - enum dcerpc_AuthLevel auth_level;
> > > - bool client_hdr_signing;
> > > - bool hdr_signing;
> > > -+ bool verified_bitmask1;
> > > -
> > > - void *auth_ctx;
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 5edd897..a45023f 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -1166,12 +1166,17 @@ struct rpc_api_pipe_req_state {
> > > - uint32_t call_id;
> > > - const DATA_BLOB *req_data;
> > > - uint32_t req_data_sent;
> > > -+ DATA_BLOB req_trailer;
> > > -+ uint32_t req_trailer_sent;
> > > -+ bool verify_bitmask1;
> > > -+ bool verify_pcontext;
> > > - DATA_BLOB rpc_out;
> > > - DATA_BLOB reply_pdu;
> > > - };
> > > -
> > > - static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
> > > - static void rpc_api_pipe_req_done(struct tevent_req *subreq);
> > > -+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state);
> > > - static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > > - bool *is_last_frag);
> > > -
> > > -@@ -1207,6 +1212,11 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> > > - goto post_status;
> > > - }
> > > -
> > > -+ status = prepare_verification_trailer(state);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ goto post_status;
> > > -+ }
> > > -+
> > > - status = prepare_next_frag(state, &is_last_frag);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - goto post_status;
> > > -@@ -1241,25 +1251,164 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
> > > - return NULL;
> > > - }
> > > -
> > > -+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state)
> > > -+{
> > > -+ struct pipe_auth_data *a = state->cli->auth;
> > > -+ struct dcerpc_sec_verification_trailer *t;
> > > -+ struct dcerpc_sec_vt *c = NULL;
> > > -+ struct ndr_push *ndr = NULL;
> > > -+ enum ndr_err_code ndr_err;
> > > -+ size_t align = 0;
> > > -+ size_t pad = 0;
> > > -+
> > > -+ if (a == NULL) {
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+
> > > -+ if (a->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+
> > > -+ t = talloc_zero(state, struct dcerpc_sec_verification_trailer);
> > > -+ if (t == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ if (!a->verified_bitmask1) {
> > > -+ t->commands = talloc_realloc(t, t->commands,
> > > -+ struct dcerpc_sec_vt,
> > > -+ t->count.count + 1);
> > > -+ if (t->commands == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ c = &t->commands[t->count.count++];
> > > -+ ZERO_STRUCTP(c);
> > > -+
> > > -+ c->command = DCERPC_SEC_VT_COMMAND_BITMASK1;
> > > -+ if (a->client_hdr_signing) {
> > > -+ c->u.bitmask1 = DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING;
> > > -+ }
> > > -+ state->verify_bitmask1 = true;
> > > -+ }
> > > -+
> > > -+ if (!state->cli->verified_pcontext) {
> > > -+ t->commands = talloc_realloc(t, t->commands,
> > > -+ struct dcerpc_sec_vt,
> > > -+ t->count.count + 1);
> > > -+ if (t->commands == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ c = &t->commands[t->count.count++];
> > > -+ ZERO_STRUCTP(c);
> > > -+
> > > -+ c->command = DCERPC_SEC_VT_COMMAND_PCONTEXT;
> > > -+ c->u.pcontext.abstract_syntax = state->cli->abstract_syntax;
> > > -+ c->u.pcontext.transfer_syntax = state->cli->transfer_syntax;
> > > -+
> > > -+ state->verify_pcontext = true;
> > > -+ }
> > > -+
> > > -+ if (!a->hdr_signing) {
> > > -+ t->commands = talloc_realloc(t, t->commands,
> > > -+ struct dcerpc_sec_vt,
> > > -+ t->count.count + 1);
> > > -+ if (t->commands == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ c = &t->commands[t->count.count++];
> > > -+ ZERO_STRUCTP(c);
> > > -+
> > > -+ c->command = DCERPC_SEC_VT_COMMAND_HEADER2;
> > > -+ c->u.header2.ptype = DCERPC_PKT_REQUEST;
> > > -+ c->u.header2.drep[0] = DCERPC_DREP_LE;
> > > -+ c->u.header2.drep[1] = 0;
> > > -+ c->u.header2.drep[2] = 0;
> > > -+ c->u.header2.drep[3] = 0;
> > > -+ c->u.header2.call_id = state->call_id;
> > > -+ c->u.header2.context_id = 0;
> > > -+ c->u.header2.opnum = state->op_num;
> > > -+ }
> > > -+
> > > -+ if (t->count.count == 0) {
> > > -+ TALLOC_FREE(t);
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+
> > > -+ c = &t->commands[t->count.count - 1];
> > > -+ c->command |= DCERPC_SEC_VT_COMMAND_END;
> > > -+
> > > -+ if (DEBUGLEVEL >= 10) {
> > > -+ NDR_PRINT_DEBUG(dcerpc_sec_verification_trailer, t);
> > > -+ }
> > > -+
> > > -+ ndr = ndr_push_init_ctx(state);
> > > -+ if (ndr == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ ndr_err = ndr_push_dcerpc_sec_verification_trailer(ndr,
> > > -+ NDR_SCALARS | NDR_BUFFERS,
> > > -+ t);
> > > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -+ return ndr_map_error2ntstatus(ndr_err);
> > > -+ }
> > > -+ state->req_trailer = ndr_push_blob(ndr);
> > > -+
> > > -+ align = state->req_data->length & 0x3;
> > > -+ if (align > 0) {
> > > -+ pad = 4 - align;
> > > -+ }
> > > -+ if (pad > 0) {
> > > -+ bool ok;
> > > -+ uint8_t *p;
> > > -+ const uint8_t zeros[4] = { 0, };
> > > -+
> > > -+ ok = data_blob_append(ndr, &state->req_trailer, zeros, pad);
> > > -+ if (!ok) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ /* move the padding to the start */
> > > -+ p = state->req_trailer.data;
> > > -+ memmove(p + pad, p, state->req_trailer.length - pad);
> > > -+ memset(p, 0, pad);
> > > -+ }
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > - static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > > - bool *is_last_frag)
> > > - {
> > > -- size_t data_sent_thistime;
> > > - size_t auth_len;
> > > - size_t frag_len;
> > > - uint8_t flags = 0;
> > > - size_t pad_len;
> > > - size_t data_left;
> > > -+ size_t data_thistime;
> > > -+ size_t trailer_left;
> > > -+ size_t trailer_thistime = 0;
> > > -+ size_t total_left;
> > > -+ size_t total_thistime;
> > > - NTSTATUS status;
> > > -+ bool ok;
> > > - union dcerpc_payload u;
> > > -
> > > - data_left = state->req_data->length - state->req_data_sent;
> > > -+ trailer_left = state->req_trailer.length - state->req_trailer_sent;
> > > -+ total_left = data_left + trailer_left;
> > > -+ if ((total_left < data_left) || (total_left < trailer_left)) {
> > > -+ /*
> > > -+ * overflow
> > > -+ */
> > > -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> > > -+ }
> > > -
> > > - status = dcerpc_guess_sizes(state->cli->auth,
> > > -- DCERPC_REQUEST_LENGTH, data_left,
> > > -+ DCERPC_REQUEST_LENGTH, total_left,
> > > - state->cli->max_xmit_frag,
> > > - CLIENT_NDR_PADDING_SIZE,
> > > -- &data_sent_thistime,
> > > -+ &total_thistime,
> > > - &frag_len, &auth_len, &pad_len);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > -@@ -1269,15 +1418,20 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > > - flags = DCERPC_PFC_FLAG_FIRST;
> > > - }
> > > -
> > > -- if (data_sent_thistime == data_left) {
> > > -+ if (total_thistime == total_left) {
> > > - flags |= DCERPC_PFC_FLAG_LAST;
> > > - }
> > > -
> > > -+ data_thistime = MIN(total_thistime, data_left);
> > > -+ if (data_thistime < total_thistime) {
> > > -+ trailer_thistime = total_thistime - data_thistime;
> > > -+ }
> > > -+
> > > - data_blob_free(&state->rpc_out);
> > > -
> > > - ZERO_STRUCT(u.request);
> > > -
> > > -- u.request.alloc_hint = data_left;
> > > -+ u.request.alloc_hint = total_left;
> > > - u.request.context_id = 0;
> > > - u.request.opnum = state->op_num;
> > > -
> > > -@@ -1297,11 +1451,26 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > > - * at this stage */
> > > - dcerpc_set_frag_length(&state->rpc_out, frag_len);
> > > -
> > > -- /* Copy in the data. */
> > > -- if (!data_blob_append(NULL, &state->rpc_out,
> > > -+ if (data_thistime > 0) {
> > > -+ /* Copy in the data. */
> > > -+ ok = data_blob_append(NULL, &state->rpc_out,
> > > - state->req_data->data + state->req_data_sent,
> > > -- data_sent_thistime)) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -+ data_thistime);
> > > -+ if (!ok) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ state->req_data_sent += data_thistime;
> > > -+ }
> > > -+
> > > -+ if (trailer_thistime > 0) {
> > > -+ /* Copy in the verification trailer. */
> > > -+ ok = data_blob_append(NULL, &state->rpc_out,
> > > -+ state->req_trailer.data + state->req_trailer_sent,
> > > -+ trailer_thistime);
> > > -+ if (!ok) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ state->req_trailer_sent += trailer_thistime;
> > > - }
> > > -
> > > - switch (state->cli->auth->auth_level) {
> > > -@@ -1321,7 +1490,6 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
> > > - return NT_STATUS_INVALID_PARAMETER;
> > > - }
> > > -
> > > -- state->req_data_sent += data_sent_thistime;
> > > - *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
> > > -
> > > - return status;
> > > -@@ -1385,6 +1553,20 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
> > > - tevent_req_nterror(req, status);
> > > - return;
> > > - }
> > > -+
> > > -+ if (state->cli->auth == NULL) {
> > > -+ tevent_req_done(req);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (state->verify_bitmask1) {
> > > -+ state->cli->auth->verified_bitmask1 = true;
> > > -+ }
> > > -+
> > > -+ if (state->verify_pcontext) {
> > > -+ state->cli->verified_pcontext = true;
> > > -+ }
> > > -+
> > > - tevent_req_done(req);
> > > - }
> > > -
> > > -diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
> > > -index 6561b28..8024f01 100644
> > > ---- a/source3/rpc_client/rpc_client.h
> > > -+++ b/source3/rpc_client/rpc_client.h
> > > -@@ -39,6 +39,7 @@ struct rpc_pipe_client {
> > > -
> > > - struct ndr_syntax_id abstract_syntax;
> > > - struct ndr_syntax_id transfer_syntax;
> > > -+ bool verified_pcontext;
> > > -
> > > - char *desthost;
> > > - char *srv_name_slash;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 3df8f8c1dda254a85e4fa02b74d23a4802bc595c Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 18 Apr 2013 19:16:42 +0200
> > > -Subject: [PATCH 162/249] libcli/auth: add netlogon_creds_cli* infrastructure
> > > -
> > > -This provides an abstraction to hide netlogon_creds_CredentialState,
> > > -which is stored in a node local tdb.
> > > -
> > > -Where the global state (netlogon_creds_CredentialState) between client and
> > > -server was only kept in memory (on the client side), we now use
> > > -the abstracted netlogon_creds_cli_context.
> > > -
> > > -We now use a node specific computer name in order to establish
> > > -individual netlogon sessions per node.
> > > -
> > > -If the caller wants to use some netlogon calls with credential chain
> > > -(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
> > > -to get the current netlogon_creds_CredentialState in a g_lock'ed
> > > -fashion, a talloc_free() will release the lock.
> > > -
> > > -The locking is needed as there might be more than one process
> > > -(multiple winbindd child, cmdline tools) which want to talk
> > > -to a specific domain controller. The usage of netlogon_creds_CredentialState
> > > -needs to be serialized as it uses sequence numbers.
> > > -
> > > -LogonSamLogonEx doesn't use the credential chain, but for some operations
> > > -it needs the global session in order to de/encrypt individual fields.
> > > -It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
> > > -functions, which just make sure the session hasn't changed between
> > > -get and validate.
> > > -
> > > -This is prepares the proper fix for a large number of bugs:
> > > -https://bugzilla.samba.org/show_bug.cgi?id=6563
> > > -https://bugzilla.samba.org/show_bug.cgi?id=7944
> > > -https://bugzilla.samba.org/show_bug.cgi?id=7945
> > > -https://bugzilla.samba.org/show_bug.cgi?id=7568
> > > -https://bugzilla.samba.org/show_bug.cgi?id=8599
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 6e6d9f9f12284ed06a21cc02080e436b7326065f)
> > > ----
> > > - libcli/auth/netlogon_creds_cli.c | 2596 ++++++++++++++++++++++++++++++++++++++
> > > - libcli/auth/netlogon_creds_cli.h | 138 ++
> > > - libcli/auth/wscript_build | 4 +
> > > - 3 files changed, 2738 insertions(+)
> > > - create mode 100644 libcli/auth/netlogon_creds_cli.c
> > > - create mode 100644 libcli/auth/netlogon_creds_cli.h
> > > -
> > > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > > -new file mode 100644
> > > -index 0000000..75d6b2c
> > > ---- /dev/null
> > > -+++ b/libcli/auth/netlogon_creds_cli.c
> > > -@@ -0,0 +1,2596 @@
> > > -+/*
> > > -+ Unix SMB/CIFS implementation.
> > > -+
> > > -+ module to store/fetch session keys for the schannel client
> > > -+
> > > -+ Copyright (C) Stefan Metzmacher 2013
> > > -+
> > > -+ This program is free software; you can redistribute it and/or modify
> > > -+ it under the terms of the GNU General Public License as published by
> > > -+ the Free Software Foundation; either version 3 of the License, or
> > > -+ (at your option) any later version.
> > > -+
> > > -+ This program is distributed in the hope that it will be useful,
> > > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > > -+ GNU General Public License for more details.
> > > -+
> > > -+ You should have received a copy of the GNU General Public License
> > > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > > -+*/
> > > -+
> > > -+#include "includes.h"
> > > -+#include "system/filesys.h"
> > > -+#include <tevent.h>
> > > -+#include "lib/util/tevent_ntstatus.h"
> > > -+#include "lib/dbwrap/dbwrap.h"
> > > -+#include "lib/dbwrap/dbwrap_rbt.h"
> > > -+#include "lib/util/util_tdb.h"
> > > -+#include "libcli/security/security.h"
> > > -+#include "../lib/param/param.h"
> > > -+#include "../libcli/auth/schannel.h"
> > > -+#include "../librpc/gen_ndr/ndr_schannel.h"
> > > -+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
> > > -+#include "../librpc/gen_ndr/server_id.h"
> > > -+#include "netlogon_creds_cli.h"
> > > -+#include "source3/include/messages.h"
> > > -+#include "source3/include/g_lock.h"
> > > -+
> > > -+struct netlogon_creds_cli_locked_state;
> > > -+
> > > -+struct netlogon_creds_cli_context {
> > > -+ struct {
> > > -+ const char *computer;
> > > -+ const char *account;
> > > -+ uint32_t proposed_flags;
> > > -+ uint32_t required_flags;
> > > -+ enum netr_SchannelType type;
> > > -+ enum dcerpc_AuthLevel auth_level;
> > > -+ } client;
> > > -+
> > > -+ struct {
> > > -+ const char *computer;
> > > -+ const char *netbios_domain;
> > > -+ uint32_t cached_flags;
> > > -+ bool try_validation6;
> > > -+ bool try_logon_ex;
> > > -+ bool try_logon_with;
> > > -+ } server;
> > > -+
> > > -+ struct {
> > > -+ const char *key_name;
> > > -+ TDB_DATA key_data;
> > > -+ struct db_context *ctx;
> > > -+ struct g_lock_ctx *g_ctx;
> > > -+ struct netlogon_creds_cli_locked_state *locked_state;
> > > -+ } db;
> > > -+};
> > > -+
> > > -+struct netlogon_creds_cli_locked_state {
> > > -+ struct netlogon_creds_cli_context *context;
> > > -+ bool is_glocked;
> > > -+ struct netlogon_creds_CredentialState *creds;
> > > -+};
> > > -+
> > > -+static int netlogon_creds_cli_locked_state_destructor(
> > > -+ struct netlogon_creds_cli_locked_state *state)
> > > -+{
> > > -+ struct netlogon_creds_cli_context *context = state->context;
> > > -+
> > > -+ if (context == NULL) {
> > > -+ return 0;
> > > -+ }
> > > -+
> > > -+ if (context->db.locked_state == state) {
> > > -+ context->db.locked_state = NULL;
> > > -+ }
> > > -+
> > > -+ if (state->is_glocked) {
> > > -+ g_lock_unlock(context->db.g_ctx,
> > > -+ context->db.key_name);
> > > -+ }
> > > -+
> > > -+ return 0;
> > > -+}
> > > -+
> > > -+static NTSTATUS netlogon_creds_cli_context_common(
> > > -+ const char *client_computer,
> > > -+ const char *client_account,
> > > -+ enum netr_SchannelType type,
> > > -+ enum dcerpc_AuthLevel auth_level,
> > > -+ uint32_t proposed_flags,
> > > -+ uint32_t required_flags,
> > > -+ const char *server_computer,
> > > -+ const char *server_netbios_domain,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_cli_context **_context)
> > > -+{
> > > -+ struct netlogon_creds_cli_context *context = NULL;
> > > -+
> > > -+ *_context = NULL;
> > > -+
> > > -+ context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
> > > -+ if (context == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ context->client.computer = talloc_strdup(context, client_computer);
> > > -+ if (context->client.computer == NULL) {
> > > -+ talloc_free(context);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ context->client.account = talloc_strdup(context, client_account);
> > > -+ if (context->client.account == NULL) {
> > > -+ talloc_free(context);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ context->client.proposed_flags = proposed_flags;
> > > -+ context->client.required_flags = required_flags;
> > > -+ context->client.type = type;
> > > -+ context->client.auth_level = auth_level;
> > > -+
> > > -+ context->server.computer = talloc_strdup(context, server_computer);
> > > -+ if (context->server.computer == NULL) {
> > > -+ talloc_free(context);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
> > > -+ if (context->server.netbios_domain == NULL) {
> > > -+ talloc_free(context);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
> > > -+ client_computer,
> > > -+ client_account,
> > > -+ server_computer,
> > > -+ server_netbios_domain);
> > > -+ if (context->db.key_name == NULL) {
> > > -+ talloc_free(context);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ context->db.key_data = string_term_tdb_data(context->db.key_name);
> > > -+
> > > -+ *_context = context;
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+static struct db_context *netlogon_creds_cli_global_db;
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
> > > -+{
> > > -+ char *fname;
> > > -+ struct db_context *global_db;
> > > -+
> > > -+ if (netlogon_creds_cli_global_db != NULL) {
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+
> > > -+ fname = lpcfg_private_db_path(talloc_autofree_context(), lp_ctx, "netlogon_creds_cli");
> > > -+ if (fname == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ global_db = dbwrap_local_open(talloc_autofree_context(), lp_ctx,
> > > -+ fname, 0,
> > > -+ TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > > -+ O_RDWR|O_CREAT,
> > > -+ 0600, DBWRAP_LOCK_ORDER_2);
> > > -+ if (global_db == NULL) {
> > > -+ DEBUG(0,("netlogon_creds_cli_open_global_db: Failed to open %s - %s\n",
> > > -+ fname, strerror(errno)));
> > > -+ talloc_free(fname);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ TALLOC_FREE(fname);
> > > -+
> > > -+ netlogon_creds_cli_global_db = global_db;
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > > -+ struct messaging_context *msg_ctx,
> > > -+ const char *client_account,
> > > -+ enum netr_SchannelType type,
> > > -+ const char *server_computer,
> > > -+ const char *server_netbios_domain,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_cli_context **_context)
> > > -+{
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ NTSTATUS status;
> > > -+ struct netlogon_creds_cli_context *context = NULL;
> > > -+ const char *client_computer;
> > > -+ uint32_t proposed_flags;
> > > -+ uint32_t required_flags = 0;
> > > -+ bool reject_md5_servers = false;
> > > -+ bool require_strong_key = false;
> > > -+ int require_sign_or_seal = true;
> > > -+ bool seal_secure_channel = true;
> > > -+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
> > > -+ bool neutralize_nt4_emulation = false;
> > > -+ struct server_id self = {
> > > -+ .vnn = NONCLUSTER_VNN,
> > > -+ .unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
> > > -+ };
> > > -+
> > > -+ if (msg_ctx != NULL) {
> > > -+ self = messaging_server_id(msg_ctx);
> > > -+ }
> > > -+
> > > -+ *_context = NULL;
> > > -+
> > > -+ if (self.vnn != NONCLUSTER_VNN) {
> > > -+ client_computer = talloc_asprintf(frame,
> > > -+ "%s_cluster_vnn_%u",
> > > -+ lpcfg_netbios_name(lp_ctx),
> > > -+ (unsigned)self.vnn);
> > > -+ if (client_computer == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ } else {
> > > -+ client_computer = lpcfg_netbios_name(lp_ctx);
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * allow overwrite per domain
> > > -+ * reject md5 servers:<netbios_domain>
> > > -+ */
> > > -+ //TODO: add lpcfp_reject_md5_servers()
> > > -+ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
> > > -+ "__default__",
> > > -+ "reject md5 servers",
> > > -+ reject_md5_servers);
> > > -+ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
> > > -+ "reject md5 servers",
> > > -+ server_netbios_domain,
> > > -+ reject_md5_servers);
> > > -+
> > > -+ /*
> > > -+ * allow overwrite per domain
> > > -+ * require strong key:<netbios_domain>
> > > -+ */
> > > -+ //TODO: add lpcfp_require_strong_key()
> > > -+ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
> > > -+ "__default__",
> > > -+ "require strong key",
> > > -+ require_strong_key);
> > > -+ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
> > > -+ "require strong key",
> > > -+ server_netbios_domain,
> > > -+ require_strong_key);
> > > -+
> > > -+ /*
> > > -+ * allow overwrite per domain
> > > -+ * client schannel:<netbios_domain>
> > > -+ */
> > > -+ require_sign_or_seal = lpcfg_client_schannel(lp_ctx);
> > > -+ require_sign_or_seal = lpcfg_parm_int(lp_ctx, NULL,
> > > -+ "client schannel",
> > > -+ server_netbios_domain,
> > > -+ require_sign_or_seal);
> > > -+
> > > -+ /*
> > > -+ * allow overwrite per domain
> > > -+ * winbind sealed pipes:<netbios_domain>
> > > -+ */
> > > -+ seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
> > > -+ seal_secure_channel = lpcfg_parm_bool(lp_ctx, NULL,
> > > -+ "winbind sealed pipes",
> > > -+ server_netbios_domain,
> > > -+ seal_secure_channel);
> > > -+
> > > -+ /*
> > > -+ * allow overwrite per domain
> > > -+ * neutralize nt4 emulation:<netbios_domain>
> > > -+ */
> > > -+ //TODO: add lpcfp_neutralize_nt4_emulation()
> > > -+ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
> > > -+ "__default__",
> > > -+ "neutralize nt4 emulation",
> > > -+ neutralize_nt4_emulation);
> > > -+ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
> > > -+ "neutralize nt4 emulation",
> > > -+ server_netbios_domain,
> > > -+ neutralize_nt4_emulation);
> > > -+
> > > -+ proposed_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> > > -+ proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
> > > -+
> > > -+ switch (type) {
> > > -+ case SEC_CHAN_WKSTA:
> > > -+ if (lpcfg_security(lp_ctx) == SEC_ADS) {
> > > -+ /*
> > > -+ * AD domains should be secure
> > > -+ */
> > > -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> > > -+ require_sign_or_seal = true;
> > > -+ require_strong_key = true;
> > > -+ }
> > > -+ break;
> > > -+
> > > -+ case SEC_CHAN_DOMAIN:
> > > -+ break;
> > > -+
> > > -+ case SEC_CHAN_DNS_DOMAIN:
> > > -+ /*
> > > -+ * AD domains should be secure
> > > -+ */
> > > -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> > > -+ require_sign_or_seal = true;
> > > -+ require_strong_key = true;
> > > -+ neutralize_nt4_emulation = true;
> > > -+ break;
> > > -+
> > > -+ case SEC_CHAN_BDC:
> > > -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> > > -+ require_sign_or_seal = true;
> > > -+ require_strong_key = true;
> > > -+ break;
> > > -+
> > > -+ case SEC_CHAN_RODC:
> > > -+ required_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
> > > -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> > > -+ require_sign_or_seal = true;
> > > -+ require_strong_key = true;
> > > -+ neutralize_nt4_emulation = true;
> > > -+ break;
> > > -+
> > > -+ default:
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_INVALID_PARAMETER;
> > > -+ }
> > > -+
> > > -+ if (neutralize_nt4_emulation) {
> > > -+ proposed_flags |= NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
> > > -+ }
> > > -+
> > > -+ if (require_sign_or_seal == false) {
> > > -+ proposed_flags &= ~NETLOGON_NEG_AUTHENTICATED_RPC;
> > > -+ } else {
> > > -+ required_flags |= NETLOGON_NEG_ARCFOUR;
> > > -+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
> > > -+ }
> > > -+
> > > -+ if (reject_md5_servers) {
> > > -+ required_flags |= NETLOGON_NEG_ARCFOUR;
> > > -+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
> > > -+ required_flags |= NETLOGON_NEG_SUPPORTS_AES;
> > > -+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
> > > -+ }
> > > -+
> > > -+ if (require_strong_key) {
> > > -+ required_flags |= NETLOGON_NEG_ARCFOUR;
> > > -+ required_flags |= NETLOGON_NEG_STRONG_KEYS;
> > > -+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
> > > -+ }
> > > -+
> > > -+ proposed_flags |= required_flags;
> > > -+
> > > -+ if (seal_secure_channel) {
> > > -+ auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
> > > -+ } else {
> > > -+ auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_context_common(client_computer,
> > > -+ client_account,
> > > -+ type,
> > > -+ auth_level,
> > > -+ proposed_flags,
> > > -+ required_flags,
> > > -+ server_computer,
> > > -+ server_netbios_domain,
> > > -+ mem_ctx,
> > > -+ &context);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ if (msg_ctx != NULL) {
> > > -+ context->db.g_ctx = g_lock_ctx_init(context, msg_ctx);
> > > -+ if (context->db.g_ctx == NULL) {
> > > -+ TALLOC_FREE(context);
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ if (netlogon_creds_cli_global_db != NULL) {
> > > -+ context->db.ctx = netlogon_creds_cli_global_db;
> > > -+ *_context = context;
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_open_global_db(lp_ctx);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(context);
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ context->db.ctx = netlogon_creds_cli_global_db;
> > > -+ *_context = context;
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
> > > -+ const char *client_account,
> > > -+ enum netr_SchannelType type,
> > > -+ uint32_t proposed_flags,
> > > -+ uint32_t required_flags,
> > > -+ enum dcerpc_AuthLevel auth_level,
> > > -+ const char *server_computer,
> > > -+ const char *server_netbios_domain,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_cli_context **_context)
> > > -+{
> > > -+ NTSTATUS status;
> > > -+ struct netlogon_creds_cli_context *context = NULL;
> > > -+
> > > -+ *_context = NULL;
> > > -+
> > > -+ status = netlogon_creds_cli_context_common(client_computer,
> > > -+ client_account,
> > > -+ type,
> > > -+ auth_level,
> > > -+ proposed_flags,
> > > -+ required_flags,
> > > -+ server_computer,
> > > -+ server_netbios_domain,
> > > -+ mem_ctx,
> > > -+ &context);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ context->db.ctx = db_open_rbt(context);
> > > -+ if (context->db.ctx == NULL) {
> > > -+ talloc_free(context);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ *_context = context;
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_context_copy(
> > > -+ const struct netlogon_creds_cli_context *src,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_cli_context **_dst)
> > > -+{
> > > -+ struct netlogon_creds_cli_context *dst;
> > > -+
> > > -+ dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
> > > -+ if (dst == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ *dst = *src;
> > > -+
> > > -+ dst->client.computer = talloc_strdup(dst, src->client.computer);
> > > -+ if (dst->client.computer == NULL) {
> > > -+ TALLOC_FREE(dst);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ dst->client.account = talloc_strdup(dst, src->client.account);
> > > -+ if (dst->client.account == NULL) {
> > > -+ TALLOC_FREE(dst);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ dst->server.computer = talloc_strdup(dst, src->server.computer);
> > > -+ if (dst->server.computer == NULL) {
> > > -+ TALLOC_FREE(dst);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
> > > -+ if (dst->server.netbios_domain == NULL) {
> > > -+ TALLOC_FREE(dst);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ dst->db.key_name = talloc_strdup(dst, src->db.key_name);
> > > -+ if (dst->db.key_name == NULL) {
> > > -+ TALLOC_FREE(dst);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ dst->db.key_data = string_term_tdb_data(dst->db.key_name);
> > > -+
> > > -+ *_dst = dst;
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
> > > -+ struct netlogon_creds_cli_context *context)
> > > -+{
> > > -+ return context->client.auth_level;
> > > -+}
> > > -+
> > > -+struct netlogon_creds_cli_fetch_state {
> > > -+ TALLOC_CTX *mem_ctx;
> > > -+ struct netlogon_creds_CredentialState *creds;
> > > -+ uint32_t required_flags;
> > > -+ NTSTATUS status;
> > > -+};
> > > -+
> > > -+static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
> > > -+ void *private_data)
> > > -+{
> > > -+ struct netlogon_creds_cli_fetch_state *state =
> > > -+ (struct netlogon_creds_cli_fetch_state *)private_data;
> > > -+ enum ndr_err_code ndr_err;
> > > -+ DATA_BLOB blob;
> > > -+ uint32_t tmp_flags;
> > > -+
> > > -+ state->creds = talloc_zero(state->mem_ctx,
> > > -+ struct netlogon_creds_CredentialState);
> > > -+ if (state->creds == NULL) {
> > > -+ state->status = NT_STATUS_NO_MEMORY;
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ blob.data = data.dptr;
> > > -+ blob.length = data.dsize;
> > > -+
> > > -+ ndr_err = ndr_pull_struct_blob(&blob, state->creds, state->creds,
> > > -+ (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
> > > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -+ TALLOC_FREE(state->creds);
> > > -+ state->status = ndr_map_error2ntstatus(ndr_err);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ tmp_flags = state->creds->negotiate_flags;
> > > -+ tmp_flags &= state->required_flags;
> > > -+ if (tmp_flags != state->required_flags) {
> > > -+ TALLOC_FREE(state->creds);
> > > -+ state->status = NT_STATUS_DOWNGRADE_DETECTED;
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ state->status = NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_CredentialState **_creds)
> > > -+{
> > > -+ NTSTATUS status;
> > > -+ struct netlogon_creds_cli_fetch_state fstate = {
> > > -+ .mem_ctx = mem_ctx,
> > > -+ .status = NT_STATUS_INTERNAL_ERROR,
> > > -+ .required_flags = context->client.required_flags,
> > > -+ };
> > > -+ static const struct netr_Credential zero_creds;
> > > -+
> > > -+ *_creds = NULL;
> > > -+
> > > -+ status = dbwrap_parse_record(context->db.ctx,
> > > -+ context->db.key_data,
> > > -+ netlogon_creds_cli_fetch_parser,
> > > -+ &fstate);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+ status = fstate.status;
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * mark it as invalid for step operations.
> > > -+ */
> > > -+ fstate.creds->sequence = 0;
> > > -+ fstate.creds->seed = zero_creds;
> > > -+ fstate.creds->client = zero_creds;
> > > -+ fstate.creds->server = zero_creds;
> > > -+
> > > -+ if (context->server.cached_flags == fstate.creds->negotiate_flags) {
> > > -+ *_creds = fstate.creds;
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * It is really important to try SamLogonEx here,
> > > -+ * because multiple processes can talk to the same
> > > -+ * domain controller, without using the credential
> > > -+ * chain.
> > > -+ *
> > > -+ * With a normal SamLogon call, we must keep the
> > > -+ * credentials chain updated and intact between all
> > > -+ * users of the machine account (which would imply
> > > -+ * cross-node communication for every NTLM logon).
> > > -+ *
> > > -+ * The credentials chain is not per NETLOGON pipe
> > > -+ * connection, but globally on the server/client pair
> > > -+ * by computer name, while the client is free to use
> > > -+ * any computer name. We include the cluster node number
> > > -+ * in our computer name in order to avoid cross node
> > > -+ * coordination of the credential chain.
> > > -+ *
> > > -+ * It's also important to use NetlogonValidationSamInfo4 (6),
> > > -+ * because it relies on the rpc transport encryption
> > > -+ * and avoids using the global netlogon schannel
> > > -+ * session key to en/decrypt secret information
> > > -+ * like the user_session_key for network logons.
> > > -+ *
> > > -+ * [MS-APDS] 3.1.5.2 NTLM Network Logon
> > > -+ * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
> > > -+ * NETLOGON_NEG_AUTHENTICATED_RPC set together
> > > -+ * are the indication that the server supports
> > > -+ * NetlogonValidationSamInfo4 (6). And it must only
> > > -+ * be used if "SealSecureChannel" is used.
> > > -+ *
> > > -+ * The "SealSecureChannel" AUTH_TYPE_SCHANNEL/AUTH_LEVEL_PRIVACY
> > > -+ * check is done in netlogon_creds_cli_LogonSamLogon*().
> > > -+ */
> > > -+ context->server.cached_flags = fstate.creds->negotiate_flags;
> > > -+ context->server.try_validation6 = true;
> > > -+ context->server.try_logon_ex = true;
> > > -+ context->server.try_logon_with = true;
> > > -+
> > > -+ if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > > -+ context->server.try_validation6 = false;
> > > -+ context->server.try_logon_ex = false;
> > > -+ }
> > > -+ if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
> > > -+ context->server.try_validation6 = false;
> > > -+ }
> > > -+
> > > -+ *_creds = fstate.creds;
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
> > > -+ const struct netlogon_creds_CredentialState *creds1)
> > > -+{
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct netlogon_creds_CredentialState *creds2;
> > > -+ DATA_BLOB blob1;
> > > -+ DATA_BLOB blob2;
> > > -+ NTSTATUS status;
> > > -+ enum ndr_err_code ndr_err;
> > > -+ int cmp;
> > > -+
> > > -+ status = netlogon_creds_cli_get(context, frame, &creds2);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return false;
> > > -+ }
> > > -+
> > > -+ ndr_err = ndr_push_struct_blob(&blob1, frame, creds1,
> > > -+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> > > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return false;
> > > -+ }
> > > -+
> > > -+ ndr_err = ndr_push_struct_blob(&blob2, frame, creds2,
> > > -+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> > > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return false;
> > > -+ }
> > > -+
> > > -+ if (blob1.length != blob2.length) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return false;
> > > -+ }
> > > -+
> > > -+ cmp = memcmp(blob1.data, blob2.data, blob1.length);
> > > -+ if (cmp != 0) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return false;
> > > -+ }
> > > -+
> > > -+ TALLOC_FREE(frame);
> > > -+ return true;
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
> > > -+ struct netlogon_creds_CredentialState **_creds)
> > > -+{
> > > -+ struct netlogon_creds_CredentialState *creds = *_creds;
> > > -+ NTSTATUS status;
> > > -+ enum ndr_err_code ndr_err;
> > > -+ DATA_BLOB blob;
> > > -+ TDB_DATA data;
> > > -+
> > > -+ *_creds = NULL;
> > > -+
> > > -+ if (context->db.locked_state == NULL) {
> > > -+ /*
> > > -+ * this was not the result of netlogon_creds_cli_lock*()
> > > -+ */
> > > -+ TALLOC_FREE(creds);
> > > -+ return NT_STATUS_INVALID_PAGE_PROTECTION;
> > > -+ }
> > > -+
> > > -+ if (context->db.locked_state->creds != creds) {
> > > -+ /*
> > > -+ * this was not the result of netlogon_creds_cli_lock*()
> > > -+ */
> > > -+ TALLOC_FREE(creds);
> > > -+ return NT_STATUS_INVALID_PAGE_PROTECTION;
> > > -+ }
> > > -+
> > > -+ ndr_err = ndr_push_struct_blob(&blob, creds, creds,
> > > -+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> > > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -+ TALLOC_FREE(creds);
> > > -+ status = ndr_map_error2ntstatus(ndr_err);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ data.dptr = blob.data;
> > > -+ data.dsize = blob.length;
> > > -+
> > > -+ status = dbwrap_store(context->db.ctx,
> > > -+ context->db.key_data,
> > > -+ data, TDB_REPLACE);
> > > -+ TALLOC_FREE(creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
> > > -+ struct netlogon_creds_CredentialState **_creds)
> > > -+{
> > > -+ struct netlogon_creds_CredentialState *creds = *_creds;
> > > -+ NTSTATUS status;
> > > -+
> > > -+ *_creds = NULL;
> > > -+
> > > -+ if (context->db.locked_state == NULL) {
> > > -+ /*
> > > -+ * this was not the result of netlogon_creds_cli_lock*()
> > > -+ */
> > > -+ TALLOC_FREE(creds);
> > > -+ return NT_STATUS_INVALID_PAGE_PROTECTION;
> > > -+ }
> > > -+
> > > -+ if (context->db.locked_state->creds != creds) {
> > > -+ /*
> > > -+ * this was not the result of netlogon_creds_cli_lock*()
> > > -+ */
> > > -+ TALLOC_FREE(creds);
> > > -+ return NT_STATUS_INVALID_PAGE_PROTECTION;
> > > -+ }
> > > -+
> > > -+ status = dbwrap_delete(context->db.ctx,
> > > -+ context->db.key_data);
> > > -+ TALLOC_FREE(creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+struct netlogon_creds_cli_lock_state {
> > > -+ struct netlogon_creds_cli_locked_state *locked_state;
> > > -+ struct netlogon_creds_CredentialState *creds;
> > > -+};
> > > -+
> > > -+static void netlogon_creds_cli_lock_done(struct tevent_req *subreq);
> > > -+static void netlogon_creds_cli_lock_fetch(struct tevent_req *req);
> > > -+
> > > -+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ struct netlogon_creds_cli_context *context)
> > > -+{
> > > -+ struct tevent_req *req;
> > > -+ struct netlogon_creds_cli_lock_state *state;
> > > -+ struct netlogon_creds_cli_locked_state *locked_state;
> > > -+ struct tevent_req *subreq;
> > > -+
> > > -+ req = tevent_req_create(mem_ctx, &state,
> > > -+ struct netlogon_creds_cli_lock_state);
> > > -+ if (req == NULL) {
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ if (context->db.locked_state != NULL) {
> > > -+ tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
> > > -+ if (tevent_req_nomem(locked_state, req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+ talloc_set_destructor(locked_state,
> > > -+ netlogon_creds_cli_locked_state_destructor);
> > > -+ locked_state->context = context;
> > > -+
> > > -+ context->db.locked_state = locked_state;
> > > -+ state->locked_state = locked_state;
> > > -+
> > > -+ if (context->db.g_ctx == NULL) {
> > > -+ netlogon_creds_cli_lock_fetch(req);
> > > -+ if (!tevent_req_is_in_progress(req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ return req;
> > > -+ }
> > > -+
> > > -+ subreq = g_lock_lock_send(state, ev,
> > > -+ context->db.g_ctx,
> > > -+ context->db.key_name,
> > > -+ G_LOCK_WRITE);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+ tevent_req_set_callback(subreq, netlogon_creds_cli_lock_done, req);
> > > -+
> > > -+ return req;
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_lock_done(struct tevent_req *subreq)
> > > -+{
> > > -+ struct tevent_req *req =
> > > -+ tevent_req_callback_data(subreq,
> > > -+ struct tevent_req);
> > > -+ struct netlogon_creds_cli_lock_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_lock_state);
> > > -+ NTSTATUS status;
> > > -+
> > > -+ status = g_lock_lock_recv(subreq);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+ state->locked_state->is_glocked = true;
> > > -+
> > > -+ netlogon_creds_cli_lock_fetch(req);
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_lock_fetch(struct tevent_req *req)
> > > -+{
> > > -+ struct netlogon_creds_cli_lock_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_lock_state);
> > > -+ struct netlogon_creds_cli_context *context = state->locked_state->context;
> > > -+ struct netlogon_creds_cli_fetch_state fstate = {
> > > -+ .status = NT_STATUS_INTERNAL_ERROR,
> > > -+ .required_flags = context->client.required_flags,
> > > -+ };
> > > -+ NTSTATUS status;
> > > -+
> > > -+ fstate.mem_ctx = state;
> > > -+ status = dbwrap_parse_record(context->db.ctx,
> > > -+ context->db.key_data,
> > > -+ netlogon_creds_cli_fetch_parser,
> > > -+ &fstate);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+ status = fstate.status;
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (context->server.cached_flags == fstate.creds->negotiate_flags) {
> > > -+ state->creds = fstate.creds;
> > > -+ tevent_req_done(req);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ context->server.cached_flags = fstate.creds->negotiate_flags;
> > > -+ context->server.try_validation6 = true;
> > > -+ context->server.try_logon_ex = true;
> > > -+ context->server.try_logon_with = true;
> > > -+
> > > -+ if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > > -+ context->server.try_validation6 = false;
> > > -+ context->server.try_logon_ex = false;
> > > -+ }
> > > -+ if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
> > > -+ context->server.try_validation6 = false;
> > > -+ }
> > > -+
> > > -+ state->creds = fstate.creds;
> > > -+ tevent_req_done(req);
> > > -+ return;
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_CredentialState **creds)
> > > -+{
> > > -+ struct netlogon_creds_cli_lock_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_lock_state);
> > > -+ NTSTATUS status;
> > > -+
> > > -+ if (tevent_req_is_nterror(req, &status)) {
> > > -+ tevent_req_received(req);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ talloc_steal(state->creds, state->locked_state);
> > > -+ state->locked_state->creds = state->creds;
> > > -+ *creds = talloc_move(mem_ctx, &state->creds);
> > > -+ tevent_req_received(req);
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_CredentialState **creds)
> > > -+{
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct tevent_context *ev;
> > > -+ struct tevent_req *req;
> > > -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> > > -+
> > > -+ ev = samba_tevent_context_init(frame);
> > > -+ if (ev == NULL) {
> > > -+ goto fail;
> > > -+ }
> > > -+ req = netlogon_creds_cli_lock_send(frame, ev, context);
> > > -+ if (req == NULL) {
> > > -+ goto fail;
> > > -+ }
> > > -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> > > -+ goto fail;
> > > -+ }
> > > -+ status = netlogon_creds_cli_lock_recv(req, mem_ctx, creds);
> > > -+ fail:
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+}
> > > -+
> > > -+struct netlogon_creds_cli_auth_state {
> > > -+ struct tevent_context *ev;
> > > -+ struct netlogon_creds_cli_context *context;
> > > -+ struct dcerpc_binding_handle *binding_handle;
> > > -+ struct samr_Password current_nt_hash;
> > > -+ struct samr_Password previous_nt_hash;
> > > -+ struct samr_Password used_nt_hash;
> > > -+ char *srv_name_slash;
> > > -+ uint32_t current_flags;
> > > -+ struct netr_Credential client_challenge;
> > > -+ struct netr_Credential server_challenge;
> > > -+ struct netlogon_creds_CredentialState *creds;
> > > -+ struct netr_Credential client_credential;
> > > -+ struct netr_Credential server_credential;
> > > -+ uint32_t rid;
> > > -+ bool try_auth3;
> > > -+ bool try_auth2;
> > > -+ bool require_auth2;
> > > -+ bool try_previous_nt_hash;
> > > -+ struct netlogon_creds_cli_locked_state *locked_state;
> > > -+};
> > > -+
> > > -+static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq);
> > > -+static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req);
> > > -+
> > > -+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ struct samr_Password current_nt_hash,
> > > -+ const struct samr_Password *previous_nt_hash)
> > > -+{
> > > -+ struct tevent_req *req;
> > > -+ struct netlogon_creds_cli_auth_state *state;
> > > -+ struct netlogon_creds_cli_locked_state *locked_state;
> > > -+ NTSTATUS status;
> > > -+
> > > -+ req = tevent_req_create(mem_ctx, &state,
> > > -+ struct netlogon_creds_cli_auth_state);
> > > -+ if (req == NULL) {
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ state->ev = ev;
> > > -+ state->context = context;
> > > -+ state->binding_handle = b;
> > > -+ state->current_nt_hash = current_nt_hash;
> > > -+ if (previous_nt_hash != NULL) {
> > > -+ state->previous_nt_hash = *previous_nt_hash;
> > > -+ state->try_previous_nt_hash = true;
> > > -+ }
> > > -+
> > > -+ if (context->db.locked_state != NULL) {
> > > -+ tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
> > > -+ if (tevent_req_nomem(locked_state, req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+ talloc_set_destructor(locked_state,
> > > -+ netlogon_creds_cli_locked_state_destructor);
> > > -+ locked_state->context = context;
> > > -+
> > > -+ context->db.locked_state = locked_state;
> > > -+ state->locked_state = locked_state;
> > > -+
> > > -+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
> > > -+ context->server.computer);
> > > -+ if (tevent_req_nomem(state->srv_name_slash, req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ state->try_auth3 = true;
> > > -+ state->try_auth2 = true;
> > > -+
> > > -+ if (context->client.required_flags != 0) {
> > > -+ state->require_auth2 = true;
> > > -+ }
> > > -+
> > > -+ state->used_nt_hash = state->current_nt_hash;
> > > -+ state->current_flags = context->client.proposed_flags;
> > > -+
> > > -+ if (context->db.g_ctx != NULL) {
> > > -+ struct tevent_req *subreq;
> > > -+
> > > -+ subreq = g_lock_lock_send(state, ev,
> > > -+ context->db.g_ctx,
> > > -+ context->db.key_name,
> > > -+ G_LOCK_WRITE);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+ tevent_req_set_callback(subreq,
> > > -+ netlogon_creds_cli_auth_locked,
> > > -+ req);
> > > -+
> > > -+ return req;
> > > -+ }
> > > -+
> > > -+ status = dbwrap_delete(state->context->db.ctx,
> > > -+ state->context->db.key_data);
> > > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
> > > -+ status = NT_STATUS_OK;
> > > -+ }
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ netlogon_creds_cli_auth_challenge_start(req);
> > > -+ if (!tevent_req_is_in_progress(req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ return req;
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq)
> > > -+{
> > > -+ struct tevent_req *req =
> > > -+ tevent_req_callback_data(subreq,
> > > -+ struct tevent_req);
> > > -+ struct netlogon_creds_cli_auth_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_auth_state);
> > > -+ NTSTATUS status;
> > > -+
> > > -+ status = g_lock_lock_recv(subreq);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+ state->locked_state->is_glocked = true;
> > > -+
> > > -+ status = dbwrap_delete(state->context->db.ctx,
> > > -+ state->context->db.key_data);
> > > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
> > > -+ status = NT_STATUS_OK;
> > > -+ }
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_cli_auth_challenge_start(req);
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq);
> > > -+
> > > -+static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
> > > -+{
> > > -+ struct netlogon_creds_cli_auth_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_auth_state);
> > > -+ struct tevent_req *subreq;
> > > -+
> > > -+ TALLOC_FREE(state->creds);
> > > -+
> > > -+ generate_random_buffer(state->client_challenge.data,
> > > -+ sizeof(state->client_challenge.data));
> > > -+
> > > -+ subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
> > > -+ state->binding_handle,
> > > -+ state->srv_name_slash,
> > > -+ state->context->client.computer,
> > > -+ &state->client_challenge,
> > > -+ &state->server_challenge);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ return;
> > > -+ }
> > > -+ tevent_req_set_callback(subreq,
> > > -+ netlogon_creds_cli_auth_challenge_done,
> > > -+ req);
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq);
> > > -+
> > > -+static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq)
> > > -+{
> > > -+ struct tevent_req *req =
> > > -+ tevent_req_callback_data(subreq,
> > > -+ struct tevent_req);
> > > -+ struct netlogon_creds_cli_auth_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_auth_state);
> > > -+ NTSTATUS status;
> > > -+ NTSTATUS result;
> > > -+
> > > -+ status = dcerpc_netr_ServerReqChallenge_recv(subreq, state, &result);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+ if (tevent_req_nterror(req, result)) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (!state->try_auth3 && !state->try_auth2) {
> > > -+ state->current_flags = 0;
> > > -+ }
> > > -+
> > > -+ /* Calculate the session key and client credentials */
> > > -+
> > > -+ state->creds = netlogon_creds_client_init(state,
> > > -+ state->context->client.account,
> > > -+ state->context->client.computer,
> > > -+ state->context->client.type,
> > > -+ &state->client_challenge,
> > > -+ &state->server_challenge,
> > > -+ &state->used_nt_hash,
> > > -+ &state->client_credential,
> > > -+ state->current_flags);
> > > -+ if (tevent_req_nomem(state->creds, req)) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (state->try_auth3) {
> > > -+ subreq = dcerpc_netr_ServerAuthenticate3_send(state, state->ev,
> > > -+ state->binding_handle,
> > > -+ state->srv_name_slash,
> > > -+ state->context->client.account,
> > > -+ state->context->client.type,
> > > -+ state->context->client.computer,
> > > -+ &state->client_credential,
> > > -+ &state->server_credential,
> > > -+ &state->creds->negotiate_flags,
> > > -+ &state->rid);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ return;
> > > -+ }
> > > -+ } else if (state->try_auth2) {
> > > -+ state->rid = 0;
> > > -+
> > > -+ subreq = dcerpc_netr_ServerAuthenticate2_send(state, state->ev,
> > > -+ state->binding_handle,
> > > -+ state->srv_name_slash,
> > > -+ state->context->client.account,
> > > -+ state->context->client.type,
> > > -+ state->context->client.computer,
> > > -+ &state->client_credential,
> > > -+ &state->server_credential,
> > > -+ &state->creds->negotiate_flags);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ return;
> > > -+ }
> > > -+ } else {
> > > -+ state->rid = 0;
> > > -+
> > > -+ subreq = dcerpc_netr_ServerAuthenticate_send(state, state->ev,
> > > -+ state->binding_handle,
> > > -+ state->srv_name_slash,
> > > -+ state->context->client.account,
> > > -+ state->context->client.type,
> > > -+ state->context->client.computer,
> > > -+ &state->client_credential,
> > > -+ &state->server_credential);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ return;
> > > -+ }
> > > -+ }
> > > -+ tevent_req_set_callback(subreq,
> > > -+ netlogon_creds_cli_auth_srvauth_done,
> > > -+ req);
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
> > > -+{
> > > -+ struct tevent_req *req =
> > > -+ tevent_req_callback_data(subreq,
> > > -+ struct tevent_req);
> > > -+ struct netlogon_creds_cli_auth_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_auth_state);
> > > -+ NTSTATUS status;
> > > -+ NTSTATUS result;
> > > -+ bool ok;
> > > -+ enum ndr_err_code ndr_err;
> > > -+ DATA_BLOB blob;
> > > -+ TDB_DATA data;
> > > -+ uint32_t tmp_flags;
> > > -+
> > > -+ if (state->try_auth3) {
> > > -+ status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state,
> > > -+ &result);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > > -+ state->try_auth3 = false;
> > > -+ netlogon_creds_cli_auth_challenge_start(req);
> > > -+ return;
> > > -+ }
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+ } else if (state->try_auth2) {
> > > -+ status = dcerpc_netr_ServerAuthenticate2_recv(subreq, state,
> > > -+ &result);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > > -+ state->try_auth2 = false;
> > > -+ if (state->require_auth2) {
> > > -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> > > -+ tevent_req_nterror(req, status);
> > > -+ return;
> > > -+ }
> > > -+ netlogon_creds_cli_auth_challenge_start(req);
> > > -+ return;
> > > -+ }
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+ } else {
> > > -+ status = dcerpc_netr_ServerAuthenticate_recv(subreq, state,
> > > -+ &result);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ if (!NT_STATUS_IS_OK(result) &&
> > > -+ !NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED))
> > > -+ {
> > > -+ tevent_req_nterror(req, result);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ tmp_flags = state->creds->negotiate_flags;
> > > -+ tmp_flags &= state->context->client.required_flags;
> > > -+ if (tmp_flags != state->context->client.required_flags) {
> > > -+ if (NT_STATUS_IS_OK(result)) {
> > > -+ tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED);
> > > -+ return;
> > > -+ }
> > > -+ tevent_req_nterror(req, result);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
> > > -+
> > > -+ tmp_flags = state->context->client.proposed_flags;
> > > -+ if ((state->current_flags == tmp_flags) &&
> > > -+ (state->creds->negotiate_flags != tmp_flags))
> > > -+ {
> > > -+ /*
> > > -+ * lets retry with the negotiated flags
> > > -+ */
> > > -+ state->current_flags = state->creds->negotiate_flags;
> > > -+ netlogon_creds_cli_auth_challenge_start(req);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (!state->try_previous_nt_hash) {
> > > -+ /*
> > > -+ * we already retried, giving up...
> > > -+ */
> > > -+ tevent_req_nterror(req, result);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * lets retry with the old nt hash.
> > > -+ */
> > > -+ state->try_previous_nt_hash = false;
> > > -+ state->used_nt_hash = state->previous_nt_hash;
> > > -+ state->current_flags = state->context->client.proposed_flags;
> > > -+ netlogon_creds_cli_auth_challenge_start(req);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ ok = netlogon_creds_client_check(state->creds,
> > > -+ &state->server_credential);
> > > -+ if (!ok) {
> > > -+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ ndr_err = ndr_push_struct_blob(&blob, state, state->creds,
> > > -+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> > > -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > -+ status = ndr_map_error2ntstatus(ndr_err);
> > > -+ tevent_req_nterror(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ data.dptr = blob.data;
> > > -+ data.dsize = blob.length;
> > > -+
> > > -+ status = dbwrap_store(state->context->db.ctx,
> > > -+ state->context->db.key_data,
> > > -+ data, TDB_REPLACE);
> > > -+ TALLOC_FREE(state->locked_state);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ tevent_req_done(req);
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req)
> > > -+{
> > > -+ NTSTATUS status;
> > > -+
> > > -+ if (tevent_req_is_nterror(req, &status)) {
> > > -+ tevent_req_received(req);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ tevent_req_received(req);
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ struct samr_Password current_nt_hash,
> > > -+ const struct samr_Password *previous_nt_hash)
> > > -+{
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct tevent_context *ev;
> > > -+ struct tevent_req *req;
> > > -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> > > -+
> > > -+ ev = samba_tevent_context_init(frame);
> > > -+ if (ev == NULL) {
> > > -+ goto fail;
> > > -+ }
> > > -+ req = netlogon_creds_cli_auth_send(frame, ev, context, b,
> > > -+ current_nt_hash,
> > > -+ previous_nt_hash);
> > > -+ if (req == NULL) {
> > > -+ goto fail;
> > > -+ }
> > > -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> > > -+ goto fail;
> > > -+ }
> > > -+ status = netlogon_creds_cli_auth_recv(req);
> > > -+ fail:
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+}
> > > -+
> > > -+struct netlogon_creds_cli_check_state {
> > > -+ struct tevent_context *ev;
> > > -+ struct netlogon_creds_cli_context *context;
> > > -+ struct dcerpc_binding_handle *binding_handle;
> > > -+
> > > -+ char *srv_name_slash;
> > > -+
> > > -+ union netr_Capabilities caps;
> > > -+
> > > -+ struct netlogon_creds_CredentialState *creds;
> > > -+ struct netlogon_creds_CredentialState tmp_creds;
> > > -+ struct netr_Authenticator req_auth;
> > > -+ struct netr_Authenticator rep_auth;
> > > -+};
> > > -+
> > > -+static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
> > > -+ NTSTATUS status);
> > > -+static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
> > > -+
> > > -+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b)
> > > -+{
> > > -+ struct tevent_req *req;
> > > -+ struct netlogon_creds_cli_check_state *state;
> > > -+ struct tevent_req *subreq;
> > > -+ enum dcerpc_AuthType auth_type;
> > > -+ enum dcerpc_AuthLevel auth_level;
> > > -+
> > > -+ req = tevent_req_create(mem_ctx, &state,
> > > -+ struct netlogon_creds_cli_check_state);
> > > -+ if (req == NULL) {
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ state->ev = ev;
> > > -+ state->context = context;
> > > -+ state->binding_handle = b;
> > > -+
> > > -+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
> > > -+ context->server.computer);
> > > -+ if (tevent_req_nomem(state->srv_name_slash, req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ dcerpc_binding_handle_auth_info(state->binding_handle,
> > > -+ &auth_type, &auth_level);
> > > -+
> > > -+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
> > > -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ switch (auth_level) {
> > > -+ case DCERPC_AUTH_LEVEL_INTEGRITY:
> > > -+ case DCERPC_AUTH_LEVEL_PRIVACY:
> > > -+ break;
> > > -+ default:
> > > -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
> > > -+ state->context);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ tevent_req_set_callback(subreq,
> > > -+ netlogon_creds_cli_check_locked,
> > > -+ req);
> > > -+
> > > -+ return req;
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
> > > -+ NTSTATUS status)
> > > -+{
> > > -+ struct netlogon_creds_cli_check_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_check_state);
> > > -+
> > > -+ if (state->creds == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
> > > -+ TALLOC_FREE(state->creds);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_cli_delete(state->context, &state->creds);
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_check_caps(struct tevent_req *subreq);
> > > -+
> > > -+static void netlogon_creds_cli_check_locked(struct tevent_req *subreq)
> > > -+{
> > > -+ struct tevent_req *req =
> > > -+ tevent_req_callback_data(subreq,
> > > -+ struct tevent_req);
> > > -+ struct netlogon_creds_cli_check_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_check_state);
> > > -+ NTSTATUS status;
> > > -+
> > > -+ status = netlogon_creds_cli_lock_recv(subreq, state,
> > > -+ &state->creds);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * we defer all callbacks in order to cleanup
> > > -+ * the database record.
> > > -+ */
> > > -+ tevent_req_defer_callback(req, state->ev);
> > > -+
> > > -+ state->tmp_creds = *state->creds;
> > > -+ netlogon_creds_client_authenticator(&state->tmp_creds,
> > > -+ &state->req_auth);
> > > -+ ZERO_STRUCT(state->rep_auth);
> > > -+
> > > -+ subreq = dcerpc_netr_LogonGetCapabilities_send(state, state->ev,
> > > -+ state->binding_handle,
> > > -+ state->srv_name_slash,
> > > -+ state->context->client.computer,
> > > -+ &state->req_auth,
> > > -+ &state->rep_auth,
> > > -+ 1,
> > > -+ &state->caps);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ netlogon_creds_cli_check_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+ tevent_req_set_callback(subreq,
> > > -+ netlogon_creds_cli_check_caps,
> > > -+ req);
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
> > > -+{
> > > -+ struct tevent_req *req =
> > > -+ tevent_req_callback_data(subreq,
> > > -+ struct tevent_req);
> > > -+ struct netlogon_creds_cli_check_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_check_state);
> > > -+ NTSTATUS status;
> > > -+ NTSTATUS result;
> > > -+ bool ok;
> > > -+
> > > -+ status = dcerpc_netr_LogonGetCapabilities_recv(subreq, state,
> > > -+ &result);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > > -+ /*
> > > -+ * Note that the negotiated flags are already checked
> > > -+ * for our required flags after the ServerAuthenticate3/2 call.
> > > -+ */
> > > -+ uint32_t negotiated = state->tmp_creds.negotiate_flags;
> > > -+
> > > -+ if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ /*
> > > -+ * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
> > > -+ * already, we expect this to work!
> > > -+ */
> > > -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> > > -+ tevent_req_nterror(req, status);
> > > -+ netlogon_creds_cli_check_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (negotiated & NETLOGON_NEG_STRONG_KEYS) {
> > > -+ /*
> > > -+ * If we have negotiated NETLOGON_NEG_STRONG_KEYS
> > > -+ * we expect this to work at least as far as the
> > > -+ * NOT_SUPPORTED error handled below!
> > > -+ *
> > > -+ * NT 4.0 and Old Samba servers are not
> > > -+ * allowed without "require strong key = no"
> > > -+ */
> > > -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> > > -+ tevent_req_nterror(req, status);
> > > -+ netlogon_creds_cli_check_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * If we not require NETLOGON_NEG_SUPPORTS_AES or
> > > -+ * NETLOGON_NEG_STRONG_KEYS, it's ok to ignore
> > > -+ * NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
> > > -+ *
> > > -+ * This is needed against NT 4.0 and old Samba servers.
> > > -+ *
> > > -+ * As we're using DCERPC_AUTH_TYPE_SCHANNEL with
> > > -+ * DCERPC_AUTH_LEVEL_INTEGRITY or DCERPC_AUTH_LEVEL_PRIVACY
> > > -+ * we should detect a faked NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
> > > -+ * with the next request as the sequence number processing
> > > -+ * gets out of sync.
> > > -+ */
> > > -+ netlogon_creds_cli_check_cleanup(req, result);
> > > -+ tevent_req_done(req);
> > > -+ return;
> > > -+ }
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ netlogon_creds_cli_check_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
> > > -+ /*
> > > -+ * Note that the negotiated flags are already checked
> > > -+ * for our required flags after the ServerAuthenticate3/2 call.
> > > -+ */
> > > -+ uint32_t negotiated = state->tmp_creds.negotiate_flags;
> > > -+
> > > -+ if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ /*
> > > -+ * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
> > > -+ * already, we expect this to work!
> > > -+ */
> > > -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> > > -+ tevent_req_nterror(req, status);
> > > -+ netlogon_creds_cli_check_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * This is ok, the server does not support
> > > -+ * NETLOGON_NEG_SUPPORTS_AES.
> > > -+ *
> > > -+ * netr_LogonGetCapabilities() was
> > > -+ * netr_LogonDummyRoutine1() before
> > > -+ * NETLOGON_NEG_SUPPORTS_AES was invented.
> > > -+ */
> > > -+ netlogon_creds_cli_check_cleanup(req, result);
> > > -+ tevent_req_done(req);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ ok = netlogon_creds_client_check(&state->tmp_creds,
> > > -+ &state->rep_auth.cred);
> > > -+ if (!ok) {
> > > -+ status = NT_STATUS_ACCESS_DENIED;
> > > -+ tevent_req_nterror(req, status);
> > > -+ netlogon_creds_cli_check_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (tevent_req_nterror(req, result)) {
> > > -+ netlogon_creds_cli_check_cleanup(req, result);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (state->caps.server_capabilities != state->tmp_creds.negotiate_flags) {
> > > -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> > > -+ tevent_req_nterror(req, status);
> > > -+ netlogon_creds_cli_check_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * This is the key check that makes this check secure. If we
> > > -+ * get OK here (rather than NOT_SUPPORTED), then the server
> > > -+ * did support AES. If the server only proposed STRONG_KEYS
> > > -+ * and not AES, then it should have failed with
> > > -+ * NOT_IMPLEMENTED. We always send AES as a client, so the
> > > -+ * server should always have returned it.
> > > -+ */
> > > -+ if (!(state->caps.server_capabilities & NETLOGON_NEG_SUPPORTS_AES)) {
> > > -+ status = NT_STATUS_DOWNGRADE_DETECTED;
> > > -+ tevent_req_nterror(req, status);
> > > -+ netlogon_creds_cli_check_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ *state->creds = state->tmp_creds;
> > > -+ status = netlogon_creds_cli_store(state->context,
> > > -+ &state->creds);
> > > -+ netlogon_creds_cli_check_cleanup(req, status);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ tevent_req_done(req);
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req)
> > > -+{
> > > -+ NTSTATUS status;
> > > -+
> > > -+ if (tevent_req_is_nterror(req, &status)) {
> > > -+ netlogon_creds_cli_check_cleanup(req, status);
> > > -+ tevent_req_received(req);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ tevent_req_received(req);
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b)
> > > -+{
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct tevent_context *ev;
> > > -+ struct tevent_req *req;
> > > -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> > > -+
> > > -+ ev = samba_tevent_context_init(frame);
> > > -+ if (ev == NULL) {
> > > -+ goto fail;
> > > -+ }
> > > -+ req = netlogon_creds_cli_check_send(frame, ev, context, b);
> > > -+ if (req == NULL) {
> > > -+ goto fail;
> > > -+ }
> > > -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> > > -+ goto fail;
> > > -+ }
> > > -+ status = netlogon_creds_cli_check_recv(req);
> > > -+ fail:
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+}
> > > -+
> > > -+struct netlogon_creds_cli_ServerPasswordSet_state {
> > > -+ struct tevent_context *ev;
> > > -+ struct netlogon_creds_cli_context *context;
> > > -+ struct dcerpc_binding_handle *binding_handle;
> > > -+ uint32_t old_timeout;
> > > -+
> > > -+ char *srv_name_slash;
> > > -+ enum dcerpc_AuthType auth_type;
> > > -+ enum dcerpc_AuthLevel auth_level;
> > > -+
> > > -+ struct samr_CryptPassword samr_crypt_password;
> > > -+ struct netr_CryptPassword netr_crypt_password;
> > > -+ struct samr_Password samr_password;
> > > -+
> > > -+ struct netlogon_creds_CredentialState *creds;
> > > -+ struct netlogon_creds_CredentialState tmp_creds;
> > > -+ struct netr_Authenticator req_auth;
> > > -+ struct netr_Authenticator rep_auth;
> > > -+};
> > > -+
> > > -+static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
> > > -+ NTSTATUS status);
> > > -+static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq);
> > > -+
> > > -+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ const char *new_password,
> > > -+ const uint32_t *new_version)
> > > -+{
> > > -+ struct tevent_req *req;
> > > -+ struct netlogon_creds_cli_ServerPasswordSet_state *state;
> > > -+ struct tevent_req *subreq;
> > > -+ bool ok;
> > > -+
> > > -+ req = tevent_req_create(mem_ctx, &state,
> > > -+ struct netlogon_creds_cli_ServerPasswordSet_state);
> > > -+ if (req == NULL) {
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ state->ev = ev;
> > > -+ state->context = context;
> > > -+ state->binding_handle = b;
> > > -+
> > > -+ /*
> > > -+ * netr_ServerPasswordSet
> > > -+ */
> > > -+ E_md4hash(new_password, state->samr_password.hash);
> > > -+
> > > -+ /*
> > > -+ * netr_ServerPasswordSet2
> > > -+ */
> > > -+ ok = encode_pw_buffer(state->samr_crypt_password.data,
> > > -+ new_password, STR_UNICODE);
> > > -+ if (!ok) {
> > > -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ if (new_version != NULL) {
> > > -+ struct NL_PASSWORD_VERSION version;
> > > -+ uint32_t len = IVAL(state->samr_crypt_password.data, 512);
> > > -+ uint32_t ofs = 512 - len;
> > > -+ uint8_t *p;
> > > -+
> > > -+ if (ofs < 12) {
> > > -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+ ofs -= 12;
> > > -+
> > > -+ version.ReservedField = 0;
> > > -+ version.PasswordVersionNumber = *new_version;
> > > -+ version.PasswordVersionPresent =
> > > -+ NETLOGON_PASSWORD_VERSION_NUMBER_PRESENT;
> > > -+
> > > -+ p = state->samr_crypt_password.data + ofs;
> > > -+ SIVAL(p, 0, version.ReservedField);
> > > -+ SIVAL(p, 4, version.PasswordVersionNumber);
> > > -+ SIVAL(p, 8, version.PasswordVersionPresent);
> > > -+ }
> > > -+
> > > -+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
> > > -+ context->server.computer);
> > > -+ if (tevent_req_nomem(state->srv_name_slash, req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ dcerpc_binding_handle_auth_info(state->binding_handle,
> > > -+ &state->auth_type,
> > > -+ &state->auth_level);
> > > -+
> > > -+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
> > > -+ state->context);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ tevent_req_set_callback(subreq,
> > > -+ netlogon_creds_cli_ServerPasswordSet_locked,
> > > -+ req);
> > > -+
> > > -+ return req;
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
> > > -+ NTSTATUS status)
> > > -+{
> > > -+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_ServerPasswordSet_state);
> > > -+
> > > -+ if (state->creds == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ dcerpc_binding_handle_set_timeout(state->binding_handle,
> > > -+ state->old_timeout);
> > > -+
> > > -+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
> > > -+ TALLOC_FREE(state->creds);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_cli_delete(state->context, &state->creds);
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq);
> > > -+
> > > -+static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq)
> > > -+{
> > > -+ struct tevent_req *req =
> > > -+ tevent_req_callback_data(subreq,
> > > -+ struct tevent_req);
> > > -+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_ServerPasswordSet_state);
> > > -+ NTSTATUS status;
> > > -+
> > > -+ status = netlogon_creds_cli_lock_recv(subreq, state,
> > > -+ &state->creds);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
> > > -+ switch (state->auth_level) {
> > > -+ case DCERPC_AUTH_LEVEL_INTEGRITY:
> > > -+ case DCERPC_AUTH_LEVEL_PRIVACY:
> > > -+ break;
> > > -+ default:
> > > -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > > -+ return;
> > > -+ }
> > > -+ } else {
> > > -+ uint32_t tmp = state->creds->negotiate_flags;
> > > -+
> > > -+ if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
> > > -+ /*
> > > -+ * if DCERPC_AUTH_TYPE_SCHANNEL is supported
> > > -+ * it should be used, which means
> > > -+ * we had a chance to verify no downgrade
> > > -+ * happened.
