2025-03-01 04:58:35 +03:00 · 2008-11-11 10:20:24 -08:00 · 2008-11-11 10:20:24 -08:00 · 4f2635b729
commit 4f2635b729
parent 8cb23a6b29 2e6bf03e51
339 changed files with 7989 additions and 5816 deletions
--- a/docs-xml/smbdotconf/tuning/syncalways.xml
+++ b/docs-xml/smbdotconf/tuning/syncalways.xml
@ -12,7 +12,7 @@
    </command> call to ensure the data is written to disk. Note that 
    the <parameter moreinfo="none">strict sync</parameter> parameter must be set to
    <constant>yes</constant> in order for this parameter to have 
-    any affect.</para>
+    any effect.</para>
 </description>
 <related>strict sync</related>
--- a/lib/replace/README
+++ b/lib/replace/README
@ -46,6 +46,8 @@ mkdtemp
 mkstemp (a secure one!)
 pread
 pwrite
 chown
 lchown
 getpass
 readline (the library)
 inet_ntoa
@ -64,6 +66,11 @@ getifaddrs
 freeifaddrs
 utime
 utimes
 dup2
 link
 readlink
 symlink
 realpath
 Types:
 bool
--- a/lib/replace/libreplace.m4
+++ b/lib/replace/libreplace.m4
@ -107,8 +107,8 @@ AC_CHECK_HEADERS(stropts.h)
 AC_CHECK_FUNCS(seteuid setresuid setegid setresgid chroot bzero strerror)
 AC_CHECK_FUNCS(vsyslog setlinebuf mktime ftruncate chsize rename)
 AC_CHECK_FUNCS(waitpid strlcpy strlcat initgroups memmove strdup)
-AC_CHECK_FUNCS(pread pwrite strndup strcasestr strtok_r mkdtemp)
+AC_CHECK_FUNCS(pread pwrite strndup strcasestr strtok_r mkdtemp dup2)
-AC_CHECK_FUNCS(isatty)
+AC_CHECK_FUNCS(isatty chown lchown link readlink symlink realpath)
 AC_HAVE_DECL(setresuid, [#include <unistd.h>])
 AC_HAVE_DECL(setresgid, [#include <unistd.h>])
 AC_HAVE_DECL(errno, [#include <errno.h>])
--- a/lib/replace/replace.c
+++ b/lib/replace/replace.c
@ -2,6 +2,7 @@
   Unix SMB/CIFS implementation.
   replacement routines for broken systems
   Copyright (C) Andrew Tridgell 1992-1998
   Copyright (C) Jelmer Vernooij 2005-2008
     ** NOTE! The following LGPL license applies to the replace
     ** library. This does NOT imply that all of Samba is released
@ -614,3 +615,63 @@ int rep_utimes(const char *filename, const struct timeval tv[2])
 	return utime(filename, &u);
 }
 #endif
 #ifndef HAVE_DUP2
 int rep_dup2(int oldfd, int newfd) 
 {
 	errno = ENOSYS;
 	return -1;
 }
 #endif
 #ifndef HAVE_CHOWN
 /**
 chown isn't used much but OS/2 doesn't have it
 **/
 int rep_chown(const char *fname, uid_t uid, gid_t gid)
 {
 	errno = ENOSYS;
 	return -1;
 }
 #endif
 #ifndef HAVE_LINK
 int rep_link(const char *oldpath, const char *newpath)
 {
 	errno = ENOSYS;
 	return -1;
 }
 #endif
 #ifndef HAVE_READLINK
 int rep_readlink(const char *path, char *buf, size_t bufsiz)
 {
 	errno = ENOSYS;
 	return -1;
 }
 #endif
 #ifndef HAVE_SYMLINK
 int rep_symlink(const char *oldpath, const char *newpath)
 {
 	errno = ENOSYS;
 	return -1;
 }
 #endif
 #ifndef HAVE_LCHOWN
 int rep_lchown(const char *fname,uid_t uid,gid_t gid)
 {
 	errno = ENOSYS;
 	return -1;
 }
 #endif
 #ifndef HAVE_REALPATH
 char *rep_realpath(const char *path, char *resolved_path)
 {
 	/* As realpath is not a system call we can't return ENOSYS. */
 	errno = EINVAL;
 	return NULL;
 }
 #endif
--- a/lib/replace/replace.h
+++ b/lib/replace/replace.h
@ -4,7 +4,7 @@
   macros to go along with the lib/replace/ portability layer code
   Copyright (C) Andrew Tridgell 2005
-   Copyright (C) Jelmer Vernooij 2006
+   Copyright (C) Jelmer Vernooij 2006-2008
   Copyright (C) Jeremy Allison 2007.
     ** NOTE! The following LGPL license applies to the replace
@ -215,6 +215,49 @@ int rep_seteuid(uid_t);
 int rep_setegid(gid_t);
 #endif
 #if (defined(USE_SETRESUID) && !defined(HAVE_SETRESUID_DECL))
 /* stupid glibc */
 int setresuid(uid_t ruid, uid_t euid, uid_t suid);
 #endif
 #if (defined(USE_SETRESUID) && !defined(HAVE_SETRESGID_DECL))
 int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
 #endif
 #ifndef HAVE_CHOWN
 #define chown rep_chown
 int rep_chown(const char *path, uid_t uid, gid_t gid);
 #endif
 #ifndef HAVE_CHROOT
 #define chroot rep_chroot
 int rep_chroot(const char *dirname);
 #endif
 #ifndef HAVE_LINK
 #define link rep_link
 int rep_link(const char *oldpath, const char *newpath);
 #endif
 #ifndef HAVE_READLINK
 #define readlink rep_readlink
 ssize_t rep_readlink(const char *path, char *buf, size_t bufsize);
 #endif
 #ifndef HAVE_SYMLINK
 #define symlink rep_symlink
 int rep_symlink(const char *oldpath, const char *newpath);
 #endif
 #ifndef HAVE_REALPATH
 #define realpath rep_realpath
 char *rep_realpath(const char *path, char *resolved_path);
 #endif
 #ifndef HAVE_LCHOWN
 #define lchown rep_lchown
 int rep_lchown(const char *fname,uid_t uid,gid_t gid);
 #endif
 #ifndef HAVE_SETLINEBUF
 #define setlinebuf rep_setlinebuf
 void rep_setlinebuf(FILE *);
@ -358,6 +401,11 @@ struct tm;
 char *rep_strptime(const char *buf, const char *format, struct tm *tm);
 #endif
 #ifndef HAVE_DUP2
 #define dup2 rep_dup2
 int rep_dup2(int oldfd, int newfd);
 #endif
 /* Load header file for dynamic linking stuff */
 #ifdef HAVE_DLFCN_H
 #include <dlfcn.h>
--- a/lib/util/charset/charcnv.c
+++ b/lib/util/charset/charcnv.c
@ -155,6 +155,78 @@ static smb_iconv_t get_conv_handle(struct smb_iconv_convenience *ic,
 	return ic->conv_handles[from][to];
 }
 /**
 * Convert string from one encoding to another, making error checking etc
 *
 * @param mem_ctx Memory context
 * @param cd Iconv handle
 * @param src pointer to source string (multibyte or singlebyte)
 * @param srclen length of the source string in bytes
 * @param dest pointer to destination string (multibyte or singlebyte)
 * @param destlen maximal length allowed for string
 * @returns the number of bytes occupied in the destination
 **/
 _PUBLIC_ ssize_t iconv_talloc(TALLOC_CTX *ctx, 
 				       smb_iconv_t cd,
 				       void const *src, size_t srclen, 
 				       void **dest)
 {
 	size_t i_len, o_len, destlen;
 	size_t retval;
 	const char *inbuf = (const char *)src;
 	char *outbuf, *ob;
 	*dest = NULL;
 	/* it is _very_ rare that a conversion increases the size by
 	   more than 3x */
 	destlen = srclen;
 	outbuf = NULL;
 convert:
 	destlen = 2 + (destlen*3);
 	ob = talloc_realloc(ctx, outbuf, char, destlen);
 	if (!ob) {
 		DEBUG(0, ("convert_string_talloc: realloc failed!\n"));
 		talloc_free(outbuf);
 		return (size_t)-1;
 	} else {
 		outbuf = ob;
 	}
 	/* we give iconv 2 less bytes to allow us to terminate at the
 	   end */
 	i_len = srclen;
 	o_len = destlen-2;
 	retval = smb_iconv(cd,
 			   &inbuf, &i_len,
 			   &outbuf, &o_len);
 	if(retval == (size_t)-1) 		{
 	    	const char *reason="unknown error";
 		switch(errno) {
 			case EINVAL:
 				reason="Incomplete multibyte sequence";
 				break;
 			case E2BIG:
 				goto convert;		
 			case EILSEQ:
 				reason="Illegal multibyte sequence";
 				break;
 		}
 		DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf));
 		talloc_free(ob);
 		return (size_t)-1;
 	}
 	destlen = (destlen-2) - o_len;
 	/* guarantee null termination in all charsets */
 	SSVAL(ob, destlen, 0);
 	*dest = ob;
 	return destlen;
 }
 /**
 * Convert string from one encoding to another, making error checking etc
@ -219,64 +291,6 @@ _PUBLIC_ ssize_t convert_string_convenience(struct smb_iconv_convenience *ic,
 	return destlen-o_len;
 }
 _PUBLIC_ ssize_t convert_string_talloc_descriptor(TALLOC_CTX *ctx, smb_iconv_t descriptor, void const *src, size_t srclen, void **dest)
 {
 	size_t i_len, o_len, destlen;
 	size_t retval;
 	const char *inbuf = (const char *)src;
 	char *outbuf, *ob;
 	*dest = NULL;
 	/* it is _very_ rare that a conversion increases the size by
 	   more than 3x */
 	destlen = srclen;
 	outbuf = NULL;
 convert:
 	destlen = 2 + (destlen*3);
 	ob = talloc_realloc(ctx, outbuf, char, destlen);
 	if (!ob) {
 		DEBUG(0, ("convert_string_talloc: realloc failed!\n"));
 		talloc_free(outbuf);
 		return (size_t)-1;
 	} else {
 		outbuf = ob;
 	}
 	/* we give iconv 2 less bytes to allow us to terminate at the
 	   end */
 	i_len = srclen;
 	o_len = destlen-2;
 	retval = smb_iconv(descriptor,
 			   &inbuf, &i_len,
 			   &outbuf, &o_len);
 	if(retval == (size_t)-1) 		{
 	    	const char *reason="unknown error";
 		switch(errno) {
 			case EINVAL:
 				reason="Incomplete multibyte sequence";
 				break;
 			case E2BIG:
 				goto convert;		
 			case EILSEQ:
 				reason="Illegal multibyte sequence";
 				break;
 		}
 		DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf));
 		talloc_free(ob);
 		return (size_t)-1;
 	}
 	destlen = (destlen-2) - o_len;
 	/* guarantee null termination in all charsets */
 	SSVAL(ob, destlen, 0);
 	*dest = ob;
 	return destlen;
 }
 /**
 * Convert between character sets, allocating a new buffer using talloc for the result.
 *
@ -310,7 +324,7 @@ _PUBLIC_ ssize_t convert_string_talloc_convenience(TALLOC_CTX *ctx,
 		return -1;
 	}
-	return convert_string_talloc_descriptor(ctx, descriptor, src, srclen, dest);
+	return iconv_talloc(ctx, descriptor, src, srclen, dest);
 }
 /*
--- a/lib/util/charset/charset.h
+++ b/lib/util/charset/charset.h
@ -122,6 +122,11 @@ ssize_t convert_string(charset_t from, charset_t to,
 				void const *src, size_t srclen, 
 				void *dest, size_t destlen);
 ssize_t iconv_talloc(TALLOC_CTX *mem_ctx, 
 				       smb_iconv_t cd,
 				       void const *src, size_t srclen, 
 				       void **dest);
 extern struct smb_iconv_convenience *global_iconv_convenience;
 codepoint_t next_codepoint(const char *str, size_t *size);
@ -145,7 +150,6 @@ ssize_t convert_string_convenience(struct smb_iconv_convenience *ic,
 				charset_t from, charset_t to,
 				void const *src, size_t srclen, 
 				void *dest, size_t destlen);
 ssize_t convert_string_talloc_descriptor(TALLOC_CTX *ctx, smb_iconv_t descriptor, void const *src, size_t srclen, void **dest);
 ssize_t convert_string_talloc_convenience(TALLOC_CTX *ctx, 
 				       struct smb_iconv_convenience *ic, 
 				       charset_t from, charset_t to, 
--- a/lib/util/config.mk
+++ b/lib/util/config.mk
@ -34,10 +34,12 @@ PUBLIC_HEADERS += $(addprefix $(libutilsrcdir)/, util.h \
 				 byteorder.h \
 				 data_blob.h \
 				 debug.h \
 				 memory.h \
 				 mutex.h \
 				 safe_string.h \
 				 time.h \
 				 util_ldb.h \
 				 talloc_stack.h \
 				 xfile.h)
 [SUBSYSTEM::ASN1_UTIL]
--- a/lib/util/debug.h
+++ b/lib/util/debug.h
@ -17,6 +17,9 @@
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 #ifndef _SAMBA_DEBUG_H_
 #define _SAMBA_DEBUG_H_
 /**
 * @file
 * @brief Debugging macros
@ -80,7 +83,7 @@ enum debug_logtype {DEBUG_STDOUT = 0, DEBUG_FILE = 1, DEBUG_STDERR = 2};
 */
 _PUBLIC_ void dbghdr(int level, const char *location, const char *func);
-_PUBLIC_ void dbghdrclass(int level, int class, const char *location, const char *func);
+_PUBLIC_ void dbghdrclass(int level, int cls, const char *location, const char *func);
 /**
  reopen the log file (usually called because the log file name might have changed)
@ -131,3 +134,5 @@ _PUBLIC_ void register_debug_handlers(const char *name, struct debug_ops *ops);
 _PUBLIC_ void dbgtext(const char *format, ...) PRINTF_ATTRIBUTE(1,2);
 extern XFILE *dbf;
 #endif
--- a/lib/util/dprintf.c
+++ b/lib/util/dprintf.c
@ -60,7 +60,7 @@ _PUBLIC_ int d_vfprintf(FILE *f, const char *format, va_list ap)
 	if (ret <= 0) return ret;
-	clen = convert_string_talloc_descriptor(NULL, display_cd, p, ret, (void **)&p2);
+	clen = iconv_talloc(NULL, display_cd, p, ret, (void **)&p2);
        if (clen == -1) {
 		/* the string can't be converted - do the best we can,
 		   filling in non-printing chars with '?' */
--- a/lib/util/util.h
+++ b/lib/util/util.h
@ -49,12 +49,26 @@ extern const char *panic_action;
 /**
 * assert macros 
 */
 #ifdef DEVELOPER
 #define SMB_ASSERT(b) do { if (!(b)) { \
-	DEBUG(0,("PANIC: assert failed at %s(%d)\n", __FILE__, __LINE__)); \
+        DEBUG(0,("PANIC: assert failed at %s(%d): %s\n", \
-	smb_panic("assert failed"); }} while (0)
+		 __FILE__, __LINE__, #b)); smb_panic("assert failed: " #b); }} while(0)
 #else
 /* redefine the assert macro for non-developer builds */
 #define SMB_ASSERT(b) do { if (!(b)) { \
        DEBUG(0,("PANIC: assert failed at %s(%d): %s\n", \
 	    __FILE__, __LINE__, #b)); }} while (0)
 #endif
-#if defined(VALGRIND)
+#if _SAMBA_BUILD_ == 4
 #ifdef VALGRIND
 #define strlen(x) valgrind_strlen(x)
 size_t valgrind_strlen(const char *s);
 #endif
 #endif
 #ifndef ABS
 #define ABS(a) ((a)>0?(a):(-(a)))
 #endif
 #include "../lib/util/memory.h"
@ -69,10 +83,12 @@ _PUBLIC_ void call_backtrace(void);
 **/
 _PUBLIC_ _NORETURN_ void smb_panic(const char *why);
 #if _SAMBA_BUILD_ == 4
 /**
 setup our fault handlers
 **/
 _PUBLIC_ void fault_setup(const char *pname);
 #endif
 /**
  register a fault handler. 
@ -168,12 +184,14 @@ _PUBLIC_ char *generate_random_str_list(TALLOC_CTX *mem_ctx, size_t len, const c
 _PUBLIC_ char *generate_random_str(TALLOC_CTX *mem_ctx, size_t len);
 /* The following definitions come from lib/util/dprintf.c  */
 #if _SAMBA_BUILD_ == 4
 _PUBLIC_ void d_set_iconv(smb_iconv_t);
 _PUBLIC_ int d_vfprintf(FILE *f, const char *format, va_list ap) PRINTF_ATTRIBUTE(2,0);
 _PUBLIC_ int d_fprintf(FILE *f, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
 _PUBLIC_ int d_printf(const char *format, ...) PRINTF_ATTRIBUTE(1,2);
 _PUBLIC_ void display_set_stderr(void);
 #endif
 /* The following definitions come from lib/util/util_str.c  */
@ -256,7 +274,6 @@ _PUBLIC_ void all_string_sub(char *s,const char *pattern,const char *insert, siz
 Unescape a URL encoded string, in place.
 **/
 _PUBLIC_ void rfc1738_unescape(char *buf);
 size_t valgrind_strlen(const char *s);
 /**
  format a string into length-prefixed dotted domain format, as used in NBT
@ -285,11 +302,6 @@ limited by 'n' bytes
 **/
 _PUBLIC_ size_t ascii_len_n(const char *src, size_t n);
 /**
 Return a string representing a CIFS attribute for a file.
 **/
 _PUBLIC_ char *attrib_string(TALLOC_CTX *mem_ctx, uint32_t attrib);
 /**
 Set a boolean variable from the text value stored in the passed string.
 Returns true in success, false if the passed string does not correctly 
@ -306,10 +318,12 @@ _PUBLIC_ bool set_boolean(const char *boolean_string, bool *boolean);
 */
 _PUBLIC_ bool conv_str_bool(const char * str, bool * val);
 #if _SAMBA_BUILD_ == 4
 /**
 * Convert a size specification like 16K into an integral number of bytes. 
 **/
 _PUBLIC_ bool conv_str_size(const char * str, uint64_t * val);
 #endif
 /**
 * Parse a uint64_t value from a string
@ -354,7 +368,9 @@ _PUBLIC_ bool strequal(const char *s1, const char *s2);
 /* The following definitions come from lib/util/util_strlist.c  */
 /* separators for lists */
 #ifndef LIST_SEP
 #define LIST_SEP " \t,\n\r"
 #endif
 /**
  build a null terminated list of strings from a input string and a
@ -642,6 +658,7 @@ _PUBLIC_ int sys_fsusage(const char *path, uint64_t *dfree, uint64_t *dsize);
 * @brief MS-style Filename matching
 */
 #if _SAMBA_BUILD_ == 4
 /* protocol types. It assumes that higher protocols include lower protocols
   as subsets. FIXME: Move to one of the smb-specific headers */
 enum protocol_types {
@ -658,6 +675,7 @@ int ms_fnmatch(const char *pattern, const char *string, enum protocol_types prot
 /** a generic fnmatch function - uses for non-CIFS pattern matching */
 int gen_fnmatch(const char *pattern, const char *string);
 #endif
 /* The following definitions come from lib/util/mutex.c  */
@ -707,10 +725,12 @@ _PUBLIC_ int idr_remove(struct idr_context *idp, int id);
 /* The following definitions come from lib/util/become_daemon.c  */
 #if _SAMBA_BUILD_ == 4
 /**
 Become a daemon, discarding the controlling terminal.
 **/
 _PUBLIC_ void become_daemon(bool fork);
 #endif
 /**
 * Load a ini-style file.
--- a/lib/util/util_ldb.h
+++ b/lib/util/util_ldb.h
@ -1,6 +1,8 @@
 #ifndef __LIB_UTIL_UTIL_LDB_H__
 #define __LIB_UTIL_UTIL_LDB_H__
 struct ldb_dn;
 /* The following definitions come from lib/util/util_ldb.c  */
 int gendb_search_v(struct ldb_context *ldb,
--- a/libcli/nbt/libnbt.h
+++ b/libcli/nbt/libnbt.h
@ -122,6 +122,8 @@ struct nbt_name_socket {
 				struct socket_address *);
 		void *private_data;
 	} unexpected;
 	uint32_t wack_timeout;
 };
--- a/libcli/nbt/nbtsocket.c
+++ b/libcli/nbt/nbtsocket.c
@ -247,7 +247,7 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock)
 		req->received_wack = true;
 		/* although there can be a timeout in the packet, w2k3 screws it up,
 		   so better to set it ourselves */
-		req->timeout = lp_parm_int(global_loadparm, NULL, "nbt", "wack_timeout", 30);
+		req->timeout = nbtsock->wack_timeout;
 		req->te = event_add_timed(req->nbtsock->event_ctx, req,
 					  timeval_current_ofs(req->timeout, 0),
 					  nbt_name_socket_timeout, req);
@ -334,6 +334,7 @@ _PUBLIC_ struct nbt_name_socket *nbt_name_socket_init(TALLOC_CTX *mem_ctx,
 	nbtsock->send_queue = NULL;
 	nbtsock->num_pending = 0;
 	nbtsock->wack_timeout = 30;
 	nbtsock->incoming.handler = NULL;
 	nbtsock->unexpected.handler = NULL;
 	nbtsock->iconv_convenience = iconv_convenience;
--- a/libcli/nbt/pynbt.c
+++ b/libcli/nbt/pynbt.c
@ -48,7 +48,8 @@ static PyObject *py_nbt_node_init(PyTypeObject *self, PyObject *args, PyObject *
 		return NULL;
 	ev = s4_event_context_init(ret->mem_ctx);
-	ret->socket = nbt_name_socket_init(ret->mem_ctx, ev, py_iconv_convenience(ret->mem_ctx));
+	ret->socket = nbt_name_socket_init(ret->mem_ctx, ev, 
 									   py_iconv_convenience(ret->mem_ctx));
 	return (PyObject *)ret;
 }
--- a/libcli/util/doserr.c
+++ b/libcli/util/doserr.c
@ -37,6 +37,7 @@ static const struct werror_code_struct dos_errs[] =
 	{ "WERR_BAD_NET_RESP",  WERR_BAD_NET_RESP },
 	{ "WERR_UNEXP_NET_ERR", WERR_UNEXP_NET_ERR },
 	{ "WERR_INSUFFICIENT_BUFFER", WERR_INSUFFICIENT_BUFFER },
 	{ "WERR_SEM_TIMEOUT", WERR_SEM_TIMEOUT },
 	{ "WERR_NO_SUCH_SHARE", WERR_NO_SUCH_SHARE },
 	{ "WERR_FILE_EXISTS", WERR_FILE_EXISTS },
 	{ "WERR_INVALID_PARAM", WERR_INVALID_PARAM },
@ -61,6 +62,8 @@ static const struct werror_code_struct dos_errs[] =
 	{ "WERR_BUF_TOO_SMALL", WERR_BUF_TOO_SMALL },
 	{ "WERR_JOB_NOT_FOUND", WERR_JOB_NOT_FOUND },
 	{ "WERR_DEST_NOT_FOUND", WERR_DEST_NOT_FOUND },
 	{ "WERR_GROUP_NOT_FOUND", WERR_GROUP_NOT_FOUND },
 	{ "WERR_USER_NOT_FOUND", WERR_USER_NOT_FOUND },
 	{ "WERR_NOT_LOCAL_DOMAIN", WERR_NOT_LOCAL_DOMAIN },
 	{ "WERR_DOMAIN_CONTROLLER_NOT_FOUND", WERR_DOMAIN_CONTROLLER_NOT_FOUND },
 	{ "WERR_TIME_DIFF_AT_DC", WERR_TIME_DIFF_AT_DC },
@ -68,6 +71,16 @@ static const struct werror_code_struct dos_errs[] =
 	{ "WERR_SETUP_ALREADY_JOINED", WERR_SETUP_ALREADY_JOINED },
 	{ "WERR_SETUP_DOMAIN_CONTROLLER", WERR_SETUP_DOMAIN_CONTROLLER },
 	{ "WERR_DEVICE_NOT_AVAILABLE", WERR_DEVICE_NOT_AVAILABLE },
 	{ "WERR_DEFAULT_JOIN_REQUIRED", WERR_DEFAULT_JOIN_REQUIRED },
 	{ "WERR_USER_EXISTS", WERR_USER_EXISTS },
 	{ "WERR_REVISION_MISMATCH", WERR_REVISION_MISMATCH },
 	{ "WERR_NO_LOGON_SERVERS", WERR_NO_LOGON_SERVERS },
 	{ "WERR_NO_SUCH_LOGON_SESSION", WERR_NO_SUCH_LOGON_SESSION },
 	{ "WERR_USER_ALREADY_EXISTS", WERR_USER_ALREADY_EXISTS },
 	{ "WERR_NO_SUCH_USER", WERR_NO_SUCH_USER },
 	{ "WERR_GROUP_EXISTS", WERR_GROUP_EXISTS },
 	{ "WERR_MEMBER_IN_GROUP", WERR_MEMBER_IN_GROUP },
 	{ "WERR_USER_NOT_IN_GROUP", WERR_USER_NOT_IN_GROUP },
 	{ "WERR_PRINTER_DRIVER_IN_USE", WERR_PRINTER_DRIVER_IN_USE },
 	{ "WERR_STATUS_MORE_ENTRIES", WERR_STATUS_MORE_ENTRIES },
 	{ "WERR_NET_NAME_NOT_FOUND", WERR_NET_NAME_NOT_FOUND },
@ -85,6 +98,8 @@ static const struct werror_code_struct dos_errs[] =
 	{ "WERR_INVALID_OWNER", WERR_INVALID_OWNER },
 	{ "WERR_INVALID_COMPUTERNAME", WERR_INVALID_COMPUTERNAME },
 	{ "WERR_INVALID_DOMAINNAME", WERR_INVALID_DOMAINNAME },
 	{ "WERR_MACHINE_LOCKED", WERR_MACHINE_LOCKED },
 	{ "WERR_DC_NOT_FOUND", WERR_DC_NOT_FOUND },
 	{ "WERR_NO_LOGON_SERVERS", WERR_NO_LOGON_SERVERS },
 	{ "WERR_NO_SUCH_LOGON_SESSION", WERR_NO_SUCH_LOGON_SESSION },
 	{ "WERR_NO_SUCH_PRIVILEGE", WERR_NO_SUCH_PRIVILEGE },
@ -120,6 +135,7 @@ static const struct werror_code_struct dos_errs[] =
 	{ "WERR_INVALID_FLAGS", WERR_INVALID_FLAGS },
 	{ "WERR_NOT_FOUND", WERR_NOT_FOUND },
 	{ "WERR_SERVER_UNAVAILABLE", WERR_SERVER_UNAVAILABLE },
 	{ "WERR_NO_TRUST_SAM_ACCOUNT", WERR_NO_TRUST_SAM_ACCOUNT },
 	{ "WERR_CLASS_NOT_REGISTERED", WERR_CLASS_NOT_REGISTERED },
 	{ "WERR_NO_SHUTDOWN_IN_PROGRESS", WERR_NO_SHUTDOWN_IN_PROGRESS },
 	{ "WERR_SHUTDOWN_ALREADY_IN_PROGRESS", WERR_SHUTDOWN_ALREADY_IN_PROGRESS },
@ -134,6 +150,24 @@ static const struct werror_code_struct dos_errs[] =
 	{ "WERR_RPC_E_REMOTE_DISABLED", WERR_RPC_E_REMOTE_DISABLED },
 	{ "WERR_NOT_CONNECTED", WERR_NOT_CONNECTED },
 	{ "WERR_NAME_NOT_FOUND", WERR_NAME_NOT_FOUND},
 	{ "WERR_NONE_MAPPED", WERR_NONE_MAPPED },
 	{ "WERR_INVALID_DOMAIN_STATE", WERR_INVALID_DOMAIN_STATE },
 	{ "WERR_SPECIAL_ACCOUNT", WERR_SPECIAL_ACCOUNT },
 	{ "WERR_ALIAS_EXISTS", WERR_ALIAS_EXISTS },
 	{ "WERR_NO_SUCH_ALIAS", WERR_NO_SUCH_ALIAS },
 	{ "WERR_MEMBER_IN_ALIAS", WERR_MEMBER_IN_ALIAS },
 	{ "WERR_TIME_SKEW", WERR_TIME_SKEW },
 	{ "WERR_IO_PENDING", WERR_IO_PENDING },
 	{ "WERR_INVALID_SERVICE_CONTROL", WERR_INVALID_SERVICE_CONTROL },
 	{ "WERR_SERVICE_ALREADY_RUNNING", WERR_SERVICE_ALREADY_RUNNING },
 	{ "WERR_REG_CORRUPT", WERR_REG_CORRUPT },
 	{ "WERR_REG_IO_FAILURE", WERR_REG_IO_FAILURE },
 	{ "WERR_REG_FILE_INVALID", WERR_REG_FILE_INVALID },
 	{ "WERR_NO_SUCH_SERVICE", WERR_NO_SUCH_SERVICE },
 	{ "WERR_SERVICE_DISABLED", WERR_SERVICE_DISABLED },
 	{ "WERR_SERVICE_NEVER_STARTED", WERR_SERVICE_NEVER_STARTED },
 	{ "WERR_PASSWORD_MUST_CHANGE", WERR_PASSWORD_MUST_CHANGE },
 	{ "WERR_ACCOUNT_LOCKED_OUT", WERR_ACCOUNT_LOCKED_OUT },
 	{ NULL, W_ERROR(0) }
 };
@ -161,3 +195,57 @@ const char *win_errstr(WERROR werror)
        return msg;
 }
 struct werror_str_struct {
 	WERROR werror;
 	const char *friendly_errstr;
 };
 const struct werror_str_struct dos_err_strs[] = {
 	{ WERR_OK, "Success" },
 	{ WERR_ACCESS_DENIED, "Access is denied" },
 	{ WERR_INVALID_PARAM, "Invalid parameter" },
 	{ WERR_NOT_SUPPORTED, "Not supported" },
 	{ WERR_BAD_PASSWORD, "A bad password was supplied" },
 	{ WERR_NOMEM, "Out of memory" },
 	{ WERR_NO_LOGON_SERVERS, "No logon servers found" },
 	{ WERR_NO_SUCH_LOGON_SESSION, "No such logon session" },
 	{ WERR_DOMAIN_CONTROLLER_NOT_FOUND, "A domain controller could not be found" },
 	{ WERR_DC_NOT_FOUND, "A domain controller could not be found" },
 	{ WERR_SETUP_NOT_JOINED, "Join failed" },
 	{ WERR_SETUP_ALREADY_JOINED, "Machine is already joined" },
 	{ WERR_SETUP_DOMAIN_CONTROLLER, "Machine is a Domain Controller" },
 	{ WERR_LOGON_FAILURE, "Invalid logon credentials" },
 	{ WERR_USER_EXISTS, "User account already exists" },
 	{ WERR_PASSWORD_MUST_CHANGE, "The password must be changed" },
 	{ WERR_ACCOUNT_LOCKED_OUT, "Account locked out" },
 	{ WERR_TIME_SKEW, "Time difference between client and server" },
 	{ WERR_USER_ALREADY_EXISTS, "User already exists" },
 	{ WERR_PASSWORD_RESTRICTION, "Password does not meet restrictions" },
 	{ WERR_NONE_MAPPED, "Could not map names to SIDs" },
 	{ WERR_NO_SUCH_USER, "No such User" },
 	{ WERR_GROUP_EXISTS, "Group already exists" },
 	{ WERR_DS_DRA_BAD_DN, "An invalid distinguished name was specified for this replication" },
 	{ WERR_DS_DRA_BAD_NC, "An invalid naming context was specified for this replication operation" },
 	{ WERR_WRONG_PASSWORD, "The current password is incorrect" }
 };
 /*****************************************************************************
 Get friendly error string for WERRORs
 *****************************************************************************/
 const char *get_friendly_werror_msg(WERROR werror)
 {
 	int i = 0;
 	for (i = 0; i < ARRAY_SIZE(dos_err_strs); i++) {
 		if (W_ERROR_V(dos_err_strs[i].werror) ==
                    W_ERROR_V(werror)) {
 			return dos_err_strs[i].friendly_errstr;
 		}
 	}
 	return win_errstr(werror);
 }
--- a/libcli/util/ntstatus.h
+++ b/libcli/util/ntstatus.h
@ -592,6 +592,7 @@ typedef uint32_t NTSTATUS;
 #define NT_STATUS_TOO_MANY_LINKS NT_STATUS(0xC0000000 | 0x0265)
 #define NT_STATUS_QUOTA_LIST_INCONSISTENT NT_STATUS(0xC0000000 | 0x0266)
 #define NT_STATUS_FILE_IS_OFFLINE NT_STATUS(0xC0000000 | 0x0267)
 #define NT_STATUS_DS_BUSY NT_STATUS(0xC0000000 | 0x02a5)
 #define NT_STATUS_DS_NO_MORE_RIDS NT_STATUS(0xC0000000 | 0x02a8)
 #define NT_STATUS_NOT_A_REPARSE_POINT NT_STATUS(0xC0000000 | 0x0275)
 #define NT_STATUS_CURRENT_DOMAIN_NOT_ALLOWED NT_STATUS(0xC0000000 | 0x02E9)
@ -628,6 +629,9 @@ const char *get_nt_error_c_code(NTSTATUS nt_code);
 *****************************************************************************/
 NTSTATUS nt_status_string_to_code(const char *nt_status_str);
 /** Used by ntstatus_dos_equal: */
 extern bool ntstatus_check_dos_mapping;
 #define NT_STATUS_IS_OK(x) (NT_STATUS_V(x) == 0)
 #define NT_STATUS_IS_ERR(x) ((NT_STATUS_V(x) & 0xc0000000) == 0xc0000000)
 /* checking for DOS error mapping here is ugly, but unfortunately the
--- a/libcli/util/werror.h
+++ b/libcli/util/werror.h
@ -136,6 +136,7 @@ typedef uint32_t WERROR;
 #define WERR_TIME_SKEW W_ERROR(1398)
 #define WERR_EVENTLOG_FILE_CORRUPT W_ERROR(1500)
 #define WERR_SERVER_UNAVAILABLE W_ERROR(1722)
 #define WERR_NO_TRUST_SAM_ACCOUNT W_ERROR(1787)
 #define WERR_INVALID_FORM_NAME W_ERROR(1902)
 #define WERR_INVALID_FORM_SIZE W_ERROR(1903)
 #define WERR_PASSWORD_MUST_CHANGE W_ERROR(1907)
@ -258,6 +259,7 @@ typedef uint32_t WERROR;
 *****************************************************************************/
 const char *win_errstr(WERROR werror);
 const char *get_friendly_werror_msg(WERROR werror);
 #endif
--- a/librpc/idl/misc.idl
+++ b/librpc/idl/misc.idl
@ -2,12 +2,15 @@
  miscellaneous IDL structures
 */
 cpp_quote("#define netr_SamDatabaseID8Bit netr_SamDatabaseID")
 [
 	pointer_default(unique)
 ]
 interface misc
 {
 	typedef enum netr_SamDatabaseID8Bit netr_SamDatabaseID8Bit;
 	typedef [public,noprint,gensize,noejs] struct {
 		uint32 time_low;
 		uint16 time_mid;
--- a/librpc/idl/named_pipe_auth.idl
+++ b/librpc/idl/named_pipe_auth.idl
@ -0,0 +1,44 @@
 #include "idl_types.h"
 /*
  miscellaneous IDL structures
 */
 import "netlogon.idl";
 [
 	pointer_default(unique)
 ]
 interface named_pipe_auth
 {
 	const char *NAMED_PIPE_AUTH_MAGIC = "NPAM";
 	typedef [switch_type(uint32)] union {
 		[case(0)] ;/* anonymous */
 		[case(1)] netr_SamInfo3 info1;
 	} named_pipe_auth_req_info;
 	typedef [public,gensize] struct {
 		[flag(NDR_BIG_ENDIAN),
 		 value(ndr_size_named_pipe_auth_req(r,ndr->flags)-4)]
 			uint32 length;
 		[charset(DOS),value(NAMED_PIPE_AUTH_MAGIC)] uint8 magic[4];
 		uint32 level;
 		[switch_is(level)] named_pipe_auth_req_info info;
 	} named_pipe_auth_req;
 	typedef [switch_type(uint32)] union {
 		[case(0)] ;
 		[case(1)] ;
 	} named_pipe_auth_rep_info;
 	typedef [public,gensize] struct {
 		[flag(NDR_BIG_ENDIAN),
 		 value(ndr_size_named_pipe_auth_rep(r,ndr->flags)-4)]
 			uint32 length;
 		[charset(DOS),value(NAMED_PIPE_AUTH_MAGIC)] uint8 magic[4];
 		uint32 level;
 		[switch_is(level)] named_pipe_auth_rep_info info;
 		NTSTATUS status;
 	} named_pipe_auth_rep;
 }
--- a/librpc/idl/netlogon.idl
+++ b/librpc/idl/netlogon.idl
@ -8,10 +8,13 @@ import "misc.idl", "lsa.idl", "samr.idl", "security.idl", "nbt.idl";
 #include "idl_types.h"
 cpp_quote("#define netr_DeltaEnum8Bit netr_DeltaEnum")
 [
  uuid("12345678-1234-abcd-ef00-01234567cffb"),
  version(1.0),
  endpoint("ncacn_np:[\\pipe\\netlogon]","ncacn_ip_tcp:","ncalrpc:"),
  helper("../librpc/ndr/ndr_netlogon.h"),
  pointer_default(unique)
 ]
@ -19,6 +22,7 @@ interface netlogon
 {
 	typedef bitmap samr_AcctFlags samr_AcctFlags;
 	typedef bitmap samr_GroupAttrs samr_GroupAttrs;
 	typedef enum netr_DeltaEnum8Bit netr_DeltaEnum8Bit;
 	/*****************/
 	/* Function 0x00 */
@ -432,7 +436,7 @@ interface netlogon
 		boolean8 lm_password_present;
 		boolean8 password_expired;
 		lsa_String comment;
-		lsa_String parameters;
+		lsa_BinaryString parameters;
 		uint16 country_code;
 		uint16 code_page;
 		netr_USER_PRIVATE_INFO user_private_info;
@ -958,14 +962,38 @@ interface netlogon
 	/* i'm not at all sure how this call works */
 	typedef [bitmap16bit] bitmap {
 		NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED	= 0x0001,
 		NETR_CHANGELOG_CHANGED_PASSWORD		= 0x0002,
 		NETR_CHANGELOG_SID_INCLUDED		= 0x0004,
 		NETR_CHANGELOG_NAME_INCLUDED		= 0x0008,
 		NETR_CHANGELOG_FIRST_PROMOTION_OBJ	= 0x0010
 	} netr_ChangeLogFlags;
 	typedef [nodiscriminant] union {
 		[case(NETR_CHANGELOG_SID_INCLUDED)] dom_sid object_sid;
 		[case(NETR_CHANGELOG_NAME_INCLUDED)] nstring object_name;
 		[default];
 	} netr_ChangeLogObject;
 	typedef [public,gensize] struct {
 		uint32 serial_number1;
 		uint32 serial_number2;
 		uint32 object_rid;
 		netr_ChangeLogFlags flags;
 		netr_SamDatabaseID8Bit db_index;
 		netr_DeltaEnum8Bit delta_type;
 		[switch_is(flags & (NETR_CHANGELOG_SID_INCLUDED|NETR_CHANGELOG_NAME_INCLUDED))] netr_ChangeLogObject object;
 	} netr_ChangeLogEntry;
 	NTSTATUS netr_DatabaseRedo(
 		[in]     [string,charset(UTF16)] uint16 logon_server[],
 		[in]     [string,charset(UTF16)] uint16 computername[],
-		[in]     netr_Authenticator credential,
+		[in]     netr_Authenticator *credential,
 		[in,out,ref] netr_Authenticator *return_authenticator,
-		[in,unique][size_is(change_log_entry_size)] uint8 *change_log_entry,
+		[in]     [subcontext(4),subcontext_size(change_log_entry_size)] netr_ChangeLogEntry change_log_entry,
-		[in]     uint32 change_log_entry_size,
+		[in]     [value(ndr_size_netr_ChangeLogEntry(&change_log_entry, ndr->flags))] uint32 change_log_entry_size,
-		[out,ref]    netr_DELTA_ENUM_ARRAY *delta_enum_array
+		[out,ref]    netr_DELTA_ENUM_ARRAY **delta_enum_array
 		);
--- a/source3/librpc/idl/samr.idl
+++ b/source3/librpc/idl/samr.idl
@ -40,6 +40,8 @@ import "misc.idl", "lsa.idl", "security.idl";
 		ACB_NO_AUTH_DATA_REQD		= 0x00080000   /* 1 = No authorization data required */
 	} samr_AcctFlags;
 	/* SAM server specific access rights */
 	typedef [bitmap32bit] bitmap {
 		SAMR_ACCESS_CONNECT_TO_SERVER   = 0x00000001,
 		SAMR_ACCESS_SHUTDOWN_SERVER     = 0x00000002,
@ -49,6 +51,29 @@ import "misc.idl", "lsa.idl", "security.idl";
 		SAMR_ACCESS_OPEN_DOMAIN         = 0x00000020
 	} samr_ConnectAccessMask;
 	const int SAMR_ACCESS_ALL_ACCESS = 0x0000003F;
 	const int GENERIC_RIGHTS_SAM_ALL_ACCESS =
 		(STANDARD_RIGHTS_REQUIRED_ACCESS	|
 		 SAMR_ACCESS_ALL_ACCESS);
 	const int GENERIC_RIGHTS_SAM_READ =
 		(STANDARD_RIGHTS_READ_ACCESS		|
 		 SAMR_ACCESS_ENUM_DOMAINS);
 	const int GENERIC_RIGHTS_SAM_WRITE =
 		(STANDARD_RIGHTS_WRITE_ACCESS		|
 		 SAMR_ACCESS_CREATE_DOMAIN		|
 		 SAMR_ACCESS_INITIALIZE_SERVER		|
 		 SAMR_ACCESS_SHUTDOWN_SERVER);
 	const int GENERIC_RIGHTS_SAM_EXECUTE =
 		(STANDARD_RIGHTS_EXECUTE_ACCESS		|
 		 SAMR_ACCESS_OPEN_DOMAIN		|
 		 SAMR_ACCESS_CONNECT_TO_SERVER);
 	/* User Object specific access rights */
 	typedef [bitmap32bit] bitmap {
 		SAMR_USER_ACCESS_GET_NAME_ETC             = 0x00000001,
 		SAMR_USER_ACCESS_GET_LOCALE               = 0x00000002,
@ -63,6 +88,35 @@ import "misc.idl", "lsa.idl", "security.idl";
 		SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP  = 0x00000400
 	} samr_UserAccessMask;
 	const int SAMR_USER_ACCESS_ALL_ACCESS = 0x000007FF;
 	const int GENERIC_RIGHTS_USER_ALL_ACCESS =
 		(STANDARD_RIGHTS_REQUIRED_ACCESS	|
 		 SAMR_USER_ACCESS_ALL_ACCESS);	/* 0x000f07ff */
 	const int GENERIC_RIGHTS_USER_READ =
 		(STANDARD_RIGHTS_READ_ACCESS		|
 		 SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP	|
 		 SAMR_USER_ACCESS_GET_GROUPS		|
 		 SAMR_USER_ACCESS_GET_ATTRIBUTES	|
 		 SAMR_USER_ACCESS_GET_LOGONINFO		|
 		 SAMR_USER_ACCESS_GET_LOCALE);	/* 0x0002031a */
 	const int GENERIC_RIGHTS_USER_WRITE =
 		(STANDARD_RIGHTS_WRITE_ACCESS		|
 		 SAMR_USER_ACCESS_CHANGE_PASSWORD	|
 		 SAMR_USER_ACCESS_SET_LOC_COM		|
 		 SAMR_USER_ACCESS_SET_ATTRIBUTES	|
 		 SAMR_USER_ACCESS_SET_PASSWORD		|
 		 SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP);	/* 0x000204e4 */
 	const int GENERIC_RIGHTS_USER_EXECUTE =
 		(STANDARD_RIGHTS_EXECUTE_ACCESS		|
 		 SAMR_USER_ACCESS_CHANGE_PASSWORD	|
 		 SAMR_USER_ACCESS_GET_NAME_ETC);	/* 0x00020041 */
 	/* Domain Object specific access rights */
 	typedef [bitmap32bit] bitmap {
 		SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1  = 0x00000001,
 		SAMR_DOMAIN_ACCESS_SET_INFO_1     = 0x00000002,
@ -77,6 +131,34 @@ import "misc.idl", "lsa.idl", "security.idl";
 		SAMR_DOMAIN_ACCESS_SET_INFO_3     = 0x00000400
 	} samr_DomainAccessMask;
 	const int SAMR_DOMAIN_ACCESS_ALL_ACCESS	= 0x000007FF;
 	const int GENERIC_RIGHTS_DOMAIN_ALL_ACCESS =
 		(STANDARD_RIGHTS_REQUIRED_ACCESS	|
 		 SAMR_DOMAIN_ACCESS_ALL_ACCESS);
 	const int GENERIC_RIGHTS_DOMAIN_READ =
 		(STANDARD_RIGHTS_READ_ACCESS		|
 		 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS	|
 		 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2);
 	const int GENERIC_RIGHTS_DOMAIN_WRITE =
 		(STANDARD_RIGHTS_WRITE_ACCESS		|
 		 SAMR_DOMAIN_ACCESS_SET_INFO_3		|
 		 SAMR_DOMAIN_ACCESS_CREATE_ALIAS	|
 		 SAMR_DOMAIN_ACCESS_CREATE_GROUP	|
 		 SAMR_DOMAIN_ACCESS_CREATE_USER		|
 		 SAMR_DOMAIN_ACCESS_SET_INFO_2		|
 		 SAMR_DOMAIN_ACCESS_SET_INFO_1);
 	const int GENERIC_RIGHTS_DOMAIN_EXECUTE =
 		(STANDARD_RIGHTS_EXECUTE_ACCESS		|
 		 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT	|
 		 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS	|
 		 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1);
 	/* Group Object specific access rights */
 	typedef [bitmap32bit] bitmap {
 		SAMR_GROUP_ACCESS_LOOKUP_INFO     = 0x00000001,
 		SAMR_GROUP_ACCESS_SET_INFO        = 0x00000002,
@ -85,6 +167,28 @@ import "misc.idl", "lsa.idl", "security.idl";
 		SAMR_GROUP_ACCESS_GET_MEMBERS     = 0x00000010
 	} samr_GroupAccessMask;
 	const int SAMR_GROUP_ACCESS_ALL_ACCESS = 0x0000001F;
 	const int GENERIC_RIGHTS_GROUP_ALL_ACCESS =
 		(STANDARD_RIGHTS_REQUIRED_ACCESS	|
 		 SAMR_GROUP_ACCESS_ALL_ACCESS);	/* 0x000f001f */
 	const int GENERIC_RIGHTS_GROUP_READ =
 		(STANDARD_RIGHTS_READ_ACCESS		|
 		 SAMR_GROUP_ACCESS_GET_MEMBERS);	/* 0x00020010 */
 	const int GENERIC_RIGHTS_GROUP_WRITE =
 		(STANDARD_RIGHTS_WRITE_ACCESS		|
 		 SAMR_GROUP_ACCESS_REMOVE_MEMBER	|
 		 SAMR_GROUP_ACCESS_ADD_MEMBER		|
 		 SAMR_GROUP_ACCESS_SET_INFO);	/* 0x0002000e */
 	const int GENERIC_RIGHTS_GROUP_EXECUTE =
 		(STANDARD_RIGHTS_EXECUTE_ACCESS		|
 		 SAMR_GROUP_ACCESS_LOOKUP_INFO);	/* 0x00020001 */
 	/* Alias Object specific access rights */
 	typedef [bitmap32bit] bitmap {
 		SAMR_ALIAS_ACCESS_ADD_MEMBER      = 0x00000001,
 		SAMR_ALIAS_ACCESS_REMOVE_MEMBER   = 0x00000002,
@ -93,6 +197,26 @@ import "misc.idl", "lsa.idl", "security.idl";
 		SAMR_ALIAS_ACCESS_SET_INFO        = 0x00000010
 	} samr_AliasAccessMask;
 	const int SAMR_ALIAS_ACCESS_ALL_ACCESS = 0x0000001F;
 	const int GENERIC_RIGHTS_ALIAS_ALL_ACCESS =
 		(STANDARD_RIGHTS_REQUIRED_ACCESS	|
 		 SAMR_ALIAS_ACCESS_ALL_ACCESS);	/* 0x000f001f */
 	const int GENERIC_RIGHTS_ALIAS_READ =
 		(STANDARD_RIGHTS_READ_ACCESS		|
 		 SAMR_ALIAS_ACCESS_GET_MEMBERS);	/* 0x00020004 */
 	const int GENERIC_RIGHTS_ALIAS_WRITE =
 		(STANDARD_RIGHTS_WRITE_ACCESS		|
 		 SAMR_ALIAS_ACCESS_REMOVE_MEMBER	|
 		 SAMR_ALIAS_ACCESS_ADD_MEMBER		|
 		 SAMR_ALIAS_ACCESS_SET_INFO);	/* 0x00020013 */
 	const int GENERIC_RIGHTS_ALIAS_EXECUTE =
 		(STANDARD_RIGHTS_EXECUTE_ACCESS		|
 		 SAMR_ALIAS_ACCESS_LOOKUP_INFO);	/* 0x00020008 */
 	/******************/
 	/* Function: 0x00 */
 	NTSTATUS samr_Connect (
@ -316,10 +440,6 @@ import "misc.idl", "lsa.idl", "security.idl";
 	/************************/
 	/* Function    0x0b     */
 	const int MAX_SAM_ENTRIES_W2K = 0x400; /* 1024 */
 	const int MAX_SAM_ENTRIES_W95 = 50;
 	NTSTATUS samr_EnumDomainGroups(
 		[in]          policy_handle *domain_handle,
 		[in,out,ref]  uint32 *resume_handle,
@ -1088,7 +1208,7 @@ import "misc.idl", "lsa.idl", "security.idl";
 	NTSTATUS samr_QueryUserInfo2(
 		[in,ref]                  policy_handle *user_handle,
 		[in]                      uint16 level,
-		[out,ref,switch_is(level)]    samr_UserInfo *info
+		[out,ref,switch_is(level)]    samr_UserInfo **info
 		);
 	/************************/
@ -1310,10 +1430,9 @@ import "misc.idl", "lsa.idl", "security.idl";
 	NTSTATUS samr_RidToSid(
 		[in,ref]    policy_handle *domain_handle,
 		[in]        uint32        rid,
-		[out,ref]   dom_sid2      *sid
+		[out,ref]   dom_sid2      **sid
 		);
 	/************************/
 	/* Function    0x42     */
@ -1424,7 +1543,7 @@ import "misc.idl", "lsa.idl", "security.idl";
 	NTSTATUS samr_ValidatePassword(
 		[in] samr_ValidatePasswordLevel level,
-		[in,switch_is(level)] samr_ValidatePasswordReq req,
+		[in,switch_is(level)] samr_ValidatePasswordReq *req,
-		[out,ref,switch_is(level)] samr_ValidatePasswordRep *rep
+		[out,ref,switch_is(level)] samr_ValidatePasswordRep **rep
 		);
 }
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@ -5,27 +5,10 @@
 */
 import "misc.idl";
-
+import "dom_sid.idl";
 /* 
   use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
   just a dom sid, but with the sub_auths represented as a conformant
   array. As with all in-structure conformant arrays, the array length
   is placed before the start of the structure. That's what gives rise
   to the extra num_auths elemenent. We don't want the Samba code to
   have to bother with such esoteric NDR details, so its easier to just
   define it as a dom_sid and use pidl magic to make it all work. It
   just means you need to mark a sid as a "dom_sid2" in the IDL when you
   know it is of the conformant array variety
 */
 cpp_quote("#define dom_sid2 dom_sid")
 /* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
 cpp_quote("#define dom_sid28 dom_sid")
 /* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
 cpp_quote("#define dom_sid0 dom_sid")
 [
 	helper("librpc/gen_ndr/ndr_dom_sid.h"),
 	pointer_default(unique)
 ]
 interface security
@ -136,6 +119,20 @@ interface security
 	const int SEC_RIGHTS_DIR_EXECUTE  = SEC_RIGHTS_FILE_EXECUTE;
 	const int SEC_RIGHTS_DIR_ALL      = SEC_RIGHTS_FILE_ALL;
 	/* combinations of standard masks. */
 	const int STANDARD_RIGHTS_ALL_ACCESS		= SEC_STD_ALL; /* 0x001f0000 */
 	const int STANDARD_RIGHTS_MODIFY_ACCESS		= SEC_STD_READ_CONTROL; /* 0x00020000 */
 	const int STANDARD_RIGHTS_EXECUTE_ACCESS	= SEC_STD_READ_CONTROL; /* 0x00020000 */
 	const int STANDARD_RIGHTS_READ_ACCESS		= SEC_STD_READ_CONTROL; /* 0x00020000 */
 	const int STANDARD_RIGHTS_WRITE_ACCESS =
 		(SEC_STD_WRITE_OWNER		|
 		 SEC_STD_WRITE_DAC		|
 		 SEC_STD_DELETE);	/* 0x000d0000 */
 	const int STANDARD_RIGHTS_REQUIRED_ACCESS =
 		(SEC_STD_DELETE			|
 		 SEC_STD_READ_CONTROL		|
 		 SEC_STD_WRITE_DAC		|
 		 SEC_STD_WRITE_OWNER);	/* 0x000f0000 */
 	/***************************************************************/
 	/* WELL KNOWN SIDS */
@ -243,7 +240,7 @@ interface security
 	} sec_privilege;
-	typedef [bitmap8bit] bitmap {
+	typedef [public,bitmap8bit] bitmap {
 		SEC_ACE_FLAG_OBJECT_INHERIT		= 0x01,
 		SEC_ACE_FLAG_CONTAINER_INHERIT		= 0x02,
 		SEC_ACE_FLAG_NO_PROPAGATE_INHERIT	= 0x04,
@ -254,7 +251,7 @@ interface security
 		SEC_ACE_FLAG_FAILED_ACCESS		= 0x80
 	} security_ace_flags;
-	typedef [enum8bit] enum {
+	typedef [public,enum8bit] enum {
 		SEC_ACE_TYPE_ACCESS_ALLOWED		= 0,
 		SEC_ACE_TYPE_ACCESS_DENIED		= 1,
 		SEC_ACE_TYPE_SYSTEM_AUDIT		= 2,
@ -291,7 +288,7 @@ interface security
 		[switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
 	} security_ace_object;
-	typedef [nodiscriminant] union {
+	typedef [public,nodiscriminant] union {
 		[case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
 		[case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
 		[case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
@ -299,7 +296,7 @@ interface security
 		[default];
 	} security_ace_object_ctr;
-	typedef [public,gensize,nosize] struct {
+	typedef [public,nopull,gensize,nosize] struct {
 		security_ace_type type;  /* SEC_ACE_TYPE_* */
 		security_ace_flags flags; /* SEC_ACE_FLAG_* */
 		[value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
--- a/librpc/ndr/ndr.c
+++ b/librpc/ndr/ndr.c
@ -933,7 +933,7 @@ _PUBLIC_ size_t ndr_size_struct(const void *p, int flags, ndr_push_flags_fn_t pu
 	/* avoid recursion */
 	if (flags & LIBNDR_FLAG_NO_NDR_SIZE) return 0;
-	ndr = ndr_push_init_ctx(NULL, lp_iconv_convenience(global_loadparm));
+	ndr = ndr_push_init_ctx(NULL, global_iconv_convenience);
 	if (!ndr) return 0;
 	ndr->flags |= flags | LIBNDR_FLAG_NO_NDR_SIZE;
 	status = push(ndr, NDR_SCALARS|NDR_BUFFERS, discard_const(p));
@ -958,7 +958,7 @@ _PUBLIC_ size_t ndr_size_union(const void *p, int flags, uint32_t level, ndr_pus
 	/* avoid recursion */
 	if (flags & LIBNDR_FLAG_NO_NDR_SIZE) return 0;
-	ndr = ndr_push_init_ctx(NULL, lp_iconv_convenience(global_loadparm));
+	ndr = ndr_push_init_ctx(NULL, global_iconv_convenience);
 	if (!ndr) return 0;
 	ndr->flags |= flags | LIBNDR_FLAG_NO_NDR_SIZE;
--- a/librpc/ndr/ndr_netlogon.c
+++ b/librpc/ndr/ndr_netlogon.c
@ -0,0 +1,64 @@
 /*
   Unix SMB/CIFS implementation.
   routines for marshalling/unmarshalling special netlogon types
   Copyright (C) Guenther Deschner 2008
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 #include "includes.h"
 #include "librpc/gen_ndr/ndr_netlogon.h"
 #include "librpc/gen_ndr/ndr_misc.h"
 _PUBLIC_ enum ndr_err_code ndr_push_netr_SamDatabaseID8Bit(struct ndr_push *ndr, int ndr_flags, enum netr_SamDatabaseID8Bit r)
 {
 	if (r > 0xff) return NDR_ERR_BUFSIZE;
 	NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r));
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ enum ndr_err_code ndr_pull_netr_SamDatabaseID8Bit(struct ndr_pull *ndr, int ndr_flags, enum netr_SamDatabaseID8Bit *r)
 {
 	uint8_t v;
 	NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &v));
 	*r = v;
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ void ndr_print_netr_SamDatabaseID8Bit(struct ndr_print *ndr, const char *name, enum netr_SamDatabaseID8Bit r)
 {
 	ndr_print_netr_SamDatabaseID(ndr, name, r);
 }
 _PUBLIC_ enum ndr_err_code ndr_push_netr_DeltaEnum8Bit(struct ndr_push *ndr, int ndr_flags, enum netr_DeltaEnum8Bit r)
 {
 	if (r > 0xff) return NDR_ERR_BUFSIZE;
 	NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r));
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ enum ndr_err_code ndr_pull_netr_DeltaEnum8Bit(struct ndr_pull *ndr, int ndr_flags, enum netr_DeltaEnum8Bit *r)
 {
 	uint8_t v;
 	NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &v));
 	*r = v;
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ void ndr_print_netr_DeltaEnum8Bit(struct ndr_print *ndr, const char *name, enum netr_DeltaEnum8Bit r)
 {
 	ndr_print_netr_DeltaEnum(ndr, name, r);
 }
--- a/librpc/ndr/ndr_netlogon.h
+++ b/librpc/ndr/ndr_netlogon.h
@ -0,0 +1,28 @@
 /*
   Unix SMB/CIFS implementation.
   routines for marshalling/unmarshalling special netlogon types
   Copyright (C) Guenther Deschner 2008
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 _PUBLIC_ enum ndr_err_code ndr_push_netr_SamDatabaseID8Bit(struct ndr_push *ndr, int ndr_flags, enum netr_SamDatabaseID8Bit r);
 _PUBLIC_ enum ndr_err_code ndr_pull_netr_SamDatabaseID8Bit(struct ndr_pull *ndr, int ndr_flags, enum netr_SamDatabaseID8Bit *r);
 _PUBLIC_ void ndr_print_netr_SamDatabaseID8Bit(struct ndr_print *ndr, const char *name, enum netr_SamDatabaseID8Bit r);
 _PUBLIC_ enum ndr_err_code ndr_push_netr_DeltaEnum8Bit(struct ndr_push *ndr, int ndr_flags, enum netr_DeltaEnum8Bit r);
 _PUBLIC_ enum ndr_err_code ndr_pull_netr_DeltaEnum8Bit(struct ndr_pull *ndr, int ndr_flags, enum netr_DeltaEnum8Bit *r);
 _PUBLIC_ void ndr_print_netr_DeltaEnum8Bit(struct ndr_print *ndr, const char *name, enum netr_DeltaEnum8Bit r);
--- a/librpc/ndr/ndr_sec_helper.c
+++ b/librpc/ndr/ndr_sec_helper.c
@ -0,0 +1,118 @@
 /* 
   Unix SMB/CIFS implementation.
   fast routines for getting the wire size of security objects
   Copyright (C) Andrew Tridgell 2003
   Copyright (C) Stefan Metzmacher 2006-2008
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 #include "includes.h"
 #include "librpc/gen_ndr/ndr_security.h"
 /*
  return the wire size of a security_ace
 */
 size_t ndr_size_security_ace(const struct security_ace *ace, int flags)
 {
 	size_t ret;
 	if (!ace) return 0;
 	ret = 8 + ndr_size_dom_sid(&ace->trustee, flags);
 	switch (ace->type) {
 	case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
 	case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 	case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
 	case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
 		ret += 4; /* uint32 bitmap ace->object.object.flags */
 		if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
 			ret += 16; /* GUID ace->object.object.type.type */
 		}
 		if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
 			ret += 16; /* GUID ace->object.object.inherited_typeinherited_type */
 		}
 		break;
 	default:
 		break;
 	}
 	return ret;
 }
 enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, int ndr_flags, struct security_ace *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
 		uint32_t start_ofs = ndr->offset;
 		uint32_t size = 0;
 		uint32_t pad = 0;
 		NDR_CHECK(ndr_pull_align(ndr, 4));
 		NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, &r->type));
 		NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, &r->flags));
 		NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size));
 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask));
 		NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type));
 		NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, NDR_SCALARS, &r->object));
 		NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee));
 		size = ndr->offset - start_ofs;
 		if (r->size < size) {
 			return ndr_pull_error(ndr, NDR_ERR_BUFSIZE,
 					      "ndr_pull_security_ace: r->size %u < size %u",
 					      (unsigned)r->size, size);
 		}
 		pad = r->size - size;
 		NDR_PULL_NEED_BYTES(ndr, pad);
 		ndr->offset += pad;
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, NDR_BUFFERS, &r->object));
 	}
 	return NDR_ERR_SUCCESS;
 }
 /*
  return the wire size of a security_acl
 */
 size_t ndr_size_security_acl(const struct security_acl *acl, int flags)
 {
 	size_t ret;
 	int i;
 	if (!acl) return 0;
 	ret = 8;
 	for (i=0;i<acl->num_aces;i++) {
 		ret += ndr_size_security_ace(&acl->aces[i], flags);
 	}
 	return ret;
 }
 /*
  return the wire size of a security descriptor
 */
 size_t ndr_size_security_descriptor(const struct security_descriptor *sd, int flags)
 {
 	size_t ret;
 	if (!sd) return 0;
 	ret = 20;
 	ret += ndr_size_dom_sid(sd->owner_sid, flags);
 	ret += ndr_size_dom_sid(sd->group_sid, flags);
 	ret += ndr_size_security_acl(sd->dacl, flags);
 	ret += ndr_size_security_acl(sd->sacl, flags);
 	return ret;
 }
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm
@ -120,7 +120,8 @@ static NTSTATUS $name\__op_ndr_pull(struct dcesrv_call_state *dce_call, TALLOC_C
        /* unravel the NDR for the packet */
 	ndr_err = ndr_table_$name.calls[opnum].ndr_pull(pull, NDR_IN, *r);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		dcerpc_log_packet(&ndr_table_$name, opnum, NDR_IN,
+		dcerpc_log_packet(dce_call->conn->packet_log_dir, 
 				  &ndr_table_$name, opnum, NDR_IN,
 				  &dce_call->pkt.u.request.stub_and_verifier);
 		dce_call->fault_code = DCERPC_FAULT_NDR;
 		return NT_STATUS_NET_WRITE_FAULT;
@ -144,7 +145,8 @@ pidl "
 	}
 	if (dce_call->fault_code != 0) {
-		dcerpc_log_packet(&ndr_table_$name, opnum, NDR_IN,
+		dcerpc_log_packet(dce_call->conn->packet_log_dir, 
 		          &ndr_table_$name, opnum, NDR_IN,
 				  &dce_call->pkt.u.request.stub_and_verifier);
 		return NT_STATUS_NET_WRITE_FAULT;
 	}
@ -167,7 +169,8 @@ pidl "
 	}
 	if (dce_call->fault_code != 0) {
-		dcerpc_log_packet(&ndr_table_$name, opnum, NDR_IN,
+		dcerpc_log_packet(dce_call->conn->packet_log_dir,
 		          &ndr_table_$name, opnum, NDR_IN,
 				  &dce_call->pkt.u.request.stub_and_verifier);
 		return NT_STATUS_NET_WRITE_FAULT;
 	}
--- a/pidl/lib/Parse/Pidl/Samba4/Python.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm
@ -698,6 +698,14 @@ sub Interface($$$)
 		$self->pidl("}");
 		$self->pidl("");
 		$self->pidl("status = dcerpc_init(lp_ctx);");
 		$self->pidl("if (!NT_STATUS_IS_OK(status)) {");
 		$self->indent;
 		$self->pidl("PyErr_SetNTSTATUS(status);");
 		$self->pidl("return NULL;");
 		$self->deindent;
 		$self->pidl("}");
 		$self->pidl("credentials = cli_credentials_from_py_object(py_credentials);");
 		$self->pidl("if (credentials == NULL) {");
 		$self->indent;
@ -1173,7 +1181,6 @@ sub Parse($$$$$)
 	$self->pidl("{");
 	$self->indent;
 	$self->pidl("PyObject *m;");
 	$self->pidl("NTSTATUS status;");
 	$self->pidl("");
 	foreach (@{$self->{ready_types}}) {
@ -1210,14 +1217,6 @@ sub Parse($$$$$)
 	}
 	$self->pidl("");
 	$self->pidl("status = dcerpc_init();");
 	$self->pidl("if (!NT_STATUS_IS_OK(status)) {");
 	$self->indent;
 	$self->pidl("PyErr_SetNTSTATUS(status);");
 	$self->pidl("return;");
 	$self->deindent;
 	$self->pidl("}");
 	$self->deindent;
 	$self->pidl("}");
    return ($self->{res_hdr}, $self->{res});
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@ -224,6 +224,8 @@ MODULES = $(VFS_MODULES) $(PDB_MODULES) $(RPC_MODULES) $(IDMAP_MODULES) \
          $(CHARSET_MODULES) $(AUTH_MODULES) $(NSS_INFO_MODULES) \
 	  $(GPEXT_MODULES)
 EXTRA_ALL_TARGETS = @EXTRA_ALL_TARGETS@
 ######################################################################
 # object file lists
 ######################################################################
@ -267,7 +269,7 @@ LIBNDR_OBJ = ../librpc/ndr/ndr_basic.o \
 	     ../librpc/ndr/ndr_misc.o \
 	     librpc/gen_ndr/ndr_misc.o \
 	     librpc/gen_ndr/ndr_security.o \
-	     librpc/ndr/ndr_sec_helper.o \
+	     ../librpc/ndr/ndr_sec_helper.o \
 	     librpc/ndr/ndr_string.o \
 	     librpc/ndr/sid.o \
 	     ../librpc/ndr/uuid.o \
@ -278,7 +280,8 @@ RPCCLIENT_NDR_OBJ = rpc_client/ndr.o
 LIBNDR_GEN_OBJ0 = librpc/gen_ndr/ndr_samr.o \
 		  librpc/gen_ndr/ndr_lsa.o
-LIBNDR_GEN_OBJ1 = librpc/gen_ndr/ndr_netlogon.o
+LIBNDR_GEN_OBJ1 = librpc/gen_ndr/ndr_netlogon.o \
 		  ../librpc/ndr/ndr_netlogon.o
 LIBNDR_GEN_OBJ = librpc/gen_ndr/ndr_wkssvc.o \
 		 $(LIBNDR_GEN_OBJ0) \
@ -293,6 +296,7 @@ LIBNDR_GEN_OBJ = librpc/gen_ndr/ndr_wkssvc.o \
 		 librpc/gen_ndr/ndr_notify.o \
 		 librpc/gen_ndr/ndr_xattr.o \
 		 librpc/gen_ndr/ndr_epmapper.o \
 		 librpc/gen_ndr/ndr_named_pipe_auth.o \
 		 librpc/gen_ndr/ndr_ntsvcs.o
 RPC_PARSE_OBJ0 = rpc_parse/parse_prs.o rpc_parse/parse_misc.o
@ -404,7 +408,7 @@ LIBNMB_OBJ = libsmb/unexpected.o libsmb/namecache.o libsmb/nmblib.o \
 	     libsmb/namequery.o libsmb/conncache.o libads/dns.o
 NTERR_OBJ = libsmb/nterr.o
-DOSERR_OBJ = libsmb/doserr.o
+DOSERR_OBJ = ../libcli/util/doserr.o
 ERRORMAP_OBJ = libsmb/errormap.o
 DCE_RPC_ERR_OBJ = ../librpc/rpc/dcerpc_error.o
@ -639,6 +643,7 @@ VFS_FILEID_OBJ = modules/vfs_fileid.o
 VFS_AIO_FORK_OBJ = modules/vfs_aio_fork.o
 VFS_SYNCOPS_OBJ = modules/vfs_syncops.o
 VFS_ACL_XATTR_OBJ = modules/vfs_acl_xattr.o
 VFS_ACL_TDB_OBJ = modules/vfs_acl_tdb.o
 VFS_SMB_TRAFFIC_ANALYZER_OBJ = modules/vfs_smb_traffic_analyzer.o
 PLAINTEXT_AUTH_OBJ = auth/pampass.o auth/pass_check.o
@ -903,9 +908,9 @@ CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
 	  $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) \
 	  $(LIBNDR_GEN_OBJ0)
-CIFS_MOUNT_OBJ = client/mount.cifs.o
+CIFS_MOUNT_OBJ = client/mount.cifs.o client/mtab.o
-CIFS_UMOUNT_OBJ = client/umount.cifs.o
+CIFS_UMOUNT_OBJ = client/umount.cifs.o client/mtab.o
 CIFS_UPCALL_OBJ = client/cifs.upcall.o
@ -1156,7 +1161,8 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.o \
 # now the rules...
 ######################################################################
 all:: SHOWFLAGS basics libs $(SBIN_PROGS) $(BIN_PROGS) $(ROOT_SBIN_PROGS) \
-	$(MODULES) $(NSS_MODULES) $(PAM_MODULES) @EXTRA_ALL_TARGETS@
+	$(MODULES) $(NSS_MODULES) $(PAM_MODULES) @CIFSUPCALL_PROGS@ \
 	$(EXTRA_ALL_TARGETS)
 basics::
@ -1219,10 +1225,11 @@ samba3-idl::
 		../librpc/idl/initshutdown.idl ../librpc/idl/srvsvc.idl ../librpc/idl/svcctl.idl \
 		../librpc/idl/eventlog.idl ../librpc/idl/wkssvc.idl ../librpc/idl/netlogon.idl \
 		../librpc/idl/notify.idl ../librpc/idl/epmapper.idl librpc/idl/messaging.idl \
-		../librpc/idl/xattr.idl ../librpc/idl/misc.idl librpc/idl/samr.idl \
+		../librpc/idl/xattr.idl ../librpc/idl/misc.idl ../librpc/idl/samr.idl \
 		../librpc/idl/security.idl ../librpc/idl/dssetup.idl ../librpc/idl/krb5pac.idl \
 		../librpc/idl/ntsvcs.idl librpc/idl/libnetapi.idl ../librpc/idl/drsuapi.idl \
-		../librpc/idl/drsblobs.idl ../librpc/idl/nbt.idl
+		../librpc/idl/drsblobs.idl ../librpc/idl/nbt.idl \
 		../librpc/idl/named_pipe_auth.idl librpc/idl/dom_sid.idl
 librpc/gen_ndr/tables.c:: librpc/gen_ndr/*.h
 	@echo "Generating $@"
@ -2453,6 +2460,10 @@ bin/smb_traffic_analyzer.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_SMB_TRAFFIC_ANALYZE
 	@echo "Building plugin $@"
 	@$(SHLD_MODULE) $(VFS_SMB_TRAFFIC_ANALYZER_OBJ)
 bin/acl_tdb.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_ACL_TDB_OBJ)
 	@echo "Building plugin $@"
 	@$(SHLD_MODULE) $(VFS_ACL_TDB_OBJ)
 bin/registry.@SHLIBEXT@: $(BINARY_PREREQS) libgpo/gpext/registry.o
 	@echo "Building plugin $@"
 	@$(SHLD_MODULE) libgpo/gpext/registry.o
@ -2847,9 +2858,10 @@ valgrindtest:: all torture timelimit
 	 PERL="$(PERL)" $(srcdir)/script/tests/selftest.sh ${selftest_prefix} all "${smbtorture4_path}"
 SELFTEST_FORMAT = plain
 selftestdir = ../selftest
 selftest:: all torture timelimit
-	@../selftest/selftest.pl --prefix=st --target=samba3 \
+	@$(selftestdir)/selftest.pl --prefix=st --target=samba3 \
 		--testlist="$(srcdir)/selftest/tests.sh|" \
 		--expected-failures=$(srcdir)/selftest/knownfail \
 		--exclude=$(srcdir)/selftest/skip \
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@ -469,13 +469,13 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
 		{
 		case SEC_DOMAIN:
 			DEBUG(5,("Making default auth method list for security=domain\n"));
-			auth_method_list = str_list_make(
+			auth_method_list = str_list_make_v3(
 				talloc_tos(), "guest sam winbind:ntdomain",
 				NULL);
 			break;
 		case SEC_SERVER:
 			DEBUG(5,("Making default auth method list for security=server\n"));
-			auth_method_list = str_list_make(
+			auth_method_list = str_list_make_v3(
 				talloc_tos(), "guest sam smbserver",
 				NULL);
 			break;
@ -483,36 +483,36 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
 			if (lp_encrypted_passwords()) {	
 				if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
 					DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n"));
-					auth_method_list = str_list_make(
+					auth_method_list = str_list_make_v3(
 						talloc_tos(),
 						"guest sam winbind:trustdomain",
 						NULL);
 				} else {
 					DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n"));
-					auth_method_list = str_list_make(
+					auth_method_list = str_list_make_v3(
 						talloc_tos(), "guest sam",
 						NULL);
 				}
 			} else {
 				DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
-				auth_method_list = str_list_make(
+				auth_method_list = str_list_make_v3(
 					talloc_tos(), "guest unix", NULL);
 			}
 			break;
 		case SEC_SHARE:
 			if (lp_encrypted_passwords()) {
 				DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n"));
-				auth_method_list = str_list_make(
+				auth_method_list = str_list_make_v3(
 					talloc_tos(), "guest sam", NULL);
 			} else {
 				DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n"));
-				auth_method_list = str_list_make(
+				auth_method_list = str_list_make_v3(
 					talloc_tos(), "guest unix", NULL);
 			}
 			break;
 		case SEC_ADS:
 			DEBUG(5,("Making default auth method list for security=ADS\n"));
-			auth_method_list = str_list_make(
+			auth_method_list = str_list_make_v3(
 				talloc_tos(), "guest sam winbind:ntdomain",
 				NULL);
 			break;
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@ -102,7 +102,7 @@ NT_USER_TOKEN *get_root_nt_token( void )
 	uid_to_sid(&u_sid, pw->pw_uid);
 	gid_to_sid(&g_sid, pw->pw_gid);
-	token = create_local_nt_token(NULL, &u_sid, False,
+	token = create_local_nt_token(talloc_autofree_context(), &u_sid, False,
 				      1, &global_sid_Builtin_Administrators);
 	token->privileges = se_disk_operators;
--- a/source3/client/mount.cifs.c
+++ b/source3/client/mount.cifs.c
@ -39,9 +39,10 @@
 #include <mntent.h>
 #include <fcntl.h>
 #include <limits.h>
 #include "mount.h"
 #define MOUNT_CIFS_VERSION_MAJOR "1"
-#define MOUNT_CIFS_VERSION_MINOR "11"
+#define MOUNT_CIFS_VERSION_MINOR "12"
 #ifndef MOUNT_CIFS_VENDOR_SUFFIX
 #ifdef _SAMBA_BUILD_
@ -79,15 +80,6 @@
 #define MOUNT_PASSWD_SIZE 64
 #define DOMAIN_SIZE 64
 /* exit status - bits below are ORed */
 #define EX_USAGE        1       /* incorrect invocation or permission */
 #define EX_SYSERR       2       /* out of memory, cannot fork, ... */
 #define EX_SOFTWARE     4       /* internal mount bug or wrong version */
 #define EX_USER         8       /* user interrupt */
 #define EX_FILEIO      16       /* problems writing, locking, ... mtab/fstab */
 #define EX_FAIL        32       /* mount failure */
 #define EX_SOMEOK      64       /* some mount succeeded */
 const char *thisprogram;
 int verboseflag = 0;
 static int got_password = 0;
@ -1424,48 +1416,57 @@ mount_retry:
 		printf("Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)\n");
 		rc = EX_FAIL;
 	} else {
 		atexit(unlock_mtab);
 		rc = lock_mtab();
 		if (rc) {
 			printf("cannot lock mtab");
 			goto mount_exit;
 		}
 		pmntfile = setmntent(MOUNTED, "a+");
-		if(pmntfile) {
+		if (!pmntfile) {
-			mountent.mnt_fsname = dev_name;
+			printf("could not update mount table\n");
-			mountent.mnt_dir = mountpoint;
+			unlock_mtab();
-			mountent.mnt_type = CONST_DISCARD(char *,"cifs");
+			rc = EX_FILEIO;
-			mountent.mnt_opts = (char *)malloc(220);
+			goto mount_exit;
-			if(mountent.mnt_opts) {
+		}
-				char * mount_user = getusername();
+		mountent.mnt_fsname = dev_name;
-				memset(mountent.mnt_opts,0,200);
+		mountent.mnt_dir = mountpoint;
-				if(flags & MS_RDONLY)
+		mountent.mnt_type = CONST_DISCARD(char *,"cifs");
-					strlcat(mountent.mnt_opts,"ro",220);
+		mountent.mnt_opts = (char *)malloc(220);
-				else
+		if(mountent.mnt_opts) {
-					strlcat(mountent.mnt_opts,"rw",220);
+			char * mount_user = getusername();
-				if(flags & MS_MANDLOCK)
+			memset(mountent.mnt_opts,0,200);
-					strlcat(mountent.mnt_opts,",mand",220);
+			if(flags & MS_RDONLY)
-				if(flags & MS_NOEXEC)
+				strlcat(mountent.mnt_opts,"ro",220);
-					strlcat(mountent.mnt_opts,",noexec",220);
+			else
-				if(flags & MS_NOSUID)
+				strlcat(mountent.mnt_opts,"rw",220);
-					strlcat(mountent.mnt_opts,",nosuid",220);
+			if(flags & MS_MANDLOCK)
-				if(flags & MS_NODEV)
+				strlcat(mountent.mnt_opts,",mand",220);
-					strlcat(mountent.mnt_opts,",nodev",220);
+			if(flags & MS_NOEXEC)
-				if(flags & MS_SYNCHRONOUS)
+				strlcat(mountent.mnt_opts,",noexec",220);
-					strlcat(mountent.mnt_opts,",synch",220);
+			if(flags & MS_NOSUID)
-				if(mount_user) {
+				strlcat(mountent.mnt_opts,",nosuid",220);
-					if(getuid() != 0) {
+			if(flags & MS_NODEV)
-						strlcat(mountent.mnt_opts,",user=",220);
+				strlcat(mountent.mnt_opts,",nodev",220);
-						strlcat(mountent.mnt_opts,mount_user,220);
+			if(flags & MS_SYNCHRONOUS)
-					}
+				strlcat(mountent.mnt_opts,",sync",220);
-					/* free(mount_user); do not free static mem */
+			if(mount_user) {
 				if(getuid() != 0) {
 					strlcat(mountent.mnt_opts,
 						",user=", 220);
 					strlcat(mountent.mnt_opts,
 						mount_user, 220);
 				}
 			}
 			mountent.mnt_freq = 0;
 			mountent.mnt_passno = 0;
 			rc = addmntent(pmntfile,&mountent);
 			endmntent(pmntfile);
 			SAFE_FREE(mountent.mnt_opts);
 			if (rc)
 				rc = EX_FILEIO;
 		} else {
 			printf("could not update mount table\n");
 			rc = EX_FILEIO;
 		}
 		mountent.mnt_freq = 0;
 		mountent.mnt_passno = 0;
 		rc = addmntent(pmntfile,&mountent);
 		endmntent(pmntfile);
 		unlock_mtab();
 		SAFE_FREE(mountent.mnt_opts);
 		if (rc)
 			rc = EX_FILEIO;
 	}
 mount_exit:
 	if(mountpassword) {
--- a/source3/client/mount.h
+++ b/source3/client/mount.h
@ -0,0 +1,38 @@
 /* 
 * Copyright (C) 2008 Jeff Layton (jlayton@samba.org)
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 * * 
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 /* most of this info was taken from the util-linux-ng sources */
 #ifndef _MOUNT_H_
 #define _MOUNT_H_
 /* exit status - bits below are ORed */
 #define EX_USAGE	1	/* incorrect invocation or permission */
 #define EX_SYSERR	2	/* out of memory, cannot fork, ... */
 #define EX_SOFTWARE	4	/* internal mount bug or wrong version */
 #define EX_USER		8	/* user interrupt */
 #define EX_FILEIO      16	/* problems writing, locking, ... mtab/fstab */
 #define EX_FAIL	       32	/* mount failure */
 #define EX_SOMEOK      64	/* some mount succeeded */
 #define _PATH_MOUNTED_LOCK	_PATH_MOUNTED "~"
 #define _PATH_MOUNTED_TMP	_PATH_MOUNTED ".tmp"
 extern int lock_mtab(void);
 extern void unlock_mtab(void);
 #endif /* ! _MOUNT_H_ */
--- a/source3/client/mtab.c
+++ b/source3/client/mtab.c
@ -0,0 +1,219 @@
 /*
 * mtab locking routines for use with mount.cifs and umount.cifs
 * Copyright (C) 2008 Jeff Layton (jlayton@samba.org)
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 /*
 * This code was copied from the util-linux-ng sources and modified:
 *
 * git://git.kernel.org/pub/scm/utils/util-linux-ng/util-linux-ng.git
 *
 * ...specifically from mount/fstab.c. That file has no explicit license. The
 * "default" license for anything in that tree is apparently GPLv2+, so I
 * believe we're OK to copy it here.