> > > -+ *
> > > -+ * This relies on netlogon_creds_cli_check*
> > > -+ * being called before, as first request after
> > > -+ * the DCERPC bind.
> > > -+ */
> > > -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > > -+ return;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ state->old_timeout = dcerpc_binding_handle_set_timeout(
> > > -+ state->binding_handle, 600000);
> > > -+
> > > -+ /*
> > > -+ * we defer all callbacks in order to cleanup
> > > -+ * the database record.
> > > -+ */
> > > -+ tevent_req_defer_callback(req, state->ev);
> > > -+
> > > -+ state->tmp_creds = *state->creds;
> > > -+ netlogon_creds_client_authenticator(&state->tmp_creds,
> > > -+ &state->req_auth);
> > > -+ ZERO_STRUCT(state->rep_auth);
> > > -+
> > > -+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
> > > -+
> > > -+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ netlogon_creds_aes_encrypt(&state->tmp_creds,
> > > -+ state->samr_crypt_password.data,
> > > -+ 516);
> > > -+ } else {
> > > -+ netlogon_creds_arcfour_crypt(&state->tmp_creds,
> > > -+ state->samr_crypt_password.data,
> > > -+ 516);
> > > -+ }
> > > -+
> > > -+ memcpy(state->netr_crypt_password.data,
> > > -+ state->samr_crypt_password.data, 512);
> > > -+ state->netr_crypt_password.length =
> > > -+ IVAL(state->samr_crypt_password.data, 512);
> > > -+
> > > -+ subreq = dcerpc_netr_ServerPasswordSet2_send(state, state->ev,
> > > -+ state->binding_handle,
> > > -+ state->srv_name_slash,
> > > -+ state->tmp_creds.account_name,
> > > -+ state->tmp_creds.secure_channel_type,
> > > -+ state->tmp_creds.computer_name,
> > > -+ &state->req_auth,
> > > -+ &state->rep_auth,
> > > -+ &state->netr_crypt_password);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+ } else {
> > > -+ netlogon_creds_des_encrypt(&state->tmp_creds,
> > > -+ &state->samr_password);
> > > -+
> > > -+ subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev,
> > > -+ state->binding_handle,
> > > -+ state->srv_name_slash,
> > > -+ state->tmp_creds.account_name,
> > > -+ state->tmp_creds.secure_channel_type,
> > > -+ state->tmp_creds.computer_name,
> > > -+ &state->req_auth,
> > > -+ &state->rep_auth,
> > > -+ &state->samr_password);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ tevent_req_set_callback(subreq,
> > > -+ netlogon_creds_cli_ServerPasswordSet_done,
> > > -+ req);
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq)
> > > -+{
> > > -+ struct tevent_req *req =
> > > -+ tevent_req_callback_data(subreq,
> > > -+ struct tevent_req);
> > > -+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_ServerPasswordSet_state);
> > > -+ NTSTATUS status;
> > > -+ NTSTATUS result;
> > > -+ bool ok;
> > > -+
> > > -+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
> > > -+ status = dcerpc_netr_ServerPasswordSet2_recv(subreq, state,
> > > -+ &result);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+ } else {
> > > -+ status = dcerpc_netr_ServerPasswordSet_recv(subreq, state,
> > > -+ &result);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ ok = netlogon_creds_client_check(&state->tmp_creds,
> > > -+ &state->rep_auth.cred);
> > > -+ if (!ok) {
> > > -+ status = NT_STATUS_ACCESS_DENIED;
> > > -+ tevent_req_nterror(req, status);
> > > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (tevent_req_nterror(req, result)) {
> > > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, result);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ dcerpc_binding_handle_set_timeout(state->binding_handle,
> > > -+ state->old_timeout);
> > > -+
> > > -+ *state->creds = state->tmp_creds;
> > > -+ status = netlogon_creds_cli_store(state->context,
> > > -+ &state->creds);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ tevent_req_done(req);
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req)
> > > -+{
> > > -+ NTSTATUS status;
> > > -+
> > > -+ if (tevent_req_is_nterror(req, &status)) {
> > > -+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
> > > -+ tevent_req_received(req);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ tevent_req_received(req);
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
> > > -+ struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ const char *new_password,
> > > -+ const uint32_t *new_version)
> > > -+{
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct tevent_context *ev;
> > > -+ struct tevent_req *req;
> > > -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> > > -+
> > > -+ ev = samba_tevent_context_init(frame);
> > > -+ if (ev == NULL) {
> > > -+ goto fail;
> > > -+ }
> > > -+ req = netlogon_creds_cli_ServerPasswordSet_send(frame, ev, context, b,
> > > -+ new_password,
> > > -+ new_version);
> > > -+ if (req == NULL) {
> > > -+ goto fail;
> > > -+ }
> > > -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> > > -+ goto fail;
> > > -+ }
> > > -+ status = netlogon_creds_cli_ServerPasswordSet_recv(req);
> > > -+ fail:
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+}
> > > -+
> > > -+struct netlogon_creds_cli_LogonSamLogon_state {
> > > -+ struct tevent_context *ev;
> > > -+ struct netlogon_creds_cli_context *context;
> > > -+ struct dcerpc_binding_handle *binding_handle;
> > > -+
> > > -+ char *srv_name_slash;
> > > -+
> > > -+ enum netr_LogonInfoClass logon_level;
> > > -+ const union netr_LogonLevel *const_logon;
> > > -+ union netr_LogonLevel *logon;
> > > -+ uint32_t flags;
> > > -+
> > > -+ uint16_t validation_level;
> > > -+ union netr_Validation *validation;
> > > -+ uint8_t authoritative;
> > > -+
> > > -+ /*
> > > -+ * do we need encryption at the application layer?
> > > -+ */
> > > -+ bool user_encrypt;
> > > -+ bool try_logon_ex;
> > > -+ bool try_validation6;
> > > -+
> > > -+ /*
> > > -+ * the read only credentials before we started the operation
> > > -+ */
> > > -+ struct netlogon_creds_CredentialState *ro_creds;
> > > -+
> > > -+ struct netlogon_creds_CredentialState *lk_creds;
> > > -+
> > > -+ struct netlogon_creds_CredentialState tmp_creds;
> > > -+ struct netr_Authenticator req_auth;
> > > -+ struct netr_Authenticator rep_auth;
> > > -+};
> > > -+
> > > -+static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req);
> > > -+static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
> > > -+ NTSTATUS status);
> > > -+
> > > -+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ enum netr_LogonInfoClass logon_level,
> > > -+ const union netr_LogonLevel *logon,
> > > -+ uint32_t flags)
> > > -+{
> > > -+ struct tevent_req *req;
> > > -+ struct netlogon_creds_cli_LogonSamLogon_state *state;
> > > -+
> > > -+ req = tevent_req_create(mem_ctx, &state,
> > > -+ struct netlogon_creds_cli_LogonSamLogon_state);
> > > -+ if (req == NULL) {
> > > -+ return NULL;
> > > -+ }
> > > -+
> > > -+ state->ev = ev;
> > > -+ state->context = context;
> > > -+ state->binding_handle = b;
> > > -+
> > > -+ state->logon_level = logon_level;
> > > -+ state->const_logon = logon;
> > > -+ state->flags = flags;
> > > -+
> > > -+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
> > > -+ context->server.computer);
> > > -+ if (tevent_req_nomem(state->srv_name_slash, req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ switch (logon_level) {
> > > -+ case NetlogonInteractiveInformation:
> > > -+ case NetlogonInteractiveTransitiveInformation:
> > > -+ case NetlogonServiceInformation:
> > > -+ case NetlogonServiceTransitiveInformation:
> > > -+ case NetlogonGenericInformation:
> > > -+ state->user_encrypt = true;
> > > -+ break;
> > > -+
> > > -+ case NetlogonNetworkInformation:
> > > -+ case NetlogonNetworkTransitiveInformation:
> > > -+ break;
> > > -+ }
> > > -+
> > > -+ state->validation = talloc_zero(state, union netr_Validation);
> > > -+ if (tevent_req_nomem(state->validation, req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ netlogon_creds_cli_LogonSamLogon_start(req);
> > > -+ if (!tevent_req_is_in_progress(req)) {
> > > -+ return tevent_req_post(req, ev);
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * we defer all callbacks in order to cleanup
> > > -+ * the database record.
> > > -+ */
> > > -+ tevent_req_defer_callback(req, state->ev);
> > > -+ return req;
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
> > > -+ NTSTATUS status)
> > > -+{
> > > -+ struct netlogon_creds_cli_LogonSamLogon_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_LogonSamLogon_state);
> > > -+
> > > -+ if (state->lk_creds == NULL) {
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > > -+ /*
> > > -+ * This is a hack to recover from a bug in old
> > > -+ * Samba servers, when LogonSamLogonEx() fails:
> > > -+ *
> > > -+ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
> > > -+ *
> > > -+ * All following request will get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
> > > -+ *
> > > -+ * A second bug generates NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE,
> > > -+ * instead of NT_STATUS_ACCESS_DENIED or NT_STATUS_RPC_SEC_PKG_ERROR
> > > -+ * If the sign/seal check fails.
> > > -+ *
> > > -+ * In that case we need to cleanup the netlogon session.
> > > -+ *
> > > -+ * It's the job of the caller to disconnect the current
> > > -+ * connection, if netlogon_creds_cli_LogonSamLogon()
> > > -+ * returns NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
> > > -+ */
> > > -+ if (!state->context->server.try_logon_with) {
> > > -+ status = NT_STATUS_NETWORK_ACCESS_DENIED;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
> > > -+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
> > > -+ TALLOC_FREE(state->lk_creds);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_cli_delete(state->context, &state->lk_creds);
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq);
> > > -+
> > > -+static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req)
> > > -+{
> > > -+ struct netlogon_creds_cli_LogonSamLogon_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_LogonSamLogon_state);
> > > -+ struct tevent_req *subreq;
> > > -+ NTSTATUS status;
> > > -+ enum dcerpc_AuthType auth_type;
> > > -+ enum dcerpc_AuthLevel auth_level;
> > > -+
> > > -+ TALLOC_FREE(state->ro_creds);
> > > -+ TALLOC_FREE(state->logon);
> > > -+ ZERO_STRUCTP(state->validation);
> > > -+
> > > -+ dcerpc_binding_handle_auth_info(state->binding_handle,
> > > -+ &auth_type, &auth_level);
> > > -+
> > > -+ state->try_logon_ex = state->context->server.try_logon_ex;
> > > -+ state->try_validation6 = state->context->server.try_validation6;
> > > -+
> > > -+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
> > > -+ state->try_logon_ex = false;
> > > -+ }
> > > -+
> > > -+ if (auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
> > > -+ state->try_validation6 = false;
> > > -+ }
> > > -+
> > > -+ if (state->try_logon_ex) {
> > > -+ if (state->try_validation6) {
> > > -+ state->validation_level = 6;
> > > -+ } else {
> > > -+ state->validation_level = 3;
> > > -+ state->user_encrypt = true;
> > > -+ }
> > > -+
> > > -+ state->logon = netlogon_creds_shallow_copy_logon(state,
> > > -+ state->logon_level,
> > > -+ state->const_logon);
> > > -+ if (tevent_req_nomem(state->logon, req)) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (state->user_encrypt) {
> > > -+ status = netlogon_creds_cli_get(state->context,
> > > -+ state,
> > > -+ &state->ro_creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ status = NT_STATUS_ACCESS_DENIED;
> > > -+ tevent_req_nterror(req, status);
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
> > > -+ state->logon_level,
> > > -+ state->logon);
> > > -+ }
> > > -+
> > > -+ subreq = dcerpc_netr_LogonSamLogonEx_send(state, state->ev,
> > > -+ state->binding_handle,
> > > -+ state->srv_name_slash,
> > > -+ state->context->client.computer,
> > > -+ state->logon_level,
> > > -+ state->logon,
> > > -+ state->validation_level,
> > > -+ state->validation,
> > > -+ &state->authoritative,
> > > -+ &state->flags);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+ tevent_req_set_callback(subreq,
> > > -+ netlogon_creds_cli_LogonSamLogon_done,
> > > -+ req);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (state->lk_creds == NULL) {
> > > -+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
> > > -+ state->context);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+ tevent_req_set_callback(subreq,
> > > -+ netlogon_creds_cli_LogonSamLogon_done,
> > > -+ req);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ state->tmp_creds = *state->lk_creds;
> > > -+ netlogon_creds_client_authenticator(&state->tmp_creds,
> > > -+ &state->req_auth);
> > > -+ ZERO_STRUCT(state->rep_auth);
> > > -+
> > > -+ state->logon = netlogon_creds_shallow_copy_logon(state,
> > > -+ state->logon_level,
> > > -+ state->const_logon);
> > > -+ if (tevent_req_nomem(state->logon, req)) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
> > > -+ state->logon_level,
> > > -+ state->logon);
> > > -+
> > > -+ state->validation_level = 3;
> > > -+
> > > -+ if (state->context->server.try_logon_with) {
> > > -+ subreq = dcerpc_netr_LogonSamLogonWithFlags_send(state, state->ev,
> > > -+ state->binding_handle,
> > > -+ state->srv_name_slash,
> > > -+ state->context->client.computer,
> > > -+ &state->req_auth,
> > > -+ &state->rep_auth,
> > > -+ state->logon_level,
> > > -+ state->logon,
> > > -+ state->validation_level,
> > > -+ state->validation,
> > > -+ &state->authoritative,
> > > -+ &state->flags);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+ } else {
> > > -+ state->flags = 0;
> > > -+
> > > -+ subreq = dcerpc_netr_LogonSamLogon_send(state, state->ev,
> > > -+ state->binding_handle,
> > > -+ state->srv_name_slash,
> > > -+ state->context->client.computer,
> > > -+ &state->req_auth,
> > > -+ &state->rep_auth,
> > > -+ state->logon_level,
> > > -+ state->logon,
> > > -+ state->validation_level,
> > > -+ state->validation,
> > > -+ &state->authoritative);
> > > -+ if (tevent_req_nomem(subreq, req)) {
> > > -+ status = NT_STATUS_NO_MEMORY;
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ tevent_req_set_callback(subreq,
> > > -+ netlogon_creds_cli_LogonSamLogon_done,
> > > -+ req);
> > > -+}
> > > -+
> > > -+static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
> > > -+{
> > > -+ struct tevent_req *req =
> > > -+ tevent_req_callback_data(subreq,
> > > -+ struct tevent_req);
> > > -+ struct netlogon_creds_cli_LogonSamLogon_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_LogonSamLogon_state);
> > > -+ NTSTATUS status;
> > > -+ NTSTATUS result;
> > > -+ bool ok;
> > > -+
> > > -+ if (state->try_logon_ex) {
> > > -+ status = dcerpc_netr_LogonSamLogonEx_recv(subreq,
> > > -+ state->validation,
> > > -+ &result);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > > -+ state->context->server.try_validation6 = false;
> > > -+ state->context->server.try_logon_ex = false;
> > > -+ netlogon_creds_cli_LogonSamLogon_start(req);
> > > -+ return;
> > > -+ }
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if ((state->validation_level == 6) &&
> > > -+ (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
> > > -+ NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
> > > -+ NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)))
> > > -+ {
> > > -+ state->context->server.try_validation6 = false;
> > > -+ netlogon_creds_cli_LogonSamLogon_start(req);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (tevent_req_nterror(req, result)) {
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (state->ro_creds == NULL) {
> > > -+ tevent_req_done(req);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ ok = netlogon_creds_cli_validate(state->context, state->ro_creds);
> > > -+ if (!ok) {
> > > -+ /*
> > > -+ * We got a race, lets retry with on authenticator
> > > -+ * protection.
> > > -+ */
> > > -+ TALLOC_FREE(state->ro_creds);
> > > -+ state->try_logon_ex = false;
> > > -+ netlogon_creds_cli_LogonSamLogon_start(req);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_decrypt_samlogon_validation(state->ro_creds,
> > > -+ state->validation_level,
> > > -+ state->validation);
> > > -+
> > > -+ tevent_req_done(req);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (state->lk_creds == NULL) {
> > > -+ status = netlogon_creds_cli_lock_recv(subreq, state,
> > > -+ &state->lk_creds);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_cli_LogonSamLogon_start(req);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (state->context->server.try_logon_with) {
> > > -+ status = dcerpc_netr_LogonSamLogonWithFlags_recv(subreq,
> > > -+ state->validation,
> > > -+ &result);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > > -+ state->context->server.try_logon_with = false;
> > > -+ netlogon_creds_cli_LogonSamLogon_start(req);
> > > -+ return;
> > > -+ }
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+ } else {
> > > -+ status = dcerpc_netr_LogonSamLogon_recv(subreq,
> > > -+ state->validation,
> > > -+ &result);
> > > -+ TALLOC_FREE(subreq);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ ok = netlogon_creds_client_check(&state->tmp_creds,
> > > -+ &state->rep_auth.cred);
> > > -+ if (!ok) {
> > > -+ status = NT_STATUS_ACCESS_DENIED;
> > > -+ tevent_req_nterror(req, status);
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ *state->lk_creds = state->tmp_creds;
> > > -+ status = netlogon_creds_cli_store(state->context,
> > > -+ &state->lk_creds);
> > > -+ if (tevent_req_nterror(req, status)) {
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ if (tevent_req_nterror(req, result)) {
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds,
> > > -+ state->validation_level,
> > > -+ state->validation);
> > > -+
> > > -+ tevent_req_done(req);
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ uint16_t *validation_level,
> > > -+ union netr_Validation **validation,
> > > -+ uint8_t *authoritative,
> > > -+ uint32_t *flags)
> > > -+{
> > > -+ struct netlogon_creds_cli_LogonSamLogon_state *state =
> > > -+ tevent_req_data(req,
> > > -+ struct netlogon_creds_cli_LogonSamLogon_state);
> > > -+ NTSTATUS status;
> > > -+
> > > -+ /* authoritative is also returned on error */
> > > -+ *authoritative = state->authoritative;
> > > -+
> > > -+ if (tevent_req_is_nterror(req, &status)) {
> > > -+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
> > > -+ tevent_req_received(req);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ *validation_level = state->validation_level;
> > > -+ *validation = talloc_move(mem_ctx, &state->validation);
> > > -+ *flags = state->flags;
> > > -+
> > > -+ tevent_req_received(req);
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_LogonSamLogon(
> > > -+ struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ enum netr_LogonInfoClass logon_level,
> > > -+ const union netr_LogonLevel *logon,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ uint16_t *validation_level,
> > > -+ union netr_Validation **validation,
> > > -+ uint8_t *authoritative,
> > > -+ uint32_t *flags)
> > > -+{
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct tevent_context *ev;
> > > -+ struct tevent_req *req;
> > > -+ NTSTATUS status = NT_STATUS_NO_MEMORY;
> > > -+
> > > -+ ev = samba_tevent_context_init(frame);
> > > -+ if (ev == NULL) {
> > > -+ goto fail;
> > > -+ }
> > > -+ req = netlogon_creds_cli_LogonSamLogon_send(frame, ev, context, b,
> > > -+ logon_level, logon,
> > > -+ *flags);
> > > -+ if (req == NULL) {
> > > -+ goto fail;
> > > -+ }
> > > -+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
> > > -+ goto fail;
> > > -+ }
> > > -+ status = netlogon_creds_cli_LogonSamLogon_recv(req, mem_ctx,
> > > -+ validation_level,
> > > -+ validation,
> > > -+ authoritative,
> > > -+ flags);
> > > -+ fail:
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+}
> > > -diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
> > > -new file mode 100644
> > > -index 0000000..f8f2bef
> > > ---- /dev/null
> > > -+++ b/libcli/auth/netlogon_creds_cli.h
> > > -@@ -0,0 +1,138 @@
> > > -+/*
> > > -+ Unix SMB/CIFS implementation.
> > > -+
> > > -+ module to store/fetch session keys for the schannel client
> > > -+
> > > -+ Copyright (C) Stefan Metzmacher 2013
> > > -+
> > > -+ This program is free software; you can redistribute it and/or modify
> > > -+ it under the terms of the GNU General Public License as published by
> > > -+ the Free Software Foundation; either version 3 of the License, or
> > > -+ (at your option) any later version.
> > > -+
> > > -+ This program is distributed in the hope that it will be useful,
> > > -+ but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > > -+ GNU General Public License for more details.
> > > -+
> > > -+ You should have received a copy of the GNU General Public License
> > > -+ along with this program. If not, see <http://www.gnu.org/licenses/>.
> > > -+*/
> > > -+
> > > -+#ifndef NETLOGON_CREDS_CLI_H
> > > -+#define NETLOGON_CREDS_CLI_H
> > > -+
> > > -+#include "librpc/gen_ndr/dcerpc.h"
> > > -+#include "librpc/gen_ndr/schannel.h"
> > > -+
> > > -+struct netlogon_creds_cli_context;
> > > -+struct messaging_context;
> > > -+struct dcerpc_binding_handle;
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > > -+ struct messaging_context *msg_ctx,
> > > -+ const char *client_account,
> > > -+ enum netr_SchannelType type,
> > > -+ const char *server_computer,
> > > -+ const char *server_netbios_domain,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_cli_context **_context);
> > > -+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
> > > -+ const char *client_account,
> > > -+ enum netr_SchannelType type,
> > > -+ enum dcerpc_AuthLevel auth_level,
> > > -+ uint32_t proposed_flags,
> > > -+ uint32_t required_flags,
> > > -+ const char *server_computer,
> > > -+ const char *server_netbios_domain,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_cli_context **_context);
> > > -+NTSTATUS netlogon_creds_cli_context_copy(
> > > -+ const struct netlogon_creds_cli_context *src,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_cli_context **_dst);
> > > -+
> > > -+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
> > > -+ struct netlogon_creds_cli_context *context);
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_CredentialState **_creds);
> > > -+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
> > > -+ const struct netlogon_creds_CredentialState *creds1);
> > > -+
> > > -+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
> > > -+ struct netlogon_creds_CredentialState **_creds);
> > > -+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
> > > -+ struct netlogon_creds_CredentialState **_creds);
> > > -+
> > > -+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ struct netlogon_creds_cli_context *context);
> > > -+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_CredentialState **creds);
> > > -+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_CredentialState **creds);
> > > -+
> > > -+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ struct samr_Password current_nt_hash,
> > > -+ const struct samr_Password *previous_nt_hash);
> > > -+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req);
> > > -+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ struct samr_Password current_nt_hash,
> > > -+ const struct samr_Password *previous_nt_hash);
> > > -+
> > > -+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b);
> > > -+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req);
> > > -+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b);
> > > -+
> > > -+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ const char *new_password,
> > > -+ const uint32_t *new_version);
> > > -+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req);
> > > -+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
> > > -+ struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ const char *new_password,
> > > -+ const uint32_t *new_version);
> > > -+
> > > -+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
> > > -+ struct tevent_context *ev,
> > > -+ struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ enum netr_LogonInfoClass logon_level,
> > > -+ const union netr_LogonLevel *logon,
> > > -+ uint32_t flags);
> > > -+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ uint16_t *validation_level,
> > > -+ union netr_Validation **validation,
> > > -+ uint8_t *authoritative,
> > > -+ uint32_t *flags);
> > > -+NTSTATUS netlogon_creds_cli_LogonSamLogon(
> > > -+ struct netlogon_creds_cli_context *context,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ enum netr_LogonInfoClass logon_level,
> > > -+ const union netr_LogonLevel *logon,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ uint16_t *validation_level,
> > > -+ union netr_Validation **validation,
> > > -+ uint8_t *authoritative,
> > > -+ uint32_t *flags);
> > > -+
> > > -+#endif /* NETLOGON_CREDS_CLI_H */
> > > -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
> > > -index ca2be2d..51eb293 100755
> > > ---- a/libcli/auth/wscript_build
> > > -+++ b/libcli/auth/wscript_build
> > > -@@ -28,6 +28,10 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
> > > - deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
> > > - )
> > > -
> > > -+bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI',
> > > -+ source='netlogon_creds_cli.c',
> > > -+ deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON NDR_NETLOGON'
> > > -+ )
> > > -
> > > - bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
> > > - source='pam_errors.c',
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From e4a4e18ea7f9a9742de16e477917da6ae11ac42e Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 13 Dec 2013 17:31:45 +0100
> > > -Subject: [PATCH 163/249] libcli/auth: use unique key_name values in
> > > - netlogon_creds_cli_context_common()
> > > -
> > > -Until all callers are fixed to pass the same 'server_computer'
> > > -value, we try to calculate a server_netbios_name and use this
> > > -as unique identifier for a specific domain controller.
> > > -
> > > -Otherwise winbind would use 'hostname.example.com'
> > > -while 'net rpc testjoin' would use 'HOSTNAME',
> > > -which leads to 2 records in netlogon_creds_cli.tdb
> > > -for the same domain controller.
> > > -
> > > -Once all callers are fixed we can think about reverting this
> > > -commit.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit dc96b1ddccfe8eb1a631355f9471ee0b620d682c)
> > > ----
> > > - libcli/auth/netlogon_creds_cli.c | 58 +++++++++++++++++++++++++++++++++-------
> > > - 1 file changed, 48 insertions(+), 10 deletions(-)
> > > -
> > > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > > -index 75d6b2c..a872b31 100644
> > > ---- a/libcli/auth/netlogon_creds_cli.c
> > > -+++ b/libcli/auth/netlogon_creds_cli.c
> > > -@@ -106,23 +106,30 @@ static NTSTATUS netlogon_creds_cli_context_common(
> > > - struct netlogon_creds_cli_context **_context)
> > > - {
> > > - struct netlogon_creds_cli_context *context = NULL;
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ char *_key_name = NULL;
> > > -+ char *server_netbios_name = NULL;
> > > -+ char *p = NULL;
> > > -
> > > - *_context = NULL;
> > > -
> > > - context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
> > > - if (context == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > - context->client.computer = talloc_strdup(context, client_computer);
> > > - if (context->client.computer == NULL) {
> > > -- talloc_free(context);
> > > -+ TALLOC_FREE(context);
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > - context->client.account = talloc_strdup(context, client_account);
> > > - if (context->client.account == NULL) {
> > > -- talloc_free(context);
> > > -+ TALLOC_FREE(context);
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -@@ -133,29 +140,60 @@ static NTSTATUS netlogon_creds_cli_context_common(
> > > -
> > > - context->server.computer = talloc_strdup(context, server_computer);
> > > - if (context->server.computer == NULL) {
> > > -- talloc_free(context);
> > > -+ TALLOC_FREE(context);
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > - context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
> > > - if (context->server.netbios_domain == NULL) {
> > > -- talloc_free(context);
> > > -+ TALLOC_FREE(context);
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
> > > -- client_computer,
> > > -- client_account,
> > > -- server_computer,
> > > -- server_netbios_domain);
> > > -+ /*
> > > -+ * TODO:
> > > -+ * Force the callers to provide a unique
> > > -+ * value for server_computer and use this directly.
> > > -+ *
> > > -+ * For now we have to deal with
> > > -+ * "HOSTNAME" vs. "hostname.example.com".
> > > -+ */
> > > -+ server_netbios_name = talloc_strdup(frame, server_computer);
> > > -+ if (server_netbios_name == NULL) {
> > > -+ TALLOC_FREE(context);
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ p = strchr(server_netbios_name, '.');
> > > -+ if (p != NULL) {
> > > -+ p[0] = '\0';
> > > -+ }
> > > -+
> > > -+ _key_name = talloc_asprintf(frame, "CLI[%s/%s]/SRV[%s/%s]",
> > > -+ client_computer,
> > > -+ client_account,
> > > -+ server_netbios_name,
> > > -+ server_netbios_domain);
> > > -+ if (_key_name == NULL) {
> > > -+ TALLOC_FREE(context);
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ context->db.key_name = talloc_strdup_upper(context, _key_name);
> > > - if (context->db.key_name == NULL) {
> > > -- talloc_free(context);
> > > -+ TALLOC_FREE(context);
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > - context->db.key_data = string_term_tdb_data(context->db.key_name);
> > > -
> > > - *_context = context;
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 29bc7cb7a1c0ef62c923ce859cdd07de2846c5f5 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 17 Oct 2013 19:01:28 +0200
> > > -Subject: [PATCH 164/249] s3:param: set Globals.bWinbindSealedPipes = true
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 99d8653d83aa2e2e3a0ea097ab7cb65d62d76daf)
> > > ----
> > > - source3/param/loadparm.c | 1 +
> > > - 1 file changed, 1 insertion(+)
> > > -
> > > -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> > > -index 40f3242..7d95256 100644
> > > ---- a/source3/param/loadparm.c
> > > -+++ b/source3/param/loadparm.c
> > > -@@ -834,6 +834,7 @@ static void init_globals(bool reinit_globals)
> > > - Globals.security = SEC_USER;
> > > - Globals.bEncryptPasswords = true;
> > > - Globals.clientSchannel = Auto;
> > > -+ Globals.bWinbindSealedPipes = true;
> > > - Globals.serverSchannel = Auto;
> > > - Globals.bReadRaw = true;
> > > - Globals.bWriteRaw = true;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 21b9d9847ba236d78156de07dd24032e64f2124d Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 17 Oct 2013 18:39:56 +0200
> > > -Subject: [PATCH 165/249] lib/param: add "neutralize nt4 emulation" option,
> > > - defaulting to false
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit b39ca3a2aefdd43a55b9cdd8fa5136254b283927)
> > > ----
> > > - .../smbdotconf/winbind/netutralizent4emulation.xml | 19 +++++++++++++++++++
> > > - lib/param/param_functions.c | 1 +
> > > - lib/param/param_table.c | 9 +++++++++
> > > - 3 files changed, 29 insertions(+)
> > > - create mode 100644 docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
> > > -
> > > -diff --git a/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
> > > -new file mode 100644
> > > -index 0000000..8294a90
> > > ---- /dev/null
> > > -+++ b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
> > > -@@ -0,0 +1,19 @@
> > > -+<samba:parameter name="neutralize nt4 emulation"
> > > -+ context="G"
> > > -+ type="boolean"
> > > -+ advanced="1" developer="1"
> > > -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > > -+<description>
> > > -+ <para>This option controls whether winbindd sends
> > > -+ the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass
> > > -+ the NT4 emulation of a domain controller.</para>
> > > -+
> > > -+ <para>Typically you should not need set this.
> > > -+ It can be useful for upgrades from NT4 to AD domains.</para>
> > > -+
> > > -+ <para>The behavior can be controlled per netbios domain
> > > -+ by using 'neutralize nt4 emulation:NETBIOSDOMAIN = yes' as option.</para>
> > > -+</description>
> > > -+
> > > -+<value type="default">no</value>
> > > -+</samba:parameter>
> > > -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> > > -index 60f9c07..aef091b 100644
> > > ---- a/lib/param/param_functions.c
> > > -+++ b/lib/param/param_functions.c
> > > -@@ -192,6 +192,7 @@ FN_GLOBAL_BOOL(log_writeable_files_on_exit, bLogWriteableFilesOnExit)
> > > - FN_GLOBAL_BOOL(map_untrusted_to_domain, bMapUntrustedToDomain)
> > > - FN_GLOBAL_BOOL(ms_add_printer_wizard, bMsAddPrinterWizard)
> > > - FN_GLOBAL_BOOL(multicast_dns_register, bMulticastDnsRegister)
> > > -+FN_GLOBAL_BOOL(neutralize_nt4_emulation, bNeutralizeNT4Emulation)
> > > - FN_GLOBAL_BOOL(nis_home_map, bNISHomeMap)
> > > - FN_GLOBAL_BOOL(nmbd_bind_explicit_broadcast, bNmbdBindExplicitBroadcast)
> > > - FN_GLOBAL_BOOL(ntlm_auth, bNTLMAuth)
> > > -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> > > -index 8e3f952..edf6829 100644
> > > ---- a/lib/param/param_table.c
> > > -+++ b/lib/param/param_table.c
> > > -@@ -4188,6 +4188,15 @@ static struct parm_struct parm_table[] = {
> > > - .enum_list = NULL,
> > > - .flags = FLAG_ADVANCED,
> > > - },
> > > -+ {
> > > -+ .label = "neutralize nt4 emulation",
> > > -+ .type = P_BOOL,
> > > -+ .p_class = P_GLOBAL,
> > > -+ .offset = GLOBAL_VAR(bNeutralizeNT4Emulation),
> > > -+ .special = NULL,
> > > -+ .enum_list = NULL,
> > > -+ .flags = FLAG_ADVANCED,
> > > -+ },
> > > -
> > > - {N_("DNS options"), P_SEP, P_SEPARATOR},
> > > - {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From d1cfe2d0f3f72e8b7700eee01e47b0bb9d3b9ca3 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 17 Oct 2013 18:39:56 +0200
> > > -Subject: [PATCH 166/249] lib/param: add "reject md5 servers" option,
> > > - defaulting to false
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit de4f8f0825790452455a9d51e9d84d4d4a5c0d3b)
> > > ----
> > > - docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 23 +++++++++++++++++++++++
> > > - lib/param/param_functions.c | 1 +
> > > - lib/param/param_table.c | 9 +++++++++
> > > - 3 files changed, 33 insertions(+)
> > > - create mode 100644 docs-xml/smbdotconf/winbind/rejectmd5servers.xml
> > > -
> > > -diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
> > > -new file mode 100644
> > > -index 0000000..18f8bcb
> > > ---- /dev/null
> > > -+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
> > > -@@ -0,0 +1,23 @@
> > > -+<samba:parameter name="reject md5 servers"
> > > -+ context="G"
> > > -+ type="boolean"
> > > -+ advanced="1"
> > > -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > > -+<description>
> > > -+ <para>This option controls whether winbindd requires support
> > > -+ for aes support for the netlogon secure channel.</para>
> > > -+
> > > -+ <para>The following flags will be required NETLOGON_NEG_ARCFOUR,
> > > -+ NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
> > > -+
> > > -+ <para>You can set this to yes if all domain controllers support aes.
> > > -+ This will prevent downgrade attacks.</para>
> > > -+
> > > -+ <para>The behavior can be controlled per netbios domain
> > > -+ by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
> > > -+
> > > -+ <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
> > > -+</description>
> > > -+
> > > -+<value type="default">no</value>
> > > -+</samba:parameter>
> > > -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> > > -index aef091b..ecd7f8e 100644
> > > ---- a/lib/param/param_functions.c
> > > -+++ b/lib/param/param_functions.c
> > > -@@ -204,6 +204,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
> > > - FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
> > > - FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
> > > - FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
> > > -+FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
> > > - FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
> > > - FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
> > > - FN_GLOBAL_BOOL(stat_cache, bStatCache)
> > > -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> > > -index edf6829..b53f850 100644
> > > ---- a/lib/param/param_table.c
> > > -+++ b/lib/param/param_table.c
> > > -@@ -4197,6 +4197,15 @@ static struct parm_struct parm_table[] = {
> > > - .enum_list = NULL,
> > > - .flags = FLAG_ADVANCED,
> > > - },
> > > -+ {
> > > -+ .label = "reject md5 servers",
> > > -+ .type = P_BOOL,
> > > -+ .p_class = P_GLOBAL,
> > > -+ .offset = GLOBAL_VAR(bRejectMD5Servers),
> > > -+ .special = NULL,
> > > -+ .enum_list = NULL,
> > > -+ .flags = FLAG_ADVANCED,
> > > -+ },
> > > -
> > > - {N_("DNS options"), P_SEP, P_SEPARATOR},
> > > - {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 2545090f09da279655510f87d02c631c74409eb1 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 17 Oct 2013 18:39:56 +0200
> > > -Subject: [PATCH 167/249] lib/param: add "require strong key" option,
> > > - defaulting to true
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 6630c68cce8fbbd700e7d4cd92ec3ebb2a268f06)
> > > ----
> > > - docs-xml/smbdotconf/winbind/requirestrongkey.xml | 27 ++++++++++++++++++++++++
> > > - lib/param/loadparm.c | 1 +
> > > - lib/param/param_functions.c | 1 +
> > > - lib/param/param_table.c | 9 ++++++++
> > > - 4 files changed, 38 insertions(+)
> > > - create mode 100644 docs-xml/smbdotconf/winbind/requirestrongkey.xml
> > > -
> > > -diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
> > > -new file mode 100644
> > > -index 0000000..de749bb
> > > ---- /dev/null
> > > -+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
> > > -@@ -0,0 +1,27 @@
> > > -+<samba:parameter name="require strong key"
> > > -+ context="G"
> > > -+ type="boolean"
> > > -+ advanced="1"
> > > -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > > -+<description>
> > > -+ <para>This option controls whether winbindd requires support
> > > -+ for md5 strong key support for the netlogon secure channel.</para>
> > > -+
> > > -+ <para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
> > > -+ NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
> > > -+
> > > -+ <para>You can set this to no if some domain controllers only support des.
> > > -+ This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
> > > -+
> > > -+ <para>The behavior can be controlled per netbios domain
> > > -+ by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
> > > -+
> > > -+ <para>Note for active directory domain this option is hardcoded to 'yes'</para>
> > > -+
> > > -+ <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
> > > -+
> > > -+ <para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
> > > -+</description>
> > > -+
> > > -+<value type="default">yes</value>
> > > -+</samba:parameter>
> > > -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
> > > -index 23b45e2..a84a166 100644
> > > ---- a/lib/param/loadparm.c
> > > -+++ b/lib/param/loadparm.c
> > > -@@ -2183,6 +2183,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
> > > -
> > > - lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
> > > - lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
> > > -+ lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
> > > - lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
> > > - lpcfg_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
> > > - lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
> > > -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> > > -index ecd7f8e..41b137f 100644
> > > ---- a/lib/param/param_functions.c
> > > -+++ b/lib/param/param_functions.c
> > > -@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
> > > - FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
> > > - FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
> > > - FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
> > > -+FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
> > > - FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
> > > - FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
> > > - FN_GLOBAL_BOOL(stat_cache, bStatCache)
> > > -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> > > -index b53f850..36e8554 100644
> > > ---- a/lib/param/param_table.c
> > > -+++ b/lib/param/param_table.c
> > > -@@ -4206,6 +4206,15 @@ static struct parm_struct parm_table[] = {
> > > - .enum_list = NULL,
> > > - .flags = FLAG_ADVANCED,
> > > - },
> > > -+ {
> > > -+ .label = "require strong key",
> > > -+ .type = P_BOOL,
> > > -+ .p_class = P_GLOBAL,
> > > -+ .offset = GLOBAL_VAR(bRequireStrongKey),
> > > -+ .special = NULL,
> > > -+ .enum_list = NULL,
> > > -+ .flags = FLAG_ADVANCED,
> > > -+ },
> > > -
> > > - {N_("DNS options"), P_SEP, P_SEPARATOR},
> > > - {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4e604cc566b2854045c5b794a846c1ab1ef4a35f Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 17 Oct 2013 19:01:47 +0200
> > > -Subject: [PATCH 168/249] s3:param: set Globals.bRequireStrongKey = true
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit e7954bcc04ec6761b2ed6dad08b90c65efafa948)
> > > ----
> > > - source3/param/loadparm.c | 1 +
> > > - 1 file changed, 1 insertion(+)
> > > -
> > > -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> > > -index 7d95256..ed46e53 100644
> > > ---- a/source3/param/loadparm.c
> > > -+++ b/source3/param/loadparm.c
> > > -@@ -835,6 +835,7 @@ static void init_globals(bool reinit_globals)
> > > - Globals.bEncryptPasswords = true;
> > > - Globals.clientSchannel = Auto;
> > > - Globals.bWinbindSealedPipes = true;
> > > -+ Globals.bRequireStrongKey = true;
> > > - Globals.serverSchannel = Auto;
> > > - Globals.bReadRaw = true;
> > > - Globals.bWriteRaw = true;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 382f69a0f3762947a3e8cc02e8e9817533073195 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 17 Oct 2013 18:48:15 +0200
> > > -Subject: [PATCH 169/249] libcli/auth: make use of real options in
> > > - netlogon_creds_cli_context_global()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit fa3af7c2e8f1bf292e190ba3d933b6e1d552595d)
> > > ----
> > > - libcli/auth/netlogon_creds_cli.c | 18 +++---------------
> > > - 1 file changed, 3 insertions(+), 15 deletions(-)
> > > -
> > > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > > -index a872b31..6590b21 100644
> > > ---- a/libcli/auth/netlogon_creds_cli.c
> > > -+++ b/libcli/auth/netlogon_creds_cli.c
> > > -@@ -279,11 +279,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > > - * allow overwrite per domain
> > > - * reject md5 servers:<netbios_domain>
> > > - */
> > > -- //TODO: add lpcfp_reject_md5_servers()
> > > -- reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
> > > -- "__default__",
> > > -- "reject md5 servers",
> > > -- reject_md5_servers);
> > > -+ reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
> > > - reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
> > > - "reject md5 servers",
> > > - server_netbios_domain,
> > > -@@ -293,11 +289,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > > - * allow overwrite per domain
> > > - * require strong key:<netbios_domain>
> > > - */
> > > -- //TODO: add lpcfp_require_strong_key()
> > > -- require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
> > > -- "__default__",
> > > -- "require strong key",
> > > -- require_strong_key);
> > > -+ require_strong_key = lpcfg_require_strong_key(lp_ctx);
> > > - require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
> > > - "require strong key",
> > > - server_netbios_domain,
> > > -@@ -327,11 +319,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > > - * allow overwrite per domain
> > > - * neutralize nt4 emulation:<netbios_domain>
> > > - */
> > > -- //TODO: add lpcfp_neutralize_nt4_emulation()
> > > -- neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
> > > -- "__default__",
> > > -- "neutralize nt4 emulation",
> > > -- neutralize_nt4_emulation);
> > > -+ neutralize_nt4_emulation = lpcfg_neutralize_nt4_emulation(lp_ctx);
> > > - neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
> > > - "neutralize nt4 emulation",
> > > - server_netbios_domain,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 79e8c0c97591ed8bc129561e44b0d94757fcc4e1 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 23 Dec 2013 10:45:27 +0100
> > > -Subject: [PATCH 170/249] docs-xml: explain the interaction between security =
> > > - ads and other options.
> > > -
> > > -It implies 'require strong key = yes' and 'client schannel = yes'.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit f703a37a56e215827dbb2a7ec8da6738bf17f600)
> > > ----
> > > - docs-xml/smbdotconf/security/security.xml | 5 ++++-
> > > - 1 file changed, 4 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
> > > -index 406089f..2f5c3f7 100644
> > > ---- a/docs-xml/smbdotconf/security/security.xml
> > > -+++ b/docs-xml/smbdotconf/security/security.xml
> > > -@@ -99,7 +99,10 @@
> > > -
> > > - <para>Note that this mode does NOT make Samba operate as a Active Directory Domain
> > > - Controller. </para>
> > > --
> > > -+
> > > -+ <para>Note that this forces <smbconfoption name="require strong key">yes</smbconfoption>
> > > -+ and <smbconfoption name="client schannel">yes</smbconfoption> for the primary domain.</para>
> > > -+
> > > - <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
> > > - </description>
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 27ea332df51e3cd8ed9601633282b688e6f288a7 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 23 Dec 2013 10:46:57 +0100
> > > -Subject: [PATCH 171/249] docs-xml: explain the interaction of 'client
> > > - schannel' with 'require strong key = yes'
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 1d69fdddd5287757c2e67b0982d00241a6d75d26)
> > > ----
> > > - docs-xml/smbdotconf/security/clientschannel.xml | 5 +++++
> > > - 1 file changed, 5 insertions(+)
> > > -
> > > -diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
> > > -index e229182..ac4cc59 100644
> > > ---- a/docs-xml/smbdotconf/security/clientschannel.xml
> > > -+++ b/docs-xml/smbdotconf/security/clientschannel.xml
> > > -@@ -12,6 +12,11 @@
> > > - enforce it, and <smbconfoption name="client schannel">yes</smbconfoption> denies access
> > > - if the server is not able to speak netlogon schannel.
> > > - </para>
> > > -+
> > > -+ <para>Note that for active directory domains this is hardcoded to
> > > -+ <smbconfoption name="client schannel">yes</smbconfoption>.</para>
> > > -+
> > > -+ <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
> > > - </description>
> > > - <value type="default">auto</value>
> > > - <value type="example">yes</value>
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4853daeffb1916db3b92dc6ba9e5776652ec5f4e Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 17 Oct 2013 19:31:58 +0200
> > > -Subject: [PATCH 172/249] s3:winbindd: make use of the "winbind sealed pipes"
> > > - option for all connections
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 225982e1cb6276ed5c6a47c0e4827d75e8ab2fb1)
> > > ----
> > > - source3/winbindd/winbindd.h | 3 +++
> > > - source3/winbindd/winbindd_cm.c | 20 +++++++++++++++++---
> > > - 2 files changed, 20 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
> > > -index 72eb3ec..afde685 100644
> > > ---- a/source3/winbindd/winbindd.h
> > > -+++ b/source3/winbindd/winbindd.h
> > > -@@ -25,6 +25,7 @@
> > > -
> > > - #include "nsswitch/winbind_struct_protocol.h"
> > > - #include "nsswitch/libwbclient/wbclient.h"
> > > -+#include "librpc/gen_ndr/dcerpc.h"
> > > - #include "librpc/gen_ndr/wbint.h"
> > > -
> > > - #include "talloc_dict.h"
> > > -@@ -105,6 +106,8 @@ struct getpwent_user {
> > > - struct winbindd_cm_conn {
> > > - struct cli_state *cli;
> > > -
> > > -+ enum dcerpc_AuthLevel auth_level;
> > > -+
> > > - struct rpc_pipe_client *samr_pipe;
> > > - struct policy_handle sam_connect_handle, sam_domain_handle;
> > > -
> > > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > > -index c4f59d3..6c1244e 100644
> > > ---- a/source3/winbindd/winbindd_cm.c
> > > -+++ b/source3/winbindd/winbindd_cm.c
> > > -@@ -1722,6 +1722,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
> > > - }
> > > -
> > > - if (NT_STATUS_IS_OK(result)) {
> > > -+ bool seal_pipes = true;
> > > -
> > > - winbindd_set_locator_kdc_envs(domain);
> > > -
> > > -@@ -1741,6 +1742,17 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
> > > - */
> > > - store_current_dc_in_gencache(domain->name, domain->dcname,
> > > - new_conn->cli);
> > > -+
> > > -+ seal_pipes = lp_winbind_sealed_pipes();
> > > -+ seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
> > > -+ domain->name,
> > > -+ seal_pipes);
> > > -+
> > > -+ if (seal_pipes) {
> > > -+ new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
> > > -+ } else {
> > > -+ new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
> > > -+ }
> > > - } else {
> > > - /* Ensure we setup the retry handler. */
> > > - set_domain_offline(domain);
> > > -@@ -1813,6 +1825,8 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
> > > - }
> > > - }
> > > -
> > > -+ conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
> > > -+
> > > - if (conn->cli) {
> > > - cli_shutdown(conn->cli);
> > > - }
> > > -@@ -2363,7 +2377,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - &ndr_table_samr,
> > > - NCACN_NP,
> > > - GENSEC_OID_NTLMSSP,
> > > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > > -+ conn->auth_level,
> > > - smbXcli_conn_remote_name(conn->cli->conn),
> > > - domain_name,
> > > - machine_account,
> > > -@@ -2534,7 +2548,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> > > -
> > > - if (conn->lsa_pipe_tcp &&
> > > - conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
> > > -- conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
> > > -+ conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
> > > - rpccli_is_connected(conn->lsa_pipe_tcp)) {
> > > - goto done;
> > > - }
> > > -@@ -2602,7 +2616,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - result = cli_rpc_pipe_open_spnego
> > > - (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> > > - GENSEC_OID_NTLMSSP,
> > > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > > -+ conn->auth_level,
> > > - smbXcli_conn_remote_name(conn->cli->conn),
> > > - conn->cli->domain, conn->cli->user_name, conn->cli->password,
> > > - &conn->lsa_pipe);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From c2116e6a1ee32ff36942091287e90b08d1ecf6d1 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 14 Nov 2013 18:53:06 +0100
> > > -Subject: [PATCH 173/249] docs-xml: update 'winbind sealed pipes' description
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 11aed7cd3dbd967593b34a206f0802fd0002bf27)
> > > ----
> > > - docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 6 +++---
> > > - 1 file changed, 3 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
> > > -index 26f446e..63f5588 100644
> > > ---- a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
> > > -+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
> > > -@@ -4,12 +4,12 @@
> > > - advanced="1" developer="1"
> > > - xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > > - <description>
> > > -- <para>This option controls whether any requests made over the Samba 4 winbind
> > > -+ <para>This option controls whether any requests from winbindd to domain controllers
> > > - pipe will be sealed. Disabling sealing can be useful for debugging
> > > - purposes.</para>
> > > -
> > > -- <para>Note that this option only applies to the Samba 4 winbind and not
> > > -- to the standard winbind.</para>
> > > -+ <para>The behavior can be controlled per netbios domain
> > > -+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
> > > - </description>
> > > -
> > > - <value type="default">yes</value>
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From ea14b4a713a85a2d87cba6ad88127020e1d5e813 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 27 Jul 2013 11:30:13 +0200
> > > -Subject: [PATCH 174/249] s3:rpc_client: make use of the new
> > > - netlogon_creds_cli_context
> > > -
> > > -This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
> > > -and lets the secure channel session state be stored in node local database.
> > > -
> > > -This is the proper fix for a large number of bugs:
> > > -https://bugzilla.samba.org/show_bug.cgi?id=6563
> > > -https://bugzilla.samba.org/show_bug.cgi?id=7944
> > > -https://bugzilla.samba.org/show_bug.cgi?id=7945
> > > -https://bugzilla.samba.org/show_bug.cgi?id=7568
> > > -https://bugzilla.samba.org/show_bug.cgi?id=8599
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 38d4dba37406515181e4d6f1a1faffc18e652e27)
> > > ----
> > > - source3/libnet/libnet_join.c | 3 +-
> > > - source3/libnet/libnet_samsync.c | 19 +-
> > > - source3/rpc_client/cli_netlogon.c | 436 ++++++++-------------------------
> > > - source3/rpc_client/cli_pipe.c | 139 +++--------
> > > - source3/rpc_client/cli_pipe.h | 2 +-
> > > - source3/rpc_client/cli_pipe_schannel.c | 3 +-
> > > - source3/rpc_client/rpc_client.h | 2 +-
> > > - source3/rpcclient/cmd_netlogon.c | 57 ++++-
> > > - source3/winbindd/winbindd.h | 9 -
> > > - source3/winbindd/winbindd_cm.c | 36 +--
> > > - source3/winbindd/winbindd_pam.c | 136 ++--------
> > > - source3/wscript_build | 6 +-
> > > - 12 files changed, 250 insertions(+), 598 deletions(-)
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index c1eccda..5dc620f 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -1279,7 +1279,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > > - status = cli_rpc_pipe_open_schannel_with_key(
> > > - cli, &ndr_table_netlogon, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY,
> > > -- netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
> > > -+ netbios_domain_name,
> > > -+ netlogon_pipe->netlogon_creds, &pipe_hnd);
> > > -
> > > - cli_shutdown(cli);
> > > -
> > > -diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
> > > -index a103785..02d3fc6 100644
> > > ---- a/source3/libnet/libnet_samsync.c
> > > -+++ b/source3/libnet/libnet_samsync.c
> > > -@@ -30,6 +30,7 @@
> > > - #include "../librpc/gen_ndr/ndr_netlogon_c.h"
> > > - #include "../libcli/security/security.h"
> > > - #include "messages.h"
> > > -+#include "../libcli/auth/netlogon_creds_cli.h"
> > > -
> > > - /**
> > > - * Fix up the delta, dealing with encryption issues so that the final
> > > -@@ -213,8 +214,15 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
> > > -
> > > - do {
> > > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > > -
> > > -- netlogon_creds_client_authenticator(ctx->cli->dc, &credential);
> > > -+ status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
> > > -+ mem_ctx, &creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_client_authenticator(creds, &credential);
> > > -
> > > - if (ctx->single_object_replication &&
> > > - !ctx->force_full_replication) {
> > > -@@ -254,28 +262,33 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
> > > - }
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(creds);
> > > - return status;
> > > - }
> > > -
> > > - /* Check returned credentials. */
> > > -- if (!netlogon_creds_client_check(ctx->cli->dc,
> > > -+ if (!netlogon_creds_client_check(creds,
> > > - &return_authenticator.cred)) {
> > > -+ TALLOC_FREE(creds);
> > > - DEBUG(0,("credentials chain check failed\n"));
> > > - return NT_STATUS_ACCESS_DENIED;
> > > - }
> > > -
> > > - if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
> > > -+ TALLOC_FREE(creds);
> > > - return result;
> > > - }
> > > -
> > > - if (NT_STATUS_IS_ERR(result)) {
> > > -+ TALLOC_FREE(creds);
> > > - break;
> > > - }
> > > -
> > > - samsync_fix_delta_array(mem_ctx,
> > > -- ctx->cli->dc,
> > > -+ creds,
> > > - database_id,
> > > - delta_enum_array);
> > > -+ TALLOC_FREE(creds);
> > > -
> > > - /* Process results */
> > > - callback_status = ctx->ops->process_objects(mem_ctx, database_id,
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index 5e8a2fc..fcd24d6 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -23,11 +23,13 @@
> > > - #include "includes.h"
> > > - #include "rpc_client/rpc_client.h"
> > > - #include "../libcli/auth/libcli_auth.h"
> > > -+#include "../libcli/auth/netlogon_creds_cli.h"
> > > - #include "../librpc/gen_ndr/ndr_netlogon_c.h"
> > > - #include "rpc_client/cli_netlogon.h"
> > > - #include "rpc_client/init_netlogon.h"
> > > - #include "rpc_client/util_netlogon.h"
> > > - #include "../libcli/security/security.h"
> > > -+#include "lib/param/param.h"
> > > -
> > > - /****************************************************************************
> > > - Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
> > > -@@ -44,113 +46,81 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > > - enum netr_SchannelType sec_chan_type,
> > > - uint32_t *neg_flags_inout)
> > > - {
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct loadparm_context *lp_ctx;
> > > - NTSTATUS status;
> > > -- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > > -- struct netr_Credential clnt_chal_send;
> > > -- struct netr_Credential srv_chal_recv;
> > > - struct samr_Password password;
> > > -- bool retried = false;
> > > - fstring mach_acct;
> > > -- uint32_t neg_flags = *neg_flags_inout;
> > > - struct dcerpc_binding_handle *b = cli->binding_handle;
> > > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > > -
> > > - if (!ndr_syntax_id_equal(&cli->abstract_syntax,
> > > - &ndr_table_netlogon.syntax_id)) {
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_INVALID_PARAMETER;
> > > - }
> > > -
> > > -- TALLOC_FREE(cli->dc);
> > > --
> > > -- /* Store the machine account password we're going to use. */
> > > -- memcpy(password.hash, machine_pwd, 16);
> > > --
> > > -- fstr_sprintf( mach_acct, "%s$", machine_account);
> > > --
> > > -- again:
> > > -- /* Create the client challenge. */
> > > -- generate_random_buffer(clnt_chal_send.data, 8);
> > > --
> > > -- /* Get the server challenge. */
> > > -- status = dcerpc_netr_ServerReqChallenge(b, talloc_tos(),
> > > -- cli->srv_name_slash,
> > > -- clnt_name,
> > > -- &clnt_chal_send,
> > > -- &srv_chal_recv,
> > > -- &result);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > -- if (!NT_STATUS_IS_OK(result)) {
> > > -- return result;
> > > -+ if (!strequal(lp_netbios_name(), clnt_name)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_INVALID_PARAMETER;
> > > - }
> > > -
> > > -- /* Calculate the session key and client credentials */
> > > -+ TALLOC_FREE(cli->netlogon_creds);
> > > -
> > > -- cli->dc = netlogon_creds_client_init(cli,
> > > -- mach_acct,
> > > -- clnt_name,
> > > -- sec_chan_type,
> > > -- &clnt_chal_send,
> > > -- &srv_chal_recv,
> > > -- &password,
> > > -- &clnt_chal_send,
> > > -- neg_flags);
> > > -+ fstr_sprintf( mach_acct, "%s$", machine_account);
> > > -
> > > -- if (!cli->dc) {
> > > -+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> > > -+ if (lp_ctx == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > --
> > > -- /*
> > > -- * Send client auth-2 challenge and receive server repy.
> > > -- */
> > > --
> > > -- status = dcerpc_netr_ServerAuthenticate2(b, talloc_tos(),
> > > -- cli->srv_name_slash,
> > > -- cli->dc->account_name,
> > > -- sec_chan_type,
> > > -- cli->dc->computer_name,
> > > -- &clnt_chal_send, /* input. */
> > > -- &srv_chal_recv, /* output. */
> > > -- &neg_flags,
> > > -- &result);
> > > -+ status = netlogon_creds_cli_context_global(lp_ctx,
> > > -+ NULL, /* msg_ctx */
> > > -+ mach_acct,
> > > -+ sec_chan_type,
> > > -+ server_name,
> > > -+ domain,
> > > -+ cli, &cli->netlogon_creds);
> > > -+ talloc_unlink(frame, lp_ctx);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > - return status;
> > > - }
> > > -- /* we might be talking to NT4, so let's downgrade in that case and retry
> > > -- * with the returned neg_flags - gd */
> > > -
> > > -- if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) {
> > > -- retried = true;
> > > -- TALLOC_FREE(cli->dc);
> > > -- goto again;
> > > -+ status = netlogon_creds_cli_get(cli->netlogon_creds,
> > > -+ frame, &creds);
> > > -+ if (NT_STATUS_IS_OK(status)) {
> > > -+ DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
> > > -+ "cached credential\n",
> > > -+ cli->desthost));
> > > -+ *neg_flags_inout = creds->negotiate_flags;
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_OK;
> > > - }
> > > -
> > > -- if (!NT_STATUS_IS_OK(result)) {
> > > -- return result;
> > > -- }
> > > --
> > > -- /*
> > > -- * Check the returned value using the initial
> > > -- * server received challenge.
> > > -- */
> > > --
> > > -- if (!netlogon_creds_client_check(cli->dc, &srv_chal_recv)) {
> > > -- /*
> > > -- * Server replied with bad credential. Fail.
> > > -- */
> > > -- DEBUG(0,("rpccli_netlogon_setup_creds: server %s "
> > > -- "replied with bad credential\n",
> > > -- cli->desthost ));
> > > -- return NT_STATUS_ACCESS_DENIED;
> > > -- }
> > > -+ /* Store the machine account password we're going to use. */
> > > -+ memcpy(password.hash, machine_pwd, 16);
> > > -
> > > - DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
> > > - "chain established.\n",
> > > - cli->desthost ));
> > > -
> > > -- cli->dc->negotiate_flags = neg_flags;
> > > -- *neg_flags_inout = neg_flags;
> > > -+ status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
> > > -+ password, NULL);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_get(cli->netlogon_creds,
> > > -+ frame, &creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_INTERNAL_ERROR;
> > > -+ }
> > > -
> > > -+ *neg_flags_inout = creds->negotiate_flags;
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -@@ -163,20 +133,16 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > - const char *username,
> > > - const char *password,
> > > - const char *workstation,
> > > -- uint16_t validation_level,
> > > -+ uint16_t _ignored_validation_level,
> > > - int logon_type)
> > > - {
> > > -- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > > - NTSTATUS status;
> > > -- struct netr_Authenticator clnt_creds;
> > > -- struct netr_Authenticator ret_creds;
> > > - union netr_LogonLevel *logon;
> > > -- union netr_Validation validation;
> > > -- uint8_t authoritative;
> > > -+ uint16_t validation_level = 0;
> > > -+ union netr_Validation *validation = NULL;
> > > -+ uint8_t authoritative = 0;
> > > -+ uint32_t flags = 0;
> > > - fstring clnt_name_slash;
> > > -- struct dcerpc_binding_handle *b = cli->binding_handle;
> > > --
> > > -- ZERO_STRUCT(ret_creds);
> > > -
> > > - logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> > > - if (!logon) {
> > > -@@ -191,8 +157,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > -
> > > - /* Initialise input parameters */
> > > -
> > > -- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
> > > --
> > > - switch (logon_type) {
> > > - case NetlogonInteractiveInformation: {
> > > -
> > > -@@ -208,17 +172,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > -
> > > - nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
> > > -
> > > -- if (cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- netlogon_creds_aes_encrypt(cli->dc, lmpassword.hash, 16);
> > > -- netlogon_creds_aes_encrypt(cli->dc, ntpassword.hash, 16);
> > > -- } else if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> > > -- netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16);
> > > -- netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16);
> > > -- } else {
> > > -- netlogon_creds_des_encrypt(cli->dc, &lmpassword);
> > > -- netlogon_creds_des_encrypt(cli->dc, &ntpassword);
> > > -- }
> > > --
> > > - password_info->identity_info.domain_name.string = domain;
> > > - password_info->identity_info.parameter_control = logon_parameters;
> > > - password_info->identity_info.logon_id_low = 0xdead;
> > > -@@ -281,28 +234,20 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > - return NT_STATUS_INVALID_INFO_CLASS;
> > > - }
> > > -
> > > -- status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
> > > -- cli->srv_name_slash,
> > > -- lp_netbios_name(),
> > > -- &clnt_creds,
> > > -- &ret_creds,
> > > -- logon_type,
> > > -- logon,
> > > -- validation_level,
> > > -- &validation,
> > > -- &authoritative,
> > > -- &result);
> > > -+ status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
> > > -+ cli->binding_handle,
> > > -+ logon_type,
> > > -+ logon,
> > > -+ mem_ctx,
> > > -+ &validation_level,
> > > -+ &validation,
> > > -+ &authoritative,
> > > -+ &flags);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > -
> > > -- /* Always check returned credentials */
> > > -- if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
> > > -- DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n"));
> > > -- return NT_STATUS_ACCESS_DENIED;
> > > -- }
> > > --
> > > -- return result;
> > > -+ return NT_STATUS_OK;
> > > - }
> > > -
> > > - static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> > > -@@ -366,29 +311,24 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > > - const char *domain,
> > > - const char *workstation,
> > > - const uint8 chal[8],
> > > -- uint16_t validation_level,
> > > -+ uint16_t _ignored_validation_level,
> > > - DATA_BLOB lm_response,
> > > - DATA_BLOB nt_response,
> > > - struct netr_SamInfo3 **info3)
> > > - {
> > > -- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > > - NTSTATUS status;
> > > - const char *workstation_name_slash;
> > > -- const char *server_name_slash;
> > > -- struct netr_Authenticator clnt_creds;
> > > -- struct netr_Authenticator ret_creds;
> > > - union netr_LogonLevel *logon = NULL;
> > > - struct netr_NetworkInfo *network_info;
> > > -- uint8_t authoritative;
> > > -- union netr_Validation validation;
> > > -+ uint16_t validation_level = 0;
> > > -+ union netr_Validation *validation = NULL;
> > > -+ uint8_t authoritative = 0;
> > > -+ uint32_t flags = 0;
> > > - struct netr_ChallengeResponse lm;
> > > - struct netr_ChallengeResponse nt;
> > > -- struct dcerpc_binding_handle *b = cli->binding_handle;
> > > -
> > > - *info3 = NULL;
> > > -
> > > -- ZERO_STRUCT(ret_creds);
> > > --
> > > - ZERO_STRUCT(lm);
> > > - ZERO_STRUCT(nt);
> > > -
> > > -@@ -402,21 +342,13 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
> > > --
> > > -- if (server[0] != '\\' && server[1] != '\\') {
> > > -- server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
> > > -- } else {
> > > -- server_name_slash = server;
> > > -- }
> > > --
> > > - if (workstation[0] != '\\' && workstation[1] != '\\') {
> > > - workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
> > > - } else {
> > > - workstation_name_slash = workstation;
> > > - }
> > > -
> > > -- if (!workstation_name_slash || !server_name_slash) {
> > > -+ if (!workstation_name_slash) {
> > > - DEBUG(0, ("talloc_asprintf failed!\n"));
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -@@ -443,40 +375,27 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > > -
> > > - /* Marshall data and send request */
> > > -
> > > -- status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
> > > -- server_name_slash,
> > > -- lp_netbios_name(),
> > > -- &clnt_creds,
> > > -- &ret_creds,
> > > -- NetlogonNetworkInformation,
> > > -- logon,
> > > -- validation_level,
> > > -- &validation,
> > > -- &authoritative,
> > > -- &result);
> > > -+ status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
> > > -+ cli->binding_handle,
> > > -+ NetlogonNetworkInformation,
> > > -+ logon,
> > > -+ mem_ctx,
> > > -+ &validation_level,
> > > -+ &validation,
> > > -+ &authoritative,
> > > -+ &flags);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > -
> > > -- /* Always check returned credentials. */
> > > -- if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
> > > -- DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n"));
> > > -- return NT_STATUS_ACCESS_DENIED;
> > > -- }
> > > --
> > > -- if (!NT_STATUS_IS_OK(result)) {
> > > -- return result;
> > > -- }
> > > --
> > > -- netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
> > > -- &validation);
> > > --
> > > -- result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
> > > -- if (!NT_STATUS_IS_OK(result)) {
> > > -- return result;
> > > -+ status = map_validation_to_info3(mem_ctx,
> > > -+ validation_level, validation,
> > > -+ info3);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > - }
> > > -
> > > -- return result;
> > > -+ return NT_STATUS_OK;
> > > - }
> > > -
> > > - NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
> > > -@@ -492,100 +411,18 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
> > > - DATA_BLOB nt_response,
> > > - struct netr_SamInfo3 **info3)
> > > - {
> > > -- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > > -- NTSTATUS status;
> > > -- const char *workstation_name_slash;
> > > -- const char *server_name_slash;
> > > -- union netr_LogonLevel *logon = NULL;
> > > -- struct netr_NetworkInfo *network_info;
> > > -- uint8_t authoritative;
> > > -- union netr_Validation validation;
> > > -- struct netr_ChallengeResponse lm;
> > > -- struct netr_ChallengeResponse nt;
> > > -- uint32_t flags = 0;
> > > -- struct dcerpc_binding_handle *b = cli->binding_handle;
> > > --
> > > -- *info3 = NULL;
> > > --
> > > -- ZERO_STRUCT(lm);
> > > -- ZERO_STRUCT(nt);
> > > --
> > > -- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> > > -- if (!logon) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
> > > -- if (!network_info) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- if (server[0] != '\\' && server[1] != '\\') {
> > > -- server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
> > > -- } else {
> > > -- server_name_slash = server;
> > > -- }
> > > --
> > > -- if (workstation[0] != '\\' && workstation[1] != '\\') {
> > > -- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
> > > -- } else {
> > > -- workstation_name_slash = workstation;
> > > -- }
> > > --
> > > -- if (!workstation_name_slash || !server_name_slash) {
> > > -- DEBUG(0, ("talloc_asprintf failed!\n"));
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- /* Initialise input parameters */
> > > --
> > > -- lm.data = lm_response.data;
> > > -- lm.length = lm_response.length;
> > > -- nt.data = nt_response.data;
> > > -- nt.length = nt_response.length;
> > > --
> > > -- network_info->identity_info.domain_name.string = domain;
> > > -- network_info->identity_info.parameter_control = logon_parameters;
> > > -- network_info->identity_info.logon_id_low = 0xdead;
> > > -- network_info->identity_info.logon_id_high = 0xbeef;
> > > -- network_info->identity_info.account_name.string = username;
> > > -- network_info->identity_info.workstation.string = workstation_name_slash;
> > > --
> > > -- memcpy(network_info->challenge, chal, 8);
> > > -- network_info->nt = nt;
> > > -- network_info->lm = lm;
> > > --
> > > -- logon->network = network_info;
> > > --
> > > -- /* Marshall data and send request */
> > > --
> > > -- status = dcerpc_netr_LogonSamLogonEx(b, mem_ctx,
> > > -- server_name_slash,
> > > -- lp_netbios_name(),
> > > -- NetlogonNetworkInformation,
> > > -- logon,
> > > -- validation_level,
> > > -- &validation,
> > > -- &authoritative,
> > > -- &flags,
> > > -- &result);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > --
> > > -- if (!NT_STATUS_IS_OK(result)) {
> > > -- return result;
> > > -- }
> > > --
> > > -- netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
> > > -- &validation);
> > > --
> > > -- result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
> > > -- if (!NT_STATUS_IS_OK(result)) {
> > > -- return result;
> > > -- }
> > > --
> > > -- return result;
> > > -+ return rpccli_netlogon_sam_network_logon(cli,
> > > -+ mem_ctx,
> > > -+ logon_parameters,
> > > -+ server,
> > > -+ username,
> > > -+ domain,
> > > -+ workstation,
> > > -+ chal,
> > > -+ validation_level,
> > > -+ lm_response,
> > > -+ nt_response,
> > > -+ info3);
> > > - }
> > > -
> > > - /*********************************************************
> > > -@@ -605,11 +442,9 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > > - const unsigned char new_trust_passwd_hash[16],
> > > - enum netr_SchannelType sec_channel_type)
> > > - {
> > > -- NTSTATUS result, status;
> > > -- struct netr_Authenticator clnt_creds, srv_cred;
> > > -- struct dcerpc_binding_handle *b = cli->binding_handle;
> > > -+ NTSTATUS result;
> > > -
> > > -- if (!cli->dc) {
> > > -+ if (cli->netlogon_creds == NULL) {
> > > - uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > - NETLOGON_NEG_SUPPORTS_AES;
> > > - result = rpccli_netlogon_setup_creds(cli,
> > > -@@ -627,77 +462,16 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > > - }
> > > - }
> > > -
> > > -- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
> > > --
> > > -- if (cli->dc->negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
> > > --
> > > -- struct netr_CryptPassword new_password;
> > > -- uint32_t old_timeout;
> > > --
> > > -- init_netr_CryptPassword(new_trust_pwd_cleartext,
> > > -- cli->dc,
> > > -- &new_password);
> > > --
> > > -- old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
> > > --
> > > -- status = dcerpc_netr_ServerPasswordSet2(b, mem_ctx,
> > > -- cli->srv_name_slash,
> > > -- cli->dc->account_name,
> > > -- sec_channel_type,
> > > -- cli->dc->computer_name,
> > > -- &clnt_creds,
> > > -- &srv_cred,
> > > -- &new_password,
> > > -- &result);
> > > --
> > > -- dcerpc_binding_handle_set_timeout(b, old_timeout);
> > > --
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(0,("dcerpc_netr_ServerPasswordSet2 failed: %s\n",
> > > -- nt_errstr(status)));
> > > -- return status;
> > > -- }
> > > -- } else {
> > > --
> > > -- struct samr_Password new_password;
> > > -- uint32_t old_timeout;
> > > --
> > > -- memcpy(new_password.hash, new_trust_passwd_hash, sizeof(new_password.hash));
> > > -- netlogon_creds_des_encrypt(cli->dc, &new_password);
> > > --
> > > -- old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
> > > --
> > > -- status = dcerpc_netr_ServerPasswordSet(b, mem_ctx,
> > > -- cli->srv_name_slash,
> > > -- cli->dc->account_name,
> > > -- sec_channel_type,
> > > -- cli->dc->computer_name,
> > > -- &clnt_creds,
> > > -- &srv_cred,
> > > -- &new_password,
> > > -- &result);
> > > --
> > > -- dcerpc_binding_handle_set_timeout(b, old_timeout);
> > > --
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(0,("dcerpc_netr_ServerPasswordSet failed: %s\n",
> > > -- nt_errstr(status)));
> > > -- return status;
> > > -- }
> > > -- }
> > > --
> > > -- /* Always check returned credentials. */
> > > -- if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
> > > -- DEBUG(0,("credentials chain check failed\n"));
> > > -- return NT_STATUS_ACCESS_DENIED;
> > > -- }
> > > --
> > > -+ result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
> > > -+ cli->binding_handle,
> > > -+ new_trust_pwd_cleartext,
> > > -+ NULL); /* new_version */
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > -- DEBUG(0,("dcerpc_netr_ServerPasswordSet{2} failed: %s\n",
> > > -+ DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
> > > - nt_errstr(result)));
> > > - return result;
> > > - }
> > > -
> > > -- return result;
> > > -+ return NT_STATUS_OK;
> > > - }
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index a45023f..fe1613d 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -24,6 +24,7 @@
> > > - #include "librpc/gen_ndr/ndr_epmapper_c.h"
> > > - #include "../librpc/gen_ndr/ndr_dssetup.h"
> > > - #include "../libcli/auth/schannel.h"
> > > -+#include "../libcli/auth/netlogon_creds_cli.h"
> > > - #include "auth_generic.h"
> > > - #include "librpc/gen_ndr/ndr_dcerpc.h"
> > > - #include "librpc/gen_ndr/ndr_netlogon_c.h"
> > > -@@ -3024,34 +3025,39 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - enum dcerpc_transport_t transport,
> > > - enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > -- struct netlogon_creds_CredentialState **pdc,
> > > -+ struct netlogon_creds_cli_context *netlogon_creds,
> > > - struct rpc_pipe_client **_rpccli)
> > > - {
> > > - struct rpc_pipe_client *rpccli;
> > > - struct pipe_auth_data *rpcauth;
> > > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > > - NTSTATUS status;
> > > -- NTSTATUS result;
> > > -- struct netlogon_creds_CredentialState save_creds;
> > > -- struct netr_Authenticator auth;
> > > -- struct netr_Authenticator return_auth;
> > > -- union netr_Capabilities capabilities;
> > > - const char *target_service = table->authservices->names[0];
> > > -+ int rpc_pipe_bind_dbglvl = 0;
> > > -
> > > - status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > -
> > > -+ status = netlogon_creds_cli_lock(netlogon_creds, rpccli, &creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ DEBUG(0, ("netlogon_creds_cli_get returned %s\n",
> > > -+ nt_errstr(status)));
> > > -+ TALLOC_FREE(rpccli);
> > > -+ return status;
> > > -+ }
> > > -+
> > > - status = rpccli_generic_bind_data(rpccli,
> > > - DCERPC_AUTH_TYPE_SCHANNEL,
> > > - auth_level,
> > > - NULL,
> > > - target_service,
> > > - domain,
> > > -- (*pdc)->computer_name,
> > > -+ creds->computer_name,
> > > - NULL,
> > > - CRED_AUTO_USE_KERBEROS,
> > > -- *pdc,
> > > -+ creds,
> > > - &rpcauth);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
> > > -@@ -3060,120 +3066,43 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - return status;
> > > - }
> > > -
> > > -- /*
> > > -- * The credentials on a new netlogon pipe are the ones we are passed
> > > -- * in - copy them over
> > > -- *
> > > -- * This may get overwritten... in rpc_pipe_bind()...
> > > -- */
> > > -- rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
> > > -- if (rpccli->dc == NULL) {
> > > -- TALLOC_FREE(rpccli);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > - status = rpc_pipe_bind(rpccli, rpcauth);
> > > -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
> > > -+ rpc_pipe_bind_dbglvl = 1;
> > > -+ netlogon_creds_cli_delete(netlogon_creds, &creds);
> > > -+ }
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
> > > -- "cli_rpc_pipe_bind failed with error %s\n",
> > > -- nt_errstr(status) ));
> > > -+ DEBUG(rpc_pipe_bind_dbglvl,
> > > -+ ("cli_rpc_pipe_open_schannel_with_key: "
> > > -+ "rpc_pipe_bind failed with error %s\n",
> > > -+ nt_errstr(status)));
> > > - TALLOC_FREE(rpccli);
> > > - return status;
> > > - }
> > > -
> > > -- if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
> > > -- goto done;
> > > -- }
> > > --
> > > -- save_creds = *rpccli->dc;
> > > -- ZERO_STRUCT(return_auth);
> > > -- ZERO_STRUCT(capabilities);
> > > -+ TALLOC_FREE(creds);
> > > -
> > > -- netlogon_creds_client_authenticator(&save_creds, &auth);
> > > --
> > > -- status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
> > > -- talloc_tos(),
> > > -- rpccli->srv_name_slash,
> > > -- save_creds.computer_name,
> > > -- &auth, &return_auth,
> > > -- 1, &capabilities,
> > > -- &result);
> > > -- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > > -- if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- DEBUG(5, ("AES was negotiated and the error was %s - "
> > > -- "downgrade detected\n",
> > > -- nt_errstr(status)));
> > > -- TALLOC_FREE(rpccli);
> > > -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > > -- }
> > > --
> > > -- /* This is probably an old Samba Version */
> > > -- DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
> > > -- nt_errstr(status)));
> > > -+ if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
> > > - goto done;
> > > - }
> > > -
> > > -+ status = netlogon_creds_cli_check(netlogon_creds,
> > > -+ rpccli->binding_handle);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
> > > -+ DEBUG(0, ("netlogon_creds_cli_check failed with %s\n",
> > > - nt_errstr(status)));
> > > - TALLOC_FREE(rpccli);
> > > - return status;
> > > - }
> > > -
> > > -- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
> > > -- if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- /* This means AES isn't supported. */
> > > -- DEBUG(5, ("AES was negotiated and the result was %s - "
> > > -- "downgrade detected\n",
> > > -- nt_errstr(result)));
> > > -- TALLOC_FREE(rpccli);
> > > -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > > -- }
> > > --
> > > -- /* This is probably an old Windows version */
> > > -- DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
> > > -- nt_errstr(result)));
> > > -- goto done;
> > > -- }
> > > --
> > > -- /*
> > > -- * We need to check the credential state here, cause win2k3 and earlier
> > > -- * returns NT_STATUS_NOT_IMPLEMENTED
> > > -- */
> > > -- if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
> > > -- /*
> > > -- * Server replied with bad credential. Fail.
> > > -- */
> > > -- DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
> > > -- "replied with bad credential\n",
> > > -- rpccli->desthost));
> > > -- TALLOC_FREE(rpccli);
> > > -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > > -- }
> > > -- *rpccli->dc = save_creds;
> > > --
> > > -- if (!NT_STATUS_IS_OK(result)) {
> > > -- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
> > > -- nt_errstr(result)));
> > > -- TALLOC_FREE(rpccli);
> > > -- return result;
> > > -- }
> > > --
> > > -- if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
> > > -- /* This means AES isn't supported. */
> > > -- DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
> > > -- "was OK - downgrade detected\n"));
> > > -- TALLOC_FREE(rpccli);
> > > -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > > -- }
> > > --
> > > -- if (save_creds.negotiate_flags != capabilities.server_capabilities) {
> > > -- DEBUG(0, ("The client capabilities don't match the server "
> > > -- "capabilities: local[0x%08X] remote[0x%08X]\n",
> > > -- save_creds.negotiate_flags,
> > > -- capabilities.server_capabilities));
> > > -+ status = netlogon_creds_cli_context_copy(netlogon_creds,
> > > -+ rpccli,
> > > -+ &rpccli->netlogon_creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
> > > -+ nt_errstr(status)));
> > > - TALLOC_FREE(rpccli);
> > > -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > > -+ return status;
> > > - }
> > > -
> > > - done:
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index 826f9bf..cf0c5c6 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -96,7 +96,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - enum dcerpc_transport_t transport,
> > > - enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > -- struct netlogon_creds_CredentialState **pdc,
> > > -+ struct netlogon_creds_cli_context *netlogon_creds,
> > > - struct rpc_pipe_client **presult);
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > > -index aaae44b..e3d65c8 100644
> > > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > > -@@ -112,7 +112,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > - }
> > > -
> > > - status = cli_rpc_pipe_open_schannel_with_key(
> > > -- cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
> > > -+ cli, table, transport, auth_level, domain,
> > > -+ netlogon_pipe->netlogon_creds,
> > > - &result);
> > > -
> > > - /* Now we've bound using the session key we can close the netlog pipe. */
> > > -diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
> > > -index 8024f01..7c4cceb 100644
> > > ---- a/source3/rpc_client/rpc_client.h
> > > -+++ b/source3/rpc_client/rpc_client.h
> > > -@@ -50,7 +50,7 @@ struct rpc_pipe_client {
> > > - struct pipe_auth_data *auth;
> > > -
> > > - /* The following is only non-null on a netlogon client pipe. */
> > > -- struct netlogon_creds_CredentialState *dc;
> > > -+ struct netlogon_creds_cli_context *netlogon_creds;
> > > - };
> > > -
> > > - #endif /* _RPC_CLIENT_H */
> > > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > > -index d92434b..2e0b5e5 100644
> > > ---- a/source3/rpcclient/cmd_netlogon.c
> > > -+++ b/source3/rpcclient/cmd_netlogon.c
> > > -@@ -26,6 +26,7 @@
> > > - #include "../librpc/gen_ndr/ndr_netlogon_c.h"
> > > - #include "rpc_client/cli_netlogon.h"
> > > - #include "secrets.h"
> > > -+#include "../libcli/auth/netlogon_creds_cli.h"
> > > -
> > > - static WERROR cmd_netlogon_logon_ctrl2(struct rpc_pipe_client *cli,
> > > - TALLOC_CTX *mem_ctx, int argc,
> > > -@@ -630,8 +631,15 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
> > > -
> > > - do {
> > > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > > -
> > > -- netlogon_creds_client_authenticator(cli->dc, &credential);
> > > -+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > > -+ mem_ctx, &creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_client_authenticator(creds, &credential);
> > > -
> > > - status = dcerpc_netr_DatabaseSync2(b, mem_ctx,
> > > - logon_server,
> > > -@@ -645,15 +653,18 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
> > > - 0xffff,
> > > - &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(creds);
> > > - return status;
> > > - }
> > > -
> > > - /* Check returned credentials. */
> > > -- if (!netlogon_creds_client_check(cli->dc,
> > > -+ if (!netlogon_creds_client_check(creds,
> > > - &return_authenticator.cred)) {
> > > - DEBUG(0,("credentials chain check failed\n"));
> > > -+ TALLOC_FREE(creds);
> > > - return NT_STATUS_ACCESS_DENIED;
> > > - }
> > > -+ TALLOC_FREE(creds);
> > > -
> > > - if (NT_STATUS_IS_ERR(result)) {
> > > - break;
> > > -@@ -699,8 +710,15 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
> > > -
> > > - do {
> > > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > > -+
> > > -+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > > -+ mem_ctx, &creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -
> > > -- netlogon_creds_client_authenticator(cli->dc, &credential);
> > > -+ netlogon_creds_client_authenticator(creds, &credential);
> > > -
> > > - status = dcerpc_netr_DatabaseDeltas(b, mem_ctx,
> > > - logon_server,
> > > -@@ -713,15 +731,18 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
> > > - 0xffff,
> > > - &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(creds);
> > > - return status;
> > > - }
> > > -
> > > - /* Check returned credentials. */
> > > -- if (!netlogon_creds_client_check(cli->dc,
> > > -+ if (!netlogon_creds_client_check(creds,
> > > - &return_authenticator.cred)) {
> > > - DEBUG(0,("credentials chain check failed\n"));
> > > -+ TALLOC_FREE(creds);
> > > - return NT_STATUS_ACCESS_DENIED;
> > > - }
> > > -+ TALLOC_FREE(creds);
> > > -
> > > - if (NT_STATUS_IS_ERR(result)) {
> > > - break;
> > > -@@ -1129,6 +1150,7 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > > - struct netr_ChangeLogEntry e;
> > > - uint32_t rid = 500;
> > > - struct dcerpc_binding_handle *b = cli->binding_handle;
> > > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > > -
> > > - if (argc > 2) {
> > > - fprintf(stderr, "Usage: %s <user rid>\n", argv[0]);
> > > -@@ -1158,7 +1180,13 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > > - return status;
> > > - }
> > > -
> > > -- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
> > > -+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > > -+ mem_ctx, &creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_client_authenticator(creds, &clnt_creds);
> > > -
> > > - ZERO_STRUCT(e);
> > > -
> > > -@@ -1176,13 +1204,16 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > > - &delta_enum_array,
> > > - &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(creds);
> > > - return status;
> > > - }
> > > -
> > > -- if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
> > > -+ if (!netlogon_creds_client_check(creds, &srv_cred.cred)) {
> > > - DEBUG(0,("credentials chain check failed\n"));
> > > -+ TALLOC_FREE(creds);
> > > - return NT_STATUS_ACCESS_DENIED;
> > > - }
> > > -+ TALLOC_FREE(creds);
> > > -
> > > - return result;
> > > - }
> > > -@@ -1198,6 +1229,7 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
> > > - union netr_Capabilities capabilities;
> > > - uint32_t level = 1;
> > > - struct dcerpc_binding_handle *b = cli->binding_handle;
> > > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > > -
> > > - if (argc > 2) {
> > > - fprintf(stderr, "Usage: %s <level>\n", argv[0]);
> > > -@@ -1210,7 +1242,13 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
> > > -
> > > - ZERO_STRUCT(return_authenticator);
> > > -
> > > -- netlogon_creds_client_authenticator(cli->dc, &credential);
> > > -+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > > -+ mem_ctx, &creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_client_authenticator(creds, &credential);
> > > -
> > > - status = dcerpc_netr_LogonGetCapabilities(b, mem_ctx,
> > > - cli->desthost,
> > > -@@ -1221,14 +1259,17 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
> > > - &capabilities,
> > > - &result);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(creds);
> > > - return status;
> > > - }
> > > -
> > > -- if (!netlogon_creds_client_check(cli->dc,
> > > -+ if (!netlogon_creds_client_check(creds,
> > > - &return_authenticator.cred)) {
> > > - DEBUG(0,("credentials chain check failed\n"));
> > > -+ TALLOC_FREE(creds);
> > > - return NT_STATUS_ACCESS_DENIED;
> > > - }
> > > -+ TALLOC_FREE(creds);
> > > -
> > > - printf("capabilities: 0x%08x\n", capabilities.server_capabilities);
> > > -
> > > -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
> > > -index afde685..b5fc010 100644
> > > ---- a/source3/winbindd/winbindd.h
> > > -+++ b/source3/winbindd/winbindd.h
> > > -@@ -165,16 +165,7 @@ struct winbindd_domain {
> > > - time_t startup_time; /* When we set "startup" true. monotonic clock */
> > > - bool startup; /* are we in the first 30 seconds after startup_time ? */
> > > -
> > > -- bool can_do_samlogon_ex; /* Due to the lack of finer control what type
> > > -- * of DC we have, let us try to do a
> > > -- * credential-chain less samlogon_ex call
> > > -- * with AD and schannel. If this fails with
> > > -- * DCERPC_FAULT_OP_RNG_ERROR, then set this
> > > -- * to False. This variable is around so that
> > > -- * we don't have to try _ex every time. */
> > > --
> > > - bool can_do_ncacn_ip_tcp;
> > > -- bool can_do_validation6;
> > > -
> > > - /* Lookup methods for this domain (LDAP or RPC) */
> > > - struct winbindd_methods *methods;
> > > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > > -index 6c1244e..e0d1d0c 100644
> > > ---- a/source3/winbindd/winbindd_cm.c
> > > -+++ b/source3/winbindd/winbindd_cm.c
> > > -@@ -2047,7 +2047,6 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
> > > - domain->active_directory ? "" : "NOT "));
> > > -
> > > - domain->can_do_ncacn_ip_tcp = domain->active_directory;
> > > -- domain->can_do_validation6 = domain->active_directory;
> > > -
> > > - domain->initialized = True;
> > > -
> > > -@@ -2248,7 +2247,6 @@ done:
> > > - domain->name, domain->active_directory ? "" : "NOT "));
> > > -
> > > - domain->can_do_ncacn_ip_tcp = domain->active_directory;
> > > -- domain->can_do_validation6 = domain->active_directory;
> > > -
> > > - TALLOC_FREE(cli);
> > > -
> > > -@@ -2289,7 +2287,7 @@ static void set_dc_type_and_flags( struct winbindd_domain *domain )
> > > - ***********************************************************************/
> > > -
> > > - static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
> > > -- struct netlogon_creds_CredentialState **ppdc)
> > > -+ struct netlogon_creds_cli_context **ppdc)
> > > - {
> > > - NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > > - struct rpc_pipe_client *netlogon_pipe;
> > > -@@ -2306,11 +2304,11 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
> > > - /* Return a pointer to the struct netlogon_creds_CredentialState from the
> > > - netlogon pipe. */
> > > -
> > > -- if (!domain->conn.netlogon_pipe->dc) {
> > > -+ if (!domain->conn.netlogon_pipe->netlogon_creds) {
> > > - return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
> > > - }
> > > -
> > > -- *ppdc = domain->conn.netlogon_pipe->dc;
> > > -+ *ppdc = domain->conn.netlogon_pipe->netlogon_creds;
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -@@ -2319,7 +2317,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - {
> > > - struct winbindd_cm_conn *conn;
> > > - NTSTATUS status, result;
> > > -- struct netlogon_creds_CredentialState *p_creds;
> > > -+ struct netlogon_creds_cli_context *p_creds;
> > > - char *machine_password = NULL;
> > > - char *machine_account = NULL;
> > > - const char *domain_name = NULL;
> > > -@@ -2431,7 +2429,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - status = cli_rpc_pipe_open_schannel_with_key
> > > - (conn->cli, &ndr_table_samr, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY,
> > > -- domain->name, &p_creds, &conn->samr_pipe);
> > > -+ domain->name, p_creds, &conn->samr_pipe);
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
> > > -@@ -2534,7 +2532,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> > > - struct rpc_pipe_client **cli)
> > > - {
> > > - struct winbindd_cm_conn *conn;
> > > -- struct netlogon_creds_CredentialState *creds;
> > > -+ struct netlogon_creds_cli_context *creds;
> > > - NTSTATUS status;
> > > -
> > > - DEBUG(10,("cm_connect_lsa_tcp\n"));
> > > -@@ -2565,7 +2563,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> > > - NCACN_IP_TCP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY,
> > > - domain->name,
> > > -- &creds,
> > > -+ creds,
> > > - &conn->lsa_pipe_tcp);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
> > > -@@ -2589,7 +2587,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - {
> > > - struct winbindd_cm_conn *conn;
> > > - NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > > -- struct netlogon_creds_CredentialState *p_creds;
> > > -+ struct netlogon_creds_cli_context *p_creds;
> > > -
> > > - result = init_dc_connection_rpc(domain);
> > > - if (!NT_STATUS_IS_OK(result))
> > > -@@ -2662,7 +2660,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - result = cli_rpc_pipe_open_schannel_with_key
> > > - (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY,
> > > -- domain->name, &p_creds, &conn->lsa_pipe);
> > > -+ domain->name, p_creds, &conn->lsa_pipe);
> > > -
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > - DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
> > > -@@ -2826,10 +2824,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > > - no_schannel:
> > > - if ((lp_client_schannel() == False) ||
> > > - ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
> > > -- /*
> > > -- * NetSamLogonEx only works for schannel
> > > -- */
> > > -- domain->can_do_samlogon_ex = False;
> > > -
> > > - /* We're done - just keep the existing connection to NETLOGON
> > > - * open */
> > > -@@ -2845,7 +2839,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > > -
> > > - result = cli_rpc_pipe_open_schannel_with_key(
> > > - conn->cli, &ndr_table_netlogon, NCACN_NP,
> > > -- DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
> > > -+ DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
> > > -+ netlogon_pipe->netlogon_creds,
> > > - &conn->netlogon_pipe);
> > > -
> > > - /* We can now close the initial netlogon pipe. */
> > > -@@ -2859,15 +2854,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > > - return result;
> > > - }
> > > -
> > > -- /*
> > > -- * Always try netr_LogonSamLogonEx. We will fall back for NT4
> > > -- * which gives DCERPC_FAULT_OP_RNG_ERROR (function not
> > > -- * supported). We used to only try SamLogonEx for AD, but
> > > -- * Samba DCs can also do it. And because we don't distinguish
> > > -- * between Samba and NT4, always try it once.
> > > -- */
> > > -- domain->can_do_samlogon_ex = true;
> > > --
> > > - *cli = conn->netlogon_pipe;
> > > - return NT_STATUS_OK;
> > > - }
> > > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > > -index c356686..39483a5 100644
> > > ---- a/source3/winbindd/winbindd_pam.c
> > > -+++ b/source3/winbindd/winbindd_pam.c
> > > -@@ -1228,8 +1228,6 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > > -
> > > - do {
> > > - struct rpc_pipe_client *netlogon_pipe;
> > > -- const struct pipe_auth_data *auth;
> > > -- uint32_t neg_flags = 0;
> > > -
> > > - ZERO_STRUCTP(info3);
> > > - retry = false;
> > > -@@ -1278,75 +1276,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > > - }
> > > - netr_attempts = 0;
> > > -
> > > -- auth = netlogon_pipe->auth;
> > > -- if (netlogon_pipe->dc) {
> > > -- neg_flags = netlogon_pipe->dc->negotiate_flags;
> > > -- }
> > > --
> > > -- /* It is really important to try SamLogonEx here,
> > > -- * because in a clustered environment, we want to use
> > > -- * one machine account from multiple physical
> > > -- * computers.
> > > -- *
> > > -- * With a normal SamLogon call, we must keep the
> > > -- * credentials chain updated and intact between all
> > > -- * users of the machine account (which would imply
> > > -- * cross-node communication for every NTLM logon).
> > > -- *
> > > -- * (The credentials chain is not per NETLOGON pipe
> > > -- * connection, but globally on the server/client pair
> > > -- * by machine name).
> > > -- *
> > > -- * When using SamLogonEx, the credentials are not
> > > -- * supplied, but the session key is implied by the
> > > -- * wrapping SamLogon context.
> > > -- *
> > > -- * -- abartlet 21 April 2008
> > > -- *
> > > -- * It's also important to use NetlogonValidationSamInfo4 (6),
> > > -- * because it relies on the rpc transport encryption
> > > -- * and avoids using the global netlogon schannel
> > > -- * session key to en/decrypt secret information
> > > -- * like the user_session_key for network logons.
> > > -- *
> > > -- * [MS-APDS] 3.1.5.2 NTLM Network Logon
> > > -- * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
> > > -- * NETLOGON_NEG_AUTHENTICATED_RPC set together
> > > -- * are the indication that the server supports
> > > -- * NetlogonValidationSamInfo4 (6). And it must only
> > > -- * be used if "SealSecureChannel" is used.
> > > -- *
> > > -- * -- metze 4 February 2011
> > > -- */
> > > --
> > > -- if (auth == NULL) {
> > > -- domain->can_do_validation6 = false;
> > > -- } else if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
> > > -- domain->can_do_validation6 = false;
> > > -- } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
> > > -- domain->can_do_validation6 = false;
> > > -- } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
> > > -- domain->can_do_validation6 = false;
> > > -- } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > > -- domain->can_do_validation6 = false;
> > > -- }
> > > --
> > > -- if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
> > > -- result = rpccli_netlogon_sam_network_logon_ex(
> > > -- netlogon_pipe,
> > > -- mem_ctx,
> > > -- logon_parameters,
> > > -- server, /* server name */
> > > -- username, /* user name */
> > > -- domainname, /* target domain */
> > > -- workstation, /* workstation */
> > > -- chal,
> > > -- 6,
> > > -- lm_response,
> > > -- nt_response,
> > > -- info3);
> > > -- } else {
> > > -- result = rpccli_netlogon_sam_network_logon(
> > > -+ result = rpccli_netlogon_sam_network_logon(
> > > - netlogon_pipe,
> > > - mem_ctx,
> > > - logon_parameters,
> > > -@@ -1355,48 +1285,10 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > > - domainname, /* target domain */
> > > - workstation, /* workstation */
> > > - chal,
> > > -- domain->can_do_validation6 ? 6 : 3,
> > > -+ -1, /* ignored */
> > > - lm_response,
> > > - nt_response,
> > > - info3);
> > > -- }
> > > --
> > > -- if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > > --
> > > -- /*
> > > -- * It's likely that the server also does not support
> > > -- * validation level 6
> > > -- */
> > > -- domain->can_do_validation6 = false;
> > > --
> > > -- if (domain->can_do_samlogon_ex) {
> > > -- DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
> > > -- "retrying with NetSamLogon\n"));
> > > -- domain->can_do_samlogon_ex = false;
> > > -- retry = true;
> > > -- continue;
> > > -- }
> > > --
> > > --
> > > -- /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
> > > -- * (no Ex). This happens against old Samba
> > > -- * DCs. Drop the connection.
> > > -- */
> > > -- invalidate_cm_connection(&domain->conn);
> > > -- result = NT_STATUS_LOGON_FAILURE;
> > > -- break;
> > > -- }
> > > --
> > > -- if (domain->can_do_validation6 &&
> > > -- (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
> > > -- NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
> > > -- NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
> > > -- DEBUG(3,("Got a DC that can not do validation level 6, "
> > > -- "retrying with level 3\n"));
> > > -- domain->can_do_validation6 = false;
> > > -- retry = true;
> > > -- continue;
> > > -- }
> > > -
> > > - /*
> > > - * we increment this after the "feature negotiation"
> > > -@@ -1428,6 +1320,30 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > > - retry = true;
> > > - }
> > > -
> > > -+ if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
> > > -+ /*
> > > -+ * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
> > > -+ * (no Ex). This happens against old Samba
> > > -+ * DCs, if LogonSamLogonEx() fails with an error
> > > -+ * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
> > > -+ *
> > > -+ * The server will log something like this:
> > > -+ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
> > > -+ *
> > > -+ * This sets the whole connection into a fault_state mode
> > > -+ * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
> > > -+ *
> > > -+ * This also happens to our retry with LogonSamLogonWithFlags()
> > > -+ * and LogonSamLogon().
> > > -+ *
> > > -+ * In order to recover from this situation, we need to
> > > -+ * drop the connection.
> > > -+ */
> > > -+ invalidate_cm_connection(&domain->conn);
> > > -+ result = NT_STATUS_LOGON_FAILURE;
> > > -+ break;
> > > -+ }
> > > -+
> > > - } while ( (attempts < 2) && retry );
> > > -
> > > - if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
> > > -diff --git a/source3/wscript_build b/source3/wscript_build
> > > -index 13d15c3..0d3ba8e 100755
> > > ---- a/source3/wscript_build
> > > -+++ b/source3/wscript_build
> > > -@@ -671,8 +671,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
> > > - deps='''ndr ndr-standard
> > > - RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
> > > - LIBTSOCKET gse dcerpc-binding
> > > -- libsmb
> > > -- ndr-table''',
> > > -+ libsmb ndr-table NETLOGON_CREDS_CLI
> > > -+ ''',
> > > - vars=locals(),
> > > - private_library=True)
> > > -
> > > -@@ -1114,7 +1114,7 @@ bld.SAMBA3_LIBRARY('libcli_lsa3',
> > > -
> > > - bld.SAMBA3_LIBRARY('libcli_netlogon3',
> > > - source=LIBCLI_NETLOGON_SRC,
> > > -- deps='RPC_NDR_NETLOGON INIT_NETLOGON cliauth param',
> > > -+ deps='msrpc3 RPC_NDR_NETLOGON INIT_NETLOGON cliauth param NETLOGON_CREDS_CLI',
> > > - private_library=True)
> > > -
> > > - bld.SAMBA3_LIBRARY('cli_spoolss',
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 0b489bffb452e05d595abc2894532100162a4e8c Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 17 Oct 2013 17:03:00 +0200
> > > -Subject: [PATCH 175/249] s3:rpc_client: use netlogon_creds_cli_auth_level() in
> > > - cli_rpc_pipe_open_schannel_with_key()
> > > -
> > > -This means the auth level is now based on the "winbindd sealed pipes" option,
> > > -defaulting to "yes" and DCERPC_AUTH_LEVEL_PRIVACY.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 5adfc5f9f737c003b84b0187fa17b9fc3784442e)
> > > ----
> > > - source3/libnet/libnet_join.c | 1 -
> > > - source3/rpc_client/cli_pipe.c | 4 +++-
> > > - source3/rpc_client/cli_pipe.h | 1 -
> > > - source3/rpc_client/cli_pipe_schannel.c | 2 +-
> > > - source3/winbindd/winbindd_cm.c | 5 +----
> > > - 5 files changed, 5 insertions(+), 8 deletions(-)
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index 5dc620f..b2805ee 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -1278,7 +1278,6 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > > -
> > > - status = cli_rpc_pipe_open_schannel_with_key(
> > > - cli, &ndr_table_netlogon, NCACN_NP,
> > > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > > - netbios_domain_name,
> > > - netlogon_pipe->netlogon_creds, &pipe_hnd);
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index fe1613d..31cd7f5 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -3023,7 +3023,6 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
> > > - NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - const struct ndr_interface_table *table,
> > > - enum dcerpc_transport_t transport,
> > > -- enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > - struct netlogon_creds_cli_context *netlogon_creds,
> > > - struct rpc_pipe_client **_rpccli)
> > > -@@ -3031,6 +3030,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - struct rpc_pipe_client *rpccli;
> > > - struct pipe_auth_data *rpcauth;
> > > - struct netlogon_creds_CredentialState *creds = NULL;
> > > -+ enum dcerpc_AuthLevel auth_level;
> > > - NTSTATUS status;
> > > - const char *target_service = table->authservices->names[0];
> > > - int rpc_pipe_bind_dbglvl = 0;
> > > -@@ -3048,6 +3048,8 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - return status;
> > > - }
> > > -
> > > -+ auth_level = netlogon_creds_cli_auth_level(netlogon_creds);
> > > -+
> > > - status = rpccli_generic_bind_data(rpccli,
> > > - DCERPC_AUTH_TYPE_SCHANNEL,
> > > - auth_level,
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index cf0c5c6..c21c55d 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -94,7 +94,6 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
> > > - NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - const struct ndr_interface_table *table,
> > > - enum dcerpc_transport_t transport,
> > > -- enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > - struct netlogon_creds_cli_context *netlogon_creds,
> > > - struct rpc_pipe_client **presult);
> > > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > > -index e3d65c8..8f9161f 100644
> > > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > > -@@ -112,7 +112,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > - }
> > > -
> > > - status = cli_rpc_pipe_open_schannel_with_key(
> > > -- cli, table, transport, auth_level, domain,
> > > -+ cli, table, transport, domain,
> > > - netlogon_pipe->netlogon_creds,
> > > - &result);
> > > -
> > > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > > -index e0d1d0c..1546002 100644
> > > ---- a/source3/winbindd/winbindd_cm.c
> > > -+++ b/source3/winbindd/winbindd_cm.c
> > > -@@ -2428,7 +2428,6 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - }
> > > - status = cli_rpc_pipe_open_schannel_with_key
> > > - (conn->cli, &ndr_table_samr, NCACN_NP,
> > > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > > - domain->name, p_creds, &conn->samr_pipe);
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -@@ -2561,7 +2560,6 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> > > - status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
> > > - &ndr_table_lsarpc,
> > > - NCACN_IP_TCP,
> > > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > > - domain->name,
> > > - creds,
> > > - &conn->lsa_pipe_tcp);
> > > -@@ -2659,7 +2657,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> > > - }
> > > - result = cli_rpc_pipe_open_schannel_with_key
> > > - (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> > > -- DCERPC_AUTH_LEVEL_PRIVACY,
> > > - domain->name, p_creds, &conn->lsa_pipe);
> > > -
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > -@@ -2839,7 +2836,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > > -
> > > - result = cli_rpc_pipe_open_schannel_with_key(
> > > - conn->cli, &ndr_table_netlogon, NCACN_NP,
> > > -- DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
> > > -+ domain->name,
> > > - netlogon_pipe->netlogon_creds,
> > > - &conn->netlogon_pipe);
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 0f19f3b64e4f0b969eec4f2048df7c40be661e82 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 7 Aug 2013 11:27:25 +0200
> > > -Subject: [PATCH 176/249] s3:rpc_client: add
> > > - rpccli_{create,setup}_netlogon_creds()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 14ceb7b501fce6623be284cbcceb573fd2e10d3a)
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 105 ++++++++++++++++++++++++++++++++++++++
> > > - source3/rpc_client/cli_netlogon.h | 16 ++++++
> > > - 2 files changed, 121 insertions(+)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index fcd24d6..89aec37 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -21,15 +21,19 @@
> > > - */
> > > -
> > > - #include "includes.h"
> > > -+#include "libsmb/libsmb.h"
> > > - #include "rpc_client/rpc_client.h"
> > > -+#include "rpc_client/cli_pipe.h"
> > > - #include "../libcli/auth/libcli_auth.h"
> > > - #include "../libcli/auth/netlogon_creds_cli.h"
> > > - #include "../librpc/gen_ndr/ndr_netlogon_c.h"
> > > -+#include "../librpc/gen_ndr/schannel.h"
> > > - #include "rpc_client/cli_netlogon.h"
> > > - #include "rpc_client/init_netlogon.h"
> > > - #include "rpc_client/util_netlogon.h"
> > > - #include "../libcli/security/security.h"
> > > - #include "lib/param/param.h"
> > > -+#include "libcli/smb/smbXcli_base.h"
> > > -
> > > - /****************************************************************************
> > > - Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
> > > -@@ -124,6 +128,107 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -+NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> > > -+ const char *server_netbios_domain,
> > > -+ const char *client_account,
> > > -+ enum netr_SchannelType sec_chan_type,
> > > -+ struct messaging_context *msg_ctx,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_cli_context **netlogon_creds)
> > > -+{
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct loadparm_context *lp_ctx;
> > > -+ NTSTATUS status;
> > > -+
> > > -+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> > > -+ if (lp_ctx == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ status = netlogon_creds_cli_context_global(lp_ctx,
> > > -+ msg_ctx,
> > > -+ client_account,
> > > -+ sec_chan_type,
> > > -+ server_computer,
> > > -+ server_netbios_domain,
> > > -+ mem_ctx, netlogon_creds);
> > > -+ TALLOC_FREE(frame);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> > > -+ struct netlogon_creds_cli_context *netlogon_creds,
> > > -+ bool force_reauth,
> > > -+ struct samr_Password current_nt_hash,
> > > -+ const struct samr_Password *previous_nt_hash)
> > > -+{
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct rpc_pipe_client *netlogon_pipe = NULL;
> > > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > > -+ NTSTATUS status;
> > > -+
> > > -+ status = netlogon_creds_cli_get(netlogon_creds,
> > > -+ frame, &creds);
> > > -+ if (NT_STATUS_IS_OK(status)) {
> > > -+ const char *action = "using";
> > > -+
> > > -+ if (force_reauth) {
> > > -+ action = "overwrite";
> > > -+ }
> > > -+
> > > -+ DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
> > > -+ __FUNCTION__, action,
> > > -+ creds->account_name, creds->computer_name,
> > > -+ smbXcli_conn_remote_name(cli->conn)));
> > > -+ if (!force_reauth) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+ TALLOC_FREE(creds);
> > > -+ }
> > > -+
> > > -+ status = cli_rpc_pipe_open_noauth(cli,
> > > -+ &ndr_table_netlogon,
> > > -+ &netlogon_pipe);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
> > > -+ __FUNCTION__,
> > > -+ smbXcli_conn_remote_name(cli->conn),
> > > -+ nt_errstr(status)));
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+ talloc_steal(frame, netlogon_pipe);
> > > -+
> > > -+ status = netlogon_creds_cli_auth(netlogon_creds,
> > > -+ netlogon_pipe->binding_handle,
> > > -+ current_nt_hash,
> > > -+ previous_nt_hash);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_get(netlogon_creds,
> > > -+ frame, &creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_INTERNAL_ERROR;
> > > -+ }
> > > -+
> > > -+ DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
> > > -+ __FUNCTION__,
> > > -+ creds->account_name, creds->computer_name,
> > > -+ smbXcli_conn_remote_name(cli->conn)));
> > > -+
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > - /* Logon domain user */
> > > -
> > > - NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > > -index ad59d5b..82e0923 100644
> > > ---- a/source3/rpc_client/cli_netlogon.h
> > > -+++ b/source3/rpc_client/cli_netlogon.h
> > > -@@ -23,6 +23,10 @@
> > > - #ifndef _RPC_CLIENT_CLI_NETLOGON_H_
> > > - #define _RPC_CLIENT_CLI_NETLOGON_H_
> > > -
> > > -+struct cli_state;
> > > -+struct messaging_context;
> > > -+struct netlogon_creds_cli_context;
> > > -+
> > > - /* The following definitions come from rpc_client/cli_netlogon.c */
> > > -
> > > - NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > > -@@ -33,6 +37,18 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > > - const unsigned char machine_pwd[16],
> > > - enum netr_SchannelType sec_chan_type,
> > > - uint32_t *neg_flags_inout);
> > > -+NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> > > -+ const char *server_netbios_domain,
> > > -+ const char *client_account,
> > > -+ enum netr_SchannelType sec_chan_type,
> > > -+ struct messaging_context *msg_ctx,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_cli_context **netlogon_creds);
> > > -+NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> > > -+ struct netlogon_creds_cli_context *netlogon_creds,
> > > -+ bool force_reauth,
> > > -+ struct samr_Password current_nt_hash,
> > > -+ const struct samr_Password *previous_nt_hash);
> > > - NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > - TALLOC_CTX *mem_ctx,
> > > - uint32 logon_parameters,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From de0ed0882a458e52ef232e7d44234bf393311fc0 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 17 Dec 2013 20:05:56 +0100
> > > -Subject: [PATCH 177/249] s3:rpc_client: add rpccli_pre_open_netlogon_creds()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 3c025af657899c9a2ff14f868c03ff72ab74cf8e)
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 21 +++++++++++++++++++++
> > > - source3/rpc_client/cli_netlogon.h | 1 +
> > > - 2 files changed, 22 insertions(+)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index 89aec37..9342fc3 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -128,6 +128,27 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -+NTSTATUS rpccli_pre_open_netlogon_creds(void)
> > > -+{
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct loadparm_context *lp_ctx;
> > > -+ NTSTATUS status;
> > > -+
> > > -+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> > > -+ if (lp_ctx == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_open_global_db(lp_ctx);
> > > -+ TALLOC_FREE(frame);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > - NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> > > - const char *server_netbios_domain,
> > > - const char *client_account,
> > > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > > -index 82e0923..3096c48 100644
> > > ---- a/source3/rpc_client/cli_netlogon.h
> > > -+++ b/source3/rpc_client/cli_netlogon.h
> > > -@@ -37,6 +37,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > > - const unsigned char machine_pwd[16],
> > > - enum netr_SchannelType sec_chan_type,
> > > - uint32_t *neg_flags_inout);
> > > -+NTSTATUS rpccli_pre_open_netlogon_creds(void);
> > > - NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> > > - const char *server_netbios_domain,
> > > - const char *client_account,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From f4f7df785d1641f1e21ad8374140715fd41be07a Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 27 Aug 2013 14:07:43 +0200
> > > -Subject: [PATCH 178/249] s3:rpc_client: remove unused
> > > - rpccli_netlogon_sam_network_logon_ex()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit a07cc9a1c6ab8fee516e069a6f90bb48a7abf875)
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 27 ---------------------------
> > > - source3/rpc_client/cli_netlogon.h | 12 ------------
> > > - 2 files changed, 39 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index 9342fc3..253d060 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -524,33 +524,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > --NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- uint32 logon_parameters,
> > > -- const char *server,
> > > -- const char *username,
> > > -- const char *domain,
> > > -- const char *workstation,
> > > -- const uint8 chal[8],
> > > -- uint16_t validation_level,
> > > -- DATA_BLOB lm_response,
> > > -- DATA_BLOB nt_response,
> > > -- struct netr_SamInfo3 **info3)
> > > --{
> > > -- return rpccli_netlogon_sam_network_logon(cli,
> > > -- mem_ctx,
> > > -- logon_parameters,
> > > -- server,
> > > -- username,
> > > -- domain,
> > > -- workstation,
> > > -- chal,
> > > -- validation_level,
> > > -- lm_response,
> > > -- nt_response,
> > > -- info3);
> > > --}
> > > --
> > > - /*********************************************************
> > > - Change the domain password on the PDC.
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > > -index 3096c48..f10e5c7 100644
> > > ---- a/source3/rpc_client/cli_netlogon.h
> > > -+++ b/source3/rpc_client/cli_netlogon.h
> > > -@@ -71,18 +71,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > > - DATA_BLOB lm_response,
> > > - DATA_BLOB nt_response,
> > > - struct netr_SamInfo3 **info3);
> > > --NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- uint32 logon_parameters,
> > > -- const char *server,
> > > -- const char *username,
> > > -- const char *domain,
> > > -- const char *workstation,
> > > -- const uint8 chal[8],
> > > -- uint16_t validation_level,
> > > -- DATA_BLOB lm_response,
> > > -- DATA_BLOB nt_response,
> > > -- struct netr_SamInfo3 **info3);
> > > - NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > > - TALLOC_CTX *mem_ctx,
> > > - const char *account_name,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From b250859baf6c720e636c2435b0593af83acf6acc Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 27 Aug 2013 14:36:24 +0200
> > > -Subject: [PATCH 179/249] s3:rpc_client: add rpccli_netlogon_network_logon()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 5196493c9e599b741417b119b48188ba0d646a37)
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 103 ++++++++++++++++++++++++++++++++++++++
> > > - source3/rpc_client/cli_netlogon.h | 14 ++++++
> > > - 2 files changed, 117 insertions(+)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index 253d060..e335423 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -524,6 +524,109 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -+NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > > -+ struct dcerpc_binding_handle *binding_handle,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ uint32_t logon_parameters,
> > > -+ const char *username,
> > > -+ const char *domain,
> > > -+ const char *workstation,
> > > -+ const uint8 chal[8],
> > > -+ DATA_BLOB lm_response,
> > > -+ DATA_BLOB nt_response,
> > > -+ uint8_t *authoritative,
> > > -+ uint32_t *flags,
> > > -+ struct netr_SamInfo3 **info3)
> > > -+{
> > > -+ NTSTATUS status;
> > > -+ const char *workstation_name_slash;
> > > -+ union netr_LogonLevel *logon = NULL;
> > > -+ struct netr_NetworkInfo *network_info;
> > > -+ uint16_t validation_level = 0;
> > > -+ union netr_Validation *validation = NULL;
> > > -+ uint8_t _authoritative = 0;
> > > -+ uint32_t _flags = 0;
> > > -+ struct netr_ChallengeResponse lm;
> > > -+ struct netr_ChallengeResponse nt;
> > > -+
> > > -+ *info3 = NULL;
> > > -+
> > > -+ if (authoritative == NULL) {
> > > -+ authoritative = &_authoritative;
> > > -+ }
> > > -+ if (flags == NULL) {
> > > -+ flags = &_flags;
> > > -+ }
> > > -+
> > > -+ ZERO_STRUCT(lm);
> > > -+ ZERO_STRUCT(nt);
> > > -+
> > > -+ logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> > > -+ if (!logon) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
> > > -+ if (!network_info) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ if (workstation[0] != '\\' && workstation[1] != '\\') {
> > > -+ workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
> > > -+ } else {
> > > -+ workstation_name_slash = workstation;
> > > -+ }
> > > -+
> > > -+ if (!workstation_name_slash) {
> > > -+ DEBUG(0, ("talloc_asprintf failed!\n"));
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ /* Initialise input parameters */
> > > -+
> > > -+ lm.data = lm_response.data;
> > > -+ lm.length = lm_response.length;
> > > -+ nt.data = nt_response.data;
> > > -+ nt.length = nt_response.length;
> > > -+
> > > -+ network_info->identity_info.domain_name.string = domain;
> > > -+ network_info->identity_info.parameter_control = logon_parameters;
> > > -+ network_info->identity_info.logon_id_low = 0xdead;
> > > -+ network_info->identity_info.logon_id_high = 0xbeef;
> > > -+ network_info->identity_info.account_name.string = username;
> > > -+ network_info->identity_info.workstation.string = workstation_name_slash;
> > > -+
> > > -+ memcpy(network_info->challenge, chal, 8);
> > > -+ network_info->nt = nt;
> > > -+ network_info->lm = lm;
> > > -+
> > > -+ logon->network = network_info;
> > > -+
> > > -+ /* Marshall data and send request */
> > > -+
> > > -+ status = netlogon_creds_cli_LogonSamLogon(creds,
> > > -+ binding_handle,
> > > -+ NetlogonNetworkInformation,
> > > -+ logon,
> > > -+ mem_ctx,
> > > -+ &validation_level,
> > > -+ &validation,
> > > -+ authoritative,
> > > -+ flags);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ status = map_validation_to_info3(mem_ctx,
> > > -+ validation_level, validation,
> > > -+ info3);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > - /*********************************************************
> > > - Change the domain password on the PDC.
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > > -index f10e5c7..54ed7ae 100644
> > > ---- a/source3/rpc_client/cli_netlogon.h
> > > -+++ b/source3/rpc_client/cli_netlogon.h
> > > -@@ -26,6 +26,7 @@
> > > - struct cli_state;
> > > - struct messaging_context;
> > > - struct netlogon_creds_cli_context;
> > > -+struct dcerpc_binding_handle;
> > > -
> > > - /* The following definitions come from rpc_client/cli_netlogon.c */
> > > -
> > > -@@ -71,6 +72,19 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > > - DATA_BLOB lm_response,
> > > - DATA_BLOB nt_response,
> > > - struct netr_SamInfo3 **info3);
> > > -+NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > > -+ struct dcerpc_binding_handle *binding_handle,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ uint32_t logon_parameters,
> > > -+ const char *username,
> > > -+ const char *domain,
> > > -+ const char *workstation,
> > > -+ const uint8 chal[8],
> > > -+ DATA_BLOB lm_response,
> > > -+ DATA_BLOB nt_response,
> > > -+ uint8_t *authoritative,
> > > -+ uint32_t *flags,
> > > -+ struct netr_SamInfo3 **info3);
> > > - NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > > - TALLOC_CTX *mem_ctx,
> > > - const char *account_name,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 2488e78fdf3058bf3a48c2086afd0f3248a43417 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 27 Aug 2013 14:56:06 +0200
> > > -Subject: [PATCH 180/249] s3:rpc_client: add rpccli_netlogon_password_logon()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit b7dc3fb20468aa67ea7ddc1cea21fbe458e74565)
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 133 ++++++++++++++++++++++++++++++++++++++
> > > - source3/rpc_client/cli_netlogon.h | 8 +++
> > > - 2 files changed, 141 insertions(+)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index e335423..a9f8604 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -376,6 +376,139 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -+NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> > > -+ struct dcerpc_binding_handle *binding_handle,
> > > -+ uint32_t logon_parameters,
> > > -+ const char *domain,
> > > -+ const char *username,
> > > -+ const char *password,
> > > -+ const char *workstation,
> > > -+ enum netr_LogonInfoClass logon_type)
> > > -+{
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ NTSTATUS status;
> > > -+ union netr_LogonLevel *logon;
> > > -+ uint16_t validation_level = 0;
> > > -+ union netr_Validation *validation = NULL;
> > > -+ uint8_t authoritative = 0;
> > > -+ uint32_t flags = 0;
> > > -+ char *workstation_slash = NULL;
> > > -+
> > > -+ logon = talloc_zero(frame, union netr_LogonLevel);
> > > -+ if (logon == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ if (workstation == NULL) {
> > > -+ workstation = lp_netbios_name();
> > > -+ }
> > > -+
> > > -+ workstation_slash = talloc_asprintf(frame, "\\\\%s", workstation);
> > > -+ if (workstation_slash == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ /* Initialise input parameters */
> > > -+
> > > -+ switch (logon_type) {
> > > -+ case NetlogonInteractiveInformation: {
> > > -+
> > > -+ struct netr_PasswordInfo *password_info;
> > > -+
> > > -+ struct samr_Password lmpassword;
> > > -+ struct samr_Password ntpassword;
> > > -+
> > > -+ password_info = talloc_zero(frame, struct netr_PasswordInfo);
> > > -+ if (password_info == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
> > > -+
> > > -+ password_info->identity_info.domain_name.string = domain;
> > > -+ password_info->identity_info.parameter_control = logon_parameters;
> > > -+ password_info->identity_info.logon_id_low = 0xdead;
> > > -+ password_info->identity_info.logon_id_high = 0xbeef;
> > > -+ password_info->identity_info.account_name.string = username;
> > > -+ password_info->identity_info.workstation.string = workstation_slash;
> > > -+
> > > -+ password_info->lmpassword = lmpassword;
> > > -+ password_info->ntpassword = ntpassword;
> > > -+
> > > -+ logon->password = password_info;
> > > -+
> > > -+ break;
> > > -+ }
> > > -+ case NetlogonNetworkInformation: {
> > > -+ struct netr_NetworkInfo *network_info;
> > > -+ uint8 chal[8];
> > > -+ unsigned char local_lm_response[24];
> > > -+ unsigned char local_nt_response[24];
> > > -+ struct netr_ChallengeResponse lm;
> > > -+ struct netr_ChallengeResponse nt;
> > > -+
> > > -+ ZERO_STRUCT(lm);
> > > -+ ZERO_STRUCT(nt);
> > > -+
> > > -+ network_info = talloc_zero(frame, struct netr_NetworkInfo);
> > > -+ if (network_info == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ generate_random_buffer(chal, 8);
> > > -+
> > > -+ SMBencrypt(password, chal, local_lm_response);
> > > -+ SMBNTencrypt(password, chal, local_nt_response);
> > > -+
> > > -+ lm.length = 24;
> > > -+ lm.data = local_lm_response;
> > > -+
> > > -+ nt.length = 24;
> > > -+ nt.data = local_nt_response;
> > > -+
> > > -+ network_info->identity_info.domain_name.string = domain;
> > > -+ network_info->identity_info.parameter_control = logon_parameters;
> > > -+ network_info->identity_info.logon_id_low = 0xdead;
> > > -+ network_info->identity_info.logon_id_high = 0xbeef;
> > > -+ network_info->identity_info.account_name.string = username;
> > > -+ network_info->identity_info.workstation.string = workstation_slash;
> > > -+
> > > -+ memcpy(network_info->challenge, chal, 8);
> > > -+ network_info->nt = nt;
> > > -+ network_info->lm = lm;
> > > -+
> > > -+ logon->network = network_info;
> > > -+
> > > -+ break;
> > > -+ }
> > > -+ default:
> > > -+ DEBUG(0, ("switch value %d not supported\n",
> > > -+ logon_type));
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_INVALID_INFO_CLASS;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_LogonSamLogon(creds,
> > > -+ binding_handle,
> > > -+ logon_type,
> > > -+ logon,
> > > -+ frame,
> > > -+ &validation_level,
> > > -+ &validation,
> > > -+ &authoritative,
> > > -+ &flags);
> > > -+ TALLOC_FREE(frame);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > - static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> > > - uint16_t validation_level,
> > > - union netr_Validation *validation,
> > > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > > -index 54ed7ae..d4c6670 100644
> > > ---- a/source3/rpc_client/cli_netlogon.h
> > > -+++ b/source3/rpc_client/cli_netlogon.h
> > > -@@ -60,6 +60,14 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > - const char *workstation,
> > > - uint16_t validation_level,
> > > - int logon_type);
> > > -+NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> > > -+ struct dcerpc_binding_handle *binding_handle,
> > > -+ uint32_t logon_parameters,
> > > -+ const char *domain,
> > > -+ const char *username,
> > > -+ const char *password,
> > > -+ const char *workstation,
> > > -+ enum netr_LogonInfoClass logon_type);
> > > - NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > > - TALLOC_CTX *mem_ctx,
> > > - uint32 logon_parameters,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 10c272f991643913358efd5fefb28fc1ce307c70 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 17 Dec 2013 20:06:14 +0100
> > > -Subject: [PATCH 181/249] s3:winbindd: call rpccli_pre_open_netlogon_creds() in
> > > - the parent
> > > -
> > > -This opens the CLEAR_IF_FIRST tdb in the long living parent.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 07126b6fb22cebce660d1d1a4f0f9fb905064aa0)
> > > ----
> > > - source3/winbindd/winbindd.c | 8 ++++++++
> > > - 1 file changed, 8 insertions(+)
> > > -
> > > -diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
> > > -index 69a17bf..a90c8fe 100644
> > > ---- a/source3/winbindd/winbindd.c
> > > -+++ b/source3/winbindd/winbindd.c
> > > -@@ -31,6 +31,7 @@
> > > - #include "../librpc/gen_ndr/srv_lsa.h"
> > > - #include "../librpc/gen_ndr/srv_samr.h"
> > > - #include "secrets.h"
> > > -+#include "rpc_client/cli_netlogon.h"
> > > - #include "idmap.h"
> > > - #include "lib/addrchange.h"
> > > - #include "serverid.h"
> > > -@@ -1538,6 +1539,13 @@ int main(int argc, char **argv, char **envp)
> > > - return False;
> > > - }
> > > -
> > > -+ status = rpccli_pre_open_netlogon_creds();
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ DEBUG(0, ("rpccli_pre_open_netlogon_creds() - %s\n",
> > > -+ nt_errstr(status)));
> > > -+ exit(1);
> > > -+ }
> > > -+
> > > - /* Unblock all signals we are interested in as they may have been
> > > - blocked by the parent process. */
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4cb4ec2065f1f8b3598eb37ca24ce0f8fdf567aa Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 7 Aug 2013 11:32:44 +0200
> > > -Subject: [PATCH 182/249] s3:winbindd: make use of
> > > - rpccli_{create,setup}_netlogon_creds()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 22e4e2c1d1252e434cb928d4530c378a62a64138)
> > > ----
> > > - source3/winbindd/winbindd.h | 3 +
> > > - source3/winbindd/winbindd_cm.c | 125 ++++++++++++++++++++---------------
> > > - source3/winbindd/winbindd_dual_srv.c | 1 +
> > > - 3 files changed, 77 insertions(+), 52 deletions(-)
> > > -
> > > -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
> > > -index b5fc010..8f89e27 100644
> > > ---- a/source3/winbindd/winbindd.h
> > > -+++ b/source3/winbindd/winbindd.h
> > > -@@ -116,6 +116,9 @@ struct winbindd_cm_conn {
> > > - struct policy_handle lsa_policy;
> > > -
> > > - struct rpc_pipe_client *netlogon_pipe;
> > > -+ struct netlogon_creds_cli_context *netlogon_creds;
> > > -+ uint32_t netlogon_flags;
> > > -+ bool netlogon_force_reauth;
> > > - };
> > > -
> > > - /* Async child */
> > > -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
> > > -index 1546002..7b6cc96 100644
> > > ---- a/source3/winbindd/winbindd_cm.c
> > > -+++ b/source3/winbindd/winbindd_cm.c
> > > -@@ -79,6 +79,7 @@
> > > - #include "auth/gensec/gensec.h"
> > > - #include "../libcli/smb/smbXcli_base.h"
> > > - #include "lib/param/loadparm.h"
> > > -+#include "libcli/auth/netlogon_creds_cli.h"
> > > -
> > > - #undef DBGC_CLASS
> > > - #define DBGC_CLASS DBGC_WINBIND
> > > -@@ -1826,6 +1827,9 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
> > > - }
> > > -
> > > - conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
> > > -+ conn->netlogon_force_reauth = false;
> > > -+ conn->netlogon_flags = 0;
> > > -+ TALLOC_FREE(conn->netlogon_creds);
> > > -
> > > - if (conn->cli) {
> > > - cli_shutdown(conn->cli);
> > > -@@ -2292,8 +2296,18 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
> > > - NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > > - struct rpc_pipe_client *netlogon_pipe;
> > > -
> > > -- if (lp_client_schannel() == False) {
> > > -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > -+ *ppdc = NULL;
> > > -+
> > > -+ if ((!IS_DC) && (!domain->primary)) {
> > > -+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
> > > -+ }
> > > -+
> > > -+ if (domain->conn.netlogon_creds != NULL) {
> > > -+ if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > > -+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
> > > -+ }
> > > -+ *ppdc = domain->conn.netlogon_creds;
> > > -+ return NT_STATUS_OK;
> > > - }
> > > -
> > > - result = cm_connect_netlogon(domain, &netlogon_pipe);
> > > -@@ -2301,14 +2315,15 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
> > > - return result;
> > > - }
> > > -
> > > -- /* Return a pointer to the struct netlogon_creds_CredentialState from the
> > > -- netlogon pipe. */
> > > -+ if (domain->conn.netlogon_creds == NULL) {
> > > -+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
> > > -+ }
> > > -
> > > -- if (!domain->conn.netlogon_pipe->netlogon_creds) {
> > > -- return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
> > > -+ if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > > -+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
> > > - }
> > > -
> > > -- *ppdc = domain->conn.netlogon_pipe->netlogon_creds;
> > > -+ *ppdc = domain->conn.netlogon_creds;
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -@@ -2747,14 +2762,16 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
> > > - NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > > - struct rpc_pipe_client **cli)
> > > - {
> > > -+ struct messaging_context *msg_ctx = winbind_messaging_context();
> > > - struct winbindd_cm_conn *conn;
> > > - NTSTATUS result;
> > > --
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
> > > -- uint8_t mach_pwd[16];
> > > - enum netr_SchannelType sec_chan_type;
> > > -+ const char *_account_name;
> > > - const char *account_name;
> > > -- struct rpc_pipe_client *netlogon_pipe = NULL;
> > > -+ struct samr_Password current_nt_hash;
> > > -+ struct samr_Password *previous_nt_hash = NULL;
> > > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > > -+ bool ok;
> > > -
> > > - *cli = NULL;
> > > -
> > > -@@ -2771,60 +2788,68 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > > - }
> > > -
> > > - TALLOC_FREE(conn->netlogon_pipe);
> > > --
> > > -- result = cli_rpc_pipe_open_noauth(conn->cli,
> > > -- &ndr_table_netlogon,
> > > -- &netlogon_pipe);
> > > -- if (!NT_STATUS_IS_OK(result)) {
> > > -- return result;
> > > -- }
> > > -+ conn->netlogon_flags = 0;
> > > -+ TALLOC_FREE(conn->netlogon_creds);
> > > -
> > > - if ((!IS_DC) && (!domain->primary)) {
> > > -- /* Clear the schannel request bit and drop down */
> > > -- neg_flags &= ~NETLOGON_NEG_SCHANNEL;
> > > - goto no_schannel;
> > > - }
> > > -
> > > -- if (lp_client_schannel() != False) {
> > > -- neg_flags |= NETLOGON_NEG_SCHANNEL;
> > > -+ ok = get_trust_pw_hash(domain->name,
> > > -+ current_nt_hash.hash,
> > > -+ &_account_name,
> > > -+ &sec_chan_type);
> > > -+ if (!ok) {
> > > -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > - }
> > > -
> > > -- if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
> > > -- &sec_chan_type))
> > > -- {
> > > -- TALLOC_FREE(netlogon_pipe);
> > > -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > -+ account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
> > > -+ if (account_name == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- result = rpccli_netlogon_setup_creds(
> > > -- netlogon_pipe,
> > > -- domain->dcname, /* server name. */
> > > -- domain->name, /* domain name */
> > > -- lp_netbios_name(), /* client name */
> > > -- account_name, /* machine account */
> > > -- mach_pwd, /* machine password */
> > > -- sec_chan_type, /* from get_trust_pw */
> > > -- &neg_flags);
> > > -+ result = rpccli_create_netlogon_creds(domain->dcname,
> > > -+ domain->name,
> > > -+ account_name,
> > > -+ sec_chan_type,
> > > -+ msg_ctx,
> > > -+ domain,
> > > -+ &conn->netlogon_creds);
> > > -+ if (!NT_STATUS_IS_OK(result)) {
> > > -+ SAFE_FREE(previous_nt_hash);
> > > -+ return result;
> > > -+ }
> > > -
> > > -+ result = rpccli_setup_netlogon_creds(conn->cli,
> > > -+ conn->netlogon_creds,
> > > -+ conn->netlogon_force_reauth,
> > > -+ current_nt_hash,
> > > -+ previous_nt_hash);
> > > -+ conn->netlogon_force_reauth = false;
> > > -+ SAFE_FREE(previous_nt_hash);
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > -- TALLOC_FREE(netlogon_pipe);
> > > - return result;
> > > - }
> > > -
> > > -- if ((lp_client_schannel() == True) &&
> > > -- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
> > > -- DEBUG(3, ("Server did not offer schannel\n"));
> > > -- TALLOC_FREE(netlogon_pipe);
> > > -- return NT_STATUS_ACCESS_DENIED;
> > > -+ result = netlogon_creds_cli_get(conn->netlogon_creds,
> > > -+ talloc_tos(),
> > > -+ &creds);
> > > -+ if (!NT_STATUS_IS_OK(result)) {
> > > -+ return result;
> > > - }
> > > -+ conn->netlogon_flags = creds->negotiate_flags;
> > > -+ TALLOC_FREE(creds);
> > > -
> > > - no_schannel:
> > > -- if ((lp_client_schannel() == False) ||
> > > -- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
> > > -+ if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > > -+ result = cli_rpc_pipe_open_noauth(conn->cli,
> > > -+ &ndr_table_netlogon,
> > > -+ &conn->netlogon_pipe);
> > > -+ if (!NT_STATUS_IS_OK(result)) {
> > > -+ invalidate_cm_connection(conn);
> > > -+ return result;
> > > -+ }
> > > -
> > > -- /* We're done - just keep the existing connection to NETLOGON
> > > -- * open */
> > > -- conn->netlogon_pipe = netlogon_pipe;
> > > - *cli = conn->netlogon_pipe;
> > > - return NT_STATUS_OK;
> > > - }
> > > -@@ -2837,12 +2862,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> > > - result = cli_rpc_pipe_open_schannel_with_key(
> > > - conn->cli, &ndr_table_netlogon, NCACN_NP,
> > > - domain->name,
> > > -- netlogon_pipe->netlogon_creds,
> > > -+ conn->netlogon_creds,
> > > - &conn->netlogon_pipe);
> > > --
> > > -- /* We can now close the initial netlogon pipe. */
> > > -- TALLOC_FREE(netlogon_pipe);
> > > --
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > - DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
> > > - "was %s\n", nt_errstr(result)));
> > > -diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
> > > -index b873655..001591a 100644
> > > ---- a/source3/winbindd/winbindd_dual_srv.c
> > > -+++ b/source3/winbindd/winbindd_dual_srv.c
> > > -@@ -580,6 +580,7 @@ NTSTATUS _wbint_CheckMachineAccount(struct pipes_struct *p,
> > > -
> > > - again:
> > > - invalidate_cm_connection(&domain->conn);
> > > -+ domain->conn.netlogon_force_reauth = true;
> > > -
> > > - {
> > > - struct rpc_pipe_client *netlogon_pipe;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From dc77edf0b74a88950f4de2472c05a73fcc629dc1 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 27 Aug 2013 13:07:45 +0200
> > > -Subject: [PATCH 183/249] s3:auth_domain: simplify
> > > - connect_to_domain_password_server()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit d9d55f5406949187901476d673c7d6ff0fc165c2)
> > > ----
> > > - source3/auth/auth_domain.c | 31 ++++++++++++-------------------
> > > - 1 file changed, 12 insertions(+), 19 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > > -index 9f88c4a..ae27bf0 100644
> > > ---- a/source3/auth/auth_domain.c
> > > -+++ b/source3/auth/auth_domain.c
> > > -@@ -47,16 +47,17 @@ static struct named_mutex *mutex;
> > > - *
> > > - **/
> > > -
> > > --static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> > > -+static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > > - const char *domain,
> > > - const char *dc_name,
> > > - const struct sockaddr_storage *dc_ss,
> > > - struct rpc_pipe_client **pipe_ret)
> > > - {
> > > -- NTSTATUS result;
> > > -+ NTSTATUS result;
> > > -+ struct cli_state *cli = NULL;
> > > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > > -
> > > -- *cli = NULL;
> > > -+ *cli_ret = NULL;
> > > -
> > > - *pipe_ret = NULL;
> > > -
> > > -@@ -80,7 +81,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> > > - }
> > > -
> > > - /* Attempt connection */
> > > -- result = cli_full_connection(cli, lp_netbios_name(), dc_name, dc_ss, 0,
> > > -+ result = cli_full_connection(&cli, lp_netbios_name(), dc_name, dc_ss, 0,
> > > - "IPC$", "IPC", "", "", "", 0, SMB_SIGNING_DEFAULT);
> > > -
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > -@@ -89,11 +90,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> > > - result = NT_STATUS_NO_LOGON_SERVERS;
> > > - }
> > > -
> > > -- if (*cli) {
> > > -- cli_shutdown(*cli);
> > > -- *cli = NULL;
> > > -- }
> > > --
> > > - TALLOC_FREE(mutex);
> > > - return result;
> > > - }
> > > -@@ -115,18 +111,17 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> > > - if (lp_client_schannel()) {
> > > - /* We also setup the creds chain in the open_schannel call. */
> > > - result = cli_rpc_pipe_open_schannel(
> > > -- *cli, &ndr_table_netlogon, NCACN_NP,
> > > -+ cli, &ndr_table_netlogon, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> > > - } else {
> > > - result = cli_rpc_pipe_open_noauth(
> > > -- *cli, &ndr_table_netlogon, &netlogon_pipe);
> > > -+ cli, &ndr_table_netlogon, &netlogon_pipe);
> > > - }
> > > -
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > - DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
> > > - machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > > -- cli_shutdown(*cli);
> > > -- *cli = NULL;
> > > -+ cli_shutdown(cli);
> > > - TALLOC_FREE(mutex);
> > > - return result;
> > > - }
> > > -@@ -145,8 +140,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > > - DEBUG(0, ("connect_to_domain_password_server: could not fetch "
> > > - "trust account password for domain '%s'\n",
> > > - domain));
> > > -- cli_shutdown(*cli);
> > > -- *cli = NULL;
> > > -+ cli_shutdown(cli);
> > > - TALLOC_FREE(mutex);
> > > - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > - }
> > > -@@ -161,8 +155,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > > - &neg_flags);
> > > -
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > -- cli_shutdown(*cli);
> > > -- *cli = NULL;
> > > -+ cli_shutdown(cli);
> > > - TALLOC_FREE(mutex);
> > > - return result;
> > > - }
> > > -@@ -172,14 +165,14 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > > - DEBUG(0, ("connect_to_domain_password_server: unable to open "
> > > - "the domain client session to machine %s. Error "
> > > - "was : %s.\n", dc_name, nt_errstr(result)));
> > > -- cli_shutdown(*cli);
> > > -- *cli = NULL;
> > > -+ cli_shutdown(cli);
> > > - TALLOC_FREE(mutex);
> > > - return NT_STATUS_NO_LOGON_SERVERS;
> > > - }
> > > -
> > > - /* We exit here with the mutex *locked*. JRA */
> > > -
> > > -+ *cli_ret = cli;
> > > - *pipe_ret = netlogon_pipe;
> > > -
> > > - return NT_STATUS_OK;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 8fc2ffafd545dbc4af4c1ebab5fb631da18cade4 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 27 Aug 2013 15:01:10 +0200
> > > -Subject: [PATCH 184/249] s3:auth_domain: make use of
> > > - rpccli_{create,setup}_netlogon_creds()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 34e66780e573bebf4b971fb96e1ed8680c1488a9)
> > > ----
> > > - source3/auth/auth_domain.c | 136 ++++++++++++++++++++++++++++-----------------
> > > - 1 file changed, 85 insertions(+), 51 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > > -index ae27bf0..bf2671c 100644
> > > ---- a/source3/auth/auth_domain.c
> > > -+++ b/source3/auth/auth_domain.c
> > > -@@ -27,6 +27,7 @@
> > > - #include "secrets.h"
> > > - #include "passdb.h"
> > > - #include "libsmb/libsmb.h"
> > > -+#include "libcli/auth/netlogon_creds_cli.h"
> > > -
> > > - #undef DBGC_CLASS
> > > - #define DBGC_CLASS DBGC_AUTH
> > > -@@ -53,9 +54,20 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > > - const struct sockaddr_storage *dc_ss,
> > > - struct rpc_pipe_client **pipe_ret)
> > > - {
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct messaging_context *msg_ctx = server_messaging_context();
> > > - NTSTATUS result;
> > > - struct cli_state *cli = NULL;
> > > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > > -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> > > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > > -+ uint32_t netlogon_flags = 0;
> > > -+ enum netr_SchannelType sec_chan_type = 0;
> > > -+ const char *_account_name = NULL;
> > > -+ const char *account_name = NULL;
> > > -+ struct samr_Password current_nt_hash;
> > > -+ struct samr_Password *previous_nt_hash = NULL;
> > > -+ bool ok;
> > > -
> > > - *cli_ret = NULL;
> > > -
> > > -@@ -77,6 +89,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > > -
> > > - mutex = grab_named_mutex(NULL, dc_name, 10);
> > > - if (mutex == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_NO_LOGON_SERVERS;
> > > - }
> > > -
> > > -@@ -91,6 +104,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > > - }
> > > -
> > > - TALLOC_FREE(mutex);
> > > -+ TALLOC_FREE(frame);
> > > - return result;
> > > - }
> > > -
> > > -@@ -98,67 +112,85 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > > - * We now have an anonymous connection to IPC$ on the domain password server.