 *
 * Jeff Layton <jlayton@samba.org> 
 */
 #include <unistd.h>
 #include <errno.h>
 #include <stdio.h>
 #include <sys/time.h>
 #include <time.h>
 #include <fcntl.h>
 #include <mntent.h>
 #include <stdlib.h>
 #include <signal.h>
 #include "mount.h"
 /* Updating mtab ----------------------------------------------*/
 /* Flag for already existing lock file. */
 static int we_created_lockfile = 0;
 static int lockfile_fd = -1;
 /* Flag to indicate that signals have been set up. */
 static int signals_have_been_setup = 0;
 static void
 handler (int sig) {
     exit(EX_USER);
 }
 static void
 setlkw_timeout (int sig) {
     /* nothing, fcntl will fail anyway */
 }
 /* Remove lock file.  */
 void
 unlock_mtab (void) {
 	if (we_created_lockfile) {
 		close(lockfile_fd);
 		lockfile_fd = -1;
 		unlink (_PATH_MOUNTED_LOCK);
 		we_created_lockfile = 0;
 	}
 }
 /* Create the lock file.
   The lock file will be removed if we catch a signal or when we exit. */
 /* The old code here used flock on a lock file /etc/mtab~ and deleted
   this lock file afterwards. However, as rgooch remarks, that has a
   race: a second mount may be waiting on the lock and proceed as
   soon as the lock file is deleted by the first mount, and immediately
   afterwards a third mount comes, creates a new /etc/mtab~, applies
   flock to that, and also proceeds, so that the second and third mount
   now both are scribbling in /etc/mtab.
   The new code uses a link() instead of a creat(), where we proceed
   only if it was us that created the lock, and hence we always have
   to delete the lock afterwards. Now the use of flock() is in principle
   superfluous, but avoids an arbitrary sleep(). */
 /* Where does the link point to? Obvious choices are mtab and mtab~~.
   HJLu points out that the latter leads to races. Right now we use
   mtab~.<pid> instead. Use 20 as upper bound for the length of %d. */
 #define MOUNTLOCK_LINKTARGET		_PATH_MOUNTED_LOCK "%d"
 #define MOUNTLOCK_LINKTARGET_LTH	(sizeof(_PATH_MOUNTED_LOCK)+20)
 /*
 * The original mount locking code has used sleep(1) between attempts and
 * maximal number of attemps has been 5.
 *
 * There was very small number of attempts and extremely long waiting (1s)
 * that is useless on machines with large number of concurret mount processes.
 *
 * Now we wait few thousand microseconds between attempts and we have global
 * time limit (30s) rather than limit for number of attempts. The advantage
 * is that this method also counts time which we spend in fcntl(F_SETLKW) and
 * number of attempts is not so much restricted.
 *
 * -- kzak@redhat.com [2007-Mar-2007]
 */
 /* maximum seconds between first and last attempt */
 #define MOUNTLOCK_MAXTIME		30
 /* sleep time (in microseconds, max=999999) between attempts */
 #define MOUNTLOCK_WAITTIME		5000
 int
 lock_mtab (void) {
 	int i;
 	struct timespec waittime;
 	struct timeval maxtime;
 	char linktargetfile[MOUNTLOCK_LINKTARGET_LTH];
 	if (!signals_have_been_setup) {
 		int sig = 0;
 		struct sigaction sa;
 		sa.sa_handler = handler;
 		sa.sa_flags = 0;
 		sigfillset (&sa.sa_mask);
 		while (sigismember (&sa.sa_mask, ++sig) != -1
 		       && sig != SIGCHLD) {
 			if (sig == SIGALRM)
 				sa.sa_handler = setlkw_timeout;
 			else
 				sa.sa_handler = handler;
 			sigaction (sig, &sa, (struct sigaction *) 0);
 		}
 		signals_have_been_setup = 1;
 	}
 	sprintf(linktargetfile, MOUNTLOCK_LINKTARGET, getpid ());
 	i = open (linktargetfile, O_WRONLY|O_CREAT, S_IRUSR|S_IWUSR);
 	if (i < 0) {
 		/* linktargetfile does not exist (as a file)
 		   and we cannot create it. Read-only filesystem?
 		   Too many files open in the system?
 		   Filesystem full? */
 		return EX_FILEIO;
 	}
 	close(i);
 	gettimeofday(&maxtime, NULL);
 	maxtime.tv_sec += MOUNTLOCK_MAXTIME;
 	waittime.tv_sec = 0;
 	waittime.tv_nsec = (1000 * MOUNTLOCK_WAITTIME);
 	/* Repeat until it was us who made the link */
 	while (!we_created_lockfile) {
 		struct timeval now;
 		struct flock flock;
 		int errsv, j;
 		j = link(linktargetfile, _PATH_MOUNTED_LOCK);
 		errsv = errno;
 		if (j == 0)
 			we_created_lockfile = 1;
 		if (j < 0 && errsv != EEXIST) {
 			(void) unlink(linktargetfile);
 			return EX_FILEIO;
 		}
 		lockfile_fd = open (_PATH_MOUNTED_LOCK, O_WRONLY);
 		if (lockfile_fd < 0) {
 			/* Strange... Maybe the file was just deleted? */
 			gettimeofday(&now, NULL);
 			if (errno == ENOENT && now.tv_sec < maxtime.tv_sec) {
 				we_created_lockfile = 0;
 				continue;
 			}
 			(void) unlink(linktargetfile);
 			return EX_FILEIO;
 		}
 		flock.l_type = F_WRLCK;
 		flock.l_whence = SEEK_SET;
 		flock.l_start = 0;
 		flock.l_len = 0;
 		if (j == 0) {
 			/* We made the link. Now claim the lock. If we can't
 			 * get it, continue anyway
 			 */
 			fcntl (lockfile_fd, F_SETLK, &flock);
 			(void) unlink(linktargetfile);
 		} else {
 			/* Someone else made the link. Wait. */
 			gettimeofday(&now, NULL);
 			if (now.tv_sec < maxtime.tv_sec) {
 				alarm(maxtime.tv_sec - now.tv_sec);
 				if (fcntl (lockfile_fd, F_SETLKW, &flock) == -1) {
 					(void) unlink(linktargetfile);
 					return EX_FILEIO;
 				}
 				alarm(0);
 				nanosleep(&waittime, NULL);
 			} else {
 				(void) unlink(linktargetfile);
 				return EX_FILEIO;
 			}
 			close(lockfile_fd);
 		}
 	}
 	return 0;
 }
--- a/source3/client/umount.cifs.c
+++ b/source3/client/umount.cifs.c
@ -33,9 +33,10 @@
 #include <errno.h>
 #include <string.h>
 #include <mntent.h>
 #include "mount.h"
 #define UNMOUNT_CIFS_VERSION_MAJOR "0"
-#define UNMOUNT_CIFS_VERSION_MINOR "5"
+#define UNMOUNT_CIFS_VERSION_MINOR "6"
 #ifndef UNMOUNT_CIFS_VENDOR_SUFFIX
 #ifdef _SAMBA_BUILD_
@ -137,24 +138,6 @@ static int umount_check_perm(char * dir)
 	return rc;
 }
 static int lock_mtab(void)
 {
 	int rc;
 	rc = mknod(MOUNTED_LOCK , 0600, 0);
 	if(rc == -1)
 		printf("\ngetting lock file %s failed with %s\n",MOUNTED_LOCK,
 				strerror(errno));
 	return rc;	
 }
 static void unlock_mtab(void)
 {
 	unlink(MOUNTED_LOCK);	
 }
 static int remove_from_mtab(char * mountpoint)
 {
 	int rc;
@ -168,6 +151,7 @@ static int remove_from_mtab(char * mountpoint)
 	/* Do we first need to check if it is writable? */ 
 	atexit(unlock_mtab);
 	if (lock_mtab()) {
 		printf("Mount table locked\n");
 		return -EACCES;
--- a/source3/configure.in
+++ b/source3/configure.in
@ -399,7 +399,7 @@ dnl These have to be built static:
 default_static_modules="pdb_smbpasswd pdb_tdbsam rpc_lsarpc rpc_samr rpc_winreg rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl2 rpc_ntsvcs2 rpc_netlogon rpc_netdfs rpc_srvsvc rpc_spoolss rpc_eventlog2 auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin auth_netlogond vfs_default nss_info_template"
 dnl These are preferably build shared, and static if dlopen() is not available
-default_shared_modules="vfs_recycle vfs_audit vfs_extd_audit vfs_full_audit vfs_netatalk vfs_fake_perms vfs_default_quota vfs_readonly vfs_cap vfs_expand_msdfs vfs_shadow_copy vfs_shadow_copy2 charset_CP850 charset_CP437 auth_script vfs_readahead vfs_xattr_tdb vfs_streams_xattr vfs_acl_xattr vfs_smb_traffic_analyzer"
+default_shared_modules="vfs_recycle vfs_audit vfs_extd_audit vfs_full_audit vfs_netatalk vfs_fake_perms vfs_default_quota vfs_readonly vfs_cap vfs_expand_msdfs vfs_shadow_copy vfs_shadow_copy2 charset_CP850 charset_CP437 auth_script vfs_readahead vfs_xattr_tdb vfs_streams_xattr vfs_acl_xattr vfs_acl_tdb vfs_smb_traffic_analyzer"
 if test "x$developer" = xyes; then
   default_static_modules="$default_static_modules rpc_rpcecho"
@ -857,19 +857,6 @@ if test x"$ac_cv_func_dirfd" = x"yes"; then
 	default_shared_modules="$default_shared_modules vfs_syncops"
 fi
 AC_CACHE_CHECK([for sig_atomic_t type],samba_cv_sig_atomic_t, [
    AC_TRY_COMPILE([
 #include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
 #include <stddef.h>
 #endif
 #include <signal.h>],[sig_atomic_t i = 0],
 	samba_cv_sig_atomic_t=yes,samba_cv_sig_atomic_t=no)])
 if test x"$samba_cv_sig_atomic_t" = x"yes"; then
   AC_DEFINE(HAVE_SIG_ATOMIC_T_TYPE,1,[Whether we have the atomic_t variable type])
 fi
 AC_CACHE_CHECK([for struct sigevent type],samba_cv_struct_sigevent, [
    AC_TRY_COMPILE([
 #include <sys/types.h>
@ -908,11 +895,6 @@ if test x"$samba_cv_struct_timespec" = x"yes"; then
   AC_DEFINE(HAVE_STRUCT_TIMESPEC,1,[Whether we have struct timespec])
 fi
 # stupid headers have the functions but no declaration. grrrr.
 AC_HAVE_DECL(errno, [#include <errno.h>])
 AC_HAVE_DECL(setresuid, [#include <unistd.h>])
 AC_HAVE_DECL(setresgid, [#include <unistd.h>])
 # and glibc has setresuid under linux but the function does
 # nothing until kernel 2.1.44! very dumb.
 AC_CACHE_CHECK([for real setresuid],samba_cv_have_setresuid,[
@ -1025,20 +1007,20 @@ if test x"$ac_cv_func_execl" = x"no"; then
    EXTRA_BIN_PROGS="$EXTRA_BIN_PROGS bin/smbrun\$(EXEEXT)"
 fi
-AC_CHECK_FUNCS(waitpid getcwd strdup strndup strnlen strerror chown fchown lchown chmod fchmod chroot link mknod mknod64)
+AC_CHECK_FUNCS(getcwd fchown chmod fchmod mknod mknod64)
-AC_CHECK_FUNCS(strtol strtoll strtoul strtoull strtouq __strtoull)
+AC_CHECK_FUNCS(strtol)
 AC_CHECK_FUNCS(fstat strchr chflags)
-AC_CHECK_FUNCS(getrlimit fsync fdatasync memset strlcpy strlcat setpgid)
+AC_CHECK_FUNCS(getrlimit fsync fdatasync setpgid)
-AC_CHECK_FUNCS(memmove setsid glob strpbrk pipe crypt16 getauthuid)
+AC_CHECK_FUNCS(setsid glob strpbrk crypt16 getauthuid)
-AC_CHECK_FUNCS(strftime sigprocmask sigblock sigaction sigset innetgr setnetgrent getnetgrent endnetgrent)
+AC_CHECK_FUNCS(sigprocmask sigblock sigaction sigset innetgr setnetgrent getnetgrent endnetgrent)
-AC_CHECK_FUNCS(initgroups select poll rdchk getgrnam getgrent pathconf realpath)
+AC_CHECK_FUNCS(initgroups select poll rdchk getgrnam getgrent pathconf)
-AC_CHECK_FUNCS(setpriv setgidx setuidx setgroups sysconf mktime rename ftruncate chsize stat64 fstat64)
+AC_CHECK_FUNCS(setpriv setgidx setuidx setgroups sysconf stat64 fstat64)
-AC_CHECK_FUNCS(lstat64 fopen64 atexit grantpt dup2 lseek64 ftruncate64)
+AC_CHECK_FUNCS(lstat64 fopen64 atexit grantpt lseek64 ftruncate64)
-AC_CHECK_FUNCS(fseek64 fseeko64 ftell64 ftello64 setluid getpwanam setlinebuf)
+AC_CHECK_FUNCS(fseek64 fseeko64 ftell64 ftello64 setluid getpwanam)
 AC_CHECK_FUNCS(opendir64 readdir64 seekdir64 telldir64 rewinddir64 closedir64)
 AC_CHECK_FUNCS(getpwent_r)
-AC_CHECK_FUNCS(getdents getdents64)
+AC_CHECK_FUNCS(getdents64)
-AC_CHECK_FUNCS(srandom random srand rand setenv usleep strcasecmp fcvt fcvtl symlink readlink)
+AC_CHECK_FUNCS(setenv strcasecmp fcvt fcvtl)
 AC_CHECK_FUNCS(syslog vsyslog timegm)
 AC_CHECK_FUNCS(setlocale nl_langinfo)
 AC_CHECK_FUNCS(nanosleep)
@ -1046,7 +1028,7 @@ AC_CHECK_FUNCS(mlock munlock mlockall munlockall)
 AC_CHECK_FUNCS(memalign posix_memalign hstrerror)
 AC_CHECK_HEADERS(sys/mman.h)
 # setbuffer, shmget, shm_open are needed for smbtorture
-AC_CHECK_FUNCS(setbuffer shmget shm_open)
+AC_CHECK_FUNCS(shmget shm_open)
 # Find a method of generating a stack trace
 AC_CHECK_HEADERS(execinfo.h libexc.h libunwind.h)
@ -6105,6 +6087,7 @@ SMB_MODULE(vfs_syncops, \$(VFS_SYNCOPS_OBJ), "bin/syncops.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_zfsacl, \$(VFS_ZFSACL_OBJ), "bin/zfsacl.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_notify_fam, \$(VFS_NOTIFY_FAM_OBJ), "bin/notify_fam.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_acl_xattr, \$(VFS_ACL_XATTR_OBJ), "bin/acl_xattr.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_acl_tdb, \$(VFS_ACL_TDB_OBJ), "bin/acl_tdb.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_smb_traffic_analyzer, \$(VFS_SMB_TRAFFIC_ANALYZER_OBJ), "bin/smb_traffic_analyzer.$SHLIBEXT", VFS)
 SMB_SUBSYSTEM(VFS,smbd/vfs.o)
--- a/source3/groupdb/mapping_ldb.c
+++ b/source3/groupdb/mapping_ldb.c
@ -574,6 +574,13 @@ static int upgrade_map_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key,
 		return -1;
 	}
 	if ((int)map.gid == -1) {
 		/*
 		 * Ignore old invalid mappings
 		 */
 		return 0;
 	}
 	if (!add_mapping_entry(&map, 0)) {
 		DEBUG(0,("Failed to add mapping entry during upgrade\n"));
 		*(int *)state = -1;
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@ -524,14 +524,6 @@ struct timespec {
 };
 #endif
 #ifndef MIN
 #define MIN(a,b) ((a)<(b)?(a):(b))
 #endif
 #ifndef MAX
 #define MAX(a,b) ((a)>(b)?(a):(b))
 #endif
 #ifdef HAVE_BROKEN_GETGROUPS
 #define GID_T int
 #else
@ -567,11 +559,12 @@ typedef char fstring[FSTRING_LEN];
 #endif
 /* Samba 3 doesn't use iconv_convenience: */
-extern void *global_loadparm;
+extern void *global_iconv_convenience;
 extern void *cmdline_lp_ctx;
 struct smb_iconv_convenience *lp_iconv_convenience(void *lp_ctx);
 /* Lists, trees, caching, database... */
 #include "../lib/util/util.h"
 #include "../lib/util/xfile.h"
 #include "../lib/util/memory.h"
 #include "../lib/util/attr.h"
@ -619,6 +612,7 @@ struct smb_iconv_convenience *lp_iconv_convenience(void *lp_ctx);
 #include "msdfs.h"
 #include "rap.h"
 #include "../lib/crypto/md5.h"
 #include "../lib/crypto/md4.h"
 #include "../lib/crypto/arcfour.h"
 #include "../lib/crypto/crc32.h"
 #include "../lib/crypto/hmacmd5.h"
@ -717,7 +711,7 @@ enum flush_reason_enum {
 #include "modules/nfs4_acls.h"
 #include "nsswitch/libwbclient/wbclient.h"
-/***** automatically generated prototypes *****/
+/***** prototypes *****/
 #ifndef NO_PROTO_H
 #include "proto.h"
 #endif
@ -810,14 +804,6 @@ enum flush_reason_enum {
 #define ULTRIX_AUTH 1
 #endif
 #if (defined(USE_SETRESUID) && !defined(HAVE_SETRESUID_DECL))
 /* stupid glibc */
 int setresuid(uid_t ruid, uid_t euid, uid_t suid);
 #endif
 #if (defined(USE_SETRESUID) && !defined(HAVE_SETRESGID_DECL))
 int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
 #endif
 /* yuck, I'd like a better way of doing this */
 #define DIRP_SIZE (256 + 32)
@ -890,11 +876,6 @@ int smb_xvasprintf(char **ptr, const char *format, va_list ap) PRINTF_ATTRIBUTE(
 int asprintf_strupper_m(char **strp, const char *fmt, ...) PRINTF_ATTRIBUTE(2,3);
 char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...) PRINTF_ATTRIBUTE(2,3);
 /* we used to use these fns, but now we have good replacements
   for snprintf and vsnprintf */
 #define slprintf snprintf
 #define vslprintf vsnprintf
 /*
 * Veritas File System.  Often in addition to native.
 * Quotas different.
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@ -542,7 +542,6 @@ int cancel_named_event(struct event_context *event_ctx,
 void dump_event_list(struct event_context *event_ctx);
 /* The following definitions come from lib/fault.c  */
 void fault_setup(void (*fn)(void *));
 void dump_core_setup(const char *progname);
@ -555,10 +554,6 @@ const char *file_id_string_tos(const struct file_id *id);
 void push_file_id_16(char *buf, const struct file_id *id);
 void pull_file_id_16(char *buf, struct file_id *id);
 /* The following definitions come from lib/fsusage.c  */
 int sys_fsusage(const char *path, uint64_t *dfree, uint64_t *dsize);
 /* The following definitions come from lib/gencache.c  */
 bool gencache_init(void);
@ -573,13 +568,6 @@ void gencache_iterate(void (*fn)(const char* key, const char *value, time_t time
 int gencache_lock_entry( const char *key );
 void gencache_unlock_entry( const char *key );
 /* The following definitions come from lib/genrand.c  */
 void set_rand_reseed_callback(void (*fn)(void *, int *), void *userdata);
 void set_need_random_reseed(void);
 void generate_random_buffer(uint8_t *out, int len);
 char *generate_random_str(TALLOC_CTX *mem_ctx, size_t len);
 /* The following definitions come from lib/iconv.c  */
 NTSTATUS smb_register_charset(struct charset_functions *funcs) ;
@ -619,10 +607,6 @@ void init_ldap_debugging(void);
 char *escape_ldap_string_alloc(const char *s);
 char *escape_rdn_val_string_alloc(const char *s);
 /* The following definitions come from lib/md4.c  */
 void mdfour(unsigned char *out, const unsigned char *in, int n);
 /* The following definitions come from lib/module.c  */
 NTSTATUS smb_load_module(const char *module_name);
@ -796,13 +780,6 @@ bool share_access_check(const NT_USER_TOKEN *token, const char *sharename,
 			uint32 desired_access);
 bool parse_usershare_acl(TALLOC_CTX *ctx, const char *acl_str, SEC_DESC **ppsd);
 /* The following definitions come from lib/signal.c  */
 void BlockSignals(bool block,int signum);
 void (*CatchSignal(int signum,void (*handler)(int )))(int);
 void CatchChild(void);
 void CatchChildLeaveStatus(void);
 /* The following definitions come from lib/smbldap.c  */
 int smb_ldap_start_tls(LDAP *ldap_struct, int version);
@ -976,18 +953,11 @@ int no_acl_syscall_error(int err);
 int sys_get_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
 int sys_set_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
-/* The following definitions come from lib/sysquotas_4A.c  */
+/* The following definitions come from lib/sysquotas_*.c  */
 int sys_get_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
 int sys_set_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
 /* The following definitions come from lib/sysquotas_linux.c  */
 int sys_get_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
 int sys_set_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
 /* The following definitions come from lib/sysquotas_xfs.c  */
 int sys_get_xfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
 int sys_set_xfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
@ -1023,15 +993,8 @@ long sys_telldir(SMB_STRUCT_DIR *dirp);
 void sys_rewinddir(SMB_STRUCT_DIR *dirp);
 int sys_closedir(SMB_STRUCT_DIR *dirp);
 int sys_mknod(const char *path, mode_t mode, SMB_DEV_T dev);
 char *sys_realpath(const char *path, char *resolved_path);
 int sys_waitpid(pid_t pid,int *status,int options);
 char *sys_getwd(char *s);
 int sys_symlink(const char *oldpath, const char *newpath);
 int sys_readlink(const char *path, char *buf, size_t bufsiz);
 int sys_link(const char *oldpath, const char *newpath);
 int sys_chown(const char *fname,uid_t uid,gid_t gid);
 int sys_lchown(const char *fname,uid_t uid,gid_t gid);
 int sys_chroot(const char *dname);
 void set_effective_capability(enum smbd_capability capability);
 void drop_effective_capability(enum smbd_capability capability);
 long sys_random(void);
@ -1050,11 +1013,6 @@ pid_t sys_fork(void);
 pid_t sys_getpid(void);
 int sys_popen(const char *command);
 int sys_pclose(int fd);
 void *sys_dlopen(const char *name, int flags);
 void *sys_dlsym(void *handle, const char *symbol);
 int sys_dlclose (void *handle);
 const char *sys_dlerror(void);
 int sys_dup2(int oldfd, int newfd) ;
 ssize_t sys_getxattr (const char *path, const char *name, void *value, size_t size);
 ssize_t sys_lgetxattr (const char *path, const char *name, void *value, size_t size);
 ssize_t sys_fgetxattr (int filedes, const char *name, void *value, size_t size);
@ -1105,45 +1063,14 @@ void register_msg_pool_usage(struct messaging_context *msg_ctx);
 /* The following definitions come from lib/time.c  */
 time_t get_time_t_max(void);
 void GetTimeOfDay(struct timeval *tval);
 time_t nt_time_to_unix(NTTIME nt);
 void unix_to_nt_time(NTTIME *nt, time_t t);
 bool null_time(time_t t);
 bool null_nttime(NTTIME t);
 bool null_timespec(struct timespec ts);
 void push_dos_date(uint8_t *buf, int offset, time_t unixdate, int zone_offset);
 void push_dos_date2(uint8_t *buf,int offset,time_t unixdate, int zone_offset);
 void push_dos_date3(uint8_t *buf,int offset,time_t unixdate, int zone_offset);
 time_t pull_dos_date(const uint8_t *date_ptr, int zone_offset);
 time_t pull_dos_date2(const uint8_t *date_ptr, int zone_offset);
 time_t pull_dos_date3(const uint8_t *date_ptr, int zone_offset);
 char *timestring(TALLOC_CTX *mem_ctx, time_t t);
 const char *nt_time_string(TALLOC_CTX *mem_ctx, NTTIME nt);
 NTTIME nttime_from_string(const char *s);
 struct timeval timeval_zero(void);
 bool timeval_is_zero(const struct timeval *tv);
 struct timeval timeval_current(void);
 struct timeval timeval_set(uint32_t secs, uint32_t usecs);
 struct timeval timeval_add(const struct timeval *tv,
 			   uint32_t secs, uint32_t usecs);
 struct timeval timeval_sum(const struct timeval *tv1,
 			   const struct timeval *tv2);
 struct timeval timeval_current_ofs(uint32_t secs, uint32_t usecs);
 int timeval_compare(const struct timeval *tv1, const struct timeval *tv2);
 bool timeval_expired(const struct timeval *tv);
 double timeval_elapsed2(const struct timeval *tv1, const struct timeval *tv2);
 double timeval_elapsed(const struct timeval *tv);
 struct timeval timeval_min(const struct timeval *tv1,
 			   const struct timeval *tv2);
 struct timeval timeval_max(const struct timeval *tv1,
 			   const struct timeval *tv2);
 struct timeval timeval_until(const struct timeval *tv1,
 			     const struct timeval *tv2);
 NTTIME timeval_to_nttime(const struct timeval *tv);
 uint32 convert_time_t_to_uint32(time_t t);
 time_t convert_uint32_to_time_t(uint32 u);
 int get_time_zone(time_t t);
 bool nt_time_is_zero(const NTTIME *nt);
 time_t generalized_to_unix_time(const char *str);
 int get_server_zone_offset(void);
@ -1180,7 +1107,6 @@ void cli_put_dos_date3(struct cli_state *cli, char *buf, int offset, time_t unix
 time_t cli_make_unix_date(struct cli_state *cli, const void *date_ptr);
 time_t cli_make_unix_date2(struct cli_state *cli, const void *date_ptr);
 time_t cli_make_unix_date3(struct cli_state *cli, const void *date_ptr);
 struct timespec nt_time_to_unix_timespec(NTTIME *nt);
 bool nt_time_equals(const NTTIME *nt1, const NTTIME *nt2);
 void TimeInit(void);
 void get_process_uptime(struct timeval *ret_time);
@ -1228,16 +1154,12 @@ bool get_cmdline_auth_info_smb_encrypt(void);
 bool get_cmdline_auth_info_use_machine_account(void);
 bool get_cmdline_auth_info_copy(struct user_auth_info *info);
 bool set_cmdline_auth_info_machine_account_creds(void);
 const char *tmpdir(void);
 bool add_gid_to_array_unique(TALLOC_CTX *mem_ctx, gid_t gid,
 			     gid_t **gids, size_t *num_gids);
 const char *get_numlist(const char *p, uint32 **num, int *count);
 bool file_exist_stat(const char *fname,SMB_STRUCT_STAT *sbuf);
 bool file_exist(const char *fname);
 bool socket_exist(const char *fname);
 time_t file_modtime(const char *fname);
 bool directory_exist_stat(char *dname,SMB_STRUCT_STAT *st);
 bool directory_exist(const char *dname);
 SMB_OFF_T get_file_size(char *file_name);
 char *attrib_string(uint16 mode);
 void show_msg(char *buf);
@ -1256,22 +1178,18 @@ bool reinit_after_fork(struct messaging_context *msg_ctx,
 		       bool parent_longlived);
 bool yesno(const char *p);
 void *malloc_(size_t size);
 void *malloc_array(size_t el_size, unsigned int count);
 void *memalign_array(size_t el_size, size_t align, unsigned int count);
 void *calloc_array(size_t size, size_t nmemb);
 void *Realloc(void *p, size_t size, bool free_old_on_error);
 void *realloc_array(void *p, size_t el_size, unsigned int count, bool free_old_on_error);
 void add_to_large_array(TALLOC_CTX *mem_ctx, size_t element_size,
 			void *element, void *_array, uint32 *num_elements,
 			ssize_t *array_size);
 void safe_free(void *p);
 char *talloc_get_myname(TALLOC_CTX *ctx);
 char *get_mydnsdomname(TALLOC_CTX *ctx);
 int interpret_protocol(const char *str,int def);
 char *automount_lookup(TALLOC_CTX *ctx, const char *user_name);
 char *automount_lookup(TALLOC_CTX *ctx, const char *user_name);
 bool process_exists(const struct server_id pid);
 bool process_exists_by_pid(pid_t pid);
 const char *uidtoname(uid_t uid);
 char *gidtoname(gid_t gid);
 uid_t nametouid(const char *name);
@ -1290,20 +1208,12 @@ void ra_lanman_string( const char *native_lanman );
 const char *get_remote_arch_str(void);
 void set_remote_arch(enum remote_arch_types type);
 enum remote_arch_types get_remote_arch(void);
 void print_asc(int level, const unsigned char *buf,int len);
 void dump_data(int level, const unsigned char *buf1,int len);
 void dump_data_pw(const char *msg, const uchar * data, size_t len);
 void dump_data_skip_zeros(int level, const uint8_t *buf, int len);
 const char *tab_depth(int level, int depth);
 int str_checksum(const char *s);
 void zero_free(void *p, size_t size);
 int set_maxfiles(int requested_max);
 int smb_mkstemp(char *name_template);
 void *smb_xmalloc_array(size_t size, unsigned int count);
 void *smb_xmemdup(const void *p, size_t size);
 char *smb_xstrdup(const char *s);
 char *smb_xstrndup(const char *s, size_t n);
 void *memdup(const void *p, size_t size);
 char *myhostname(void);
 char *lock_path(const char *name);
 char *pid_path(const char *name);
@ -1364,17 +1274,8 @@ const char *strip_hostname(const char *s);
 /* The following definitions come from lib/util_file.c  */
 char *fgets_slash(char *s2,int maxlen,XFILE *f);
 char *file_load(const char *fname, size_t *size, size_t maxsize, TALLOC_CTX *mem_ctx);
 char **file_lines_parse(char *p, size_t size, int *numlines, TALLOC_CTX *mem_ctx);
 bool unmap_file(void* start, size_t size);
 void *map_file(const char *fname, size_t size);
 char **file_lines_load(const char *fname, int *numlines, size_t maxsize, TALLOC_CTX *mem_ctx);
 char **fd_lines_load(int fd, int *numlines, size_t maxsize, TALLOC_CTX *mem_ctx);
 char **file_lines_pload(const char *syscmd, int *numlines);
 void file_lines_free(char **lines);
 void file_lines_slashcont(char **lines);
 bool file_save(const char *fname, const void *packet, size_t length);
 /* The following definitions come from lib/util_nscd.c  */
@ -1486,21 +1387,15 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 bool interpret_string_addr_internal(struct addrinfo **ppres,
 					const char *str, int flags);
 bool is_ipaddress_v4(const char *str);
 bool is_ipaddress(const char *str);
 bool is_broadcast_addr(const struct sockaddr *pss);
 uint32 interpret_addr(const char *str);
 struct in_addr interpret_addr2(const char *str);
 bool interpret_string_addr(struct sockaddr_storage *pss,
 		const char *str,
 		int flags);
 bool is_loopback_ip_v4(struct in_addr ip);
 bool is_loopback_addr(const struct sockaddr *pss);
 bool is_zero_ip_v4(struct in_addr ip);
 bool is_zero_addr(const struct sockaddr *pss);
 void zero_ip_v4(struct in_addr *ip);
 void zero_addr(struct sockaddr_storage *pss);
 bool same_net_v4(struct in_addr ip1,struct in_addr ip2,struct in_addr mask);
 void in_addr_to_sockaddr_storage(struct sockaddr_storage *ss,
 		struct in_addr ip);
 bool same_net(const struct sockaddr *ip1,
@ -1581,22 +1476,17 @@ bool next_token_no_ltrim_talloc(TALLOC_CTX *ctx,
 			const char *sep);
 int StrCaseCmp(const char *s, const char *t);
 int StrnCaseCmp(const char *s, const char *t, size_t len);
 bool strequal(const char *s1, const char *s2);
 bool strnequal(const char *s1,const char *s2,size_t n);
 bool strcsequal(const char *s1,const char *s2);
 int strwicmp(const char *psz1, const char *psz2);
 void strnorm(char *s, int case_default);
 bool strisnormal(const char *s, int case_default);
 void string_replace( char *s, char oldc, char newc );
 char *push_skip_string(char *buf);
 char *skip_string(const char *base, size_t len, char *buf);
 size_t str_charnum(const char *s);
 size_t str_ascii_charnum(const char *s);
 bool trim_char(char *s,char cfront,char cback);
 bool trim_string(char *s,const char *front,const char *back);
 bool strhasupper(const char *s);
 bool strhaslower(const char *s);
 size_t count_chars(const char *s,char c);
 char *safe_strcpy_fn(const char *fn,
 		int line,
 		char *dest,
@ -1614,9 +1504,6 @@ char *alpha_strcpy_fn(const char *fn,
 		const char *other_safe_chars,
 		size_t maxlength);
 char *StrnCpy_fn(const char *fn, int line,char *dest,const char *src,size_t n);
 size_t strhex_to_str(char *buf, size_t buf_len, const char *strhex, size_t strhex_len);
 DATA_BLOB strhex_to_data_blob(TALLOC_CTX *mem_ctx, const char *strhex);
 char *hex_encode_talloc(TALLOC_CTX *mem_ctx, const unsigned char *buff_in, size_t len);
 bool in_list(const char *s, const char *list, bool casesensitive);
 void string_free(char **s);
 bool string_set(char **dest,const char *src);
@ -1664,10 +1551,6 @@ size_t strlen_m_term_null(const char *s);
 char *binary_string_rfc2254(char *buf, int len);
 char *binary_string(char *buf, int len);
 int fstr_sprintf(fstring s, const char *fmt, ...);
 char **str_list_make(TALLOC_CTX *mem_ctx, const char *string, const char *sep);
 char **str_list_copy(TALLOC_CTX *mem_ctx, const char **list);
 bool str_list_equal(const char **list1, const char **list2);
 size_t str_list_length( const char * const*list );
 bool str_list_sub_basic( char **list, const char *smb_name,
 			 const char *domain_name );
 bool str_list_substitute(char **list, const char *pattern, const char *insert);
@ -1698,10 +1581,8 @@ char *sstring_sub(const char *src, char front, char back);
 bool validate_net_name( const char *name,
 		const char *invalid_chars,
 		int max_len);
 size_t ascii_len_n(const char *src, size_t n);
 size_t utf16_len(const void *buf);
 size_t utf16_len_n(const void *src, size_t n);
 char *escape_shell_string(const char *src);
 char **str_list_make_v3(TALLOC_CTX *mem_ctx, const char *string, const char *sep);
 /* The following definitions come from lib/util_unistr.c  */
@ -1825,25 +1706,6 @@ void wins_srv_tags_free(char **list);
 struct in_addr wins_srv_ip_tag(const char *tag, struct in_addr src_ip);
 unsigned wins_srv_count_tag(const char *tag);
 /* The following definitions come from lib/xfile.c  */
 int x_setvbuf(XFILE *f, char *buf, int mode, size_t size);
 XFILE *x_fopen(const char *fname, int flags, mode_t mode);
 XFILE *x_fdup(const XFILE *f);
 int x_fclose(XFILE *f);
 size_t x_fwrite(const void *p, size_t size, size_t nmemb, XFILE *f);
 int x_fileno(const XFILE *f);
 int x_fflush(XFILE *f);
 void x_setbuffer(XFILE *f, char *buf, size_t size);
 void x_setbuf(XFILE *f, char *buf);
 void x_setlinebuf(XFILE *f);
 int x_feof(XFILE *f);
 int x_ferror(XFILE *f);
 int x_fgetc(XFILE *f);
 size_t x_fread(void *p, size_t size, size_t nmemb, XFILE *f);
 char *x_fgets(char *s, int size, XFILE *stream) ;
 off_t x_tseek(XFILE *f, off_t offset, int whence);
 /* The following definitions come from libads/ads_status.c  */
 ADS_STATUS ads_build_error(enum ads_error_type etype, 
@ -3075,12 +2937,6 @@ void netlogon_creds_client_step(struct dcinfo *dc,
 const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
 /* The following definitions come from libsmb/doserr.c  */
 const char *dos_errstr(WERROR werror);
 const char *get_friendly_werror_msg(WERROR werror);
 const char *win_errstr(WERROR werror);
 /* The following definitions come from libsmb/dsgetdcname.c  */
 void debug_dsdcinfo_flags(int lvl, uint32_t flags);
@ -5694,7 +5550,8 @@ void init_netr_SamInfo3(struct netr_SamInfo3 *r,
 			uint32_t sidcount,
 			struct netr_SidAttr *sids);
 NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info,
-				uint8_t pipe_session_key[16],
+				uint8_t *pipe_session_key,
 				size_t pipe_session_key_len,
 				struct netr_SamInfo3 *sam3);
 void init_netr_IdentityInfo(struct netr_IdentityInfo *r,
 			    const char *domain_name,
@ -7126,7 +6983,7 @@ void init_rpc_pipe_hnd(void);
 bool fsp_is_np(struct files_struct *fsp);
 NTSTATUS np_open(struct smb_request *smb_req, struct connection_struct *conn,
 		 const char *name, struct files_struct **pfsp);
-NTSTATUS np_write(struct files_struct *fsp, uint8_t *data, size_t len,
+NTSTATUS np_write(struct files_struct *fsp, const uint8_t *data, size_t len,
 		  ssize_t *nwritten);
 NTSTATUS np_read(struct files_struct *fsp, uint8_t *data, size_t len,
 		 ssize_t *nread, bool *is_data_outstanding);
@ -7743,7 +7600,7 @@ int wait_for_aio_completion(files_struct *fsp);
 /* The following definitions come from smbd/blocking.c  */
 bool push_blocking_lock_request( struct byte_range_lock *br_lck,
-		const struct smb_request *req,
+		struct smb_request *req,
 		files_struct *fsp,
 		int lock_timeout,
 		int lock_num,