> > > - */
> > > -
> > > -- /*
> > > -- * Even if the connect succeeds we need to setup the netlogon
> > > -- * pipe here. We do this as we may just have changed the domain
> > > -- * account password on the PDC and yet we may be talking to
> > > -- * a BDC that doesn't have this replicated yet. In this case
> > > -- * a successful connect to a DC needs to take the netlogon connect
> > > -- * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
> > > -- */
> > > -+ ok = get_trust_pw_hash(domain,
> > > -+ current_nt_hash.hash,
> > > -+ &_account_name,
> > > -+ &sec_chan_type);
> > > -+ if (!ok) {
> > > -+ cli_shutdown(cli);
> > > -+ TALLOC_FREE(mutex);
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > -+ }
> > > -
> > > -- /* open the netlogon pipe. */
> > > -- if (lp_client_schannel()) {
> > > -- /* We also setup the creds chain in the open_schannel call. */
> > > -- result = cli_rpc_pipe_open_schannel(
> > > -- cli, &ndr_table_netlogon, NCACN_NP,
> > > -- DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> > > -- } else {
> > > -- result = cli_rpc_pipe_open_noauth(
> > > -- cli, &ndr_table_netlogon, &netlogon_pipe);
> > > -+ account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
> > > -+ if (account_name == NULL) {
> > > -+ cli_shutdown(cli);
> > > -+ TALLOC_FREE(mutex);
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -+ result = rpccli_create_netlogon_creds(dc_name,
> > > -+ domain,
> > > -+ account_name,
> > > -+ sec_chan_type,
> > > -+ msg_ctx,
> > > -+ talloc_tos(),
> > > -+ &netlogon_creds);
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > -- DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
> > > --machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > > - cli_shutdown(cli);
> > > - TALLOC_FREE(mutex);
> > > -+ TALLOC_FREE(frame);
> > > -+ SAFE_FREE(previous_nt_hash);
> > > - return result;
> > > - }
> > > -
> > > -- if (!lp_client_schannel()) {
> > > -- /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -- NETLOGON_NEG_SUPPORTS_AES;
> > > -- enum netr_SchannelType sec_chan_type = 0;
> > > -- unsigned char machine_pwd[16];
> > > -- const char *account_name;
> > > --
> > > -- if (!get_trust_pw_hash(domain, machine_pwd, &account_name,
> > > -- &sec_chan_type))
> > > -- {
> > > -- DEBUG(0, ("connect_to_domain_password_server: could not fetch "
> > > -- "trust account password for domain '%s'\n",
> > > -- domain));
> > > -- cli_shutdown(cli);
> > > -- TALLOC_FREE(mutex);
> > > -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > -- }
> > > -+ result = rpccli_setup_netlogon_creds(cli,
> > > -+ netlogon_creds,
> > > -+ false, /* force_reauth */
> > > -+ current_nt_hash,
> > > -+ previous_nt_hash);
> > > -+ SAFE_FREE(previous_nt_hash);
> > > -+ if (!NT_STATUS_IS_OK(result)) {
> > > -+ cli_shutdown(cli);
> > > -+ TALLOC_FREE(mutex);
> > > -+ TALLOC_FREE(frame);
> > > -+ return result;
> > > -+ }
> > > -
> > > -- result = rpccli_netlogon_setup_creds(netlogon_pipe,
> > > -- dc_name, /* server name */
> > > -- domain, /* domain */
> > > -- lp_netbios_name(), /* client name */
> > > -- account_name, /* machine account name */
> > > -- machine_pwd,
> > > -- sec_chan_type,
> > > -- &neg_flags);
> > > --
> > > -- if (!NT_STATUS_IS_OK(result)) {
> > > -- cli_shutdown(cli);
> > > -- TALLOC_FREE(mutex);
> > > -- return result;
> > > -- }
> > > -+ result = netlogon_creds_cli_get(netlogon_creds,
> > > -+ talloc_tos(),
> > > -+ &creds);
> > > -+ if (!NT_STATUS_IS_OK(result)) {
> > > -+ cli_shutdown(cli);
> > > -+ TALLOC_FREE(mutex);
> > > -+ TALLOC_FREE(frame);
> > > -+ return result;
> > > -+ }
> > > -+ netlogon_flags = creds->negotiate_flags;
> > > -+ TALLOC_FREE(creds);
> > > -+
> > > -+ if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
> > > -+ result = cli_rpc_pipe_open_schannel_with_key(
> > > -+ cli, &ndr_table_netlogon, NCACN_NP,
> > > -+ domain, netlogon_creds, &netlogon_pipe);
> > > -+ } else {
> > > -+ result = cli_rpc_pipe_open_noauth(cli,
> > > -+ &ndr_table_netlogon,
> > > -+ &netlogon_pipe);
> > > -+ }
> > > -+
> > > -+ if (!NT_STATUS_IS_OK(result)) {
> > > -+ DEBUG(0,("connect_to_domain_password_server: "
> > > -+ "unable to open the domain client session to "
> > > -+ "machine %s. Flags[0x%08X] Error was : %s.\n",
> > > -+ dc_name, (unsigned)netlogon_flags,
> > > -+ nt_errstr(result)));
> > > -+ cli_shutdown(cli);
> > > -+ TALLOC_FREE(mutex);
> > > -+ TALLOC_FREE(frame);
> > > -+ return result;
> > > - }
> > > -
> > > - if(!netlogon_pipe) {
> > > -@@ -167,6 +199,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > > - "was : %s.\n", dc_name, nt_errstr(result)));
> > > - cli_shutdown(cli);
> > > - TALLOC_FREE(mutex);
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_NO_LOGON_SERVERS;
> > > - }
> > > -
> > > -@@ -175,6 +208,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
> > > - *cli_ret = cli;
> > > - *pipe_ret = netlogon_pipe;
> > > -
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 5cc57e577bc7d144176ffe6f21ed24a95661a861 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 27 Aug 2013 15:02:26 +0200
> > > -Subject: [PATCH 185/249] s3:auth_domain: make use of
> > > - rpccli_netlogon_network_logon()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 531bbf3aff3fb08aaf112b21038f20544db60b69)
> > > ----
> > > - source3/auth/auth_domain.c | 36 ++++++++++++++++++++++--------------
> > > - 1 file changed, 22 insertions(+), 14 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
> > > -index bf2671c..937841c 100644
> > > ---- a/source3/auth/auth_domain.c
> > > -+++ b/source3/auth/auth_domain.c
> > > -@@ -52,7 +52,8 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > > - const char *domain,
> > > - const char *dc_name,
> > > - const struct sockaddr_storage *dc_ss,
> > > -- struct rpc_pipe_client **pipe_ret)
> > > -+ struct rpc_pipe_client **pipe_ret,
> > > -+ struct netlogon_creds_cli_context **creds_ret)
> > > - {
> > > - TALLOC_CTX *frame = talloc_stackframe();
> > > - struct messaging_context *msg_ctx = server_messaging_context();
> > > -@@ -72,6 +73,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > > - *cli_ret = NULL;
> > > -
> > > - *pipe_ret = NULL;
> > > -+ *creds_ret = NULL;
> > > -
> > > - /* TODO: Send a SAMLOGON request to determine whether this is a valid
> > > - logonserver. We can avoid a 30-second timeout if the DC is down
> > > -@@ -207,6 +209,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
> > > -
> > > - *cli_ret = cli;
> > > - *pipe_ret = netlogon_pipe;
> > > -+ *creds_ret = netlogon_creds;
> > > -
> > > - TALLOC_FREE(frame);
> > > - return NT_STATUS_OK;
> > > -@@ -230,8 +233,11 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
> > > - struct netr_SamInfo3 *info3 = NULL;
> > > - struct cli_state *cli = NULL;
> > > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > > -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> > > - NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS;
> > > - int i;
> > > -+ uint8_t authoritative = 0;
> > > -+ uint32_t flags = 0;
> > > -
> > > - /*
> > > - * At this point, smb_apasswd points to the lanman response to
> > > -@@ -248,7 +254,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
> > > - domain,
> > > - dc_name,
> > > - dc_ss,
> > > -- &netlogon_pipe);
> > > -+ &netlogon_pipe,
> > > -+ &netlogon_creds);
> > > - }
> > > -
> > > - if ( !NT_STATUS_IS_OK(nt_status) ) {
> > > -@@ -268,18 +275,19 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
> > > - * in the info3 structure.
> > > - */
> > > -
> > > -- nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
> > > -- mem_ctx,
> > > -- user_info->logon_parameters, /* flags such as 'allow workstation logon' */
> > > -- dc_name, /* server name */
> > > -- user_info->client.account_name, /* user name logging on. */
> > > -- user_info->client.domain_name, /* domain name */
> > > -- user_info->workstation_name, /* workstation name */
> > > -- chal, /* 8 byte challenge. */
> > > -- 3, /* validation level */
> > > -- user_info->password.response.lanman, /* lanman 24 byte response */
> > > -- user_info->password.response.nt, /* nt 24 byte response */
> > > -- &info3); /* info3 out */
> > > -+ nt_status = rpccli_netlogon_network_logon(netlogon_creds,
> > > -+ netlogon_pipe->binding_handle,
> > > -+ mem_ctx,
> > > -+ user_info->logon_parameters, /* flags such as 'allow workstation logon' */
> > > -+ user_info->client.account_name, /* user name logging on. */
> > > -+ user_info->client.domain_name, /* domain name */
> > > -+ user_info->workstation_name, /* workstation name */
> > > -+ chal, /* 8 byte challenge. */
> > > -+ user_info->password.response.lanman, /* lanman 24 byte response */
> > > -+ user_info->password.response.nt, /* nt 24 byte response */
> > > -+ &authoritative,
> > > -+ &flags,
> > > -+ &info3); /* info3 out */
> > > -
> > > - /* Let go as soon as possible so we avoid any potential deadlocks
> > > - with winbind lookup up users or groups. */
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 5da4eca4d30b3894426a4f7cb0512ae61c097cbc Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 2 Sep 2013 19:32:23 +0200
> > > -Subject: [PATCH 186/249] s3:libnet_join: make use of
> > > - rpccli_{create,setup}_netlogon_creds()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 963800539cea7487fc6258f8ac8f7cacc3426b83)
> > > ----
> > > - source3/libnet/libnet_join.c | 110 +++++++++++++++++++++++++++++++------------
> > > - source3/libnet/libnet_join.h | 5 +-
> > > - source3/utils/net_rpc.c | 4 +-
> > > - 3 files changed, 86 insertions(+), 33 deletions(-)
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index b2805ee..6e653c3 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -40,6 +40,8 @@
> > > - #include "libsmb/libsmb.h"
> > > - #include "../libcli/smb/smbXcli_base.h"
> > > - #include "lib/param/loadparm.h"
> > > -+#include "libcli/auth/netlogon_creds_cli.h"
> > > -+#include "auth/credentials/credentials.h"
> > > -
> > > - /****************************************************************
> > > - ****************************************************************/
> > > -@@ -1189,38 +1191,52 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
> > > - /****************************************************************
> > > - ****************************************************************/
> > > -
> > > --NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > > -- const char *machine_name,
> > > -+NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
> > > -+ const char *netbios_domain_name,
> > > - const char *dc_name,
> > > - const bool use_kerberos)
> > > - {
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -- NETLOGON_NEG_SUPPORTS_AES;
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > - struct cli_state *cli = NULL;
> > > -- struct rpc_pipe_client *pipe_hnd = NULL;
> > > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > > -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> > > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > > -+ uint32_t netlogon_flags = 0;
> > > -+ enum netr_SchannelType sec_chan_type = 0;
> > > - NTSTATUS status;
> > > - char *machine_password = NULL;
> > > -- char *machine_account = NULL;
> > > -+ const char *machine_name = NULL;
> > > -+ const char *machine_account = NULL;
> > > - int flags = 0;
> > > -+ struct samr_Password current_nt_hash;
> > > -+ struct samr_Password *previous_nt_hash = NULL;
> > > -+ bool ok;
> > > -
> > > - if (!dc_name) {
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_INVALID_PARAMETER;
> > > - }
> > > -
> > > - if (!secrets_init()) {
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > - }
> > > -
> > > -- machine_password = secrets_fetch_machine_password(netbios_domain_name,
> > > -- NULL, NULL);
> > > -- if (!machine_password) {
> > > -- return NT_STATUS_NO_TRUST_LSA_SECRET;
> > > -+ ok = get_trust_pw_clear(netbios_domain_name,
> > > -+ &machine_password,
> > > -+ &machine_name,
> > > -+ &sec_chan_type);
> > > -+ if (!ok) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > - }
> > > -
> > > -- if (asprintf(&machine_account, "%s$", machine_name) == -1) {
> > > -+ machine_account = talloc_asprintf(frame, "%s$", machine_name);
> > > -+ if (machine_account == NULL) {
> > > - SAFE_FREE(machine_password);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -+ SAFE_FREE(previous_nt_hash);
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > - }
> > > -
> > > - if (use_kerberos) {
> > > -@@ -1232,12 +1248,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > > - NULL, 0,
> > > - "IPC$", "IPC",
> > > - machine_account,
> > > -- NULL,
> > > -+ netbios_domain_name,
> > > - machine_password,
> > > - flags,
> > > - SMB_SIGNING_DEFAULT);
> > > -- free(machine_account);
> > > -- free(machine_password);
> > > -+
> > > -+ E_md4hash(machine_password, current_nt_hash.hash);
> > > -+ SAFE_FREE(machine_password);
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - status = cli_full_connection(&cli, NULL,
> > > -@@ -1252,36 +1269,65 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > > - }
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -+ SAFE_FREE(previous_nt_hash);
> > > -+ TALLOC_FREE(frame);
> > > - return status;
> > > - }
> > > -
> > > -- status = get_schannel_session_key(cli, netbios_domain_name,
> > > -- &neg_flags, &netlogon_pipe);
> > > -+ status = rpccli_create_netlogon_creds(dc_name,
> > > -+ netbios_domain_name,
> > > -+ machine_account,
> > > -+ sec_chan_type,
> > > -+ msg_ctx,
> > > -+ frame,
> > > -+ &netlogon_creds);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
> > > -- cli_shutdown(cli);
> > > -- return NT_STATUS_OK;
> > > -- }
> > > -+ SAFE_FREE(previous_nt_hash);
> > > -+ cli_shutdown(cli);
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -
> > > -- DEBUG(0,("libnet_join_ok: failed to get schannel session "
> > > -- "key from server %s for domain %s. Error was %s\n",
> > > -- smbXcli_conn_remote_name(cli->conn),
> > > -- netbios_domain_name, nt_errstr(status)));
> > > -+ status = rpccli_setup_netlogon_creds(cli,
> > > -+ netlogon_creds,
> > > -+ true, /* force_reauth */
> > > -+ current_nt_hash,
> > > -+ previous_nt_hash);
> > > -+ SAFE_FREE(previous_nt_hash);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ DEBUG(0,("connect_to_domain_password_server: "
> > > -+ "unable to open the domain client session to "
> > > -+ "machine %s. Flags[0x%08X] Error was : %s.\n",
> > > -+ dc_name, (unsigned)netlogon_flags,
> > > -+ nt_errstr(status)));
> > > -+ cli_shutdown(cli);
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_get(netlogon_creds,
> > > -+ talloc_tos(),
> > > -+ &creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > - cli_shutdown(cli);
> > > -+ TALLOC_FREE(frame);
> > > - return status;
> > > - }
> > > -+ netlogon_flags = creds->negotiate_flags;
> > > -+ TALLOC_FREE(creds);
> > > -
> > > -- if (!lp_client_schannel()) {
> > > -+ if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > > - cli_shutdown(cli);
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > - status = cli_rpc_pipe_open_schannel_with_key(
> > > - cli, &ndr_table_netlogon, NCACN_NP,
> > > - netbios_domain_name,
> > > -- netlogon_pipe->netlogon_creds, &pipe_hnd);
> > > -+ netlogon_creds, &netlogon_pipe);
> > > -
> > > -- cli_shutdown(cli);
> > > -+ TALLOC_FREE(netlogon_pipe);
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(0,("libnet_join_ok: failed to open schannel session "
> > > -@@ -1289,9 +1335,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > > - "Error was %s\n",
> > > - smbXcli_conn_remote_name(cli->conn),
> > > - netbios_domain_name, nt_errstr(status)));
> > > -+ cli_shutdown(cli);
> > > -+ TALLOC_FREE(frame);
> > > - return status;
> > > - }
> > > -
> > > -+ cli_shutdown(cli);
> > > -+ TALLOC_FREE(frame);
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -@@ -1303,8 +1353,8 @@ static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
> > > - {
> > > - NTSTATUS status;
> > > -
> > > -- status = libnet_join_ok(r->out.netbios_domain_name,
> > > -- r->in.machine_name,
> > > -+ status = libnet_join_ok(r->in.msg_ctx,
> > > -+ r->out.netbios_domain_name,
> > > - r->in.dc_name,
> > > - r->in.use_kerberos);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -diff --git a/source3/libnet/libnet_join.h b/source3/libnet/libnet_join.h
> > > -index 58c33b2..b7e2f0b 100644
> > > ---- a/source3/libnet/libnet_join.h
> > > -+++ b/source3/libnet/libnet_join.h
> > > -@@ -23,8 +23,9 @@
> > > -
> > > - /* The following definitions come from libnet/libnet_join.c */
> > > -
> > > --NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> > > -- const char *machine_name,
> > > -+struct messaging_context;
> > > -+NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
> > > -+ const char *netbios_domain_name,
> > > - const char *dc_name,
> > > - const bool use_kerberos);
> > > - WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
> > > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > > -index dff8801..9de74c0 100644
> > > ---- a/source3/utils/net_rpc.c
> > > -+++ b/source3/utils/net_rpc.c
> > > -@@ -493,7 +493,9 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
> > > - }
> > > -
> > > - /* Display success or failure */
> > > -- status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
> > > -+ status = libnet_join_ok(c->msg_ctx,
> > > -+ c->opt_workgroup,
> > > -+ dc,
> > > - c->opt_kerberos);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 0da8c0a71d08de50b614e5df69a61e00d0a9cd99 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 5 Sep 2013 20:57:02 +0200
> > > -Subject: [PATCH 187/249] s3:libnet: use rpccli_{create,setup}_netlogon_creds()
> > > - in libnet_join_joindomain_rpc_unsecure
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 3a89eee03a95d4b142bf0830f40debc75bfa2e26)
> > > ----
> > > - source3/libnet/libnet_join.c | 66 ++++++++++++++++++++++++++++++++++----------
> > > - 1 file changed, 51 insertions(+), 15 deletions(-)
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index 6e653c3..a87eb38 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -817,14 +817,17 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> > > - struct libnet_JoinCtx *r,
> > > - struct cli_state *cli)
> > > - {
> > > -- struct rpc_pipe_client *pipe_hnd = NULL;
> > > -- unsigned char orig_trust_passwd_hash[16];
> > > -- unsigned char new_trust_passwd_hash[16];
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct rpc_pipe_client *netlogon_pipe = NULL;
> > > -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> > > -+ struct samr_Password current_nt_hash;
> > > -+ const char *account_name = NULL;
> > > - NTSTATUS status;
> > > -
> > > - status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > > -- &pipe_hnd);
> > > -+ &netlogon_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > - return status;
> > > - }
> > > -
> > > -@@ -832,22 +835,55 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> > > - r->in.machine_password = generate_random_password(mem_ctx,
> > > - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
> > > - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
> > > -- NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
> > > -+ if (r->in.machine_password == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > - }
> > > -
> > > -- E_md4hash(r->in.machine_password, new_trust_passwd_hash);
> > > --
> > > - /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
> > > -- E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
> > > -+ E_md4hash(r->in.admin_password, current_nt_hash.hash);
> > > -
> > > -- status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
> > > -- r->in.machine_name,
> > > -- orig_trust_passwd_hash,
> > > -- r->in.machine_password,
> > > -- new_trust_passwd_hash,
> > > -- r->in.secure_channel_type);
> > > -+ account_name = talloc_asprintf(frame, "%s$",
> > > -+ r->in.machine_name);
> > > -+ if (account_name == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -
> > > -- return status;
> > > -+ status = rpccli_create_netlogon_creds(netlogon_pipe->desthost,
> > > -+ r->in.domain_name,
> > > -+ account_name,
> > > -+ r->in.secure_channel_type,
> > > -+ r->in.msg_ctx,
> > > -+ frame,
> > > -+ &netlogon_creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ status = rpccli_setup_netlogon_creds(cli,
> > > -+ netlogon_creds,
> > > -+ true, /* force_reauth */
> > > -+ current_nt_hash,
> > > -+ NULL); /* previous_nt_hash */
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_ServerPasswordSet(netlogon_creds,
> > > -+ netlogon_pipe->binding_handle,
> > > -+ r->in.machine_password,
> > > -+ NULL); /* new_version */
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_OK;
> > > - }
> > > -
> > > - /****************************************************************
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 9d192bc1d2dd06efada55792203aaed58b349ab9 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 11 Sep 2013 10:06:41 +0200
> > > -Subject: [PATCH 188/249] s3:rpc_client: use
> > > - rpccli_{create,setup}_netlogon_creds() in cli_rpc_pipe_open_schannel()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 94caf7e190563423914b653d0c2fc4a4abf1f899)
> > > ----
> > > - source3/rpc_client/cli_pipe.h | 7 --
> > > - source3/rpc_client/cli_pipe_schannel.c | 162 ++++++++++++++-------------------
> > > - 2 files changed, 66 insertions(+), 103 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index c21c55d..2a76130 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -109,13 +109,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> > > - struct rpc_pipe_client *cli,
> > > - DATA_BLOB *session_key);
> > > -
> > > --/* The following definitions come from rpc_client/cli_pipe_schannel.c */
> > > --
> > > --NTSTATUS get_schannel_session_key(struct cli_state *cli,
> > > -- const char *domain,
> > > -- uint32 *pneg_flags,
> > > -- struct rpc_pipe_client **presult);
> > > --
> > > - #endif /* _CLI_PIPE_H */
> > > -
> > > - /* vim: set ts=8 sw=8 noet cindent ft=c.doxygen: */
> > > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > > -index 8f9161f..1fcf62e 100644
> > > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > > -@@ -23,67 +23,15 @@
> > > - #include "../libcli/auth/schannel.h"
> > > - #include "rpc_client/cli_netlogon.h"
> > > - #include "rpc_client/cli_pipe.h"
> > > --#include "librpc/gen_ndr/ndr_dcerpc.h"
> > > - #include "librpc/rpc/dcerpc.h"
> > > - #include "passdb.h"
> > > - #include "libsmb/libsmb.h"
> > > --#include "auth/gensec/gensec.h"
> > > - #include "../libcli/smb/smbXcli_base.h"
> > > -+#include "libcli/auth/netlogon_creds_cli.h"
> > > -
> > > - #undef DBGC_CLASS
> > > - #define DBGC_CLASS DBGC_RPC_CLI
> > > -
> > > --
> > > --/****************************************************************************
> > > -- Get a the schannel session key out of an already opened netlogon pipe.
> > > -- ****************************************************************************/
> > > --static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
> > > -- struct cli_state *cli,
> > > -- const char *domain,
> > > -- uint32 *pneg_flags)
> > > --{
> > > -- enum netr_SchannelType sec_chan_type = 0;
> > > -- unsigned char machine_pwd[16];
> > > -- const char *machine_account;
> > > -- NTSTATUS status;
> > > --
> > > -- /* Get the machine account credentials from secrets.tdb. */
> > > -- if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
> > > -- &sec_chan_type))
> > > -- {
> > > -- DEBUG(0, ("get_schannel_session_key: could not fetch "
> > > -- "trust account password for domain '%s'\n",
> > > -- domain));
> > > -- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > -- }
> > > --
> > > -- status = rpccli_netlogon_setup_creds(netlogon_pipe,
> > > -- smbXcli_conn_remote_name(cli->conn), /* server name */
> > > -- domain, /* domain */
> > > -- lp_netbios_name(), /* client name */
> > > -- machine_account, /* machine account name */
> > > -- machine_pwd,
> > > -- sec_chan_type,
> > > -- pneg_flags);
> > > --
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(3, ("get_schannel_session_key_common: "
> > > -- "rpccli_netlogon_setup_creds failed with result %s "
> > > -- "to server %s, domain %s, machine account %s.\n",
> > > -- nt_errstr(status), smbXcli_conn_remote_name(cli->conn), domain,
> > > -- machine_account ));
> > > -- return status;
> > > -- }
> > > --
> > > -- if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
> > > -- DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
> > > -- smbXcli_conn_remote_name(cli->conn)));
> > > -- return NT_STATUS_INVALID_NETWORK_RESPONSE;
> > > -- }
> > > --
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > - /****************************************************************************
> > > - Open a named pipe to an SMB server and bind using schannel (bind type 68).
> > > - Fetch the session key ourselves using a temporary netlogon pipe.
> > > -@@ -96,63 +44,85 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > - const char *domain,
> > > - struct rpc_pipe_client **presult)
> > > - {
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -- NETLOGON_NEG_SUPPORTS_AES;
> > > -- struct rpc_pipe_client *netlogon_pipe = NULL;
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct messaging_context *msg_ctx = NULL;
> > > -+ const char *dc_name = smbXcli_conn_remote_name(cli->conn);
> > > - struct rpc_pipe_client *result = NULL;
> > > - NTSTATUS status;
> > > -+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
> > > -+ struct netlogon_creds_CredentialState *creds = NULL;
> > > -+ uint32_t netlogon_flags = 0;
> > > -+ enum netr_SchannelType sec_chan_type = 0;
> > > -+ const char *_account_name = NULL;
> > > -+ const char *account_name = NULL;
> > > -+ struct samr_Password current_nt_hash;
> > > -+ struct samr_Password *previous_nt_hash = NULL;
> > > -+ bool ok;
> > > -+
> > > -+ ok = get_trust_pw_hash(domain,
> > > -+ current_nt_hash.hash,
> > > -+ &_account_name,
> > > -+ &sec_chan_type);
> > > -+ if (!ok) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > -+ }
> > > -+
> > > -+ account_name = talloc_asprintf(frame, "%s$", _account_name);
> > > -+ if (account_name == NULL) {
> > > -+ SAFE_FREE(previous_nt_hash);
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ status = rpccli_create_netlogon_creds(dc_name,
> > > -+ domain,
> > > -+ account_name,
> > > -+ sec_chan_type,
> > > -+ msg_ctx,
> > > -+ frame,
> > > -+ &netlogon_creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ SAFE_FREE(previous_nt_hash);
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -
> > > -- status = get_schannel_session_key(cli, domain, &neg_flags,
> > > -- &netlogon_pipe);
> > > -+ status = rpccli_setup_netlogon_creds(cli,
> > > -+ netlogon_creds,
> > > -+ false, /* force_reauth */
> > > -+ current_nt_hash,
> > > -+ previous_nt_hash);
> > > -+ SAFE_FREE(previous_nt_hash);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
> > > -- "key from server %s for domain %s.\n",
> > > -- smbXcli_conn_remote_name(cli->conn), domain ));
> > > -+ TALLOC_FREE(frame);
> > > - return status;
> > > - }
> > > -
> > > -+ status = netlogon_creds_cli_get(netlogon_creds,
> > > -+ frame,
> > > -+ &creds);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+ netlogon_flags = creds->negotiate_flags;
> > > -+ TALLOC_FREE(creds);
> > > -+
> > > -+ if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_DOWNGRADE_DETECTED;
> > > -+ }
> > > -+
> > > - status = cli_rpc_pipe_open_schannel_with_key(
> > > - cli, table, transport, domain,
> > > -- netlogon_pipe->netlogon_creds,
> > > -+ netlogon_creds,
> > > - &result);
> > > -
> > > -- /* Now we've bound using the session key we can close the netlog pipe. */
> > > -- TALLOC_FREE(netlogon_pipe);
> > > --
> > > - if (NT_STATUS_IS_OK(status)) {
> > > - *presult = result;
> > > - }
> > > -
> > > -+ TALLOC_FREE(frame);
> > > - return status;
> > > - }
> > > --
> > > --/****************************************************************************
> > > -- Open a netlogon pipe and get the schannel session key.
> > > -- Now exposed to external callers.
> > > -- ****************************************************************************/
> > > --
> > > --
> > > --NTSTATUS get_schannel_session_key(struct cli_state *cli,
> > > -- const char *domain,
> > > -- uint32 *pneg_flags,
> > > -- struct rpc_pipe_client **presult)
> > > --{
> > > -- struct rpc_pipe_client *netlogon_pipe = NULL;
> > > -- NTSTATUS status;
> > > --
> > > -- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> > > -- &netlogon_pipe);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > --
> > > -- status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
> > > -- pneg_flags);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- TALLOC_FREE(netlogon_pipe);
> > > -- return status;
> > > -- }
> > > --
> > > -- *presult = netlogon_pipe;
> > > -- return NT_STATUS_OK;
> > > --}
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 5fba6641f79a14c208c5947886c005a87b9f3256 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 18:24:44 +0200
> > > -Subject: [PATCH 189/249] s3:rpcclient: add rpcclient_msg_ctx
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit a1c468e1d75d490f0e531feb08188ddc3f0d77b5)
> > > ----
> > > - source3/rpcclient/rpcclient.c | 5 +++++
> > > - source3/rpcclient/rpcclient.h | 2 ++
> > > - 2 files changed, 7 insertions(+)
> > > -
> > > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > > -index 0cbec20..39bf613 100644
> > > ---- a/source3/rpcclient/rpcclient.c
> > > -+++ b/source3/rpcclient/rpcclient.c
> > > -@@ -33,6 +33,7 @@
> > > - #include "libsmb/libsmb.h"
> > > - #include "auth/gensec/gensec.h"
> > > - #include "../libcli/smb/smbXcli_base.h"
> > > -+#include "messages.h"
> > > -
> > > - enum pipe_auth_type_spnego {
> > > - PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
> > > -@@ -48,6 +49,7 @@ static enum dcerpc_AuthLevel pipe_default_auth_level = DCERPC_AUTH_LEVEL_NONE;
> > > - static unsigned int timeout = 0;
> > > - static enum dcerpc_transport_t default_transport = NCACN_NP;
> > > -
> > > -+struct messaging_context *rpcclient_msg_ctx;
> > > - struct user_auth_info *rpcclient_auth_info;
> > > -
> > > - /* List to hold groups of commands.
> > > -@@ -985,6 +987,9 @@ out_free:
> > > - /* We must load interfaces after we load the smb.conf */
> > > - load_interfaces();
> > > -
> > > -+ rpcclient_msg_ctx = messaging_init(talloc_autofree_context(),
> > > -+ samba_tevent_context_init(talloc_autofree_context()));
> > > -+
> > > - /*
> > > - * Get password
> > > - * from stdin if necessary
> > > -diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
> > > -index 762c54a..219da2a 100644
> > > ---- a/source3/rpcclient/rpcclient.h
> > > -+++ b/source3/rpcclient/rpcclient.h
> > > -@@ -41,4 +41,6 @@ struct cmd_set {
> > > - const char *usage;
> > > - };
> > > -
> > > -+extern struct messaging_context *rpcclient_msg_ctx;
> > > -+
> > > - #endif /* RPCCLIENT_H */
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From c6e02d60ef12431cd1a5615fcf514548e86d6dc8 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 18:29:30 +0200
> > > -Subject: [PATCH 190/249] s3:rpcclient: add rpcclient_netlogon_creds
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 1696b127c61fea76fce3d992632a822ed78de07c)
> > > ----
> > > - source3/rpcclient/rpcclient.c | 3 +++
> > > - source3/rpcclient/rpcclient.h | 1 +
> > > - 2 files changed, 4 insertions(+)
> > > -
> > > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > > -index 39bf613..a875ff5 100644
> > > ---- a/source3/rpcclient/rpcclient.c
> > > -+++ b/source3/rpcclient/rpcclient.c
> > > -@@ -51,6 +51,7 @@ static enum dcerpc_transport_t default_transport = NCACN_NP;
> > > -
> > > - struct messaging_context *rpcclient_msg_ctx;
> > > - struct user_auth_info *rpcclient_auth_info;
> > > -+struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
> > > -
> > > - /* List to hold groups of commands.
> > > - *
> > > -@@ -797,6 +798,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - }
> > > - }
> > > -
> > > -+ rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
> > > -+
> > > - /* Run command */
> > > -
> > > - if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
> > > -diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
> > > -index 219da2a..9288249 100644
> > > ---- a/source3/rpcclient/rpcclient.h
> > > -+++ b/source3/rpcclient/rpcclient.h
> > > -@@ -42,5 +42,6 @@ struct cmd_set {
> > > - };
> > > -
> > > - extern struct messaging_context *rpcclient_msg_ctx;
> > > -+extern struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
> > > -
> > > - #endif /* RPCCLIENT_H */
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 849cb578d3aa38e7d6508353914d39501cd6b2c8 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 18:57:09 +0200
> > > -Subject: [PATCH 191/249] s3:rpcclient: remove unused
> > > - rpccli_netlogon_setup_creds() from cmd_netlogon_database_redo()
> > > -
> > > -rpccli_netlogon_setup_creds() is already called in the main do_cmd()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit fb13b002d599049f229d2014e1b94f82952b7150)
> > > ----
> > > - source3/rpcclient/cmd_netlogon.c | 21 +--------------------
> > > - 1 file changed, 1 insertion(+), 20 deletions(-)
> > > -
> > > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > > -index 2e0b5e5..8a865a9 100644
> > > ---- a/source3/rpcclient/cmd_netlogon.c
> > > -+++ b/source3/rpcclient/cmd_netlogon.c
> > > -@@ -1141,12 +1141,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > > - NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
> > > - NTSTATUS result;
> > > - const char *server_name = cli->desthost;
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -- NETLOGON_NEG_SUPPORTS_AES;
> > > - struct netr_Authenticator clnt_creds, srv_cred;
> > > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > > -- unsigned char trust_passwd_hash[16];
> > > -- enum netr_SchannelType sec_channel_type = 0;
> > > - struct netr_ChangeLogEntry e;
> > > - uint32_t rid = 500;
> > > - struct dcerpc_binding_handle *b = cli->binding_handle;
> > > -@@ -1161,25 +1157,10 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > > - sscanf(argv[1], "%d", &rid);
> > > - }
> > > -
> > > -- if (!secrets_fetch_trust_account_password(lp_workgroup(),
> > > -- trust_passwd_hash,
> > > -- NULL, &sec_channel_type)) {
> > > -+ if (cli->netlogon_creds == NULL) {
> > > - return NT_STATUS_UNSUCCESSFUL;
> > > - }
> > > -
> > > -- status = rpccli_netlogon_setup_creds(cli,
> > > -- server_name, /* server name */
> > > -- lp_workgroup(), /* domain */
> > > -- lp_netbios_name(), /* client name */
> > > -- lp_netbios_name(), /* machine account name */
> > > -- trust_passwd_hash,
> > > -- sec_channel_type,
> > > -- &neg_flags);
> > > --
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > --
> > > - status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > > - mem_ctx, &creds);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From df5ce2ceb4c41e2a952cd9f011626028f8d230ff Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 19:00:22 +0200
> > > -Subject: [PATCH 192/249] s3:rpcclient: make use of rpcclient_netlogon_creds
> > > - instead of cli->netlogon_creds
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 3bf77812e80b50f254af64e4935301719f78987e)
> > > ----
> > > - source3/rpcclient/cmd_netlogon.c | 22 +++++++++++++++++-----
> > > - 1 file changed, 17 insertions(+), 5 deletions(-)
> > > -
> > > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > > -index 8a865a9..59e1e4e 100644
> > > ---- a/source3/rpcclient/cmd_netlogon.c
> > > -+++ b/source3/rpcclient/cmd_netlogon.c
> > > -@@ -633,7 +633,11 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
> > > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > > - struct netlogon_creds_CredentialState *creds = NULL;
> > > -
> > > -- status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > > -+ if (rpcclient_netlogon_creds == NULL) {
> > > -+ return NT_STATUS_UNSUCCESSFUL;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
> > > - mem_ctx, &creds);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > -@@ -712,7 +716,11 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
> > > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > > - struct netlogon_creds_CredentialState *creds = NULL;
> > > -
> > > -- status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > > -+ if (rpcclient_netlogon_creds == NULL) {
> > > -+ return NT_STATUS_UNSUCCESSFUL;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
> > > - mem_ctx, &creds);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > -@@ -1157,11 +1165,11 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
> > > - sscanf(argv[1], "%d", &rid);
> > > - }
> > > -
> > > -- if (cli->netlogon_creds == NULL) {
> > > -+ if (rpcclient_netlogon_creds == NULL) {
> > > - return NT_STATUS_UNSUCCESSFUL;
> > > - }
> > > -
> > > -- status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > > -+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
> > > - mem_ctx, &creds);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > -@@ -1223,7 +1231,11 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
> > > -
> > > - ZERO_STRUCT(return_authenticator);
> > > -
> > > -- status = netlogon_creds_cli_lock(cli->netlogon_creds,
> > > -+ if (rpcclient_netlogon_creds == NULL) {
> > > -+ return NT_STATUS_UNSUCCESSFUL;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
> > > - mem_ctx, &creds);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4e9d9abc0bae5ca08c3a91cc5d1b2bacffc6cbfc Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 19:59:11 +0200
> > > -Subject: [PATCH 193/249] s3:net_rpc: add net_context->netlogon_creds
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit d1340c20b0900f54e2c73c4a363f45988b1ba097)
> > > ----
> > > - source3/utils/net.h | 1 +
> > > - source3/utils/net_rpc.c | 1 +
> > > - 2 files changed, 2 insertions(+)
> > > -
> > > -diff --git a/source3/utils/net.h b/source3/utils/net.h
> > > -index e97734a..ce19c57 100644
> > > ---- a/source3/utils/net.h
> > > -+++ b/source3/utils/net.h
> > > -@@ -90,6 +90,7 @@ struct net_context {
> > > - bool smb_encrypt;
> > > - struct libnetapi_ctx *netapi_ctx;
> > > - struct messaging_context *msg_ctx;
> > > -+ struct netlogon_creds_cli_context *netlogon_creds;
> > > -
> > > - bool display_usage;
> > > - void *private_data;
> > > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > > -index 9de74c0..3bf3f30 100644
> > > ---- a/source3/utils/net_rpc.c
> > > -+++ b/source3/utils/net_rpc.c
> > > -@@ -201,6 +201,7 @@ int run_rpc_command(struct net_context *c,
> > > - nt_errstr(nt_status) ));
> > > - goto fail;
> > > - }
> > > -+ c->netlogon_creds = pipe_hnd->netlogon_creds;
> > > - } else {
> > > - if (conn_flags & NET_FLAGS_SEAL) {
> > > - nt_status = cli_rpc_pipe_open_generic_auth(
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 7a4535c1e61de498230abd1f99bfe875ae59c2e0 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sun, 15 Sep 2013 13:19:52 +0200
> > > -Subject: [PATCH 194/249] s3:libsmb: add trust_pw_change()
> > > -
> > > -This protects the password change using a domain specific g_lock,
> > > -so multiple parts 'net rpc', 'rpcclient', 'winbindd', 'wbinfo --change-secret'
> > > -even on multiple cluster nodes doesn't race anymore.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 16c6e4992fa882207eeaff0a1c4d9fe217be48b7)
> > > ----
> > > - source3/include/proto.h | 8 ++
> > > - source3/libsmb/trusts_util.c | 179 +++++++++++++++++++++++++++++++++++++++++++
> > > - 2 files changed, 187 insertions(+)
> > > -
> > > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > > -index 216a377..edda119 100644
> > > ---- a/source3/include/proto.h
> > > -+++ b/source3/include/proto.h
> > > -@@ -984,6 +984,14 @@ void update_trustdom_cache( void );
> > > - NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > > - TALLOC_CTX *mem_ctx,
> > > - const char *domain) ;
> > > -+struct netlogon_creds_cli_context;
> > > -+struct messaging_context;
> > > -+struct dcerpc_binding_handle;
> > > -+NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
> > > -+ struct messaging_context *msg_ctx,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ const char *domain,
> > > -+ bool force);
> > > -
> > > - /* The following definitions come from param/loadparm.c */
> > > -
> > > -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> > > -index 52fb481..b1bc006 100644
> > > ---- a/source3/libsmb/trusts_util.c
> > > -+++ b/source3/libsmb/trusts_util.c
> > > -@@ -20,12 +20,15 @@
> > > -
> > > - #include "includes.h"
> > > - #include "../libcli/auth/libcli_auth.h"
> > > -+#include "../libcli/auth/netlogon_creds_cli.h"
> > > - #include "rpc_client/cli_netlogon.h"
> > > - #include "rpc_client/cli_pipe.h"
> > > - #include "../librpc/gen_ndr/ndr_netlogon.h"
> > > - #include "secrets.h"
> > > - #include "passdb.h"
> > > - #include "libsmb/libsmb.h"
> > > -+#include "source3/include/messages.h"
> > > -+#include "source3/include/g_lock.h"
> > > -
> > > - /*********************************************************
> > > - Change the domain password on the PDC.
> > > -@@ -113,3 +116,179 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > > -
> > > - return nt_status;
> > > - }
> > > -+
> > > -+struct trust_pw_change_state {
> > > -+ struct g_lock_ctx *g_ctx;
> > > -+ char *g_lock_key;
> > > -+};
> > > -+
> > > -+static int trust_pw_change_state_destructor(struct trust_pw_change_state *state)
> > > -+{
> > > -+ g_lock_unlock(state->g_ctx, state->g_lock_key);
> > > -+ return 0;
> > > -+}
> > > -+
> > > -+NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
> > > -+ struct messaging_context *msg_ctx,
> > > -+ struct dcerpc_binding_handle *b,
> > > -+ const char *domain,
> > > -+ bool force)
> > > -+{
> > > -+ TALLOC_CTX *frame = talloc_stackframe();
> > > -+ struct trust_pw_change_state *state;
> > > -+ struct samr_Password current_nt_hash;
> > > -+ const struct samr_Password *previous_nt_hash = NULL;
> > > -+ enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
> > > -+ const char *account_name;
> > > -+ char *new_trust_passwd;
> > > -+ char *pwd;
> > > -+ struct dom_sid sid;
> > > -+ time_t pass_last_set_time;
> > > -+ struct timeval g_timeout = { 0, };
> > > -+ int timeout = 0;
> > > -+ struct timeval tv = { 0, };
> > > -+ NTSTATUS status;
> > > -+
> > > -+ state = talloc_zero(frame, struct trust_pw_change_state);
> > > -+ if (state == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ state->g_ctx = g_lock_ctx_init(state, msg_ctx);
> > > -+ if (state->g_ctx == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ state->g_lock_key = talloc_asprintf(state,
> > > -+ "trust_password_change_%s",
> > > -+ domain);
> > > -+ if (state->g_lock_key == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ g_timeout = timeval_current_ofs(10, 0);
> > > -+ status = g_lock_lock(state->g_ctx,
> > > -+ state->g_lock_key,
> > > -+ G_LOCK_WRITE, g_timeout);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ DEBUG(1, ("could not get g_lock on [%s]!\n",
> > > -+ state->g_lock_key));
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ talloc_set_destructor(state, trust_pw_change_state_destructor);
> > > -+
> > > -+ if (!get_trust_pw_hash(domain, current_nt_hash.hash,
> > > -+ &account_name,
> > > -+ &sec_channel_type)) {
> > > -+ DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
> > > -+ }
> > > -+
> > > -+ switch (sec_channel_type) {
> > > -+ case SEC_CHAN_WKSTA:
> > > -+ pwd = secrets_fetch_machine_password(domain,
> > > -+ &pass_last_set_time,
> > > -+ NULL);
> > > -+ if (pwd == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
> > > -+ }
> > > -+ break;
> > > -+ case SEC_CHAN_DOMAIN:
> > > -+ if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
> > > -+ }
> > > -+ break;
> > > -+ default:
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NOT_SUPPORTED;
> > > -+ }
> > > -+
> > > -+ timeout = lp_machine_password_timeout();
> > > -+ if (timeout == 0) {
> > > -+ if (!force) {
> > > -+ DEBUG(10,("machine password never expires\n"));
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ tv.tv_sec = pass_last_set_time;
> > > -+ DEBUG(10, ("password last changed %s\n",
> > > -+ timeval_string(talloc_tos(), &tv, false)));
> > > -+ tv.tv_sec += timeout;
> > > -+ DEBUGADD(10, ("password valid until %s\n",
> > > -+ timeval_string(talloc_tos(), &tv, false)));
> > > -+
> > > -+ if (!force && !timeval_expired(&tv)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+
> > > -+ /* Create a random machine account password */
> > > -+ new_trust_passwd = generate_random_password(frame,
> > > -+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
> > > -+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
> > > -+ if (new_trust_passwd == NULL) {
> > > -+ DEBUG(0, ("generate_random_password failed\n"));
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_auth(context, b,
> > > -+ current_nt_hash,
> > > -+ previous_nt_hash);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_ServerPasswordSet(context, b,
> > > -+ new_trust_passwd, NULL);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
> > > -+ current_timestring(talloc_tos(), False)));
> > > -+
> > > -+ /*
> > > -+ * Return the result of trying to write the new password
> > > -+ * back into the trust account file.
> > > -+ */
> > > -+
> > > -+ switch (sec_channel_type) {
> > > -+
> > > -+ case SEC_CHAN_WKSTA:
> > > -+ if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
> > > -+ }
> > > -+ break;
> > > -+
> > > -+ case SEC_CHAN_DOMAIN:
> > > -+ /*
> > > -+ * we need to get the sid first for the
> > > -+ * pdb_set_trusteddom_pw call
> > > -+ */
> > > -+ if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
> > > -+ }
> > > -+ break;
> > > -+
> > > -+ default:
> > > -+ break;
> > > -+ }
> > > -+
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 09dae290b1d49a30eef5b93f5260dc44fb628437 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 18:33:51 +0200
> > > -Subject: [PATCH 195/249] s3:rpcclient: make use of trust_pw_change()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit a9281e6570fcc5ff5abe3149615bed7029d1cf71)
> > > ----
> > > - source3/rpcclient/cmd_netlogon.c | 10 +++++-----
> > > - 1 file changed, 5 insertions(+), 5 deletions(-)
> > > -
> > > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > > -index 59e1e4e..000d65c 100644
> > > ---- a/source3/rpcclient/cmd_netlogon.c
> > > -+++ b/source3/rpcclient/cmd_netlogon.c
> > > -@@ -829,11 +829,11 @@ static NTSTATUS cmd_netlogon_change_trust_pw(struct rpc_pipe_client *cli,
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -- /* Perform the sam logon */
> > > --
> > > -- result = trust_pw_find_change_and_store_it(cli, mem_ctx,
> > > -- lp_workgroup());
> > > --
> > > -+ result = trust_pw_change(rpcclient_netlogon_creds,
> > > -+ rpcclient_msg_ctx,
> > > -+ cli->binding_handle,
> > > -+ lp_workgroup(),
> > > -+ true); /* force */
> > > - if (!NT_STATUS_IS_OK(result))
> > > - goto done;
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 3731b2163f6bb88922a9fa84e60fa48afbbbda9a Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 18:34:48 +0200
> > > -Subject: [PATCH 196/249] s3:net_rpc: make use of trust_pw_change()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit cfd139347c21f4f4ddd16026c2c8c221feabd6c5)
> > > ----
> > > - source3/utils/net_rpc.c | 6 +++++-
> > > - 1 file changed, 5 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > > -index 3bf3f30..ba49f3e 100644
> > > ---- a/source3/utils/net_rpc.c
> > > -+++ b/source3/utils/net_rpc.c
> > > -@@ -279,7 +279,11 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
> > > - {
> > > - NTSTATUS status;
> > > -
> > > -- status = trust_pw_find_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup);
> > > -+ status = trust_pw_change(c->netlogon_creds,
> > > -+ c->msg_ctx,
> > > -+ pipe_hnd->binding_handle,
> > > -+ c->opt_target_workgroup,
> > > -+ true); /* force */
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - d_fprintf(stderr, _("Failed to change machine account password: %s\n"),
> > > - nt_errstr(status));
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From cd8fdfc923adcc5b6c700ec52d1bba4643079247 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 18:35:39 +0200
> > > -Subject: [PATCH 197/249] s3:winbindd: use invalidate_cm_connection() to kill
> > > - the netlogon connection
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit dbd49d90bbf175525557eaa983ad57ca5076d710)
> > > ----
> > > - source3/winbindd/winbindd_dual.c | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
> > > -index 64af571..b26cdca 100644
> > > ---- a/source3/winbindd/winbindd_dual.c
> > > -+++ b/source3/winbindd/winbindd_dual.c
> > > -@@ -1056,7 +1056,7 @@ static void machine_password_change_handler(struct tevent_context *ctx,
> > > - "password was changed and we didn't know it. "
> > > - "Killing connections to domain %s\n",
> > > - child->domain->name));
> > > -- TALLOC_FREE(child->domain->conn.netlogon_pipe);
> > > -+ invalidate_cm_connection(&child->domain->conn);
> > > - }
> > > -
> > > - if (!calculate_next_machine_pwd_change(child->domain->name,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 6369757af75412746c0d9950971a77be72826b92 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 18:36:43 +0200
> > > -Subject: [PATCH 198/249] s3:winbindd: make use of trust_pw_change() for
> > > - periodic password changes
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 57741dd4ba5a9ed3abf7aad35a2a69fd66b49b4b)
> > > ----
> > > - source3/winbindd/winbindd_dual.c | 16 ++++++++--------
> > > - 1 file changed, 8 insertions(+), 8 deletions(-)
> > > -
> > > -diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
> > > -index b26cdca..1d6a5ba 100644
> > > ---- a/source3/winbindd/winbindd_dual.c
> > > -+++ b/source3/winbindd/winbindd_dual.c
> > > -@@ -29,6 +29,7 @@
> > > -
> > > - #include "includes.h"
> > > - #include "winbindd.h"
> > > -+#include "rpc_client/rpc_client.h"
> > > - #include "nsswitch/wb_reqtrans.h"
> > > - #include "secrets.h"
> > > - #include "../lib/util/select.h"
> > > -@@ -999,10 +1000,10 @@ static void machine_password_change_handler(struct tevent_context *ctx,
> > > - struct timeval now,
> > > - void *private_data)
> > > - {
> > > -+ struct messaging_context *msg_ctx = winbind_messaging_context();
> > > - struct winbindd_child *child =
> > > - (struct winbindd_child *)private_data;
> > > - struct rpc_pipe_client *netlogon_pipe = NULL;
> > > -- TALLOC_CTX *frame;
> > > - NTSTATUS result;
> > > - struct timeval next_change;
> > > -
> > > -@@ -1039,15 +1040,14 @@ static void machine_password_change_handler(struct tevent_context *ctx,
> > > - return;
> > > - }
> > > -
> > > -- frame = talloc_stackframe();
> > > --
> > > -- result = trust_pw_find_change_and_store_it(netlogon_pipe,
> > > -- frame,
> > > -- child->domain->name);
> > > -- TALLOC_FREE(frame);
> > > -+ result = trust_pw_change(child->domain->conn.netlogon_creds,
> > > -+ msg_ctx,
> > > -+ netlogon_pipe->binding_handle,
> > > -+ child->domain->name,
> > > -+ false); /* force */
> > > -
> > > - DEBUG(10, ("machine_password_change_handler: "
> > > -- "trust_pw_find_change_and_store_it returned %s\n",
> > > -+ "trust_pw_change returned %s\n",
> > > - nt_errstr(result)));
> > > -
> > > - if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 5fe11c760d853dff63ad9b3505f3d3721b7e14f6 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 18:37:34 +0200
> > > -Subject: [PATCH 199/249] s3:winbindd: make use of trust_pw_change() in
> > > - _wbint_ChangeMachineAccount()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 3c30e19c4a0e60e355b2f1d35edbb0a3b7688089)
> > > ----
> > > - source3/winbindd/winbindd_dual_srv.c | 35 +++++++----------------------------
> > > - 1 file changed, 7 insertions(+), 28 deletions(-)
> > > -
> > > -diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
> > > -index 001591a..f064467 100644
> > > ---- a/source3/winbindd/winbindd_dual_srv.c
> > > -+++ b/source3/winbindd/winbindd_dual_srv.c
> > > -@@ -622,48 +622,27 @@ again:
> > > - NTSTATUS _wbint_ChangeMachineAccount(struct pipes_struct *p,
> > > - struct wbint_ChangeMachineAccount *r)
> > > - {
> > > -+ struct messaging_context *msg_ctx = winbind_messaging_context();
> > > - struct winbindd_domain *domain;
> > > -- int num_retries = 0;
> > > - NTSTATUS status;
> > > - struct rpc_pipe_client *netlogon_pipe;
> > > -- TALLOC_CTX *tmp_ctx;
> > > -
> > > --again:
> > > - domain = wb_child_domain();
> > > - if (domain == NULL) {
> > > - return NT_STATUS_REQUEST_NOT_ACCEPTED;
> > > - }
> > > -
> > > -- invalidate_cm_connection(&domain->conn);
> > > --
> > > -- {
> > > -- status = cm_connect_netlogon(domain, &netlogon_pipe);
> > > -- }
> > > --
> > > -- /* There is a race condition between fetching the trust account
> > > -- password and the periodic machine password change. So it's
> > > -- possible that the trust account password has been changed on us.
> > > -- We are returned NT_STATUS_ACCESS_DENIED if this happens. */
> > > --
> > > --#define MAX_RETRIES 3
> > > --
> > > -- if ((num_retries < MAX_RETRIES)
> > > -- && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
> > > -- num_retries++;
> > > -- goto again;
> > > -- }
> > > --
> > > -+ status = cm_connect_netlogon(domain, &netlogon_pipe);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
> > > - goto done;
> > > - }
> > > -
> > > -- tmp_ctx = talloc_new(p->mem_ctx);
> > > --
> > > -- status = trust_pw_find_change_and_store_it(netlogon_pipe,
> > > -- tmp_ctx,
> > > -- domain->name);
> > > -- talloc_destroy(tmp_ctx);
> > > -+ status = trust_pw_change(domain->conn.netlogon_creds,
> > > -+ msg_ctx,
> > > -+ netlogon_pipe->binding_handle,
> > > -+ domain->name,
> > > -+ true); /* force */
> > > -
> > > - /* Pass back result code - zero for success, other values for
> > > - specific failures. */
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 9956ea8b561da89fb79739dd8a8552116c7867f7 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 18:39:52 +0200
> > > -Subject: [PATCH 200/249] s3:libsmb: remove unused
> > > - trust_pw_find_change_and_store_it()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit a8ecebe3e840005c81df043cb07773972aaa2371)
> > > ----
> > > - source3/include/proto.h | 3 --
> > > - source3/libsmb/trusts_util.c | 81 --------------------------------------------
> > > - 2 files changed, 84 deletions(-)
> > > -
> > > -diff --git a/source3/include/proto.h b/source3/include/proto.h
> > > -index edda119..18348e5 100644
> > > ---- a/source3/include/proto.h
> > > -+++ b/source3/include/proto.h
> > > -@@ -981,9 +981,6 @@ void update_trustdom_cache( void );
> > > -
> > > - /* The following definitions come from libsmb/trusts_util.c */
> > > -
> > > --NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- const char *domain) ;
> > > - struct netlogon_creds_cli_context;
> > > - struct messaging_context;
> > > - struct dcerpc_binding_handle;
> > > -diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
> > > -index b1bc006..b38aec6 100644
> > > ---- a/source3/libsmb/trusts_util.c
> > > -+++ b/source3/libsmb/trusts_util.c
> > > -@@ -36,87 +36,6 @@
> > > - already setup the connection to the NETLOGON pipe
> > > - **********************************************************/
> > > -
> > > --NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- const char *domain)
> > > --{
> > > -- unsigned char old_trust_passwd_hash[16];
> > > -- unsigned char new_trust_passwd_hash[16];
> > > -- enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
> > > -- const char *account_name;
> > > -- char *new_trust_passwd;
> > > -- NTSTATUS nt_status;
> > > --
> > > -- if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
> > > -- &sec_channel_type)) {
> > > -- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
> > > -- return NT_STATUS_UNSUCCESSFUL;
> > > -- }
> > > --
> > > -- switch (sec_channel_type) {
> > > -- case SEC_CHAN_WKSTA:
> > > -- case SEC_CHAN_DOMAIN:
> > > -- break;
> > > -- default:
> > > -- return NT_STATUS_NOT_SUPPORTED;
> > > -- }
> > > --
> > > -- /* Create a random machine account password */
> > > -- new_trust_passwd = generate_random_password(mem_ctx,
> > > -- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
> > > -- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
> > > -- if (new_trust_passwd == NULL) {
> > > -- DEBUG(0, ("generate_random_password failed\n"));
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- E_md4hash(new_trust_passwd, new_trust_passwd_hash);
> > > --
> > > -- nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
> > > -- account_name,
> > > -- old_trust_passwd_hash,
> > > -- new_trust_passwd,
> > > -- new_trust_passwd_hash,
> > > -- sec_channel_type);
> > > --
> > > -- if (NT_STATUS_IS_OK(nt_status)) {
> > > -- DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
> > > -- current_timestring(talloc_tos(), False)));
> > > -- /*
> > > -- * Return the result of trying to write the new password
> > > -- * back into the trust account file.
> > > -- */
> > > --
> > > -- switch (sec_channel_type) {
> > > --
> > > -- case SEC_CHAN_WKSTA:
> > > -- if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
> > > -- nt_status = NT_STATUS_UNSUCCESSFUL;
> > > -- }
> > > -- break;
> > > --
> > > -- case SEC_CHAN_DOMAIN: {
> > > -- char *pwd;
> > > -- struct dom_sid sid;
> > > -- time_t pass_last_set_time;
> > > --
> > > -- /* we need to get the sid first for the
> > > -- * pdb_set_trusteddom_pw call */
> > > --
> > > -- if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
> > > -- nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
> > > -- }
> > > -- if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
> > > -- nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
> > > -- }
> > > -- break;
> > > -- }
> > > -- }
> > > -- }
> > > --
> > > -- return nt_status;
> > > --}
> > > --
> > > - struct trust_pw_change_state {
> > > - struct g_lock_ctx *g_ctx;
> > > - char *g_lock_key;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From f71cb73d7f034165802aad97e9be6f45ba32d519 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 19:19:39 +0200
> > > -Subject: [PATCH 201/249] s3:libnet: pass in struct netlogon_creds_cli_context
> > > - from the caller.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 77defb175e3ffd1b096485ac7de38ad161594b72)
> > > ----
> > > - source3/libnet/libnet_samsync.c | 2 +-
> > > - source3/libnet/libnet_samsync.h | 1 +
> > > - source3/utils/net_rpc_samsync.c | 1 +
> > > - 3 files changed, 3 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
> > > -index 02d3fc6..e7e1393 100644
> > > ---- a/source3/libnet/libnet_samsync.c
> > > -+++ b/source3/libnet/libnet_samsync.c
> > > -@@ -216,7 +216,7 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
> > > - struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
> > > - struct netlogon_creds_CredentialState *creds = NULL;
> > > -
> > > -- status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
> > > -+ status = netlogon_creds_cli_lock(ctx->netlogon_creds,
> > > - mem_ctx, &creds);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > -diff --git a/source3/libnet/libnet_samsync.h b/source3/libnet/libnet_samsync.h
> > > -index efdbb37..e1d66ec 100644
> > > ---- a/source3/libnet/libnet_samsync.h
> > > -+++ b/source3/libnet/libnet_samsync.h
> > > -@@ -75,6 +75,7 @@ struct samsync_context {
> > > - struct samsync_object *objects;
> > > -
> > > - struct rpc_pipe_client *cli;
> > > -+ struct netlogon_creds_cli_context *netlogon_creds;
> > > - struct messaging_context *msg_ctx;
> > > -
> > > - const struct samsync_ops *ops;
> > > -diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
> > > -index 772651f..6377ad4 100644
> > > ---- a/source3/utils/net_rpc_samsync.c
> > > -+++ b/source3/utils/net_rpc_samsync.c
> > > -@@ -129,6 +129,7 @@ NTSTATUS rpc_samdump_internals(struct net_context *c,
> > > -
> > > - ctx->mode = NET_SAMSYNC_MODE_DUMP;
> > > - ctx->cli = pipe_hnd;
> > > -+ ctx->netlogon_creds = c->netlogon_creds;
> > > - ctx->ops = &libnet_samsync_display_ops;
> > > - ctx->domain_name = domain_name;
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From acb678ce415403e1442116b32eb8b8b32b677f4a Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 20:51:25 +0200
> > > -Subject: [PATCH 202/249] s3:rpcclient: make use of
> > > - rpccli_{create,setup}_netlogon_creds()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 5107ca02a41673739a1fc4a1c2a0fbe8465f211a)
> > > ----
> > > - source3/rpcclient/rpcclient.c | 59 ++++++++++++++++++++++++++++++-------------
> > > - 1 file changed, 41 insertions(+), 18 deletions(-)
> > > -
> > > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > > -index a875ff5..490f8df 100644
> > > ---- a/source3/rpcclient/rpcclient.c
> > > -+++ b/source3/rpcclient/rpcclient.c
> > > -@@ -676,6 +676,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - {
> > > - NTSTATUS ntresult;
> > > - WERROR wresult;
> > > -+ bool ok;
> > > -
> > > - TALLOC_CTX *mem_ctx;
> > > -
> > > -@@ -759,17 +760,20 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - return ntresult;
> > > - }
> > > -
> > > -- if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
> > > -- &ndr_table_netlogon.syntax_id)) {
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -- NETLOGON_NEG_SUPPORTS_AES;
> > > -- enum netr_SchannelType sec_channel_type;
> > > -- uchar trust_password[16];
> > > -- const char *machine_account;
> > > -+ ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
> > > -+ &ndr_table_netlogon.syntax_id);
> > > -+ if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
> > > -+ const char *dc_name = cmd_entry->rpc_pipe->desthost;
> > > -+ const char *domain = get_cmdline_auth_info_domain(auth_info);
> > > -+ enum netr_SchannelType sec_chan_type = 0;
> > > -+ const char *_account_name = NULL;
> > > -+ const char *account_name = NULL;
> > > -+ struct samr_Password current_nt_hash;
> > > -+ struct samr_Password *previous_nt_hash = NULL;
> > > -
> > > - if (!get_trust_pw_hash(get_cmdline_auth_info_domain(auth_info),
> > > -- trust_password, &machine_account,
> > > -- &sec_channel_type))
> > > -+ current_nt_hash.hash, &_account_name,
> > > -+ &sec_chan_type))
> > > - {
> > > - DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
> > > - get_cmdline_auth_info_domain(auth_info),
> > > -@@ -779,22 +783,41 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> > > - }
> > > -
> > > -- ntresult = rpccli_netlogon_setup_creds(cmd_entry->rpc_pipe,
> > > -- cmd_entry->rpc_pipe->desthost, /* server name */
> > > -- get_cmdline_auth_info_domain(auth_info), /* domain */
> > > -- lp_netbios_name(), /* client name */
> > > -- machine_account, /* machine account name */
> > > -- trust_password,
> > > -- sec_channel_type,
> > > -- &neg_flags);
> > > -+ account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
> > > -+ if (account_name == NULL) {
> > > -+ SAFE_FREE(previous_nt_hash);
> > > -+ TALLOC_FREE(mem_ctx);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ ntresult = rpccli_create_netlogon_creds(dc_name,
> > > -+ domain,
> > > -+ account_name,
> > > -+ sec_chan_type,
> > > -+ rpcclient_msg_ctx,
> > > -+ talloc_autofree_context(),
> > > -+ &rpcclient_netlogon_creds);
> > > -+ if (!NT_STATUS_IS_OK(ntresult)) {
> > > -+ SAFE_FREE(previous_nt_hash);
> > > -+ TALLOC_FREE(mem_ctx);
> > > -+ return ntresult;
> > > -+ }
> > > -
> > > -+ ntresult = rpccli_setup_netlogon_creds(cli,
> > > -+ rpcclient_netlogon_creds,
> > > -+ false, /* force_reauth */
> > > -+ current_nt_hash,
> > > -+ previous_nt_hash);
> > > -+ SAFE_FREE(previous_nt_hash);
> > > - if (!NT_STATUS_IS_OK(ntresult)) {
> > > - DEBUG(0, ("Could not initialise credentials for %s.\n",
> > > - cmd_entry->table->name));
> > > - TALLOC_FREE(cmd_entry->rpc_pipe);
> > > -- talloc_free(mem_ctx);
> > > -+ TALLOC_FREE(rpcclient_netlogon_creds);
> > > -+ TALLOC_FREE(mem_ctx);
> > > - return ntresult;
> > > - }
> > > -+ cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
> > > - }
> > > - }
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From b04744971aa9cc696aa4a3c56dd46d58db8dda75 Mon Sep 17 00:00:00 2001
> > > -From: Garming Sam <garming@catalyst.net.nz>
> > > -Date: Fri, 29 Nov 2013 14:45:20 +1300
> > > -Subject: [PATCH 203/249] s3:rpcclient: give errors and clean up correctly
> > > - after failing to obtain secret
> > > -
> > > -Signed-off-by: Garming Sam <garming@catalyst.net.nz>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit a012e2fdd6733e871ddeb68874a2df8413ad91ed)
> > > ----
> > > - source3/rpcclient/rpcclient.c | 6 ++++++
> > > - 1 file changed, 6 insertions(+)
> > > -
> > > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > > -index 490f8df..fd3ebdf 100644
> > > ---- a/source3/rpcclient/rpcclient.c
> > > -+++ b/source3/rpcclient/rpcclient.c
> > > -@@ -785,6 +785,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > -
> > > - account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
> > > - if (account_name == NULL) {
> > > -+ DEBUG(0, ("Out of memory creating account name to connect to %s.\n",
> > > -+ cmd_entry->table->name));
> > > -+ TALLOC_FREE(cmd_entry->rpc_pipe);
> > > - SAFE_FREE(previous_nt_hash);
> > > - TALLOC_FREE(mem_ctx);
> > > - return NT_STATUS_NO_MEMORY;
> > > -@@ -798,6 +801,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - talloc_autofree_context(),
> > > - &rpcclient_netlogon_creds);
> > > - if (!NT_STATUS_IS_OK(ntresult)) {
> > > -+ DEBUG(0, ("Could not initialise credentials for %s.\n",
> > > -+ cmd_entry->table->name));
> > > -+ TALLOC_FREE(cmd_entry->rpc_pipe);
> > > - SAFE_FREE(previous_nt_hash);
> > > - TALLOC_FREE(mem_ctx);
> > > - return ntresult;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 564e6df9361025ff7da6fa92d83491cfd9e60b2b Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 17 Sep 2013 00:46:09 +0200
> > > -Subject: [PATCH 204/249] s3:rpcclient: remove optional auth_level parameter of
> > > - the 'samlogon' cmd
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 4c99e49898151a514e334a07f38eed83fe608c05)
> > > ----
> > > - source3/rpcclient/cmd_netlogon.c | 11 ++++-------
> > > - 1 file changed, 4 insertions(+), 7 deletions(-)
> > > -
> > > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > > -index 000d65c..97b79cb 100644
> > > ---- a/source3/rpcclient/cmd_netlogon.c
> > > -+++ b/source3/rpcclient/cmd_netlogon.c
> > > -@@ -782,9 +782,9 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > -
> > > - /* Check arguments */
> > > -
> > > -- if (argc < 3 || argc > 7) {
> > > -+ if (argc < 3 || argc > 6) {
> > > - fprintf(stderr, "Usage: samlogon <username> <password> [workstation]"
> > > -- "[logon_type (1 or 2)] [auth level (2 or 3)] [logon_parameter]\n");
> > > -+ "[logon_type (1 or 2)] [logon_parameter]\n");
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -@@ -797,11 +797,8 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > - if (argc >= 5)
> > > - sscanf(argv[4], "%i", &logon_type);
> > > -
> > > -- if (argc >= 6)
> > > -- validation_level = atoi(argv[5]);
> > > --
> > > -- if (argc == 7)
> > > -- sscanf(argv[6], "%x", &logon_param);
> > > -+ if (argc == 6)
> > > -+ sscanf(argv[5], "%x", &logon_param);
> > > -
> > > - /* Perform the sam logon */
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a61d399c13c9f46e283f85f3d076b0607c2729f3 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 17 Sep 2013 00:48:31 +0200
> > > -Subject: [PATCH 205/249] s3:rpcclient: make use of
> > > - rpccli_netlogon_password_logon() in the 'samlogon' cmd
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit c6bb47f2f199cc13101dccf656ac36e9eb879201)
> > > ----
> > > - source3/rpcclient/cmd_netlogon.c | 11 ++++++++---
> > > - 1 file changed, 8 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > > -index 97b79cb..b637b3e 100644
> > > ---- a/source3/rpcclient/cmd_netlogon.c
> > > -+++ b/source3/rpcclient/cmd_netlogon.c
> > > -@@ -776,7 +776,6 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > - NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
> > > - int logon_type = NetlogonNetworkInformation;
> > > - const char *username, *password;
> > > -- uint16_t validation_level = 3;
> > > - uint32 logon_param = 0;
> > > - const char *workstation = NULL;
> > > -
> > > -@@ -802,8 +801,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > -
> > > - /* Perform the sam logon */
> > > -
> > > -- result = rpccli_netlogon_sam_logon(cli, mem_ctx, logon_param, lp_workgroup(), username, password, workstation, validation_level, logon_type);
> > > --
> > > -+ result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
> > > -+ cli->binding_handle,
> > > -+ logon_param,
> > > -+ lp_workgroup(),
> > > -+ username,
> > > -+ password,
> > > -+ workstation,
> > > -+ logon_type);
> > > - if (!NT_STATUS_IS_OK(result))
> > > - goto done;
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From fbe0154a63d401acd47c5190be37b8d69d3d64ba Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 17 Sep 2013 00:56:15 +0200
> > > -Subject: [PATCH 206/249] s3:winbindd: make use of
> > > - rpccli_netlogon_network_logon()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit a34c837fdb59df1e66be9b5f23a07990e34fea1c)
> > > ----
> > > - source3/winbindd/winbindd_pam.c | 28 +++++++++++++++-------------
> > > - 1 file changed, 15 insertions(+), 13 deletions(-)
> > > -
> > > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > > -index 39483a5..3f3ec70 100644
> > > ---- a/source3/winbindd/winbindd_pam.c
> > > -+++ b/source3/winbindd/winbindd_pam.c
> > > -@@ -1228,6 +1228,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > > -
> > > - do {
> > > - struct rpc_pipe_client *netlogon_pipe;
> > > -+ uint8_t authoritative = 0;
> > > -+ uint32_t flags = 0;
> > > -
> > > - ZERO_STRUCTP(info3);
> > > - retry = false;
> > > -@@ -1276,19 +1278,19 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > > - }
> > > - netr_attempts = 0;
> > > -
> > > -- result = rpccli_netlogon_sam_network_logon(
> > > -- netlogon_pipe,
> > > -- mem_ctx,
> > > -- logon_parameters,
> > > -- server, /* server name */
> > > -- username, /* user name */
> > > -- domainname, /* target domain */
> > > -- workstation, /* workstation */
> > > -- chal,
> > > -- -1, /* ignored */
> > > -- lm_response,
> > > -- nt_response,
> > > -- info3);
> > > -+ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
> > > -+ netlogon_pipe->binding_handle,
> > > -+ mem_ctx,
> > > -+ logon_parameters,
> > > -+ username,
> > > -+ domainname,
> > > -+ workstation,
> > > -+ chal,
> > > -+ lm_response,
> > > -+ nt_response,
> > > -+ &authoritative,
> > > -+ &flags,
> > > -+ info3);
> > > -
> > > - /*
> > > - * we increment this after the "feature negotiation"
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From cfcb681d6f80253b6f2db769f5c5be1ffb54cc0e Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 20:53:51 +0200
> > > -Subject: [PATCH 207/249] s3:rpc_client: make cli_rpc_pipe_open_schannel() more
> > > - flexible
> > > -
> > > -It expects a messaging_context now
> > > -and returns a netlogon_creds_cli_context.
> > > -
> > > -This way we can finally avoid having a rpc_pipe_client->netlogon_creds.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 660150b12a637da7f9ebb820e687f27ac22fb93a)
> > > ----
> > > - source3/rpc_client/cli_pipe.h | 5 ++++-
> > > - source3/rpc_client/cli_pipe_schannel.c | 9 +++++++--
> > > - source3/rpcclient/rpcclient.c | 13 +++++++------
> > > - source3/utils/net_rpc.c | 6 +++---
> > > - 4 files changed, 21 insertions(+), 12 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
> > > -index 2a76130..b704d8a 100644
> > > ---- a/source3/rpc_client/cli_pipe.h
> > > -+++ b/source3/rpc_client/cli_pipe.h
> > > -@@ -99,11 +99,14 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - struct rpc_pipe_client **presult);
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > -+ struct messaging_context *msg_ctx,
> > > - const struct ndr_interface_table *table,
> > > - enum dcerpc_transport_t transport,
> > > - enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > -- struct rpc_pipe_client **presult);
> > > -+ struct rpc_pipe_client **presult,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_cli_context **pcreds);
> > > -
> > > - NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
> > > - struct rpc_pipe_client *cli,
> > > -diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
> > > -index 1fcf62e..a842333 100644
> > > ---- a/source3/rpc_client/cli_pipe_schannel.c
> > > -+++ b/source3/rpc_client/cli_pipe_schannel.c
> > > -@@ -38,14 +38,16 @@
> > > - ****************************************************************************/
> > > -
> > > - NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > -+ struct messaging_context *msg_ctx,
> > > - const struct ndr_interface_table *table,
> > > - enum dcerpc_transport_t transport,
> > > - enum dcerpc_AuthLevel auth_level,
> > > - const char *domain,
> > > -- struct rpc_pipe_client **presult)
> > > -+ struct rpc_pipe_client **presult,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ struct netlogon_creds_cli_context **pcreds)
> > > - {
> > > - TALLOC_CTX *frame = talloc_stackframe();
> > > -- struct messaging_context *msg_ctx = NULL;
> > > - const char *dc_name = smbXcli_conn_remote_name(cli->conn);
> > > - struct rpc_pipe_client *result = NULL;
> > > - NTSTATUS status;
> > > -@@ -121,6 +123,9 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> > > -
> > > - if (NT_STATUS_IS_OK(status)) {
> > > - *presult = result;
> > > -+ if (pcreds != NULL) {
> > > -+ *pcreds = talloc_move(mem_ctx, &netlogon_creds);
> > > -+ }
> > > - }
> > > -
> > > - TALLOC_FREE(frame);
> > > -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > > -index fd3ebdf..43343e8 100644
> > > ---- a/source3/rpcclient/rpcclient.c
> > > -+++ b/source3/rpcclient/rpcclient.c
> > > -@@ -737,12 +737,16 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - &cmd_entry->rpc_pipe);
> > > - break;
> > > - case DCERPC_AUTH_TYPE_SCHANNEL:
> > > -+ TALLOC_FREE(rpcclient_netlogon_creds);
> > > - ntresult = cli_rpc_pipe_open_schannel(
> > > -- cli, cmd_entry->table,
> > > -+ cli, rpcclient_msg_ctx,
> > > -+ cmd_entry->table,
> > > - default_transport,
> > > - pipe_default_auth_level,
> > > - get_cmdline_auth_info_domain(auth_info),
> > > -- &cmd_entry->rpc_pipe);
> > > -+ &cmd_entry->rpc_pipe,
> > > -+ talloc_autofree_context(),
> > > -+ &rpcclient_netlogon_creds);
> > > - break;
> > > - default:
> > > - DEBUG(0, ("Could not initialise %s. Invalid "
> > > -@@ -762,7 +766,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > -
> > > - ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
> > > - &ndr_table_netlogon.syntax_id);
> > > -- if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
> > > -+ if (rpcclient_netlogon_creds == NULL && ok) {
> > > - const char *dc_name = cmd_entry->rpc_pipe->desthost;
> > > - const char *domain = get_cmdline_auth_info_domain(auth_info);
> > > - enum netr_SchannelType sec_chan_type = 0;
> > > -@@ -823,12 +827,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> > > - TALLOC_FREE(mem_ctx);
> > > - return ntresult;
> > > - }
> > > -- cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
> > > - }
> > > - }
> > > -
> > > -- rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
> > > --
> > > - /* Run command */
> > > -
> > > - if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
> > > -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
> > > -index ba49f3e..d0f699a 100644
> > > ---- a/source3/utils/net_rpc.c
> > > -+++ b/source3/utils/net_rpc.c
> > > -@@ -192,16 +192,16 @@ int run_rpc_command(struct net_context *c,
> > > - && (ndr_syntax_id_equal(&table->syntax_id,
> > > - &ndr_table_netlogon.syntax_id))) {
> > > - /* Always try and create an schannel netlogon pipe. */
> > > -+ TALLOC_FREE(c->netlogon_creds);
> > > - nt_status = cli_rpc_pipe_open_schannel(
> > > -- cli, table, NCACN_NP,
> > > -+ cli, c->msg_ctx, table, NCACN_NP,
> > > - DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
> > > -- &pipe_hnd);
> > > -+ &pipe_hnd, c, &c->netlogon_creds);
> > > - if (!NT_STATUS_IS_OK(nt_status)) {
> > > - DEBUG(0, ("Could not initialise schannel netlogon pipe. Error was %s\n",
> > > - nt_errstr(nt_status) ));
> > > - goto fail;
> > > - }
> > > -- c->netlogon_creds = pipe_hnd->netlogon_creds;
> > > - } else {
> > > - if (conn_flags & NET_FLAGS_SEAL) {
> > > - nt_status = cli_rpc_pipe_open_generic_auth(
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 603b40eeee3cf21de94f11471889d0443713ba4f Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 6 Sep 2013 13:54:30 +0200
> > > -Subject: [PATCH 208/249] s3:rpc_client: remove unused
> > > - rpccli_netlogon_set_trust_password()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 6d457ad9c156cf86d99e58dea21dba170defad1b)
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 51 ---------------------------------------
> > > - source3/rpc_client/cli_netlogon.h | 7 ------
> > > - 2 files changed, 58 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index a9f8604..2f23d1b 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -759,54 +759,3 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > > -
> > > - return NT_STATUS_OK;
> > > - }
> > > --
> > > --/*********************************************************
> > > -- Change the domain password on the PDC.
> > > --
> > > -- Just changes the password betwen the two values specified.
> > > --
> > > -- Caller must have the cli connected to the netlogon pipe
> > > -- already.
> > > --**********************************************************/
> > > --
> > > --NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- const char *account_name,
> > > -- const unsigned char orig_trust_passwd_hash[16],
> > > -- const char *new_trust_pwd_cleartext,
> > > -- const unsigned char new_trust_passwd_hash[16],
> > > -- enum netr_SchannelType sec_channel_type)
> > > --{
> > > -- NTSTATUS result;
> > > --
> > > -- if (cli->netlogon_creds == NULL) {
> > > -- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
> > > -- NETLOGON_NEG_SUPPORTS_AES;
> > > -- result = rpccli_netlogon_setup_creds(cli,
> > > -- cli->desthost, /* server name */
> > > -- lp_workgroup(), /* domain */
> > > -- lp_netbios_name(), /* client name */
> > > -- account_name, /* machine account name */
> > > -- orig_trust_passwd_hash,
> > > -- sec_channel_type,
> > > -- &neg_flags);
> > > -- if (!NT_STATUS_IS_OK(result)) {
> > > -- DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n",
> > > -- nt_errstr(result)));
> > > -- return result;
> > > -- }
> > > -- }
> > > --
> > > -- result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
> > > -- cli->binding_handle,
> > > -- new_trust_pwd_cleartext,
> > > -- NULL); /* new_version */
> > > -- if (!NT_STATUS_IS_OK(result)) {
> > > -- DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
> > > -- nt_errstr(result)));
> > > -- return result;
> > > -- }
> > > --
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > > -index d4c6670..8547db6 100644
> > > ---- a/source3/rpc_client/cli_netlogon.h
> > > -+++ b/source3/rpc_client/cli_netlogon.h
> > > -@@ -93,12 +93,5 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > > - uint8_t *authoritative,
> > > - uint32_t *flags,
> > > - struct netr_SamInfo3 **info3);
> > > --NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- const char *account_name,
> > > -- const unsigned char orig_trust_passwd_hash[16],
> > > -- const char *new_trust_pwd_cleartext,
> > > -- const unsigned char new_trust_passwd_hash[16],
> > > -- enum netr_SchannelType sec_channel_type);
> > > -
> > > - #endif /* _RPC_CLIENT_CLI_NETLOGON_H_ */
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From c9dc23d434bc7015f400b1969a055b95faac6594 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 6 Sep 2013 13:06:53 +0200
> > > -Subject: [PATCH 209/249] s3:rpc_client: remove unused
> > > - rpccli_netlogon_setup_creds()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit a4faf57b47095bfc0f4370ac093c8c4cef17584f)
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 92 ---------------------------------------
> > > - source3/rpc_client/cli_netlogon.h | 8 ----
> > > - 2 files changed, 100 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index 2f23d1b..687d0c2 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -35,98 +35,6 @@
> > > - #include "lib/param/param.h"
> > > - #include "libcli/smb/smbXcli_base.h"
> > > -
> > > --/****************************************************************************
> > > -- Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
> > > -- credentials chain. Stores the credentials in the struct dcinfo in the
> > > -- netlogon pipe struct.
> > > --****************************************************************************/
> > > --
> > > --NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > > -- const char *server_name,
> > > -- const char *domain,
> > > -- const char *clnt_name,
> > > -- const char *machine_account,
> > > -- const unsigned char machine_pwd[16],
> > > -- enum netr_SchannelType sec_chan_type,
> > > -- uint32_t *neg_flags_inout)
> > > --{
> > > -- TALLOC_CTX *frame = talloc_stackframe();
> > > -- struct loadparm_context *lp_ctx;
> > > -- NTSTATUS status;
> > > -- struct samr_Password password;
> > > -- fstring mach_acct;
> > > -- struct dcerpc_binding_handle *b = cli->binding_handle;
> > > -- struct netlogon_creds_CredentialState *creds = NULL;
> > > --
> > > -- if (!ndr_syntax_id_equal(&cli->abstract_syntax,
> > > -- &ndr_table_netlogon.syntax_id)) {
> > > -- TALLOC_FREE(frame);
> > > -- return NT_STATUS_INVALID_PARAMETER;
> > > -- }
> > > --
> > > -- if (!strequal(lp_netbios_name(), clnt_name)) {
> > > -- TALLOC_FREE(frame);
> > > -- return NT_STATUS_INVALID_PARAMETER;
> > > -- }
> > > --
> > > -- TALLOC_FREE(cli->netlogon_creds);
> > > --
> > > -- fstr_sprintf( mach_acct, "%s$", machine_account);
> > > --
> > > -- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> > > -- if (lp_ctx == NULL) {
> > > -- TALLOC_FREE(frame);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > -- status = netlogon_creds_cli_context_global(lp_ctx,
> > > -- NULL, /* msg_ctx */
> > > -- mach_acct,
> > > -- sec_chan_type,
> > > -- server_name,
> > > -- domain,
> > > -- cli, &cli->netlogon_creds);
> > > -- talloc_unlink(frame, lp_ctx);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- TALLOC_FREE(frame);
> > > -- return status;
> > > -- }
> > > --
> > > -- status = netlogon_creds_cli_get(cli->netlogon_creds,
> > > -- frame, &creds);
> > > -- if (NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
> > > -- "cached credential\n",
> > > -- cli->desthost));
> > > -- *neg_flags_inout = creds->negotiate_flags;
> > > -- TALLOC_FREE(frame);
> > > -- return NT_STATUS_OK;
> > > -- }
> > > --
> > > -- /* Store the machine account password we're going to use. */
> > > -- memcpy(password.hash, machine_pwd, 16);
> > > --
> > > -- DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
> > > -- "chain established.\n",
> > > -- cli->desthost ));
> > > --
> > > -- status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
> > > -- password, NULL);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- TALLOC_FREE(frame);
> > > -- return status;
> > > -- }
> > > --
> > > -- status = netlogon_creds_cli_get(cli->netlogon_creds,
> > > -- frame, &creds);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- TALLOC_FREE(frame);
> > > -- return NT_STATUS_INTERNAL_ERROR;
> > > -- }
> > > --
> > > -- *neg_flags_inout = creds->negotiate_flags;
> > > -- TALLOC_FREE(frame);
> > > -- return NT_STATUS_OK;
> > > --}
> > > -
> > > - NTSTATUS rpccli_pre_open_netlogon_creds(void)
> > > - {
> > > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > > -index 8547db6..0de836a 100644
> > > ---- a/source3/rpc_client/cli_netlogon.h
> > > -+++ b/source3/rpc_client/cli_netlogon.h
> > > -@@ -30,14 +30,6 @@ struct dcerpc_binding_handle;
> > > -
> > > - /* The following definitions come from rpc_client/cli_netlogon.c */
> > > -
> > > --NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
> > > -- const char *server_name,
> > > -- const char *domain,
> > > -- const char *clnt_name,
> > > -- const char *machine_account,
> > > -- const unsigned char machine_pwd[16],
> > > -- enum netr_SchannelType sec_chan_type,
> > > -- uint32_t *neg_flags_inout);
> > > - NTSTATUS rpccli_pre_open_netlogon_creds(void);
> > > - NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> > > - const char *server_netbios_domain,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 2a072da1cc18acc7eb6d82769dc96b7e94ec57fe Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 19:23:18 +0200
> > > -Subject: [PATCH 210/249] s3:rpc_client: remove unused
> > > - rpccli_netlogon_sam_logon()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit e4fea80693b49e79a96acdac09d5ea292756635c)
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 124 --------------------------------------
> > > - source3/rpc_client/cli_netlogon.h | 9 ---
> > > - 2 files changed, 133 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index 687d0c2..171337a 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -160,130 +160,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> > > -
> > > - /* Logon domain user */
> > > -
> > > --NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- uint32 logon_parameters,
> > > -- const char *domain,
> > > -- const char *username,
> > > -- const char *password,
> > > -- const char *workstation,
> > > -- uint16_t _ignored_validation_level,
> > > -- int logon_type)
> > > --{
> > > -- NTSTATUS status;
> > > -- union netr_LogonLevel *logon;
> > > -- uint16_t validation_level = 0;
> > > -- union netr_Validation *validation = NULL;
> > > -- uint8_t authoritative = 0;
> > > -- uint32_t flags = 0;
> > > -- fstring clnt_name_slash;
> > > --
> > > -- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> > > -- if (!logon) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- if (workstation) {
> > > -- fstr_sprintf( clnt_name_slash, "\\\\%s", workstation );
> > > -- } else {
> > > -- fstr_sprintf( clnt_name_slash, "\\\\%s", lp_netbios_name() );
> > > -- }
> > > --
> > > -- /* Initialise input parameters */
> > > --
> > > -- switch (logon_type) {
> > > -- case NetlogonInteractiveInformation: {
> > > --
> > > -- struct netr_PasswordInfo *password_info;
> > > --
> > > -- struct samr_Password lmpassword;
> > > -- struct samr_Password ntpassword;
> > > --
> > > -- password_info = talloc_zero(mem_ctx, struct netr_PasswordInfo);
> > > -- if (!password_info) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
> > > --
> > > -- password_info->identity_info.domain_name.string = domain;
> > > -- password_info->identity_info.parameter_control = logon_parameters;
> > > -- password_info->identity_info.logon_id_low = 0xdead;
> > > -- password_info->identity_info.logon_id_high = 0xbeef;
> > > -- password_info->identity_info.account_name.string = username;
> > > -- password_info->identity_info.workstation.string = clnt_name_slash;
> > > --
> > > -- password_info->lmpassword = lmpassword;
> > > -- password_info->ntpassword = ntpassword;
> > > --
> > > -- logon->password = password_info;
> > > --
> > > -- break;
> > > -- }
> > > -- case NetlogonNetworkInformation: {
> > > -- struct netr_NetworkInfo *network_info;
> > > -- uint8 chal[8];
> > > -- unsigned char local_lm_response[24];
> > > -- unsigned char local_nt_response[24];
> > > -- struct netr_ChallengeResponse lm;
> > > -- struct netr_ChallengeResponse nt;
> > > --
> > > -- ZERO_STRUCT(lm);
> > > -- ZERO_STRUCT(nt);
> > > --
> > > -- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
> > > -- if (!network_info) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- generate_random_buffer(chal, 8);
> > > --
> > > -- SMBencrypt(password, chal, local_lm_response);
> > > -- SMBNTencrypt(password, chal, local_nt_response);
> > > --
> > > -- lm.length = 24;
> > > -- lm.data = local_lm_response;
> > > --
> > > -- nt.length = 24;
> > > -- nt.data = local_nt_response;
> > > --
> > > -- network_info->identity_info.domain_name.string = domain;
> > > -- network_info->identity_info.parameter_control = logon_parameters;
> > > -- network_info->identity_info.logon_id_low = 0xdead;
> > > -- network_info->identity_info.logon_id_high = 0xbeef;
> > > -- network_info->identity_info.account_name.string = username;
> > > -- network_info->identity_info.workstation.string = clnt_name_slash;
> > > --
> > > -- memcpy(network_info->challenge, chal, 8);
> > > -- network_info->nt = nt;
> > > -- network_info->lm = lm;
> > > --
> > > -- logon->network = network_info;
> > > --
> > > -- break;
> > > -- }
> > > -- default:
> > > -- DEBUG(0, ("switch value %d not supported\n",
> > > -- logon_type));
> > > -- return NT_STATUS_INVALID_INFO_CLASS;
> > > -- }
> > > --
> > > -- status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
> > > -- cli->binding_handle,
> > > -- logon_type,
> > > -- logon,
> > > -- mem_ctx,
> > > -- &validation_level,
> > > -- &validation,
> > > -- &authoritative,
> > > -- &flags);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > --
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > - NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> > > - struct dcerpc_binding_handle *binding_handle,
> > > - uint32_t logon_parameters,
> > > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > > -index 0de836a..eaa5b0c 100644
> > > ---- a/source3/rpc_client/cli_netlogon.h
> > > -+++ b/source3/rpc_client/cli_netlogon.h
> > > -@@ -43,15 +43,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> > > - bool force_reauth,
> > > - struct samr_Password current_nt_hash,
> > > - const struct samr_Password *previous_nt_hash);
> > > --NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- uint32 logon_parameters,
> > > -- const char *domain,
> > > -- const char *username,
> > > -- const char *password,
> > > -- const char *workstation,
> > > -- uint16_t validation_level,
> > > -- int logon_type);
> > > - NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> > > - struct dcerpc_binding_handle *binding_handle,
> > > - uint32_t logon_parameters,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4092fca5daf42e1cd26af8069b09b97a7d01df9c Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 19:23:54 +0200
> > > -Subject: [PATCH 211/249] s3:rpc_client: remove unused
> > > - rpccli_netlogon_sam_network_logon()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 3f41b583840ffa2220f61eea61833bf3c6bd33db)
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 94 ---------------------------------------
> > > - source3/rpc_client/cli_netlogon.h | 12 -----
> > > - 2 files changed, 106 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index 171337a..ca2d9bf 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -346,100 +346,6 @@ static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> > > - * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
> > > - **/
> > > -
> > > --NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- uint32 logon_parameters,
> > > -- const char *server,
> > > -- const char *username,
> > > -- const char *domain,
> > > -- const char *workstation,
> > > -- const uint8 chal[8],
> > > -- uint16_t _ignored_validation_level,
> > > -- DATA_BLOB lm_response,
> > > -- DATA_BLOB nt_response,
> > > -- struct netr_SamInfo3 **info3)
> > > --{
> > > -- NTSTATUS status;
> > > -- const char *workstation_name_slash;
> > > -- union netr_LogonLevel *logon = NULL;
> > > -- struct netr_NetworkInfo *network_info;
> > > -- uint16_t validation_level = 0;
> > > -- union netr_Validation *validation = NULL;
> > > -- uint8_t authoritative = 0;
> > > -- uint32_t flags = 0;
> > > -- struct netr_ChallengeResponse lm;
> > > -- struct netr_ChallengeResponse nt;
> > > --
> > > -- *info3 = NULL;
> > > --
> > > -- ZERO_STRUCT(lm);
> > > -- ZERO_STRUCT(nt);
> > > --
> > > -- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
> > > -- if (!logon) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
> > > -- if (!network_info) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- if (workstation[0] != '\\' && workstation[1] != '\\') {
> > > -- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
> > > -- } else {
> > > -- workstation_name_slash = workstation;
> > > -- }
> > > --
> > > -- if (!workstation_name_slash) {
> > > -- DEBUG(0, ("talloc_asprintf failed!\n"));
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- /* Initialise input parameters */
> > > --
> > > -- lm.data = lm_response.data;
> > > -- lm.length = lm_response.length;
> > > -- nt.data = nt_response.data;
> > > -- nt.length = nt_response.length;
> > > --
> > > -- network_info->identity_info.domain_name.string = domain;
> > > -- network_info->identity_info.parameter_control = logon_parameters;
> > > -- network_info->identity_info.logon_id_low = 0xdead;
> > > -- network_info->identity_info.logon_id_high = 0xbeef;
> > > -- network_info->identity_info.account_name.string = username;
> > > -- network_info->identity_info.workstation.string = workstation_name_slash;
> > > --
> > > -- memcpy(network_info->challenge, chal, 8);
> > > -- network_info->nt = nt;
> > > -- network_info->lm = lm;
> > > --
> > > -- logon->network = network_info;
> > > --
> > > -- /* Marshall data and send request */
> > > --
> > > -- status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
> > > -- cli->binding_handle,
> > > -- NetlogonNetworkInformation,
> > > -- logon,
> > > -- mem_ctx,
> > > -- &validation_level,
> > > -- &validation,
> > > -- &authoritative,
> > > -- &flags);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > --
> > > -- status = map_validation_to_info3(mem_ctx,
> > > -- validation_level, validation,
> > > -- info3);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- return status;
> > > -- }
> > > --
> > > -- return NT_STATUS_OK;
> > > --}
> > > -
> > > - NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > > - struct dcerpc_binding_handle *binding_handle,
> > > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > > -index eaa5b0c..61fed4a 100644
> > > ---- a/source3/rpc_client/cli_netlogon.h
> > > -+++ b/source3/rpc_client/cli_netlogon.h
> > > -@@ -51,18 +51,6 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
> > > - const char *password,
> > > - const char *workstation,
> > > - enum netr_LogonInfoClass logon_type);
> > > --NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- uint32 logon_parameters,
> > > -- const char *server,
> > > -- const char *username,
> > > -- const char *domain,
> > > -- const char *workstation,
> > > -- const uint8 chal[8],
> > > -- uint16_t validation_level,
> > > -- DATA_BLOB lm_response,
> > > -- DATA_BLOB nt_response,
> > > -- struct netr_SamInfo3 **info3);
> > > - NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > > - struct dcerpc_binding_handle *binding_handle,
> > > - TALLOC_CTX *mem_ctx,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From bdfc02fd5830ed6e2f14aaf90456e572028ada6a Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 16 Sep 2013 19:25:27 +0200
> > > -Subject: [PATCH 212/249] s3:rpc_client: finally remove unused
> > > - rpc_pipe_client->netlogon_creds
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit c0761c3eae34175d772476006caf5caad68bd8c6)
> > > ----
> > > - source3/rpc_client/cli_pipe.c | 9 ---------
> > > - source3/rpc_client/rpc_client.h | 3 ---
> > > - 2 files changed, 12 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
> > > -index 31cd7f5..8613a21 100644
> > > ---- a/source3/rpc_client/cli_pipe.c
> > > -+++ b/source3/rpc_client/cli_pipe.c
> > > -@@ -3097,15 +3097,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> > > - return status;
> > > - }
> > > -
> > > -- status = netlogon_creds_cli_context_copy(netlogon_creds,
> > > -- rpccli,
> > > -- &rpccli->netlogon_creds);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
> > > -- nt_errstr(status)));
> > > -- TALLOC_FREE(rpccli);
> > > -- return status;
> > > -- }
> > > -
> > > - done:
> > > - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
> > > -diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
> > > -index 7c4cceb..7c5ff0e 100644
> > > ---- a/source3/rpc_client/rpc_client.h
> > > -+++ b/source3/rpc_client/rpc_client.h
> > > -@@ -48,9 +48,6 @@ struct rpc_pipe_client {
> > > - uint16 max_recv_frag;
> > > -
> > > - struct pipe_auth_data *auth;
> > > --
> > > -- /* The following is only non-null on a netlogon client pipe. */
> > > -- struct netlogon_creds_cli_context *netlogon_creds;
> > > - };
> > > -
> > > - #endif /* _RPC_CLIENT_H */
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 710124dca6a97d9148d62bc9aa727568d5284e45 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Thu, 17 Oct 2013 19:17:12 +0200
> > > -Subject: [PATCH 213/249] libcli/auth: remove unused
> > > - netlogon_creds_cli_context_copy()
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 3d45d4dc3c69557bf1d1fe6d4a880ad74a2a41f1)
> > > ----
> > > - libcli/auth/netlogon_creds_cli.c | 47 ----------------------------------------
> > > - libcli/auth/netlogon_creds_cli.h | 4 ----
> > > - 2 files changed, 51 deletions(-)
> > > -
> > > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > > -index 6590b21..1724064 100644
> > > ---- a/libcli/auth/netlogon_creds_cli.c
> > > -+++ b/libcli/auth/netlogon_creds_cli.c
> > > -@@ -488,53 +488,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > --NTSTATUS netlogon_creds_cli_context_copy(
> > > -- const struct netlogon_creds_cli_context *src,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- struct netlogon_creds_cli_context **_dst)
> > > --{
> > > -- struct netlogon_creds_cli_context *dst;
> > > --
> > > -- dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
> > > -- if (dst == NULL) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- *dst = *src;
> > > --
> > > -- dst->client.computer = talloc_strdup(dst, src->client.computer);
> > > -- if (dst->client.computer == NULL) {
> > > -- TALLOC_FREE(dst);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > -- dst->client.account = talloc_strdup(dst, src->client.account);
> > > -- if (dst->client.account == NULL) {
> > > -- TALLOC_FREE(dst);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > -- dst->server.computer = talloc_strdup(dst, src->server.computer);
> > > -- if (dst->server.computer == NULL) {
> > > -- TALLOC_FREE(dst);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > -- dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
> > > -- if (dst->server.netbios_domain == NULL) {
> > > -- TALLOC_FREE(dst);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- dst->db.key_name = talloc_strdup(dst, src->db.key_name);
> > > -- if (dst->db.key_name == NULL) {
> > > -- TALLOC_FREE(dst);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > --
> > > -- dst->db.key_data = string_term_tdb_data(dst->db.key_name);
> > > --
> > > -- *_dst = dst;
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > - enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
> > > - struct netlogon_creds_cli_context *context)
> > > - {
> > > -diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
> > > -index f8f2bef..5bd8bd3 100644
> > > ---- a/libcli/auth/netlogon_creds_cli.h
> > > -+++ b/libcli/auth/netlogon_creds_cli.h
> > > -@@ -49,10 +49,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
> > > - const char *server_netbios_domain,
> > > - TALLOC_CTX *mem_ctx,
> > > - struct netlogon_creds_cli_context **_context);
> > > --NTSTATUS netlogon_creds_cli_context_copy(
> > > -- const struct netlogon_creds_cli_context *src,
> > > -- TALLOC_CTX *mem_ctx,
> > > -- struct netlogon_creds_cli_context **_dst);
> > > -
> > > - enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
> > > - struct netlogon_creds_cli_context *context);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From aa3a65e9770bb81e73b30e71b49855b18d012e68 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 6 Dec 2013 11:38:21 +0100
> > > -Subject: [PATCH 214/249] lib/param: add "allow nt4 crypto" option, defaulting
> > > - to false
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 87bdc88328568359e51af6615b378ba8dc67f647)
> > > ----
> > > - docs-xml/smbdotconf/logon/allownt4crypto.xml | 26 ++++++++++++++++++++++++++
> > > - lib/param/param_functions.c | 1 +
> > > - lib/param/param_table.c | 9 +++++++++
> > > - 3 files changed, 36 insertions(+)
> > > - create mode 100644 docs-xml/smbdotconf/logon/allownt4crypto.xml
> > > -
> > > -diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
> > > -new file mode 100644
> > > -index 0000000..4d417c7
> > > ---- /dev/null
> > > -+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
> > > -@@ -0,0 +1,26 @@
> > > -+<samba:parameter name="allow nt4 crypto"
> > > -+ context="G"
> > > -+ type="boolean"
> > > -+ advanced="1"
> > > -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > > -+<description>
> > > -+ <para>This option controls whether the netlogon server (currently
> > > -+ only in 'active directory domain controller' mode), will
> > > -+ reject clients which does not support NETLOGON_NEG_STRONG_KEYS
> > > -+ nor NETLOGON_NEG_SUPPORTS_AES.</para>
> > > -+
> > > -+ <para>This option was added with Samba 4.2.0. It may lock out clients
> > > -+ which worked fine with Samba versions up to 4.1.x. as the effective default
> > > -+ was "yes" there, while it is "no" now.</para>
> > > -+
> > > -+ <para>If you have clients without RequireStrongKey = 1 in the registry,
> > > -+ you may need to set "allow nt4 crypto = yes", until you have fixed all clients.
> > > -+ </para>
> > > -+
> > > -+ <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
> > > -+
> > > -+ <para>This option yields precedence to the 'reject md5 clients' option.</para>
> > > -+</description>
> > > -+
> > > -+<value type="default">no</value>
> > > -+</samba:parameter>
> > > -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> > > -index 41b137f..bf931c6 100644
> > > ---- a/lib/param/param_functions.c
> > > -+++ b/lib/param/param_functions.c
> > > -@@ -154,6 +154,7 @@ FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
> > > - FN_LOCAL_BOOL(durable_handles, bDurableHandles)
> > > -
> > > - FN_GLOBAL_BOOL(allow_insecure_widelinks, bAllowInsecureWidelinks)
> > > -+FN_GLOBAL_BOOL(allow_nt4_crypto, bAllowNT4Crypto)
> > > - FN_GLOBAL_BOOL(allow_trusted_domains, bAllowTrustedDomains)
> > > - FN_GLOBAL_BOOL(async_smb_echo_handler, bAsyncSMBEchoHandler)
> > > - FN_GLOBAL_BOOL(bind_interfaces_only, bBindInterfacesOnly)
> > > -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> > > -index 36e8554..5ef78de 100644
> > > ---- a/lib/param/param_table.c
> > > -+++ b/lib/param/param_table.c
> > > -@@ -4324,6 +4324,15 @@ static struct parm_struct parm_table[] = {
> > > - .special = NULL,
> > > - .enum_list = NULL
> > > - },
> > > -+ {
> > > -+ .label = "allow nt4 crypto",
> > > -+ .type = P_BOOL,
> > > -+ .p_class = P_GLOBAL,
> > > -+ .offset = GLOBAL_VAR(bAllowNT4Crypto),
> > > -+ .special = NULL,
> > > -+ .enum_list = NULL,
> > > -+ .flags = FLAG_ADVANCED,
> > > -+ },
> > > -
> > > - {N_("TLS options"), P_SEP, P_SEPARATOR},
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 51323c0574963065e2edf9346f310f08ce2b59e8 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 6 Dec 2013 11:39:15 +0100
> > > -Subject: [PATCH 215/249] lib/param: add "reject md5 client" option, defaulting
> > > - to false
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 807bcb4981fb20a9b97e69f01c3545ea7e85666e)
> > > ----
> > > - docs-xml/smbdotconf/logon/rejectmd5clients.xml | 18 ++++++++++++++++++
> > > - lib/param/param_functions.c | 1 +
> > > - lib/param/param_table.c | 9 +++++++++
> > > - 3 files changed, 28 insertions(+)
> > > - create mode 100644 docs-xml/smbdotconf/logon/rejectmd5clients.xml
> > > -
> > > -diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
> > > -new file mode 100644
> > > -index 0000000..04a5b4d
> > > ---- /dev/null
> > > -+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
> > > -@@ -0,0 +1,18 @@
> > > -+<samba:parameter name="reject md5 clients"
> > > -+ context="G"
> > > -+ type="boolean"
> > > -+ advanced="1"
> > > -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > > -+<description>
> > > -+ <para>This option controls whether the netlogon server (currently
> > > -+ only in 'active directory domain controller' mode), will
> > > -+ reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
> > > -+
> > > -+ <para>You can set this to yes if all domain members support aes.
> > > -+ This will prevent downgrade attacks.</para>
> > > -+
> > > -+ <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
> > > -+</description>
> > > -+
> > > -+<value type="default">no</value>
> > > -+</samba:parameter>
> > > -diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
> > > -index bf931c6..99f0b7f 100644
> > > ---- a/lib/param/param_functions.c
> > > -+++ b/lib/param/param_functions.c
> > > -@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
> > > - FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
> > > - FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
> > > - FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
> > > -+FN_GLOBAL_BOOL(reject_md5_clients, bRejectMD5Clients)
> > > - FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
> > > - FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
> > > - FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
> > > -diff --git a/lib/param/param_table.c b/lib/param/param_table.c
> > > -index 5ef78de..4850324 100644
> > > ---- a/lib/param/param_table.c
> > > -+++ b/lib/param/param_table.c
> > > -@@ -4333,6 +4333,15 @@ static struct parm_struct parm_table[] = {
> > > - .enum_list = NULL,
> > > - .flags = FLAG_ADVANCED,
> > > - },
> > > -+ {
> > > -+ .label = "reject md5 clients",
> > > -+ .type = P_BOOL,
> > > -+ .p_class = P_GLOBAL,
> > > -+ .offset = GLOBAL_VAR(bRejectMD5Clients),
> > > -+ .special = NULL,
> > > -+ .enum_list = NULL,
> > > -+ .flags = FLAG_ADVANCED,
> > > -+ },
> > > -
> > > - {N_("TLS options"), P_SEP, P_SEPARATOR},
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4f3cd17f89ddedaf6e34bc17b220f6ae6993d0c0 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 6 Dec 2013 13:41:43 +0100
> > > -Subject: [PATCH 216/249] selftest/Samba4: use "allow nt4 crypto = yes" for
> > > - testing
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 0d4806f9f056c3e37f5aed1ef19e2924aa8f4151)
> > > ----
> > > - selftest/target/Samba4.pm | 1 +
> > > - 1 file changed, 1 insertion(+)
> > > -
> > > -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
> > > -index ac2fdd9..ee6a365 100644
> > > ---- a/selftest/target/Samba4.pm
> > > -+++ b/selftest/target/Samba4.pm
> > > -@@ -776,6 +776,7 @@ sub provision($$$$$$$$$)
> > > - server max protocol = SMB2
> > > - host msdfs = $msdfs
> > > - lanman auth = yes
> > > -+ allow nt4 crypto = yes
> > > -
> > > - $extra_smbconf_options
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 32f88ae5a3d254c6e1b94ea2aaa45febf475af9e Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 23 Dec 2013 10:12:24 +0100
> > > -Subject: [PATCH 217/249] s4:netlogon: correctly calculate the negotiate_flags
> > > -
> > > -We need to bit-wise AND the client and server flags.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 3b77b804cdc9e7621f026ef9bc8e7059f471348e)
> > > ----
> > > - source4/rpc_server/netlogon/dcerpc_netlogon.c | 59 +++++++++++++--------------
> > > - 1 file changed, 28 insertions(+), 31 deletions(-)
> > > -
> > > -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -index c41cd02..b001cb5 100644
> > > ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -@@ -120,6 +120,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > > -
> > > - const char *trust_dom_attrs[] = {"flatname", NULL};
> > > - const char *account_name;
> > > -+ uint32_t server_flags = 0;
> > > - uint32_t negotiate_flags = 0;
> > > -
> > > - ZERO_STRUCTP(r->out.return_credentials);
> > > -@@ -176,37 +177,33 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > > - memcache_delete(global_challenge_table,
> > > - SINGLETON_CACHE, challenge_key);
> > > -
> > > -- negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
> > > -- NETLOGON_NEG_PERSISTENT_SAMREPL |
> > > -- NETLOGON_NEG_ARCFOUR |
> > > -- NETLOGON_NEG_PROMOTION_COUNT |
> > > -- NETLOGON_NEG_CHANGELOG_BDC |
> > > -- NETLOGON_NEG_FULL_SYNC_REPL |
> > > -- NETLOGON_NEG_MULTIPLE_SIDS |
> > > -- NETLOGON_NEG_REDO |
> > > -- NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
> > > -- NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
> > > -- NETLOGON_NEG_GENERIC_PASSTHROUGH |
> > > -- NETLOGON_NEG_CONCURRENT_RPC |
> > > -- NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
> > > -- NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
> > > -- NETLOGON_NEG_TRANSITIVE_TRUSTS |
> > > -- NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
> > > -- NETLOGON_NEG_PASSWORD_SET2 |
> > > -- NETLOGON_NEG_GETDOMAININFO |
> > > -- NETLOGON_NEG_CROSS_FOREST_TRUSTS |
> > > -- NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
> > > -- NETLOGON_NEG_RODC_PASSTHROUGH |
> > > -- NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
> > > -- NETLOGON_NEG_AUTHENTICATED_RPC;
> > > --
> > > -- if (*r->in.negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
> > > -- negotiate_flags |= NETLOGON_NEG_STRONG_KEYS;
> > > -- }
> > > --
> > > -- if (*r->in.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -- negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
> > > -- }
> > > -+ server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
> > > -+ NETLOGON_NEG_PERSISTENT_SAMREPL |
> > > -+ NETLOGON_NEG_ARCFOUR |
> > > -+ NETLOGON_NEG_PROMOTION_COUNT |
> > > -+ NETLOGON_NEG_CHANGELOG_BDC |
> > > -+ NETLOGON_NEG_FULL_SYNC_REPL |
> > > -+ NETLOGON_NEG_MULTIPLE_SIDS |
> > > -+ NETLOGON_NEG_REDO |
> > > -+ NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
> > > -+ NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
> > > -+ NETLOGON_NEG_GENERIC_PASSTHROUGH |
> > > -+ NETLOGON_NEG_CONCURRENT_RPC |
> > > -+ NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
> > > -+ NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
> > > -+ NETLOGON_NEG_STRONG_KEYS |
> > > -+ NETLOGON_NEG_TRANSITIVE_TRUSTS |
> > > -+ NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
> > > -+ NETLOGON_NEG_PASSWORD_SET2 |
> > > -+ NETLOGON_NEG_GETDOMAININFO |
> > > -+ NETLOGON_NEG_CROSS_FOREST_TRUSTS |
> > > -+ NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
> > > -+ NETLOGON_NEG_RODC_PASSTHROUGH |
> > > -+ NETLOGON_NEG_SUPPORTS_AES |
> > > -+ NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
> > > -+ NETLOGON_NEG_AUTHENTICATED_RPC;
> > > -+
> > > -+ negotiate_flags = *r->in.negotiate_flags & server_flags;
> > > -
> > > - /*
> > > - * According to Microsoft (see bugid #6099)
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From ce8c9b651d9da88a13a8cd0fe02e5f3e2f1f6b51 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Mon, 23 Dec 2013 10:10:17 +0100
> > > -Subject: [PATCH 218/249] s4:netlogon: don't generate a debug message for
> > > - SEC_CHAN_NULL.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 2e36fbc77dc43f31ec78cdbef23b94bd00d6f565)
> > > ----
> > > - source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 ++
> > > - 1 file changed, 2 insertions(+)
> > > -
> > > -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -index b001cb5..45a7262 100644
> > > ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -@@ -220,6 +220,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > > - case SEC_CHAN_BDC:
> > > - case SEC_CHAN_RODC:
> > > - break;
> > > -+ case SEC_CHAN_NULL:
> > > -+ return NT_STATUS_INVALID_PARAMETER;
> > > - default:
> > > - DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
> > > - r->in.secure_channel_type));
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From b4d5ace784d207f8562a4c93b55de415a81cec42 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 6 Dec 2013 12:08:50 +0100
> > > -Subject: [PATCH 219/249] s4:netlogon: implement "allow nt4 crypto" and "reject
> > > - md5 clients" features.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -
> > > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > > -Autobuild-Date(master): Tue Jan 7 16:53:31 CET 2014 on sn-devel-104
> > > -(cherry picked from commit 7d2abf520df1ff46d79dfd8ff579c230f2bc3c2a)
> > > ----
> > > - source4/rpc_server/netlogon/dcerpc_netlogon.c | 20 ++++++++++++++++++++
> > > - 1 file changed, 20 insertions(+)
> > > -
> > > -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -index 45a7262..6b57cda 100644
> > > ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -@@ -122,6 +122,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > > - const char *account_name;
> > > - uint32_t server_flags = 0;
> > > - uint32_t negotiate_flags = 0;
> > > -+ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
> > > -+ bool reject_des_client = !allow_nt4_crypto;
> > > -+ bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
> > > -
> > > - ZERO_STRUCTP(r->out.return_credentials);
> > > - *r->out.rid = 0;
> > > -@@ -205,6 +208,23 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > > -
> > > - negotiate_flags = *r->in.negotiate_flags & server_flags;
> > > -
> > > -+ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
> > > -+ reject_des_client = false;
> > > -+ }
> > > -+
> > > -+ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
> > > -+ reject_des_client = false;
> > > -+ reject_md5_client = false;
> > > -+ }
> > > -+
> > > -+ if (reject_des_client || reject_md5_client) {
> > > -+ /*
> > > -+ * Here we match Windows 2012 and return no flags.
> > > -+ */
> > > -+ *r->out.negotiate_flags = 0;
> > > -+ return NT_STATUS_DOWNGRADE_DETECTED;
> > > -+ }
> > > -+
> > > - /*
> > > - * According to Microsoft (see bugid #6099)
> > > - * Windows 7 looks at the negotiate_flags
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From ff28e17cdcbe8e1ec4a275d80b3e749da4920c6d Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Wed, 8 Jan 2014 12:04:22 +0100
> > > -Subject: [PATCH 220/249] libcli/auth: fix usage of an uninitialized variable
> > > - in netlogon_creds_cli_check_caps()
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -If status is RPC_PROCNUM_OUT_OF_RANGE, result might be uninitialized.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Günther Deschner <gd@samba.org>
> > > -(cherry picked from commit 0e62f3279525ea864590f713f334f4dc5f5d3a32)
> > > ----
> > > - libcli/auth/netlogon_creds_cli.c | 4 ++--
> > > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > > -index 1724064..51b30a1 100644
> > > ---- a/libcli/auth/netlogon_creds_cli.c
> > > -+++ b/libcli/auth/netlogon_creds_cli.c
> > > -@@ -1390,7 +1390,7 @@ struct netlogon_creds_cli_check_state {
> > > - };
> > > -
> > > - static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
> > > -- NTSTATUS status);
> > > -+ NTSTATUS status);
> > > - static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
> > > -
> > > - struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
> > > -@@ -1582,7 +1582,7 @@ static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
> > > - * with the next request as the sequence number processing
> > > - * gets out of sync.
> > > - */
> > > -- netlogon_creds_cli_check_cleanup(req, result);
> > > -+ netlogon_creds_cli_check_cleanup(req, status);
> > > - tevent_req_done(req);
> > > - return;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From d4902881482eeecf5a219342b3862ac0fbb7b7a9 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 17 Jan 2014 14:00:27 +0100
> > > -Subject: [PATCH 221/249] libcli/auth: add netlogon_creds_cli_set_global_db()
> > > -
> > > -This can be used to inject a db_context from dbwrap_ctdb.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit ece3ba10a16138a75b207a0cf9fe299759253d99)
> > > ----
> > > - libcli/auth/netlogon_creds_cli.c | 10 ++++++++++
> > > - libcli/auth/netlogon_creds_cli.h | 2 ++
> > > - 2 files changed, 12 insertions(+)
> > > -
> > > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > > -index 51b30a1..37bdf74 100644
> > > ---- a/libcli/auth/netlogon_creds_cli.c
> > > -+++ b/libcli/auth/netlogon_creds_cli.c
> > > -@@ -199,6 +199,16 @@ static NTSTATUS netlogon_creds_cli_context_common(
> > > -
> > > - static struct db_context *netlogon_creds_cli_global_db;
> > > -
> > > -+NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db)
> > > -+{
> > > -+ if (netlogon_creds_cli_global_db != NULL) {
> > > -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> > > -+ }
> > > -+
> > > -+ netlogon_creds_cli_global_db = talloc_move(talloc_autofree_context(), db);
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > - NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
> > > - {
> > > - char *fname;
> > > -diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
> > > -index 5bd8bd3..90d0182 100644
> > > ---- a/libcli/auth/netlogon_creds_cli.h
> > > -+++ b/libcli/auth/netlogon_creds_cli.h
> > > -@@ -28,7 +28,9 @@
> > > - struct netlogon_creds_cli_context;
> > > - struct messaging_context;
> > > - struct dcerpc_binding_handle;
> > > -+struct db_context;
> > > -
> > > -+NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db);
> > > - NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
> > > -
> > > - NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 80407a74da35cac64bef252698a2477787f0997d Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 17 Jan 2014 14:07:37 +0100
> > > -Subject: [PATCH 222/249] s3:rpc_client: use db_open() to open
> > > - "netlogon_creds_cli.tdb"
> > > -
> > > -This uses dbwrap_ctdb if running in a cluster.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 8cf4eff201aa9e1ba8127311bcfc2a357fb4ef03)
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 38 ++++++++++++++++++++++++++++++++++++--
> > > - 1 file changed, 36 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index ca2d9bf..b7b490f 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -21,6 +21,7 @@
> > > - */
> > > -
> > > - #include "includes.h"
> > > -+#include "system/filesys.h"
> > > - #include "libsmb/libsmb.h"
> > > - #include "rpc_client/rpc_client.h"
> > > - #include "rpc_client/cli_pipe.h"
> > > -@@ -34,26 +35,53 @@
> > > - #include "../libcli/security/security.h"
> > > - #include "lib/param/param.h"
> > > - #include "libcli/smb/smbXcli_base.h"
> > > -+#include "dbwrap/dbwrap.h"
> > > -+#include "dbwrap/dbwrap_open.h"
> > > -+#include "util_tdb.h"
> > > -
> > > -
> > > - NTSTATUS rpccli_pre_open_netlogon_creds(void)
> > > - {
> > > -- TALLOC_CTX *frame = talloc_stackframe();
> > > -+ static bool already_open = false;
> > > -+ TALLOC_CTX *frame;
> > > - struct loadparm_context *lp_ctx;
> > > -+ char *fname;
> > > -+ struct db_context *global_db;
> > > - NTSTATUS status;
> > > -
> > > -+ if (already_open) {
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+
> > > -+ frame = talloc_stackframe();
> > > -+
> > > - lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> > > - if (lp_ctx == NULL) {
> > > - TALLOC_FREE(frame);
> > > - return NT_STATUS_NO_MEMORY;
> > > - }
> > > -
> > > -- status = netlogon_creds_cli_open_global_db(lp_ctx);
> > > -+ fname = lpcfg_private_db_path(frame, lp_ctx, "netlogon_creds_cli");
> > > -+ if (fname == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ global_db = db_open(talloc_autofree_context(), fname,
> > > -+ 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > > -+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
> > > -+ if (global_db == NULL) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+
> > > -+ status = netlogon_creds_cli_set_global_db(&global_db);
> > > - TALLOC_FREE(frame);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - return status;
> > > - }
> > > -
> > > -+ already_open = true;
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -@@ -69,6 +97,12 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
> > > - struct loadparm_context *lp_ctx;
> > > - NTSTATUS status;
> > > -
> > > -+ status = rpccli_pre_open_netlogon_creds();
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > -+ }
> > > -+
> > > - lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
> > > - if (lp_ctx == NULL) {
> > > - TALLOC_FREE(frame);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 2ed3041405f5808031f2d5fd0e42f48246d22b7b Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 17 Jan 2014 14:08:59 +0100
> > > -Subject: [PATCH 223/249] libcli/auth: don't alter the computer_name in cluster
> > > - mode.
> > > -
> > > -This breaks NTLMv2 authentication.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 387ed2e15df085274f72cebda341040a1e767a4b)
> > > ----
> > > - libcli/auth/netlogon_creds_cli.c | 22 +++-------------------
> > > - 1 file changed, 3 insertions(+), 19 deletions(-)
> > > -
> > > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > > -index 37bdf74..88893ad 100644
> > > ---- a/libcli/auth/netlogon_creds_cli.c
> > > -+++ b/libcli/auth/netlogon_creds_cli.c
> > > -@@ -261,28 +261,12 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
> > > - bool seal_secure_channel = true;
> > > - enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
> > > - bool neutralize_nt4_emulation = false;
> > > -- struct server_id self = {
> > > -- .vnn = NONCLUSTER_VNN,
> > > -- .unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
> > > -- };
> > > --
> > > -- if (msg_ctx != NULL) {
> > > -- self = messaging_server_id(msg_ctx);
> > > -- }
> > > -
> > > - *_context = NULL;
> > > -
> > > -- if (self.vnn != NONCLUSTER_VNN) {
> > > -- client_computer = talloc_asprintf(frame,
> > > -- "%s_cluster_vnn_%u",
> > > -- lpcfg_netbios_name(lp_ctx),
> > > -- (unsigned)self.vnn);
> > > -- if (client_computer == NULL) {
> > > -- TALLOC_FREE(frame);
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > -- } else {
> > > -- client_computer = lpcfg_netbios_name(lp_ctx);
> > > -+ client_computer = lpcfg_netbios_name(lp_ctx);
> > > -+ if (strlen(client_computer) > 15) {
> > > -+ return NT_STATUS_INVALID_PARAMETER_MIX;
> > > - }
> > > -
> > > - /*
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 8257c3a5d6e8319578d224e544242da81b043a54 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Fri, 10 Jan 2014 13:13:40 +0100
> > > -Subject: [PATCH 224/249] libcli/auth: reject computer_name longer than 15
> > > - chars
> > > -
> > > -This matches Windows, it seems they use a fixed size field to store
> > > -netlogon_creds_CredentialState.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit b8fdeb8ca7ce362058bb86a4e58b34fb6340867e)
> > > ----
> > > - libcli/auth/schannel_state_tdb.c | 8 ++++++++
> > > - 1 file changed, 8 insertions(+)
> > > -
> > > -diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
> > > -index 8f9c1f0..b91e242 100644
> > > ---- a/libcli/auth/schannel_state_tdb.c
> > > -+++ b/libcli/auth/schannel_state_tdb.c
> > > -@@ -78,6 +78,14 @@ NTSTATUS schannel_store_session_key_tdb(struct db_context *db_sc,
> > > - char *name_upper;
> > > - NTSTATUS status;
> > > -
> > > -+ if (strlen(creds->computer_name) > 15) {
> > > -+ /*
> > > -+ * We may want to check for a completely
> > > -+ * valid netbios name.
> > > -+ */
> > > -+ return STATUS_BUFFER_OVERFLOW;
> > > -+ }
> > > -+
> > > - name_upper = strupper_talloc(mem_ctx, creds->computer_name);
> > > - if (!name_upper) {
> > > - return NT_STATUS_NO_MEMORY;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From d6af8ed76f728621a8ba7515cf1180d6654c8d83 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 11 Jan 2014 17:13:04 +0100
> > > -Subject: [PATCH 225/249] s3:rpc_server/netlogon: return a zero
> > > - return_authenticator on error
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit dcc2c8362df9af088613722ebd8a6261fb098a5c)
> > > ----
> > > - source3/rpc_server/netlogon/srv_netlog_nt.c | 1 +
> > > - 1 file changed, 1 insertion(+)
> > > -
> > > -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
> > > -index 09857b6..7bb9dd6 100644
> > > ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
> > > -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
> > > -@@ -1020,6 +1020,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
> > > - talloc_unlink(p->mem_ctx, lp_ctx);
> > > -
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -+ ZERO_STRUCTP(r->out.return_credentials);
> > > - goto out;
> > > - }
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From be06629b25f8340ac54a9e674e6a5da1eb01e733 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Sat, 11 Jan 2014 17:13:04 +0100
> > > -Subject: [PATCH 226/249] s4:rpc_server/netlogon: return a zero
> > > - return_authenticator and rid on error
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > -(cherry picked from commit 25fb73f2821821630dde4cc263794e754ca03d68)
> > > ----
> > > - source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++++++----
> > > - 1 file changed, 8 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -index 6b57cda..afa15d8 100644
> > > ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
> > > -@@ -348,9 +348,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > > - return NT_STATUS_INTERNAL_ERROR;
> > > - }
> > > -
> > > -- *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
> > > -- "objectSid", 0);
> > > --
> > > - mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "unicodePwd");
> > > - if (mach_pwd == NULL) {
> > > - return NT_STATUS_ACCESS_DENIED;
> > > -@@ -383,8 +380,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> > > - nt_status = schannel_save_creds_state(mem_ctx,
> > > - dce_call->conn->dce_ctx->lp_ctx,
> > > - creds);
> > > -+ if (!NT_STATUS_IS_OK(nt_status)) {
> > > -+ ZERO_STRUCTP(r->out.return_credentials);
> > > -+ return nt_status;
> > > -+ }
> > > -
> > > -- return nt_status;
> > > -+ *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
> > > -+ "objectSid", 0);
> > > -+
> > > -+ return NT_STATUS_OK;
> > > - }
> > > -
> > > - static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From f5fe58d49fc66867db743393a92e1cd8e4cb293b Mon Sep 17 00:00:00 2001
> > > -From: Michael Adam <obnox@samba.org>
> > > -Date: Wed, 29 Jan 2014 16:58:37 +0100
> > > -Subject: [PATCH 227/249] dbwrap_tool: remove the short form "-p" of
> > > - "--persistent"
> > > -
> > > -Signed-off-by: Michael Adam <obnox@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 6dd1008c4e8b0b798d589959021c9b578db74ff4)
> > > ----
> > > - source3/utils/dbwrap_tool.c | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
> > > -index 79b40d2..406e89e 100644
> > > ---- a/source3/utils/dbwrap_tool.c
> > > -+++ b/source3/utils/dbwrap_tool.c
> > > -@@ -420,7 +420,7 @@ int main(int argc, const char **argv)
> > > - struct poptOption popt_options[] = {
> > > - POPT_AUTOHELP
> > > - POPT_COMMON_SAMBA
> > > -- { "persistent", 'p', POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
> > > -+ { "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
> > > - POPT_TABLEEND
> > > - };
> > > - int opt;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 209b5ec86620f8caadcc714db0cbec4789db0377 Mon Sep 17 00:00:00 2001
> > > -From: Michael Adam <obnox@samba.org>
> > > -Date: Thu, 30 Jan 2014 10:33:00 +0100
> > > -Subject: [PATCH 228/249] docs: remove short form "-p" of --persistent from
> > > - dbwrap_tool manpage
> > > -
> > > -Signed-off-by: Michael Adam <obnox@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 6f748fef652bbea3c8dbbbfb96b95270e6f1dcfc)
> > > ----
> > > - docs-xml/manpages/dbwrap_tool.1.xml | 4 ++--
> > > - 1 file changed, 2 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
> > > -index 074d819..94ae281 100644
> > > ---- a/docs-xml/manpages/dbwrap_tool.1.xml
> > > -+++ b/docs-xml/manpages/dbwrap_tool.1.xml
> > > -@@ -19,7 +19,7 @@
> > > - <refsynopsisdiv>
> > > - <cmdsynopsis>
> > > - <command>dbwrap_tool</command>
> > > -- <arg choice="opt">-p|--persistent</arg>
> > > -+ <arg choice="opt">--persistent</arg>
> > > - <arg choice="opt">-d <debug level></arg>
> > > - <arg choice="opt">-s <config file></arg>
> > > - <arg choice="opt">-l <log file base></arg>
> > > -@@ -70,7 +70,7 @@
> > > -
> > > - <variablelist>
> > > - <varlistentry>
> > > -- <term>-p|--persistent</term>
> > > -+ <term>--persistent</term>
> > > - <listitem><para>Open the database as a persistent database.
> > > - If this option is not specified, the database is opened as
> > > - non-persistent.
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From f3b8b74ff6d74fe9a0047256074e21c3363b112f Mon Sep 17 00:00:00 2001
> > > -From: Michael Adam <obnox@samba.org>
> > > -Date: Thu, 30 Jan 2014 10:29:49 +0100
> > > -Subject: [PATCH 229/249] dbwrap_tool: add option "--non-persistent" and force
> > > - excatly one of "--[non-]persistent"
> > > -
> > > -We want to force users of dbwrap_tool to explicitly specify
> > > -persistent or non-persistent. Otherwise, one could easily
> > > -by accident wipe a whole database that is actually persistent
> > > -but not currently opened by a samba process, just by openeing
> > > -the DB with the default non-persistent mode...
> > > -
> > > -Signed-off-by: Michael Adam <obnox@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit c3f93271ef447f9f16cd3002307c630c5f149f5a)
> > > ----
> > > - source3/utils/dbwrap_tool.c | 23 ++++++++++++++++++-----
> > > - 1 file changed, 18 insertions(+), 5 deletions(-)
> > > -
> > > -diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
> > > -index 406e89e..ffca6b6 100644
> > > ---- a/source3/utils/dbwrap_tool.c
> > > -+++ b/source3/utils/dbwrap_tool.c
> > > -@@ -411,6 +411,7 @@ int main(int argc, const char **argv)
> > > - enum dbwrap_type type;
> > > - const char *valuestr = "0";
> > > - int persistent = 0;
> > > -+ int non_persistent = 0;
> > > - int tdb_flags = TDB_DEFAULT;
> > > -
> > > - TALLOC_CTX *mem_ctx = talloc_stackframe();
> > > -@@ -420,7 +421,13 @@ int main(int argc, const char **argv)
> > > - struct poptOption popt_options[] = {
> > > - POPT_AUTOHELP
> > > - POPT_COMMON_SAMBA
> > > -- { "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
> > > -+ { "non-persistent", 0, POPT_ARG_NONE, &non_persistent, 0,
> > > -+ "treat the database as non-persistent "
> > > -+ "(CAVEAT: This mode might wipe your database!)",
> > > -+ NULL },
> > > -+ { "persistent", 0, POPT_ARG_NONE, &persistent, 0,
> > > -+ "treat the database as persistent",
> > > -+ NULL },
> > > - POPT_TABLEEND
> > > - };
> > > - int opt;
> > > -@@ -463,6 +470,16 @@ int main(int argc, const char **argv)
> > > - goto done;
> > > - }
> > > -
> > > -+ if ((persistent == 0 && non_persistent == 0) ||
> > > -+ (persistent == 1 && non_persistent == 1))
> > > -+ {
> > > -+ d_fprintf(stderr, "ERROR: you must specify exactly one "
> > > -+ "of --persistent and --non-persistent\n");
> > > -+ goto done;
> > > -+ } else if (non_persistent == 1) {
> > > -+ tdb_flags |= TDB_CLEAR_IF_FIRST;
> > > -+ }
> > > -+
> > > - dbname = extra_argv[0];
> > > - opname = extra_argv[1];
> > > -
> > > -@@ -563,10 +580,6 @@ int main(int argc, const char **argv)
> > > - goto done;
> > > - }
> > > -
> > > -- if (persistent == 0) {
> > > -- tdb_flags |= TDB_CLEAR_IF_FIRST;
> > > -- }
> > > --
> > > - switch (op) {
> > > - case OP_FETCH:
> > > - case OP_STORE:
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 7209e84e02c722365bec4e2a473c24217cbeb22b Mon Sep 17 00:00:00 2001
> > > -From: Michael Adam <obnox@samba.org>
> > > -Date: Thu, 30 Jan 2014 10:36:46 +0100
> > > -Subject: [PATCH 230/249] docs: document new --non-persistent option to
> > > - dbwrap_tool
> > > -
> > > -Signed-off-by: Michael Adam <obnox@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 1e3b352f799038ec25437db53e051dadb9d97c95)
> > > ----
> > > - docs-xml/manpages/dbwrap_tool.1.xml | 20 ++++++++++++++++++--
> > > - 1 file changed, 18 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
> > > -index 94ae281..ff0e478 100644
> > > ---- a/docs-xml/manpages/dbwrap_tool.1.xml
> > > -+++ b/docs-xml/manpages/dbwrap_tool.1.xml
> > > -@@ -20,6 +20,7 @@
> > > - <cmdsynopsis>
> > > - <command>dbwrap_tool</command>
> > > - <arg choice="opt">--persistent</arg>
> > > -+ <arg choice="opt">--non-persistent</arg>
> > > - <arg choice="opt">-d <debug level></arg>
> > > - <arg choice="opt">-s <config file></arg>
> > > - <arg choice="opt">-l <log file base></arg>
> > > -@@ -72,8 +73,23 @@
> > > - <varlistentry>
> > > - <term>--persistent</term>
> > > - <listitem><para>Open the database as a persistent database.
> > > -- If this option is not specified, the database is opened as
> > > -- non-persistent.
> > > -+ </para>
> > > -+ <para>
> > > -+ Exactly one of --persistent and --non-persistent must be
> > > -+ specified.
> > > -+ </para></listitem>
> > > -+ </varlistentry>
> > > -+ <varlistentry>
> > > -+ <term>--non-persistent</term>
> > > -+ <listitem><para>Open the database as a non-persistent database.
> > > -+ </para>
> > > -+ <para>
> > > -+ Caveat: opening a database as non-persistent when there
> > > -+ is currently no other opener will wipe the database.
> > > -+ </para>
> > > -+ <para>
> > > -+ Exactly one of --persistent and --non-persistent must be
> > > -+ specified.