@ -8017,7 +7874,7 @@ NTSTATUS dup_file_fsp(struct smb_request *req, files_struct *fsp,
 /* The following definitions come from smbd/ipc.c  */
 void send_trans_reply(connection_struct *conn,
-		      const uint8_t *inbuf,
+		      struct smb_request *req,
 		      char *rparam, int rparam_len,
 		      char *rdata, int rdata_len,
 		      bool buffer_too_large);
@ -8116,11 +7973,11 @@ void reply_negprot(struct smb_request *req);
 /* The following definitions come from smbd/notify.c  */
 void change_notify_reply(connection_struct *conn,
-			const uint8 *request_buf, uint32 max_param,
+			 struct smb_request *req, uint32 max_param,
 			 struct notify_change_buf *notify_buf);
 NTSTATUS change_notify_create(struct files_struct *fsp, uint32 filter,
 			      bool recursive);
-NTSTATUS change_notify_add_request(const struct smb_request *req,
+NTSTATUS change_notify_add_request(struct smb_request *req,
 				uint32 max_param,
 				uint32 filter, bool recursive,
 				struct files_struct *fsp);
@ -8185,6 +8042,10 @@ void reply_nttranss(struct smb_request *req);
 /* The following definitions come from smbd/open.c  */
 NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
                          const NT_USER_TOKEN *token,
                          uint32_t access_desired,
                          uint32_t *access_granted);
 NTSTATUS fd_close(files_struct *fsp);
 bool map_open_params_to_ntcreate(const char *fname, int deny_mode, int open_func,
 				 uint32 *paccess_mask,
@ -8372,7 +8233,7 @@ void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes);
 const char *smb_fn_name(int type);
 void add_to_common_flags2(uint32 v);
 void remove_from_common_flags2(uint32 v);
-void construct_reply_common(const char *inbuf, char *outbuf);
+void construct_reply_common_req(struct smb_request *req, char *outbuf);
 void chain_reply(struct smb_request *req);
 void check_reload(time_t t);
 void smbd_process(void);
@ -8414,6 +8275,12 @@ size_t srvstr_get_path(TALLOC_CTX *ctx,
 			size_t src_len,
 			int flags,
 			NTSTATUS *err);
 size_t srvstr_get_path_req_wcard(TALLOC_CTX *mem_ctx, struct smb_request *req,
 				 char **pp_dest, const char *src, int flags,
 				 NTSTATUS *err, bool *contains_wcard);
 size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
 			   char **pp_dest, const char *src, int flags,
 			   NTSTATUS *err);
 bool check_fsp_open(connection_struct *conn, struct smb_request *req,
 		    files_struct *fsp);
 bool check_fsp(connection_struct *conn, struct smb_request *req,
@ -8499,9 +8366,12 @@ NTSTATUS copy_file(TALLOC_CTX *ctx,
 			int count,
 			bool target_is_directory);
 void reply_copy(struct smb_request *req);
-uint32 get_lock_pid( char *data, int data_offset, bool large_file_format);
+uint32 get_lock_pid(const uint8_t *data, int data_offset,
-uint64_t get_lock_count( char *data, int data_offset, bool large_file_format);
+		    bool large_file_format);
-uint64_t get_lock_offset( char *data, int data_offset, bool large_file_format, bool *err);
+uint64_t get_lock_count(const uint8_t *data, int data_offset,
 			bool large_file_format);
 uint64_t get_lock_offset(const uint8_t *data, int data_offset,
 			 bool large_file_format, bool *err);
 void reply_lockingX(struct smb_request *req);
 void reply_readbmpx(struct smb_request *req);
 void reply_readbs(struct smb_request *req);
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@ -146,21 +146,6 @@ struct standard_mapping {
 #define STD_RIGHT_ALL_ACCESS		0x001F0000
 /* Combinations of standard masks. */
 #define STANDARD_RIGHTS_ALL_ACCESS	STD_RIGHT_ALL_ACCESS /* 0x001f0000 */
 #define STANDARD_RIGHTS_MODIFY_ACCESS	STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
 #define STANDARD_RIGHTS_EXECUTE_ACCESS	STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
 #define STANDARD_RIGHTS_READ_ACCESS	STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
 #define STANDARD_RIGHTS_WRITE_ACCESS \
 		(STD_RIGHT_WRITE_OWNER_ACCESS	| \
 		 STD_RIGHT_WRITE_DAC_ACCESS	| \
 		 STD_RIGHT_DELETE_ACCESS)	/* 0x000d0000 */
 #define STANDARD_RIGHTS_REQUIRED_ACCESS \
 		(STD_RIGHT_DELETE_ACCESS	| \
 		STD_RIGHT_READ_CONTROL_ACCESS	| \
 		STD_RIGHT_WRITE_DAC_ACCESS	| \
 		STD_RIGHT_WRITE_OWNER_ACCESS)	/* 0x000f0000 */
 /* File Object specific access rights */
 #define SA_RIGHT_FILE_READ_DATA		0x00000001
@ -214,177 +199,6 @@ struct standard_mapping {
 		SA_RIGHT_FILE_WRITE_DATA	| \
 		SA_RIGHT_FILE_READ_DATA)
 /* SAM server specific access rights */
 #define SA_RIGHT_SAM_CONNECT_SERVER	0x00000001
 #define SA_RIGHT_SAM_SHUTDOWN_SERVER	0x00000002
 #define SA_RIGHT_SAM_INITIALISE_SERVER	0x00000004
 #define SA_RIGHT_SAM_CREATE_DOMAIN	0x00000008
 #define SA_RIGHT_SAM_ENUM_DOMAINS	0x00000010
 #define SA_RIGHT_SAM_OPEN_DOMAIN	0x00000020
 #define SA_RIGHT_SAM_ALL_ACCESS		0x0000003F
 #define GENERIC_RIGHTS_SAM_ALL_ACCESS \
 		(STANDARD_RIGHTS_REQUIRED_ACCESS| \
 		SA_RIGHT_SAM_ALL_ACCESS)
 #define GENERIC_RIGHTS_SAM_READ	\
 		(STANDARD_RIGHTS_READ_ACCESS	| \
 		SA_RIGHT_SAM_ENUM_DOMAINS)
 #define GENERIC_RIGHTS_SAM_WRITE \
 		(STANDARD_RIGHTS_WRITE_ACCESS	| \
 		SA_RIGHT_SAM_CREATE_DOMAIN	| \
 		SA_RIGHT_SAM_INITIALISE_SERVER	| \
 		SA_RIGHT_SAM_SHUTDOWN_SERVER)
 #define GENERIC_RIGHTS_SAM_EXECUTE \
 		(STANDARD_RIGHTS_EXECUTE_ACCESS	| \
 		SA_RIGHT_SAM_OPEN_DOMAIN	| \
 		SA_RIGHT_SAM_CONNECT_SERVER)            
 /* Domain Object specific access rights */
 #define SA_RIGHT_DOMAIN_LOOKUP_INFO_1		0x00000001
 #define SA_RIGHT_DOMAIN_SET_INFO_1		0x00000002
 #define SA_RIGHT_DOMAIN_LOOKUP_INFO_2		0x00000004
 #define SA_RIGHT_DOMAIN_SET_INFO_2		0x00000008
 #define SA_RIGHT_DOMAIN_CREATE_USER		0x00000010
 #define SA_RIGHT_DOMAIN_CREATE_GROUP		0x00000020
 #define SA_RIGHT_DOMAIN_CREATE_ALIAS		0x00000040
 #define SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM	0x00000080
 #define SA_RIGHT_DOMAIN_ENUM_ACCOUNTS		0x00000100
 #define SA_RIGHT_DOMAIN_OPEN_ACCOUNT		0x00000200
 #define SA_RIGHT_DOMAIN_SET_INFO_3		0x00000400
 #define SA_RIGHT_DOMAIN_ALL_ACCESS		0x000007FF
 #define GENERIC_RIGHTS_DOMAIN_ALL_ACCESS \
 		(STANDARD_RIGHTS_REQUIRED_ACCESS| \
 		SA_RIGHT_DOMAIN_ALL_ACCESS)
 #define GENERIC_RIGHTS_DOMAIN_READ \
 		(STANDARD_RIGHTS_READ_ACCESS		| \
 		SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM	| \
 		SA_RIGHT_DOMAIN_LOOKUP_INFO_2)
 #define GENERIC_RIGHTS_DOMAIN_WRITE \
 		(STANDARD_RIGHTS_WRITE_ACCESS	| \
 		SA_RIGHT_DOMAIN_SET_INFO_3	| \
 		SA_RIGHT_DOMAIN_CREATE_ALIAS	| \
 		SA_RIGHT_DOMAIN_CREATE_GROUP	| \
 		SA_RIGHT_DOMAIN_CREATE_USER	| \
 		SA_RIGHT_DOMAIN_SET_INFO_2	| \
 		SA_RIGHT_DOMAIN_SET_INFO_1)
 #define GENERIC_RIGHTS_DOMAIN_EXECUTE \
 		(STANDARD_RIGHTS_EXECUTE_ACCESS	| \
 		SA_RIGHT_DOMAIN_OPEN_ACCOUNT	| \
 		SA_RIGHT_DOMAIN_ENUM_ACCOUNTS	| \
 		SA_RIGHT_DOMAIN_LOOKUP_INFO_1)            
 /* User Object specific access rights */
 #define SA_RIGHT_USER_GET_NAME_ETC	0x00000001
 #define SA_RIGHT_USER_GET_LOCALE	0x00000002
 #define SA_RIGHT_USER_SET_LOC_COM	0x00000004
 #define SA_RIGHT_USER_GET_LOGONINFO	0x00000008
 #define SA_RIGHT_USER_ACCT_FLAGS_EXPIRY	0x00000010
 #define SA_RIGHT_USER_SET_ATTRIBUTES	0x00000020
 #define SA_RIGHT_USER_CHANGE_PASSWORD	0x00000040
 #define SA_RIGHT_USER_SET_PASSWORD	0x00000080
 #define SA_RIGHT_USER_GET_GROUPS	0x00000100
 #define SA_RIGHT_USER_READ_GROUP_MEM	0x00000200
 #define SA_RIGHT_USER_CHANGE_GROUP_MEM	0x00000400
 #define SA_RIGHT_USER_ALL_ACCESS	0x000007FF
 #define GENERIC_RIGHTS_USER_ALL_ACCESS \
 		(STANDARD_RIGHTS_REQUIRED_ACCESS| \
 		SA_RIGHT_USER_ALL_ACCESS)	/* 0x000f07ff */
 #define GENERIC_RIGHTS_USER_READ \
 		(STANDARD_RIGHTS_READ_ACCESS	| \
 		SA_RIGHT_USER_READ_GROUP_MEM	| \
 		SA_RIGHT_USER_GET_GROUPS	| \
 		SA_RIGHT_USER_ACCT_FLAGS_EXPIRY	| \
 		SA_RIGHT_USER_GET_LOGONINFO	| \
 		SA_RIGHT_USER_GET_LOCALE)	/* 0x0002031a */
 #define GENERIC_RIGHTS_USER_WRITE \
 		(STANDARD_RIGHTS_WRITE_ACCESS	| \
 		SA_RIGHT_USER_CHANGE_PASSWORD	| \
 		SA_RIGHT_USER_SET_LOC_COM	| \
 		SA_RIGHT_USER_SET_ATTRIBUTES	| \
 		SA_RIGHT_USER_SET_PASSWORD	| \
 		SA_RIGHT_USER_CHANGE_GROUP_MEM)	/* 0x000204e4 */
 #define GENERIC_RIGHTS_USER_EXECUTE \
 		(STANDARD_RIGHTS_EXECUTE_ACCESS	| \
 		SA_RIGHT_USER_CHANGE_PASSWORD	| \
 		SA_RIGHT_USER_GET_NAME_ETC )	/* 0x00020041 */
 /* Group Object specific access rights */
 #define SA_RIGHT_GROUP_LOOKUP_INFO	0x00000001
 #define SA_RIGHT_GROUP_SET_INFO		0x00000002
 #define SA_RIGHT_GROUP_ADD_MEMBER	0x00000004
 #define SA_RIGHT_GROUP_REMOVE_MEMBER	0x00000008
 #define SA_RIGHT_GROUP_GET_MEMBERS	0x00000010
 #define SA_RIGHT_GROUP_ALL_ACCESS	0x0000001F
 #define GENERIC_RIGHTS_GROUP_ALL_ACCESS \
 		(STANDARD_RIGHTS_REQUIRED_ACCESS| \
 		SA_RIGHT_GROUP_ALL_ACCESS)	/* 0x000f001f */
 #define GENERIC_RIGHTS_GROUP_READ \
 		(STANDARD_RIGHTS_READ_ACCESS	| \
 		SA_RIGHT_GROUP_GET_MEMBERS)	/* 0x00020010 */
 #define GENERIC_RIGHTS_GROUP_WRITE \
 		(STANDARD_RIGHTS_WRITE_ACCESS	| \
 		SA_RIGHT_GROUP_REMOVE_MEMBER	| \
 		SA_RIGHT_GROUP_ADD_MEMBER	| \
 		SA_RIGHT_GROUP_SET_INFO )	/* 0x0002000e */
 #define GENERIC_RIGHTS_GROUP_EXECUTE \
 		(STANDARD_RIGHTS_EXECUTE_ACCESS	| \
 		SA_RIGHT_GROUP_LOOKUP_INFO)	/* 0x00020001 */
 /* Alias Object specific access rights */
 #define SA_RIGHT_ALIAS_ADD_MEMBER	0x00000001
 #define SA_RIGHT_ALIAS_REMOVE_MEMBER	0x00000002
 #define SA_RIGHT_ALIAS_GET_MEMBERS	0x00000004
 #define SA_RIGHT_ALIAS_LOOKUP_INFO	0x00000008
 #define SA_RIGHT_ALIAS_SET_INFO		0x00000010
 #define SA_RIGHT_ALIAS_ALL_ACCESS 	0x0000001F
 #define GENERIC_RIGHTS_ALIAS_ALL_ACCESS \
 		(STANDARD_RIGHTS_REQUIRED_ACCESS| \
 		SA_RIGHT_ALIAS_ALL_ACCESS)	/* 0x000f001f */
 #define GENERIC_RIGHTS_ALIAS_READ \
 		(STANDARD_RIGHTS_READ_ACCESS	| \
 		SA_RIGHT_ALIAS_GET_MEMBERS )	/* 0x00020004 */
 #define GENERIC_RIGHTS_ALIAS_WRITE \
 		(STANDARD_RIGHTS_WRITE_ACCESS	| \
 		SA_RIGHT_ALIAS_REMOVE_MEMBER	| \
 		SA_RIGHT_ALIAS_ADD_MEMBER	| \
 		SA_RIGHT_ALIAS_SET_INFO )	/* 0x00020013 */
 #define GENERIC_RIGHTS_ALIAS_EXECUTE \
 		(STANDARD_RIGHTS_EXECUTE_ACCESS	| \
 		SA_RIGHT_ALIAS_LOOKUP_INFO )	/* 0x00020008 */
 /*
 * Access Bits for registry ACLS
 */
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@ -625,12 +625,16 @@ struct current_user {
 };
 struct smb_request {
 	uint8_t cmd;
 	uint16 flags2;
 	uint16 smbpid;
 	uint16 mid;
 	uint16 vuid;
 	uint16 tid;
 	uint8  wct;
 	uint16_t *vwv;
 	uint16_t buflen;
 	const uint8_t *buf;
 	const uint8 *inbuf;
 	uint8 *outbuf;
 	size_t unread_bytes;
@ -1228,7 +1232,7 @@ struct bitmap {
 #define FILE_GENERIC_WRITE (STD_RIGHT_READ_CONTROL_ACCESS|FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|\
 							FILE_WRITE_EA|FILE_APPEND_DATA|SYNCHRONIZE_ACCESS)
-#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE_ACCESS|\
+#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE_ACCESS|FILE_READ_ATTRIBUTES|\
 								FILE_EXECUTE|SYNCHRONIZE_ACCESS)
 /* Share specific rights. */
--- a/source3/include/smb_macros.h
+++ b/source3/include/smb_macros.h
@ -34,29 +34,6 @@
 #define IS_DOS_SYSTEM(test_mode)   (((test_mode) & aSYSTEM) != 0)
 #define IS_DOS_HIDDEN(test_mode)   (((test_mode) & aHIDDEN) != 0)
 #ifndef SAFE_FREE /* Oh no this is also defined in tdb.h */
 /**
 * Free memory if the pointer and zero the pointer.
 *
 * @note You are explicitly allowed to pass NULL pointers -- they will
 * always be ignored.
 **/
 #define SAFE_FREE(x) do { if ((x) != NULL) {free(x); x=NULL;} } while(0)
 #endif
 /* assert macros */
 #ifdef DEVELOPER
 #define SMB_ASSERT(b) ( (b) ? (void)0 : \
        (DEBUG(0,("PANIC: assert failed at %s(%d): %s\n", \
 		 __FILE__, __LINE__, #b)), smb_panic("assert failed: " #b)))
 #else
 /* redefine the assert macro for non-developer builds */
 #define SMB_ASSERT(b) ( (b) ? (void)0 : \
        (DEBUG(0,("PANIC: assert failed at %s(%d): %s\n", \
 	    __FILE__, __LINE__, #b))))
 #endif
 #define SMB_WARN(condition, message) \
    ((condition) ? (void)0 : \
     DEBUG(0, ("WARNING: %s: %s\n", #condition, message)))
@ -75,8 +52,8 @@
 				return ERROR_NT(NT_STATUS_INVALID_HANDLE); \
 			} while(0)
-#define CHECK_READ(fsp,inbuf) (((fsp)->fh->fd != -1) && ((fsp)->can_read || \
+#define CHECK_READ(fsp,req) (((fsp)->fh->fd != -1) && ((fsp)->can_read || \
-			((SVAL((inbuf),smb_flg2) & FLAGS2_READ_PERMIT_EXECUTE) && \
+			((req->flags2 & FLAGS2_READ_PERMIT_EXECUTE) && \
 			 (fsp->access_mask & FILE_EXECUTE))))
 #define CHECK_WRITE(fsp) ((fsp)->can_write && ((fsp)->fh->fd != -1))
@ -115,17 +92,6 @@
 #define VALID_STAT_OF_DIR(st) (VALID_STAT(st) && S_ISDIR((st).st_mode))
 #define SET_STAT_INVALID(st) ((st).st_nlink = 0)
 #ifndef MIN
 #define MIN(a,b) ((a)<(b)?(a):(b))
 #endif
 #ifndef MAX
 #define MAX(a,b) ((a)>(b)?(a):(b))
 #endif
 #ifndef ABS
 #define ABS(a) ((a)>0?(a):(-(a)))
 #endif
 /* Macros to get at offsets within smb_lkrng and smb_unlkrng
   structures. We cannot define these as actual structures
   due to possible differences in structure packing
@ -165,6 +131,8 @@
 /* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */
 #define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf)))
 #define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf))
 /* Note that chain_size must be available as an extern int to this macro. */
 #define smb_offset(p,buf) (PTR_DIFF(p,buf+4) + chain_size)
@ -361,14 +329,6 @@ do { \
 #define ADD_TO_LARGE_ARRAY(mem_ctx, type, elem, array, num, size) \
 	add_to_large_array((mem_ctx), sizeof(type), &(elem), (void *)(array), (num), (size));
 #ifndef ISDOT
 #define ISDOT(p) (*(p) == '.' && *((p) + 1) == '\0')
 #endif /* ISDOT */
 #ifndef ISDOTDOT
 #define ISDOTDOT(p) (*(p) == '.' && *((p) + 1) == '.' && *((p) + 2) == '\0')
 #endif /* ISDOTDOT */
 #ifndef toupper_ascii_fast
 /* Warning - this must only be called with 0 <= c < 128. IT WILL
 * GIVE GARBAGE if c > 128 or c < 0. JRA.
--- a/source3/include/srvstr.h
+++ b/source3/include/srvstr.h
@ -17,10 +17,6 @@
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 #define srvstr_pull(base_ptr, smb_flags2, dest, src, dest_len, src_len, flags) \
    pull_string(base_ptr, smb_flags2, dest, src, dest_len, src_len, flags)
 /* talloc version of above. */
 #define srvstr_pull_talloc(ctx, base_ptr, smb_flags2, dest, src, src_len, flags) \
    pull_string_talloc(ctx, base_ptr, smb_flags2, dest, src, src_len, flags)
@ -29,9 +25,6 @@
   end of the smbbuf area 
 */
-#define srvstr_pull_buf(inbuf, smb_flags2, dest, src, dest_len, flags) \
+#define srvstr_pull_req_talloc(ctx, req_, dest, src, flags) \
-    pull_string(inbuf, smb_flags2, dest, src, dest_len, smb_bufrem(inbuf, src), flags)
+    pull_string_talloc(ctx, req_->inbuf, req_->flags2, dest, src, \
-
+		       smbreq_bufrem(req_, src), flags)
 /* talloc version of above. */
 #define srvstr_pull_buf_talloc(ctx, inbuf, smb_flags2, dest, src, flags) \
    pull_string_talloc(ctx, inbuf, smb_flags2, dest, src, smb_bufrem(inbuf, src), flags)
--- a/source3/lib/debug.c
+++ b/source3/lib/debug.c
@ -472,7 +472,7 @@ bool debug_parse_levels(const char *params_str)
 	if (AllowDebugChange == False)
 		return True;
-	params = str_list_make(talloc_tos(), params_str, NULL);
+	params = str_list_make_v3(talloc_tos(), params_str, NULL);
 	if (debug_parse_params(params)) {
 		debug_dump_status(5);
@ -680,8 +680,8 @@ bool reopen_logs( void )
 	force_check_log_size();
 	(void)umask(oldumask);
-	/* Take over stderr to catch ouput into logs */
+	/* Take over stderr to catch output into logs */
-	if (dbf && sys_dup2(x_fileno(dbf), 2) == -1) {
+	if (dbf && dup2(x_fileno(dbf), 2) == -1) {
 		close_low_fds(True); /* Close stderr too, if dup2 can't point it
 					at the logfile */
 	}
--- a/source3/lib/fault.c
+++ b/source3/lib/fault.c
@ -129,7 +129,7 @@ void dump_core_setup(const char *progname)
 	}
 	mkdir(corepath,0700);
-	sys_chown(corepath,getuid(),getgid());
+	chown(corepath,getuid(),getgid());
 	chmod(corepath,0700);
 	SAFE_FREE(logbase);
--- a/source3/lib/memcache.c
+++ b/source3/lib/memcache.c
@ -40,37 +40,11 @@ struct memcache {
 static void memcache_element_parse(struct memcache_element *e,
 				   DATA_BLOB *key, DATA_BLOB *value);
 static bool memcache_is_talloc(enum memcache_number n)
 {
 	bool result;
 	switch (n) {
 	case GETPWNAM_CACHE:
 	case PDB_GETPWSID_CACHE:
 	case SINGLETON_CACHE_TALLOC:
 		result = true;
 		break;
 	default:
 		result = false;
 		break;
 	}
 	return result;
 }
 static int memcache_destructor(struct memcache *cache) {
 	struct memcache_element *e, *next;
 	for (e = cache->mru; e != NULL; e = next) {
 		next = e->next;
 		if (memcache_is_talloc((enum memcache_number)e->n)
 		    && (e->valuelength == sizeof(void *))) {
 			DATA_BLOB key, value;
 			void *ptr;
 			memcache_element_parse(e, &key, &value);
 			memcpy(&ptr, value.data, sizeof(ptr));
 			TALLOC_FREE(ptr);
 		}
 		SAFE_FREE(e);
 	}
 	return 0;
--- a/source3/lib/module.c
+++ b/source3/lib/module.c
@ -37,11 +37,11 @@ static NTSTATUS do_smb_load_module(const char *module_name, bool is_probe)
 	 * backwards compatibility, there might be symbols in the 
 	 * plugin referencing to old (removed) functions
 	 */
-	handle = sys_dlopen(module_name, RTLD_LAZY);
+	handle = dlopen(module_name, RTLD_LAZY);
 	/* This call should reset any possible non-fatal errors that 
 	   occured since last call to dl* functions */
-	error = sys_dlerror();
+	error = dlerror();
 	if(!handle) {
 		int level = is_probe ? 3 : 0;
@ -49,15 +49,15 @@ static NTSTATUS do_smb_load_module(const char *module_name, bool is_probe)
 		return NT_STATUS_UNSUCCESSFUL;
 	}
-	init = (init_module_function *)sys_dlsym(handle, "init_samba_module");
+	init = (init_module_function *)dlsym(handle, "init_samba_module");
-	/* we must check sys_dlerror() to determine if it worked, because
+	/* we must check dlerror() to determine if it worked, because
-           sys_dlsym() can validly return NULL */
+           dlsym() can validly return NULL */
-	error = sys_dlerror();
+	error = dlerror();
 	if (error) {
 		DEBUG(0, ("Error trying to resolve symbol 'init_samba_module' "
 			  "in %s: %s\n", module_name, error));
-		sys_dlclose(handle);
+		dlclose(handle);
 		return NT_STATUS_UNSUCCESSFUL;
 	}
@ -67,7 +67,7 @@ static NTSTATUS do_smb_load_module(const char *module_name, bool is_probe)
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("Module '%s' initialization failed: %s\n",
 			    module_name, get_friendly_nt_error_msg(status)));
-		sys_dlclose(handle);
+		dlclose(handle);
 	}
 	return status;
--- a/source3/lib/popt_common.c
+++ b/source3/lib/popt_common.c
@ -39,7 +39,7 @@ extern bool override_logfile;
 static void set_logfile(poptContext con, const char * arg)
 {
-	char *logfile = NULL;
+	char *lfile = NULL;
 	const char *pname;
 	/* Find out basename of current program */
@ -50,11 +50,11 @@ static void set_logfile(poptContext con, const char * arg)
 	else
 		pname++;
-	if (asprintf(&logfile, "%s/log.%s", arg, pname) < 0) {
+	if (asprintf(&lfile, "%s/log.%s", arg, pname) < 0) {
 		return;
 	}
-	lp_set_logfile(logfile);
+	lp_set_logfile(lfile);
-	SAFE_FREE(logfile);
+	SAFE_FREE(lfile);
 }
 static bool PrintSambaVersionString;
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@ -529,7 +529,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 			/* First add the regular ACE entry. */
 			init_sec_ace(new_ace, ptrustee, ace->type,
-			     	ace->access_mask, SEC_ACE_FLAG_INHERITED_ACE);
+			     	ace->access_mask, 0);
 			DEBUG(5,("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x"
 				" inherited as %s:%d/0x%02x/0x%08x\n",
@ -546,10 +546,13 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 			ptrustee = creator;
 			new_flags |= SEC_ACE_FLAG_INHERIT_ONLY;
 		} else if (container &&
 				!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
 			ptrustee = &ace->trustee;
 		}
 		init_sec_ace(new_ace, ptrustee, ace->type,
-			     ace->access_mask, new_flags | SEC_ACE_FLAG_INHERITED_ACE);
+			     ace->access_mask, new_flags);
 		DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
 			  " inherited as %s:%d/0x%02x/0x%08x\n",
@ -563,19 +566,20 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 	}
 	/* Create child security descriptor to return */
-
+	if (new_ace_list_ndx) {
-	new_dacl = make_sec_acl(ctx,
+		new_dacl = make_sec_acl(ctx,
-				ACL_REVISION,
+				NT4_ACL_REVISION,
 				new_ace_list_ndx,
 				new_ace_list);
-	if (!new_dacl) {
+		if (!new_dacl) {
-		return NT_STATUS_NO_MEMORY;
+			return NT_STATUS_NO_MEMORY;
 		}
 	}
 	*ppsd = make_sec_desc(ctx,
 			SECURITY_DESCRIPTOR_REVISION_1,
-			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT|
+			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
 				SEC_DESC_DACL_DEFAULTED,
 			owner_sid,
 			group_sid,
 			NULL,
--- a/source3/lib/sharesec.c
+++ b/source3/lib/sharesec.c
@ -279,7 +279,6 @@ bool share_access_check(const NT_USER_TOKEN *token, const char *sharename,
 	NTSTATUS status;
 	SEC_DESC *psd = NULL;
 	size_t sd_size;
 	bool ret = True;
 	psd = get_share_security(talloc_tos(), sharename, &sd_size);
--- a/source3/lib/smbconf/smbconf_reg.c
+++ b/source3/lib/smbconf/smbconf_reg.c
@ -112,7 +112,7 @@ static WERROR smbconf_reg_open_path(TALLOC_CTX *mem_ctx,
 	if (!W_ERROR_IS_OK(werr)) {
 		DEBUG(5, ("Error opening registry path '%s': %s\n",
-			  path, dos_errstr(werr)));
+			  path, win_errstr(werr)));
 	}
 done:
@ -212,7 +212,7 @@ static WERROR smbconf_reg_create_service_key(TALLOC_CTX *mem_ctx,
 	}
 	if (!W_ERROR_IS_OK(werr)) {
 		DEBUG(5, ("Error creating key %s: %s\n",
-			 subkeyname, dos_errstr(werr)));
+			 subkeyname, win_errstr(werr)));
 	}
 done:
@ -283,7 +283,7 @@ static WERROR smbconf_reg_set_value(struct registry_key *key,
 	if (!W_ERROR_IS_OK(werr)) {
 		DEBUG(5, ("Error adding value '%s' to "
 			  "key '%s': %s\n",
-			  canon_valname, key->key->name, dos_errstr(werr)));
+			  canon_valname, key->key->name, win_errstr(werr)));
 	}
 done:
@ -327,7 +327,7 @@ static WERROR smbconf_reg_set_multi_sz_value(struct registry_key *key,
 	werr = reg_setvalue(key, valname, value);
 	if (!W_ERROR_IS_OK(werr)) {
 		DEBUG(5, ("Error adding value '%s' to key '%s': %s\n",
-			  valname, key->key->name, dos_errstr(werr)));
+			  valname, key->key->name, win_errstr(werr)));
 	}
 done:
@ -585,7 +585,7 @@ static WERROR smbconf_reg_delete_values(struct registry_key *key)
 		DEBUG(1, ("smbconf_reg_delete_values: "
 			  "Error enumerating values of %s: %s\n",
 			  key->key->name,
-			  dos_errstr(werr)));
+			  win_errstr(werr)));
 		goto done;
 	}
--- a/source3/lib/smbconf/testsuite.c
+++ b/source3/lib/smbconf/testsuite.c
@ -45,7 +45,7 @@ static bool test_get_includes(struct smbconf_ctx *ctx)
 	werr = smbconf_get_global_includes(ctx, mem_ctx,
 					   &num_includes, &includes);
 	if (!W_ERROR_IS_OK(werr)) {
-		printf("failure: get_includes - %s\n", dos_errstr(werr));
+		printf("failure: get_includes - %s\n", win_errstr(werr));
 		goto done;
 	}
@ -80,7 +80,7 @@ static bool test_set_get_includes(struct smbconf_ctx *ctx)
 	werr = smbconf_set_global_includes(ctx, set_num_includes, set_includes);
 	if (!W_ERROR_IS_OK(werr)) {
 		printf("failure: get_set_includes (setting includes) - %s\n",
-		       dos_errstr(werr));
+		       win_errstr(werr));
 		goto done;
 	}
@ -88,7 +88,7 @@ static bool test_set_get_includes(struct smbconf_ctx *ctx)
 					   &get_includes);
 	if (!W_ERROR_IS_OK(werr)) {
 		printf("failure: get_set_includes (getting includes) - %s\n",
-		       dos_errstr(werr));
+		       win_errstr(werr));
 		goto done;
 	}
@ -135,14 +135,14 @@ static bool test_delete_includes(struct smbconf_ctx *ctx)
 	werr = smbconf_set_global_includes(ctx, set_num_includes, set_includes);
 	if (!W_ERROR_IS_OK(werr)) {
 		printf("failure: delete_includes (setting includes) - %s\n",
-		       dos_errstr(werr));
+		       win_errstr(werr));
 		goto done;
 	}
 	werr = smbconf_delete_global_includes(ctx);
 	if (!W_ERROR_IS_OK(werr)) {
 		printf("failure: delete_includes (deleting includes) - %s\n",
-		       dos_errstr(werr));
+		       win_errstr(werr));
 		goto done;
 	}
@ -150,7 +150,7 @@ static bool test_delete_includes(struct smbconf_ctx *ctx)
 					   &get_includes);
 	if (!W_ERROR_IS_OK(werr)) {
 		printf("failure: delete_includes (getting includes) - %s\n",
-		       dos_errstr(werr));
+		       win_errstr(werr));
 		goto done;
 	}
@ -162,7 +162,7 @@ static bool test_delete_includes(struct smbconf_ctx *ctx)
 	werr = smbconf_delete_global_includes(ctx);
 	if (!W_ERROR_IS_OK(werr)) {
 		printf("failuer: delete_includes (delete empty includes) - "
-		       "%s\n", dos_errstr(werr));
+		       "%s\n", win_errstr(werr));
 		goto done;
 	}
@ -214,7 +214,7 @@ static bool torture_smbconf_txt(void)
 	printf("test: init\n");
 	werr = smbconf_init_txt(mem_ctx, &conf_ctx, filename);
 	if (!W_ERROR_IS_OK(werr)) {
-		printf("failure: init failed: %s\n", dos_errstr(werr));
+		printf("failure: init failed: %s\n", win_errstr(werr));
 		ret = false;
 		goto done;
 	}
@ -251,7 +251,7 @@ static bool torture_smbconf_reg(void)
 	printf("test: init\n");
 	werr = smbconf_init_reg(mem_ctx, &conf_ctx, NULL);
 	if (!W_ERROR_IS_OK(werr)) {
-		printf("failure: init failed: %s\n", dos_errstr(werr));
+		printf("failure: init failed: %s\n", win_errstr(werr));
 		ret = false;
 		goto done;
 	}
--- a/source3/lib/smbrun.c
+++ b/source3/lib/smbrun.c
@ -153,7 +153,7 @@ static int smbrun_internal(const char *cmd, int *outfd, bool sanitize)
 	/* point our stdout at the file we want output to go into */
 	if (outfd) {
 		close(1);
-		if (sys_dup2(*outfd,1) != 1) {
+		if (dup2(*outfd,1) != 1) {
 			DEBUG(2,("Failed to create stdout file descriptor\n"));
 			close(*outfd);
 			exit(80);
@ -305,7 +305,7 @@ int smbrunsecret(const char *cmd, const char *secret)
 	close(ifd[1]);
 	close(0);
-	if (sys_dup2(ifd[0], 0) != 0) {
+	if (dup2(ifd[0], 0) != 0) {
 		DEBUG(2,("Failed to create stdin file descriptor\n"));
 		close(ifd[0]);
 		exit(80);
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@ -537,21 +537,6 @@ int sys_mknod(const char *path, mode_t mode, SMB_DEV_T dev)
 #endif
 }
 /*******************************************************************
 Wrapper for realpath.
 ********************************************************************/
 char *sys_realpath(const char *path, char *resolved_path)
 {
 #if defined(HAVE_REALPATH)
 	return realpath(path, resolved_path);
 #else
 	/* As realpath is not a system call we can't return ENOSYS. */
 	errno = EINVAL;
 	return NULL;
 #endif
 }
 /*******************************************************************
 The wait() calls vary between systems
 ********************************************************************/
@ -580,104 +565,6 @@ char *sys_getwd(char *s)
 	return wd;
 }
 /*******************************************************************
 system wrapper for symlink
 ********************************************************************/
 int sys_symlink(const char *oldpath, const char *newpath)
 {
 #ifndef HAVE_SYMLINK
 	errno = ENOSYS;
 	return -1;
 #else
 	return symlink(oldpath, newpath);
 #endif
 }
 /*******************************************************************
 system wrapper for readlink
 ********************************************************************/
 int sys_readlink(const char *path, char *buf, size_t bufsiz)
 {
 #ifndef HAVE_READLINK
 	errno = ENOSYS;
 	return -1;
 #else
 	return readlink(path, buf, bufsiz);
 #endif
 }
 /*******************************************************************
 system wrapper for link
 ********************************************************************/
 int sys_link(const char *oldpath, const char *newpath)
 {
 #ifndef HAVE_LINK
 	errno = ENOSYS;
 	return -1;
 #else
 	return link(oldpath, newpath);
 #endif
 }
 /*******************************************************************
 chown isn't used much but OS/2 doesn't have it
 ********************************************************************/
 int sys_chown(const char *fname,uid_t uid,gid_t gid)
 {
 #ifndef HAVE_CHOWN
 	static int done;
 	if (!done) {
 		DEBUG(1,("WARNING: no chown!\n"));
 		done=1;
 	}
 	errno = ENOSYS;
 	return -1;
 #else
 	return(chown(fname,uid,gid));
 #endif
 }
 /*******************************************************************
 Wrapper for lchown.
 ********************************************************************/
 int sys_lchown(const char *fname,uid_t uid,gid_t gid)
 {
 #ifndef HAVE_LCHOWN
 	static int done;
 	if (!done) {
 		DEBUG(1,("WARNING: no lchown!\n"));
 		done=1;
 	}
 	errno = ENOSYS;
 	return -1;
 #else
 	return(lchown(fname,uid,gid));
 #endif
 }
 /*******************************************************************
 os/2 also doesn't have chroot
 ********************************************************************/
 int sys_chroot(const char *dname)
 {
 #ifndef HAVE_CHROOT
 	static int done;
 	if (!done) {
 		DEBUG(1,("WARNING: no chroot!\n"));
 		done=1;
 	}
 	errno = ENOSYS;
 	return -1;
 #else
 	return(chroot(dname));
 #endif
 }
 #if defined(HAVE_POSIX_CAPABILITIES)
 /**************************************************************************
@ -1303,56 +1190,6 @@ int sys_pclose(int fd)
 	return wstatus;
 }
 /**************************************************************************
 Wrappers for dlopen, dlsym, dlclose.
 ****************************************************************************/
 void *sys_dlopen(const char *name, int flags)
 {
 #if defined(HAVE_DLOPEN)
 	return dlopen(name, flags);
 #else
 	return NULL;
 #endif
 }
 void *sys_dlsym(void *handle, const char *symbol)
 {
 #if defined(HAVE_DLSYM)
    return dlsym(handle, symbol);
 #else
    return NULL;
 #endif
 }
 int sys_dlclose (void *handle)
 {
 #if defined(HAVE_DLCLOSE)
 	return dlclose(handle);
 #else
 	return 0;
 #endif
 }
 const char *sys_dlerror(void)
 {
 #if defined(HAVE_DLERROR)
 	return dlerror();
 #else
 	return NULL;
 #endif
 }
 int sys_dup2(int oldfd, int newfd) 
 {
 #if defined(HAVE_DUP2)
 	return dup2(oldfd, newfd);
 #else
 	errno = ENOSYS;
 	return -1;
 #endif
 }
 /**************************************************************************
 Wrapper for Admin Logs.
 ****************************************************************************/
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@ -1497,7 +1497,7 @@ uid_t nametouid(const char *name)
 	char *p;
 	uid_t u;
-	pass = getpwnam_alloc(NULL, name);
+	pass = getpwnam_alloc(talloc_autofree_context(), name);
 	if (pass) {
 		u = pass->pw_uid;
 		TALLOC_FREE(pass);
@ -2255,8 +2255,8 @@ char *myhostname(void)
 	static char *ret;
 	if (ret == NULL) {
 		/* This is cached forever so
-		 * use NULL talloc ctx. */
+		 * use talloc_autofree_context() ctx. */
-		ret = talloc_get_myname(NULL);
+		ret = talloc_get_myname(talloc_autofree_context());
 	}
 	return ret;
 }
--- a/source3/lib/util_pw.c
+++ b/source3/lib/util_pw.c
@ -57,7 +57,7 @@ struct passwd *getpwnam_alloc(TALLOC_CTX *mem_ctx, const char *name)
 		return NULL;
 	}
-	cached = tcopy_passwd(NULL, temp);
+	cached = tcopy_passwd(talloc_autofree_context(), temp);
 	if (cached == NULL) {
 		/*
 		 * Just don't add this into the cache, ignore the failure
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@ -164,10 +164,17 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 	/* handle the maximum allowed flag */
 	if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
 		uint32_t orig_access_desired = access_desired;
 		access_desired |= access_check_max_allowed(sd, token);
 		access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
 		*access_granted = access_desired;
 		bits_remaining = access_desired & ~SEC_STD_DELETE;
 		DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
 			orig_access_desired,
 			*access_granted,
 			bits_remaining));
 	}
 #if 0
--- a/source3/lib/util_str.c
+++ b/source3/lib/util_str.c
@ -2532,3 +2532,19 @@ char *escape_shell_string(const char *src)
 	*dest++ = '\0';
 	return ret;
 }
 /***************************************************
 Wrapper for str_list_make() to restore the s3 behavior.
 In samba 3.2 passing NULL or an empty string returned NULL.