> > > - </para></listitem>
> > > - </varlistentry>
> > > - &popt.common.samba.client;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From accf5a617055c161540384fdfe195ad9c43cd048 Mon Sep 17 00:00:00 2001
> > > -From: Michael Adam <obnox@samba.org>
> > > -Date: Thu, 30 Jan 2014 10:47:15 +0100
> > > -Subject: [PATCH 231/249] docs: remove extra spaces in synopsis of dbwrap_tool
> > > -
> > > -Signed-off-by: Michael Adam <obnox@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit e93f052e37e736e5776fe7f7c7d246f9ecc4b4c8)
> > > ----
> > > - docs-xml/manpages/dbwrap_tool.1.xml | 4 +---
> > > - 1 file changed, 1 insertion(+), 3 deletions(-)
> > > -
> > > -diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
> > > -index ff0e478..68a88df 100644
> > > ---- a/docs-xml/manpages/dbwrap_tool.1.xml
> > > -+++ b/docs-xml/manpages/dbwrap_tool.1.xml
> > > -@@ -30,9 +30,7 @@
> > > - <arg choice="req"><operation></arg>
> > > - <arg choice="opt"><key>
> > > - <arg choice="opt"><type>
> > > -- <arg choice="opt"><value></arg>
> > > -- </arg>
> > > -- </arg>
> > > -+ <arg choice="opt"><value></arg></arg></arg>
> > > - </cmdsynopsis>
> > > - </refsynopsisdiv>
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 0e193981caa2ad9458e758a46076664d2efdb70e Mon Sep 17 00:00:00 2001
> > > -From: Michael Adam <obnox@samba.org>
> > > -Date: Fri, 24 Jan 2014 00:09:50 +0100
> > > -Subject: [PATCH 232/249] smbd:smb2: fix durable reconnect: set fsp->fnum from
> > > - the smbXsrv_open->local_id
> > > -
> > > -Originally, fsp->fnum was left at the INVALID fnum value.
> > > -
> > > -Signed-off-by: Michael Adam <obnox@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 6b2d67a345e90306f0d35402d0f4e3067a014057)
> > > ----
> > > - source3/smbd/durable.c | 1 +
> > > - 1 file changed, 1 insertion(+)
> > > -
> > > -diff --git a/source3/smbd/durable.c b/source3/smbd/durable.c
> > > -index c3d0a6f..471c5b9 100644
> > > ---- a/source3/smbd/durable.c
> > > -+++ b/source3/smbd/durable.c
> > > -@@ -703,6 +703,7 @@ NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
> > > - fsp->share_access = e->share_access;
> > > - fsp->can_read = ((fsp->access_mask & (FILE_READ_DATA)) != 0);
> > > - fsp->can_write = ((fsp->access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) != 0);
> > > -+ fsp->fnum = op->local_id;
> > > -
> > > - /*
> > > - * TODO:
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From dbc1d6f8479cf84c714c4ed6b69df2a3673d0a46 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 24 Dec 2013 09:00:01 +0100
> > > -Subject: [PATCH 233/249] s3:smbd: skip empty records in smbXsrv_open_cleanup()
> > > -
> > > -This should avoid scary ndr_pull errors, if there's
> > > -a cleanup race.
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Michael Adam <obnox@samba.org>
> > > -
> > > -Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
> > > -Autobuild-Date(master): Thu Jan 30 18:49:37 CET 2014 on sn-devel-104
> > > -(cherry picked from commit 0b23345676c6f02d5bb1a327174d8456705ec0c7)
> > > ----
> > > - source3/smbd/smbXsrv_open.c | 9 +++++++++
> > > - 1 file changed, 9 insertions(+)
> > > -
> > > -diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
> > > -index 27dd50c..29c172c 100644
> > > ---- a/source3/smbd/smbXsrv_open.c
> > > -+++ b/source3/smbd/smbXsrv_open.c
> > > -@@ -1380,6 +1380,7 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
> > > - struct smbXsrv_open_global0 *op = NULL;
> > > - uint8_t key_buf[SMBXSRV_OPEN_GLOBAL_TDB_KEY_SIZE];
> > > - TDB_DATA key;
> > > -+ TDB_DATA val;
> > > - struct db_record *rec;
> > > - bool delete_open = false;
> > > - uint32_t global_id = persistent_id & UINT32_MAX;
> > > -@@ -1395,6 +1396,14 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
> > > - goto done;
> > > - }
> > > -
> > > -+ val = dbwrap_record_get_value(rec);
> > > -+ if (val.dsize == 0) {
> > > -+ DEBUG(10, ("smbXsrv_open_cleanup[global: 0x%08x] "
> > > -+ "empty record in %s, skipping...\n",
> > > -+ global_id, dbwrap_name(smbXsrv_open_global_db_ctx)));
> > > -+ goto done;
> > > -+ }
> > > -+
> > > - status = smbXsrv_open_global_parse_record(talloc_tos(), rec, &op);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(1, ("smbXsrv_open_cleanup[global: 0x%08x] "
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 838d9da4a7fe6c90ba7cae6563f0af5d8b6cf6d5 Mon Sep 17 00:00:00 2001
> > > -From: Michael Adam <obnox@samba.org>
> > > -Date: Mon, 27 Jan 2014 13:38:51 +0100
> > > -Subject: [PATCH 234/249] dbwrap: add flags DBWRAP_FLAG_NONE
> > > -
> > > -This is in preparation of adding a dbwrap_flags argument to db_open
> > > -and firends.
> > > -
> > > -Signed-off-by: Michael Adam <obnox@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 229dcfd3501e4743d5d9aea5c9f7a97d7612a499)
> > > ----
> > > - lib/dbwrap/dbwrap.h | 2 ++
> > > - 1 file changed, 2 insertions(+)
> > > -
> > > -diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
> > > -index 8bf3286..4064ba2 100644
> > > ---- a/lib/dbwrap/dbwrap.h
> > > -+++ b/lib/dbwrap/dbwrap.h
> > > -@@ -32,6 +32,8 @@ enum dbwrap_lock_order {
> > > - };
> > > - #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
> > > -
> > > -+#define DBWRAP_FLAG_NONE 0x0000000000000000ULL
> > > -+
> > > - /* The following definitions come from lib/dbwrap.c */
> > > -
> > > - TDB_DATA dbwrap_record_get_key(const struct db_record *rec);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 868d8e2fa389ab0c697e9a70a4373908aa7df80b Mon Sep 17 00:00:00 2001
> > > -From: Michael Adam <obnox@samba.org>
> > > -Date: Mon, 27 Jan 2014 14:49:12 +0100
> > > -Subject: [PATCH 235/249] dbwrap: add a dbwrap_flags argument to db_open()
> > > -
> > > -This is in preparation to support handing flags to backends,
> > > -in particular activating read only record support for ctdb
> > > -databases. For a start, this does nothing but adding the
> > > -parameter, and all databases use DBWRAP_FLAG_NONE.
> > > -
> > > -Signed-off-by: Michael Adam <obnox@samba.org>
> > > -(similar to commit cf0cb0add9ed47b8974272237fee0e1a4ba7bf68)
> > > ----
> > > - source3/groupdb/mapping_tdb.c | 2 +-
> > > - source3/lib/dbwrap/dbwrap_open.c | 3 ++-
> > > - source3/lib/dbwrap/dbwrap_open.h | 3 ++-
> > > - source3/lib/dbwrap/dbwrap_watch.c | 3 ++-
> > > - source3/lib/g_lock.c | 3 ++-
> > > - source3/lib/serverid.c | 3 ++-
> > > - source3/lib/sharesec.c | 2 +-
> > > - source3/locking/brlock.c | 2 +-
> > > - source3/locking/share_mode_lock.c | 2 +-
> > > - source3/modules/vfs_acl_tdb.c | 2 +-
> > > - source3/modules/vfs_xattr_tdb.c | 2 +-
> > > - source3/passdb/account_pol.c | 4 ++--
> > > - source3/passdb/pdb_tdb.c | 6 +++---
> > > - source3/passdb/secrets.c | 2 +-
> > > - source3/printing/printer_list.c | 3 ++-
> > > - source3/registry/reg_backend_db.c | 6 +++---
> > > - source3/rpc_client/cli_netlogon.c | 3 ++-
> > > - source3/smbd/notify_internal.c | 2 +-
> > > - source3/smbd/smbXsrv_open.c | 3 ++-
> > > - source3/smbd/smbXsrv_session.c | 3 ++-
> > > - source3/smbd/smbXsrv_tcon.c | 3 ++-
> > > - source3/smbd/smbXsrv_version.c | 3 ++-
> > > - source3/torture/test_dbwrap_watch.c | 3 ++-
> > > - source3/torture/test_idmap_tdb_common.c | 2 +-
> > > - source3/torture/torture.c | 3 ++-
> > > - source3/utils/dbwrap_tool.c | 2 +-
> > > - source3/utils/dbwrap_torture.c | 2 +-
> > > - source3/utils/net_idmap.c | 6 +++---
> > > - source3/utils/net_idmap_check.c | 2 +-
> > > - source3/utils/net_registry_check.c | 4 ++--
> > > - source3/utils/status.c | 2 +-
> > > - source3/winbindd/idmap_autorid.c | 2 +-
> > > - source3/winbindd/idmap_tdb.c | 2 +-
> > > - source3/winbindd/idmap_tdb2.c | 2 +-
> > > - 34 files changed, 55 insertions(+), 42 deletions(-)
> > > -
> > > -diff --git a/source3/groupdb/mapping_tdb.c b/source3/groupdb/mapping_tdb.c
> > > -index 088874f..0863187 100644
> > > ---- a/source3/groupdb/mapping_tdb.c
> > > -+++ b/source3/groupdb/mapping_tdb.c
> > > -@@ -54,7 +54,7 @@ static bool init_group_mapping(void)
> > > -
> > > - db = db_open(NULL, state_path("group_mapping.tdb"), 0,
> > > - TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (db == NULL) {
> > > - DEBUG(0, ("Failed to open group mapping database: %s\n",
> > > - strerror(errno)));
> > > -diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
> > > -index 515b4bf..6c9280c 100644
> > > ---- a/source3/lib/dbwrap/dbwrap_open.c
> > > -+++ b/source3/lib/dbwrap/dbwrap_open.c
> > > -@@ -60,7 +60,8 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
> > > - const char *name,
> > > - int hash_size, int tdb_flags,
> > > - int open_flags, mode_t mode,
> > > -- enum dbwrap_lock_order lock_order)
> > > -+ enum dbwrap_lock_order lock_order,
> > > -+ uint64_t dbwrap_flags)
> > > - {
> > > - struct db_context *result = NULL;
> > > - #ifdef CLUSTER_SUPPORT
> > > -diff --git a/source3/lib/dbwrap/dbwrap_open.h b/source3/lib/dbwrap/dbwrap_open.h
> > > -index 51c7dfd..d14794e 100644
> > > ---- a/source3/lib/dbwrap/dbwrap_open.h
> > > -+++ b/source3/lib/dbwrap/dbwrap_open.h
> > > -@@ -39,6 +39,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
> > > - const char *name,
> > > - int hash_size, int tdb_flags,
> > > - int open_flags, mode_t mode,
> > > -- enum dbwrap_lock_order lock_order);
> > > -+ enum dbwrap_lock_order lock_order,
> > > -+ uint64_t dbwrap_flags);
> > > -
> > > - #endif /* __DBWRAP_OPEN_H__ */
> > > -diff --git a/source3/lib/dbwrap/dbwrap_watch.c b/source3/lib/dbwrap/dbwrap_watch.c
> > > -index 7bdcd99..5f3d17d 100644
> > > ---- a/source3/lib/dbwrap/dbwrap_watch.c
> > > -+++ b/source3/lib/dbwrap/dbwrap_watch.c
> > > -@@ -34,7 +34,8 @@ static struct db_context *dbwrap_record_watchers_db(void)
> > > - watchers_db = db_open(
> > > - NULL, lock_path("dbwrap_watchers.tdb"), 0,
> > > - TDB_CLEAR_IF_FIRST | TDB_INCOMPATIBLE_HASH,
> > > -- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3);
> > > -+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3,
> > > -+ DBWRAP_FLAG_NONE);
> > > - }
> > > - return watchers_db;
> > > - }
> > > -diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
> > > -index 8c7a6c2..6813f06 100644
> > > ---- a/source3/lib/g_lock.c
> > > -+++ b/source3/lib/g_lock.c
> > > -@@ -61,7 +61,8 @@ struct g_lock_ctx *g_lock_ctx_init(TALLOC_CTX *mem_ctx,
> > > - result->db = db_open(result, lock_path("g_lock.tdb"), 0,
> > > - TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > > - O_RDWR|O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_2);
> > > -+ DBWRAP_LOCK_ORDER_2,
> > > -+ DBWRAP_FLAG_NONE);
> > > - if (result->db == NULL) {
> > > - DEBUG(1, ("g_lock_init: Could not open g_lock.tdb\n"));
> > > - TALLOC_FREE(result);
> > > -diff --git a/source3/lib/serverid.c b/source3/lib/serverid.c
> > > -index cb49520..4259887 100644
> > > ---- a/source3/lib/serverid.c
> > > -+++ b/source3/lib/serverid.c
> > > -@@ -77,7 +77,8 @@ static struct db_context *serverid_db(void)
> > > - }
> > > - db = db_open(NULL, lock_path("serverid.tdb"), 0,
> > > - TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > > -- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2);
> > > -+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2,
> > > -+ DBWRAP_FLAG_NONE);
> > > - return db;
> > > - }
> > > -
> > > -diff --git a/source3/lib/sharesec.c b/source3/lib/sharesec.c
> > > -index c7a8e51..095c851 100644
> > > ---- a/source3/lib/sharesec.c
> > > -+++ b/source3/lib/sharesec.c
> > > -@@ -149,7 +149,7 @@ bool share_info_db_init(void)
> > > -
> > > - share_db = db_open(NULL, state_path("share_info.tdb"), 0,
> > > - TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (share_db == NULL) {
> > > - DEBUG(0,("Failed to open share info database %s (%s)\n",
> > > - state_path("share_info.tdb"), strerror(errno) ));
> > > -diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
> > > -index 5d683dd..d88aa2d 100644
> > > ---- a/source3/locking/brlock.c
> > > -+++ b/source3/locking/brlock.c
> > > -@@ -292,7 +292,7 @@ void brl_init(bool read_only)
> > > - brlock_db = db_open(NULL, lock_path("brlock.tdb"),
> > > - lp_open_files_db_hash_size(), tdb_flags,
> > > - read_only?O_RDONLY:(O_RDWR|O_CREAT), 0644,
> > > -- DBWRAP_LOCK_ORDER_2);
> > > -+ DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
> > > - if (!brlock_db) {
> > > - DEBUG(0,("Failed to open byte range locking database %s\n",
> > > - lock_path("brlock.tdb")));
> > > -diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c
> > > -index 4f049bd..22f8d9a 100644
> > > ---- a/source3/locking/share_mode_lock.c
> > > -+++ b/source3/locking/share_mode_lock.c
> > > -@@ -67,7 +67,7 @@ static bool locking_init_internal(bool read_only)
> > > - lp_open_files_db_hash_size(),
> > > - TDB_DEFAULT|TDB_VOLATILE|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > > - read_only?O_RDONLY:O_RDWR|O_CREAT, 0644,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > -
> > > - if (!lock_db) {
> > > - DEBUG(0,("ERROR: Failed to initialise locking database\n"));
> > > -diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
> > > -index 80839e3..8ee4bd5 100644
> > > ---- a/source3/modules/vfs_acl_tdb.c
> > > -+++ b/source3/modules/vfs_acl_tdb.c
> > > -@@ -60,7 +60,7 @@ static bool acl_tdb_init(void)
> > > -
> > > - become_root();
> > > - acl_db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - unbecome_root();
> > > -
> > > - if (acl_db == NULL) {
> > > -diff --git a/source3/modules/vfs_xattr_tdb.c b/source3/modules/vfs_xattr_tdb.c
> > > -index 43456cf..63a12fd 100644
> > > ---- a/source3/modules/vfs_xattr_tdb.c
> > > -+++ b/source3/modules/vfs_xattr_tdb.c
> > > -@@ -320,7 +320,7 @@ static bool xattr_tdb_init(int snum, TALLOC_CTX *mem_ctx, struct db_context **p_
> > > -
> > > - become_root();
> > > - db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_2);
> > > -+ DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
> > > - unbecome_root();
> > > -
> > > - if (db == NULL) {
> > > -diff --git a/source3/passdb/account_pol.c b/source3/passdb/account_pol.c
> > > -index c94df29..09a2d20 100644
> > > ---- a/source3/passdb/account_pol.c
> > > -+++ b/source3/passdb/account_pol.c
> > > -@@ -220,13 +220,13 @@ bool init_account_policy(void)
> > > - }
> > > -
> > > - db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT,
> > > -- O_RDWR, 0600, DBWRAP_LOCK_ORDER_1);
> > > -+ O_RDWR, 0600, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > -
> > > - if (db == NULL) { /* the account policies files does not exist or open
> > > - * failed, try to create a new one */
> > > - db = db_open(NULL, state_path("account_policy.tdb"), 0,
> > > - TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (db == NULL) {
> > > - DEBUG(0,("Failed to open account policy database\n"));
> > > - return False;
> > > -diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
> > > -index f256e6c..162083f 100644
> > > ---- a/source3/passdb/pdb_tdb.c
> > > -+++ b/source3/passdb/pdb_tdb.c
> > > -@@ -226,7 +226,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
> > > -
> > > - tmp_db = db_open(NULL, tmp_fname, 0,
> > > - TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (tmp_db == NULL) {
> > > - DEBUG(0, ("tdbsam_convert_backup: Failed to create backup TDB passwd "
> > > - "[%s]\n", tmp_fname));
> > > -@@ -293,7 +293,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
> > > -
> > > - orig_db = db_open(NULL, dbname, 0,
> > > - TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (orig_db == NULL) {
> > > - DEBUG(0, ("tdbsam_convert_backup: Failed to re-open "
> > > - "converted passdb TDB [%s]\n", dbname));
> > > -@@ -444,7 +444,7 @@ static bool tdbsam_open( const char *name )
> > > - /* Try to open tdb passwd. Create a new one if necessary */
> > > -
> > > - db_sam = db_open(NULL, name, 0, TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (db_sam == NULL) {
> > > - DEBUG(0, ("tdbsam_open: Failed to open/create TDB passwd "
> > > - "[%s]\n", name));
> > > -diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
> > > -index 548b030..bff9a0d 100644
> > > ---- a/source3/passdb/secrets.c
> > > -+++ b/source3/passdb/secrets.c
> > > -@@ -79,7 +79,7 @@ bool secrets_init_path(const char *private_dir, bool use_ntdb)
> > > -
> > > - db_ctx = db_open(NULL, fname, 0,
> > > - TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > -
> > > - if (db_ctx == NULL) {
> > > - DEBUG(0,("Failed to open %s\n", fname));
> > > -diff --git a/source3/printing/printer_list.c b/source3/printing/printer_list.c
> > > -index 815f89f..9a9fa0b 100644
> > > ---- a/source3/printing/printer_list.c
> > > -+++ b/source3/printing/printer_list.c
> > > -@@ -40,7 +40,8 @@ static struct db_context *get_printer_list_db(void)
> > > - }
> > > - db = db_open(NULL, PL_DB_NAME(), 0,
> > > - TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > > -- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1);
> > > -+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1,
> > > -+ DBWRAP_FLAG_NONE);
> > > - return db;
> > > - }
> > > -
> > > -diff --git a/source3/registry/reg_backend_db.c b/source3/registry/reg_backend_db.c
> > > -index 3e561eb..fdaf576 100644
> > > ---- a/source3/registry/reg_backend_db.c
> > > -+++ b/source3/registry/reg_backend_db.c
> > > -@@ -732,11 +732,11 @@ WERROR regdb_init(void)
> > > -
> > > - regdb = db_open(NULL, state_path("registry.tdb"), 0,
> > > - REG_TDB_FLAGS, O_RDWR, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (!regdb) {
> > > - regdb = db_open(NULL, state_path("registry.tdb"), 0,
> > > - REG_TDB_FLAGS, O_RDWR|O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (!regdb) {
> > > - werr = ntstatus_to_werror(map_nt_error_from_unix(errno));
> > > - DEBUG(1,("regdb_init: Failed to open registry %s (%s)\n",
> > > -@@ -852,7 +852,7 @@ WERROR regdb_open( void )
> > > -
> > > - regdb = db_open(NULL, state_path("registry.tdb"), 0,
> > > - REG_TDB_FLAGS, O_RDWR, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if ( !regdb ) {
> > > - result = ntstatus_to_werror( map_nt_error_from_unix( errno ) );
> > > - DEBUG(0,("regdb_open: Failed to open %s! (%s)\n",
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index b7b490f..9e3c1bd 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -69,7 +69,8 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
> > > -
> > > - global_db = db_open(talloc_autofree_context(), fname,
> > > - 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > > -- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
> > > -+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
> > > -+ DBWRAP_FLAG_NONE);
> > > - if (global_db == NULL) {
> > > - TALLOC_FREE(frame);
> > > - return NT_STATUS_NO_MEMORY;
> > > -diff --git a/source3/smbd/notify_internal.c b/source3/smbd/notify_internal.c
> > > -index 2dc8674..67d8774 100644
> > > ---- a/source3/smbd/notify_internal.c
> > > -+++ b/source3/smbd/notify_internal.c
> > > -@@ -145,7 +145,7 @@ struct notify_context *notify_init(TALLOC_CTX *mem_ctx,
> > > - notify->db_index = db_open(
> > > - notify, lock_path("notify_index.tdb"),
> > > - 0, TDB_SEQNUM|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > > -- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3);
> > > -+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3, DBWRAP_FLAG_NONE);
> > > - if (notify->db_index == NULL) {
> > > - goto fail;
> > > - }
> > > -diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
> > > -index 29c172c..830c7aa 100644
> > > ---- a/source3/smbd/smbXsrv_open.c
> > > -+++ b/source3/smbd/smbXsrv_open.c
> > > -@@ -64,7 +64,8 @@ NTSTATUS smbXsrv_open_global_init(void)
> > > - TDB_CLEAR_IF_FIRST |
> > > - TDB_INCOMPATIBLE_HASH,
> > > - O_RDWR | O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1,
> > > -+ DBWRAP_FLAG_NONE);
> > > - if (db_ctx == NULL) {
> > > - NTSTATUS status;
> > > -
> > > -diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c
> > > -index 017880c..a1ba52d 100644
> > > ---- a/source3/smbd/smbXsrv_session.c
> > > -+++ b/source3/smbd/smbXsrv_session.c
> > > -@@ -75,7 +75,8 @@ NTSTATUS smbXsrv_session_global_init(void)
> > > - TDB_CLEAR_IF_FIRST |
> > > - TDB_INCOMPATIBLE_HASH,
> > > - O_RDWR | O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1,
> > > -+ DBWRAP_FLAG_NONE);
> > > - if (db_ctx == NULL) {
> > > - NTSTATUS status;
> > > -
> > > -diff --git a/source3/smbd/smbXsrv_tcon.c b/source3/smbd/smbXsrv_tcon.c
> > > -index b6e2058..2cbd761 100644
> > > ---- a/source3/smbd/smbXsrv_tcon.c
> > > -+++ b/source3/smbd/smbXsrv_tcon.c
> > > -@@ -62,7 +62,8 @@ NTSTATUS smbXsrv_tcon_global_init(void)
> > > - TDB_CLEAR_IF_FIRST |
> > > - TDB_INCOMPATIBLE_HASH,
> > > - O_RDWR | O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1,
> > > -+ DBWRAP_FLAG_NONE);
> > > - if (db_ctx == NULL) {
> > > - NTSTATUS status;
> > > -
> > > -diff --git a/source3/smbd/smbXsrv_version.c b/source3/smbd/smbXsrv_version.c
> > > -index 8ba5e1f..b24dae9 100644
> > > ---- a/source3/smbd/smbXsrv_version.c
> > > -+++ b/source3/smbd/smbXsrv_version.c
> > > -@@ -80,7 +80,8 @@ NTSTATUS smbXsrv_version_global_init(const struct server_id *server_id)
> > > - TDB_CLEAR_IF_FIRST |
> > > - TDB_INCOMPATIBLE_HASH,
> > > - O_RDWR | O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1,
> > > -+ DBWRAP_FLAG_NONE);
> > > - if (db_ctx == NULL) {
> > > - status = map_nt_error_from_unix_common(errno);
> > > - DEBUG(0,("smbXsrv_version_global_init: "
> > > -diff --git a/source3/torture/test_dbwrap_watch.c b/source3/torture/test_dbwrap_watch.c
> > > -index 9c2a679..4e699fe 100644
> > > ---- a/source3/torture/test_dbwrap_watch.c
> > > -+++ b/source3/torture/test_dbwrap_watch.c
> > > -@@ -48,7 +48,8 @@ bool run_dbwrap_watch1(int dummy)
> > > - goto fail;
> > > - }
> > > - db = db_open(msg, "test_watch.tdb", 0, TDB_DEFAULT,
> > > -- O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1);
> > > -+ O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1,
> > > -+ DBWRAP_FLAG_NONE);
> > > - if (db == NULL) {
> > > - fprintf(stderr, "db_open failed: %s\n", strerror(errno));
> > > - goto fail;
> > > -diff --git a/source3/torture/test_idmap_tdb_common.c b/source3/torture/test_idmap_tdb_common.c
> > > -index 6f5f3c5..f7262a2 100644
> > > ---- a/source3/torture/test_idmap_tdb_common.c
> > > -+++ b/source3/torture/test_idmap_tdb_common.c
> > > -@@ -86,7 +86,7 @@ static bool open_db(struct idmap_tdb_common_context *ctx)
> > > -
> > > - ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT,
> > > - O_RDWR | O_CREAT, 0600,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > -
> > > - if(!ctx->db) {
> > > - DEBUG(0, ("Failed to open database: %s\n", strerror(errno)));
> > > -diff --git a/source3/torture/torture.c b/source3/torture/torture.c
> > > -index 2e66912..1dc3eaf 100644
> > > ---- a/source3/torture/torture.c
> > > -+++ b/source3/torture/torture.c
> > > -@@ -9011,7 +9011,8 @@ static bool run_local_dbtrans(int dummy)
> > > - TDB_DATA value;
> > > -
> > > - db = db_open(talloc_tos(), "transtest.tdb", 0, TDB_DEFAULT,
> > > -- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1);
> > > -+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1,
> > > -+ DBWRAP_FLAG_NONE);
> > > - if (db == NULL) {
> > > - printf("Could not open transtest.db\n");
> > > - return false;
> > > -diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
> > > -index ffca6b6..b56e07a 100644
> > > ---- a/source3/utils/dbwrap_tool.c
> > > -+++ b/source3/utils/dbwrap_tool.c
> > > -@@ -588,7 +588,7 @@ int main(int argc, const char **argv)
> > > - case OP_LISTKEYS:
> > > - case OP_EXISTS:
> > > - db = db_open(mem_ctx, dbname, 0, tdb_flags, O_RDWR | O_CREAT,
> > > -- 0644, DBWRAP_LOCK_ORDER_1);
> > > -+ 0644, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (db == NULL) {
> > > - d_fprintf(stderr, "ERROR: could not open dbname\n");
> > > - goto done;
> > > -diff --git a/source3/utils/dbwrap_torture.c b/source3/utils/dbwrap_torture.c
> > > -index 2741820..f748ac2 100644
> > > ---- a/source3/utils/dbwrap_torture.c
> > > -+++ b/source3/utils/dbwrap_torture.c
> > > -@@ -309,7 +309,7 @@ int main(int argc, const char *argv[])
> > > - }
> > > -
> > > - db = db_open(mem_ctx, db_name, 0, tdb_flags, O_RDWR | O_CREAT, 0644,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > -
> > > - if (db == NULL) {
> > > - d_fprintf(stderr, "failed to open db '%s': %s\n", db_name,
> > > -diff --git a/source3/utils/net_idmap.c b/source3/utils/net_idmap.c
> > > -index fbeca3e..6fc07e7 100644
> > > ---- a/source3/utils/net_idmap.c
> > > -+++ b/source3/utils/net_idmap.c
> > > -@@ -210,7 +210,7 @@ static int net_idmap_dump(struct net_context *c, int argc, const char **argv)
> > > - d_fprintf(stderr, _("dumping id mapping from %s\n"), dbfile);
> > > -
> > > - db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDONLY, 0,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (db == NULL) {
> > > - d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
> > > - dbfile, strerror(errno));
> > > -@@ -336,7 +336,7 @@ static int net_idmap_restore(struct net_context *c, int argc, const char **argv)
> > > - }
> > > -
> > > - db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (db == NULL) {
> > > - d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
> > > - dbfile, strerror(errno));
> > > -@@ -546,7 +546,7 @@ static int net_idmap_delete(struct net_context *c, int argc, const char **argv)
> > > - d_fprintf(stderr, _("deleting id mapping from %s\n"), dbfile);
> > > -
> > > - db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR, 0,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (db == NULL) {
> > > - d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
> > > - dbfile, strerror(errno));
> > > -diff --git a/source3/utils/net_idmap_check.c b/source3/utils/net_idmap_check.c
> > > -index e75c890..4b82871 100644
> > > ---- a/source3/utils/net_idmap_check.c
> > > -+++ b/source3/utils/net_idmap_check.c
> > > -@@ -790,7 +790,7 @@ static bool check_open_db(struct check_ctx* ctx, const char* name, int oflags)
> > > - }
> > > -
> > > - ctx->db = db_open(ctx, name, 0, TDB_DEFAULT, oflags, 0,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (ctx->db == NULL) {
> > > - d_fprintf(stderr,
> > > - _("Could not open idmap db (%s) for writing: %s\n"),
> > > -diff --git a/source3/utils/net_registry_check.c b/source3/utils/net_registry_check.c
> > > -index 8cdb8fa..d57c2aa 100644
> > > ---- a/source3/utils/net_registry_check.c
> > > -+++ b/source3/utils/net_registry_check.c
> > > -@@ -338,7 +338,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
> > > - }
> > > -
> > > - ctx->odb = db_open(ctx, ctx->opt.output, 0, TDB_DEFAULT, oflags, 0644,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (ctx->odb == NULL) {
> > > - d_fprintf(stderr,
> > > - _("Could not open db (%s) for writing: %s\n"),
> > > -@@ -351,7 +351,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
> > > -
> > > - static bool check_ctx_open_input(struct check_ctx *ctx) {
> > > - ctx->idb = db_open(ctx, ctx->fname, 0, TDB_DEFAULT, O_RDONLY, 0,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (ctx->idb == NULL) {
> > > - d_fprintf(stderr,
> > > - _("Could not open db (%s) for reading: %s\n"),
> > > -diff --git a/source3/utils/status.c b/source3/utils/status.c
> > > -index be7c52f..1ff0e36 100644
> > > ---- a/source3/utils/status.c
> > > -+++ b/source3/utils/status.c
> > > -@@ -508,7 +508,7 @@ static void print_notify_recs(const char *path,
> > > - struct db_context *db;
> > > - db = db_open(NULL, lock_path("locking.tdb"), 0,
> > > - TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH, O_RDONLY, 0,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > -
> > > - if (!db) {
> > > - d_printf("%s not initialised\n",
> > > -diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
> > > -index 57d952e..0bd2938 100644
> > > ---- a/source3/winbindd/idmap_autorid.c
> > > -+++ b/source3/winbindd/idmap_autorid.c
> > > -@@ -728,7 +728,7 @@ static NTSTATUS idmap_autorid_db_init(void)
> > > - /* Open idmap repository */
> > > - autorid_db = db_open(NULL, state_path("autorid.tdb"), 0,
> > > - TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > -
> > > - if (!autorid_db) {
> > > - DEBUG(0, ("Unable to open idmap_autorid database '%s'\n",
> > > -diff --git a/source3/winbindd/idmap_tdb.c b/source3/winbindd/idmap_tdb.c
> > > -index cc930ff..ebff347 100644
> > > ---- a/source3/winbindd/idmap_tdb.c
> > > -+++ b/source3/winbindd/idmap_tdb.c
> > > -@@ -321,7 +321,7 @@ static NTSTATUS idmap_tdb_open_db(struct idmap_domain *dom)
> > > -
> > > - /* Open idmap repository */
> > > - db = db_open(mem_ctx, tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (!db) {
> > > - DEBUG(0, ("Unable to open idmap database\n"));
> > > - ret = NT_STATUS_UNSUCCESSFUL;
> > > -diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
> > > -index 4a9c2fe..942490d 100644
> > > ---- a/source3/winbindd/idmap_tdb2.c
> > > -+++ b/source3/winbindd/idmap_tdb2.c
> > > -@@ -114,7 +114,7 @@ static NTSTATUS idmap_tdb2_open_db(struct idmap_domain *dom)
> > > -
> > > - /* Open idmap repository */
> > > - ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
> > > -- DBWRAP_LOCK_ORDER_1);
> > > -+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - TALLOC_FREE(db_path);
> > > -
> > > - if (ctx->db == NULL) {
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From b904731a81df57b3d33fe0c35663bc47d061d744 Mon Sep 17 00:00:00 2001
> > > -From: Michael Adam <obnox@samba.org>
> > > -Date: Tue, 28 Jan 2014 12:53:24 +0100
> > > -Subject: [PATCH 236/249] dbwrap: add a dbwrap_flags argument to db_open_ctdb()
> > > -
> > > -This is in preparation of directly supporting ctdb read only
> > > -record copies when opening a ctdb database from samba.
> > > -
> > > -Signed-off-by: Michael Adam <obnox@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 6def1c3f6e145abcc81ea69505133bbe128eacac)
> > > ----
> > > - source3/lib/dbwrap/dbwrap_ctdb.c | 6 ++++--
> > > - source3/lib/dbwrap/dbwrap_ctdb.h | 3 ++-
> > > - source3/lib/dbwrap/dbwrap_open.c | 2 +-
> > > - source3/torture/test_dbwrap_ctdb.c | 2 +-
> > > - 4 files changed, 8 insertions(+), 5 deletions(-)
> > > -
> > > -diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
> > > -index 5a473f9..af7a72f 100644
> > > ---- a/source3/lib/dbwrap/dbwrap_ctdb.c
> > > -+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
> > > -@@ -1498,7 +1498,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
> > > - const char *name,
> > > - int hash_size, int tdb_flags,
> > > - int open_flags, mode_t mode,
> > > -- enum dbwrap_lock_order lock_order)
> > > -+ enum dbwrap_lock_order lock_order,
> > > -+ uint64_t dbwrap_flags)
> > > - {
> > > - struct db_context *result;
> > > - struct db_ctdb_ctx *db_ctdb;
> > > -@@ -1624,7 +1625,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
> > > - const char *name,
> > > - int hash_size, int tdb_flags,
> > > - int open_flags, mode_t mode,
> > > -- enum dbwrap_lock_order lock_order)
> > > -+ enum dbwrap_lock_order lock_order,
> > > -+ uint64_t dbwrap_flags)
> > > - {
> > > - DEBUG(3, ("db_open_ctdb: no cluster support!\n"));
> > > - errno = ENOSYS;
> > > -diff --git a/source3/lib/dbwrap/dbwrap_ctdb.h b/source3/lib/dbwrap/dbwrap_ctdb.h
> > > -index bfbe3bd..3196b91 100644
> > > ---- a/source3/lib/dbwrap/dbwrap_ctdb.h
> > > -+++ b/source3/lib/dbwrap/dbwrap_ctdb.h
> > > -@@ -31,6 +31,7 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
> > > - const char *name,
> > > - int hash_size, int tdb_flags,
> > > - int open_flags, mode_t mode,
> > > -- enum dbwrap_lock_order lock_order);
> > > -+ enum dbwrap_lock_order lock_order,
> > > -+ uint64_t dbwrap_flags);
> > > -
> > > - #endif /* __DBWRAP_CTDB_H__ */
> > > -diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
> > > -index 6c9280c..61324f7 100644
> > > ---- a/source3/lib/dbwrap/dbwrap_open.c
> > > -+++ b/source3/lib/dbwrap/dbwrap_open.c
> > > -@@ -104,7 +104,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
> > > - if (lp_parm_bool(-1, "ctdb", partname, True)) {
> > > - result = db_open_ctdb(mem_ctx, partname, hash_size,
> > > - tdb_flags, open_flags, mode,
> > > -- lock_order);
> > > -+ lock_order, dbwrap_flags);
> > > - if (result == NULL) {
> > > - DEBUG(0,("failed to attach to ctdb %s\n",
> > > - partname));
> > > -diff --git a/source3/torture/test_dbwrap_ctdb.c b/source3/torture/test_dbwrap_ctdb.c
> > > -index f7672ba..d7380b1 100644
> > > ---- a/source3/torture/test_dbwrap_ctdb.c
> > > -+++ b/source3/torture/test_dbwrap_ctdb.c
> > > -@@ -32,7 +32,7 @@ bool run_local_dbwrap_ctdb(int dummy)
> > > - uint32_t val;
> > > -
> > > - db = db_open_ctdb(talloc_tos(), "torture.tdb", 0, TDB_DEFAULT,
> > > -- O_RDWR, 0755, DBWRAP_LOCK_ORDER_1);
> > > -+ O_RDWR, 0755, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
> > > - if (db == NULL) {
> > > - perror("db_open_ctdb failed");
> > > - goto fail;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4f2d14112981d03000b533458e2e60a032d052de Mon Sep 17 00:00:00 2001
> > > -From: Michael Adam <obnox@samba.org>
> > > -Date: Tue, 28 Jan 2014 11:31:44 +0100
> > > -Subject: [PATCH 237/249] dbwrap: add DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
> > > -
> > > -Signed-off-by: Michael Adam <obnox@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 56bd4040889dfe492ff820497b7a6d76624a6048)
> > > ----
> > > - lib/dbwrap/dbwrap.h | 1 +
> > > - 1 file changed, 1 insertion(+)
> > > -
> > > -diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
> > > -index 4064ba2..02b4405 100644
> > > ---- a/lib/dbwrap/dbwrap.h
> > > -+++ b/lib/dbwrap/dbwrap.h
> > > -@@ -33,6 +33,7 @@ enum dbwrap_lock_order {
> > > - #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
> > > -
> > > - #define DBWRAP_FLAG_NONE 0x0000000000000000ULL
> > > -+#define DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS 0x0000000000000001ULL
> > > -
> > > - /* The following definitions come from lib/dbwrap.c */
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a007f8f7f627c4347f48bd2446637aab137e0608 Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 28 Jan 2014 21:24:22 +0100
> > > -Subject: [PATCH 238/249] dbwrap_ctdb: implement
> > > - DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
> > > -
> > > -For non-persistent databases we try to use CTDB_CONTROL_SET_DB_READONLY
> > > -in order to make use of readonly records.
> > > -
> > > -Pair-Programmed-With: Michael Adam <obnox@samba.org>
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Signed-off-by: Michael Adam <obnox@samba.org>
> > > -(cherry picked from commit a97b588b63f437d25c4344c76014326dbf0cbdb0)
> > > ----
> > > - source3/lib/dbwrap/dbwrap_ctdb.c | 21 +++++++++++++++++++++
> > > - 1 file changed, 21 insertions(+)
> > > -
> > > -diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
> > > -index af7a72f..3dc86d1 100644
> > > ---- a/source3/lib/dbwrap/dbwrap_ctdb.c
> > > -+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
> > > -@@ -1578,6 +1578,27 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
> > > - return NULL;
> > > - }
> > > -
> > > -+#ifdef HAVE_CTDB_WANT_READONLY_DECL
> > > -+ if (!result->persistent &&
> > > -+ (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS))
> > > -+ {
> > > -+ TDB_DATA indata;
> > > -+
> > > -+ indata = make_tdb_data((uint8_t *)&db_ctdb->db_id,
> > > -+ sizeof(db_ctdb->db_id));
> > > -+
> > > -+ status = ctdbd_control_local(
> > > -+ conn, CTDB_CONTROL_SET_DB_READONLY, 0, 0, indata,
> > > -+ NULL, NULL, &cstatus);
> > > -+ if (!NT_STATUS_IS_OK(status) || (cstatus != 0)) {
> > > -+ DEBUG(1, ("CTDB_CONTROL_SET_DB_READONLY failed: "
> > > -+ "%s, %d\n", nt_errstr(status), cstatus));
> > > -+ TALLOC_FREE(result);
> > > -+ return NULL;
> > > -+ }
> > > -+ }
> > > -+#endif
> > > -+
> > > - lp_ctx = loadparm_init_s3(db_path, loadparm_s3_helpers());
> > > -
> > > - db_ctdb->wtdb = tdb_wrap_open(db_ctdb, db_path, hash_size, tdb_flags,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From d1ea222d46a594d45422eacccbd655d7e488792a Mon Sep 17 00:00:00 2001
> > > -From: Stefan Metzmacher <metze@samba.org>
> > > -Date: Tue, 28 Jan 2014 21:31:17 +0100
> > > -Subject: [PATCH 239/249] dbwrap_open: add 'dbwrap_optimize_readonly:* = yes'
> > > - option
> > > -
> > > -Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > > -Reviewed-by: Michael Adam <obnox@samba.org>
> > > -(cherry picked from commit a20c977c7a58a0c09d01bfa046c00fcd3f1462de)
> > > ----
> > > - source3/lib/dbwrap/dbwrap_open.c | 25 +++++++++++++++++++++++++
> > > - 1 file changed, 25 insertions(+)
> > > -
> > > -diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
> > > -index 61324f7..7f3cddf 100644
> > > ---- a/source3/lib/dbwrap/dbwrap_open.c
> > > -+++ b/source3/lib/dbwrap/dbwrap_open.c
> > > -@@ -81,6 +81,31 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
> > > - return NULL;
> > > - }
> > > -
> > > -+ if (tdb_flags & TDB_CLEAR_IF_FIRST) {
> > > -+ const char *base;
> > > -+ bool try_readonly = false;
> > > -+
> > > -+ base = strrchr_m(name, '/');
> > > -+ if (base != NULL) {
> > > -+ base += 1;
> > > -+ } else {
> > > -+ base = name;
> > > -+ }
> > > -+
> > > -+ if (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS) {
> > > -+ try_readonly = true;
> > > -+ }
> > > -+
> > > -+ try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", "*", try_readonly);
> > > -+ try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", base, try_readonly);
> > > -+
> > > -+ if (try_readonly) {
> > > -+ dbwrap_flags |= DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
> > > -+ } else {
> > > -+ dbwrap_flags &= ~DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
> > > -+ }
> > > -+ }
> > > -+
> > > - #ifdef CLUSTER_SUPPORT
> > > - sockname = lp_ctdbd_socket();
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From ce06399f9fab90623a2166d69f1bbfc46f124d73 Mon Sep 17 00:00:00 2001
> > > -From: Michael Adam <obnox@samba.org>
> > > -Date: Mon, 27 Jan 2014 16:21:14 +0100
> > > -Subject: [PATCH 240/249] s3:rpc_client: optimize the netlogon_creds_cli.tdb
> > > - for read-only access
> > > -
> > > -Usually a record in this DB will be written once and then read
> > > -many times by winbindd processes on multiple nodes (when run in
> > > -a cluster). In order not to introduce a big performance penalty
> > > -with the increased correctness achieved by storing the netlogon
> > > -creds, in a cluster setup, we should activate ctdb's read only
> > > -record copies on this db.
> > > -
> > > -Signed-off-by: Michael Adam <obnox@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -(cherry picked from commit 020fab300d2f4f19301eff19ad810c71f77bbb78)
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index 9e3c1bd..746c7b6 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -70,7 +70,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
> > > - global_db = db_open(talloc_autofree_context(), fname,
> > > - 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
> > > - O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
> > > -- DBWRAP_FLAG_NONE);
> > > -+ DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS);
> > > - if (global_db == NULL) {
> > > - TALLOC_FREE(frame);
> > > - return NT_STATUS_NO_MEMORY;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From e39b8c0e22e609db117285d47cdbd1d854fe8d02 Mon Sep 17 00:00:00 2001
> > > -From: Ira Cooper <ira@samba.org>
> > > -Date: Thu, 13 Feb 2014 14:45:23 -0500
> > > -Subject: [PATCH 241/249] libcli: Overflow array index read possible, in auth
> > > - code.
> > > -
> > > -Changed the if condtion to detect when we'd improperly overflow.
> > > -
> > > -Coverity-Id: 1167990
> > > -Signed-off-by: Ira Cooper <ira@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > -
> > > -Autobuild-User(master): Ira Cooper <ira@samba.org>
> > > -Autobuild-Date(master): Mon Feb 24 11:56:38 CET 2014 on sn-devel-104
> > > -
> > > -(cherry picked from commit 8cd8aa6686c21e8c43a6d14c0ae1a21954d6e8cd)
> > > ----
> > > - libcli/auth/netlogon_creds_cli.c | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
> > > -index 88893ad..e3cf91c 100644
> > > ---- a/libcli/auth/netlogon_creds_cli.c
> > > -+++ b/libcli/auth/netlogon_creds_cli.c
> > > -@@ -1769,7 +1769,7 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
> > > - uint32_t ofs = 512 - len;
> > > - uint8_t *p;
> > > -
> > > -- if (ofs < 12) {
> > > -+ if (len > 500) {
> > > - tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
> > > - return tevent_req_post(req, ev);
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 4e15aa86c44e906ca30cfa4589e4f45f23625953 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Tue, 15 Jul 2014 08:28:42 +0200
> > > -Subject: [PATCH 242/249] s3-rpc_client: return info3 in
> > > - rpccli_netlogon_password_logon().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/rpc_client/cli_netlogon.c | 103 +++++++++++++++++++++-----------------
> > > - source3/rpc_client/cli_netlogon.h | 4 +-
> > > - source3/rpcclient/cmd_netlogon.c | 5 +-
> > > - 3 files changed, 64 insertions(+), 48 deletions(-)
> > > -
> > > -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
> > > -index 746c7b6..7063351 100644
> > > ---- a/source3/rpc_client/cli_netlogon.c
> > > -+++ b/source3/rpc_client/cli_netlogon.c
> > > -@@ -193,16 +193,65 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -+static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> > > -+ uint16_t validation_level,
> > > -+ union netr_Validation *validation,
> > > -+ struct netr_SamInfo3 **info3_p)
> > > -+{
> > > -+ struct netr_SamInfo3 *info3;
> > > -+ NTSTATUS status;
> > > -+
> > > -+ if (validation == NULL) {
> > > -+ return NT_STATUS_INVALID_PARAMETER;
> > > -+ }
> > > -+
> > > -+ switch (validation_level) {
> > > -+ case 3:
> > > -+ if (validation->sam3 == NULL) {
> > > -+ return NT_STATUS_INVALID_PARAMETER;
> > > -+ }
> > > -+
> > > -+ info3 = talloc_move(mem_ctx, &validation->sam3);
> > > -+ break;
> > > -+ case 6:
> > > -+ if (validation->sam6 == NULL) {
> > > -+ return NT_STATUS_INVALID_PARAMETER;
> > > -+ }
> > > -+
> > > -+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
> > > -+ if (info3 == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(info3);
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ info3->sidcount = validation->sam6->sidcount;
> > > -+ info3->sids = talloc_move(info3, &validation->sam6->sids);
> > > -+ break;
> > > -+ default:
> > > -+ return NT_STATUS_BAD_VALIDATION_CLASS;
> > > -+ }
> > > -+
> > > -+ *info3_p = info3;
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > - /* Logon domain user */
> > > -
> > > - NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> > > - struct dcerpc_binding_handle *binding_handle,
> > > -+ TALLOC_CTX *mem_ctx,
> > > - uint32_t logon_parameters,
> > > - const char *domain,
> > > - const char *username,
> > > - const char *password,
> > > - const char *workstation,
> > > -- enum netr_LogonInfoClass logon_type)
> > > -+ enum netr_LogonInfoClass logon_type,
> > > -+ struct netr_SamInfo3 **info3)
> > > - {
> > > - TALLOC_CTX *frame = talloc_stackframe();
> > > - NTSTATUS status;
> > > -@@ -320,57 +369,19 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
> > > - &validation,
> > > - &authoritative,
> > > - &flags);
> > > -- TALLOC_FREE(frame);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(frame);
> > > - return status;
> > > - }
> > > -
> > > -- return NT_STATUS_OK;
> > > --}
> > > --
> > > --static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
> > > -- uint16_t validation_level,
> > > -- union netr_Validation *validation,
> > > -- struct netr_SamInfo3 **info3_p)
> > > --{
> > > -- struct netr_SamInfo3 *info3;
> > > -- NTSTATUS status;
> > > --
> > > -- if (validation == NULL) {
> > > -- return NT_STATUS_INVALID_PARAMETER;
> > > -- }
> > > --
> > > -- switch (validation_level) {
> > > -- case 3:
> > > -- if (validation->sam3 == NULL) {
> > > -- return NT_STATUS_INVALID_PARAMETER;
> > > -- }
> > > --
> > > -- info3 = talloc_move(mem_ctx, &validation->sam3);
> > > -- break;
> > > -- case 6:
> > > -- if (validation->sam6 == NULL) {
> > > -- return NT_STATUS_INVALID_PARAMETER;
> > > -- }
> > > --
> > > -- info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
> > > -- if (info3 == NULL) {
> > > -- return NT_STATUS_NO_MEMORY;
> > > -- }
> > > -- status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
> > > -- if (!NT_STATUS_IS_OK(status)) {
> > > -- TALLOC_FREE(info3);
> > > -- return status;
> > > -- }
> > > --
> > > -- info3->sidcount = validation->sam6->sidcount;
> > > -- info3->sids = talloc_move(info3, &validation->sam6->sids);
> > > -- break;
> > > -- default:
> > > -- return NT_STATUS_BAD_VALIDATION_CLASS;
> > > -+ status = map_validation_to_info3(mem_ctx,
> > > -+ validation_level, validation,
> > > -+ info3);
> > > -+ TALLOC_FREE(frame);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > - }
> > > -
> > > -- *info3_p = info3;
> > > -
> > > - return NT_STATUS_OK;
> > > - }
> > > -diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
> > > -index 61fed4a..fee0801 100644
> > > ---- a/source3/rpc_client/cli_netlogon.h
> > > -+++ b/source3/rpc_client/cli_netlogon.h
> > > -@@ -45,12 +45,14 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
> > > - const struct samr_Password *previous_nt_hash);
> > > - NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
> > > - struct dcerpc_binding_handle *binding_handle,
> > > -+ TALLOC_CTX *mem_ctx,
> > > - uint32_t logon_parameters,
> > > - const char *domain,
> > > - const char *username,
> > > - const char *password,
> > > - const char *workstation,
> > > -- enum netr_LogonInfoClass logon_type);
> > > -+ enum netr_LogonInfoClass logon_type,
> > > -+ struct netr_SamInfo3 **info3);
> > > - NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
> > > - struct dcerpc_binding_handle *binding_handle,
> > > - TALLOC_CTX *mem_ctx,
> > > -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
> > > -index b637b3e..2d1c351 100644
> > > ---- a/source3/rpcclient/cmd_netlogon.c
> > > -+++ b/source3/rpcclient/cmd_netlogon.c
> > > -@@ -778,6 +778,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > - const char *username, *password;
> > > - uint32 logon_param = 0;
> > > - const char *workstation = NULL;
> > > -+ struct netr_SamInfo3 *info3 = NULL;
> > > -
> > > - /* Check arguments */
> > > -
> > > -@@ -803,12 +804,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
> > > -
> > > - result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
> > > - cli->binding_handle,
> > > -+ mem_ctx,
> > > - logon_param,
> > > - lp_workgroup(),
> > > - username,
> > > - password,
> > > - workstation,
> > > -- logon_type);
> > > -+ logon_type,
> > > -+ &info3);
> > > - if (!NT_STATUS_IS_OK(result))
> > > - goto done;
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 3459fada96951a57a787944aedc01caabe873c9d Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Tue, 15 Jul 2014 08:29:55 +0200
> > > -Subject: [PATCH 243/249] s3-winbindd: call interactive samlogon via
> > > - rpccli_netlogon_password_logon.
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Guenther Deschner <gd@samba.org>
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -
> > > -Conflicts:
> > > - source3/winbindd/winbindd_pam.c
> > > ----
> > > - source3/winbindd/winbindd_pam.c | 45 +++++++++++++++++++++++++++++------------
> > > - 1 file changed, 32 insertions(+), 13 deletions(-)
> > > -
> > > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > > -index 3f3ec70..2a1b74a 100644
> > > ---- a/source3/winbindd/winbindd_pam.c
> > > -+++ b/source3/winbindd/winbindd_pam.c
> > > -@@ -1214,11 +1214,13 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > > - uint32_t logon_parameters,
> > > - const char *server,
> > > - const char *username,
> > > -+ const char *password,
> > > - const char *domainname,
> > > - const char *workstation,
> > > - const uint8_t chal[8],
> > > - DATA_BLOB lm_response,
> > > - DATA_BLOB nt_response,
> > > -+ bool interactive,
> > > - struct netr_SamInfo3 **info3)
> > > - {
> > > - int attempts = 0;
> > > -@@ -1278,19 +1280,32 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > > - }
> > > - netr_attempts = 0;
> > > -
> > > -- result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
> > > -- netlogon_pipe->binding_handle,
> > > -- mem_ctx,
> > > -- logon_parameters,
> > > -- username,
> > > -- domainname,
> > > -- workstation,
> > > -- chal,
> > > -- lm_response,
> > > -- nt_response,
> > > -- &authoritative,
> > > -- &flags,
> > > -- info3);
> > > -+ if (interactive && username != NULL && password != NULL) {
> > > -+ result = rpccli_netlogon_password_logon(domain->conn.netlogon_creds,
> > > -+ netlogon_pipe->binding_handle,
> > > -+ mem_ctx,
> > > -+ logon_parameters,
> > > -+ domainname,
> > > -+ username,
> > > -+ password,
> > > -+ workstation,
> > > -+ NetlogonInteractiveInformation,
> > > -+ info3);
> > > -+ } else {
> > > -+ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
> > > -+ netlogon_pipe->binding_handle,
> > > -+ mem_ctx,
> > > -+ logon_parameters,
> > > -+ username,
> > > -+ domainname,
> > > -+ workstation,
> > > -+ chal,
> > > -+ lm_response,
> > > -+ nt_response,
> > > -+ &authoritative,
> > > -+ &flags,
> > > -+ info3);
> > > -+ }
> > > -
> > > - /*
> > > - * we increment this after the "feature negotiation"
> > > -@@ -1433,11 +1448,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
> > > - 0,
> > > - domain->dcname,
> > > - name_user,
> > > -+ pass,
> > > - name_domain,
> > > - lp_netbios_name(),
> > > - chal,
> > > - lm_resp,
> > > - nt_resp,
> > > -+ true, /* interactive */
> > > - &my_info3);
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > - goto done;
> > > -@@ -1856,12 +1873,14 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
> > > - state->request->data.auth_crap.logon_parameters,
> > > - domain->dcname,
> > > - name_user,
> > > -+ NULL, /* password */
> > > - name_domain,
> > > - /* Bug #3248 - found by Stefan Burkei. */
> > > - workstation, /* We carefully set this above so use it... */
> > > - state->request->data.auth_crap.chal,
> > > - lm_resp,
> > > - nt_resp,
> > > -+ false, /* interactive */
> > > - &info3);
> > > - if (!NT_STATUS_IS_OK(result)) {
> > > - goto done;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From ad27b750ea3766581e528a41c132bb57927cc64c Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Mon, 7 Jul 2014 17:14:37 +0200
> > > -Subject: [PATCH 244/249] s3-winbindd: add wcache_query_user_fullname().
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -This helper function is used to query the full name of a cached user object (for
> > > -further gecos processing).
> > > -
> > > -Thanks to Matt Rogers <mrogers@redhat.com>.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
> > > -
> > > -Guenther
> > > -
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/winbindd/winbindd_cache.c | 34 ++++++++++++++++++++++++++++++++++
> > > - source3/winbindd/winbindd_proto.h | 4 ++++
> > > - 2 files changed, 38 insertions(+)
> > > -
> > > -diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
> > > -index 59ce515..d1e10e6c 100644
> > > ---- a/source3/winbindd/winbindd_cache.c
> > > -+++ b/source3/winbindd/winbindd_cache.c
> > > -@@ -2309,6 +2309,40 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
> > > - return status;
> > > - }
> > > -
> > > -+
> > > -+/**
> > > -+* @brief Query a fullname from the username cache (for further gecos processing)
> > > -+*
> > > -+* @param domain A pointer to the winbindd_domain struct.
> > > -+* @param mem_ctx The talloc context.
> > > -+* @param user_sid The user sid.
> > > -+* @param full_name A pointer to the full_name string.
> > > -+*
> > > -+* @return NTSTATUS code
> > > -+*/
> > > -+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ const struct dom_sid *user_sid,
> > > -+ const char **full_name)
> > > -+{
> > > -+ NTSTATUS status;
> > > -+ struct wbint_userinfo info;
> > > -+
> > > -+ status = wcache_query_user(domain, mem_ctx, user_sid, &info);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ if (info.full_name != NULL) {
> > > -+ *full_name = talloc_strdup(mem_ctx, info.full_name);
> > > -+ if (*full_name == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > - /* Lookup user information from a rid */
> > > - static NTSTATUS query_user(struct winbindd_domain *domain,
> > > - TALLOC_CTX *mem_ctx,
> > > -diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
> > > -index cfc19d0..cfb7812 100644
> > > ---- a/source3/winbindd/winbindd_proto.h
> > > -+++ b/source3/winbindd/winbindd_proto.h
> > > -@@ -105,6 +105,10 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
> > > - TALLOC_CTX *mem_ctx,
> > > - const struct dom_sid *user_sid,
> > > - struct wbint_userinfo *info);
> > > -+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
> > > -+ TALLOC_CTX *mem_ctx,
> > > -+ const struct dom_sid *user_sid,
> > > -+ const char **full_name);
> > > - NTSTATUS wcache_lookup_useraliases(struct winbindd_domain *domain,
> > > - TALLOC_CTX *mem_ctx,
> > > - uint32 num_sids, const struct dom_sid *sids,
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From e89ca0b90887930a2f86dcaa4f6d3d05565f919c Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Mon, 7 Jul 2014 17:16:32 +0200
> > > -Subject: [PATCH 245/249] s3-winbindd: use wcache_query_user_fullname after
> > > - inspecting samlogon cache.
> > > -
> > > -The reason for this followup query is that very often the samlogon cache only
> > > -contains a info3 netlogon user structure that has been retrieved during a
> > > -netlogon samlogon authentication using "network" logon level. With that logon
> > > -level only a few info3 fields are filled in; the user's fullname is never filled
> > > -in that case. This is problematic when the cache is used to fill in the user's
> > > -gecos field (for NSS queries). When we have retrieved the user's fullname during
> > > -other queries, reuse it from the other caches.
> > > -
> > > -Thanks to Matt Rogers <mrogers@redhat.com>.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
> > > -
> > > -Guenther
> > > -
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Signed-off-by: Guenther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/winbindd/winbindd_ads.c | 8 ++++++++
> > > - source3/winbindd/winbindd_msrpc.c | 8 ++++++++
> > > - source3/winbindd/winbindd_pam.c | 20 ++++++++++++++++++++
> > > - 3 files changed, 36 insertions(+)
> > > -
> > > -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
> > > -index 4c26389..a20fba5 100644
> > > ---- a/source3/winbindd/winbindd_ads.c
> > > -+++ b/source3/winbindd/winbindd_ads.c
> > > -@@ -619,6 +619,14 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
> > > -
> > > - TALLOC_FREE(user);
> > > -
> > > -+ if (info->full_name == NULL) {
> > > -+ /* this might fail so we dont check the return code */
> > > -+ wcache_query_user_fullname(domain,
> > > -+ mem_ctx,
> > > -+ sid,
> > > -+ &info->full_name);
> > > -+ }
> > > -+
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
> > > -index 426d64c..c097bf3 100644
> > > ---- a/source3/winbindd/winbindd_msrpc.c
> > > -+++ b/source3/winbindd/winbindd_msrpc.c
> > > -@@ -439,6 +439,14 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
> > > - user_info->full_name = talloc_strdup(user_info,
> > > - user->base.full_name.string);
> > > -
> > > -+ if (user_info->full_name == NULL) {
> > > -+ /* this might fail so we dont check the return code */
> > > -+ wcache_query_user_fullname(domain,
> > > -+ mem_ctx,
> > > -+ user_sid,
> > > -+ &user_info->full_name);
> > > -+ }
> > > -+
> > > - status = NT_STATUS_OK;
> > > - goto done;
> > > - }
> > > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > > -index 2a1b74a..bf71d97 100644
> > > ---- a/source3/winbindd/winbindd_pam.c
> > > -+++ b/source3/winbindd/winbindd_pam.c
> > > -@@ -1720,6 +1720,26 @@ process_result:
> > > - sid_compose(&user_sid, info3->base.domain_sid,
> > > - info3->base.rid);
> > > -
> > > -+ if (info3->base.full_name.string == NULL) {
> > > -+ struct netr_SamInfo3 *cached_info3;
> > > -+
> > > -+ cached_info3 = netsamlogon_cache_get(state->mem_ctx,
> > > -+ &user_sid);
> > > -+ if (cached_info3 != NULL &&
> > > -+ cached_info3->base.full_name.string != NULL) {
> > > -+ info3->base.full_name.string =
> > > -+ talloc_strdup(info3,
> > > -+ cached_info3->base.full_name.string);
> > > -+ } else {
> > > -+
> > > -+ /* this might fail so we dont check the return code */
> > > -+ wcache_query_user_fullname(domain,
> > > -+ info3,
> > > -+ &user_sid,
> > > -+ &info3->base.full_name.string);
> > > -+ }
> > > -+ }
> > > -+
> > > - wcache_invalidate_samlogon(find_domain_from_name(name_domain),
> > > - &user_sid);
> > > - netsamlogon_cache_store(name_user, info3);
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From aa042d490b2cccb7b6cc394e024004321a6c156c Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 9 Jul 2014 13:36:06 +0200
> > > -Subject: [PATCH 246/249] samlogon_cache: use a talloc_stackframe inside
> > > - netsamlogon_cache_store.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/libsmb/samlogon_cache.c | 13 ++++---------
> > > - 1 file changed, 4 insertions(+), 9 deletions(-)
> > > -
> > > -diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
> > > -index b04cf0a..f7457ae 100644
> > > ---- a/source3/libsmb/samlogon_cache.c
> > > -+++ b/source3/libsmb/samlogon_cache.c
> > > -@@ -125,7 +125,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> > > - bool result = false;
> > > - struct dom_sid user_sid;
> > > - time_t t = time(NULL);
> > > -- TALLOC_CTX *mem_ctx;
> > > -+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
> > > - DATA_BLOB blob;
> > > - enum ndr_err_code ndr_err;
> > > - struct netsamlogoncache_entry r;
> > > -@@ -149,11 +149,6 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> > > -
> > > - /* Prepare data */
> > > -
> > > -- if (!(mem_ctx = talloc( NULL, int))) {
> > > -- DEBUG(0,("netsamlogon_cache_store: talloc() failed!\n"));
> > > -- return false;
> > > -- }
> > > --
> > > - /* only Samba fills in the username, not sure why NT doesn't */
> > > - /* so we fill it in since winbindd_getpwnam() makes use of it */
> > > -
> > > -@@ -168,11 +163,11 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> > > - NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
> > > - }
> > > -
> > > -- ndr_err = ndr_push_struct_blob(&blob, mem_ctx, &r,
> > > -+ ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r,
> > > - (ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry);
> > > - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> > > - DEBUG(0,("netsamlogon_cache_store: failed to push entry to cache\n"));
> > > -- TALLOC_FREE(mem_ctx);
> > > -+ TALLOC_FREE(tmp_ctx);
> > > - return false;
> > > - }
> > > -
> > > -@@ -183,7 +178,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> > > - result = true;
> > > - }
> > > -
> > > -- TALLOC_FREE(mem_ctx);
> > > -+ TALLOC_FREE(tmp_ctx);
> > > -
> > > - return result;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 8283d1acec0c0afd17197339a4986975d05abf29 Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Thu, 3 Jul 2014 16:17:46 +0200
> > > -Subject: [PATCH 247/249] samlogon_cache: avoid overwriting
> > > - info3->base.full_name.string.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -This field servers as a source for the gecos field. We should not overwrite it
> > > -when a info3 struct from a samlogon network level gets saved in which case this
> > > -field is always NULL.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > > -
> > > -Autobuild-User(master): Günther Deschner <gd@samba.org>
> > > -Autobuild-Date(master): Tue Jul 15 18:25:28 CEST 2014 on sn-devel-104
> > > ----
> > > - source3/libsmb/samlogon_cache.c | 14 ++++++++++++++
> > > - 1 file changed, 14 insertions(+)
> > > -
> > > -diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
> > > -index f7457ae..0a157d4 100644
> > > ---- a/source3/libsmb/samlogon_cache.c
> > > -+++ b/source3/libsmb/samlogon_cache.c
> > > -@@ -149,6 +149,20 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
> > > -
> > > - /* Prepare data */
> > > -
> > > -+ if (info3->base.full_name.string == NULL) {
> > > -+ struct netr_SamInfo3 *cached_info3;
> > > -+ const char *full_name = NULL;
> > > -+
> > > -+ cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid);
> > > -+ if (cached_info3 != NULL) {
> > > -+ full_name = cached_info3->base.full_name.string;
> > > -+ }
> > > -+
> > > -+ if (full_name != NULL) {
> > > -+ info3->base.full_name.string = talloc_strdup(info3, full_name);
> > > -+ }
> > > -+ }
> > > -+
> > > - /* only Samba fills in the username, not sure why NT doesn't */
> > > - /* so we fill it in since winbindd_getpwnam() makes use of it */
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From fe9d7458001a952d1df23dcd584a1835df5d43d1 Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Thu, 3 Jul 2014 16:19:42 +0200
> > > -Subject: [PATCH 248/249] s3-winbind: Don't set the gecos field to NULL.
> > > -
> > > -The value is loaded from the cache anyway. So it will be set to NULL if
> > > -it is not available.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > > ----
> > > - source3/winbindd/nss_info_template.c | 1 -
> > > - 1 file changed, 1 deletion(-)
> > > -
> > > -diff --git a/source3/winbindd/nss_info_template.c b/source3/winbindd/nss_info_template.c
> > > -index 5fdfd9b..de93803 100644
> > > ---- a/source3/winbindd/nss_info_template.c
> > > -+++ b/source3/winbindd/nss_info_template.c
> > > -@@ -48,7 +48,6 @@ static NTSTATUS nss_template_get_info( struct nss_domain_entry *e,
> > > - username */
> > > - *homedir = talloc_strdup( ctx, lp_template_homedir() );
> > > - *shell = talloc_strdup( ctx, lp_template_shell() );
> > > -- *gecos = NULL;
> > > -
> > > - if ( !*homedir || !*shell ) {
> > > - return NT_STATUS_NO_MEMORY;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From d2f3347a264bb7b8b0335404348990f52320b672 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Mon, 14 Jul 2014 18:22:26 +0200
> > > -Subject: [PATCH 249/249] s3-winbindd: prefer "displayName" over "name" in ads
> > > - user queries for the fullname.
> > > -
> > > -This makes use more consistent with security=domain as well where the gecos
> > > -field is also filled using the displayName field.
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Guenther Deschner <gd@samba.org>
> > > -Pair-Programmed-With: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/winbindd/winbindd_ads.c | 16 +++++++++++-----
> > > - 1 file changed, 11 insertions(+), 5 deletions(-)
> > > -
> > > -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
> > > -index a20fba5..4b5b2fa 100644
> > > ---- a/source3/winbindd/winbindd_ads.c
> > > -+++ b/source3/winbindd/winbindd_ads.c
> > > -@@ -327,7 +327,10 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
> > > - }
> > > -
> > > - info->acct_name = ads_pull_username(ads, mem_ctx, msg);
> > > -- info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
> > > -+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
> > > -+ if (info->full_name == NULL) {
> > > -+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
> > > -+ }
> > > - info->homedir = NULL;
> > > - info->shell = NULL;
> > > - info->primary_gid = (gid_t)-1;
> > > -@@ -592,7 +595,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
> > > - struct netr_SamInfo3 *user = NULL;
> > > - gid_t gid = -1;
> > > - int ret;
> > > -- char *ads_name;
> > > -+ char *full_name;
> > > -
> > > - DEBUG(3,("ads: query_user\n"));
> > > -
> > > -@@ -704,7 +707,10 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
> > > - * nss_get_info_cached call. nss_get_info_cached might destroy
> > > - * the ads struct, potentially invalidating the ldap message.
> > > - */
> > > -- ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
> > > -+ full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
> > > -+ if (full_name == NULL) {
> > > -+ full_name = ads_pull_string(ads, mem_ctx, msg, "name");
> > > -+ }
> > > -
> > > - ads_msgfree(ads, msg);
> > > - msg = NULL;
> > > -@@ -720,9 +726,9 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
> > > - }
> > > -
> > > - if (info->full_name == NULL) {
> > > -- info->full_name = ads_name;
> > > -+ info->full_name = full_name;
> > > - } else {
> > > -- TALLOC_FREE(ads_name);
> > > -+ TALLOC_FREE(full_name);
> > > - }
> > > -
> > > - status = NT_STATUS_OK;
> > > ---
> > > -1.9.3
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
> > > deleted file mode 100644
> > > index 7a7bdf5..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
> > > +++ /dev/null
> > > @@ -1,97 +0,0 @@
> > > -From f73c906237aa0c9d45900d69d31c9b39261f062a Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Tue, 16 Sep 2014 18:02:30 +0200
> > > -Subject: [PATCH 1/2] lib: Add daemon_status() to util library.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> > > -(cherry picked from commit 9f5f5fa8ebf845c53b7a92557d7aec56ed820320)
> > > ----
> > > - lib/util/become_daemon.c | 11 +++++++++++
> > > - lib/util/samba_util.h | 6 ++++++
> > > - 2 files changed, 17 insertions(+)
> > > -
> > > -diff --git a/lib/util/become_daemon.c b/lib/util/become_daemon.c
> > > -index 35c8b32..688bedd 100644
> > > ---- a/lib/util/become_daemon.c
> > > -+++ b/lib/util/become_daemon.c
> > > -@@ -135,3 +135,14 @@ _PUBLIC_ void daemon_ready(const char *daemon)
> > > - #endif
> > > - DEBUG(0, ("STATUS=daemon '%s' finished starting up and ready to serve connections", daemon));
> > > - }
> > > -+
> > > -+_PUBLIC_ void daemon_status(const char *name, const char *msg)
> > > -+{
> > > -+ if (name == NULL) {
> > > -+ name = "Samba";
> > > -+ }
> > > -+#ifdef HAVE_SYSTEMD
> > > -+ sd_notifyf(0, "\nSTATUS=%s: %s", name, msg);
> > > -+#endif
> > > -+ DEBUG(0, ("STATUS=daemon '%s' : %s", name, msg));
> > > -+}
> > > -diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
> > > -index e3fe6a6..f4216d8 100644
> > > ---- a/lib/util/samba_util.h
> > > -+++ b/lib/util/samba_util.h
> > > -@@ -853,6 +853,12 @@ _PUBLIC_ void exit_daemon(const char *msg, int error);
> > > - **/
> > > - _PUBLIC_ void daemon_ready(const char *daemon);
> > > -
> > > -+/*
> > > -+ * Report the daemon status. For example if it is not ready to serve connections
> > > -+ * and is waiting for some event to happen.
> > > -+ */
> > > -+_PUBLIC_ void daemon_status(const char *name, const char *msg);
> > > -+
> > > - /**
> > > - * @brief Get a password from the console.
> > > - *
> > > ---
> > > -2.1.0
> > > -
> > > -
> > > -From 7fcd74039961fa0fb02934bc87ce41fd98234f1a Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Tue, 16 Sep 2014 18:03:51 +0200
> > > -Subject: [PATCH 2/2] nmbd: Send waiting status to systemd.
> > > -
> > > -This tells the Administrator what's going on and we should log that IPv6
> > > -is not supported.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Alexander Bokovoy <ab@samba.org>
> > > -
> > > -Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
> > > -Autobuild-Date(master): Wed Sep 17 13:16:43 CEST 2014 on sn-devel-104
> > > -
> > > -(cherry picked from commit 2df601bff0d949e66c79366b8248b9d950c0b430)
> > > ----
> > > - source3/nmbd/nmbd_subnetdb.c | 7 +++++--
> > > - 1 file changed, 5 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source3/nmbd/nmbd_subnetdb.c b/source3/nmbd/nmbd_subnetdb.c
> > > -index 311a240..6c483af 100644
> > > ---- a/source3/nmbd/nmbd_subnetdb.c
> > > -+++ b/source3/nmbd/nmbd_subnetdb.c
> > > -@@ -247,8 +247,11 @@ bool create_subnets(void)
> > > -
> > > - /* Only count IPv4, non-loopback interfaces. */
> > > - if (iface_count_v4_nl() == 0) {
> > > -- DEBUG(0,("create_subnets: No local IPv4 non-loopback interfaces !\n"));
> > > -- DEBUG(0,("create_subnets: Waiting for an interface to appear ...\n"));
> > > -+ daemon_status("nmbd",
> > > -+ "No local IPv4 non-loopback interfaces "
> > > -+ "available, waiting for interface ...");
> > > -+ DEBUG(0,("NOTE: NetBIOS name resolution is not supported for "
> > > -+ "Internet Protocol Version 6 (IPv6).\n"));
> > > - }
> > > -
> > > - /* We only count IPv4, non-loopback interfaces here. */
> > > ---
> > > -2.1.0
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
> > > deleted file mode 100644
> > > index 3215f2c..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
> > > +++ /dev/null
> > > @@ -1,42 +0,0 @@
> > > -From 23dfa2e35bec9c0f6c3d579e7dc2e1d0ce636aa2 Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Fri, 19 Sep 2014 13:33:10 +0200
> > > -Subject: [PATCH] nsswitch: Skip groups we were not able to map.
> > > -
> > > -If we have configured the idmap_ad backend it is possible that the user
> > > -is in a group without a gid set. This will result in (uid_t)-1 as the
> > > -gid. We return this invalid gid to NSS which is wrong.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10824
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: David Disseldorp <ddiss@samba.org>
> > > -
> > > -Autobuild-User(master): David Disseldorp <ddiss@samba.org>
> > > -Autobuild-Date(master): Fri Sep 19 17:57:14 CEST 2014 on sn-devel-104
> > > -
> > > -(cherry picked from commit 7f59711f076e98ece099f6b38ff6da8c80fa6d5e)
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - nsswitch/winbind_nss_linux.c | 5 +++++
> > > - 1 file changed, 5 insertions(+)
> > > -
> > > -diff --git a/nsswitch/winbind_nss_linux.c b/nsswitch/winbind_nss_linux.c
> > > -index 8d66a74..70ede3e 100644
> > > ---- a/nsswitch/winbind_nss_linux.c
> > > -+++ b/nsswitch/winbind_nss_linux.c
> > > -@@ -1101,6 +1101,11 @@ _nss_winbind_initgroups_dyn(char *user, gid_t group, long int *start,
> > > - continue;
> > > - }
> > > -
> > > -+ /* Skip groups without a mapping */
> > > -+ if (gid_list[i] == (uid_t)-1) {
> > > -+ continue;
> > > -+ }
> > > -+
> > > - /* Filled buffer ? If so, resize. */
> > > -
> > > - if (*start == *size) {
> > > ---
> > > -2.1.0
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
> > > deleted file mode 100644
> > > index 394a640..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
> > > +++ /dev/null
> > > @@ -1,44 +0,0 @@
> > > -From dc6b86b93c8f059b0cc96c364ffad05c88b7d92e Mon Sep 17 00:00:00 2001
> > > -From: Christof Schmitt <cs@samba.org>
> > > -Date: Fri, 22 Aug 2014 09:15:59 -0700
> > > -Subject: [PATCH] s3-winbindd: Use correct realm for trusted domains in idmap child
> > > -
> > > -When authenticating users in a trusted domain, the idmap_ad module
> > > -always connects to a local DC instead of one in the trusted domain.
> > > -
> > > -Fix this by passing the correct realm to connect to.
> > > -
> > > -Also Comment parameters passed to ads_cached_connection_connect
> > > -
> > > -Signed-off-by: Christof Schmitt <cs@samba.org>
> > > -Reviewed-by: Jeremy Allison <jra@samba.org>
> > > -(cherry picked from commit c203c722e7e22f9146f2ecf6f42452c0e82042e4)
> > > ----
> > > - source3/winbindd/winbindd_ads.c | 11 +++++++++--
> > > - 1 files changed, 9 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
> > > -index 4c26389..e47613e 100644
> > > ---- a/source3/winbindd/winbindd_ads.c
> > > -+++ b/source3/winbindd/winbindd_ads.c
> > > -@@ -187,8 +187,15 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
> > > - }
> > > - }
> > > -
> > > -- status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
> > > -- password, realm, 0);
> > > -+ status = ads_cached_connection_connect(
> > > -+ adsp, /* Returns ads struct. */
> > > -+ wb_dom->alt_name, /* realm to connect to. */
> > > -+ dom_name, /* 'workgroup' name for ads_init */
> > > -+ ldap_server, /* DNS name to connect to. */
> > > -+ password, /* password for auth realm. */
> > > -+ realm, /* realm used for krb5 ticket. */
> > > -+ 0); /* renewable ticket time. */
> > > -+
> > > - SAFE_FREE(realm);
> > > -
> > > - return status;
> > > ---
> > > -1.7.1
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
> > > deleted file mode 100644
> > > index a1b05b8..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
> > > +++ /dev/null
> > > @@ -1,35 +0,0 @@
> > > -From 0aab8ae3c137e5900d22160555bcef57cd62ca21 Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Wed, 17 Sep 2014 15:17:50 +0200
> > > -Subject: [PATCH 2/2] libcli: Fix a segfault calling smbXcli_req_set_pending()
> > > - on NULL.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10817
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Jeremy Allison <jra@samba.org>
> > > -
> > > -Autobuild-User(master): Jeremy Allison <jra@samba.org>
> > > -Autobuild-Date(master): Tue Sep 23 04:23:05 CEST 2014 on sn-devel-104
> > > -
> > > -(cherry picked from commit f92086f4a347dcc8fa948aa2614a2c12f1115e5a)
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - libcli/smb/smb1cli_echo.c | 1 -
> > > - 1 file changed, 1 deletion(-)
> > > -
> > > -diff --git a/libcli/smb/smb1cli_echo.c b/libcli/smb/smb1cli_echo.c
> > > -index 4fb7c60..10dff2d 100644
> > > ---- a/libcli/smb/smb1cli_echo.c
> > > -+++ b/libcli/smb/smb1cli_echo.c
> > > -@@ -96,7 +96,6 @@ static void smb1cli_echo_done(struct tevent_req *subreq)
> > > - NULL, /* pbytes_offset */
> > > - NULL, /* pinbuf */
> > > - expected, ARRAY_SIZE(expected));
> > > -- TALLOC_FREE(subreq);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - tevent_req_nterror(req, status);
> > > - return;
> > > ---
> > > -2.1.0
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
> > > deleted file mode 100644
> > > index 35f4d8c..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
> > > +++ /dev/null
> > > @@ -1,180 +0,0 @@
> > > -From 579901faf787d8d787c978324bdec87c349e3d9b Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Tue, 23 Sep 2014 14:09:41 +0200
> > > -Subject: [PATCH] s3-libads: Improve service principle guessing.
> > > -
> > > -If the name passed to the net command with the -S options is the long
> > > -hostname of the domaincontroller and not the 15 char NetBIOS name we
> > > -should construct a FQDN with the realm to get a Kerberos ticket.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10829
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > > -(cherry picked from commit 83c62bd3f5945bbe295cbfbd153736d4c709b3a6)
> > > ----
> > > - source3/libads/sasl.c | 124 +++++++++++++++++++++++++++-----------------------
> > > - 1 file changed, 66 insertions(+), 58 deletions(-)
> > > -
> > > -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
> > > -index 33f4e24..1450ff1 100644
> > > ---- a/source3/libads/sasl.c
> > > -+++ b/source3/libads/sasl.c
> > > -@@ -714,88 +714,96 @@ static void ads_free_service_principal(struct ads_service_principal *p)
> > > - static ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
> > > - char **returned_principal)
> > > - {
> > > -+ ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY);
> > > - char *princ = NULL;
> > > -+ TALLOC_CTX *frame;
> > > -+ char *server = NULL;
> > > -+ char *realm = NULL;
> > > -+ int rc;
> > > -
> > > -- if (ads->server.realm && ads->server.ldap_server) {
> > > -- char *server, *server_realm;
> > > --
> > > -- server = SMB_STRDUP(ads->server.ldap_server);
> > > -- server_realm = SMB_STRDUP(ads->server.realm);
> > > --
> > > -- if (!server || !server_realm) {
> > > -- SAFE_FREE(server);
> > > -- SAFE_FREE(server_realm);
> > > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > > -- }
> > > -+ frame = talloc_stackframe();
> > > -+ if (frame == NULL) {
> > > -+ return ADS_ERROR(LDAP_NO_MEMORY);
> > > -+ }
> > > -
> > > -- if (!strlower_m(server)) {
> > > -- SAFE_FREE(server);
> > > -- SAFE_FREE(server_realm);
> > > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > > -+ if (ads->server.realm && ads->server.ldap_server) {
> > > -+ server = strlower_talloc(frame, ads->server.ldap_server);
> > > -+ if (server == NULL) {
> > > -+ goto out;
> > > - }
> > > -
> > > -- if (!strupper_m(server_realm)) {
> > > -- SAFE_FREE(server);
> > > -- SAFE_FREE(server_realm);
> > > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > > -+ realm = strupper_talloc(frame, ads->server.realm);
> > > -+ if (realm == NULL) {
> > > -+ goto out;
> > > - }
> > > -
> > > -- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
> > > -- SAFE_FREE(server);
> > > -- SAFE_FREE(server_realm);
> > > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > > -- }
> > > -+ /*
> > > -+ * If we got a name which is bigger than a NetBIOS name,
> > > -+ * but isn't a FQDN, create one.
> > > -+ */
> > > -+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
> > > -+ char *dnsdomain;
> > > -
> > > -- SAFE_FREE(server);
> > > -- SAFE_FREE(server_realm);
> > > -+ dnsdomain = strlower_talloc(frame, ads->server.realm);
> > > -+ if (dnsdomain == NULL) {
> > > -+ goto out;
> > > -+ }
> > > -
> > > -- if (!princ) {
> > > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > > -+ server = talloc_asprintf(frame,
> > > -+ "%s.%s",
> > > -+ server, dnsdomain);
> > > -+ if (server == NULL) {
> > > -+ goto out;
> > > -+ }
> > > - }
> > > - } else if (ads->config.realm && ads->config.ldap_server_name) {
> > > -- char *server, *server_realm;
> > > --
> > > -- server = SMB_STRDUP(ads->config.ldap_server_name);
> > > -- server_realm = SMB_STRDUP(ads->config.realm);
> > > --
> > > -- if (!server || !server_realm) {
> > > -- SAFE_FREE(server);
> > > -- SAFE_FREE(server_realm);
> > > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > > -+ server = strlower_talloc(frame, ads->config.ldap_server_name);
> > > -+ if (server == NULL) {
> > > -+ goto out;
> > > - }
> > > -
> > > -- if (!strlower_m(server)) {
> > > -- SAFE_FREE(server);
> > > -- SAFE_FREE(server_realm);
> > > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > > -+ realm = strupper_talloc(frame, ads->config.realm);
> > > -+ if (realm == NULL) {
> > > -+ goto out;
> > > - }
> > > -
> > > -- if (!strupper_m(server_realm)) {
> > > -- SAFE_FREE(server);
> > > -- SAFE_FREE(server_realm);
> > > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > > -- }
> > > -- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
> > > -- SAFE_FREE(server);
> > > -- SAFE_FREE(server_realm);
> > > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > > -- }
> > > -+ /*
> > > -+ * If we got a name which is bigger than a NetBIOS name,
> > > -+ * but isn't a FQDN, create one.
> > > -+ */
> > > -+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
> > > -+ char *dnsdomain;
> > > -
> > > -- SAFE_FREE(server);
> > > -- SAFE_FREE(server_realm);
> > > -+ dnsdomain = strlower_talloc(frame, ads->server.realm);
> > > -+ if (dnsdomain == NULL) {
> > > -+ goto out;
> > > -+ }
> > > -
> > > -- if (!princ) {
> > > -- return ADS_ERROR(LDAP_NO_MEMORY);
> > > -+ server = talloc_asprintf(frame,
> > > -+ "%s.%s",
> > > -+ server, dnsdomain);
> > > -+ if (server == NULL) {
> > > -+ goto out;
> > > -+ }
> > > - }
> > > - }
> > > -
> > > -- if (!princ) {
> > > -- return ADS_ERROR(LDAP_PARAM_ERROR);
> > > -+ if (server == NULL || realm == NULL) {
> > > -+ goto out;
> > > -+ }
> > > -+
> > > -+ rc = asprintf(&princ, "ldap/%s@%s", server, realm);
> > > -+ if (rc == -1 || princ == NULL) {
> > > -+ status = ADS_ERROR(LDAP_PARAM_ERROR);
> > > -+ goto out;
> > > - }
> > > -
> > > - *returned_principal = princ;
> > > -
> > > -- return ADS_SUCCESS;
> > > -+ status = ADS_SUCCESS;
> > > -+out:
> > > -+ TALLOC_FREE(frame);
> > > -+ return status;
> > > - }
> > > -
> > > - static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
> > > ---
> > > -2.1.0
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
> > > deleted file mode 100644
> > > index 5d309f1..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
> > > +++ /dev/null
> > > @@ -1,329 +0,0 @@
> > > -From 1925edc67e223d73d672af48c2ebd3e5865e01d9 Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Wed, 24 Sep 2014 09:22:03 +0200
> > > -Subject: [PATCH 1/4] s3-libads: Add a function to retrieve the SPNs of a
> > > - computer account.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > > -(cherry picked from commit 4eaa4ccbdf279f1ff6d8218b36d92aeea0114cd8)
> > > ----
> > > - source3/libads/ads_proto.h | 6 +++++
> > > - source3/libads/ldap.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++
> > > - 2 files changed, 66 insertions(+)
> > > -
> > > -diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
> > > -index 17a84d1..6a22807 100644
> > > ---- a/source3/libads/ads_proto.h
> > > -+++ b/source3/libads/ads_proto.h
> > > -@@ -87,6 +87,12 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
> > > - const char *name, const char **vals);
> > > - uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
> > > - uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
> > > -+
> > > -+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
> > > -+ ADS_STRUCT *ads,
> > > -+ const char *machine_name,
> > > -+ char ***spn_array,
> > > -+ size_t *num_spns);
> > > - ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
> > > - ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
> > > - const char *my_fqdn, const char *spn);
> > > -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
> > > -index fb99132..51a0883 100644
> > > ---- a/source3/libads/ldap.c
> > > -+++ b/source3/libads/ldap.c
> > > -@@ -1927,6 +1927,66 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
> > > - }
> > > -
> > > - /**
> > > -+ * @brief This gets the service principal names of an existing computer account.
> > > -+ *
> > > -+ * @param[in] mem_ctx The memory context to use to allocate the spn array.
> > > -+ *
> > > -+ * @param[in] ads The ADS context to use.
> > > -+ *
> > > -+ * @param[in] machine_name The NetBIOS name of the computer, which is used to
> > > -+ * identify the computer account.
> > > -+ *
> > > -+ * @param[in] spn_array A pointer to store the array for SPNs.
> > > -+ *
> > > -+ * @param[in] num_spns The number of principals stored in the array.
> > > -+ *
> > > -+ * @return 0 on success, or a ADS error if a failure occured.
> > > -+ */
> > > -+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
> > > -+ ADS_STRUCT *ads,
> > > -+ const char *machine_name,
> > > -+ char ***spn_array,
> > > -+ size_t *num_spns)
> > > -+{
> > > -+ ADS_STATUS status;
> > > -+ LDAPMessage *res = NULL;
> > > -+ char *dn;
> > > -+ int count;
> > > -+
> > > -+ status = ads_find_machine_acct(ads,
> > > -+ &res,
> > > -+ machine_name);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
> > > -+ machine_name));
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ count = ads_count_replies(ads, res);
> > > -+ if (count != 1) {
> > > -+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ dn = ads_get_dn(ads, mem_ctx, res);
> > > -+ if (dn == NULL) {
> > > -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ *spn_array = ads_pull_strings(ads,
> > > -+ mem_ctx,
> > > -+ res,
> > > -+ "servicePrincipalName",
> > > -+ num_spns);
> > > -+
> > > -+done:
> > > -+ ads_msgfree(ads, res);
> > > -+
> > > -+ return status;
> > > -+}
> > > -+
> > > -+/**
> > > - * This adds a service principal name to an existing computer account
> > > - * (found by hostname) in AD.
> > > - * @param ads An initialized ADS_STRUCT
> > > ---
> > > -2.1.0
> > > -
> > > -
> > > -From ed3b6536e1027a26d7983942f62677aa2bc0e93c Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Wed, 24 Sep 2014 09:23:58 +0200
> > > -Subject: [PATCH 2/4] s3-libads: Add function to search for an element in an
> > > - array.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > > -(cherry picked from commit e1ee4c8bc7018db7787dd9a0be6d3aa40a477ee2)
> > > ----
> > > - source3/libads/ads_proto.h | 2 ++
> > > - source3/libads/ldap.c | 31 +++++++++++++++++++++++++++++++
> > > - 2 files changed, 33 insertions(+)
> > > -
> > > -diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
> > > -index 6a22807..1e34247 100644
> > > ---- a/source3/libads/ads_proto.h
> > > -+++ b/source3/libads/ads_proto.h
> > > -@@ -88,6 +88,8 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
> > > - uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
> > > - uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
> > > -
> > > -+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el);
> > > -+
> > > - ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
> > > - ADS_STRUCT *ads,
> > > - const char *machine_name,
> > > -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
> > > -index 51a0883..8d104c2 100644
> > > ---- a/source3/libads/ldap.c
> > > -+++ b/source3/libads/ldap.c
> > > -@@ -1927,6 +1927,37 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
> > > - }
> > > -
> > > - /**
> > > -+ * @brief Search for an element in a string array.
> > > -+ *
> > > -+ * @param[in] el_array The string array to search.
> > > -+ *
> > > -+ * @param[in] num_el The number of elements in the string array.
> > > -+ *
> > > -+ * @param[in] el The string to search.
> > > -+ *
> > > -+ * @return True if found, false if not.
> > > -+ */
> > > -+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
> > > -+{
> > > -+ size_t i;
> > > -+
> > > -+ if (el_array == NULL || num_el == 0 || el == NULL) {
> > > -+ return false;
> > > -+ }
> > > -+
> > > -+ for (i = 0; i < num_el && el_array[i] != NULL; i++) {
> > > -+ int cmp;
> > > -+
> > > -+ cmp = strcasecmp_m(el_array[i], el);
> > > -+ if (cmp == 0) {
> > > -+ return true;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ return false;
> > > -+}
> > > -+
> > > -+/**
> > > - * @brief This gets the service principal names of an existing computer account.
> > > - *
> > > - * @param[in] mem_ctx The memory context to use to allocate the spn array.
> > > ---
> > > -2.1.0
> > > -
> > > -
> > > -From 11700f1398d6197a99c686f1a43b45d6305ceae8 Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Fri, 26 Sep 2014 03:09:08 +0200
> > > -Subject: [PATCH 3/4] s3-libnet: Add libnet_join_get_machine_spns().
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > > -(cherry picked from commit 7e0b8fcce5572c88d50993a1dbd90f65638ba90f)
> > > ----
> > > - source3/libnet/libnet_join.c | 20 ++++++++++++++++++++
> > > - 1 file changed, 20 insertions(+)
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index 1418385..3611cc7 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -358,6 +358,26 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
> > > - return status;
> > > - }
> > > -
> > > -+static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
> > > -+ struct libnet_JoinCtx *r,
> > > -+ char ***spn_array,
> > > -+ size_t *num_spns)
> > > -+{
> > > -+ ADS_STATUS status;
> > > -+
> > > -+ if (r->in.machine_name == NULL) {
> > > -+ return ADS_ERROR_SYSTEM(EINVAL);
> > > -+ }
> > > -+
> > > -+ status = ads_get_service_principal_names(mem_ctx,
> > > -+ r->in.ads,
> > > -+ r->in.machine_name,
> > > -+ spn_array,
> > > -+ num_spns);
> > > -+
> > > -+ return status;
> > > -+}
> > > -+
> > > - /****************************************************************
> > > - Set a machines dNSHostName and servicePrincipalName attributes
> > > - ****************************************************************/
> > > ---
> > > -2.1.0
> > > -
> > > -
> > > -From 472256e27ad5cb5e7657efaece71744269ca8d16 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 26 Sep 2014 03:35:43 +0200
> > > -Subject: [PATCH 4/4] s3-libnet: Make sure we do not overwrite precreated SPNs.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -
> > > -Autobuild-User(master): Günther Deschner <gd@samba.org>
> > > -Autobuild-Date(master): Fri Sep 26 08:22:45 CEST 2014 on sn-devel-104
> > > -
> > > -(cherry picked from commit 0aacbe78bb40d76b65087c2a197c92b0101e625e)
> > > ----
> > > - source3/libnet/libnet_join.c | 39 ++++++++++++++++++++++++++++++++++++---
> > > - 1 file changed, 36 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index 3611cc7..aa7b5cb 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -388,8 +388,10 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> > > - ADS_STATUS status;
> > > - ADS_MODLIST mods;
> > > - fstring my_fqdn;
> > > -- const char *spn_array[3] = {NULL, NULL, NULL};
> > > -+ const char **spn_array = NULL;
> > > -+ size_t num_spns = 0;
> > > - char *spn = NULL;
> > > -+ bool ok;
> > > -
> > > - /* Find our DN */
> > > -
> > > -@@ -398,6 +400,14 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> > > - return status;
> > > - }
> > > -
> > > -+ status = libnet_join_get_machine_spns(mem_ctx,
> > > -+ r,
> > > -+ discard_const_p(char **, &spn_array),
> > > -+ &num_spns);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ DEBUG(5, ("Retrieving the servicePrincipalNames failed.\n"));
> > > -+ }
> > > -+
> > > - /* Windows only creates HOST/shortname & HOST/fqdn. */
> > > -
> > > - spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
> > > -@@ -407,7 +417,15 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> > > - if (!strupper_m(spn)) {
> > > - return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> > > - }
> > > -- spn_array[0] = spn;
> > > -+
> > > -+ ok = ads_element_in_array(spn_array, num_spns, spn);
> > > -+ if (!ok) {
> > > -+ ok = add_string_to_array(spn_array, spn,
> > > -+ &spn_array, (int *)&num_spns);
> > > -+ if (!ok) {
> > > -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> > > -+ }
> > > -+ }
> > > -
> > > - if (!name_to_fqdn(my_fqdn, r->in.machine_name)
> > > - || (strchr(my_fqdn, '.') == NULL)) {
> > > -@@ -424,8 +442,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> > > - if (!spn) {
> > > - return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> > > - }
> > > -- spn_array[1] = spn;
> > > -+
> > > -+ ok = ads_element_in_array(spn_array, num_spns, spn);
> > > -+ if (!ok) {
> > > -+ ok = add_string_to_array(spn_array, spn,
> > > -+ &spn_array, (int *)&num_spns);
> > > -+ if (!ok) {
> > > -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> > > -+ }
> > > -+ }
> > > -+ }
> > > -+
> > > -+ /* make sure to NULL terminate the array */
> > > -+ spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
> > > -+ if (spn_array == NULL) {
> > > -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> > > - }
> > > -+ spn_array[num_spns] = NULL;
> > > -
> > > - mods = ads_init_mods(mem_ctx);
> > > - if (!mods) {
> > > ---
> > > -2.1.0
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
> > > deleted file mode 100644
> > > index 2174e15..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
> > > +++ /dev/null
> > > @@ -1,159 +0,0 @@
> > > -From 3516236ec6eb42f29eda42542b109fa10217e68c Mon Sep 17 00:00:00 2001
> > > -From: Andreas Schneider <asn@samba.org>
> > > -Date: Wed, 24 Sep 2014 10:51:33 +0200
> > > -Subject: [PATCH] s3-libads: Add all machine account principals to the keytab.
> > > -
> > > -This adds all SPNs defined in the DC for the computer account to the
> > > -keytab using 'net ads keytab create -P'.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9985
> > > -
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Guenther Deschner <gd@samba.org>
> > > -(cherry picked from commit 5d58b92f8fcbc509f4fe2bd3617bcaeada1806b6)
> > > ----
> > > - source3/libads/kerberos_keytab.c | 74 ++++++++++++++++++++++++++++------------
> > > - 1 file changed, 52 insertions(+), 22 deletions(-)
> > > -
> > > -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
> > > -index 83df088..d13625b 100644
> > > ---- a/source3/libads/kerberos_keytab.c
> > > -+++ b/source3/libads/kerberos_keytab.c
> > > -@@ -507,20 +507,57 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> > > - krb5_kt_cursor cursor;
> > > - krb5_keytab_entry kt_entry;
> > > - krb5_kvno kvno;
> > > -- int i, found = 0;
> > > -+ size_t found = 0;
> > > - char *sam_account_name, *upn;
> > > - char **oldEntries = NULL, *princ_s[26];
> > > -- TALLOC_CTX *tmpctx = NULL;
> > > -+ TALLOC_CTX *frame;
> > > - char *machine_name;
> > > -+ char **spn_array;
> > > -+ size_t num_spns;
> > > -+ size_t i;
> > > -+ ADS_STATUS status;
> > > -
> > > -- /* these are the main ones we need */
> > > -- ret = ads_keytab_add_entry(ads, "host");
> > > -- if (ret != 0) {
> > > -- DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
> > > -- "adding 'host' principal.\n"));
> > > -- return ret;
> > > -+ frame = talloc_stackframe();
> > > -+ if (frame == NULL) {
> > > -+ ret = -1;
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ status = ads_get_service_principal_names(frame,
> > > -+ ads,
> > > -+ lp_netbios_name(),
> > > -+ &spn_array,
> > > -+ &num_spns);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ ret = -1;
> > > -+ goto done;
> > > - }
> > > -
> > > -+ for (i = 0; i < num_spns; i++) {
> > > -+ char *srv_princ;
> > > -+ char *p;
> > > -+
> > > -+ srv_princ = strlower_talloc(frame, spn_array[i]);
> > > -+ if (srv_princ == NULL) {
> > > -+ ret = -1;
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ p = strchr_m(srv_princ, '/');
> > > -+ if (p == NULL) {
> > > -+ continue;
> > > -+ }
> > > -+ p[0] = '\0';
> > > -+
> > > -+ /* Add the SPNs found on the DC */
> > > -+ ret = ads_keytab_add_entry(ads, srv_princ);
> > > -+ if (ret != 0) {
> > > -+ DEBUG(1, ("ads_keytab_add_entry failed while "
> > > -+ "adding '%s' principal.\n",
> > > -+ spn_array[i]));
> > > -+ goto done;
> > > -+ }
> > > -+ }
> > > -
> > > - #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
> > > - really needs them and we will fall back to verifying against
> > > -@@ -543,24 +580,17 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> > > - if (ret) {
> > > - DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
> > > - error_message(ret)));
> > > -- return ret;
> > > -- }
> > > --
> > > -- tmpctx = talloc_init(__location__);
> > > -- if (!tmpctx) {
> > > -- DEBUG(0, (__location__ ": talloc_init() failed!\n"));
> > > -- ret = -1;
> > > - goto done;
> > > - }
> > > -
> > > -- machine_name = talloc_strdup(tmpctx, lp_netbios_name());
> > > -+ machine_name = talloc_strdup(frame, lp_netbios_name());
> > > - if (!machine_name) {
> > > - ret = -1;
> > > - goto done;
> > > - }
> > > -
> > > - /* now add the userPrincipalName and sAMAccountName entries */
> > > -- sam_account_name = ads_get_samaccountname(ads, tmpctx, machine_name);
> > > -+ sam_account_name = ads_get_samaccountname(ads, frame, machine_name);
> > > - if (!sam_account_name) {
> > > - DEBUG(0, (__location__ ": unable to determine machine "
> > > - "account's name in AD!\n"));
> > > -@@ -584,7 +614,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> > > - }
> > > -
> > > - /* remember that not every machine account will have a upn */
> > > -- upn = ads_get_upn(ads, tmpctx, machine_name);
> > > -+ upn = ads_get_upn(ads, frame, machine_name);
> > > - if (upn) {
> > > - ret = ads_keytab_add_entry(ads, upn);
> > > - if (ret != 0) {
> > > -@@ -596,7 +626,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> > > -
> > > - /* Now loop through the keytab and update any other existing entries */
> > > - kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
> > > -- if (kvno == -1) {
> > > -+ if (kvno == (krb5_kvno)-1) {
> > > - DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
> > > - "determine the system's kvno.\n"));
> > > - goto done;
> > > -@@ -629,12 +659,12 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> > > - * have a race condition where someone else could add entries after
> > > - * we've counted them. Re-open asap to minimise the race. JRA.
> > > - */
> > > -- DEBUG(3, (__location__ ": Found %d entries in the keytab.\n", found));
> > > -+ DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
> > > - if (!found) {
> > > - goto done;
> > > - }
> > > -
> > > -- oldEntries = talloc_array(tmpctx, char *, found);
> > > -+ oldEntries = talloc_array(frame, char *, found);
> > > - if (!oldEntries) {
> > > - DEBUG(1, (__location__ ": Failed to allocate space to store "
> > > - "the old keytab entries (talloc failed?).\n"));
> > > -@@ -708,7 +738,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
> > > -
> > > - done:
> > > - TALLOC_FREE(oldEntries);
> > > -- TALLOC_FREE(tmpctx);
> > > -+ TALLOC_FREE(frame);
> > > -
> > > - {
> > > - krb5_keytab_entry zero_kt_entry;
> > > ---
> > > -2.1.0
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
> > > deleted file mode 100644
> > > index a939e70..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
> > > +++ /dev/null
> > > @@ -1,988 +0,0 @@
> > > -From cbef7b5e10f4477d9f2e648ac6c654eef1165b82 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 24 Sep 2014 22:16:20 +0200
> > > -Subject: [PATCH 1/4] s3-net: add "net ads enctypes {list,set,delete}".
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source3/utils/net_ads.c | 308 ++++++++++++++++++++++++++++++++++++++++++++++++
> > > - 1 file changed, 308 insertions(+)
> > > -
> > > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > > -index 8b8e719..5f18bf4 100644
> > > ---- a/source3/utils/net_ads.c
> > > -+++ b/source3/utils/net_ads.c
> > > -@@ -2860,6 +2860,306 @@ int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
> > > - return net_run_function(c, argc, argv, "net ads kerberos", func);
> > > - }
> > > -
> > > -+static int net_ads_enctype_lookup_account(struct net_context *c,
> > > -+ ADS_STRUCT *ads,
> > > -+ const char *account,
> > > -+ LDAPMessage **res,
> > > -+ const char **enctype_str)
> > > -+{
> > > -+ const char *filter;
> > > -+ const char *attrs[] = {
> > > -+ "msDS-SupportedEncryptionTypes",
> > > -+ NULL
> > > -+ };
> > > -+ int count;
> > > -+ int ret = -1;
> > > -+ ADS_STATUS status;
> > > -+
> > > -+ filter = talloc_asprintf(c, "(&(objectclass=user)(sAMAccountName=%s))",
> > > -+ account);
> > > -+ if (filter == NULL) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ status = ads_search(ads, res, filter, attrs);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ d_printf(_("no account found with filter: %s\n"), filter);
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ count = ads_count_replies(ads, *res);
> > > -+ switch (count) {
> > > -+ case 1:
> > > -+ break;
> > > -+ case 0:
> > > -+ d_printf(_("no account found with filter: %s\n"), filter);
> > > -+ goto done;
> > > -+ default:
> > > -+ d_printf(_("multiple accounts found with filter: %s\n"), filter);
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ if (enctype_str) {
> > > -+ *enctype_str = ads_pull_string(ads, c, *res,
> > > -+ "msDS-SupportedEncryptionTypes");
> > > -+ if (*enctype_str == NULL) {
> > > -+ d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n"));
> > > -+ goto done;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ ret = 0;
> > > -+ done:
> > > -+ return ret;
> > > -+}
> > > -+
> > > -+static void net_ads_enctype_dump_enctypes(const char *username,
> > > -+ const char *enctype_str)
> > > -+{
> > > -+ int enctypes;
> > > -+
> > > -+ d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\":\n"), username);
> > > -+
> > > -+ enctypes = atoi(enctype_str);
> > > -+
> > > -+ printf("[%s] 0x%08x DES-CBC-CRC\n",
> > > -+ enctypes & ENC_CRC32 ? "X" : " ",
> > > -+ ENC_CRC32);
> > > -+ printf("[%s] 0x%08x DES-CBC-MD5\n",
> > > -+ enctypes & ENC_RSA_MD5 ? "X" : " ",
> > > -+ ENC_RSA_MD5);
> > > -+ printf("[%s] 0x%08x RC4-HMAC\n",
> > > -+ enctypes & ENC_RC4_HMAC_MD5 ? "X" : " ",
> > > -+ ENC_RC4_HMAC_MD5);
> > > -+ printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n",
> > > -+ enctypes & ENC_HMAC_SHA1_96_AES128 ? "X" : " ",
> > > -+ ENC_HMAC_SHA1_96_AES128);
> > > -+ printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n",
> > > -+ enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ",
> > > -+ ENC_HMAC_SHA1_96_AES256);
> > > -+}
> > > -+
> > > -+static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
> > > -+{
> > > -+ int ret = -1;
> > > -+ ADS_STATUS status;
> > > -+ ADS_STRUCT *ads = NULL;
> > > -+ LDAPMessage *res = NULL;
> > > -+ const char *str = NULL;
> > > -+
> > > -+ if (c->display_usage || (argc < 1)) {
> > > -+ d_printf( "%s\n"
> > > -+ "net ads enctypes list\n"
> > > -+ " %s\n",
> > > -+ _("Usage:"),
> > > -+ _("List supported enctypes"));
> > > -+ return 0;
> > > -+ }
> > > -+
> > > -+ status = ads_startup(c, false, &ads);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ printf("startup failed\n");
> > > -+ return ret;
> > > -+ }
> > > -+
> > > -+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
> > > -+ if (ret) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ net_ads_enctype_dump_enctypes(argv[0], str);
> > > -+
> > > -+ ret = 0;
> > > -+ done:
> > > -+ ads_msgfree(ads, res);
> > > -+ ads_destroy(&ads);
> > > -+
> > > -+ return ret;
> > > -+}
> > > -+
> > > -+static int net_ads_enctypes_set(struct net_context *c, int argc, const char **argv)
> > > -+{
> > > -+ int ret = -1;
> > > -+ ADS_STATUS status;
> > > -+ ADS_STRUCT *ads;
> > > -+ LDAPMessage *res = NULL;
> > > -+ const char *etype_list_str;
> > > -+ const char *dn;
> > > -+ ADS_MODLIST mods;
> > > -+ uint32_t etype_list;
> > > -+ const char *str;
> > > -+
> > > -+ if (c->display_usage || argc < 1) {
> > > -+ d_printf( "%s\n"
> > > -+ "net ads enctypes set <sAMAccountName> [enctypes]\n"
> > > -+ " %s\n",
> > > -+ _("Usage:"),
> > > -+ _("Set supported enctypes"));
> > > -+ return 0;
> > > -+ }
> > > -+
> > > -+ status = ads_startup(c, false, &ads);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ printf("startup failed\n");
> > > -+ return ret;
> > > -+ }
> > > -+
> > > -+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
> > > -+ if (ret) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ dn = ads_get_dn(ads, c, res);
> > > -+ if (dn == NULL) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
> > > -+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
> > > -+ etype_list |= ENC_HMAC_SHA1_96_AES128;
> > > -+#endif
> > > -+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
> > > -+ etype_list |= ENC_HMAC_SHA1_96_AES256;
> > > -+#endif
> > > -+
> > > -+ if (argv[1] != NULL) {
> > > -+ sscanf(argv[1], "%i", &etype_list);
> > > -+ }
> > > -+
> > > -+ etype_list_str = talloc_asprintf(c, "%d", etype_list);
> > > -+ if (!etype_list_str) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ mods = ads_init_mods(c);
> > > -+ if (!mods) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes",
> > > -+ etype_list_str);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ status = ads_gen_mod(ads, dn, mods);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"),
> > > -+ ads_errstr(status));
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ ads_msgfree(ads, res);
> > > -+
> > > -+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
> > > -+ if (ret) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ net_ads_enctype_dump_enctypes(argv[0], str);
> > > -+
> > > -+ ret = 0;
> > > -+ done:
> > > -+ ads_msgfree(ads, res);
> > > -+ ads_destroy(&ads);
> > > -+
> > > -+ return ret;
> > > -+}
> > > -+
> > > -+static int net_ads_enctypes_delete(struct net_context *c, int argc, const char **argv)
> > > -+{
> > > -+ int ret = -1;
> > > -+ ADS_STATUS status;
> > > -+ ADS_STRUCT *ads;
> > > -+ LDAPMessage *res = NULL;
> > > -+ const char *dn;
> > > -+ ADS_MODLIST mods;
> > > -+
> > > -+ if (c->display_usage || argc < 1) {
> > > -+ d_printf( "%s\n"
> > > -+ "net ads enctypes delete <sAMAccountName>\n"
> > > -+ " %s\n",
> > > -+ _("Usage:"),
> > > -+ _("Delete supported enctypes"));
> > > -+ return 0;
> > > -+ }
> > > -+
> > > -+ status = ads_startup(c, false, &ads);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ printf("startup failed\n");
> > > -+ return ret;
> > > -+ }
> > > -+
> > > -+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
> > > -+ if (ret) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ dn = ads_get_dn(ads, c, res);
> > > -+ if (dn == NULL) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ mods = ads_init_mods(c);
> > > -+ if (!mods) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes", NULL);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ status = ads_gen_mod(ads, dn, mods);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"),
> > > -+ ads_errstr(status));
> > > -+ goto done;
> > > -+ }
> > > -+
> > > -+ ret = 0;
> > > -+
> > > -+ done:
> > > -+ ads_msgfree(ads, res);
> > > -+ ads_destroy(&ads);
> > > -+ return ret;
> > > -+}
> > > -+
> > > -+static int net_ads_enctypes(struct net_context *c, int argc, const char **argv)
> > > -+{
> > > -+ struct functable func[] = {
> > > -+ {
> > > -+ "list",
> > > -+ net_ads_enctypes_list,
> > > -+ NET_TRANSPORT_ADS,
> > > -+ N_("List the supported encryption types"),
> > > -+ N_("net ads enctypes list\n"
> > > -+ " List the supported encryption types")
> > > -+ },
> > > -+ {
> > > -+ "set",
> > > -+ net_ads_enctypes_set,
> > > -+ NET_TRANSPORT_ADS,
> > > -+ N_("Set the supported encryption types"),
> > > -+ N_("net ads enctypes set\n"
> > > -+ " Set the supported encryption types")
> > > -+ },
> > > -+ {
> > > -+ "delete",
> > > -+ net_ads_enctypes_delete,
> > > -+ NET_TRANSPORT_ADS,
> > > -+ N_("Delete the supported encryption types"),
> > > -+ N_("net ads enctypes delete\n"
> > > -+ " Delete the supported encryption types")
> > > -+ },
> > > -+
> > > -+ {NULL, NULL, 0, NULL, NULL}
> > > -+ };
> > > -+
> > > -+ return net_run_function(c, argc, argv, "net ads enctypes", func);
> > > -+}
> > > -+
> > > -+
> > > - int net_ads(struct net_context *c, int argc, const char **argv)
> > > - {
> > > - struct functable func[] = {
> > > -@@ -3015,6 +3315,14 @@ int net_ads(struct net_context *c, int argc, const char **argv)
> > > - N_("net ads kerberos\n"
> > > - " Manage kerberos keytab")
> > > - },
> > > -+ {
> > > -+ "enctypes",
> > > -+ net_ads_enctypes,
> > > -+ NET_TRANSPORT_ADS,
> > > -+ N_("List/modify supported encryption types"),
> > > -+ N_("net ads enctypes\n"
> > > -+ " List/modify enctypes")
> > > -+ },
> > > - {NULL, NULL, 0, NULL, NULL}
> > > - };
> > > -
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From a19f1e51bd7d48b238ad22ec9e27af53dfa5bf44 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Wed, 24 Sep 2014 23:36:19 +0200
> > > -Subject: [PATCH 2/4] s3-net: add manpage documentation for "net ads enctypes".
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - docs-xml/manpages/net.8.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++
> > > - 1 file changed, 53 insertions(+)
> > > -
> > > -diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
> > > -index f39b420..9e982e3 100644
> > > ---- a/docs-xml/manpages/net.8.xml
> > > -+++ b/docs-xml/manpages/net.8.xml
> > > -@@ -1339,6 +1339,59 @@ to show in the result.
> > > - </refsect2>
> > > -
> > > - <refsect2>
> > > -+ <title>ADS ENCTYPES</title>
> > > -+
> > > -+<para>
> > > -+ List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
> > > -+</para>
> > > -+
> > > -+<para>
> > > -+ This attribute allows to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
> > > -+</para>
> > > -+
> > > -+<para>0x00000001 DES-CBC-CRC</para>
> > > -+<para>0x00000002 DES-CBC-MD5</para>
> > > -+<para>0x00000004 RC4-HMAC</para>
> > > -+<para>0x00000008 AES128-CTS-HMAC-SHA1-96</para>
> > > -+<para>0x00000010 AES256-CTS-HMAC-SHA1-96</para>
> > > -+
> > > -+</refsect2>
> > > -+
> > > -+<refsect2>
> > > -+ <title>ADS ENCTYPES LIST <replaceable><ACCOUNTNAME></replaceable></title>
> > > -+
> > > -+<para>
> > > -+ List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
> > > -+</para>
> > > -+
> > > -+<para>Example: <userinput>net ads enctypes list Computername</userinput></para>
> > > -+
> > > -+</refsect2>
> > > -+
> > > -+<refsect2>
> > > -+ <title>ADS ENCTYPES SET <replaceable><ACCOUNTNAME></replaceable> <replaceable>[enctypes]</replaceable></title>
> > > -+
> > > -+<para>
> > > -+ Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is ommitted, the value is set to 31 which enables all the currently supported encryption types.
> > > -+</para>
> > > -+
> > > -+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
> > > -+
> > > -+</refsect2>
> > > -+
> > > -+<refsect2>
> > > -+ <title>ADS ENCTYPES DELETE <replaceable><ACCOUNTNAME></replaceable></title>
> > > -+
> > > -+<para>
> > > -+ Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
> > > -+</para>
> > > -+
> > > -+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
> > > -+
> > > -+</refsect2>
> > > -+
> > > -+
> > > -+<refsect2>
> > > - <title>SAM CREATEBUILTINGROUP <NAME></title>
> > > -
> > > - <para>
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 0f42d123afde57ee74d89bdc742185cef718cf0f Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 23 Nov 2012 12:34:27 +0100
> > > -Subject: [PATCH 3/4] s3-libnet: set list of allowed krb5 encryption types in
> > > - AD >= 2008.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -Reviewed-by: Stefan Metzmacher <metze@samba.org>
> > > ----
> > > - source3/libnet/libnet_join.c | 65 ++++++++++++++++++++++++++++++++++++++++++++
> > > - 1 file changed, 65 insertions(+)
> > > -
> > > -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> > > -index 381a59c..e70e11a 100644
> > > ---- a/source3/libnet/libnet_join.c
> > > -+++ b/source3/libnet/libnet_join.c
> > > -@@ -605,6 +605,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
> > > - /****************************************************************
> > > - ****************************************************************/
> > > -
> > > -+static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
> > > -+ struct libnet_JoinCtx *r)
> > > -+{
> > > -+ ADS_STATUS status;
> > > -+ ADS_MODLIST mods;
> > > -+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
> > > -+ const char *etype_list_str;
> > > -+
> > > -+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
> > > -+ etype_list |= ENC_HMAC_SHA1_96_AES128;
> > > -+#endif
> > > -+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
> > > -+ etype_list |= ENC_HMAC_SHA1_96_AES256;
> > > -+#endif
> > > -+
> > > -+ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
> > > -+ if (!etype_list_str) {
> > > -+ return ADS_ERROR(LDAP_NO_MEMORY);
> > > -+ }
> > > -+
> > > -+ /* Find our DN */
> > > -+
> > > -+ status = libnet_join_find_machine_acct(mem_ctx, r);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ /* now do the mods */
> > > -+
> > > -+ mods = ads_init_mods(mem_ctx);
> > > -+ if (!mods) {
> > > -+ return ADS_ERROR(LDAP_NO_MEMORY);
> > > -+ }
> > > -+
> > > -+ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
> > > -+ etype_list_str);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ return ads_gen_mod(r->in.ads, r->out.dn, mods);
> > > -+}
> > > -+
> > > -+/****************************************************************
> > > -+****************************************************************/
> > > -+
> > > - static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
> > > - struct libnet_JoinCtx *r)
> > > - {
> > > -@@ -679,6 +725,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
> > > - struct libnet_JoinCtx *r)
> > > - {
> > > - ADS_STATUS status;
> > > -+ uint32_t func_level = 0;
> > > -
> > > - if (!r->in.ads) {
> > > - status = libnet_join_connect_ads(mem_ctx, r);
> > > -@@ -713,6 +760,24 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
> > > - return status;
> > > - }
> > > -
> > > -+ status = ads_domain_func_level(r->in.ads, &func_level);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ libnet_join_set_error_string(mem_ctx, r,
> > > -+ "failed to query domain controller functional level: %s",
> > > -+ ads_errstr(status));
> > > -+ return status;
> > > -+ }
> > > -+
> > > -+ if (func_level >= DS_DOMAIN_FUNCTION_2008) {
> > > -+ status = libnet_join_set_etypes(mem_ctx, r);
> > > -+ if (!ADS_ERR_OK(status)) {
> > > -+ libnet_join_set_error_string(mem_ctx, r,
> > > -+ "failed to set machine kerberos encryption types: %s",
> > > -+ ads_errstr(status));
> > > -+ return status;
> > > -+ }
> > > -+ }
> > > -+
> > > - if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
> > > - return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From adb206481ac56c8f438e70f7b9e986aeba9586b1 Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Fri, 26 Sep 2014 21:06:38 +0200
> > > -Subject: [PATCH 4/4] s4-auth/kerberos: fix salting principal, make sure
> > > - hostname is lowercase.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Found at MS interop event while working on AES kerberos key support.
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > -Reviewed-by: Andrew Bartlett <abartlet@samba.org>
> > > ----
> > > - source4/auth/kerberos/srv_keytab.c | 2 +-
> > > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > > -
> > > -diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c
> > > -index d81e27d..3baba14 100644
> > > ---- a/source4/auth/kerberos/srv_keytab.c
> > > -+++ b/source4/auth/kerberos/srv_keytab.c
> > > -@@ -143,7 +143,7 @@ static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx,
> > > - return ENOMEM;
> > > - }
> > > -
> > > -- machine_username = talloc_strdup(tmp_ctx, samAccountName);
> > > -+ machine_username = strlower_talloc(tmp_ctx, samAccountName);
> > > - if (!machine_username) {
> > > - *error_string = "Cannot duplicate samAccountName";
> > > - talloc_free(tmp_ctx);
> > > ---
> > > -1.9.3
> > > -
> > > -From d423e8b759af2e0a7cdce39d3f7a6c8d9c1764b4 Mon Sep 17 00:00:00 2001
> > > -From: Jeremy Allison <jra@samba.org>
> > > -Date: Mon, 16 Jun 2014 22:49:29 -0700
> > > -Subject: [PATCH 1/5] s3: auth: Add some const to the struct netr_SamInfo3 *
> > > - arguments of copy_netr_SamInfo3() and make_server_info_info3()
> > > -
> > > -Both functions only read from the struct netr_SamInfo3 * argument.
> > > -
> > > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > > -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> > > -Reviewed-by: Simo Sorce <idra@samba.org>
> > > -
> > > -Conflicts:
> > > - source3/auth/proto.h
> > > - source3/auth/server_info.c
> > > ----
> > > - source3/auth/auth_util.c | 2 +-
> > > - source3/auth/proto.h | 4 ++--
> > > - source3/auth/server_info.c | 2 +-
> > > - 3 files changed, 4 insertions(+), 4 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> > > -index ceaa706..afa78ec 100644
> > > ---- a/source3/auth/auth_util.c
> > > -+++ b/source3/auth/auth_util.c
> > > -@@ -1369,7 +1369,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
> > > - const char *sent_nt_username,
> > > - const char *domain,
> > > - struct auth_serversupplied_info **server_info,
> > > -- struct netr_SamInfo3 *info3)
> > > -+ const struct netr_SamInfo3 *info3)
> > > - {
> > > - static const char zeros[16] = {0, };
> > > -
> > > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > > -index 76661fc..6ec206e 100644
> > > ---- a/source3/auth/proto.h
> > > -+++ b/source3/auth/proto.h
> > > -@@ -232,7 +232,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
> > > - const char *sent_nt_username,
> > > - const char *domain,
> > > - struct auth_serversupplied_info **server_info,
> > > -- struct netr_SamInfo3 *info3);
> > > -+ const struct netr_SamInfo3 *info3);
> > > - struct wbcAuthUserInfo;
> > > - NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
> > > - const char *sent_nt_username,
> > > -@@ -287,7 +287,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > > - const struct passwd *pwd,
> > > - struct netr_SamInfo3 **pinfo3);
> > > - struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> > > -- struct netr_SamInfo3 *orig);
> > > -+ const struct netr_SamInfo3 *orig);
> > > - struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> > > - const struct wbcAuthUserInfo *info);
> > > -
> > > -diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
> > > -index d2b7d6e..066b9a8 100644
> > > ---- a/source3/auth/server_info.c
> > > -+++ b/source3/auth/server_info.c
> > > -@@ -445,7 +445,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > > - } } while(0)
> > > -
> > > - struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> > > -- struct netr_SamInfo3 *orig)
> > > -+ const struct netr_SamInfo3 *orig)
> > > - {
> > > - struct netr_SamInfo3 *info3;
> > > - unsigned int i;
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From cab0cda9df0bb0eda2d7957c0bb8dbcb51ba7ef7 Mon Sep 17 00:00:00 2001
> > > -From: Jeremy Allison <jra@samba.org>
> > > -Date: Mon, 16 Jun 2014 22:54:45 -0700
> > > -Subject: [PATCH 2/5] s3: auth: Change make_server_info_info3() to take a const
> > > - struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
> > > -
> > > -make_server_info_info3() only reads from the info3 pointer.
> > > -
> > > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > > -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> > > -Reviewed-by: Simo Sorce <idra@samba.org>
> > > ----
> > > - source3/auth/auth_generic.c | 2 +-
> > > - source3/auth/proto.h | 2 +-
> > > - source3/auth/user_krb5.c | 8 ++++----
> > > - 3 files changed, 6 insertions(+), 6 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> > > -index a2ba4e3..2880bc9 100644
> > > ---- a/source3/auth/auth_generic.c
> > > -+++ b/source3/auth/auth_generic.c
> > > -@@ -112,7 +112,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> > > -
> > > - status = make_session_info_krb5(mem_ctx,
> > > - ntuser, ntdomain, username, pw,
> > > -- logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
> > > -+ &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
> > > - session_info);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
> > > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > > -index 6ec206e..75d1097 100644
> > > ---- a/source3/auth/proto.h
> > > -+++ b/source3/auth/proto.h
> > > -@@ -357,7 +357,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > > - char *ntdomain,
> > > - char *username,
> > > - struct passwd *pw,
> > > -- struct PAC_LOGON_INFO *logon_info,
> > > -+ const struct netr_SamInfo3 *info3,
> > > - bool mapped_to_guest, bool username_was_mapped,
> > > - DATA_BLOB *session_key,
> > > - struct auth_session_info **session_info);
> > > -diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
> > > -index 974a8aa..0a538b4 100644
> > > ---- a/source3/auth/user_krb5.c
> > > -+++ b/source3/auth/user_krb5.c
> > > -@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > > - char *ntdomain,
> > > - char *username,
> > > - struct passwd *pw,
> > > -- struct PAC_LOGON_INFO *logon_info,
> > > -+ const struct netr_SamInfo3 *info3,
> > > - bool mapped_to_guest, bool username_was_mapped,
> > > - DATA_BLOB *session_key,
> > > - struct auth_session_info **session_info)
> > > -@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > > - return status;
> > > - }
> > > -
> > > -- } else if (logon_info) {
> > > -+ } else if (info3) {
> > > - /* pass the unmapped username here since map_username()
> > > - will be called again in make_server_info_info3() */
> > > -
> > > - status = make_server_info_info3(mem_ctx,
> > > - ntuser, ntdomain,
> > > - &server_info,
> > > -- &logon_info->info3);
> > > -+ info3);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(1, ("make_server_info_info3 failed: %s!\n",
> > > - nt_errstr(status)));
> > > -@@ -299,7 +299,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> > > - char *ntdomain,
> > > - char *username,
> > > - struct passwd *pw,
> > > -- struct PAC_LOGON_INFO *logon_info,
> > > -+ const struct netr_SamInfo3 *info3,
> > > - bool mapped_to_guest, bool username_was_mapped,
> > > - DATA_BLOB *session_key,
> > > - struct auth_session_info **session_info)
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 102335441aaa7967367abcc5690fe7229807546a Mon Sep 17 00:00:00 2001
> > > -From: Jeremy Allison <jra@samba.org>
> > > -Date: Mon, 16 Jun 2014 23:11:58 -0700
> > > -Subject: [PATCH 3/5] s3: auth: Add create_info3_from_pac_logon_info() to
> > > - create a new info3 and merge resource group SIDs into it.
> > > -
> > > -Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.
> > > -
> > > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > > -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> > > -Reviewed-by: Simo Sorce <idra@samba.org>
> > > ----
> > > - source3/auth/proto.h | 3 ++
> > > - source3/auth/server_info.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++
> > > - 2 files changed, 80 insertions(+)
> > > -
> > > -diff --git a/source3/auth/proto.h b/source3/auth/proto.h
> > > -index 75d1097..cc51698 100644
> > > ---- a/source3/auth/proto.h
> > > -+++ b/source3/auth/proto.h
> > > -@@ -281,6 +281,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
> > > - struct netr_SamInfo3 *sam3);
> > > - NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
> > > - struct netr_SamInfo6 *sam6);
> > > -+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
> > > -+ const struct PAC_LOGON_INFO *logon_info,
> > > -+ struct netr_SamInfo3 **pp_info3);
> > > - NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> > > - struct samu *samu,
> > > - const char *login_server,
> > > -diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
> > > -index 066b9a8..dc84794 100644
> > > ---- a/source3/auth/server_info.c
> > > -+++ b/source3/auth/server_info.c
> > > -@@ -252,6 +252,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
> > > - return NT_STATUS_OK;
> > > - }
> > > -
> > > -+/*
> > > -+ * Merge resource SIDs, if any, into the passed in info3 structure.
> > > -+ */
> > > -+
> > > -+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
> > > -+ struct netr_SamInfo3 *info3)
> > > -+{
> > > -+ uint32_t i = 0;
> > > -+
> > > -+ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
> > > -+ return NT_STATUS_OK;
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * If there are any resource groups (SID Compression) add
> > > -+ * them to the extra sids portion of the info3 in the PAC.
> > > -+ *
> > > -+ * This makes the info3 look like it would if we got the info
> > > -+ * from the DC rather than the PAC.
> > > -+ */
> > > -+
> > > -+ /*
> > > -+ * Construct a SID for each RID in the list and then append it
> > > -+ * to the info3.
> > > -+ */
> > > -+ for (i = 0; i < logon_info->res_groups.count; i++) {
> > > -+ NTSTATUS status;
> > > -+ struct dom_sid new_sid;
> > > -+ uint32_t attributes = logon_info->res_groups.rids[i].attributes;
> > > -+
> > > -+ sid_compose(&new_sid,
> > > -+ logon_info->res_group_dom_sid,
> > > -+ logon_info->res_groups.rids[i].rid);
> > > -+
> > > -+ DEBUG(10, ("Adding SID %s to extra SIDS\n",
> > > -+ sid_string_dbg(&new_sid)));
> > > -+
> > > -+ status = append_netr_SidAttr(info3, &info3->sids,
> > > -+ &info3->sidcount,
> > > -+ &new_sid,
> > > -+ attributes);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
> > > -+ sid_string_dbg(&new_sid),
> > > -+ nt_errstr(status)));
> > > -+ return status;
> > > -+ }
> > > -+ }
> > > -+
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > -+/*
> > > -+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
> > > -+ * then merge resource SIDs, if any, into it. If successful return
> > > -+ * the created info3 struct.
> > > -+ */
> > > -+
> > > -+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
> > > -+ const struct PAC_LOGON_INFO *logon_info,
> > > -+ struct netr_SamInfo3 **pp_info3)
> > > -+{
> > > -+ NTSTATUS status;
> > > -+ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
> > > -+ &logon_info->info3);
> > > -+ if (info3 == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ status = merge_resource_sids(logon_info, info3);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ TALLOC_FREE(info3);
> > > -+ return status;
> > > -+ }
> > > -+ *pp_info3 = info3;
> > > -+ return NT_STATUS_OK;
> > > -+}
> > > -+
> > > - #define RET_NOMEM(ptr) do { \
> > > - if (!ptr) { \
> > > - TALLOC_FREE(info3); \
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From fda9cefd3d4a0808af67595631dd755d5b73aacf Mon Sep 17 00:00:00 2001
> > > -From: Jeremy Allison <jra@samba.org>
> > > -Date: Mon, 16 Jun 2014 23:15:21 -0700
> > > -Subject: [PATCH 4/5] s3: auth: Change auth3_generate_session_info_pac() to use
> > > - a copy of the info3 struct from the struct PAC_LOGON_INFO.
> > > -
> > > -Call create_info3_from_pac_logon_info() to add in any resource SIDs
> > > -from the struct PAC_LOGON_INFO to the info3.
> > > -
> > > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > > -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> > > -Reviewed-by: Simo Sorce <idra@samba.org>
> > > ----
> > > - source3/auth/auth_generic.c | 11 +++++++++--
> > > - 1 file changed, 9 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> > > -index 2880bc9..f841f0c 100644
> > > ---- a/source3/auth/auth_generic.c
> > > -+++ b/source3/auth/auth_generic.c
> > > -@@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> > > - {
> > > - TALLOC_CTX *tmp_ctx;
> > > - struct PAC_LOGON_INFO *logon_info = NULL;
> > > -+ struct netr_SamInfo3 *info3_copy = NULL;
> > > - bool is_mapped;
> > > - bool is_guest;
> > > - char *ntuser;
> > > -@@ -101,7 +102,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> > > -
> > > - /* save the PAC data if we have it */
> > > - if (logon_info) {
> > > -- netsamlogon_cache_store(ntuser, &logon_info->info3);
> > > -+ status = create_info3_from_pac_logon_info(tmp_ctx,
> > > -+ logon_info,
> > > -+ &info3_copy);
> > > -+ if (!NT_STATUS_IS_OK(status)) {
> > > -+ goto done;
> > > -+ }
> > > -+ netsamlogon_cache_store(ntuser, info3_copy);
> > > - }
> > > -
> > > - /* setup the string used by %U */
> > > -@@ -112,7 +119,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
> > > -
> > > - status = make_session_info_krb5(mem_ctx,
> > > - ntuser, ntdomain, username, pw,
> > > -- &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
> > > -+ info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
> > > - session_info);
> > > - if (!NT_STATUS_IS_OK(status)) {
> > > - DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
> > > ---
> > > -1.9.3
> > > -
> > > -
> > > -From 9ed711f88685fc2d4860c9d6b7fa651bd2a52558 Mon Sep 17 00:00:00 2001
> > > -From: Jeremy Allison <jra@samba.org>
> > > -Date: Mon, 16 Jun 2014 23:27:35 -0700
> > > -Subject: [PATCH 5/5] s3: auth: Fix winbindd_pam_auth_pac_send() to create a
> > > - new info3 and merge in resource groups from a trusted PAC.
> > > -
> > > -Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>.
> > > -
> > > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > > -Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
> > > -Reviewed-by: Simo Sorce <idra@samba.org>
> > > -
> > > -Autobuild-User(master): Jeremy Allison <jra@samba.org>
> > > -Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
> > > ----
> > > - source3/winbindd/winbindd_pam.c | 24 ++++++++++++++++++++++--
> > > - 1 file changed, 22 insertions(+), 2 deletions(-)
> > > -
> > > -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> > > -index c356686..0f1ca28 100644
> > > ---- a/source3/winbindd/winbindd_pam.c
> > > -+++ b/source3/winbindd/winbindd_pam.c
> > > -@@ -2421,6 +2421,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
> > > - struct winbindd_request *req = state->request;
> > > - DATA_BLOB pac_blob;
> > > - struct PAC_LOGON_INFO *logon_info = NULL;
> > > -+ struct netr_SamInfo3 *info3_copy = NULL;
> > > - NTSTATUS result;
> > > -
> > > - pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
> > > -@@ -2434,7 +2435,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
> > > -
> > > - if (logon_info) {
> > > - /* Signature verification succeeded, trust the PAC */
> > > -- netsamlogon_cache_store(NULL, &logon_info->info3);
> > > -+ result = create_info3_from_pac_logon_info(state->mem_ctx,
> > > -+ logon_info,
> > > -+ &info3_copy);
> > > -+ if (!NT_STATUS_IS_OK(result)) {
> > > -+ return result;
> > > -+ }
> > > -+ netsamlogon_cache_store(NULL, info3_copy);
> > > -
> > > - } else {
> > > - /* Try without signature verification */
> > > -@@ -2446,9 +2453,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
> > > - nt_errstr(result)));
> > > - return result;
> > > - }
> > > -+ if (logon_info) {
> > > -+ /*
> > > -+ * Don't strictly need to copy here,
> > > -+ * but it makes it explicit we're
> > > -+ * returning a copy talloc'ed off
> > > -+ * the state->mem_ctx.
> > > -+ */
> > > -+ info3_copy = copy_netr_SamInfo3(state->mem_ctx,
> > > -+ &logon_info->info3);
> > > -+ if (info3_copy == NULL) {
> > > -+ return NT_STATUS_NO_MEMORY;
> > > -+ }
> > > -+ }
> > > - }
> > > -
> > > -- *info3 = &logon_info->info3;
> > > -+ *info3 = info3_copy;
> > > -
> > > - return NT_STATUS_OK;
> > > - }
> > > ---
> > > -1.9.3
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
> > > deleted file mode 100644
> > > index 071069b..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
> > > +++ /dev/null
> > > @@ -1,51 +0,0 @@
> > > -From 3bf805a38a1b901a55b08118ec04097d9787497c Mon Sep 17 00:00:00 2001
> > > -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
> > > -Date: Mon, 29 Sep 2014 17:16:15 +0200
> > > -Subject: [PATCH] s3-net: Force libkrb5 locator to use the same KDC for join
> > > - and DNS update.
> > > -MIME-Version: 1.0
> > > -Content-Type: text/plain; charset=UTF-8
> > > -Content-Transfer-Encoding: 8bit
> > > -
> > > -Guenther
> > > -
> > > -Signed-off-by: Günther Deschner <gd@samba.org>
> > > ----
> > > - source3/utils/net_ads.c | 21 +++++++++++++++++++++
> > > - 1 file changed, 21 insertions(+)
> > > -
> > > -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > > -index e96377f..efbc3d2 100644
> > > ---- a/source3/utils/net_ads.c
> > > -+++ b/source3/utils/net_ads.c
> > > -@@ -1566,6 +1566,27 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
> > > - * If the dns update fails, we still consider the join
> > > - * operation as succeeded if we came this far.
> > > - */
> > > -+
> > > -+ if (r->out.dns_domain_name != NULL) {
> > > -+
> > > -+ /* Avoid potential libkrb5 issues finding a good KDC when we
> > > -+ * already found one during the join. When the locator plugin is
> > > -+ * installed (but winbind is not yet running) make sure we can
> > > -+ * force libkrb5 to reuse that KDC. - gd */
> > > -+
> > > -+ char *env;
> > > -+
> > > -+ env = talloc_asprintf_strupper_m(r,
> > > -+ "WINBINDD_LOCATOR_KDC_ADDRESS_%s",
> > > -+ r->out.dns_domain_name);
> > > -+ if (env == NULL) {
> > > -+ return -1;
> > > -+ }
> > > -+
> > > -+ setenv(env, r->in.ads->auth.kdc_server, 0);
> > > -+ setenv("_NO_WINBINDD", "1", 0);
> > > -+ }
> > > -+
> > > - _net_ads_join_dns_updates(c, ctx, r);
> > > -
> > > - TALLOC_FREE(r);
> > > ---
> > > -1.9.3
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
> > > deleted file mode 100644
> > > index 9721afa..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
> > > +++ /dev/null
> > > @@ -1,154 +0,0 @@
> > > -From 170166b8a0076089c6a8505f53a22f5b72c15786 Mon Sep 17 00:00:00 2001
> > > -From: Jeremy Allison <jra@samba.org>
> > > -Date: Tue, 28 Oct 2014 11:55:30 -0700
> > > -Subject: [PATCH] s3-nmbd: Fix netbios name truncation.