 In master, it now returns a list of length 1 with the first string set
 to NULL (an empty list)
 ***************************************************/
 char **str_list_make_v3(TALLOC_CTX *mem_ctx, const char *string, const char *sep)
 {
 	if (!string || !*string) {
 		return NULL;
 	}
 	return str_list_make(mem_ctx, string, sep);
 }
--- a/source3/libads/ldap_printer.c
+++ b/source3/libads/ldap_printer.c
@ -309,7 +309,7 @@ WERROR get_remote_printer_publishing_data(struct rpc_pipe_client *cli,
 					     &pol);
 	if (!W_ERROR_IS_OK(result)) {
 		DEBUG(3, ("Unable to open printer %s, error is %s.\n",
-			  printername, dos_errstr(result)));
+			  printername, win_errstr(result)));
 		return result;
 	}
@ -320,7 +320,7 @@ WERROR get_remote_printer_publishing_data(struct rpc_pipe_client *cli,
 	if (!W_ERROR_IS_OK(result)) {
 		DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n",
-			  printername, dos_errstr(result)));
+			  printername, win_errstr(result)));
 	} else {
 		uint32 num_values = regval_ctr_numvals( dsdriver_ctr );
@ -337,7 +337,7 @@ WERROR get_remote_printer_publishing_data(struct rpc_pipe_client *cli,
 	if (!W_ERROR_IS_OK(result)) {
 		DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n",
-			  printername, dos_errstr(result)));
+			  printername, win_errstr(result)));
 	} else {
 		uint32 num_values = regval_ctr_numvals( dsspooler_ctr );
--- a/source3/libgpo/gpext/gpext.c
+++ b/source3/libgpo/gpext/gpext.c
@ -603,7 +603,7 @@ NTSTATUS init_gp_extensions(TALLOC_CTX *mem_ctx)
 			werr = gp_extension_store_reg(mem_ctx, reg_ctx, info);
 			if (!W_ERROR_IS_OK(werr)) {
 				DEBUG(1,("gp_extension_store_reg failed: %s\n",
-					dos_errstr(werr)));
+					win_errstr(werr)));
 				TALLOC_FREE(info);
 				gpext->methods->shutdown();
 				status = werror_to_ntstatus(werr);
--- a/source3/libgpo/gpext/registry.c
+++ b/source3/libgpo/gpext/registry.c
@ -502,7 +502,7 @@ static WERROR reg_apply_registry(TALLOC_CTX *mem_ctx,
 						token, flags);
 		if (!W_ERROR_IS_OK(werr)) {
 			DEBUG(0,("failed to apply registry: %s\n",
-				dos_errstr(werr)));
+				win_errstr(werr)));
 			goto done;
 		}
 	}
@ -554,7 +554,7 @@ static NTSTATUS registry_process_group_policy(ADS_STRUCT *ads,
 				  entries, num_entries);
 	if (!W_ERROR_IS_OK(werr)) {
 		DEBUG(0,("failed to apply registry: %s\n",
-			dos_errstr(werr)));
+			win_errstr(werr)));
 		return werror_to_ntstatus(werr);
 	}
--- a/source3/libgpo/gpext/scripts.c
+++ b/source3/libgpo/gpext/scripts.c
@ -311,7 +311,7 @@ static WERROR scripts_apply(TALLOC_CTX *mem_ctx,
 						token, flags);
 		if (!W_ERROR_IS_OK(werr)) {
 			DEBUG(0,("failed to apply registry: %s\n",
-				dos_errstr(werr)));
+				win_errstr(werr)));
 			goto done;
 		}
 	}
--- a/source3/libgpo/gpo_ldap.c
+++ b/source3/libgpo/gpo_ldap.c
@ -44,7 +44,7 @@ bool ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
 		goto parse_error;
 	}
-	ext_list = str_list_make(mem_ctx, extension_raw, "]");
+	ext_list = str_list_make_v3(mem_ctx, extension_raw, "]");
 	if (!ext_list) {
 		goto parse_error;
 	}
@ -87,7 +87,7 @@ bool ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
 			p++;
 		}
-		ext_strings = str_list_make(mem_ctx, p, "}");
+		ext_strings = str_list_make_v3(mem_ctx, p, "}");
 		if (ext_strings == NULL) {
 			goto parse_error;
 		}
@ -162,7 +162,7 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
 	DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw));
-	link_list = str_list_make(mem_ctx, gp_link_raw, "]");
+	link_list = str_list_make_v3(mem_ctx, gp_link_raw, "]");
 	if (!link_list) {
 		goto parse_error;
 	}
--- a/source3/libgpo/gpo_reg.c
+++ b/source3/libgpo/gpo_reg.c
@ -466,13 +466,13 @@ WERROR gp_reg_state_store(TALLOC_CTX *mem_ctx,
 	werr = gp_secure_key(mem_ctx, flags, reg_ctx->curr_key,
 			     &token->user_sids[0]);
 	if (!W_ERROR_IS_OK(werr)) {
-		DEBUG(0,("failed to secure key: %s\n", dos_errstr(werr)));
+		DEBUG(0,("failed to secure key: %s\n", win_errstr(werr)));
 		goto done;
 	}
 	werr = gp_reg_store_groupmembership(mem_ctx, reg_ctx, token, flags);
 	if (!W_ERROR_IS_OK(werr)) {
-		DEBUG(0,("failed to store group membership: %s\n", dos_errstr(werr)));
+		DEBUG(0,("failed to store group membership: %s\n", win_errstr(werr)));
 		goto done;
 	}
@ -484,7 +484,7 @@ WERROR gp_reg_state_store(TALLOC_CTX *mem_ctx,
 	werr = gp_del_reg_state(mem_ctx, reg_ctx->curr_key, subkeyname);
 	if (!W_ERROR_IS_OK(werr)) {
-		DEBUG(0,("failed to delete old state: %s\n", dos_errstr(werr)));
+		DEBUG(0,("failed to delete old state: %s\n", win_errstr(werr)));
 		/* goto done; */
 	}
@ -534,7 +534,7 @@ WERROR gp_reg_state_store(TALLOC_CTX *mem_ctx,
 		if (!W_ERROR_IS_OK(werr)) {
 			DEBUG(0,("gp_reg_state_store: "
 				"gpo_store_reg_gpovals failed for %s: %s\n",
-				gpo->display_name, dos_errstr(werr)));
+				gpo->display_name, win_errstr(werr)));
 			goto done;
 		}
 	}
@ -663,7 +663,7 @@ WERROR gp_reg_state_read(TALLOC_CTX *mem_ctx,
 		if (!W_ERROR_IS_OK(werr)) {
 			DEBUG(0,("gp_reg_state_read: "
 				"gp_read_reg_subkey gave: %s\n",
-				dos_errstr(werr)));
+				win_errstr(werr)));
 			goto done;
 		}
@ -941,7 +941,7 @@ WERROR reg_apply_registry_entry(TALLOC_CTX *mem_ctx,
 				   root_key, &key);
 				   /* reg_ctx->curr_key, &key); */
 	if (!W_ERROR_IS_OK(werr)) {
-		DEBUG(0,("gp_store_reg_subkey failed: %s\n", dos_errstr(werr)));
+		DEBUG(0,("gp_store_reg_subkey failed: %s\n", win_errstr(werr)));
 		return werr;
 	}
@ -957,7 +957,7 @@ WERROR reg_apply_registry_entry(TALLOC_CTX *mem_ctx,
 			if (!W_ERROR_IS_OK(werr)) {
 				DEBUG(0,("reg_apply_registry_entry: "
 					"gp_secure_key failed: %s\n",
-					dos_errstr(werr)));
+					win_errstr(werr)));
 				return werr;
 			}
 			break;
@ -966,7 +966,7 @@ WERROR reg_apply_registry_entry(TALLOC_CTX *mem_ctx,
 			if (!W_ERROR_IS_OK(werr)) {
 				DEBUG(0,("reg_apply_registry_entry: "
 					"reg_setvalue failed: %s\n",
-					dos_errstr(werr)));
+					win_errstr(werr)));
 				dump_reg_entry(flags, "STORE", entry);
 				return werr;
 			}
@ -976,7 +976,7 @@ WERROR reg_apply_registry_entry(TALLOC_CTX *mem_ctx,
 			if (!W_ERROR_IS_OK(werr)) {
 				DEBUG(0,("reg_apply_registry_entry: "
 					"reg_deletevalue failed: %s\n",
-					dos_errstr(werr)));
+					win_errstr(werr)));
 				dump_reg_entry(flags, "STORE", entry);
 				return werr;
 			}
@ -986,7 +986,7 @@ WERROR reg_apply_registry_entry(TALLOC_CTX *mem_ctx,
 			if (!W_ERROR_IS_OK(werr)) {
 				DEBUG(0,("reg_apply_registry_entry: "
 					"reg_deleteallvalues failed: %s\n",
-					dos_errstr(werr)));
+					win_errstr(werr)));
 				dump_reg_entry(flags, "STORE", entry);
 				return werr;
 			}
--- a/source3/libnet/libnet_samsync_display.c
+++ b/source3/libnet/libnet_samsync_display.c
@ -126,7 +126,7 @@ static void display_group_info(uint32_t rid, struct netr_DELTA_GROUP *r)
 static void display_delete_group(uint32_t rid)
 {
-	d_printf("Delete Group '%d' ", rid);
+	d_printf("Delete Group '%d'\n", rid);
 }
 static void display_rename_group(uint32_t rid, struct netr_DELTA_RENAME *r)
@ -138,7 +138,7 @@ static void display_rename_group(uint32_t rid, struct netr_DELTA_RENAME *r)
 static void display_delete_user(uint32_t rid)
 {
-	d_printf("Delete User '%d' ", rid);
+	d_printf("Delete User '%d'\n", rid);
 }
 static void display_rename_user(uint32_t rid, struct netr_DELTA_RENAME *r)
@ -150,7 +150,7 @@ static void display_rename_user(uint32_t rid, struct netr_DELTA_RENAME *r)
 static void display_delete_alias(uint32_t rid)
 {
-	d_printf("Delete Alias '%d' ", rid);
+	d_printf("Delete Alias '%d'\n", rid);
 }
 static void display_rename_alias(uint32_t rid, struct netr_DELTA_RENAME *r)
--- a/source3/libnet/libnet_samsync_passdb.c
+++ b/source3/libnet/libnet_samsync_passdb.c
@ -118,12 +118,12 @@ static NTSTATUS sam_account_from_delta(struct samu *account,
 			pdb_set_profile_path(account, new_string, PDB_CHANGED);
 	}
-	if (r->parameters.string) {
+	if (r->parameters.array) {
 		DATA_BLOB mung;
 		char *newstr;
 		old_string = pdb_get_munged_dial(account);
-		mung.length = r->parameters.length;
+		mung.length = r->parameters.length * 2;
-		mung.data = (uint8 *) r->parameters.string;
+		mung.data = (uint8_t *) r->parameters.array;
 		newstr = (mung.length == 0) ? NULL :
 			base64_encode_data_blob(talloc_tos(), mung);
--- a/source3/librpc/gen_ndr/cli_netlogon.c
+++ b/source3/librpc/gen_ndr/cli_netlogon.c
@ -890,11 +890,11 @@ NTSTATUS rpccli_netr_DatabaseRedo(struct rpc_pipe_client *cli,
 				  TALLOC_CTX *mem_ctx,
 				  const char *logon_server /* [in] [charset(UTF16)] */,
 				  const char *computername /* [in] [charset(UTF16)] */,
-				  struct netr_Authenticator credential /* [in]  */,
+				  struct netr_Authenticator *credential /* [in] [ref] */,
 				  struct netr_Authenticator *return_authenticator /* [in,out] [ref] */,
-				  uint8_t *change_log_entry /* [in] [unique,size_is(change_log_entry_size)] */,
+				  struct netr_ChangeLogEntry change_log_entry /* [in] [subcontext_size(change_log_entry_size),subcontext(4)] */,
-				  uint32_t change_log_entry_size /* [in]  */,
+				  uint32_t change_log_entry_size /* [in] [value(ndr_size_netr_ChangeLogEntry(&change_log_entry,ndr->flags))] */,
-				  struct netr_DELTA_ENUM_ARRAY *delta_enum_array /* [out] [ref] */)
+				  struct netr_DELTA_ENUM_ARRAY **delta_enum_array /* [out] [ref] */)
 {
 	struct netr_DatabaseRedo r;
 	NTSTATUS status;
--- a/source3/librpc/gen_ndr/cli_netlogon.h
+++ b/source3/librpc/gen_ndr/cli_netlogon.h
@ -156,11 +156,11 @@ NTSTATUS rpccli_netr_DatabaseRedo(struct rpc_pipe_client *cli,
 				  TALLOC_CTX *mem_ctx,
 				  const char *logon_server /* [in] [charset(UTF16)] */,
 				  const char *computername /* [in] [charset(UTF16)] */,
-				  struct netr_Authenticator credential /* [in]  */,
+				  struct netr_Authenticator *credential /* [in] [ref] */,
 				  struct netr_Authenticator *return_authenticator /* [in,out] [ref] */,
-				  uint8_t *change_log_entry /* [in] [unique,size_is(change_log_entry_size)] */,
+				  struct netr_ChangeLogEntry change_log_entry /* [in] [subcontext_size(change_log_entry_size),subcontext(4)] */,
-				  uint32_t change_log_entry_size /* [in]  */,
+				  uint32_t change_log_entry_size /* [in] [value(ndr_size_netr_ChangeLogEntry(&change_log_entry,ndr->flags))] */,
-				  struct netr_DELTA_ENUM_ARRAY *delta_enum_array /* [out] [ref] */);
+				  struct netr_DELTA_ENUM_ARRAY **delta_enum_array /* [out] [ref] */);
 NTSTATUS rpccli_netr_LogonControl2Ex(struct rpc_pipe_client *cli,
 				     TALLOC_CTX *mem_ctx,
 				     const char *logon_server /* [in] [unique,charset(UTF16)] */,
--- a/source3/librpc/gen_ndr/cli_samr.c
+++ b/source3/librpc/gen_ndr/cli_samr.c
@ -2022,7 +2022,7 @@ NTSTATUS rpccli_samr_QueryUserInfo2(struct rpc_pipe_client *cli,
 				    TALLOC_CTX *mem_ctx,
 				    struct policy_handle *user_handle /* [in] [ref] */,
 				    uint16_t level /* [in]  */,
-				    union samr_UserInfo *info /* [out] [ref,switch_is(level)] */)
+				    union samr_UserInfo **info /* [out] [ref,switch_is(level)] */)
 {
 	struct samr_QueryUserInfo2 r;
 	NTSTATUS status;
@ -2838,7 +2838,7 @@ NTSTATUS rpccli_samr_RidToSid(struct rpc_pipe_client *cli,
 			      TALLOC_CTX *mem_ctx,
 			      struct policy_handle *domain_handle /* [in] [ref] */,
 			      uint32_t rid /* [in]  */,
-			      struct dom_sid2 *sid /* [out] [ref] */)
+			      struct dom_sid2 **sid /* [out] [ref] */)
 {
 	struct samr_RidToSid r;
 	NTSTATUS status;
@ -2921,8 +2921,8 @@ NTSTATUS rpccli_samr_SetDsrmPassword(struct rpc_pipe_client *cli,
 NTSTATUS rpccli_samr_ValidatePassword(struct rpc_pipe_client *cli,
 				      TALLOC_CTX *mem_ctx,
 				      enum samr_ValidatePasswordLevel level /* [in]  */,
-				      union samr_ValidatePasswordReq req /* [in] [switch_is(level)] */,
+				      union samr_ValidatePasswordReq *req /* [in] [ref,switch_is(level)] */,
-				      union samr_ValidatePasswordRep *rep /* [out] [ref,switch_is(level)] */)
+				      union samr_ValidatePasswordRep **rep /* [out] [ref,switch_is(level)] */)
 {
 	struct samr_ValidatePassword r;
 	NTSTATUS status;
--- a/source3/librpc/gen_ndr/cli_samr.h
+++ b/source3/librpc/gen_ndr/cli_samr.h
@ -255,7 +255,7 @@ NTSTATUS rpccli_samr_QueryUserInfo2(struct rpc_pipe_client *cli,
 				    TALLOC_CTX *mem_ctx,
 				    struct policy_handle *user_handle /* [in] [ref] */,
 				    uint16_t level /* [in]  */,
-				    union samr_UserInfo *info /* [out] [ref,switch_is(level)] */);
+				    union samr_UserInfo **info /* [out] [ref,switch_is(level)] */);
 NTSTATUS rpccli_samr_QueryDisplayInfo2(struct rpc_pipe_client *cli,
 				       TALLOC_CTX *mem_ctx,
 				       struct policy_handle *domain_handle /* [in] [ref] */,
@ -375,7 +375,7 @@ NTSTATUS rpccli_samr_RidToSid(struct rpc_pipe_client *cli,
 			      TALLOC_CTX *mem_ctx,
 			      struct policy_handle *domain_handle /* [in] [ref] */,
 			      uint32_t rid /* [in]  */,
-			      struct dom_sid2 *sid /* [out] [ref] */);
+			      struct dom_sid2 **sid /* [out] [ref] */);
 NTSTATUS rpccli_samr_SetDsrmPassword(struct rpc_pipe_client *cli,
 				     TALLOC_CTX *mem_ctx,
 				     struct lsa_String *name /* [in] [unique] */,
@ -384,6 +384,6 @@ NTSTATUS rpccli_samr_SetDsrmPassword(struct rpc_pipe_client *cli,
 NTSTATUS rpccli_samr_ValidatePassword(struct rpc_pipe_client *cli,
 				      TALLOC_CTX *mem_ctx,
 				      enum samr_ValidatePasswordLevel level /* [in]  */,
-				      union samr_ValidatePasswordReq req /* [in] [switch_is(level)] */,
+				      union samr_ValidatePasswordReq *req /* [in] [ref,switch_is(level)] */,
-				      union samr_ValidatePasswordRep *rep /* [out] [ref,switch_is(level)] */);
+				      union samr_ValidatePasswordRep **rep /* [out] [ref,switch_is(level)] */);
 #endif /* __CLI_SAMR__ */
--- a/source3/librpc/gen_ndr/dom_sid.h
+++ b/source3/librpc/gen_ndr/dom_sid.h
@ -0,0 +1,15 @@
 /* header auto-generated by pidl */
 #include <stdint.h>
 #define dom_sid2 dom_sid
 #define dom_sid28 dom_sid
 #define dom_sid0 dom_sid
 #ifndef _HEADER_dom_sid
 #define _HEADER_dom_sid
 struct _dummy_domsid {
 	uint8_t dummy;
 };
 #endif /* _HEADER_dom_sid */
--- a/source3/librpc/gen_ndr/misc.h
+++ b/source3/librpc/gen_ndr/misc.h
@ -2,9 +2,12 @@
 #include <stdint.h>
 #define netr_SamDatabaseID8Bit netr_SamDatabaseID
 #ifndef _HEADER_misc
 #define _HEADER_misc
 enum netr_SamDatabaseID8Bit;
 struct GUID {
 	uint32_t time_low;
 	uint16_t time_mid;
--- a/source3/librpc/gen_ndr/named_pipe_auth.h
+++ b/source3/librpc/gen_ndr/named_pipe_auth.h
@ -0,0 +1,32 @@
 /* header auto-generated by pidl */
 #include <stdint.h>
 #include "librpc/gen_ndr/netlogon.h"
 #ifndef _HEADER_named_pipe_auth
 #define _HEADER_named_pipe_auth
 #define NAMED_PIPE_AUTH_MAGIC	( "NPAM" )
 union named_pipe_auth_req_info {
 	struct netr_SamInfo3 info1;/* [case] */
 }/* [switch_type(uint32)] */;
 struct named_pipe_auth_req {
 	uint32_t length;/* [value(ndr_size_named_pipe_auth_req(r,ndr->flags)-4),flag(LIBNDR_FLAG_BIGENDIAN)] */
 	const char *magic;/* [value(NAMED_PIPE_AUTH_MAGIC),charset(DOS)] */
 	uint32_t level;
 	union named_pipe_auth_req_info info;/* [switch_is(level)] */
 }/* [gensize,public] */;
 union named_pipe_auth_rep_info {
 }/* [switch_type(uint32)] */;
 struct named_pipe_auth_rep {
 	uint32_t length;/* [value(ndr_size_named_pipe_auth_rep(r,ndr->flags)-4),flag(LIBNDR_FLAG_BIGENDIAN)] */
 	const char *magic;/* [value(NAMED_PIPE_AUTH_MAGIC),charset(DOS)] */
 	uint32_t level;
 	union named_pipe_auth_rep_info info;/* [switch_is(level)] */
 	NTSTATUS status;
 }/* [gensize,public] */;
 #endif /* _HEADER_named_pipe_auth */
--- a/source3/librpc/gen_ndr/ndr_dom_sid.h
+++ b/source3/librpc/gen_ndr/ndr_dom_sid.h
@ -0,0 +1,10 @@
 /* header auto-generated by pidl */
 #include "librpc/ndr/libndr.h"
 #include "librpc/gen_ndr/dom_sid.h"
 #ifndef _HEADER_NDR_dom_sid
 #define _HEADER_NDR_dom_sid
 #define NDR_DOM_SID_CALL_COUNT (0)
 #endif /* _HEADER_NDR_dom_sid */
--- a/source3/librpc/gen_ndr/ndr_named_pipe_auth.c
+++ b/source3/librpc/gen_ndr/ndr_named_pipe_auth.c
@ -0,0 +1,302 @@
 /* parser auto-generated by pidl */
 #include "includes.h"
 #include "librpc/gen_ndr/ndr_named_pipe_auth.h"
 #include "librpc/gen_ndr/ndr_netlogon.h"
 static enum ndr_err_code ndr_push_named_pipe_auth_req_info(struct ndr_push *ndr, int ndr_flags, const union named_pipe_auth_req_info *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
 		int level = ndr_push_get_switch_value(ndr, r);
 		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, level));
 		switch (level) {
 			case 0: {
 			break; }
 			case 1: {
 				NDR_CHECK(ndr_push_netr_SamInfo3(ndr, NDR_SCALARS, &r->info1));
 			break; }
 			default:
 				return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level);
 		}
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		int level = ndr_push_get_switch_value(ndr, r);
 		switch (level) {
 			case 0:
 			break;
 			case 1:
 				NDR_CHECK(ndr_push_netr_SamInfo3(ndr, NDR_BUFFERS, &r->info1));
 			break;
 			default:
 				return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level);
 		}
 	}
 	return NDR_ERR_SUCCESS;
 }
 static enum ndr_err_code ndr_pull_named_pipe_auth_req_info(struct ndr_pull *ndr, int ndr_flags, union named_pipe_auth_req_info *r)
 {
 	int level;
 	uint32_t _level;
 	level = ndr_pull_get_switch_value(ndr, r);
 	if (ndr_flags & NDR_SCALARS) {
 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level));
 		if (_level != level) {
 			return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u for r", _level);
 		}
 		switch (level) {
 			case 0: {
 			break; }
 			case 1: {
 				NDR_CHECK(ndr_pull_netr_SamInfo3(ndr, NDR_SCALARS, &r->info1));
 			break; }
 			default:
 				return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level);
 		}
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		switch (level) {
 			case 0:
 			break;
 			case 1:
 				NDR_CHECK(ndr_pull_netr_SamInfo3(ndr, NDR_BUFFERS, &r->info1));
 			break;
 			default:
 				return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level);
 		}
 	}
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ void ndr_print_named_pipe_auth_req_info(struct ndr_print *ndr, const char *name, const union named_pipe_auth_req_info *r)
 {
 	int level;
 	level = ndr_print_get_switch_value(ndr, r);
 	ndr_print_union(ndr, name, level, "named_pipe_auth_req_info");
 	switch (level) {
 		case 0:
 		break;
 		case 1:
 			ndr_print_netr_SamInfo3(ndr, "info1", &r->info1);
 		break;
 		default:
 			ndr_print_bad_level(ndr, name, level);
 	}
 }
 _PUBLIC_ enum ndr_err_code ndr_push_named_pipe_auth_req(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_req *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
 		NDR_CHECK(ndr_push_align(ndr, 4));
 		{
 			uint32_t _flags_save_uint32 = ndr->flags;
 			ndr_set_flags(&ndr->flags, LIBNDR_FLAG_BIGENDIAN);
 			NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_size_named_pipe_auth_req(r, ndr->flags) - 4));
 			ndr->flags = _flags_save_uint32;
 		}
 		NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, NAMED_PIPE_AUTH_MAGIC, 4, sizeof(uint8_t), CH_DOS));
 		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->level));
 		NDR_CHECK(ndr_push_set_switch_value(ndr, &r->info, r->level));
 		NDR_CHECK(ndr_push_named_pipe_auth_req_info(ndr, NDR_SCALARS, &r->info));
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		NDR_CHECK(ndr_push_named_pipe_auth_req_info(ndr, NDR_BUFFERS, &r->info));
 	}
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_req(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
 		NDR_CHECK(ndr_pull_align(ndr, 4));
 		{
 			uint32_t _flags_save_uint32 = ndr->flags;
 			ndr_set_flags(&ndr->flags, LIBNDR_FLAG_BIGENDIAN);
 			NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length));
 			ndr->flags = _flags_save_uint32;
 		}
 		NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, 4, sizeof(uint8_t), CH_DOS));
 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->level));
 		NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->info, r->level));
 		NDR_CHECK(ndr_pull_named_pipe_auth_req_info(ndr, NDR_SCALARS, &r->info));
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		NDR_CHECK(ndr_pull_named_pipe_auth_req_info(ndr, NDR_BUFFERS, &r->info));
 	}
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ void ndr_print_named_pipe_auth_req(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_req *r)
 {
 	ndr_print_struct(ndr, name, "named_pipe_auth_req");
 	ndr->depth++;
 	ndr_print_uint32(ndr, "length", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?ndr_size_named_pipe_auth_req(r, ndr->flags) - 4:r->length);
 	ndr_print_string(ndr, "magic", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?NAMED_PIPE_AUTH_MAGIC:r->magic);
 	ndr_print_uint32(ndr, "level", r->level);
 	ndr_print_set_switch_value(ndr, &r->info, r->level);
 	ndr_print_named_pipe_auth_req_info(ndr, "info", &r->info);
 	ndr->depth--;
 }
 _PUBLIC_ size_t ndr_size_named_pipe_auth_req(const struct named_pipe_auth_req *r, int flags)
 {
 	return ndr_size_struct(r, flags, (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req);
 }
 static enum ndr_err_code ndr_push_named_pipe_auth_rep_info(struct ndr_push *ndr, int ndr_flags, const union named_pipe_auth_rep_info *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
 		int level = ndr_push_get_switch_value(ndr, r);
 		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, level));
 		switch (level) {
 			case 0: {
 			break; }
 			case 1: {
 			break; }
 			default:
 				return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level);
 		}
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		int level = ndr_push_get_switch_value(ndr, r);
 		switch (level) {
 			case 0:
 			break;
 			case 1:
 			break;
 			default:
 				return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level);
 		}
 	}
 	return NDR_ERR_SUCCESS;
 }
 static enum ndr_err_code ndr_pull_named_pipe_auth_rep_info(struct ndr_pull *ndr, int ndr_flags, union named_pipe_auth_rep_info *r)
 {
 	int level;
 	uint32_t _level;
 	level = ndr_pull_get_switch_value(ndr, r);
 	if (ndr_flags & NDR_SCALARS) {
 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level));
 		if (_level != level) {
 			return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u for r", _level);
 		}
 		switch (level) {
 			case 0: {
 			break; }
 			case 1: {
 			break; }
 			default:
 				return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level);
 		}
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		switch (level) {
 			case 0:
 			break;
 			case 1:
 			break;
 			default:
 				return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level);
 		}
 	}
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ void ndr_print_named_pipe_auth_rep_info(struct ndr_print *ndr, const char *name, const union named_pipe_auth_rep_info *r)
 {
 	int level;
 	level = ndr_print_get_switch_value(ndr, r);
 	ndr_print_union(ndr, name, level, "named_pipe_auth_rep_info");
 	switch (level) {
 		case 0:
 		break;
 		case 1:
 		break;
 		default:
 			ndr_print_bad_level(ndr, name, level);
 	}
 }
 _PUBLIC_ enum ndr_err_code ndr_push_named_pipe_auth_rep(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_rep *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
 		NDR_CHECK(ndr_push_align(ndr, 4));
 		{
 			uint32_t _flags_save_uint32 = ndr->flags;
 			ndr_set_flags(&ndr->flags, LIBNDR_FLAG_BIGENDIAN);
 			NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_size_named_pipe_auth_rep(r, ndr->flags) - 4));
 			ndr->flags = _flags_save_uint32;
 		}
 		NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, NAMED_PIPE_AUTH_MAGIC, 4, sizeof(uint8_t), CH_DOS));
 		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->level));
 		NDR_CHECK(ndr_push_set_switch_value(ndr, &r->info, r->level));
 		NDR_CHECK(ndr_push_named_pipe_auth_rep_info(ndr, NDR_SCALARS, &r->info));
 		NDR_CHECK(ndr_push_NTSTATUS(ndr, NDR_SCALARS, r->status));
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		NDR_CHECK(ndr_push_named_pipe_auth_rep_info(ndr, NDR_BUFFERS, &r->info));
 	}
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_rep(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_rep *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
 		NDR_CHECK(ndr_pull_align(ndr, 4));
 		{
 			uint32_t _flags_save_uint32 = ndr->flags;
 			ndr_set_flags(&ndr->flags, LIBNDR_FLAG_BIGENDIAN);
 			NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length));
 			ndr->flags = _flags_save_uint32;
 		}
 		NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, 4, sizeof(uint8_t), CH_DOS));
 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->level));
 		NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->info, r->level));
 		NDR_CHECK(ndr_pull_named_pipe_auth_rep_info(ndr, NDR_SCALARS, &r->info));
 		NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->status));
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		NDR_CHECK(ndr_pull_named_pipe_auth_rep_info(ndr, NDR_BUFFERS, &r->info));
 	}
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ void ndr_print_named_pipe_auth_rep(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_rep *r)
 {
 	ndr_print_struct(ndr, name, "named_pipe_auth_rep");
 	ndr->depth++;
 	ndr_print_uint32(ndr, "length", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?ndr_size_named_pipe_auth_rep(r, ndr->flags) - 4:r->length);
 	ndr_print_string(ndr, "magic", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?NAMED_PIPE_AUTH_MAGIC:r->magic);
 	ndr_print_uint32(ndr, "level", r->level);
 	ndr_print_set_switch_value(ndr, &r->info, r->level);
 	ndr_print_named_pipe_auth_rep_info(ndr, "info", &r->info);
 	ndr_print_NTSTATUS(ndr, "status", r->status);
 	ndr->depth--;
 }
 _PUBLIC_ size_t ndr_size_named_pipe_auth_rep(const struct named_pipe_auth_rep *r, int flags)
 {
 	return ndr_size_struct(r, flags, (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_rep);
 }
--- a/source3/librpc/gen_ndr/ndr_named_pipe_auth.h
+++ b/source3/librpc/gen_ndr/ndr_named_pipe_auth.h
@ -0,0 +1,20 @@
 /* header auto-generated by pidl */
 #include "librpc/ndr/libndr.h"
 #include "librpc/gen_ndr/named_pipe_auth.h"
 #ifndef _HEADER_NDR_named_pipe_auth
 #define _HEADER_NDR_named_pipe_auth
 #define NDR_NAMED_PIPE_AUTH_CALL_COUNT (0)
 void ndr_print_named_pipe_auth_req_info(struct ndr_print *ndr, const char *name, const union named_pipe_auth_req_info *r);
 enum ndr_err_code ndr_push_named_pipe_auth_req(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_req *r);
 enum ndr_err_code ndr_pull_named_pipe_auth_req(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req *r);
 void ndr_print_named_pipe_auth_req(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_req *r);
 size_t ndr_size_named_pipe_auth_req(const struct named_pipe_auth_req *r, int flags);
 void ndr_print_named_pipe_auth_rep_info(struct ndr_print *ndr, const char *name, const union named_pipe_auth_rep_info *r);
 enum ndr_err_code ndr_push_named_pipe_auth_rep(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_rep *r);
 enum ndr_err_code ndr_pull_named_pipe_auth_rep(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_rep *r);
 void ndr_print_named_pipe_auth_rep(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_rep *r);
 size_t ndr_size_named_pipe_auth_rep(const struct named_pipe_auth_rep *r, int flags);
 #endif /* _HEADER_NDR_named_pipe_auth */
--- a/source3/librpc/gen_ndr/ndr_netlogon.c
+++ b/source3/librpc/gen_ndr/ndr_netlogon.c
@ -2513,7 +2513,7 @@ static enum ndr_err_code ndr_push_netr_DELTA_USER(struct ndr_push *ndr, int ndr_
 		NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->lm_password_present));
 		NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->password_expired));
 		NDR_CHECK(ndr_push_lsa_String(ndr, NDR_SCALARS, &r->comment));
-		NDR_CHECK(ndr_push_lsa_String(ndr, NDR_SCALARS, &r->parameters));
+		NDR_CHECK(ndr_push_lsa_BinaryString(ndr, NDR_SCALARS, &r->parameters));
 		NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->country_code));
 		NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->code_page));
 		NDR_CHECK(ndr_push_netr_USER_PRIVATE_INFO(ndr, NDR_SCALARS, &r->user_private_info));
@ -2540,7 +2540,7 @@ static enum ndr_err_code ndr_push_netr_DELTA_USER(struct ndr_push *ndr, int ndr_
 		NDR_CHECK(ndr_push_samr_Password(ndr, NDR_BUFFERS, &r->lmpassword));
 		NDR_CHECK(ndr_push_samr_Password(ndr, NDR_BUFFERS, &r->ntpassword));
 		NDR_CHECK(ndr_push_lsa_String(ndr, NDR_BUFFERS, &r->comment));
-		NDR_CHECK(ndr_push_lsa_String(ndr, NDR_BUFFERS, &r->parameters));
+		NDR_CHECK(ndr_push_lsa_BinaryString(ndr, NDR_BUFFERS, &r->parameters));
 		NDR_CHECK(ndr_push_netr_USER_PRIVATE_INFO(ndr, NDR_BUFFERS, &r->user_private_info));
 		NDR_CHECK(ndr_push_sec_desc_buf(ndr, NDR_BUFFERS, &r->sdbuf));
 		NDR_CHECK(ndr_push_lsa_String(ndr, NDR_BUFFERS, &r->profile_path));
@ -2578,7 +2578,7 @@ static enum ndr_err_code ndr_pull_netr_DELTA_USER(struct ndr_pull *ndr, int ndr_
 		NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->lm_password_present));
 		NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->password_expired));
 		NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->comment));
-		NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->parameters));
+		NDR_CHECK(ndr_pull_lsa_BinaryString(ndr, NDR_SCALARS, &r->parameters));
 		NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->country_code));
 		NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->code_page));
 		NDR_CHECK(ndr_pull_netr_USER_PRIVATE_INFO(ndr, NDR_SCALARS, &r->user_private_info));
@ -2605,7 +2605,7 @@ static enum ndr_err_code ndr_pull_netr_DELTA_USER(struct ndr_pull *ndr, int ndr_
 		NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_BUFFERS, &r->lmpassword));
 		NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_BUFFERS, &r->ntpassword));
 		NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->comment));
-		NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->parameters));
+		NDR_CHECK(ndr_pull_lsa_BinaryString(ndr, NDR_BUFFERS, &r->parameters));
 		NDR_CHECK(ndr_pull_netr_USER_PRIVATE_INFO(ndr, NDR_BUFFERS, &r->user_private_info));
 		NDR_CHECK(ndr_pull_sec_desc_buf(ndr, NDR_BUFFERS, &r->sdbuf));
 		NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->profile_path));
@ -2643,7 +2643,7 @@ _PUBLIC_ void ndr_print_netr_DELTA_USER(struct ndr_print *ndr, const char *name,
 	ndr_print_uint8(ndr, "lm_password_present", r->lm_password_present);
 	ndr_print_uint8(ndr, "password_expired", r->password_expired);
 	ndr_print_lsa_String(ndr, "comment", &r->comment);
-	ndr_print_lsa_String(ndr, "parameters", &r->parameters);
+	ndr_print_lsa_BinaryString(ndr, "parameters", &r->parameters);
 	ndr_print_uint16(ndr, "country_code", r->country_code);
 	ndr_print_uint16(ndr, "code_page", r->code_page);
 	ndr_print_netr_USER_PRIVATE_INFO(ndr, "user_private_info", &r->user_private_info);
@ -6232,6 +6232,192 @@ _PUBLIC_ void ndr_print_netr_NegotiateFlags(struct ndr_print *ndr, const char *n
 	ndr->depth--;
 }
 static enum ndr_err_code ndr_push_netr_ChangeLogFlags(struct ndr_push *ndr, int ndr_flags, uint16_t r)
 {
 	NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r));
 	return NDR_ERR_SUCCESS;
 }
 static enum ndr_err_code ndr_pull_netr_ChangeLogFlags(struct ndr_pull *ndr, int ndr_flags, uint16_t *r)
 {
 	uint16_t v;
 	NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &v));
 	*r = v;
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ void ndr_print_netr_ChangeLogFlags(struct ndr_print *ndr, const char *name, uint16_t r)
 {
 	ndr_print_uint16(ndr, name, r);
 	ndr->depth++;
 	ndr_print_bitmap_flag(ndr, sizeof(uint16_t), "NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED", NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED, r);
 	ndr_print_bitmap_flag(ndr, sizeof(uint16_t), "NETR_CHANGELOG_CHANGED_PASSWORD", NETR_CHANGELOG_CHANGED_PASSWORD, r);
 	ndr_print_bitmap_flag(ndr, sizeof(uint16_t), "NETR_CHANGELOG_SID_INCLUDED", NETR_CHANGELOG_SID_INCLUDED, r);
 	ndr_print_bitmap_flag(ndr, sizeof(uint16_t), "NETR_CHANGELOG_NAME_INCLUDED", NETR_CHANGELOG_NAME_INCLUDED, r);
 	ndr_print_bitmap_flag(ndr, sizeof(uint16_t), "NETR_CHANGELOG_FIRST_PROMOTION_OBJ", NETR_CHANGELOG_FIRST_PROMOTION_OBJ, r);
 	ndr->depth--;
 }
 static enum ndr_err_code ndr_push_netr_ChangeLogObject(struct ndr_push *ndr, int ndr_flags, const union netr_ChangeLogObject *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
 		int level = ndr_push_get_switch_value(ndr, r);
 		switch (level) {
 			case NETR_CHANGELOG_SID_INCLUDED: {
 				NDR_CHECK(ndr_push_dom_sid(ndr, NDR_SCALARS, &r->object_sid));
 			break; }
 			case NETR_CHANGELOG_NAME_INCLUDED: {
 				{
 					uint32_t _flags_save_string = ndr->flags;
 					ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM);
 					NDR_CHECK(ndr_push_string(ndr, NDR_SCALARS, r->object_name));
 					ndr->flags = _flags_save_string;
 				}
 			break; }
 			default: {
 			break; }
 		}
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		int level = ndr_push_get_switch_value(ndr, r);
 		switch (level) {
 			case NETR_CHANGELOG_SID_INCLUDED:
 				NDR_CHECK(ndr_push_dom_sid(ndr, NDR_BUFFERS, &r->object_sid));
 			break;
 			case NETR_CHANGELOG_NAME_INCLUDED:
 			break;
 			default:
 			break;
 		}
 	}
 	return NDR_ERR_SUCCESS;
 }
 static enum ndr_err_code ndr_pull_netr_ChangeLogObject(struct ndr_pull *ndr, int ndr_flags, union netr_ChangeLogObject *r)
 {
 	int level;
 	level = ndr_pull_get_switch_value(ndr, r);
 	if (ndr_flags & NDR_SCALARS) {
 		switch (level) {
 			case NETR_CHANGELOG_SID_INCLUDED: {
 				NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->object_sid));
 			break; }
 			case NETR_CHANGELOG_NAME_INCLUDED: {
 				{
 					uint32_t _flags_save_string = ndr->flags;
 					ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM);
 					NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->object_name));
 					ndr->flags = _flags_save_string;
 				}
 			break; }
 			default: {
 			break; }
 		}
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		switch (level) {
 			case NETR_CHANGELOG_SID_INCLUDED:
 				NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_BUFFERS, &r->object_sid));
 			break;
 			case NETR_CHANGELOG_NAME_INCLUDED:
 			break;
 			default:
 			break;
 		}
 	}
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ void ndr_print_netr_ChangeLogObject(struct ndr_print *ndr, const char *name, const union netr_ChangeLogObject *r)
 {
 	int level;
 	level = ndr_print_get_switch_value(ndr, r);
 	ndr_print_union(ndr, name, level, "netr_ChangeLogObject");
 	switch (level) {
 		case NETR_CHANGELOG_SID_INCLUDED:
 			ndr_print_dom_sid(ndr, "object_sid", &r->object_sid);
 		break;
 		case NETR_CHANGELOG_NAME_INCLUDED:
 			ndr_print_string(ndr, "object_name", r->object_name);
 		break;
 		default:
 		break;
 	}
 }
 _PUBLIC_ enum ndr_err_code ndr_push_netr_ChangeLogEntry(struct ndr_push *ndr, int ndr_flags, const struct netr_ChangeLogEntry *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
 		NDR_CHECK(ndr_push_align(ndr, 4));
 		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->serial_number1));
 		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->serial_number2));
 		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->object_rid));
 		NDR_CHECK(ndr_push_netr_ChangeLogFlags(ndr, NDR_SCALARS, r->flags));
 		NDR_CHECK(ndr_push_netr_SamDatabaseID8Bit(ndr, NDR_SCALARS, r->db_index));
 		NDR_CHECK(ndr_push_netr_DeltaEnum8Bit(ndr, NDR_SCALARS, r->delta_type));
 		NDR_CHECK(ndr_push_set_switch_value(ndr, &r->object, r->flags & (NETR_CHANGELOG_SID_INCLUDED | NETR_CHANGELOG_NAME_INCLUDED)));
 		NDR_CHECK(ndr_push_netr_ChangeLogObject(ndr, NDR_SCALARS, &r->object));
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		NDR_CHECK(ndr_push_netr_ChangeLogObject(ndr, NDR_BUFFERS, &r->object));
 	}
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ enum ndr_err_code ndr_pull_netr_ChangeLogEntry(struct ndr_pull *ndr, int ndr_flags, struct netr_ChangeLogEntry *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
 		NDR_CHECK(ndr_pull_align(ndr, 4));
 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->serial_number1));
 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->serial_number2));
 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->object_rid));
 		NDR_CHECK(ndr_pull_netr_ChangeLogFlags(ndr, NDR_SCALARS, &r->flags));
 		NDR_CHECK(ndr_pull_netr_SamDatabaseID8Bit(ndr, NDR_SCALARS, &r->db_index));
 		NDR_CHECK(ndr_pull_netr_DeltaEnum8Bit(ndr, NDR_SCALARS, &r->delta_type));
 		NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->flags & (NETR_CHANGELOG_SID_INCLUDED | NETR_CHANGELOG_NAME_INCLUDED)));
 		NDR_CHECK(ndr_pull_netr_ChangeLogObject(ndr, NDR_SCALARS, &r->object));
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		NDR_CHECK(ndr_pull_netr_ChangeLogObject(ndr, NDR_BUFFERS, &r->object));
 	}
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ void ndr_print_netr_ChangeLogEntry(struct ndr_print *ndr, const char *name, const struct netr_ChangeLogEntry *r)
 {
 	ndr_print_struct(ndr, name, "netr_ChangeLogEntry");
 	ndr->depth++;
 	ndr_print_uint32(ndr, "serial_number1", r->serial_number1);
 	ndr_print_uint32(ndr, "serial_number2", r->serial_number2);
 	ndr_print_uint32(ndr, "object_rid", r->object_rid);
 	ndr_print_netr_ChangeLogFlags(ndr, "flags", r->flags);
 	ndr_print_netr_SamDatabaseID8Bit(ndr, "db_index", r->db_index);
 	ndr_print_netr_DeltaEnum8Bit(ndr, "delta_type", r->delta_type);
 	ndr_print_set_switch_value(ndr, &r->object, r->flags & (NETR_CHANGELOG_SID_INCLUDED | NETR_CHANGELOG_NAME_INCLUDED));
 	ndr_print_netr_ChangeLogObject(ndr, "object", &r->object);
 	ndr->depth--;
 }
 _PUBLIC_ size_t ndr_size_netr_ChangeLogEntry(const struct netr_ChangeLogEntry *r, int flags)
 {
 	return ndr_size_struct(r, flags, (ndr_push_flags_fn_t)ndr_push_netr_ChangeLogEntry);
 }
 static enum ndr_err_code ndr_push_netr_Blob(struct ndr_push *ndr, int ndr_flags, const struct netr_Blob *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
@ -11299,17 +11485,21 @@ static enum ndr_err_code ndr_push_netr_DatabaseRedo(struct ndr_push *ndr, int fl
 		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0));
 		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(r->in.computername, CH_UTF16)));
 		NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->in.computername, ndr_charset_length(r->in.computername, CH_UTF16), sizeof(uint16_t), CH_UTF16));
-		NDR_CHECK(ndr_push_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential));
+		if (r->in.credential == NULL) {
 			return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
 		}
 		NDR_CHECK(ndr_push_netr_Authenticator(ndr, NDR_SCALARS, r->in.credential));
 		if (r->in.return_authenticator == NULL) {
 			return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
 		}
 		NDR_CHECK(ndr_push_netr_Authenticator(ndr, NDR_SCALARS, r->in.return_authenticator));
-		NDR_CHECK(ndr_push_unique_ptr(ndr, r->in.change_log_entry));
+		{
-		if (r->in.change_log_entry) {
+			struct ndr_push *_ndr_change_log_entry;
-			NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.change_log_entry_size));
+			NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_change_log_entry, 4, ndr_size_netr_ChangeLogEntry(&r->in.change_log_entry, ndr->flags)));
-			NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->in.change_log_entry, r->in.change_log_entry_size));
+			NDR_CHECK(ndr_push_netr_ChangeLogEntry(_ndr_change_log_entry, NDR_SCALARS|NDR_BUFFERS, &r->in.change_log_entry));
 			NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_change_log_entry, 4, ndr_size_netr_ChangeLogEntry(&r->in.change_log_entry, ndr->flags)));
 		}
-		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.change_log_entry_size));
+		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_size_netr_ChangeLogEntry(&r->in.change_log_entry, ndr->flags)));
 	}
 	if (flags & NDR_OUT) {
 		if (r->out.return_authenticator == NULL) {
@ -11319,7 +11509,10 @@ static enum ndr_err_code ndr_push_netr_DatabaseRedo(struct ndr_push *ndr, int fl
 		if (r->out.delta_enum_array == NULL) {
 			return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
 		}
-		NDR_CHECK(ndr_push_netr_DELTA_ENUM_ARRAY(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.delta_enum_array));
+		NDR_CHECK(ndr_push_unique_ptr(ndr, *r->out.delta_enum_array));
 		if (*r->out.delta_enum_array) {
 			NDR_CHECK(ndr_push_netr_DELTA_ENUM_ARRAY(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.delta_enum_array));
 		}
 		NDR_CHECK(ndr_push_NTSTATUS(ndr, NDR_SCALARS, r->out.result));
 	}
 	return NDR_ERR_SUCCESS;
@ -11327,10 +11520,11 @@ static enum ndr_err_code ndr_push_netr_DatabaseRedo(struct ndr_push *ndr, int fl
 static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int flags, struct netr_DatabaseRedo *r)
 {
-	uint32_t _ptr_change_log_entry;
+	uint32_t _ptr_delta_enum_array;
 	TALLOC_CTX *_mem_save_credential_0;
 	TALLOC_CTX *_mem_save_return_authenticator_0;
 	TALLOC_CTX *_mem_save_change_log_entry_0;
 	TALLOC_CTX *_mem_save_delta_enum_array_0;
 	TALLOC_CTX *_mem_save_delta_enum_array_1;
 	if (flags & NDR_IN) {
 		ZERO_STRUCT(r->out);
@ -11348,7 +11542,13 @@ static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int fl
 		}
 		NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t)));
 		NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16));
-		NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential));
+		if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
 			NDR_PULL_ALLOC(ndr, r->in.credential);
 		}
 		_mem_save_credential_0 = NDR_PULL_GET_MEM_CTX(ndr);
 		NDR_PULL_SET_MEM_CTX(ndr, r->in.credential, LIBNDR_FLAG_REF_ALLOC);
 		NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, r->in.credential));
 		NDR_PULL_SET_MEM_CTX(ndr, _mem_save_credential_0, LIBNDR_FLAG_REF_ALLOC);
 		if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
 			NDR_PULL_ALLOC(ndr, r->in.return_authenticator);
 		}
@ -11356,28 +11556,17 @@ static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int fl
 		NDR_PULL_SET_MEM_CTX(ndr, r->in.return_authenticator, LIBNDR_FLAG_REF_ALLOC);
 		NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, r->in.return_authenticator));
 		NDR_PULL_SET_MEM_CTX(ndr, _mem_save_return_authenticator_0, LIBNDR_FLAG_REF_ALLOC);
-		NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_change_log_entry));
+		{
-		if (_ptr_change_log_entry) {
+			struct ndr_pull *_ndr_change_log_entry;
-			NDR_PULL_ALLOC(ndr, r->in.change_log_entry);
+			NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_change_log_entry, 4, r->in.change_log_entry_size));
-		} else {
+			NDR_CHECK(ndr_pull_netr_ChangeLogEntry(_ndr_change_log_entry, NDR_SCALARS|NDR_BUFFERS, &r->in.change_log_entry));
-			r->in.change_log_entry = NULL;
+			NDR_CHECK(ndr_pull_subcontext_end(ndr, _ndr_change_log_entry, 4, r->in.change_log_entry_size));
 		}
 		if (r->in.change_log_entry) {
 			_mem_save_change_log_entry_0 = NDR_PULL_GET_MEM_CTX(ndr);
 			NDR_PULL_SET_MEM_CTX(ndr, r->in.change_log_entry, 0);
 			NDR_CHECK(ndr_pull_array_size(ndr, &r->in.change_log_entry));
 			NDR_PULL_ALLOC_N(ndr, r->in.change_log_entry, ndr_get_array_size(ndr, &r->in.change_log_entry));
 			NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.change_log_entry, ndr_get_array_size(ndr, &r->in.change_log_entry)));
 			NDR_PULL_SET_MEM_CTX(ndr, _mem_save_change_log_entry_0, 0);
 		}
 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.change_log_entry_size));
 		NDR_PULL_ALLOC(ndr, r->out.return_authenticator);
 		*r->out.return_authenticator = *r->in.return_authenticator;
 		NDR_PULL_ALLOC(ndr, r->out.delta_enum_array);
 		ZERO_STRUCTP(r->out.delta_enum_array);
 		if (r->in.change_log_entry) {
 			NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.change_log_entry, r->in.change_log_entry_size));
 		}
 	}
 	if (flags & NDR_OUT) {
 		if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
@ -11392,7 +11581,18 @@ static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int fl
 		}
 		_mem_save_delta_enum_array_0 = NDR_PULL_GET_MEM_CTX(ndr);
 		NDR_PULL_SET_MEM_CTX(ndr, r->out.delta_enum_array, LIBNDR_FLAG_REF_ALLOC);
-		NDR_CHECK(ndr_pull_netr_DELTA_ENUM_ARRAY(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.delta_enum_array));
+		NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_delta_enum_array));
 		if (_ptr_delta_enum_array) {
 			NDR_PULL_ALLOC(ndr, *r->out.delta_enum_array);
 		} else {
 			*r->out.delta_enum_array = NULL;
 		}
 		if (*r->out.delta_enum_array) {
 			_mem_save_delta_enum_array_1 = NDR_PULL_GET_MEM_CTX(ndr);
 			NDR_PULL_SET_MEM_CTX(ndr, *r->out.delta_enum_array, 0);
 			NDR_CHECK(ndr_pull_netr_DELTA_ENUM_ARRAY(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.delta_enum_array));
 			NDR_PULL_SET_MEM_CTX(ndr, _mem_save_delta_enum_array_1, 0);
 		}
 		NDR_PULL_SET_MEM_CTX(ndr, _mem_save_delta_enum_array_0, LIBNDR_FLAG_REF_ALLOC);
 		NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->out.result));
 	}
@ -11411,18 +11611,16 @@ _PUBLIC_ void ndr_print_netr_DatabaseRedo(struct ndr_print *ndr, const char *nam
 		ndr->depth++;
 		ndr_print_string(ndr, "logon_server", r->in.logon_server);
 		ndr_print_string(ndr, "computername", r->in.computername);
-		ndr_print_netr_Authenticator(ndr, "credential", &r->in.credential);
+		ndr_print_ptr(ndr, "credential", r->in.credential);
 		ndr->depth++;
 		ndr_print_netr_Authenticator(ndr, "credential", r->in.credential);
 		ndr->depth--;
 		ndr_print_ptr(ndr, "return_authenticator", r->in.return_authenticator);
 		ndr->depth++;
 		ndr_print_netr_Authenticator(ndr, "return_authenticator", r->in.return_authenticator);
 		ndr->depth--;
-		ndr_print_ptr(ndr, "change_log_entry", r->in.change_log_entry);
+		ndr_print_netr_ChangeLogEntry(ndr, "change_log_entry", &r->in.change_log_entry);
-		ndr->depth++;
+		ndr_print_uint32(ndr, "change_log_entry_size", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?ndr_size_netr_ChangeLogEntry(&r->in.change_log_entry, ndr->flags):r->in.change_log_entry_size);
 		if (r->in.change_log_entry) {
 			ndr_print_array_uint8(ndr, "change_log_entry", r->in.change_log_entry, r->in.change_log_entry_size);
 		}
 		ndr->depth--;
 		ndr_print_uint32(ndr, "change_log_entry_size", r->in.change_log_entry_size);
 		ndr->depth--;
 	}
 	if (flags & NDR_OUT) {
@ -11434,7 +11632,12 @@ _PUBLIC_ void ndr_print_netr_DatabaseRedo(struct ndr_print *ndr, const char *nam
 		ndr->depth--;
 		ndr_print_ptr(ndr, "delta_enum_array", r->out.delta_enum_array);
 		ndr->depth++;
-		ndr_print_netr_DELTA_ENUM_ARRAY(ndr, "delta_enum_array", r->out.delta_enum_array);
+		ndr_print_ptr(ndr, "delta_enum_array", *r->out.delta_enum_array);
 		ndr->depth++;
 		if (*r->out.delta_enum_array) {
 			ndr_print_netr_DELTA_ENUM_ARRAY(ndr, "delta_enum_array", *r->out.delta_enum_array);
 		}
 		ndr->depth--;
 		ndr->depth--;
 		ndr_print_NTSTATUS(ndr, "result", r->out.result);
 		ndr->depth--;
--- a/source3/librpc/gen_ndr/ndr_netlogon.h
+++ b/source3/librpc/gen_ndr/ndr_netlogon.h
@ -6,6 +6,7 @@
 #ifndef _HEADER_NDR_netlogon
 #define _HEADER_NDR_netlogon
 #include "../librpc/ndr/ndr_netlogon.h"
 #define NDR_NETLOGON_UUID "12345678-1234-abcd-ef00-01234567cffb"
 #define NDR_NETLOGON_VERSION 1.0
 #define NDR_NETLOGON_NAME "netlogon"
@ -190,6 +191,12 @@ void ndr_print_netr_CONTROL_QUERY_INFORMATION(struct ndr_print *ndr, const char
 void ndr_print_netr_LogonControlCode(struct ndr_print *ndr, const char *name, enum netr_LogonControlCode r);
 void ndr_print_netr_CONTROL_DATA_INFORMATION(struct ndr_print *ndr, const char *name, const union netr_CONTROL_DATA_INFORMATION *r);
 void ndr_print_netr_NegotiateFlags(struct ndr_print *ndr, const char *name, uint32_t r);
 void ndr_print_netr_ChangeLogFlags(struct ndr_print *ndr, const char *name, uint16_t r);
 void ndr_print_netr_ChangeLogObject(struct ndr_print *ndr, const char *name, const union netr_ChangeLogObject *r);
 enum ndr_err_code ndr_push_netr_ChangeLogEntry(struct ndr_push *ndr, int ndr_flags, const struct netr_ChangeLogEntry *r);
 enum ndr_err_code ndr_pull_netr_ChangeLogEntry(struct ndr_pull *ndr, int ndr_flags, struct netr_ChangeLogEntry *r);
 void ndr_print_netr_ChangeLogEntry(struct ndr_print *ndr, const char *name, const struct netr_ChangeLogEntry *r);
 size_t ndr_size_netr_ChangeLogEntry(const struct netr_ChangeLogEntry *r, int flags);
 void ndr_print_netr_Blob(struct ndr_print *ndr, const char *name, const struct netr_Blob *r);
 void ndr_print_netr_DsRGetDCName_flags(struct ndr_print *ndr, const char *name, uint32_t r);
 void ndr_print_netr_DsRGetDCNameInfo_AddressType(struct ndr_print *ndr, const char *name, enum netr_DsRGetDCNameInfo_AddressType r);
--- a/source3/librpc/gen_ndr/ndr_samr.c
+++ b/source3/librpc/gen_ndr/ndr_samr.c
@ -9815,8 +9815,11 @@ static enum ndr_err_code ndr_push_samr_QueryUserInfo2(struct ndr_push *ndr, int
 		if (r->out.info == NULL) {
 			return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
 		}
-		NDR_CHECK(ndr_push_set_switch_value(ndr, r->out.info, r->in.level));
+		NDR_CHECK(ndr_push_unique_ptr(ndr, *r->out.info));
-		NDR_CHECK(ndr_push_samr_UserInfo(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.info));
+		if (*r->out.info) {
 			NDR_CHECK(ndr_push_set_switch_value(ndr, *r->out.info, r->in.level));
 			NDR_CHECK(ndr_push_samr_UserInfo(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.info));
 		}
 		NDR_CHECK(ndr_push_NTSTATUS(ndr, NDR_SCALARS, r->out.result));
 	}
 	return NDR_ERR_SUCCESS;
@ -9824,8 +9827,10 @@ static enum ndr_err_code ndr_push_samr_QueryUserInfo2(struct ndr_push *ndr, int
 static enum ndr_err_code ndr_pull_samr_QueryUserInfo2(struct ndr_pull *ndr, int flags, struct samr_QueryUserInfo2 *r)
 {
 	uint32_t _ptr_info;
 	TALLOC_CTX *_mem_save_user_handle_0;
 	TALLOC_CTX *_mem_save_info_0;
 	TALLOC_CTX *_mem_save_info_1;
 	if (flags & NDR_IN) {
 		ZERO_STRUCT(r->out);
@ -9846,8 +9851,19 @@ static enum ndr_err_code ndr_pull_samr_QueryUserInfo2(struct ndr_pull *ndr, int
 		}
 		_mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr);
 		NDR_PULL_SET_MEM_CTX(ndr, r->out.info, LIBNDR_FLAG_REF_ALLOC);
-		NDR_CHECK(ndr_pull_set_switch_value(ndr, r->out.info, r->in.level));
+		NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info));
-		NDR_CHECK(ndr_pull_samr_UserInfo(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.info));
+		if (_ptr_info) {
 			NDR_PULL_ALLOC(ndr, *r->out.info);
 		} else {
 			*r->out.info = NULL;
 		}
 		if (*r->out.info) {
 			_mem_save_info_1 = NDR_PULL_GET_MEM_CTX(ndr);
 			NDR_PULL_SET_MEM_CTX(ndr, *r->out.info, 0);
 			NDR_CHECK(ndr_pull_set_switch_value(ndr, *r->out.info, r->in.level));
 			NDR_CHECK(ndr_pull_samr_UserInfo(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.info));
 			NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_1, 0);
 		}
 		NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, LIBNDR_FLAG_REF_ALLOC);
 		NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->out.result));
 	}
@ -9876,8 +9892,13 @@ _PUBLIC_ void ndr_print_samr_QueryUserInfo2(struct ndr_print *ndr, const char *n
 		ndr->depth++;
 		ndr_print_ptr(ndr, "info", r->out.info);
 		ndr->depth++;
-		ndr_print_set_switch_value(ndr, r->out.info, r->in.level);
+		ndr_print_ptr(ndr, "info", *r->out.info);
-		ndr_print_samr_UserInfo(ndr, "info", r->out.info);
+		ndr->depth++;
 		if (*r->out.info) {
 			ndr_print_set_switch_value(ndr, *r->out.info, r->in.level);
 			ndr_print_samr_UserInfo(ndr, "info", *r->out.info);
 		}
 		ndr->depth--;
 		ndr->depth--;
 		ndr_print_NTSTATUS(ndr, "result", r->out.result);
 		ndr->depth--;
@ -11886,7 +11907,10 @@ static enum ndr_err_code ndr_push_samr_RidToSid(struct ndr_push *ndr, int flags,
 		if (r->out.sid == NULL) {
 			return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
 		}
-		NDR_CHECK(ndr_push_dom_sid2(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.sid));
+		NDR_CHECK(ndr_push_unique_ptr(ndr, *r->out.sid));
 		if (*r->out.sid) {
 			NDR_CHECK(ndr_push_dom_sid2(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.sid));
 		}
 		NDR_CHECK(ndr_push_NTSTATUS(ndr, NDR_SCALARS, r->out.result));
 	}
 	return NDR_ERR_SUCCESS;
@ -11894,8 +11918,10 @@ static enum ndr_err_code ndr_push_samr_RidToSid(struct ndr_push *ndr, int flags,
 static enum ndr_err_code ndr_pull_samr_RidToSid(struct ndr_pull *ndr, int flags, struct samr_RidToSid *r)
 {
 	uint32_t _ptr_sid;
 	TALLOC_CTX *_mem_save_domain_handle_0;
 	TALLOC_CTX *_mem_save_sid_0;
 	TALLOC_CTX *_mem_save_sid_1;
 	if (flags & NDR_IN) {
 		ZERO_STRUCT(r->out);
@ -11916,7 +11942,18 @@ static enum ndr_err_code ndr_pull_samr_RidToSid(struct ndr_pull *ndr, int flags,
 		}
 		_mem_save_sid_0 = NDR_PULL_GET_MEM_CTX(ndr);
 		NDR_PULL_SET_MEM_CTX(ndr, r->out.sid, LIBNDR_FLAG_REF_ALLOC);
-		NDR_CHECK(ndr_pull_dom_sid2(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.sid));
+		NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid));
 		if (_ptr_sid) {
 			NDR_PULL_ALLOC(ndr, *r->out.sid);
 		} else {
 			*r->out.sid = NULL;
 		}
 		if (*r->out.sid) {
 			_mem_save_sid_1 = NDR_PULL_GET_MEM_CTX(ndr);
 			NDR_PULL_SET_MEM_CTX(ndr, *r->out.sid, 0);
 			NDR_CHECK(ndr_pull_dom_sid2(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.sid));
 			NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sid_1, 0);
 		}
 		NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sid_0, LIBNDR_FLAG_REF_ALLOC);
 		NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->out.result));
 	}
@ -11945,7 +11982,12 @@ _PUBLIC_ void ndr_print_samr_RidToSid(struct ndr_print *ndr, const char *name, i
 		ndr->depth++;
 		ndr_print_ptr(ndr, "sid", r->out.sid);
 		ndr->depth++;
-		ndr_print_dom_sid2(ndr, "sid", r->out.sid);
+		ndr_print_ptr(ndr, "sid", *r->out.sid);
 		ndr->depth++;
 		if (*r->out.sid) {
 			ndr_print_dom_sid2(ndr, "sid", *r->out.sid);
 		}
 		ndr->depth--;
 		ndr->depth--;
 		ndr_print_NTSTATUS(ndr, "result", r->out.result);
 		ndr->depth--;
@ -12049,15 +12091,21 @@ static enum ndr_err_code ndr_push_samr_ValidatePassword(struct ndr_push *ndr, in
 {
 	if (flags & NDR_IN) {
 		NDR_CHECK(ndr_push_samr_ValidatePasswordLevel(ndr, NDR_SCALARS, r->in.level));
-		NDR_CHECK(ndr_push_set_switch_value(ndr, &r->in.req, r->in.level));
+		if (r->in.req == NULL) {
-		NDR_CHECK(ndr_push_samr_ValidatePasswordReq(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.req));
+			return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
 		}
 		NDR_CHECK(ndr_push_set_switch_value(ndr, r->in.req, r->in.level));
 		NDR_CHECK(ndr_push_samr_ValidatePasswordReq(ndr, NDR_SCALARS|NDR_BUFFERS, r->in.req));
 	}
 	if (flags & NDR_OUT) {
 		if (r->out.rep == NULL) {
 			return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
 		}
-		NDR_CHECK(ndr_push_set_switch_value(ndr, r->out.rep, r->in.level));
+		NDR_CHECK(ndr_push_unique_ptr(ndr, *r->out.rep));
-		NDR_CHECK(ndr_push_samr_ValidatePasswordRep(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.rep));
+		if (*r->out.rep) {
 			NDR_CHECK(ndr_push_set_switch_value(ndr, *r->out.rep, r->in.level));
 			NDR_CHECK(ndr_push_samr_ValidatePasswordRep(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.rep));
 		}
 		NDR_CHECK(ndr_push_NTSTATUS(ndr, NDR_SCALARS, r->out.result));
 	}
 	return NDR_ERR_SUCCESS;
@ -12065,13 +12113,22 @@ static enum ndr_err_code ndr_push_samr_ValidatePassword(struct ndr_push *ndr, in
 static enum ndr_err_code ndr_pull_samr_ValidatePassword(struct ndr_pull *ndr, int flags, struct samr_ValidatePassword *r)
 {
 	uint32_t _ptr_rep;
 	TALLOC_CTX *_mem_save_req_0;
 	TALLOC_CTX *_mem_save_rep_0;
 	TALLOC_CTX *_mem_save_rep_1;
 	if (flags & NDR_IN) {
 		ZERO_STRUCT(r->out);
 		NDR_CHECK(ndr_pull_samr_ValidatePasswordLevel(ndr, NDR_SCALARS, &r->in.level));
-		NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->in.req, r->in.level));
+		if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
-		NDR_CHECK(ndr_pull_samr_ValidatePasswordReq(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.req));
+			NDR_PULL_ALLOC(ndr, r->in.req);
 		}
 		_mem_save_req_0 = NDR_PULL_GET_MEM_CTX(ndr);
 		NDR_PULL_SET_MEM_CTX(ndr, r->in.req, LIBNDR_FLAG_REF_ALLOC);
 		NDR_CHECK(ndr_pull_set_switch_value(ndr, r->in.req, r->in.level));
 		NDR_CHECK(ndr_pull_samr_ValidatePasswordReq(ndr, NDR_SCALARS|NDR_BUFFERS, r->in.req));
 		NDR_PULL_SET_MEM_CTX(ndr, _mem_save_req_0, LIBNDR_FLAG_REF_ALLOC);
 		NDR_PULL_ALLOC(ndr, r->out.rep);
 		ZERO_STRUCTP(r->out.rep);
 	}
@ -12081,8 +12138,19 @@ static enum ndr_err_code ndr_pull_samr_ValidatePassword(struct ndr_pull *ndr, in
 		}
 		_mem_save_rep_0 = NDR_PULL_GET_MEM_CTX(ndr);
 		NDR_PULL_SET_MEM_CTX(ndr, r->out.rep, LIBNDR_FLAG_REF_ALLOC);
-		NDR_CHECK(ndr_pull_set_switch_value(ndr, r->out.rep, r->in.level));
+		NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rep));
-		NDR_CHECK(ndr_pull_samr_ValidatePasswordRep(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.rep));
+		if (_ptr_rep) {
 			NDR_PULL_ALLOC(ndr, *r->out.rep);
 		} else {
 			*r->out.rep = NULL;
 		}
 		if (*r->out.rep) {
 			_mem_save_rep_1 = NDR_PULL_GET_MEM_CTX(ndr);
 			NDR_PULL_SET_MEM_CTX(ndr, *r->out.rep, 0);
 			NDR_CHECK(ndr_pull_set_switch_value(ndr, *r->out.rep, r->in.level));
 			NDR_CHECK(ndr_pull_samr_ValidatePasswordRep(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.rep));
 			NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rep_1, 0);
 		}
 		NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rep_0, LIBNDR_FLAG_REF_ALLOC);
 		NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->out.result));
 	}
@ -12100,8 +12168,11 @@ _PUBLIC_ void ndr_print_samr_ValidatePassword(struct ndr_print *ndr, const char
 		ndr_print_struct(ndr, "in", "samr_ValidatePassword");
 		ndr->depth++;
 		ndr_print_samr_ValidatePasswordLevel(ndr, "level", r->in.level);
-		ndr_print_set_switch_value(ndr, &r->in.req, r->in.level);
+		ndr_print_ptr(ndr, "req", r->in.req);
-		ndr_print_samr_ValidatePasswordReq(ndr, "req", &r->in.req);
+		ndr->depth++;
 		ndr_print_set_switch_value(ndr, r->in.req, r->in.level);
 		ndr_print_samr_ValidatePasswordReq(ndr, "req", r->in.req);
 		ndr->depth--;
 		ndr->depth--;
 	}
 	if (flags & NDR_OUT) {
@ -12109,8 +12180,13 @@ _PUBLIC_ void ndr_print_samr_ValidatePassword(struct ndr_print *ndr, const char
 		ndr->depth++;
 		ndr_print_ptr(ndr, "rep", r->out.rep);
 		ndr->depth++;
-		ndr_print_set_switch_value(ndr, r->out.rep, r->in.level);
+		ndr_print_ptr(ndr, "rep", *r->out.rep);
-		ndr_print_samr_ValidatePasswordRep(ndr, "rep", r->out.rep);
+		ndr->depth++;
 		if (*r->out.rep) {
 			ndr_print_set_switch_value(ndr, *r->out.rep, r->in.level);
 			ndr_print_samr_ValidatePasswordRep(ndr, "rep", *r->out.rep);
 		}
 		ndr->depth--;
 		ndr->depth--;
 		ndr_print_NTSTATUS(ndr, "result", r->out.result);
 		ndr->depth--;
--- a/source3/librpc/gen_ndr/ndr_security.c
+++ b/source3/librpc/gen_ndr/ndr_security.c
@ -4,13 +4,14 @@
 #include "librpc/gen_ndr/ndr_security.h"
 #include "librpc/gen_ndr/ndr_misc.h"
-static enum ndr_err_code ndr_push_security_ace_flags(struct ndr_push *ndr, int ndr_flags, uint8_t r)
+#include "librpc/gen_ndr/ndr_dom_sid.h"
 _PUBLIC_ enum ndr_err_code ndr_push_security_ace_flags(struct ndr_push *ndr, int ndr_flags, uint8_t r)
 {
 	NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r));
 	return NDR_ERR_SUCCESS;
 }
-static enum ndr_err_code ndr_pull_security_ace_flags(struct ndr_pull *ndr, int ndr_flags, uint8_t *r)
+_PUBLIC_ enum ndr_err_code ndr_pull_security_ace_flags(struct ndr_pull *ndr, int ndr_flags, uint8_t *r)
 {
 	uint8_t v;
 	NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &v));
@ -33,13 +34,13 @@ _PUBLIC_ void ndr_print_security_ace_flags(struct ndr_print *ndr, const char *na
 	ndr->depth--;
 }
-static enum ndr_err_code ndr_push_security_ace_type(struct ndr_push *ndr, int ndr_flags, enum security_ace_type r)
+_PUBLIC_ enum ndr_err_code ndr_push_security_ace_type(struct ndr_push *ndr, int ndr_flags, enum security_ace_type r)
 {
 	NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r));
 	return NDR_ERR_SUCCESS;
 }
-static enum ndr_err_code ndr_pull_security_ace_type(struct ndr_pull *ndr, int ndr_flags, enum security_ace_type *r)
+_PUBLIC_ enum ndr_err_code ndr_pull_security_ace_type(struct ndr_pull *ndr, int ndr_flags, enum security_ace_type *r)
 {
 	uint8_t v;
 	NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &v));
@ -278,7 +279,7 @@ _PUBLIC_ void ndr_print_security_ace_object(struct ndr_print *ndr, const char *n
 	ndr->depth--;
 }
-static enum ndr_err_code ndr_push_security_ace_object_ctr(struct ndr_push *ndr, int ndr_flags, const union security_ace_object_ctr *r)
+_PUBLIC_ enum ndr_err_code ndr_push_security_ace_object_ctr(struct ndr_push *ndr, int ndr_flags, const union security_ace_object_ctr *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
 		int level = ndr_push_get_switch_value(ndr, r);
@ -331,7 +332,7 @@ static enum ndr_err_code ndr_push_security_ace_object_ctr(struct ndr_push *ndr,
 	return NDR_ERR_SUCCESS;
 }
-static enum ndr_err_code ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, int ndr_flags, union security_ace_object_ctr *r)
+_PUBLIC_ enum ndr_err_code ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, int ndr_flags, union security_ace_object_ctr *r)
 {
 	int level;
 	level = ndr_pull_get_switch_value(ndr, r);
@ -431,25 +432,6 @@ _PUBLIC_ enum ndr_err_code ndr_push_security_ace(struct ndr_push *ndr, int ndr_f
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, int ndr_flags, struct security_ace *r)
 {
 	if (ndr_flags & NDR_SCALARS) {
 		NDR_CHECK(ndr_pull_align(ndr, 4));
 		NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, &r->type));
 		NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, &r->flags));
 		NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size));
 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask));
 		NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type));
 		NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, NDR_SCALARS, &r->object));
 		NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee));
 	}
 	if (ndr_flags & NDR_BUFFERS) {
 		NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, NDR_BUFFERS, &r->object));
 		NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_BUFFERS, &r->trustee));
 	}
 	return NDR_ERR_SUCCESS;
 }
 _PUBLIC_ void ndr_print_security_ace(struct ndr_print *ndr, const char *name, const struct security_ace *r)
 {
 	ndr_print_struct(ndr, name, "security_ace");
--- a/source3/librpc/gen_ndr/ndr_security.h
+++ b/source3/librpc/gen_ndr/ndr_security.h
@ -6,13 +6,20 @@
 #ifndef _HEADER_NDR_security
 #define _HEADER_NDR_security
 #include "librpc/gen_ndr/ndr_dom_sid.h"
 #define NDR_SECURITY_CALL_COUNT (0)
 enum ndr_err_code ndr_push_security_ace_flags(struct ndr_push *ndr, int ndr_flags, uint8_t r);
 enum ndr_err_code ndr_pull_security_ace_flags(struct ndr_pull *ndr, int ndr_flags, uint8_t *r);
 void ndr_print_security_ace_flags(struct ndr_print *ndr, const char *name, uint8_t r);
 enum ndr_err_code ndr_push_security_ace_type(struct ndr_push *ndr, int ndr_flags, enum security_ace_type r);
 enum ndr_err_code ndr_pull_security_ace_type(struct ndr_pull *ndr, int ndr_flags, enum security_ace_type *r);
 void ndr_print_security_ace_type(struct ndr_print *ndr, const char *name, enum security_ace_type r);
 void ndr_print_security_ace_object_flags(struct ndr_print *ndr, const char *name, uint32_t r);
 void ndr_print_security_ace_object_type(struct ndr_print *ndr, const char *name, const union security_ace_object_type *r);
 void ndr_print_security_ace_object_inherited_type(struct ndr_print *ndr, const char *name, const union security_ace_object_inherited_type *r);
 void ndr_print_security_ace_object(struct ndr_print *ndr, const char *name, const struct security_ace_object *r);
 enum ndr_err_code ndr_push_security_ace_object_ctr(struct ndr_push *ndr, int ndr_flags, const union security_ace_object_ctr *r);
 enum ndr_err_code ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, int ndr_flags, union security_ace_object_ctr *r);
 void ndr_print_security_ace_object_ctr(struct ndr_print *ndr, const char *name, const union security_ace_object_ctr *r);
 enum ndr_err_code ndr_push_security_ace(struct ndr_push *ndr, int ndr_flags, const struct security_ace *r);
 enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, int ndr_flags, struct security_ace *r);
--- a/source3/librpc/gen_ndr/netlogon.h
+++ b/source3/librpc/gen_ndr/netlogon.h
@ -7,11 +7,14 @@
 #include "librpc/gen_ndr/samr.h"
 #include "librpc/gen_ndr/security.h"
 #include "librpc/gen_ndr/nbt.h"
 #define netr_DeltaEnum8Bit netr_DeltaEnum
 #ifndef _HEADER_netlogon
 #define _HEADER_netlogon
 #define DSGETDC_VALID_FLAGS	( (DS_FORCE_REDISCOVERY|DS_DIRECTORY_SERVICE_REQUIRED|DS_DIRECTORY_SERVICE_PREFERRED|DS_GC_SERVER_REQUIRED|DS_PDC_REQUIRED|DS_BACKGROUND_ONLY|DS_IP_REQUIRED|DS_KDC_REQUIRED|DS_TIMESERV_REQUIRED|DS_WRITABLE_REQUIRED|DS_GOOD_TIMESERV_PREFERRED|DS_AVOID_SELF|DS_ONLY_LDAP_NEEDED|DS_IS_FLAT_NAME|DS_IS_DNS_NAME|DS_RETURN_FLAT_NAME|DS_RETURN_DNS_NAME) )
 #define DS_GFTI_UPDATE_TDO	( 0x1 )
 enum netr_DeltaEnum8Bit;
 struct netr_UasInfo {
 	const char *account_name;/* [unique,charset(UTF16)] */
 	uint32_t priv;
@ -324,7 +327,7 @@ struct netr_DELTA_USER {
 	uint8_t lm_password_present;
 	uint8_t password_expired;
 	struct lsa_String comment;
-	struct lsa_String parameters;
+	struct lsa_BinaryString parameters;
 	uint16_t country_code;
 	uint16_t code_page;
 	struct netr_USER_PRIVATE_INFO user_private_info;
@ -712,6 +715,28 @@ union netr_CONTROL_DATA_INFORMATION {
 #define NETLOGON_NEG_AUTHENTICATED_RPC_LSASS ( 0x20000000 )
 #define NETLOGON_NEG_SCHANNEL ( 0x40000000 )
 /* bitmap netr_ChangeLogFlags */
 #define NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED ( 0x0001 )
 #define NETR_CHANGELOG_CHANGED_PASSWORD ( 0x0002 )
 #define NETR_CHANGELOG_SID_INCLUDED ( 0x0004 )
 #define NETR_CHANGELOG_NAME_INCLUDED ( 0x0008 )
 #define NETR_CHANGELOG_FIRST_PROMOTION_OBJ ( 0x0010 )
 union netr_ChangeLogObject {
 	struct dom_sid object_sid;/* [case(NETR_CHANGELOG_SID_INCLUDED)] */
 	const char * object_name;/* [flag(LIBNDR_FLAG_STR_NULLTERM),case(NETR_CHANGELOG_NAME_INCLUDED)] */
 }/* [nodiscriminant] */;
 struct netr_ChangeLogEntry {
 	uint32_t serial_number1;
 	uint32_t serial_number2;
 	uint32_t object_rid;
 	uint16_t flags;
 	enum netr_SamDatabaseID8Bit db_index;
 	enum netr_DeltaEnum8Bit delta_type;
 	union netr_ChangeLogObject object;/* [switch_is(flags&(NETR_CHANGELOG_SID_INCLUDED|NETR_CHANGELOG_NAME_INCLUDED))] */