> > > -
> > > -Try and cope with truncation more intelligently.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10896
> > > -
> > > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -(cherry picked from commit 6adcc7bffd5e1474ecba04d2328955c0b208cabc)
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/nmbd/nmbd_nameregister.c | 76 +++++++++++++++++++++++++++++++++++-----
> > > - 1 file changed, 68 insertions(+), 8 deletions(-)
> > > -
> > > -diff --git a/source3/nmbd/nmbd_nameregister.c b/source3/nmbd/nmbd_nameregister.c
> > > -index 71c4751..8b078e6 100644
> > > ---- a/source3/nmbd/nmbd_nameregister.c
> > > -+++ b/source3/nmbd/nmbd_nameregister.c
> > > -@@ -482,17 +482,77 @@ void register_name(struct subnet_record *subrec,
> > > - {
> > > - struct nmb_name nmbname;
> > > - nstring nname;
> > > -+ size_t converted_size;
> > > -
> > > - errno = 0;
> > > -- push_ascii_nstring(nname, name);
> > > -- if (errno == E2BIG) {
> > > -- unstring tname;
> > > -- pull_ascii_nstring(tname, sizeof(tname), nname);
> > > -- DEBUG(0,("register_name: NetBIOS name %s is too long. Truncating to %s\n",
> > > -- name, tname));
> > > -- make_nmb_name(&nmbname, tname, type);
> > > -- } else {
> > > -+ converted_size = push_ascii_nstring(nname, name);
> > > -+ if (converted_size != (size_t)-1) {
> > > -+ /* Success. */
> > > - make_nmb_name(&nmbname, name, type);
> > > -+ } else if (errno == E2BIG) {
> > > -+ /*
> > > -+ * Name converted to CH_DOS is too large.
> > > -+ * try to truncate.
> > > -+ */
> > > -+ char *converted_str_dos = NULL;
> > > -+ char *converted_str_unix = NULL;
> > > -+ bool ok;
> > > -+
> > > -+ converted_size = 0;
> > > -+
> > > -+ ok = convert_string_talloc(talloc_tos(),
> > > -+ CH_UNIX,
> > > -+ CH_DOS,
> > > -+ name,
> > > -+ strlen(name)+1,
> > > -+ &converted_str_dos,
> > > -+ &converted_size);
> > > -+ if (!ok) {
> > > -+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
> > > -+ "converted. Failing to register name.\n",
> > > -+ name));
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ /*
> > > -+ * As it's now CH_DOS codepage
> > > -+ * we truncate by writing '\0' at
> > > -+ * MAX_NETBIOSNAME_LEN-1 and then
> > > -+ * convert back to CH_UNIX which we
> > > -+ * need for the make_nmb_name() call.
> > > -+ */
> > > -+ if (converted_size >= MAX_NETBIOSNAME_LEN) {
> > > -+ converted_str_dos[MAX_NETBIOSNAME_LEN-1] = '\0';
> > > -+ }
> > > -+
> > > -+ ok = convert_string_talloc(talloc_tos(),
> > > -+ CH_DOS,
> > > -+ CH_UNIX,
> > > -+ converted_str_dos,
> > > -+ strlen(converted_str_dos)+1,
> > > -+ &converted_str_unix,
> > > -+ &converted_size);
> > > -+ if (!ok) {
> > > -+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
> > > -+ "converted back to CH_UNIX. "
> > > -+ "Failing to register name.\n",
> > > -+ converted_str_dos));
> > > -+ TALLOC_FREE(converted_str_dos);
> > > -+ return;
> > > -+ }
> > > -+
> > > -+ make_nmb_name(&nmbname, converted_str_unix, type);
> > > -+
> > > -+ TALLOC_FREE(converted_str_dos);
> > > -+ TALLOC_FREE(converted_str_unix);
> > > -+ } else {
> > > -+ /*
> > > -+ * Generic conversion error. Fail to register.
> > > -+ */
> > > -+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
> > > -+ "converted (%s). Failing to register name.\n",
> > > -+ name, strerror(errno)));
> > > -+ return;
> > > - }
> > > -
> > > - /* Always set the NB_ACTIVE flag on the name we are
> > > ---
> > > -2.1.2
> > > -
> > > -From 653a1c312e6b85f1d8113beec52a27e0ba71ef79 Mon Sep 17 00:00:00 2001
> > > -From: Jeremy Allison <jra@samba.org>
> > > -Date: Fri, 31 Oct 2014 11:01:26 -0700
> > > -Subject: [PATCH] s3: nmbd: Ensure NetBIOS names are only 15 characters stored.
> > > -
> > > -This screws up if the name is greater than MAX_NETBIOSNAME_LEN-1 in the
> > > -unix charset, but less than or equal to MAX_NETBIOSNAME_LEN-1 in the DOS
> > > -charset, but this is so old we have to live with that.
> > > -
> > > -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10920
> > > -
> > > -Signed-off-by: Jeremy Allison <jra@samba.org>
> > > -Reviewed-by: Andreas Schneider <asn@samba.org>
> > > -
> > > -(cherry picked from commit 7467f6e72cba214eeca75c34e9d9fba354c7ef31)
> > > -Signed-off-by: Andreas Schneider <asn@samba.org>
> > > ----
> > > - source3/lib/util_names.c | 10 +++++++++-
> > > - 1 file changed, 9 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c
> > > -index cf54a0e..1392b48 100644
> > > ---- a/source3/lib/util_names.c
> > > -+++ b/source3/lib/util_names.c
> > > -@@ -60,7 +60,15 @@ static bool set_my_netbios_names(const char *name, int i)
> > > - {
> > > - SAFE_FREE(smb_my_netbios_names[i]);
> > > -
> > > -- smb_my_netbios_names[i] = SMB_STRDUP(name);
> > > -+ /*
> > > -+ * Don't include space for terminating '\0' in strndup,
> > > -+ * it is automatically added. This screws up if the name
> > > -+ * is greater than MAX_NETBIOSNAME_LEN-1 in the unix
> > > -+ * charset, but less than or equal to MAX_NETBIOSNAME_LEN-1
> > > -+ * in the DOS charset, but this is so old we have to live
> > > -+ * with that.
> > > -+ */
> > > -+ smb_my_netbios_names[i] = SMB_STRNDUP(name, MAX_NETBIOSNAME_LEN-1);
> > > - if (!smb_my_netbios_names[i])
> > > - return False;
> > > - return strupper_m(smb_my_netbios_names[i]);
> > > ---
> > > -2.1.2
> > > -
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
> > > deleted file mode 100644
> > > index 447e243..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
> > > +++ /dev/null
> > > @@ -1,52 +0,0 @@
> > > -Don't check xsltproc manpages
> > > -
> > > -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> > > -
> > > -diff -Nurp samba-4.1.12.orig/lib/ldb/wscript samba-4.1.12/lib/ldb/wscript
> > > ---- samba-4.1.12.orig/lib/ldb/wscript 2014-07-28 16:13:45.000000000 +0900
> > > -+++ samba-4.1.12/lib/ldb/wscript 2015-04-23 17:08:45.277000225 +0900
> > > -@@ -56,7 +56,7 @@ def configure(conf):
> > > - conf.define('USING_SYSTEM_PYLDB_UTIL', 1)
> > > -
> > > - if conf.env.standalone_ldb:
> > > -- conf.CHECK_XSLTPROC_MANPAGES()
> > > -+ #conf.CHECK_XSLTPROC_MANPAGES()
> > > -
> > > - # we need this for the ldap backend
> > > - if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
> > > -diff -Nurp samba-4.1.12.orig/lib/ntdb/wscript samba-4.1.12/lib/ntdb/wscript
> > > ---- samba-4.1.12.orig/lib/ntdb/wscript 2013-12-05 18:16:48.000000000 +0900
> > > -+++ samba-4.1.12/lib/ntdb/wscript 2015-04-23 17:09:17.680000274 +0900
> > > -@@ -121,7 +121,7 @@ def configure(conf):
> > > - Logs.warn('Disabling pyntdb as python devel libs not found')
> > > - conf.env.disable_python = True
> > > -
> > > -- conf.CHECK_XSLTPROC_MANPAGES()
> > > -+ #conf.CHECK_XSLTPROC_MANPAGES()
> > > -
> > > - # This make #include <ccan/...> work.
> > > - conf.ADD_EXTRA_INCLUDES('''#lib''')
> > > -diff -Nurp samba-4.1.12.orig/lib/talloc/wscript samba-4.1.12/lib/talloc/wscript
> > > ---- samba-4.1.12.orig/lib/talloc/wscript 2013-12-05 18:16:48.000000000 +0900
> > > -+++ samba-4.1.12/lib/talloc/wscript 2015-04-23 17:08:21.781000339 +0900
> > > -@@ -55,7 +55,7 @@ def configure(conf):
> > > - if conf.env.standalone_talloc:
> > > - conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1
> > > -
> > > -- conf.CHECK_XSLTPROC_MANPAGES()
> > > -+ #conf.CHECK_XSLTPROC_MANPAGES()
> > > -
> > > - if not conf.env.disable_python:
> > > - # also disable if we don't have the python libs installed
> > > -diff -Nurp samba-4.1.12.orig/lib/tdb/wscript samba-4.1.12/lib/tdb/wscript
> > > ---- samba-4.1.12.orig/lib/tdb/wscript 2013-12-05 18:16:48.000000000 +0900
> > > -+++ samba-4.1.12/lib/tdb/wscript 2015-04-23 17:09:02.538000343 +0900
> > > -@@ -43,7 +43,7 @@ def configure(conf):
> > > -
> > > - conf.env.disable_python = getattr(Options.options, 'disable_python', False)
> > > -
> > > -- conf.CHECK_XSLTPROC_MANPAGES()
> > > -+ #conf.CHECK_XSLTPROC_MANPAGES()
> > > -
> > > - if not conf.env.disable_python:
> > > - # also disable if we don't have the python libs installed
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
> > > deleted file mode 100644
> > > index 1a31e0d..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
> > > +++ /dev/null
> > > @@ -1,22 +0,0 @@
> > > -samba: execute prog on target directly is impossible.
> > > -
> > > -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> > > -
> > > -diff -Nurp samba-4.1.12.orig/lib/ccan/wscript samba-4.1.12/lib/ccan/wscript
> > > ---- samba-4.1.12.orig/lib/ccan/wscript 2013-06-13 18:21:02.000000000 +0900
> > > -+++ samba-4.1.12/lib/ccan/wscript 2015-04-27 14:26:25.123000238 +0900
> > > -@@ -127,10 +127,10 @@ def configure(conf):
> > > - # Only check for FILE_OFFSET_BITS=64 if off_t is normally small:
> > > - # use raw routines because wrappers include previous _GNU_SOURCE
> > > - # or _FILE_OFFSET_BITS defines.
> > > -- conf.check(fragment="""#include <sys/types.h>
> > > -- int main(void) { return !(sizeof(off_t) < 8); }""",
> > > -- execute=True, msg='Checking for small off_t',
> > > -- define_name='SMALL_OFF_T')
> > > -+ conf.CHECK_CODE("""#include <sys/types.h>
> > > -+ int main(void) { return !(sizeof(off_t) < 8); }""",
> > > -+ link=True, execute=True, addmain=False, msg='Checking for small off_t',
> > > -+ define='HAVE_SMALL_OFF_T')
> > > - # Unreliable return value above, hence use define.
> > > - if conf.CONFIG_SET('SMALL_OFF_T'):
> > > - conf.check(fragment="""#include <sys/types.h>
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
> > > deleted file mode 100644
> > > index 83c42eb..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
> > > +++ /dev/null
> > > @@ -1,22 +0,0 @@
> > > -waf trys to get package's configuration by native ncurses6-config.
> > > -it will make native header files and library be used.
> > > -
> > > -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> > > -
> > > ---- samba-4.1.12.orig/source3/wscript_configure_system_ncurses 2013-12-05 18:16:48.000000000 +0900
> > > -+++ samba-4.1.12/source3/wscript_configure_system_ncurses 2015-04-29 16:12:22.619000250 +0900
> > > -@@ -2,14 +2,6 @@ import Logs, Options, sys
> > > -
> > > - Logs.info("Looking for ncurses features")
> > > -
> > > --conf.find_program('ncurses5-config', var='NCURSES_CONFIG')
> > > --if not conf.env.NCURSES_CONFIG:
> > > -- conf.find_program('ncurses6-config', var='NCURSES_CONFIG')
> > > --
> > > --if conf.env.NCURSES_CONFIG:
> > > -- conf.check_cfg(path=conf.env.NCURSES_CONFIG, args="--cflags --libs",
> > > -- package="", uselib_store="NCURSES")
> > > --
> > > - conf.CHECK_HEADERS('ncurses.h menu.h panel.h form.h', lib='ncurses')
> > > -
> > > - conf.CHECK_FUNCS_IN('initscr', 'ncurses')
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
> > > deleted file mode 100644
> > > index 8c4e2ad..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
> > > +++ /dev/null
> > > @@ -1,42 +0,0 @@
> > > -systemd-daemon is contained by libsystemd, so we just need link libsystemd to
> > > -obtain the implementation of systemd-daemon's function.
> > > -
> > > -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> > > -
> > > -diff -Nurp samba-4.1.12.orig/lib/util/wscript_build samba-4.1.12/lib/util/wscript_build
> > > ---- samba-4.1.12.orig/lib/util/wscript_build 2014-09-08 18:26:14.000000000 +0900
> > > -+++ samba-4.1.12/lib/util/wscript_build 2015-04-29 16:16:58.303000207 +0900
> > > -@@ -10,7 +10,7 @@ bld.SAMBA_LIBRARY('samba-util',
> > > - server_id.c dprintf.c parmlist.c bitmap.c pidfile.c
> > > - tevent_debug.c util_process.c memcache.c''',
> > > - deps='DYNCONFIG',
> > > -- public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd-daemon',
> > > -+ public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd',
> > > - public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h dlinklist.h samba_util.h string_wrappers.h',
> > > - header_path= [ ('dlinklist.h samba_util.h', '.'), ('*', 'util') ],
> > > - local_include=False,
> > > -diff -Nurp samba-4.1.12.orig/wscript samba-4.1.12/wscript
> > > ---- samba-4.1.12.orig/wscript 2014-07-28 16:13:45.000000000 +0900
> > > -+++ samba-4.1.12/wscript 2015-04-29 16:17:52.338000264 +0900
> > > -@@ -183,16 +183,16 @@ def configure(conf):
> > > - conf.env['ENABLE_PIE'] = True
> > > -
> > > - if Options.options.enable_systemd != False:
> > > -- conf.check_cfg(package='libsystemd-daemon', args='--cflags --libs',
> > > -- msg='Checking for libsystemd-daemon', uselib_store="SYSTEMD-DAEMON")
> > > -- conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd-daemon')
> > > -- conf.CHECK_LIB('systemd-daemon', shlib=True)
> > > -+ conf.check_cfg(package='libsystemd', args='--cflags --libs',
> > > -+ msg='Checking for libsystemd', uselib_store="SYSTEMD-DAEMON")
> > > -+ conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd')
> > > -+ conf.CHECK_LIB('systemd', shlib=True)
> > > -
> > > - if conf.CONFIG_SET('HAVE_SYSTEMD_SD_DAEMON_H'):
> > > - conf.DEFINE('HAVE_SYSTEMD', '1')
> > > - conf.env['ENABLE_SYSTEMD'] = True
> > > - else:
> > > -- conf.SET_TARGET_TYPE('systemd-daemon', 'EMPTY')
> > > -+ conf.SET_TARGET_TYPE('systemd', 'EMPTY')
> > > - conf.undefine('HAVE_SYSTEMD')
> > > -
> > > - conf.SAMBA_CONFIG_H('include/config.h')
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
> > > deleted file mode 100644
> > > index 4254e11..0000000
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
> > > +++ /dev/null
> > > @@ -1,10 +0,0 @@
> > > ---- ./source4/auth/wscript_configure.orig 2015-11-19 19:53:11.022212181 +0100
> > > -+++ ./source4/auth/wscript_configure 2015-11-19 19:53:17.466212205 +0100
> > > -@@ -2,7 +2,3 @@
> > > -
> > > - conf.CHECK_HEADERS('security/pam_appl.h')
> > > - conf.CHECK_FUNCS_IN('pam_start', 'pam', checklibc=True)
> > > --
> > > --if (conf.CHECK_HEADERS('sasl/sasl.h') and
> > > -- conf.CHECK_FUNCS_IN('sasl_client_init', 'sasl2')):
> > > -- conf.DEFINE('HAVE_SASL', 1)
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/00-fix-typos-in-man-pages.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/00-fix-typos-in-man-pages.patch
> > > similarity index 100%
> > > rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/00-fix-typos-in-man-pages.patch
> > > rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/00-fix-typos-in-man-pages.patch
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/0006-avoid-using-colon-in-the-checking-msg.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/0006-avoid-using-colon-in-the-checking-msg.patch
> > > similarity index 100%
> > > rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/0006-avoid-using-colon-in-the-checking-msg.patch
> > > rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/0006-avoid-using-colon-in-the-checking-msg.patch
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
> > > new file mode 100644
> > > index 0000000..c37cfcd
> > > --- /dev/null
> > > +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
> > > @@ -0,0 +1,43 @@
> > > +Don't check xsltproc manpages
> > > +
> > > +Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> > > +
> > > +Index: samba-4.4.2/lib/ldb/wscript
> > > +===================================================================
> > > +--- samba-4.4.2.orig/lib/ldb/wscript
> > > ++++ samba-4.4.2/lib/ldb/wscript
> > > +@@ -65,7 +65,7 @@ def configure(conf):
> > > + conf.define('USING_SYSTEM_LDB', 1)
> > > +
> > > + if conf.env.standalone_ldb:
> > > +- conf.CHECK_XSLTPROC_MANPAGES()
> > > ++ #conf.CHECK_XSLTPROC_MANPAGES()
> > > +
> > > + # we need this for the ldap backend
> > > + if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
> > > +Index: samba-4.4.2/lib/talloc/wscript
> > > +===================================================================
> > > +--- samba-4.4.2.orig/lib/talloc/wscript
> > > ++++ samba-4.4.2/lib/talloc/wscript
> > > +@@ -56,7 +56,7 @@ def configure(conf):
> > > + if conf.env.standalone_talloc:
> > > + conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1
> > > +
> > > +- conf.CHECK_XSLTPROC_MANPAGES()
> > > ++ #conf.CHECK_XSLTPROC_MANPAGES()
> > > +
> > > + if not conf.env.disable_python:
> > > + # also disable if we don't have the python libs installed
> > > +Index: samba-4.4.2/lib/tdb/wscript
> > > +===================================================================
> > > +--- samba-4.4.2.orig/lib/tdb/wscript
> > > ++++ samba-4.4.2/lib/tdb/wscript
> > > +@@ -92,7 +92,7 @@ def configure(conf):
> > > + not conf.env.disable_tdb_mutex_locking):
> > > + conf.define('USE_TDB_MUTEX_LOCKING', 1)
> > > +
> > > +- conf.CHECK_XSLTPROC_MANPAGES()
> > > ++ #conf.CHECK_XSLTPROC_MANPAGES()
> > > +
> > > + if not conf.env.disable_python:
> > > + # also disable if we don't have the python libs installed
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/20-do-not-import-target-module-while-cross-compile.patch
> > > old mode 100755
> > > new mode 100644
> > > similarity index 79%
> > > rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch
> > > rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/20-do-not-import-target-module-while-cross-compile.patch
> > > index 5c20d31..e112b3b
> > > --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch
> > > +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.2/20-do-not-import-target-module-while-cross-compile.patch
> > > @@ -3,18 +3,19 @@ we just check whether does the module exist.
> > >
> > > Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
> > >
> > > ---- samba-4.1.12.orig/buildtools/wafsamba/samba_bundled.py 2013-06-13 17:21:02.000000000 +0800
> > > -+++ samba-4.1.12/buildtools/wafsamba/samba_bundled.py 2015-07-16 16:57:06.649092158 +0800
> > > -@@ -1,7 +1,7 @@
> > > - # functions to support bundled libraries
> > > +Index: samba-4.4.2/buildtools/wafsamba/samba_bundled.py
> > > +===================================================================
> > > +--- samba-4.4.2.orig/buildtools/wafsamba/samba_bundled.py
> > > ++++ samba-4.4.2/buildtools/wafsamba/samba_bundled.py
> > > +@@ -2,6 +2,7 @@
> > >
> > > + import sys
> > > + import Build, Options, Logs
> > > ++import imp, os
> > > from Configure import conf
> > > --import sys, Logs
> > > -+import sys, Logs, imp
> > > - from samba_utils import *
> > > + from samba_utils import TO_LIST
> > >
> > > - def PRIVATE_NAME(bld, name, private_extension, private_library):
> > > -@@ -228,17 +228,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
> > > +@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
> > > # versions
> > > minversion = minimum_library_version(conf, libname, minversion)
> > >
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/21-add-config-option-without-valgrind.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.2/21-add-config-option-without-valgrind.patch
> > > similarity index 100%
> > > rename from meta-networking/recipes-connectivity/samba/samba-4.1.12/21-add-config-option-without-valgrind.patch
> > > rename to meta-networking/recipes-connectivity/samba/samba-4.4.2/21-add-config-option-without-valgrind.patch
> > > diff --git a/meta-networking/recipes-connectivity/samba/samba_4.1.12.bb b/meta-networking/recipes-connectivity/samba/samba_4.4.2.bb
> > > similarity index 82%
> > > rename from meta-networking/recipes-connectivity/samba/samba_4.1.12.bb
> > > rename to meta-networking/recipes-connectivity/samba/samba_4.4.2.bb
> > > index ff58dae..585df9d 100644
> > > --- a/meta-networking/recipes-connectivity/samba/samba_4.1.12.bb
> > > +++ b/meta-networking/recipes-connectivity/samba/samba_4.4.2.bb
> > > @@ -13,38 +13,14 @@ ${SAMBA_MIRROR} http://www.mirrorservice.org/sites/ftp.samba.org \n \
> > >
> > > SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
> > > file://00-fix-typos-in-man-pages.patch \
> > > - file://01-fix-force-user-sec-ads.patch \
> > > - file://02-fix-ipv6-join.patch \
> > > - file://03-net-ads-kerberos-pac.patch \
> > > - file://04-ipv6-workaround.patch \
> > > - file://05-fix-gecos-field-with-samlogon.patch \
> > > - file://06-fix-nmbd-systemd-status-update.patch \
> > > - file://07-fix-idmap-ad-getgroups-without-gid.patch \
> > > - file://08-fix-idmap-ad-sfu-with-trusted-domains.patch \
> > > - file://09-fix-smbclient-echo-cmd-segfault.patch \
> > > - file://10-improve-service-principal-guessing-in-net.patch \
> > > - file://11-fix-overwriting-of-spns-during-net-ads-join.patch \
> > > - file://12-add-precreated-spns-from-AD-during-keytab-generation.patch \
> > > - file://13-fix-aes-enctype.patch \
> > > - file://14-fix-dnsupdate.patch \
> > > - file://15-fix-netbios-name-truncation.patch \
> > > file://16-do-not-check-xsltproc-manpages.patch \
> > > - file://17-execute-prog-by-qemu.patch \
> > > - file://18-avoid-get-config-by-native-ncurses.patch \
> > > - file://19-systemd-daemon-is-contained-by-libsystemd.patch \
> > > file://20-do-not-import-target-module-while-cross-compile.patch \
> > > file://21-add-config-option-without-valgrind.patch \
> > > - file://0001-waf-sanitize-and-fix-added-cross-answer.patch \
> > > - file://0002-Adds-a-new-mode-to-samba-cross-compiling.patch \
> > > - file://0003-waf-improve-readability-of-cross-answers-generated-b.patch \
> > > - file://0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch \
> > > - file://0005-build-unify-and-fix-endian-tests.patch \
> > > file://0006-avoid-using-colon-in-the-checking-msg.patch \
> > > - file://0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch \
> > > "
> > >
> > > -SRC_URI[md5sum] = "232016d7581a1ba11e991ec2674553c4"
> > > -SRC_URI[sha256sum] = "033604674936bf5c77d7df299b0626052b84a41505a6a6afe902f6274fc29898"
> > > +SRC_URI[md5sum] = "03a65a3adf08ceb1636ad59d234d7f9d"
> > > +SRC_URI[sha256sum] = "eaecd41a85ebb9507b8db9856ada2a949376e9d53cf75664b5493658f6e5926a"
> > >
> > > inherit systemd waf-samba cpan-base perlnative
> > > # remove default added RDEPENDS on perl
> > > @@ -59,15 +35,15 @@ PACKAGECONFIG ??= "${@base_contains('DISTRO_FEATURES', 'pam', 'pam', '', d)} \
> > > ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '${SYSVINITTYPE}', '', d)} \
> > > ${@base_contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
> > > ${@base_contains('DISTRO_FEATURES', 'zeroconf', 'zeroconf', '', d)} \
> > > - acl aio cups ldap \
> > > + acl cups ldap \
> > > "
> > >
> > > RDEPENDS_${PN}-base += "${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'lsb', '', d)}"
> > > +RDEPENDS_${PN}-ctdb-tests += "bash"
> > >
> > > PACKAGECONFIG[acl] = "--with-acl-support,--without-acl-support,acl"
> > > -PACKAGECONFIG[aio] = "--with-aio-support,--without-aio-support,libaio"
> > > PACKAGECONFIG[fam] = "--with-fam,--without-fam,gamin"
> > > -PACKAGECONFIG[pam] = "--with-pam --with-pam_smbpass --with-pammodulesdir=${base_libdir}/security,--without-pam --without-pam_smbpass,libpam"
> > > +PACKAGECONFIG[pam] = "--with-pam --with-pammodulesdir=${base_libdir}/security,--without-pam --without-pam_smbpass,libpam"
> > > PACKAGECONFIG[lsb] = ",,lsb"
> > > PACKAGECONFIG[sysv] = ",,sysvinit"
> > > PACKAGECONFIG[cups] = "--enable-cups,--disable-cups,cups"
> > > @@ -78,8 +54,6 @@ PACKAGECONFIG[dmapi] = "--with-dmapi,--without-dmapi,dmapi"
> > > PACKAGECONFIG[zeroconf] = "--enable-avahi,--disable-avahi,avahi"
> > > PACKAGECONFIG[valgrind] = ",--without-valgrind,valgrind,"
> > >
> > > -SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'sasl', '', 'file://21-avoid-sasl-unless-wanted.patch', d)}"
> > > -
> > > SAMBA4_IDMAP_MODULES="idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2"
> > > SAMBA4_PDB_MODULES="pdb_tdbsam,${@bb.utils.contains('PACKAGECONFIG', 'ldap', 'pdb_ldap,', '', d)}pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4"
> > > SAMBA4_AUTH_MODULES="auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4"
> > > @@ -87,15 +61,12 @@ SAMBA4_MODULES="${SAMBA4_IDMAP_MODULES},${SAMBA4_PDB_MODULES},${SAMBA4_AUTH_MODU
> > >
> > > SAMBA4_LIBS="heimdal,!zlib,!popt,!talloc,!pytalloc,!pytalloc-util,!tevent,!pytevent,!tdb,!pytdb,!ldb,!pyldb"
> > >
> > > -PERL_VERNDORLIB="${libdir}/perl5/vendor_perl/${PERLVERSION}"
> > > -
> > > EXTRA_OECONF += "--enable-fhs \
> > > --with-piddir=/run \
> > > --with-sockets-dir=/run/samba \
> > > --with-modulesdir=${libdir}/samba \
> > > --with-lockdir=${localstatedir}/lib/samba \
> > > --with-cachedir=${localstatedir}/lib/samba \
> > > - --with-perl-lib-install-dir=${PERL_VERNDORLIB} \
> > > --disable-gnutls \
> > > --disable-rpath-install \
> > > --with-shared-modules=${SAMBA4_MODULES} \
> > > @@ -104,7 +75,6 @@ EXTRA_OECONF += "--enable-fhs \
> > > --without-ad-dc \
> > > ${@base_conditional('TARGET_ARCH', 'x86_64', '', '--disable-glusterfs', d)} \
> > > --with-cluster-support \
> > > - --enable-old-ctdb \
> > > --with-profiling-data \
> > > --with-libiconv=${STAGING_DIR_HOST}${prefix} \
> > > "
> > > @@ -113,13 +83,6 @@ DISABLE_STATIC = ""
> > > LDFLAGS += "-Wl,-z,relro,-z,now"
> > >
> > > do_install_append() {
> > > - if [ -d "${D}/run" ]; then
> > > - if [ -d "${D}/run/samba" ]; then
> > > - rmdir --ignore-fail-on-non-empty "${D}/run/samba"
> > > - fi
> > > - rmdir --ignore-fail-on-non-empty "${D}/run"
> > > - fi
> > > -
> > > if ${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'true', 'false', d)}; then
> > > install -d ${D}${systemd_unitdir}/system
> > > for i in nmb smb winbind; do
> > > @@ -127,20 +90,20 @@ do_install_append() {
> > > done
> > > sed -i 's,\(ExecReload=\).*\(/kill\),\1${base_bindir}\2,' ${D}${systemd_unitdir}/system/*.service
> > >
> > > - install -d ${D}${sysconfdir}/tmpfiles.d
> > > + install -d ${D}${sysconfdir}/tmpfiles.d
> > > install -m644 packaging/systemd/samba.conf.tmp ${D}${sysconfdir}/tmpfiles.d/samba.conf
> > > echo "d ${localstatedir}/log/samba 0755 root root -" \
> > > >> ${D}${sysconfdir}/tmpfiles.d/samba.conf
> > > elif ${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'true', 'false', d)}; then
> > > - install -d ${D}${sysconfdir}/init.d
> > > - install -m 0755 packaging/LSB/samba.sh ${D}${sysconfdir}/init.d
> > > - update-rc.d -r ${D} samba.sh start 20 3 5 .
> > > - update-rc.d -r ${D} samba.sh start 20 0 1 6 .
> > > + install -d ${D}${sysconfdir}/init.d
> > > + install -m 0755 packaging/LSB/samba.sh ${D}${sysconfdir}/init.d
> > > + update-rc.d -r ${D} samba.sh start 20 3 5 .
> > > + update-rc.d -r ${D} samba.sh start 20 0 1 6 .
> > > elif ${@bb.utils.contains('PACKAGECONFIG', 'sysv', 'true', 'false', d)}; then
> > > - install -d ${D}${sysconfdir}/init.d
> > > - install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba.sh
> > > - update-rc.d -r ${D} samba.sh start 20 3 5 .
> > > - update-rc.d -r ${D} samba.sh start 20 0 1 6 .
> > > + install -d ${D}${sysconfdir}/init.d
> > > + install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba.sh
> > > + update-rc.d -r ${D} samba.sh start 20 3 5 .
> > > + update-rc.d -r ${D} samba.sh start 20 0 1 6 .
> > > fi
> > >
> > > install -d ${D}${sysconfdir}/samba
> > > @@ -149,11 +112,13 @@ do_install_append() {
> > >
> > > install -d ${D}${sysconfdir}/sysconfig/
> > > install -m644 packaging/systemd/samba.sysconfig ${D}${sysconfdir}/sysconfig/samba
> > > +
> > > + rm -rf ${D}/run ${D}${localstatedir}/run
> > > }
> > >
> > > PACKAGES += "${PN}-python ${PN}-python-dbg ${PN}-pidl libwinbind libwinbind-dbg libwinbind-krb5-locator"
> > > PACKAGES =+ "libwbclient libnss-winbind winbind winbind-dbg libnetapi libsmbsharemodes \
> > > - libsmbclient libsmbclient-dev lib${PN}-base ${PN}-base"
> > > + libsmbclient libsmbclient-dev lib${PN}-base ${PN}-base ${PN}-ctdb-tests"
> > >
> > > RDEPENDS_${PN} += "${PN}-base"
> > >
> > > @@ -166,6 +131,12 @@ FILES_${PN}-base = "${sbindir}/nmbd \
> > > ${localstatedir}/spool/samba \
> > > "
> > >
> > > +FILES_${PN}-ctdb-tests = "${bindir}/ctdb_run_tests \
> > > + ${libdir}/ctdb-tests \
> > > + ${datadir}/ctdb-tests \
> > > + /run/ctdb \
> > > + "
> > > +
> > > # figured out by
> > > # FILES="tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/samba/4.1.12-r0/image/usr/sbin/smbd tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/samba/4.1.12-r0/image/usr/sbin/nmbd"
> > > #
> > > @@ -312,16 +283,20 @@ FILES_libwinbind-dbg = "${base_libdir}/security/.debug/pam_winbind.so"
> > > FILES_libwinbind-krb5-locator = "${libdir}/winbind_krb5_locator.so"
> > >
> > > FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.so \
> > > + ${libdir}/python${PYTHON_BASEVERSION}/site-packages/_ldb_text.py \
> > > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/*.py \
> > > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/*.so \
> > > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/*.so \
> > > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/*.py \
> > > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/external/* \
> > > + ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/kcc/* \
> > > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/netcmd/*.py \
> > > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/provision/*.py \
> > > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/*.py \
> > > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/*.so \
> > > + ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/subunit/* \
> > > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/tests/* \
> > > + ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/third_party/* \
> > > ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/web_server/* \
> > > "
> > >
> > > @@ -332,4 +307,4 @@ FILES_${PN}-python-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.d
> > > "
> > >
> > > RDEPENDS_${PN}-pidl_append = " perl"
> > > -FILES_${PN}-pidl = "${bindir}/pidl ${PERL_VERNDORLIB}/*"
> > > +FILES_${PN}-pidl = "${bindir}/pidl ${datadir}/perl5/Parse"
> > > --
> > > 1.9.1
> > >
> > > --
> > > _______________________________________________
> > > Openembedded-devel mailing list
> > > Openembedded-devel@lists.openembedded.org
> > > http://lists.openembedded.org/mailman/listinfo/openembedded-devel
> >
> > --
> > Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
>
>
>
> --
> -Joe MacDonald.
> :wq
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 188 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [meta-networking][PATCH 5/5] samba: Update to latest stable
2016-04-20 9:27 ` Martin Jansa
@ 2016-04-20 13:06 ` Joe MacDonald
2016-04-27 18:30 ` Mark Asselstine
0 siblings, 1 reply; 16+ messages in thread
From: Joe MacDonald @ 2016-04-20 13:06 UTC (permalink / raw)
To: openembedded-devel
[-- Attachment #1: Type: text/plain, Size: 12733 bytes --]
[Re: [oe] [meta-networking][PATCH 5/5] samba: Update to latest stable] On 16.04.20 (Wed 11:27) Martin Jansa wrote:
> On Tue, Apr 19, 2016 at 09:01:25AM -0400, Joe MacDonald wrote:
> > [Re: [oe] [meta-networking][PATCH 5/5] samba: Update to latest stable] On 16.04.19 (Tue 11:15) Martin Jansa wrote:
> >
> > > On Mon, Apr 18, 2016 at 05:00:53PM -0400, Joe MacDonald wrote:
> > > > The previous version of Samba had many critical security updates that
> > > > would've required significant backporting effort. Update to the latest
> > > > stable release instead.
> > >
> > > Does it fix floating dependency on libpam as well?
> >
> > It does not, unfortunately. After an embarrassingly long time with this
> > I thought it would be best to carry it this far, integrate the
> > outstanding patches against it, then tackle the libpam dependency issue.
> > Since I know you've sunk a lot of time into this recently I know you
> > know all too well what a tangle the samba build and dependency checking
> > system can be.
>
> Agreed that it can be resolved in follow-up patch.
>
> > It at least meets the criteria of "better than I found it", I think.
>
> Partially agree, but first please fix this one found in last world build:
Got it, I've fixed that in my tree by removing the --without-pam_smbpass
option from line 46 of the samba recipe. In the interests of not
sending out yet another giant patch with one tiny change in it to the
list, here's my current merge queue:
The following changes since commit ab62c7437ff28d045ecff3f82621990ff94662e6:
cyrus-sasl: Drop unneeded group addition (2016-04-19 09:31:39 -0400)
are available in the git repository at:
git://git.openembedded.org/meta-openembedded-contrib joeythesaint/meta-networking-next
for you to fetch changes up to 5182767a3a84491394a54708d5e06d31d59b7c1e:
vpnc: stage vpnc-script (2016-04-20 08:55:44 -0400)
----------------------------------------------------------------
Armin Kuster (1):
c-ares: Add package to networking
Christopher Larson (3):
ctdb: disable the service by default
ctdb: rdepend on procps
ctdb: drop duplicated DESCRIPTION
Fabio Berton (1):
lldpd: Update to version 0.9.2
Ioan-Adrian Ratiu (2):
openconnect: add recipe
vpnc: stage vpnc-script
Jagadeesh Krishnanjanappa (1):
iscsitarget: resolve build error with linux kernel 4.3 and above
Joe MacDonald (5):
samba: Update to latest stable
libldb: Update to latest stable
libtevent: Update to latest stable
libtdb: Update to latest stable
libtalloc: Update to latest stable
Johannes Pointner (1):
samba: add volatile file to support readonly rootfs
Mark Asselstine (1):
dnsmasq: get systemd only working again
.../openconnect/openconnect_git.bb | 18 +
...1-waf-sanitize-and-fix-added-cross-answer.patch | 60 -
...-Adds-a-new-mode-to-samba-cross-compiling.patch | 112 -
...-readability-of-cross-answers-generated-b.patch | 66 -
...wafsamba-CHECK_SIZEOF-cross-compile-frien.patch | 72 -
.../0005-build-unify-and-fix-endian-tests.patch | 169 -
...sing-of-cross-answers-file-in-case-answer.patch | 36 -
.../samba-4.1.12/01-fix-force-user-sec-ads.patch | 1448 -
.../samba/samba-4.1.12/02-fix-ipv6-join.patch | 266 -
.../samba-4.1.12/03-net-ads-kerberos-pac.patch | 962 -
.../samba/samba-4.1.12/04-ipv6-workaround.patch | 211 -
.../05-fix-gecos-field-with-samlogon.patch | 29894 -------------------
.../06-fix-nmbd-systemd-status-update.patch | 97 -
.../07-fix-idmap-ad-getgroups-without-gid.patch | 42 -
.../08-fix-idmap-ad-sfu-with-trusted-domains.patch | 44 -
.../09-fix-smbclient-echo-cmd-segfault.patch | 35 -
...improve-service-principal-guessing-in-net.patch | 180 -
...x-overwriting-of-spns-during-net-ads-join.patch | 329 -
...ted-spns-from-AD-during-keytab-generation.patch | 159 -
.../samba/samba-4.1.12/13-fix-aes-enctype.patch | 988 -
.../samba/samba-4.1.12/14-fix-dnsupdate.patch | 51 -
.../15-fix-netbios-name-truncation.patch | 154 -
.../16-do-not-check-xsltproc-manpages.patch | 52 -
.../samba-4.1.12/17-execute-prog-by-qemu.patch | 22 -
.../18-avoid-get-config-by-native-ncurses.patch | 22 -
...systemd-daemon-is-contained-by-libsystemd.patch | 42 -
.../samba-4.1.12/21-avoid-sasl-unless-wanted.patch | 10 -
.../00-fix-typos-in-man-pages.patch | 0
...006-avoid-using-colon-in-the-checking-msg.patch | 0
.../16-do-not-check-xsltproc-manpages.patch | 43 +
...-import-target-module-while-cross-compile.patch | 19 +-
.../21-add-config-option-without-valgrind.patch | 0
.../samba/samba-4.4.2/volatiles.03_samba | 3 +
.../samba/{samba_4.1.12.bb => samba_4.4.2.bb} | 82 +-
.../recipes-connectivity/vpnc/vpnc_0.5.3.bb | 7 +
.../lldpd/{lldpd_0.9.0.bb => lldpd_0.9.2.bb} | 4 +-
...pdated_bio_struct_of_linux_v4.3_and_above.patch | 75 +
.../iscsitarget/iscsitarget_1.4.20.3+svn502.bb | 8 +-
.../recipes-support/c-ares/c-ares_1.11.0.bb | 13 +
meta-networking/recipes-support/ctdb/ctdb_2.5.1.bb | 11 +-
.../recipes-support/dnsmasq/files/dnsmasq.service | 7 +-
...-import-target-module-while-cross-compile.patch | 19 +-
.../libldb/{libldb_1.1.21.bb => libldb_1.1.26.bb} | 4 +-
.../{libtalloc_2.1.3.bb => libtalloc_2.1.6.bb} | 5 +-
.../libtdb/{libtdb_1.3.7.bb => libtdb_1.3.8.bb} | 4 +-
.../{libtevent_0.9.25.bb => libtevent_0.9.28.bb} | 4 +-
46 files changed, 231 insertions(+), 35618 deletions(-)
create mode 100644 meta-networking/recipes-connectivity/openconnect/openconnect_git.bb
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/00-fix-typos-in-man-pages.patch (100%)
rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/0006-avoid-using-colon-in-the-checking-msg.patch (100%)
create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/20-do-not-import-target-module-while-cross-compile.patch (79%)
mode change 100755 => 100644
rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/21-add-config-option-without-valgrind.patch (100%)
create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.2/volatiles.03_samba
rename meta-networking/recipes-connectivity/samba/{samba_4.1.12.bb => samba_4.4.2.bb} (82%)
rename meta-networking/recipes-daemons/lldpd/{lldpd_0.9.0.bb => lldpd_0.9.2.bb} (94%)
create mode 100644 meta-networking/recipes-extended/iscsitarget/files/build_with_updated_bio_struct_of_linux_v4.3_and_above.patch
create mode 100644 meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb
rename meta-networking/recipes-support/libldb/{libldb_1.1.21.bb => libldb_1.1.26.bb} (92%)
rename meta-networking/recipes-support/libtalloc/{libtalloc_2.1.3.bb => libtalloc_2.1.6.bb} (91%)
rename meta-networking/recipes-support/libtdb/{libtdb_1.3.7.bb => libtdb_1.3.8.bb} (87%)
rename meta-networking/recipes-support/libtevent/{libtevent_0.9.25.bb => libtevent_0.9.28.bb} (88%)
Still trying to test this queue out before merging upstream, but it
might happen today if all goes well.
-J.
>
> ERROR: samba-4.4.2-r0 do_configure: Function failed: do_configure (log file is located at /home/jenkins/oe/world/shr-core/tmp-glibc/work/armv5te-oe-linux-gnueabi/samba/4.4.2-r0/temp/log.do_configure.1777)
> ERROR: Logfile of failure stored in: /home/jenkins/oe/world/shr-core/tmp-glibc/work/armv5te-oe-linux-gnueabi/samba/4.4.2-r0/temp/log.do_configure.1777
> Log data follows:
> | DEBUG: Executing python function sysroot_cleansstate
> | DEBUG: Python function sysroot_cleansstate finished
> | DEBUG: Executing shell function do_configure
> | waf [command] [options]
> |
> | Main commands (example: ./waf build -j4)
> | build : build all targets
> | clean : removes the build files
> | configure : configures the project
> | ctags : build 'tags' file using ctags
> | dist : makes a tarball for distribution
> | distcheck : test that distribution tarball builds and installs
> | distclean : removes the build directory
> | etags : build TAGS file using etags
> | install : installs the build files
> | pep8 : run pep8 validator
> | pydoctor : build python apidocs
> | reconfigure : reconfigure if config scripts have changed
> | test : Run the test suite (see test options below)
> | testonly : run tests without doing a build first
> | uninstall : removes the installed files
> | wafdocs : build wafsamba apidocs
> | wildcard_cmd: called on a unknown command
> |
> | waf: error: no such option: --without-pam_smbpass
> | WARNING: exit code 1 from a shell command.
> | ERROR: Function failed: do_configure (log file is located at /home/jenkins/oe/world/shr-core/tmp-glibc/work/armv5te-oe-linux-gnueabi/samba/4.4.2-r0/temp/log.do_configure.1777)
> NOTE: recipe samba-4.4.2-r0: task do_configure: Failed
> ERROR: Task 20263 (/home/jenkins/oe/world/shr-core/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.4.2.bb, do_configure) failed with exit code '1'
--
-Joe MacDonald.
:wq
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 484 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Update Samba
2016-04-18 21:00 Update Samba Joe MacDonald
` (4 preceding siblings ...)
2016-04-18 21:00 ` [meta-networking][PATCH 5/5] samba: " Joe MacDonald
@ 2016-04-22 16:30 ` George McCollister
2016-04-25 14:01 ` Joe MacDonald
5 siblings, 1 reply; 16+ messages in thread
From: George McCollister @ 2016-04-22 16:30 UTC (permalink / raw)
To: openembedded-devel
I'm looking forward to seeing these changes in krogoth as what is in
there now is unusable from a security standpoint. I cherry picked the
patches to krogoth and my builds suceeded but haven't gotten around to
doing any operational testing yet.
-George
On Mon, Apr 18, 2016 at 4:00 PM, Joe MacDonald <joe_macdonald@mentor.com> wrote:
> I'm still doing some testing on this and I haven't built for all the
> architectures yet, but it passed at least the most basic smoke-test. Given the
> number of outstanding CVEs against our current version of Samba (thanks Armin!
> :-)) I think it's best fo rus to update this rather than trying to do any
> back-ports, but that also introduces a not-inconsiderable level of risk for
> Samba users. So please, if you're one of them, kick the tires on this as soon
> as you can (or ping me back letting me know what your thoughts are on this, at
> least).
>
> Thanks all.
>
> --
> -Joe MacDonald.
> :wq
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Update Samba
2016-04-22 16:30 ` Update Samba George McCollister
@ 2016-04-25 14:01 ` Joe MacDonald
2016-04-25 14:38 ` akuster808
2016-04-25 14:43 ` akuster808
0 siblings, 2 replies; 16+ messages in thread
From: Joe MacDonald @ 2016-04-25 14:01 UTC (permalink / raw)
To: George McCollister, Armin Kuster; +Cc: openembedded-devel
[-- Attachment #1: Type: text/plain, Size: 1760 bytes --]
[Re: [oe] Update Samba] On 16.04.22 (Fri 11:30) George McCollister wrote:
> I'm looking forward to seeing these changes in krogoth as what is in
> there now is unusable from a security standpoint. I cherry picked the
> patches to krogoth and my builds suceeded but haven't gotten around to
> doing any operational testing yet.
Agreed.
Armin: I've already done one merge directly to krogoth to resolve a
build breakage, but since you're maintaining the branch I didn't want to
do any additional ones (even though we started talking about samba
specifically in the krogoth context) without an explicit go-ahead from
you.
Do you want me to send you a patch set, a pull request or do you want me
to merge the samba changes directly?
-J.
>
> -George
>
> On Mon, Apr 18, 2016 at 4:00 PM, Joe MacDonald <joe_macdonald@mentor.com> wrote:
> > I'm still doing some testing on this and I haven't built for all the
> > architectures yet, but it passed at least the most basic smoke-test. Given the
> > number of outstanding CVEs against our current version of Samba (thanks Armin!
> > :-)) I think it's best fo rus to update this rather than trying to do any
> > back-ports, but that also introduces a not-inconsiderable level of risk for
> > Samba users. So please, if you're one of them, kick the tires on this as soon
> > as you can (or ping me back letting me know what your thoughts are on this, at
> > least).
> >
> > Thanks all.
> >
> > --
> > -Joe MacDonald.
> > :wq
> >
> > --
> > _______________________________________________
> > Openembedded-devel mailing list
> > Openembedded-devel@lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-devel
--
-Joe MacDonald.
:wq
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 484 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Update Samba
2016-04-25 14:01 ` Joe MacDonald
@ 2016-04-25 14:38 ` akuster808
2016-04-25 14:54 ` Joe MacDonald
2016-04-25 14:43 ` akuster808
1 sibling, 1 reply; 16+ messages in thread
From: akuster808 @ 2016-04-25 14:38 UTC (permalink / raw)
To: Joe MacDonald, George McCollister; +Cc: openembedded-devel
Joe,
On 04/25/2016 07:01 AM, Joe MacDonald wrote:
> [Re: [oe] Update Samba] On 16.04.22 (Fri 11:30) George McCollister wrote:
>
>> I'm looking forward to seeing these changes in krogoth as what is in
>> there now is unusable from a security standpoint. I cherry picked the
>> patches to krogoth and my builds suceeded but haven't gotten around to
>> doing any operational testing yet.
>
> Agreed.
>
> Armin: I've already done one merge directly to krogoth to resolve a
> build breakage,
I just finished a a build myself and am seeing this warnings. Are these
covered by your changes? I can send patches if not.
WARNING: samba-4.4.2-r0 do_package_qa: QA Issue: samba rdepends on
libaio, but it isn't a build dependency, missing libaio in DEPENDS or
PACKAGECONFIG? [build-deps]
WARNING: samba-4.4.2-r0 do_package_qa: QA Issue: samba rdepends on
lttng-ust, but it isn't a build dependency, missing lttng-ust in DEPENDS
or PACKAGECONFIG? [build-deps]
but since you're maintaining the branch I didn't want to
> do any additional ones (even though we started talking about samba
> specifically in the krogoth context) without an explicit go-ahead from
> you.
>
> Do you want me to send you a patch set, a pull request or do you want me
> to merge the samba changes directly?
Go ahead and merged directly.
- Armin
> -J.
>
>>
>> -George
>>
>> On Mon, Apr 18, 2016 at 4:00 PM, Joe MacDonald <joe_macdonald@mentor.com> wrote:
>>> I'm still doing some testing on this and I haven't built for all the
>>> architectures yet, but it passed at least the most basic smoke-test. Given the
>>> number of outstanding CVEs against our current version of Samba (thanks Armin!
>>> :-)) I think it's best fo rus to update this rather than trying to do any
>>> back-ports, but that also introduces a not-inconsiderable level of risk for
>>> Samba users. So please, if you're one of them, kick the tires on this as soon
>>> as you can (or ping me back letting me know what your thoughts are on this, at
>>> least).
>>>
>>> Thanks all.
>>>
>>> --
>>> -Joe MacDonald.
>>> :wq
>>>
>>> --
>>> _______________________________________________
>>> Openembedded-devel mailing list
>>> Openembedded-devel@lists.openembedded.org
>>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Update Samba
2016-04-25 14:01 ` Joe MacDonald
2016-04-25 14:38 ` akuster808
@ 2016-04-25 14:43 ` akuster808
1 sibling, 0 replies; 16+ messages in thread
From: akuster808 @ 2016-04-25 14:43 UTC (permalink / raw)
To: Joe MacDonald, George McCollister; +Cc: openembedded-devel
Joe,
On 04/25/2016 07:01 AM, Joe MacDonald wrote:
> [Re: [oe] Update Samba] On 16.04.22 (Fri 11:30) George McCollister wrote:
>
>> I'm looking forward to seeing these changes in krogoth as what is in
>> there now is unusable from a security standpoint. I cherry picked the
>> patches to krogoth and my builds suceeded but haven't gotten around to
>> doing any operational testing yet.
>
> Agreed.
>
> Armin: I've already done one merge directly to krogoth to resolve a
> build breakage,
I just finished a a build myself and am seeing this warnings. Are these
covered by your changes? I can send patches if not.
WARNING: samba-4.4.2-r0 do_package_qa: QA Issue: samba rdepends on
libaio, but it isn't a build dependency, missing libaio in DEPENDS or
PACKAGECONFIG? [build-deps]
WARNING: samba-4.4.2-r0 do_package_qa: QA Issue: samba rdepends on
lttng-ust, but it isn't a build dependency, missing lttng-ust in DEPENDS
or PACKAGECONFIG? [build-deps]
but since you're maintaining the branch I didn't want to
> do any additional ones (even though we started talking about samba
> specifically in the krogoth context) without an explicit go-ahead from
> you.
>
> Do you want me to send you a patch set, a pull request or do you want me
> to merge the samba changes directly?
Go ahead and merged directly.
- Armin
> -J.
>
>>
>> -George
>>
>> On Mon, Apr 18, 2016 at 4:00 PM, Joe MacDonald <joe_macdonald@mentor.com> wrote:
>>> I'm still doing some testing on this and I haven't built for all the
>>> architectures yet, but it passed at least the most basic smoke-test. Given the
>>> number of outstanding CVEs against our current version of Samba (thanks Armin!
>>> :-)) I think it's best fo rus to update this rather than trying to do any
>>> back-ports, but that also introduces a not-inconsiderable level of risk for
>>> Samba users. So please, if you're one of them, kick the tires on this as soon
>>> as you can (or ping me back letting me know what your thoughts are on this, at
>>> least).
>>>
>>> Thanks all.
>>>
>>> --
>>> -Joe MacDonald.
>>> :wq
>>>
>>> --
>>> _______________________________________________
>>> Openembedded-devel mailing list
>>> Openembedded-devel@lists.openembedded.org
>>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Update Samba
2016-04-25 14:38 ` akuster808
@ 2016-04-25 14:54 ` Joe MacDonald
0 siblings, 0 replies; 16+ messages in thread
From: Joe MacDonald @ 2016-04-25 14:54 UTC (permalink / raw)
To: akuster808; +Cc: openembedded-devel
[-- Attachment #1: Type: text/plain, Size: 3032 bytes --]
Hey Armin,
[Re: [oe] Update Samba] On 16.04.25 (Mon 07:38) akuster808 wrote:
> Joe,
>
>
> On 04/25/2016 07:01 AM, Joe MacDonald wrote:
> > [Re: [oe] Update Samba] On 16.04.22 (Fri 11:30) George McCollister wrote:
> >
> >> I'm looking forward to seeing these changes in krogoth as what is in
> >> there now is unusable from a security standpoint. I cherry picked the
> >> patches to krogoth and my builds suceeded but haven't gotten around to
> >> doing any operational testing yet.
> >
> > Agreed.
> >
> > Armin: I've already done one merge directly to krogoth to resolve a
> > build breakage,
>
> I just finished a a build myself and am seeing this warnings. Are these
> covered by your changes? I can send patches if not.
>
> WARNING: samba-4.4.2-r0 do_package_qa: QA Issue: samba rdepends on
> libaio, but it isn't a build dependency, missing libaio in DEPENDS or
> PACKAGECONFIG? [build-deps]
> WARNING: samba-4.4.2-r0 do_package_qa: QA Issue: samba rdepends on
> lttng-ust, but it isn't a build dependency, missing lttng-ust in DEPENDS
> or PACKAGECONFIG? [build-deps]
No, neither of these are covered in my changes. I hadn't seen either of
these, even with my autobuilder. libaio is kind of a pain because in
the previous versions of samba there was a configure option to
enable/disable it, but that's gone in any version post 4.1, AFAICT. I
hadn't seen anything related to lttng in any version. Please send
patches and I'll merge them to both places and the samba update to
krogoth.
Thanks.
-J.
>
> but since you're maintaining the branch I didn't want to
> > do any additional ones (even though we started talking about samba
> > specifically in the krogoth context) without an explicit go-ahead from
> > you.
> >
> > Do you want me to send you a patch set, a pull request or do you want me
> > to merge the samba changes directly?
>
> Go ahead and merged directly.
>
> - Armin
>
> > -J.
> >
> >>
> >> -George
> >>
> >> On Mon, Apr 18, 2016 at 4:00 PM, Joe MacDonald <joe_macdonald@mentor.com> wrote:
> >>> I'm still doing some testing on this and I haven't built for all the
> >>> architectures yet, but it passed at least the most basic smoke-test. Given the
> >>> number of outstanding CVEs against our current version of Samba (thanks Armin!
> >>> :-)) I think it's best fo rus to update this rather than trying to do any
> >>> back-ports, but that also introduces a not-inconsiderable level of risk for
> >>> Samba users. So please, if you're one of them, kick the tires on this as soon
> >>> as you can (or ping me back letting me know what your thoughts are on this, at
> >>> least).
> >>>
> >>> Thanks all.
> >>>
> >>> --
> >>> -Joe MacDonald.
> >>> :wq
> >>>
> >>> --
> >>> _______________________________________________
> >>> Openembedded-devel mailing list
> >>> Openembedded-devel@lists.openembedded.org
> >>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
--
-Joe MacDonald.
:wq
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 484 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [meta-networking][PATCH 5/5] samba: Update to latest stable
2016-04-20 13:06 ` Joe MacDonald
@ 2016-04-27 18:30 ` Mark Asselstine
0 siblings, 0 replies; 16+ messages in thread
From: Mark Asselstine @ 2016-04-27 18:30 UTC (permalink / raw)
To: openembedded-devel, Joe_MacDonald
On Wed, Apr 20, 2016 at 9:06 AM, Joe MacDonald <Joe_MacDonald@mentor.com> wrote:
> [Re: [oe] [meta-networking][PATCH 5/5] samba: Update to latest stable] On 16.04.20 (Wed 11:27) Martin Jansa wrote:
>
>> On Tue, Apr 19, 2016 at 09:01:25AM -0400, Joe MacDonald wrote:
>> > [Re: [oe] [meta-networking][PATCH 5/5] samba: Update to latest stable] On 16.04.19 (Tue 11:15) Martin Jansa wrote:
>> >
>> > > On Mon, Apr 18, 2016 at 05:00:53PM -0400, Joe MacDonald wrote:
>> > > > The previous version of Samba had many critical security updates that
>> > > > would've required significant backporting effort. Update to the latest
>> > > > stable release instead.
>> > >
>> > > Does it fix floating dependency on libpam as well?
>> >
>> > It does not, unfortunately. After an embarrassingly long time with this
>> > I thought it would be best to carry it this far, integrate the
>> > outstanding patches against it, then tackle the libpam dependency issue.
>> > Since I know you've sunk a lot of time into this recently I know you
>> > know all too well what a tangle the samba build and dependency checking
>> > system can be.
>>
>> Agreed that it can be resolved in follow-up patch.
>>
>> > It at least meets the criteria of "better than I found it", I think.
>>
>> Partially agree, but first please fix this one found in last world build:
>
I am seeing an issue that I believe is related to this uprev. I am
getting rootfs generation issues:
Preparing... ######################################## [ 0%]
warning: Removing ctdb-2.5.1-r0@core2_64 due to file /usr/bin/ctdb
conflicting with samba-4.4.2-r0@core2_64
error: ctdb-dev-2.5.1-r0 conflicts with ctdb = 2.5.1-r0
Looking at the relationship between samba and ctdb it appears that the
landscape has changed some starting in version 4.2. Samba now includes
and installs ctdb instead of relying on stand-alone ctdb. Referencing
https://wiki.samba.org/index.php/CTDB_Setup we see this activated by
'--with-cluster-support' which we do pass to configure based on the
bb.
Dropping the DEPENDS on ctdb resolves this issue. Any thoughts on
this, should I just send a patch with the above or is there other
considerations I am missing?
Mark
> Got it, I've fixed that in my tree by removing the --without-pam_smbpass
> option from line 46 of the samba recipe. In the interests of not
> sending out yet another giant patch with one tiny change in it to the
> list, here's my current merge queue:
>
> The following changes since commit ab62c7437ff28d045ecff3f82621990ff94662e6:
>
> cyrus-sasl: Drop unneeded group addition (2016-04-19 09:31:39 -0400)
>
> are available in the git repository at:
>
> git://git.openembedded.org/meta-openembedded-contrib joeythesaint/meta-networking-next
>
> for you to fetch changes up to 5182767a3a84491394a54708d5e06d31d59b7c1e:
>
> vpnc: stage vpnc-script (2016-04-20 08:55:44 -0400)
>
> ----------------------------------------------------------------
> Armin Kuster (1):
> c-ares: Add package to networking
>
> Christopher Larson (3):
> ctdb: disable the service by default
> ctdb: rdepend on procps
> ctdb: drop duplicated DESCRIPTION
>
> Fabio Berton (1):
> lldpd: Update to version 0.9.2
>
> Ioan-Adrian Ratiu (2):
> openconnect: add recipe
> vpnc: stage vpnc-script
>
> Jagadeesh Krishnanjanappa (1):
> iscsitarget: resolve build error with linux kernel 4.3 and above
>
> Joe MacDonald (5):
> samba: Update to latest stable
> libldb: Update to latest stable
> libtevent: Update to latest stable
> libtdb: Update to latest stable
> libtalloc: Update to latest stable
>
> Johannes Pointner (1):
> samba: add volatile file to support readonly rootfs
>
> Mark Asselstine (1):
> dnsmasq: get systemd only working again
>
> .../openconnect/openconnect_git.bb | 18 +
> ...1-waf-sanitize-and-fix-added-cross-answer.patch | 60 -
> ...-Adds-a-new-mode-to-samba-cross-compiling.patch | 112 -
> ...-readability-of-cross-answers-generated-b.patch | 66 -
> ...wafsamba-CHECK_SIZEOF-cross-compile-frien.patch | 72 -
> .../0005-build-unify-and-fix-endian-tests.patch | 169 -
> ...sing-of-cross-answers-file-in-case-answer.patch | 36 -
> .../samba-4.1.12/01-fix-force-user-sec-ads.patch | 1448 -
> .../samba/samba-4.1.12/02-fix-ipv6-join.patch | 266 -
> .../samba-4.1.12/03-net-ads-kerberos-pac.patch | 962 -
> .../samba/samba-4.1.12/04-ipv6-workaround.patch | 211 -
> .../05-fix-gecos-field-with-samlogon.patch | 29894 -------------------
> .../06-fix-nmbd-systemd-status-update.patch | 97 -
> .../07-fix-idmap-ad-getgroups-without-gid.patch | 42 -
> .../08-fix-idmap-ad-sfu-with-trusted-domains.patch | 44 -
> .../09-fix-smbclient-echo-cmd-segfault.patch | 35 -
> ...improve-service-principal-guessing-in-net.patch | 180 -
> ...x-overwriting-of-spns-during-net-ads-join.patch | 329 -
> ...ted-spns-from-AD-during-keytab-generation.patch | 159 -
> .../samba/samba-4.1.12/13-fix-aes-enctype.patch | 988 -
> .../samba/samba-4.1.12/14-fix-dnsupdate.patch | 51 -
> .../15-fix-netbios-name-truncation.patch | 154 -
> .../16-do-not-check-xsltproc-manpages.patch | 52 -
> .../samba-4.1.12/17-execute-prog-by-qemu.patch | 22 -
> .../18-avoid-get-config-by-native-ncurses.patch | 22 -
> ...systemd-daemon-is-contained-by-libsystemd.patch | 42 -
> .../samba-4.1.12/21-avoid-sasl-unless-wanted.patch | 10 -
> .../00-fix-typos-in-man-pages.patch | 0
> ...006-avoid-using-colon-in-the-checking-msg.patch | 0
> .../16-do-not-check-xsltproc-manpages.patch | 43 +
> ...-import-target-module-while-cross-compile.patch | 19 +-
> .../21-add-config-option-without-valgrind.patch | 0
> .../samba/samba-4.4.2/volatiles.03_samba | 3 +
> .../samba/{samba_4.1.12.bb => samba_4.4.2.bb} | 82 +-
> .../recipes-connectivity/vpnc/vpnc_0.5.3.bb | 7 +
> .../lldpd/{lldpd_0.9.0.bb => lldpd_0.9.2.bb} | 4 +-
> ...pdated_bio_struct_of_linux_v4.3_and_above.patch | 75 +
> .../iscsitarget/iscsitarget_1.4.20.3+svn502.bb | 8 +-
> .../recipes-support/c-ares/c-ares_1.11.0.bb | 13 +
> meta-networking/recipes-support/ctdb/ctdb_2.5.1.bb | 11 +-
> .../recipes-support/dnsmasq/files/dnsmasq.service | 7 +-
> ...-import-target-module-while-cross-compile.patch | 19 +-
> .../libldb/{libldb_1.1.21.bb => libldb_1.1.26.bb} | 4 +-
> .../{libtalloc_2.1.3.bb => libtalloc_2.1.6.bb} | 5 +-
> .../libtdb/{libtdb_1.3.7.bb => libtdb_1.3.8.bb} | 4 +-
> .../{libtevent_0.9.25.bb => libtevent_0.9.28.bb} | 4 +-
> 46 files changed, 231 insertions(+), 35618 deletions(-)
> create mode 100644 meta-networking/recipes-connectivity/openconnect/openconnect_git.bb
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0001-waf-sanitize-and-fix-added-cross-answer.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0002-Adds-a-new-mode-to-samba-cross-compiling.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0003-waf-improve-readability-of-cross-answers-generated-b.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0005-build-unify-and-fix-endian-tests.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
> delete mode 100644 meta-networking/recipes-connectivity/samba/samba-4.1.12/21-avoid-sasl-unless-wanted.patch
> rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/00-fix-typos-in-man-pages.patch (100%)
> rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/0006-avoid-using-colon-in-the-checking-msg.patch (100%)
> create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.2/16-do-not-check-xsltproc-manpages.patch
> rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/20-do-not-import-target-module-while-cross-compile.patch (79%)
> mode change 100755 => 100644
> rename meta-networking/recipes-connectivity/samba/{samba-4.1.12 => samba-4.4.2}/21-add-config-option-without-valgrind.patch (100%)
> create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.2/volatiles.03_samba
> rename meta-networking/recipes-connectivity/samba/{samba_4.1.12.bb => samba_4.4.2.bb} (82%)
> rename meta-networking/recipes-daemons/lldpd/{lldpd_0.9.0.bb => lldpd_0.9.2.bb} (94%)
> create mode 100644 meta-networking/recipes-extended/iscsitarget/files/build_with_updated_bio_struct_of_linux_v4.3_and_above.patch
> create mode 100644 meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb
> rename meta-networking/recipes-support/libldb/{libldb_1.1.21.bb => libldb_1.1.26.bb} (92%)
> rename meta-networking/recipes-support/libtalloc/{libtalloc_2.1.3.bb => libtalloc_2.1.6.bb} (91%)
> rename meta-networking/recipes-support/libtdb/{libtdb_1.3.7.bb => libtdb_1.3.8.bb} (87%)
> rename meta-networking/recipes-support/libtevent/{libtevent_0.9.25.bb => libtevent_0.9.28.bb} (88%)
>
> Still trying to test this queue out before merging upstream, but it
> might happen today if all goes well.
>
> -J.
>
>>
>> ERROR: samba-4.4.2-r0 do_configure: Function failed: do_configure (log file is located at /home/jenkins/oe/world/shr-core/tmp-glibc/work/armv5te-oe-linux-gnueabi/samba/4.4.2-r0/temp/log.do_configure.1777)
>> ERROR: Logfile of failure stored in: /home/jenkins/oe/world/shr-core/tmp-glibc/work/armv5te-oe-linux-gnueabi/samba/4.4.2-r0/temp/log.do_configure.1777
>> Log data follows:
>> | DEBUG: Executing python function sysroot_cleansstate
>> | DEBUG: Python function sysroot_cleansstate finished
>> | DEBUG: Executing shell function do_configure
>> | waf [command] [options]
>> |
>> | Main commands (example: ./waf build -j4)
>> | build : build all targets
>> | clean : removes the build files
>> | configure : configures the project
>> | ctags : build 'tags' file using ctags
>> | dist : makes a tarball for distribution
>> | distcheck : test that distribution tarball builds and installs
>> | distclean : removes the build directory
>> | etags : build TAGS file using etags
>> | install : installs the build files
>> | pep8 : run pep8 validator
>> | pydoctor : build python apidocs
>> | reconfigure : reconfigure if config scripts have changed
>> | test : Run the test suite (see test options below)
>> | testonly : run tests without doing a build first
>> | uninstall : removes the installed files
>> | wafdocs : build wafsamba apidocs
>> | wildcard_cmd: called on a unknown command
>> |
>> | waf: error: no such option: --without-pam_smbpass
>> | WARNING: exit code 1 from a shell command.
>> | ERROR: Function failed: do_configure (log file is located at /home/jenkins/oe/world/shr-core/tmp-glibc/work/armv5te-oe-linux-gnueabi/samba/4.4.2-r0/temp/log.do_configure.1777)
>> NOTE: recipe samba-4.4.2-r0: task do_configure: Failed
>> ERROR: Task 20263 (/home/jenkins/oe/world/shr-core/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.4.2.bb, do_configure) failed with exit code '1'
>
>
> --
> -Joe MacDonald.
> :wq
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
>
^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2016-04-27 18:30 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-04-18 21:00 Update Samba Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 1/5] libtalloc: Update to latest stable Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 2/5] libtdb: " Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 3/5] libtevent: " Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 4/5] libldb: " Joe MacDonald
2016-04-18 21:00 ` [meta-networking][PATCH 5/5] samba: " Joe MacDonald
2016-04-19 9:15 ` Martin Jansa
2016-04-19 13:01 ` Joe MacDonald
2016-04-20 9:27 ` Martin Jansa
2016-04-20 13:06 ` Joe MacDonald
2016-04-27 18:30 ` Mark Asselstine
2016-04-22 16:30 ` Update Samba George McCollister
2016-04-25 14:01 ` Joe MacDonald
2016-04-25 14:38 ` akuster808
2016-04-25 14:54 ` Joe MacDonald
2016-04-25 14:43 ` akuster808
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.