 }/* [gensize,public] */;
 struct netr_Blob {
 	uint32_t length;
 	uint8_t *data;/* [unique,size_is(length)] */
@ -1251,14 +1276,14 @@ struct netr_DatabaseRedo {
 	struct {
 		const char *logon_server;/* [charset(UTF16)] */
 		const char *computername;/* [charset(UTF16)] */
-		struct netr_Authenticator credential;
+		struct netr_Authenticator *credential;/* [ref] */
-		uint8_t *change_log_entry;/* [unique,size_is(change_log_entry_size)] */
+		struct netr_ChangeLogEntry change_log_entry;/* [subcontext_size(change_log_entry_size),subcontext(4)] */
-		uint32_t change_log_entry_size;
+		uint32_t change_log_entry_size;/* [value(ndr_size_netr_ChangeLogEntry(&change_log_entry,ndr->flags))] */
 		struct netr_Authenticator *return_authenticator;/* [ref] */
 	} in;
 	struct {
-		struct netr_DELTA_ENUM_ARRAY *delta_enum_array;/* [ref] */
+		struct netr_DELTA_ENUM_ARRAY **delta_enum_array;/* [ref] */
 		struct netr_Authenticator *return_authenticator;/* [ref] */
 		NTSTATUS result;
 	} out;
--- a/source3/librpc/gen_ndr/samr.h
+++ b/source3/librpc/gen_ndr/samr.h
@ -8,8 +8,31 @@
 #ifndef _HEADER_samr
 #define _HEADER_samr
-#define MAX_SAM_ENTRIES_W2K	( 0x400 )
+#define SAMR_ACCESS_ALL_ACCESS	( 0x0000003F )
-#define MAX_SAM_ENTRIES_W95	( 50 )
+#define GENERIC_RIGHTS_SAM_ALL_ACCESS	( (STANDARD_RIGHTS_REQUIRED_ACCESS|SAMR_ACCESS_ALL_ACCESS) )
 #define GENERIC_RIGHTS_SAM_READ	( (STANDARD_RIGHTS_READ_ACCESS|SAMR_ACCESS_ENUM_DOMAINS) )
 #define GENERIC_RIGHTS_SAM_WRITE	( (STANDARD_RIGHTS_WRITE_ACCESS|SAMR_ACCESS_CREATE_DOMAIN|SAMR_ACCESS_INITIALIZE_SERVER|SAMR_ACCESS_SHUTDOWN_SERVER) )
 #define GENERIC_RIGHTS_SAM_EXECUTE	( (STANDARD_RIGHTS_EXECUTE_ACCESS|SAMR_ACCESS_OPEN_DOMAIN|SAMR_ACCESS_CONNECT_TO_SERVER) )
 #define SAMR_USER_ACCESS_ALL_ACCESS	( 0x000007FF )
 #define GENERIC_RIGHTS_USER_ALL_ACCESS	( (STANDARD_RIGHTS_REQUIRED_ACCESS|SAMR_USER_ACCESS_ALL_ACCESS) )
 #define GENERIC_RIGHTS_USER_READ	( (STANDARD_RIGHTS_READ_ACCESS|SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP|SAMR_USER_ACCESS_GET_GROUPS|SAMR_USER_ACCESS_GET_ATTRIBUTES|SAMR_USER_ACCESS_GET_LOGONINFO|SAMR_USER_ACCESS_GET_LOCALE) )
 #define GENERIC_RIGHTS_USER_WRITE	( (STANDARD_RIGHTS_WRITE_ACCESS|SAMR_USER_ACCESS_CHANGE_PASSWORD|SAMR_USER_ACCESS_SET_LOC_COM|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP) )
 #define GENERIC_RIGHTS_USER_EXECUTE	( (STANDARD_RIGHTS_EXECUTE_ACCESS|SAMR_USER_ACCESS_CHANGE_PASSWORD|SAMR_USER_ACCESS_GET_NAME_ETC) )
 #define SAMR_DOMAIN_ACCESS_ALL_ACCESS	( 0x000007FF )
 #define GENERIC_RIGHTS_DOMAIN_ALL_ACCESS	( (STANDARD_RIGHTS_REQUIRED_ACCESS|SAMR_DOMAIN_ACCESS_ALL_ACCESS) )
 #define GENERIC_RIGHTS_DOMAIN_READ	( (STANDARD_RIGHTS_READ_ACCESS|SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS|SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2) )
 #define GENERIC_RIGHTS_DOMAIN_WRITE	( (STANDARD_RIGHTS_WRITE_ACCESS|SAMR_DOMAIN_ACCESS_SET_INFO_3|SAMR_DOMAIN_ACCESS_CREATE_ALIAS|SAMR_DOMAIN_ACCESS_CREATE_GROUP|SAMR_DOMAIN_ACCESS_CREATE_USER|SAMR_DOMAIN_ACCESS_SET_INFO_2|SAMR_DOMAIN_ACCESS_SET_INFO_1) )
 #define GENERIC_RIGHTS_DOMAIN_EXECUTE	( (STANDARD_RIGHTS_EXECUTE_ACCESS|SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT|SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS|SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1) )
 #define SAMR_GROUP_ACCESS_ALL_ACCESS	( 0x0000001F )
 #define GENERIC_RIGHTS_GROUP_ALL_ACCESS	( (STANDARD_RIGHTS_REQUIRED_ACCESS|SAMR_GROUP_ACCESS_ALL_ACCESS) )
 #define GENERIC_RIGHTS_GROUP_READ	( (STANDARD_RIGHTS_READ_ACCESS|SAMR_GROUP_ACCESS_GET_MEMBERS) )
 #define GENERIC_RIGHTS_GROUP_WRITE	( (STANDARD_RIGHTS_WRITE_ACCESS|SAMR_GROUP_ACCESS_REMOVE_MEMBER|SAMR_GROUP_ACCESS_ADD_MEMBER|SAMR_GROUP_ACCESS_SET_INFO) )
 #define GENERIC_RIGHTS_GROUP_EXECUTE	( (STANDARD_RIGHTS_EXECUTE_ACCESS|SAMR_GROUP_ACCESS_LOOKUP_INFO) )
 #define SAMR_ALIAS_ACCESS_ALL_ACCESS	( 0x0000001F )
 #define GENERIC_RIGHTS_ALIAS_ALL_ACCESS	( (STANDARD_RIGHTS_REQUIRED_ACCESS|SAMR_ALIAS_ACCESS_ALL_ACCESS) )
 #define GENERIC_RIGHTS_ALIAS_READ	( (STANDARD_RIGHTS_READ_ACCESS|SAMR_ALIAS_ACCESS_GET_MEMBERS) )
 #define GENERIC_RIGHTS_ALIAS_WRITE	( (STANDARD_RIGHTS_WRITE_ACCESS|SAMR_ALIAS_ACCESS_REMOVE_MEMBER|SAMR_ALIAS_ACCESS_ADD_MEMBER|SAMR_ALIAS_ACCESS_SET_INFO) )
 #define GENERIC_RIGHTS_ALIAS_EXECUTE	( (STANDARD_RIGHTS_EXECUTE_ACCESS|SAMR_ALIAS_ACCESS_LOOKUP_INFO) )
 #define SAMR_ENUM_USERS_MULTIPLIER	( 54 )
 #define PASS_MUST_CHANGE_AT_NEXT_LOGON	( 0x01 )
 #define PASS_DONT_CHANGE_AT_NEXT_LOGON	( 0x00 )
@ -1440,7 +1463,7 @@ struct samr_QueryUserInfo2 {
 	} in;
 	struct {
-		union samr_UserInfo *info;/* [ref,switch_is(level)] */
+		union samr_UserInfo **info;/* [ref,switch_is(level)] */
 		NTSTATUS result;
 	} out;
@ -1722,7 +1745,7 @@ struct samr_RidToSid {
 	} in;
 	struct {
-		struct dom_sid2 *sid;/* [ref] */
+		struct dom_sid2 **sid;/* [ref] */
 		NTSTATUS result;
 	} out;
@ -1746,11 +1769,11 @@ struct samr_SetDsrmPassword {
 struct samr_ValidatePassword {
 	struct {
 		enum samr_ValidatePasswordLevel level;
-		union samr_ValidatePasswordReq req;/* [switch_is(level)] */
+		union samr_ValidatePasswordReq *req;/* [ref,switch_is(level)] */
 	} in;
 	struct {
-		union samr_ValidatePasswordRep *rep;/* [ref,switch_is(level)] */
+		union samr_ValidatePasswordRep **rep;/* [ref,switch_is(level)] */
 		NTSTATUS result;
 	} out;
--- a/source3/librpc/gen_ndr/security.h
+++ b/source3/librpc/gen_ndr/security.h
@ -3,9 +3,7 @@
 #include <stdint.h>
 #include "librpc/gen_ndr/misc.h"
-#define dom_sid2 dom_sid
+#include "librpc/gen_ndr/dom_sid.h"
 #define dom_sid28 dom_sid
 #define dom_sid0 dom_sid
 #ifndef _HEADER_security
 #define _HEADER_security
@ -68,6 +66,12 @@
 #define SEC_RIGHTS_DIR_WRITE	( SEC_RIGHTS_FILE_WRITE )
 #define SEC_RIGHTS_DIR_EXECUTE	( SEC_RIGHTS_FILE_EXECUTE )
 #define SEC_RIGHTS_DIR_ALL	( SEC_RIGHTS_FILE_ALL )
 #define STANDARD_RIGHTS_ALL_ACCESS	( SEC_STD_ALL )
 #define STANDARD_RIGHTS_MODIFY_ACCESS	( SEC_STD_READ_CONTROL )
 #define STANDARD_RIGHTS_EXECUTE_ACCESS	( SEC_STD_READ_CONTROL )
 #define STANDARD_RIGHTS_READ_ACCESS	( SEC_STD_READ_CONTROL )
 #define STANDARD_RIGHTS_WRITE_ACCESS	( (SEC_STD_WRITE_OWNER|SEC_STD_WRITE_DAC|SEC_STD_DELETE) )
 #define STANDARD_RIGHTS_REQUIRED_ACCESS	( (SEC_STD_DELETE|SEC_STD_READ_CONTROL|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER) )
 #define SID_NULL	( "S-1-0-0" )
 #define NAME_WORLD	( "WORLD" )
 #define SID_WORLD_DOMAIN	( "S-1-1" )
@ -239,7 +243,7 @@ struct security_ace_object {
 union security_ace_object_ctr {
 	struct security_ace_object object;/* [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] */
-}/* [nodiscriminant] */;
+}/* [public,nodiscriminant] */;
 struct security_ace {
 	enum security_ace_type type;
@ -248,7 +252,7 @@ struct security_ace {
 	uint32_t access_mask;
 	union security_ace_object_ctr object;/* [switch_is(type)] */
 	struct dom_sid trustee;
-}/* [gensize,public,nosize] */;
+}/* [gensize,public,nopull,nosize] */;
 enum security_acl_revision
 #ifndef USE_UINT_ENUMS
--- a/source3/librpc/gen_ndr/srv_netlogon.c
+++ b/source3/librpc/gen_ndr/srv_netlogon.c
@ -1454,7 +1454,7 @@ static bool api_netr_DatabaseRedo(pipes_struct *p)
 	ZERO_STRUCT(r->out);
 	r->out.return_authenticator = r->in.return_authenticator;
-	r->out.delta_enum_array = talloc_zero(r, struct netr_DELTA_ENUM_ARRAY);
+	r->out.delta_enum_array = talloc_zero(r, struct netr_DELTA_ENUM_ARRAY *);
 	if (r->out.delta_enum_array == NULL) {
 		talloc_free(r);
 		return false;
--- a/source3/librpc/gen_ndr/srv_samr.c
+++ b/source3/librpc/gen_ndr/srv_samr.c
@ -3750,7 +3750,7 @@ static bool api_samr_QueryUserInfo2(pipes_struct *p)
 	}
 	ZERO_STRUCT(r->out);
-	r->out.info = talloc_zero(r, union samr_UserInfo);
+	r->out.info = talloc_zero(r, union samr_UserInfo *);
 	if (r->out.info == NULL) {
 		talloc_free(r);
 		return false;
@ -5202,7 +5202,7 @@ static bool api_samr_RidToSid(pipes_struct *p)
 	}
 	ZERO_STRUCT(r->out);
-	r->out.sid = talloc_zero(r, struct dom_sid2);
+	r->out.sid = talloc_zero(r, struct dom_sid2 *);
 	if (r->out.sid == NULL) {
 		talloc_free(r);
 		return false;
@ -5355,7 +5355,7 @@ static bool api_samr_ValidatePassword(pipes_struct *p)
 	}
 	ZERO_STRUCT(r->out);
-	r->out.rep = talloc_zero(r, union samr_ValidatePasswordRep);
+	r->out.rep = talloc_zero(r, union samr_ValidatePasswordRep *);
 	if (r->out.rep == NULL) {
 		talloc_free(r);
 		return false;
--- a/source3/librpc/idl/dom_sid.idl
+++ b/source3/librpc/idl/dom_sid.idl
@ -0,0 +1,29 @@
 /*
   use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
   just a dom sid, but with the sub_auths represented as a conformant
   array. As with all in-structure conformant arrays, the array length
   is placed before the start of the structure. That's what gives rise
   to the extra num_auths elemenent. We don't want the Samba code to
   have to bother with such esoteric NDR details, so its easier to just
   define it as a dom_sid and use pidl magic to make it all work. It
   just means you need to mark a sid as a "dom_sid2" in the IDL when you
   know it is of the conformant array variety
 */
 cpp_quote("#define dom_sid2 dom_sid")
 /* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
 cpp_quote("#define dom_sid28 dom_sid")
 /* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
 cpp_quote("#define dom_sid0 dom_sid")
 [
 	pointer_default(unique)
 ]
 interface dom_sid
 {
 	struct _dummy_domsid {
 		uint8 dummy;
 	};
 }
--- a/source3/librpc/ndr/ndr_sec.h
+++ b/source3/librpc/ndr/ndr_sec.h
@ -1,35 +0,0 @@
 #ifndef __LIBRPC_NDR_NDR_SEC_H__
 #define __LIBRPC_NDR_NDR_SEC_H__
 #undef _PRINTF_ATTRIBUTE
 #define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2)
 /* This file was automatically generated by mkproto.pl. DO NOT EDIT */
 #ifndef _PUBLIC_
 #define _PUBLIC_
 #endif
 /* The following definitions come from librpc/ndr/ndr_sec_helper.c  */
 size_t ndr_size_dom_sid(const struct dom_sid *sid);
 size_t ndr_length_dom_sid(const struct dom_sid *sid);
 size_t ndr_size_security_ace(const struct security_ace *ace);
 size_t ndr_size_security_acl(const struct security_acl *acl);
 size_t ndr_size_security_descriptor(const struct security_descriptor *sd);
 void ndr_print_dom_sid(struct ndr_print *ndr, const char *name, const struct dom_sid *sid);
 void ndr_print_dom_sid2(struct ndr_print *ndr, const char *name, const struct dom_sid *sid);
 void ndr_print_dom_sid28(struct ndr_print *ndr, const char *name, const struct dom_sid *sid);
 char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
 /* The following definitions come from librpc/ndr/ndr_sec.c  */
 enum ndr_err_code ndr_pull_dom_sid2(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *sid);
 enum ndr_err_code ndr_push_dom_sid2(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *sid);
 enum ndr_err_code ndr_pull_dom_sid28(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *sid);
 enum ndr_err_code ndr_push_dom_sid28(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *sid);
 #undef _PRINTF_ATTRIBUTE
 #define _PRINTF_ATTRIBUTE(a1, a2)
 #endif /* __LIBRPC_NDR_NDR_SEC_H__ */
--- a/source3/librpc/ndr/ndr_sec_helper.c
+++ b/source3/librpc/ndr/ndr_sec_helper.c
@ -1,117 +0,0 @@
 /* 
   Unix SMB/CIFS implementation.
   fast routines for getting the wire size of security objects
   Copyright (C) Andrew Tridgell 2003
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 #include "includes.h"
 /*
  return the wire size of a dom_sid
 */
 size_t ndr_size_dom_sid(const struct dom_sid *sid, int flags)
 {
 	if (!sid) return 0;
 	return 8 + 4*sid->num_auths;
 }
 size_t ndr_size_dom_sid28(const struct dom_sid *sid, int flags)
 {
 	struct dom_sid zero_sid;
 	if (!sid) return 0;
 	ZERO_STRUCT(zero_sid);
 	if (memcmp(&zero_sid, sid, sizeof(zero_sid)) == 0) {
 		return 0;
 	}
 	return 8 + 4*sid->num_auths;
 }
 size_t ndr_size_dom_sid0(const struct dom_sid *sid, int flags)
 {
 	return ndr_size_dom_sid28(sid, flags);
 }
 /*
  return the wire size of a security_ace
 */
 size_t ndr_size_security_ace(const struct security_ace *ace, int flags)
 {
 	if (!ace) return 0;
 	return 8 + ndr_size_dom_sid(&ace->trustee, flags);
 }
 /*
  return the wire size of a security_acl
 */
 size_t ndr_size_security_acl(const struct security_acl *acl, int flags)
 {
 	size_t ret;
 	int i;
 	if (!acl) return 0;
 	ret = 8;
 	for (i=0;i<acl->num_aces;i++) {
 		ret += ndr_size_security_ace(&acl->aces[i], flags);
 	}
 	return ret;
 }
 /*
  return the wire size of a security descriptor
 */
 size_t ndr_size_security_descriptor(const struct security_descriptor *sd, int flags)
 {
 	size_t ret;
 	if (!sd) return 0;
 	ret = 20;
 	ret += ndr_size_dom_sid(sd->owner_sid, flags);
 	ret += ndr_size_dom_sid(sd->group_sid, flags);
 	ret += ndr_size_security_acl(sd->dacl, flags);
 	ret += ndr_size_security_acl(sd->sacl, flags);
 	return ret;
 }
 /*
  print a dom_sid
 */
 void ndr_print_dom_sid(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 {
 	ndr->print(ndr, "%-25s: %s", name, dom_sid_string(ndr, sid));
 }
 void ndr_print_dom_sid2(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 {
 	ndr_print_dom_sid(ndr, name, sid);
 }
 void ndr_print_dom_sid28(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 {
 	ndr_print_dom_sid(ndr, name, sid);
 }
 void ndr_print_dom_sid0(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 {
 	ndr_print_dom_sid(ndr, name, sid);
 }
--- a/source3/librpc/ndr/sid.c
+++ b/source3/librpc/ndr/sid.c
@ -21,6 +21,35 @@
 #include "includes.h"
 /*
  return the wire size of a dom_sid
 */
 size_t ndr_size_dom_sid(const struct dom_sid *sid, int flags)
 {
 	if (!sid) return 0;
 	return 8 + 4*sid->num_auths;
 }
 size_t ndr_size_dom_sid28(const struct dom_sid *sid, int flags)
 {
 	struct dom_sid zero_sid;
 	if (!sid) return 0;
 	ZERO_STRUCT(zero_sid);
 	if (memcmp(&zero_sid, sid, sizeof(zero_sid)) == 0) {
 		return 0;
 	}
 	return 8 + 4*sid->num_auths;
 }
 size_t ndr_size_dom_sid0(const struct dom_sid *sid, int flags)
 {
 	return ndr_size_dom_sid28(sid, flags);
 }
 enum ndr_err_code ndr_push_dom_sid(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *r)
 {
 	uint32_t cntr_sub_auths_0;
@ -228,3 +257,27 @@ enum ndr_err_code ndr_push_dom_sid0(struct ndr_push *ndr, int ndr_flags, const s
 	return ndr_push_dom_sid(ndr, ndr_flags, sid);
 }
 /*
  print a dom_sid
 */
 void ndr_print_dom_sid(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 {
 	ndr->print(ndr, "%-25s: %s", name, dom_sid_string(ndr, sid));
 }
 void ndr_print_dom_sid2(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 {
 	ndr_print_dom_sid(ndr, name, sid);
 }
 void ndr_print_dom_sid28(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 {
 	ndr_print_dom_sid(ndr, name, sid);
 }
 void ndr_print_dom_sid0(struct ndr_print *ndr, const char *name, const struct dom_sid *sid)
 {
 	ndr_print_dom_sid(ndr, name, sid);
 }
--- a/source3/librpc/ndr/util.c
+++ b/source3/librpc/ndr/util.c
@ -166,7 +166,7 @@ _PUBLIC_ void ndr_print_sockaddr_storage(struct ndr_print *ndr, const char *name
 	ndr->print(ndr, "%-25s: %s", name, print_sockaddr(addr, sizeof(addr), ss));
 }
-void *global_loadparm;
+void *global_iconv_convenience;
 void *cmdline_lp_ctx;
 struct smb_iconv_convenience *lp_iconv_convenience(void *lp_ctx)
 {
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@ -516,7 +516,7 @@ static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli)
 	p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, STR_TERMINATE);
 	/* w2k with kerberos doesn't properly null terminate this field */
-	len = smb_buflen(cli->inbuf) - PTR_DIFF(p, smb_buf(cli->inbuf));
+	len = smb_bufrem(cli->inbuf, p);
 	p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), len, 0);
 	return blob2;
--- a/source3/libsmb/doserr.c
+++ b/source3/libsmb/doserr.c
@ -1,202 +0,0 @@
 /*
 *  Unix SMB/CIFS implementation.
 *  DOS error routines
 *  Copyright (C) Tim Potter 2002.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, see <http://www.gnu.org/licenses/>.
 */
 /* DOS error codes.  please read doserr.h */
 #include "includes.h"
 typedef const struct {
 	const char *dos_errstr;
 	WERROR werror;
 } werror_code_struct;
 typedef const struct {
 	WERROR werror;
 	const char *friendly_errstr;
 } werror_str_struct;
 werror_code_struct dos_errs[] =
 {
 	{ "WERR_OK", WERR_OK },
 	{ "WERR_GENERAL_FAILURE", WERR_GENERAL_FAILURE },
 	{ "WERR_BADFILE", WERR_BADFILE },
 	{ "WERR_ACCESS_DENIED", WERR_ACCESS_DENIED },
 	{ "WERR_BADFID", WERR_BADFID },
 	{ "WERR_BADFUNC", WERR_BADFUNC },
 	{ "WERR_INSUFFICIENT_BUFFER", WERR_INSUFFICIENT_BUFFER },
 	{ "WERR_SEM_TIMEOUT", WERR_SEM_TIMEOUT },
 	{ "WERR_NO_SUCH_SHARE", WERR_NO_SUCH_SHARE },
 	{ "WERR_FILE_EXISTS", WERR_FILE_EXISTS },
 	{ "WERR_INVALID_PARAM", WERR_INVALID_PARAM },
 	{ "WERR_NOT_SUPPORTED", WERR_NOT_SUPPORTED },
 	{ "WERR_BAD_PASSWORD", WERR_BAD_PASSWORD },
 	{ "WERR_NOMEM", WERR_NOMEM },
 	{ "WERR_INVALID_NAME", WERR_INVALID_NAME },
 	{ "WERR_UNKNOWN_LEVEL", WERR_UNKNOWN_LEVEL },
 	{ "WERR_OBJECT_PATH_INVALID", WERR_OBJECT_PATH_INVALID },
 	{ "WERR_NO_MORE_ITEMS", WERR_NO_MORE_ITEMS },
 	{ "WERR_MORE_DATA", WERR_MORE_DATA },
 	{ "WERR_UNKNOWN_PRINTER_DRIVER", WERR_UNKNOWN_PRINTER_DRIVER },
 	{ "WERR_INVALID_PRINTER_NAME", WERR_INVALID_PRINTER_NAME },
 	{ "WERR_PRINTER_ALREADY_EXISTS", WERR_PRINTER_ALREADY_EXISTS },
 	{ "WERR_INVALID_DATATYPE", WERR_INVALID_DATATYPE },
 	{ "WERR_INVALID_ENVIRONMENT", WERR_INVALID_ENVIRONMENT },
 	{ "WERR_INVALID_FORM_NAME", WERR_INVALID_FORM_NAME },
 	{ "WERR_INVALID_FORM_SIZE", WERR_INVALID_FORM_SIZE },
 	{ "WERR_BUF_TOO_SMALL", WERR_BUF_TOO_SMALL },
 	{ "WERR_JOB_NOT_FOUND", WERR_JOB_NOT_FOUND },
 	{ "WERR_DEST_NOT_FOUND", WERR_DEST_NOT_FOUND },
 	{ "WERR_GROUP_NOT_FOUND", WERR_GROUP_NOT_FOUND },
 	{ "WERR_USER_NOT_FOUND", WERR_USER_NOT_FOUND },
 	{ "WERR_NOT_LOCAL_DOMAIN", WERR_NOT_LOCAL_DOMAIN },
 	{ "WERR_USER_EXISTS", WERR_USER_EXISTS },
 	{ "WERR_REVISION_MISMATCH", WERR_REVISION_MISMATCH },
 	{ "WERR_NO_LOGON_SERVERS", WERR_NO_LOGON_SERVERS },
 	{ "WERR_NO_SUCH_LOGON_SESSION", WERR_NO_SUCH_LOGON_SESSION },
 	{ "WERR_USER_ALREADY_EXISTS", WERR_USER_ALREADY_EXISTS },
 	{ "WERR_NO_SUCH_USER", WERR_NO_SUCH_USER },
 	{ "WERR_GROUP_EXISTS", WERR_GROUP_EXISTS },
 	{ "WERR_MEMBER_IN_GROUP", WERR_MEMBER_IN_GROUP },
 	{ "WERR_USER_NOT_IN_GROUP", WERR_USER_NOT_IN_GROUP },
 	{ "WERR_PRINTER_DRIVER_IN_USE", WERR_PRINTER_DRIVER_IN_USE },
 	{ "WERR_STATUS_MORE_ENTRIES  ", WERR_STATUS_MORE_ENTRIES },
 	{ "WERR_DFS_NO_SUCH_VOL", WERR_DFS_NO_SUCH_VOL },
 	{ "WERR_DFS_NO_SUCH_SHARE", WERR_DFS_NO_SUCH_SHARE },
 	{ "WERR_DFS_NO_SUCH_SERVER", WERR_DFS_NO_SUCH_SERVER },
 	{ "WERR_DFS_INTERNAL_ERROR", WERR_DFS_INTERNAL_ERROR },
 	{ "WERR_DFS_CANT_CREATE_JUNCT", WERR_DFS_CANT_CREATE_JUNCT },
 	{ "WERR_INVALID_COMPUTERNAME", WERR_INVALID_COMPUTERNAME },
 	{ "WERR_INVALID_DOMAINNAME", WERR_INVALID_DOMAINNAME },
 	{ "WERR_MACHINE_LOCKED", WERR_MACHINE_LOCKED },
 	{ "WERR_DC_NOT_FOUND", WERR_DC_NOT_FOUND },
 	{ "WERR_SETUP_NOT_JOINED", WERR_SETUP_NOT_JOINED },
 	{ "WERR_SETUP_ALREADY_JOINED", WERR_SETUP_ALREADY_JOINED },
 	{ "WERR_SETUP_DOMAIN_CONTROLLER", WERR_SETUP_DOMAIN_CONTROLLER },
 	{ "WERR_DEFAULT_JOIN_REQUIRED", WERR_DEFAULT_JOIN_REQUIRED },
 	{ "WERR_DEVICE_NOT_AVAILABLE", WERR_DEVICE_NOT_AVAILABLE },
 	{ "WERR_LOGON_FAILURE", WERR_LOGON_FAILURE },
 	{ "WERR_WRONG_PASSWORD", WERR_WRONG_PASSWORD },
 	{ "WERR_PASSWORD_RESTRICTION", WERR_PASSWORD_RESTRICTION },
 	{ "WERR_NO_SUCH_DOMAIN", WERR_NO_SUCH_DOMAIN },
 	{ "WERR_NONE_MAPPED", WERR_NONE_MAPPED },
 	{ "WERR_INVALID_SECURITY_DESCRIPTOR", WERR_INVALID_SECURITY_DESCRIPTOR },
 	{ "WERR_INVALID_DOMAIN_STATE", WERR_INVALID_DOMAIN_STATE },
 	{ "WERR_INVALID_DOMAIN_ROLE", WERR_INVALID_DOMAIN_ROLE },
 	{ "WERR_SPECIAL_ACCOUNT", WERR_SPECIAL_ACCOUNT },
 	{ "WERR_ALIAS_EXISTS", WERR_ALIAS_EXISTS },
 	{ "WERR_NO_SUCH_ALIAS", WERR_NO_SUCH_ALIAS },
 	{ "WERR_MEMBER_IN_ALIAS", WERR_MEMBER_IN_ALIAS },
 	{ "WERR_TIME_SKEW", WERR_TIME_SKEW },
 	{ "WERR_INVALID_OWNER", WERR_INVALID_OWNER },
 	{ "WERR_SERVER_UNAVAILABLE", WERR_SERVER_UNAVAILABLE },
 	{ "WERR_IO_PENDING", WERR_IO_PENDING },
 	{ "WERR_INVALID_SERVICE_CONTROL", WERR_INVALID_SERVICE_CONTROL },
 	{ "WERR_SERVICE_ALREADY_RUNNING", WERR_SERVICE_ALREADY_RUNNING },
 	{ "WERR_NET_NAME_NOT_FOUND", WERR_NET_NAME_NOT_FOUND },
 	{ "WERR_REG_CORRUPT", WERR_REG_CORRUPT },
 	{ "WERR_REG_IO_FAILURE", WERR_REG_IO_FAILURE },
 	{ "WERR_REG_FILE_INVALID", WERR_REG_FILE_INVALID },
 	{ "WERR_NO_SUCH_SERVICE", WERR_NO_SUCH_SERVICE },
 	{ "WERR_SERVICE_DISABLED", WERR_SERVICE_DISABLED },
 	{ "WERR_SERVICE_NEVER_STARTED", WERR_SERVICE_NEVER_STARTED },
 	{ "WERR_NOT_FOUND", WERR_NOT_FOUND },
 	{ "WERR_CAN_NOT_COMPLETE", WERR_CAN_NOT_COMPLETE},
 	{ "WERR_INVALID_FLAGS", WERR_INVALID_FLAGS},
 	{ "WERR_PASSWORD_MUST_CHANGE", WERR_PASSWORD_MUST_CHANGE },
 	{ "WERR_DOMAIN_CONTROLLER_NOT_FOUND", WERR_DOMAIN_CONTROLLER_NOT_FOUND },
 	{ "WERR_ACCOUNT_LOCKED_OUT", WERR_ACCOUNT_LOCKED_OUT },
 	{ "WERR_DS_DRA_BAD_DN", WERR_DS_DRA_BAD_DN },
 	{ "WERR_DS_DRA_BAD_NC", WERR_DS_DRA_BAD_NC },
 	{ NULL, W_ERROR(0) }
 };
 werror_str_struct dos_err_strs[] = {
 	{ WERR_OK, "Success" },
 	{ WERR_ACCESS_DENIED, "Access is denied" },
 	{ WERR_INVALID_PARAM, "Invalid parameter" },
 	{ WERR_NOT_SUPPORTED, "Not supported" },
 	{ WERR_BAD_PASSWORD, "A bad password was supplied" },
 	{ WERR_NOMEM, "Out of memory" },
 	{ WERR_NO_LOGON_SERVERS, "No logon servers found" },
 	{ WERR_NO_SUCH_LOGON_SESSION, "No such logon session" },
 	{ WERR_DOMAIN_CONTROLLER_NOT_FOUND, "A domain controller could not be found" },
 	{ WERR_DC_NOT_FOUND, "A domain controller could not be found" },
 	{ WERR_SETUP_NOT_JOINED, "Join failed" },
 	{ WERR_SETUP_ALREADY_JOINED, "Machine is already joined" },
 	{ WERR_SETUP_DOMAIN_CONTROLLER, "Machine is a Domain Controller" },
 	{ WERR_LOGON_FAILURE, "Invalid logon credentials" },
 	{ WERR_USER_EXISTS, "User account already exists" },
 	{ WERR_PASSWORD_MUST_CHANGE, "The password must be changed" },
 	{ WERR_ACCOUNT_LOCKED_OUT, "Account locked out" },
 	{ WERR_TIME_SKEW, "Time difference between client and server" },
 	{ WERR_USER_ALREADY_EXISTS, "User already exists" },
 	{ WERR_PASSWORD_RESTRICTION, "Password does not meet restrictions" },
 	{ WERR_NONE_MAPPED, "Could not map names to SIDs" },
 	{ WERR_NO_SUCH_USER, "No such User" },
 	{ WERR_GROUP_EXISTS, "Group already exists" },
 	{ WERR_DS_DRA_BAD_DN, "An invalid distinguished name was specified for this replication" },
 	{ WERR_DS_DRA_BAD_NC, "An invalid naming context was specified for this replication operation" },
 	{ WERR_WRONG_PASSWORD, "The current password is incorrect" }
 };
 /*****************************************************************************
 Returns a DOS error message.  not amazingly helpful, but better than a number.
 *****************************************************************************/
 const char *dos_errstr(WERROR werror)
 {
 	char *result;
        int idx = 0;
 	while (dos_errs[idx].dos_errstr != NULL) {
 		if (W_ERROR_V(dos_errs[idx].werror) ==
                    W_ERROR_V(werror))
                        return dos_errs[idx].dos_errstr;
 		idx++;
 	}
 	result = talloc_asprintf(talloc_tos(), "DOS code 0x%08x",
 				 W_ERROR_V(werror));
 	SMB_ASSERT(result != NULL);
        return result;
 }
 /*****************************************************************************
 Get friendly error string for WERRORs
 *****************************************************************************/
 const char *get_friendly_werror_msg(WERROR werror)
 {
 	int i = 0;
 	for (i = 0; i < ARRAY_SIZE(dos_err_strs); i++) {
 		if (W_ERROR_V(dos_err_strs[i].werror) ==
                    W_ERROR_V(werror)) {
 			return dos_err_strs[i].friendly_errstr;
 		}
 	}
 	return dos_errstr(werror);
 }
 /* compat function for samba4 */
 const char *win_errstr(WERROR werror)
 {
 	return dos_errstr(werror);
 }
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@ -1040,6 +1040,8 @@ static NTSTATUS process_dc_netbios(TALLOC_CTX *mem_ctx,
 			r->data.nt4 = logon1;
 			r->ntver = nt_version;
 			map_netlogon_samlogon_response(r);
 			namecache_store(tmp_dc_name, NBT_NAME_SERVER, 1, &ip_list);
 			goto make_reply;
--- a/source3/libsmb/nterr.c
+++ b/source3/libsmb/nterr.c
@ -532,6 +532,7 @@ static const nt_err_code_struct nt_errs[] =
 	{ "NT_STATUS_TOO_MANY_LINKS", NT_STATUS_TOO_MANY_LINKS },
 	{ "NT_STATUS_QUOTA_LIST_INCONSISTENT", NT_STATUS_QUOTA_LIST_INCONSISTENT },
 	{ "NT_STATUS_FILE_IS_OFFLINE", NT_STATUS_FILE_IS_OFFLINE },
 	{ "NT_STATUS_DS_BUSY", NT_STATUS_DS_BUSY },
 	{ "NT_STATUS_DS_NO_MORE_RIDS", NT_STATUS_DS_NO_MORE_RIDS },
 	{ "NT_STATUS_NOT_A_REPARSE_POINT", NT_STATUS_NOT_A_REPARSE_POINT },
 	{ "NT_STATUS_DOWNGRADE_DETECTED", NT_STATUS_DOWNGRADE_DETECTED },
--- a/source3/libsmb/ntlm_check.c
+++ b/source3/libsmb/ntlm_check.c
@ -40,19 +40,19 @@ static bool smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
 	if (part_passwd == NULL) {
 		DEBUG(10,("No password set - DISALLOWING access\n"));
 		/* No password set - always false ! */
-		return False;
+		return false;
 	}
 	if (sec_blob->length != 8) {
 		DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n", 
 			  (unsigned long)sec_blob->length));
-		return False;
+		return false;
 	}
 	if (nt_response->length != 24) {
 		DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n", 
 			  (unsigned long)nt_response->length));
-		return False;
+		return false;
 	}
 	SMBOWFencrypt(part_passwd, sec_blob->data, p24);
@ -62,7 +62,7 @@ static bool smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
 	}
-#ifdef DEBUG_PASSWORD
+#if DEBUG_PASSWORD
 	DEBUG(100,("Part password (P16) was |\n"));
 	dump_data(100, part_passwd, 16);
 	DEBUGADD(100,("Password from client was |\n"));
@ -80,30 +80,31 @@ static bool smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
 Note:  The same code works with both NTLMv2 and LMv2.
 ****************************************************************************/
-static bool smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
+static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
-				 const uchar *part_passwd,
+				 const DATA_BLOB *ntv2_response,
 				 const uint8_t *part_passwd,
 				 const DATA_BLOB *sec_blob,
 				 const char *user, const char *domain,
 				 bool upper_case_domain, /* should the domain be transformed into upper case? */
 				 DATA_BLOB *user_sess_key)
 {
 	/* Finish the encryption of part_passwd. */
-	uchar kr[16];
+	uint8_t kr[16];
-	uchar value_from_encryption[16];
+	uint8_t value_from_encryption[16];
-	uchar client_response[16];
+	uint8_t client_response[16];
 	DATA_BLOB client_key_data;
 	bool res;
 	if (part_passwd == NULL) {
 		DEBUG(10,("No password set - DISALLOWING access\n"));
-		/* No password set - always False */
+		/* No password set - always false */
-		return False;
+		return false;
 	}
 	if (sec_blob->length != 8) {
 		DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect challenge size (%lu)\n", 
 			  (unsigned long)sec_blob->length));
-		return False;
+		return false;
 	}
 	if (ntv2_response->length < 24) {
@ -112,10 +113,10 @@ static bool smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
 		   for LMv2, let alone NTLMv2. */
 		DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n", 
 			  (unsigned long)ntv2_response->length));
-		return False;
+		return false;
 	}
-	client_key_data = data_blob(ntv2_response->data+16, ntv2_response->length-16);
+	client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
 	/* 
 	   todo:  should we be checking this for anything?  We can't for LMv2, 
 	   but for NTLMv2 it is meant to contain the current time etc.
@ -124,7 +125,7 @@ static bool smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
 	memcpy(client_response, ntv2_response->data, sizeof(client_response));
 	if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
-		return False;
+		return false;
 	}
 	SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
@ -178,7 +179,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 			     const char *username, 
 			     const char *client_username, 
 			     const char *client_domain,
-			     const uint8 *lm_pw, const uint8 *nt_pw, 
+			     const uint8_t *lm_pw, const uint8_t *nt_pw, 
 			     DATA_BLOB *user_sess_key, 
 			     DATA_BLOB *lm_sess_key)
 {
@ -288,7 +289,8 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 			   use it 
 			*/
 			DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n", client_domain));
-			if (smb_pwd_check_ntlmv2( nt_response, 
+			if (smb_pwd_check_ntlmv2(mem_ctx,
 						  nt_response, 
 						  nt_pw, challenge, 
 						  client_username, 
 						  client_domain,
@ -298,17 +300,19 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 			}
 			DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s]\n", client_domain));
-			if (smb_pwd_check_ntlmv2( nt_response, 
+			if (smb_pwd_check_ntlmv2(mem_ctx,
 						  nt_response, 
 						  nt_pw, challenge, 
 						  client_username, 
 						  client_domain,
-						  True,
+						  true,
 						  user_sess_key)) {
 				return NT_STATUS_OK;
 			}
 			DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n"));
-			if (smb_pwd_check_ntlmv2( nt_response, 
+			if (smb_pwd_check_ntlmv2(mem_ctx,
 						  nt_response, 
 						  nt_pw, challenge, 
 						  client_username, 
 						  "",
@ -333,7 +337,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 				   so use it only if we otherwise allow LM authentication */
 				if (lp_lanman_auth() && lm_pw) {
-					uint8 first_8_lm_hash[16];
+					uint8_t first_8_lm_hash[16];
 					memcpy(first_8_lm_hash, lm_pw, 8);
 					memset(first_8_lm_hash + 8, '\0', 8);
 					if (lm_sess_key) {
@ -376,7 +380,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 		if (smb_pwd_check_ntlmv1(lm_response, 
 					 lm_pw, challenge,
 					 NULL)) {
-			uint8 first_8_lm_hash[16];
+			uint8_t first_8_lm_hash[16];
 			memcpy(first_8_lm_hash, lm_pw, 8);
 			memset(first_8_lm_hash + 8, '\0', 8);
 			if (user_sess_key) {
@ -399,31 +403,34 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 	   - related to Win9X, legacy NAS pass-though authentication
 	*/
 	DEBUG(4,("ntlm_password_check: Checking LMv2 password with domain %s\n", client_domain));
-	if (smb_pwd_check_ntlmv2( lm_response, 
+	if (smb_pwd_check_ntlmv2(mem_ctx,
 				 lm_response, 
 				  nt_pw, challenge, 
 				  client_username,
 				  client_domain,
-				  False,
+				  false,
 				  NULL)) {
 		return NT_STATUS_OK;
 	}
 	DEBUG(4,("ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s\n", client_domain));
-	if (smb_pwd_check_ntlmv2( lm_response, 
+	if (smb_pwd_check_ntlmv2(mem_ctx,
 				 lm_response, 
 				  nt_pw, challenge, 
 				  client_username,
 				  client_domain,
-				  True,
+				  true,
 				  NULL)) {
 		return NT_STATUS_OK;
 	}
 	DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n"));
-	if (smb_pwd_check_ntlmv2( lm_response, 
+	if (smb_pwd_check_ntlmv2(mem_ctx,
 				 lm_response, 
 				  nt_pw, challenge, 
 				  client_username,
 				  "",
-				  False,
+				  false,
 				  NULL)) {
 		return NT_STATUS_OK;
 	}
@ -441,7 +448,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 			   allow LM authentication */
 			if (lp_lanman_auth() && lm_pw) {
-				uint8 first_8_lm_hash[16];
+				uint8_t first_8_lm_hash[16];
 				memcpy(first_8_lm_hash, lm_pw, 8);
 				memset(first_8_lm_hash + 8, '\0', 8);
 				if (user_sess_key) {
--- a/source3/modules/gpfs.c
+++ b/source3/modules/gpfs.c
@ -141,40 +141,40 @@ void init_gpfs(void)
 		return;
 	}
-	libgpfs_handle = sys_dlopen("libgpfs_gpl.so", RTLD_LAZY);
+	libgpfs_handle = dlopen("libgpfs_gpl.so", RTLD_LAZY);
 	if (libgpfs_handle == NULL) {
-		DEBUG(10, ("sys_dlopen for libgpfs_gpl failed: %s\n",
+		DEBUG(10, ("dlopen for libgpfs_gpl failed: %s\n",
 			   strerror(errno)));
 		return;
 	}
 	DEBUG(10, ("libgpfs_gpl.so loaded\n"));
-	gpfs_set_share_fn = sys_dlsym(libgpfs_handle, "gpfs_set_share");
+	gpfs_set_share_fn = dlsym(libgpfs_handle, "gpfs_set_share");
 	if (gpfs_set_share_fn == NULL) {
 		DEBUG(3, ("libgpfs_gpl.so does not contain the symbol "
 			  "'gpfs_set_share'\n"));
 		goto failed;
 	}
-	gpfs_set_lease_fn = sys_dlsym(libgpfs_handle, "gpfs_set_lease");
+	gpfs_set_lease_fn = dlsym(libgpfs_handle, "gpfs_set_lease");
 	if (gpfs_set_lease_fn == NULL) {
 		DEBUG(3, ("libgpfs_gpl.so does not contain the symbol "
 			  "'gpfs_set_lease'\n"));
-		sys_dlclose(libgpfs_handle);
+		dlclose(libgpfs_handle);
 		goto failed;
 	}
-	gpfs_getacl_fn = sys_dlsym(libgpfs_handle, "gpfs_getacl");
+	gpfs_getacl_fn = dlsym(libgpfs_handle, "gpfs_getacl");
 	if (gpfs_getacl_fn == NULL) {
 		DEBUG(3, ("libgpfs_gpl.so does not contain the symbol "
 			  "'gpfs_getacl'\n"));
 		goto failed;
 	}
-	gpfs_putacl_fn = sys_dlsym(libgpfs_handle, "gpfs_putacl");
+	gpfs_putacl_fn = dlsym(libgpfs_handle, "gpfs_putacl");
 	if (gpfs_putacl_fn == NULL) {
 		DEBUG(3, ("libgpfs_gpl.so does not contain the symbol "
 			  "'gpfs_putacl'\n"));
@ -187,7 +187,7 @@ void init_gpfs(void)
 	return;
 failed:
-	sys_dlclose(libgpfs_handle);
+	dlclose(libgpfs_handle);
 	/* leave libgpfs_handle != NULL around, no point
 	   in trying twice */
 	gpfs_set_share_fn = NULL;
--- a/source3/modules/vfs_acl_tdb.c
+++ b/source3/modules/vfs_acl_tdb.c
@ -0,0 +1,843 @@
 /*
 * Store Windows ACLs in xattrs, or a tdb if configured that way.
 *
 * Copyright (C) Volker Lendecke, 2008
 * Copyright (C) Jeremy Allison, 2008
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 */
 /* NOTE: This is an experimental module, not yet finished. JRA. */
 #include "includes.h"
 #include "librpc/gen_ndr/xattr.h"
 #include "librpc/gen_ndr/ndr_xattr.h"
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_VFS
 static unsigned int ref_count;
 static struct db_context *acl_db;
 /*******************************************************************
 Open acl_db if not already open, increment ref count.
 *******************************************************************/
 static bool acl_tdb_init(struct db_context **pp_db)
 {
 	const char *dbname;
 	if (acl_db) {
 		*pp_db = acl_db;
 		ref_count++;
 		return true;
 	}
 	dbname = lock_path("file_ntacls.tdb");
 	if (dbname == NULL) {
 		errno = ENOSYS;
 		return false;
 	}
 	become_root();
 	*pp_db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
 	unbecome_root();
 	if (*pp_db == NULL) {
 #if defined(ENOTSUP)
 		errno = ENOTSUP;
 #else
 		errno = ENOSYS;
 #endif
 		return false;
 	}
 	ref_count++;
 	return true;
 }
 /*******************************************************************
 Lower ref count and close acl_db if zero.
 *******************************************************************/
 static void free_acl_xattr_data(void **pptr)
 {
 	struct db_context **pp_db = (struct db_context **)pptr;
 	ref_count--;
 	if (ref_count == 0) {
 		TALLOC_FREE(*pp_db);
 		acl_db = NULL;
 	}
 }
 /*******************************************************************
 Fetch_lock the tdb acl record for a file
 *******************************************************************/
 static struct db_record *acl_xattr_tdb_lock(TALLOC_CTX *mem_ctx,
 					struct db_context *db,
 					const struct file_id *id)
 {
 	uint8 id_buf[16];
 	push_file_id_16((char *)id_buf, id);
 	return db->fetch_locked(db,
 				mem_ctx,
 				make_tdb_data(id_buf,
 					sizeof(id_buf)));
 }
 /*******************************************************************
 Parse out a struct security_descriptor from a DATA_BLOB.
 *******************************************************************/
 static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
 				uint32 security_info,
 				struct security_descriptor **ppdesc)
 {
 	TALLOC_CTX *ctx = talloc_tos();
 	struct xattr_NTACL xacl;
 	enum ndr_err_code ndr_err;
 	size_t sd_size;
 	ndr_err = ndr_pull_struct_blob(pblob, ctx, NULL, &xacl,
 			(ndr_pull_flags_fn_t)ndr_pull_xattr_NTACL);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n",
 			ndr_errstr(ndr_err)));
 		return ndr_map_error2ntstatus(ndr_err);;
 	}
 	if (xacl.version != 2) {
 		return NT_STATUS_REVISION_MISMATCH;
 	}
 	*ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_ts->sd->type | SEC_DESC_SELF_RELATIVE,
 			(security_info & OWNER_SECURITY_INFORMATION)
 			? xacl.info.sd_ts->sd->owner_sid : NULL,
 			(security_info & GROUP_SECURITY_INFORMATION)
 			? xacl.info.sd_ts->sd->group_sid : NULL,
 			(security_info & SACL_SECURITY_INFORMATION)
 			? xacl.info.sd_ts->sd->sacl : NULL,
 			(security_info & DACL_SECURITY_INFORMATION)
 			? xacl.info.sd_ts->sd->dacl : NULL,
 			&sd_size);
 	TALLOC_FREE(xacl.info.sd);
 	return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
 }
 /*******************************************************************
 Pull a security descriptor into a DATA_BLOB from a tdb store.
 *******************************************************************/
 static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
 			vfs_handle_struct *handle,
 			files_struct *fsp,
 			const char *name,
 			DATA_BLOB *pblob)
 {
 	uint8 id_buf[16];
 	TDB_DATA data;
 	struct file_id id;
 	struct db_context *db;
 	SMB_STRUCT_STAT sbuf;
 	SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context,
 		return NT_STATUS_INTERNAL_DB_CORRUPTION);
 	if (fsp && fsp->fh->fd != -1) {
 		if (SMB_VFS_FSTAT(fsp, &sbuf) == -1) {
 			return map_nt_error_from_unix(errno);
 		}
 	} else {
 		if (SMB_VFS_STAT(handle->conn, name, &sbuf) == -1) {
 			return map_nt_error_from_unix(errno);
 		}
 	}
 	id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
 	push_file_id_16((char *)id_buf, &id);
 	if (db->fetch(db,
 			ctx,
 			make_tdb_data(id_buf, sizeof(id_buf)),
 			&data) == -1) {
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 	pblob->data = data.dptr;
 	pblob->length = data.dsize;
 	DEBUG(10,("get_acl_blob: returned %u bytes from file %s\n",
 		(unsigned int)data.dsize, name ));
 	if (pblob->length == 0 || pblob->data == NULL) {
 		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
 	}
 	return NT_STATUS_OK;
 }
 /*******************************************************************
 Create a DATA_BLOB from a security descriptor.
 *******************************************************************/
 static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob)
 {
 	struct xattr_NTACL xacl;
 	struct security_descriptor_timestamp sd_ts;
 	enum ndr_err_code ndr_err;
 	TALLOC_CTX *ctx = talloc_tos();
 	struct timespec curr = timespec_current();
 	ZERO_STRUCT(xacl);
 	ZERO_STRUCT(sd_ts);
 	/* Horrid hack as setting an xattr changes the ctime
 	 * on Linux. This gives a race of 1 second during
 	 * which we would not see a POSIX ACL set.
 	 */
 	curr.tv_sec += 1;
 	xacl.version = 2;
 	xacl.info.sd_ts = &sd_ts;
 	xacl.info.sd_ts->sd = CONST_DISCARD(struct security_descriptor *, psd);
 	unix_timespec_to_nt_time(&xacl.info.sd_ts->last_changed, curr);
 	DEBUG(10, ("create_acl_blob: timestamp stored as %s\n",
 		timestring(ctx, curr.tv_sec) ));
 	ndr_err = ndr_push_struct_blob(
 			pblob, ctx, NULL, &xacl,
 			(ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
 			ndr_errstr(ndr_err)));
 		return ndr_map_error2ntstatus(ndr_err);;
 	}
 	return NT_STATUS_OK;
 }
 /*******************************************************************
 Store a DATA_BLOB into a tdb record given an fsp pointer.
 *******************************************************************/
 static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
 				files_struct *fsp,
 				DATA_BLOB *pblob)
 {
 	uint8 id_buf[16];
 	struct file_id id;
 	SMB_STRUCT_STAT sbuf;
 	TDB_DATA data;
 	struct db_context *db;
 	struct db_record *rec;
 	DEBUG(10,("store_acl_blob_fsp: storing blob length %u on file %s\n",
 			(unsigned int)pblob->length, fsp->fsp_name));
 	SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context,
 		return NT_STATUS_INTERNAL_DB_CORRUPTION);
 	if (fsp->fh->fd != -1) {
 		if (SMB_VFS_FSTAT(fsp, &sbuf) == -1) {
 			return map_nt_error_from_unix(errno);
 		}
 	} else {
 		if (SMB_VFS_STAT(handle->conn, fsp->fsp_name, &sbuf) == -1) {
 			return map_nt_error_from_unix(errno);
 		}
 	}
 	id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
 	push_file_id_16((char *)id_buf, &id);
 	rec = db->fetch_locked(db, talloc_tos(),
 				make_tdb_data(id_buf,
 					sizeof(id_buf)));
 	if (rec == NULL) {
 		DEBUG(0, ("store_acl_blob_fsp_tdb: fetch_lock failed\n"));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 	data.dptr = pblob->data;
 	data.dsize = pblob->length;
 	return rec->store(rec, data, 0);
 }
 /*******************************************************************
 Store a DATA_BLOB into a tdb record given a pathname.
 *******************************************************************/
 static NTSTATUS store_acl_blob_pathname(vfs_handle_struct *handle,
 					const char *fname,
 					DATA_BLOB *pblob)
 {
 	uint8 id_buf[16];
 	struct file_id id;
 	TDB_DATA data;
 	SMB_STRUCT_STAT sbuf;
 	struct db_context *db;
 	struct db_record *rec;
 	DEBUG(10,("store_acl_blob_pathname: storing blob "
 			"length %u on file %s\n",
 			(unsigned int)pblob->length, fname));
 	SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context,
 		return NT_STATUS_INTERNAL_DB_CORRUPTION);
 	if (SMB_VFS_STAT(handle->conn, fname, &sbuf) == -1) {
 		return map_nt_error_from_unix(errno);
 	}
 	id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
 	push_file_id_16((char *)id_buf, &id);
 	rec = db->fetch_locked(db, talloc_tos(),
 				make_tdb_data(id_buf,
 					sizeof(id_buf)));
 	if (rec == NULL) {
 		DEBUG(0, ("store_acl_blob_pathname_tdb: fetch_lock failed\n"));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 	data.dptr = pblob->data;
 	data.dsize = pblob->length;
 	return rec->store(rec, data, 0);
 }
 /*******************************************************************
 Store a DATA_BLOB into an xattr given a pathname.
 *******************************************************************/
 static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
 					files_struct *fsp,
 					const char *name,
 				        uint32 security_info,
 					struct security_descriptor **ppdesc)
 {
 	TALLOC_CTX *ctx = talloc_tos();
 	DATA_BLOB blob;
 	NTSTATUS status;
 	if (fsp && name == NULL) {
 		name = fsp->fsp_name;
 	}
 	DEBUG(10, ("get_nt_acl_xattr_internal: name=%s\n", name));
 	status = get_acl_blob(ctx, handle, fsp, name, &blob);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10, ("get_acl_blob returned %s\n", nt_errstr(status)));
 		return status;
 	}
 	status = parse_acl_blob(&blob, security_info, ppdesc);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10, ("parse_acl_blob returned %s\n",
 				nt_errstr(status)));
 		return status;
 	}
 	TALLOC_FREE(blob.data);
 	return status;
 }
 /*********************************************************************
 Create a default security descriptor for a file in case no inheritance
 exists. All permissions to the owner and SYSTEM.
 *********************************************************************/
 static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx,
 						SMB_STRUCT_STAT *psbuf)
 {
 	struct dom_sid owner_sid, group_sid;
 	size_t sd_size;
 	struct security_ace *pace = NULL;
 	struct security_acl *pacl = NULL;
 	uid_to_sid(&owner_sid, psbuf->st_uid);
 	gid_to_sid(&group_sid, psbuf->st_gid);
 	pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 2);
 	if (!pace) {
 		return NULL;
 	}
 	init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
 			SEC_RIGHTS_FILE_ALL, 0);
 	init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED,
 			SEC_RIGHTS_FILE_ALL, 0);
 	pacl = make_sec_acl(mem_ctx,
 				NT4_ACL_REVISION,
 				2,
 				pace);
 	if (!pacl) {
 		return NULL;
 	}
 	return make_sec_desc(mem_ctx,
 			SECURITY_DESCRIPTOR_REVISION_1,
 			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
 			&owner_sid,
 			&group_sid,
 			NULL,
                        pacl,
 			&sd_size);
 }
 /*********************************************************************
 *********************************************************************/
 static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
 					const char *fname,
 					files_struct *fsp,
 					bool container)
 {
 	TALLOC_CTX *ctx = talloc_tos();
 	NTSTATUS status;
 	struct security_descriptor *parent_desc = NULL;
 	struct security_descriptor *psd = NULL;
 	DATA_BLOB blob;
 	size_t size;
 	char *parent_name;
 	if (!parent_dirname_talloc(ctx,
 				fname,
 				&parent_name,
 				NULL)) {
 		return NT_STATUS_NO_MEMORY;
 	}
 	DEBUG(10,("inherit_new_acl: check directory %s\n",
 			parent_name));
 	status = get_nt_acl_xattr_internal(handle,
 					NULL,
 					parent_name,
 					(OWNER_SECURITY_INFORMATION |
 					 GROUP_SECURITY_INFORMATION |
 					 DACL_SECURITY_INFORMATION),
 					&parent_desc);
        if (NT_STATUS_IS_OK(status)) {
 		/* Create an inherited descriptor from the parent. */
 		if (DEBUGLEVEL >= 10) {
 			DEBUG(10,("inherit_new_acl: parent acl is:\n"));
 			NDR_PRINT_DEBUG(security_descriptor, parent_desc);
 		}
 		status = se_create_child_secdesc(ctx,
 				&psd,
 				&size,
 				parent_desc,
 				&handle->conn->server_info->ptok->user_sids[PRIMARY_USER_SID_INDEX],
 				&handle->conn->server_info->ptok->user_sids[PRIMARY_GROUP_SID_INDEX],
 				container);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
 		if (DEBUGLEVEL >= 10) {
 			DEBUG(10,("inherit_new_acl: child acl is:\n"));
 			NDR_PRINT_DEBUG(security_descriptor, psd);
 		}
 	} else {
 		DEBUG(10,("inherit_new_acl: directory %s failed "
 			"to get acl %s\n",
 			parent_name,
 			nt_errstr(status) ));
 	}
 	if (!psd || psd->dacl == NULL) {
 		SMB_STRUCT_STAT sbuf;
 		int ret;
 		TALLOC_FREE(psd);
 		if (fsp && !fsp->is_directory && fsp->fh->fd != -1) {
 			ret = SMB_VFS_FSTAT(fsp, &sbuf);
 		} else {
 			ret = SMB_VFS_STAT(handle->conn,fname, &sbuf);
 		}
 		if (ret == -1) {
 			return map_nt_error_from_unix(errno);
 		}
 		psd = default_file_sd(ctx, &sbuf);
 		if (!psd) {
 			return NT_STATUS_NO_MEMORY;
 		}
 		if (DEBUGLEVEL >= 10) {
 			DEBUG(10,("inherit_new_acl: default acl is:\n"));
 			NDR_PRINT_DEBUG(security_descriptor, psd);
 		}
 	}
 	status = create_acl_blob(psd, &blob);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 	if (fsp) {
 		return store_acl_blob_fsp(handle, fsp, &blob);
 	} else {
 		return store_acl_blob_pathname(handle, fname, &blob);
 	}
 }
 /*********************************************************************
 Check ACL on open. For new files inherit from parent directory.
 *********************************************************************/
 static int open_acl_xattr(vfs_handle_struct *handle,
 					const char *fname,
 					files_struct *fsp,
 					int flags,
 					mode_t mode)
 {
 	uint32_t access_granted = 0;
 	struct security_descriptor *pdesc = NULL;
 	bool file_existed = true;
 	NTSTATUS status = get_nt_acl_xattr_internal(handle,
 					NULL,
 					fname,
 					(OWNER_SECURITY_INFORMATION |
 					 GROUP_SECURITY_INFORMATION |
 					 DACL_SECURITY_INFORMATION),
 					&pdesc);
        if (NT_STATUS_IS_OK(status)) {
 		/* See if we can access it. */
 		status = smb1_file_se_access_check(pdesc,
 					handle->conn->server_info->ptok,
 					fsp->access_mask,
 					&access_granted);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(10,("open_acl_xattr: file %s open "
 				"refused with error %s\n",
 				fname,
 				nt_errstr(status) ));
 			errno = map_errno_from_nt_status(status);
 			return -1;
 		}
        } else if (NT_STATUS_EQUAL(status,NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
 		file_existed = false;
 	}
 	DEBUG(10,("open_acl_xattr: get_nt_acl_attr_internal for "
 		"file %s returned %s\n",
 		fname,
 		nt_errstr(status) ));
 	fsp->fh->fd = SMB_VFS_NEXT_OPEN(handle, fname, fsp, flags, mode);
 	if (!file_existed && fsp->fh->fd != -1) {
 		/* File was created. Inherit from parent directory. */
 		string_set(&fsp->fsp_name, fname);
 		inherit_new_acl(handle, fname, fsp, false);
 	}
 	return fsp->fh->fd;
 }
 /*********************************************************************
 On unlink we need to delete the tdb record (if using tdb).
 *********************************************************************/
 static int unlink_acl_xattr(vfs_handle_struct *handle, const char *path)
 {
 	SMB_STRUCT_STAT sbuf;
 	struct file_id id;
 	struct db_context *db;
 	struct db_record *rec;
 	int ret;
 	SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, return -1);
 	if (SMB_VFS_STAT(handle->conn, path, &sbuf) == -1) {
 		return -1;
 	}
 	ret = SMB_VFS_NEXT_UNLINK(handle, path);
 	if (ret == -1) {
 		return -1;
 	}
 	id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
 	rec = acl_xattr_tdb_lock(talloc_tos(), db, &id);
 	/*
 	 * If rec == NULL there's not much we can do about it
 	 */
 	if (rec == NULL) {
 		DEBUG(10,("unlink_acl_xattr: path %s rec == NULL\n",
 			path ));
 		TALLOC_FREE(rec);
 		return 0;
 	}
 	rec->delete_rec(rec);
 	TALLOC_FREE(rec);
 	return 0;
 }
 /*********************************************************************
 Store an inherited SD on mkdir.
 *********************************************************************/
 static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t mode)
 {
 	int ret = SMB_VFS_NEXT_MKDIR(handle, path, mode);
 	if (ret == -1) {
 		return ret;
 	}
 	/* New directory - inherit from parent. */
 	inherit_new_acl(handle, path, NULL, true);
 	return ret;
 }
 /*********************************************************************
 On rmdir we need to delete the tdb record (if using tdb).
 *********************************************************************/
 static int rmdir_acl_xattr(vfs_handle_struct *handle, const char *path)
 {
 	SMB_STRUCT_STAT sbuf;
 	struct file_id id;
 	struct db_context *db;
 	struct db_record *rec;
 	int ret;
 	SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, return -1);
 	if (SMB_VFS_STAT(handle->conn, path, &sbuf) == -1) {
 		return -1;
 	}
 	ret = SMB_VFS_NEXT_RMDIR(handle, path);
 	if (ret == -1) {
 		return -1;
 	}
 	id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
 	rec = acl_xattr_tdb_lock(talloc_tos(), db, &id);
 	/*
 	 * If rec == NULL there's not much we can do about it
 	 */
 	if (rec == NULL) {
 		DEBUG(10,("rmdir_acl_xattr: path %s rec == NULL\n",
 			path ));
 		TALLOC_FREE(rec);
 		return 0;
 	}
 	rec->delete_rec(rec);
 	TALLOC_FREE(rec);
 	return 0;
 }
 /*********************************************************************
 Fetch a security descriptor given an fsp.
 *********************************************************************/
 static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
        uint32 security_info, struct security_descriptor **ppdesc)
 {
 	NTSTATUS status = get_nt_acl_xattr_internal(handle, fsp,
 				NULL, security_info, ppdesc);
 	if (NT_STATUS_IS_OK(status)) {
 		if (DEBUGLEVEL >= 10) {
 			DEBUG(10,("fget_nt_acl_xattr: returning xattr sd for file %s\n",
 				fsp->fsp_name));
 			NDR_PRINT_DEBUG(security_descriptor, *ppdesc);
 		}
 		return NT_STATUS_OK;
 	}
 	DEBUG(10,("fget_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n",
 			fsp->fsp_name,
 			nt_errstr(status) ));
 	return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp,
 			security_info, ppdesc);
 }
 /*********************************************************************
 Fetch a security descriptor given a pathname.
 *********************************************************************/
 static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
        const char *name, uint32 security_info, struct security_descriptor **ppdesc)
 {
 	NTSTATUS status = get_nt_acl_xattr_internal(handle, NULL,
 				name, security_info, ppdesc);
 	if (NT_STATUS_IS_OK(status)) {
 		if (DEBUGLEVEL >= 10) {
 			DEBUG(10,("get_nt_acl_xattr: returning xattr sd for file %s\n",
 				name));
 			NDR_PRINT_DEBUG(security_descriptor, *ppdesc);
 		}
 		return NT_STATUS_OK;
 	}
 	DEBUG(10,("get_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n",
 			name,
 			nt_errstr(status) ));
 	return SMB_VFS_NEXT_GET_NT_ACL(handle, name,
 			security_info, ppdesc);
 }
 /*********************************************************************
 Store a security descriptor given an fsp.
 *********************************************************************/
 static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
        uint32 security_info_sent, const struct security_descriptor *psd)
 {
 	NTSTATUS status;
 	DATA_BLOB blob;
 	if (DEBUGLEVEL >= 10) {
 		DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
 			fsp->fsp_name));
 		NDR_PRINT_DEBUG(security_descriptor,
 			CONST_DISCARD(struct security_descriptor *,psd));
 	}
 	status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 	/* Ensure owner and group are set. */
 	if (!psd->owner_sid || !psd->group_sid) {
 		int ret;
 		SMB_STRUCT_STAT sbuf;
 		DOM_SID owner_sid, group_sid;
 		struct security_descriptor *nc_psd = dup_sec_desc(talloc_tos(), psd);
 		if (!nc_psd) {
 			return NT_STATUS_OK;
 		}
 		if (fsp->is_directory || fsp->fh->fd == -1) {
 			ret = SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf);
 		} else {
 			ret = SMB_VFS_FSTAT(fsp, &sbuf);
 		}
 		if (ret == -1) {
 			/* Lower level acl set succeeded,
 			 * so still return OK. */
 			return NT_STATUS_OK;
 		}
 		create_file_sids(&sbuf, &owner_sid, &group_sid);
 		/* This is safe as nc_psd is discarded at fn exit. */
 		nc_psd->owner_sid = &owner_sid;
 		nc_psd->group_sid = &group_sid;
 		security_info_sent |= (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION);
 		psd = nc_psd;
 	}
 	if ((security_info_sent & DACL_SECURITY_INFORMATION) &&
 			psd->dacl != NULL &&
 			(psd->type & (SE_DESC_DACL_AUTO_INHERITED|
 				SE_DESC_DACL_AUTO_INHERIT_REQ))==
 				(SE_DESC_DACL_AUTO_INHERITED|
 				SE_DESC_DACL_AUTO_INHERIT_REQ) ) {
 		struct security_descriptor *new_psd = NULL;
 		status = append_parent_acl(fsp, psd, &new_psd);
 		if (!NT_STATUS_IS_OK(status)) {
 			/* Lower level acl set succeeded,
 			 * so still return OK. */
 			return NT_STATUS_OK;
 		}
 		psd = new_psd;
 	}
 	if (DEBUGLEVEL >= 10) {
 		DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
 			fsp->fsp_name));
 		NDR_PRINT_DEBUG(security_descriptor,
 			CONST_DISCARD(struct security_descriptor *,psd));
 	}
 	create_acl_blob(psd, &blob);
 	store_acl_blob_fsp(handle, fsp, &blob);
 	return NT_STATUS_OK;
 }
 /*******************************************************************
 Handle opening the storage tdb if so configured.
 *******************************************************************/
 static int connect_acl_xattr(struct vfs_handle_struct *handle,
 				const char *service,
 				const char *user)
 {
 	struct db_context *db;
 	int res;
        res = SMB_VFS_NEXT_CONNECT(handle, service, user);
        if (res < 0) {
                return res;
        }
 	if (!acl_tdb_init(&db)) {
 		SMB_VFS_NEXT_DISCONNECT(handle);
 		return -1;
 	}
 	SMB_VFS_HANDLE_SET_DATA(handle, db, free_acl_xattr_data,
 				struct db_context, return -1);
 	return 0;
 }
 /* VFS operations structure */
 static vfs_op_tuple skel_op_tuples[] =
 {
 	{SMB_VFS_OP(connect_acl_xattr), SMB_VFS_OP_CONNECT,  SMB_VFS_LAYER_TRANSPARENT},
 	{SMB_VFS_OP(mkdir_acl_xattr), SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_TRANSPARENT},
 	{SMB_VFS_OP(rmdir_acl_xattr), SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_TRANSPARENT},
 	{SMB_VFS_OP(open_acl_xattr),  SMB_VFS_OP_OPEN,  SMB_VFS_LAYER_TRANSPARENT},
 	{SMB_VFS_OP(unlink_acl_xattr), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT},
        /* NT File ACL operations */
 	{SMB_VFS_OP(fget_nt_acl_xattr),SMB_VFS_OP_FGET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
 	{SMB_VFS_OP(get_nt_acl_xattr), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
 	{SMB_VFS_OP(fset_nt_acl_xattr),SMB_VFS_OP_FSET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
 	{SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
 };
 NTSTATUS vfs_acl_xattr_init(void)
 {
 	return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "acl_tdb", skel_op_tuples);
 }
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@ -27,8 +27,11 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_VFS
 /*******************************************************************
 Parse out a struct security_descriptor from a DATA_BLOB.
 *******************************************************************/
 static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
 				const struct timespec cts,
 				uint32 security_info,
 				struct security_descriptor **ppdesc)
 {
@ -50,31 +53,7 @@ static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
 		return NT_STATUS_REVISION_MISMATCH;
 	}
-#if 0
+	*ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_ts->sd->type | SEC_DESC_SELF_RELATIVE,
 	{
 		struct timespec ts;
 		/* Arg. This doesn't work. Too many activities
 		 * change the ctime. May have to roll back to
 		 * version 1.
 		 */
 		/*
 		 * Check that the ctime timestamp is ealier
 		 * than the stored timestamp.
 		 */
 		ts = nt_time_to_unix_timespec(&xacl.info.sd_ts->last_changed);
 		if (timespec_compare(&cts, &ts) > 0) {
 			DEBUG(5, ("parse_acl_blob: stored ACL out of date "
 				"(%s > %s.\n",
 				timestring(ctx, cts.tv_sec),
 				timestring(ctx, ts.tv_sec)));
 			return NT_STATUS_EA_CORRUPT_ERROR;
 		}
 	}
 #endif
 	*ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE,
 			(security_info & OWNER_SECURITY_INFORMATION)
 			? xacl.info.sd_ts->sd->owner_sid : NULL,
 			(security_info & GROUP_SECURITY_INFORMATION)
@ -90,6 +69,10 @@ static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
 	return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
 }
 /*******************************************************************
 Pull a security descriptor into a DATA_BLOB from a xattr.
 *******************************************************************/
 static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
 			vfs_handle_struct *handle,
 			files_struct *fsp,
@ -144,7 +127,11 @@ static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
 	return NT_STATUS_OK;
 }
-static NTSTATUS create_acl_blob(const SEC_DESC *psd, DATA_BLOB *pblob)
+/*******************************************************************
 Create a DATA_BLOB from a security descriptor.
 *******************************************************************/
 static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob)
 {
 	struct xattr_NTACL xacl;
 	struct security_descriptor_timestamp sd_ts;
@ -163,7 +150,7 @@ static NTSTATUS create_acl_blob(const SEC_DESC *psd, DATA_BLOB *pblob)
 	xacl.version = 2;
 	xacl.info.sd_ts = &sd_ts;
-	xacl.info.sd_ts->sd = CONST_DISCARD(SEC_DESC *, psd);
+	xacl.info.sd_ts->sd = CONST_DISCARD(struct security_descriptor *, psd);
 	unix_timespec_to_nt_time(&xacl.info.sd_ts->last_changed, curr);
 	DEBUG(10, ("create_acl_blob: timestamp stored as %s\n",
@ -182,7 +169,12 @@ static NTSTATUS create_acl_blob(const SEC_DESC *psd, DATA_BLOB *pblob)
 	return NT_STATUS_OK;
 }
-static NTSTATUS store_acl_blob_fsp(files_struct *fsp,
+/*******************************************************************
 Store a DATA_BLOB into an xattr given an fsp pointer.
 *******************************************************************/
 static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
 				files_struct *fsp,
 				DATA_BLOB *pblob)
 {
 	int ret;
@ -215,10 +207,15 @@ static NTSTATUS store_acl_blob_fsp(files_struct *fsp,
 	return NT_STATUS_OK;
 }
-static NTSTATUS store_acl_blob_pathname(connection_struct *conn,
+/*******************************************************************
 Store a DATA_BLOB into an xattr given a pathname.
 *******************************************************************/
 static NTSTATUS store_acl_blob_pathname(vfs_handle_struct *handle,
 					const char *fname,
 					DATA_BLOB *pblob)
 {
 	connection_struct *conn = handle->conn;
 	int ret;
 	int saved_errno = 0;
@ -245,16 +242,18 @@ static NTSTATUS store_acl_blob_pathname(connection_struct *conn,
 	return NT_STATUS_OK;
 }
 /*******************************************************************
 Store a DATA_BLOB into an xattr given a pathname.
 *******************************************************************/
 static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
 					files_struct *fsp,
 					const char *name,
 				        uint32 security_info,
-					SEC_DESC **ppdesc)
+					struct security_descriptor **ppdesc)
 {
 	TALLOC_CTX *ctx = talloc_tos();
 	DATA_BLOB blob;
 	SMB_STRUCT_STAT sbuf;
 	NTSTATUS status;
 	if (fsp && name == NULL) {
@ -269,18 +268,7 @@ static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
 		return status;
 	}
-	if (fsp && fsp->fh->fd != -1) {
+	status = parse_acl_blob(&blob, security_info, ppdesc);
 		if (SMB_VFS_FSTAT(fsp, &sbuf) == -1) {
 			return map_nt_error_from_unix(errno);
 		}
 	} else {
 		if (SMB_VFS_STAT(handle->conn, name, &sbuf) == -1) {
 			return map_nt_error_from_unix(errno);
 		}
 	}
 	status = parse_acl_blob(&blob, get_ctimespec(&sbuf),
 			security_info, ppdesc);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10, ("parse_acl_blob returned %s\n",
 				nt_errstr(status)));
@ -292,8 +280,49 @@ static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
 }
 /*********************************************************************
- * Currently this only works for existing files. Need to work on
+ Create a default security descriptor for a file in case no inheritance
- * inheritance for new files.
+ exists. All permissions to the owner and SYSTEM.
 *********************************************************************/
 static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx,
 						SMB_STRUCT_STAT *psbuf)
 {
 	struct dom_sid owner_sid, group_sid;
 	size_t sd_size;
 	struct security_ace *pace = NULL;
 	struct security_acl *pacl = NULL;
 	uid_to_sid(&owner_sid, psbuf->st_uid);
 	gid_to_sid(&group_sid, psbuf->st_gid);
 	pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 2);
 	if (!pace) {
 		return NULL;
 	}
 	init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
 			SEC_RIGHTS_FILE_ALL, 0);
 	init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED,
 			SEC_RIGHTS_FILE_ALL, 0);
 	pacl = make_sec_acl(mem_ctx,
 				NT4_ACL_REVISION,
 				2,
 				pace);
 	if (!pacl) {
 		return NULL;
 	}
 	return make_sec_desc(mem_ctx,
 			SECURITY_DESCRIPTOR_REVISION_1,
 			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
 			&owner_sid,
 			&group_sid,
 			NULL,
                        pacl,
 			&sd_size);
 }
 /*********************************************************************
 *********************************************************************/
 static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
@ -303,8 +332,8 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
 {
 	TALLOC_CTX *ctx = talloc_tos();
 	NTSTATUS status;
-	SEC_DESC *parent_desc = NULL;
+	struct security_descriptor *parent_desc = NULL;
-	SEC_DESC *psd = NULL;
+	struct security_descriptor *psd = NULL;
 	DATA_BLOB blob;
 	size_t size;
 	char *parent_name;
@ -322,35 +351,73 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
 	status = get_nt_acl_xattr_internal(handle,
 					NULL,
 					parent_name,
-					DACL_SECURITY_INFORMATION,
+					(OWNER_SECURITY_INFORMATION |
 					 GROUP_SECURITY_INFORMATION |
 					 DACL_SECURITY_INFORMATION),
 					&parent_desc);
-        if (!NT_STATUS_IS_OK(status)) {
+        if (NT_STATUS_IS_OK(status)) {
-		DEBUG(10,("inherit_new_acl: directory %s failed "
+		/* Create an inherited descriptor from the parent. */
 			"to get acl %s\n",
 			parent_name,
 			nt_errstr(status) ));
 		return status;
 	}
-	/* Create an inherited descriptor from the parent. */
+		if (DEBUGLEVEL >= 10) {
-	status = se_create_child_secdesc(ctx,
+			DEBUG(10,("inherit_new_acl: parent acl is:\n"));
 			NDR_PRINT_DEBUG(security_descriptor, parent_desc);
 		}
 		status = se_create_child_secdesc(ctx,
 				&psd,
 				&size,
 				parent_desc,
 				&handle->conn->server_info->ptok->user_sids[PRIMARY_USER_SID_INDEX],
 				&handle->conn->server_info->ptok->user_sids[PRIMARY_GROUP_SID_INDEX],
 				container);
-	if (!NT_STATUS_IS_OK(status)) {
+		if (!NT_STATUS_IS_OK(status)) {
-		return status;
+			return status;
 		}
 		if (DEBUGLEVEL >= 10) {
 			DEBUG(10,("inherit_new_acl: child acl is:\n"));
 			NDR_PRINT_DEBUG(security_descriptor, psd);
 		}
 	} else {
 		DEBUG(10,("inherit_new_acl: directory %s failed "
 			"to get acl %s\n",
 			parent_name,
 			nt_errstr(status) ));
 	}
 	if (!psd || psd->dacl == NULL) {
 		SMB_STRUCT_STAT sbuf;
 		int ret;
 		TALLOC_FREE(psd);
 		if (fsp && !fsp->is_directory && fsp->fh->fd != -1) {
 			ret = SMB_VFS_FSTAT(fsp, &sbuf);
 		} else {
 			ret = SMB_VFS_STAT(handle->conn,fname, &sbuf);
 		}
 		if (ret == -1) {
 			return map_nt_error_from_unix(errno);
 		}
 		psd = default_file_sd(ctx, &sbuf);
 		if (!psd) {
 			return NT_STATUS_NO_MEMORY;
 		}
 		if (DEBUGLEVEL >= 10) {
 			DEBUG(10,("inherit_new_acl: default acl is:\n"));
 			NDR_PRINT_DEBUG(security_descriptor, psd);
 		}
 	}
 	status = create_acl_blob(psd, &blob);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 	if (fsp) {
-		return store_acl_blob_fsp(fsp, &blob);
+		return store_acl_blob_fsp(handle, fsp, &blob);
 	} else {
-		return store_acl_blob_pathname(handle->conn, fname, &blob);
+		return store_acl_blob_pathname(handle, fname, &blob);
 	}
 }
@ -365,7 +432,7 @@ static int open_acl_xattr(vfs_handle_struct *handle,
 					mode_t mode)
 {
 	uint32_t access_granted = 0;
-	SEC_DESC *pdesc = NULL;
+	struct security_descriptor *pdesc = NULL;
 	bool file_existed = true;
 	NTSTATUS status = get_nt_acl_xattr_internal(handle,
 					NULL,
@ -376,11 +443,15 @@ static int open_acl_xattr(vfs_handle_struct *handle,
 					&pdesc);
        if (NT_STATUS_IS_OK(status)) {
 		/* See if we can access it. */
-		status = se_access_check(pdesc,
+		status = smb1_file_se_access_check(pdesc,
 					handle->conn->server_info->ptok,
 					fsp->access_mask,
 					&access_granted);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(10,("open_acl_xattr: file %s open "
 				"refused with error %s\n",
 				fname,
 				nt_errstr(status) ));
 			errno = map_errno_from_nt_status(status);
 			return -1;
 		}
@ -416,8 +487,12 @@ static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t m
 	return ret;
 }
 /*********************************************************************
 Fetch a security descriptor given an fsp.
 *********************************************************************/
 static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
-        uint32 security_info, SEC_DESC **ppdesc)
+        uint32 security_info, struct security_descriptor **ppdesc)
 {
 	NTSTATUS status = get_nt_acl_xattr_internal(handle, fsp,
 				NULL, security_info, ppdesc);
@ -429,12 +504,21 @@ static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 		}
 		return NT_STATUS_OK;
 	}
 	DEBUG(10,("fget_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n",
 			fsp->fsp_name,
 			nt_errstr(status) ));
 	return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp,
 			security_info, ppdesc);
 }
 /*********************************************************************
 Fetch a security descriptor given a pathname.
 *********************************************************************/
 static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
-        const char *name, uint32 security_info, SEC_DESC **ppdesc)
+        const char *name, uint32 security_info, struct security_descriptor **ppdesc)
 {
 	NTSTATUS status = get_nt_acl_xattr_internal(handle, NULL,
 				name, security_info, ppdesc);
@ -446,12 +530,21 @@ static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
 		}
 		return NT_STATUS_OK;
 	}
 	DEBUG(10,("get_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n",
 			name,
 			nt_errstr(status) ));
 	return SMB_VFS_NEXT_GET_NT_ACL(handle, name,
 			security_info, ppdesc);
 }
 /*********************************************************************
 Store a security descriptor given an fsp.
 *********************************************************************/
 static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
-        uint32 security_info_sent, const SEC_DESC *psd)
+        uint32 security_info_sent, const struct security_descriptor *psd)
 {
 	NTSTATUS status;
 	DATA_BLOB blob;
@ -460,7 +553,7 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 		DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
 			fsp->fsp_name));
 		NDR_PRINT_DEBUG(security_descriptor,
-			CONST_DISCARD(SEC_DESC *,psd));
+			CONST_DISCARD(struct security_descriptor *,psd));
 	}
 	status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
@ -473,7 +566,7 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 		int ret;
 		SMB_STRUCT_STAT sbuf;
 		DOM_SID owner_sid, group_sid;
-		SEC_DESC *nc_psd = dup_sec_desc(talloc_tos(), psd);
+		struct security_descriptor *nc_psd = dup_sec_desc(talloc_tos(), psd);
 		if (!nc_psd) {
 			return NT_STATUS_OK;
@ -502,7 +595,7 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 				SE_DESC_DACL_AUTO_INHERIT_REQ))==
 				(SE_DESC_DACL_AUTO_INHERITED|
 				SE_DESC_DACL_AUTO_INHERIT_REQ) ) {
-		SEC_DESC *new_psd = NULL;
+		struct security_descriptor *new_psd = NULL;
 		status = append_parent_acl(fsp, psd, &new_psd);
 		if (!NT_STATUS_IS_OK(status)) {
 			/* Lower level acl set succeeded,
@ -516,10 +609,10 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 		DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
 			fsp->fsp_name));
 		NDR_PRINT_DEBUG(security_descriptor,
-			CONST_DISCARD(SEC_DESC *,psd));
+			CONST_DISCARD(struct security_descriptor *,psd));
 	}
 	create_acl_blob(psd, &blob);
-	store_acl_blob_fsp(fsp, &blob);
+	store_acl_blob_fsp(handle, fsp, &blob);
 	return NT_STATUS_OK;
 }
@ -537,7 +630,7 @@ static vfs_op_tuple skel_op_tuples[] =
 	{SMB_VFS_OP(get_nt_acl_xattr), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
 	{SMB_VFS_OP(fset_nt_acl_xattr),SMB_VFS_OP_FSET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
-        {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
+	{SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
 };
 NTSTATUS vfs_acl_xattr_init(void)
--- a/Show More
+++ b/Show More