r26260: Store loadparm context in gensec context.

(This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)

source4/auth/gensec/cyrus_sasl.c

@@ -112,7 +112,7 @@ static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
 	return 0;
 }
 
-static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security, struct loadparm_context *lp_ctx)
+static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
 {
 	struct gensec_sasl_state *gensec_sasl_state;
 	const char *service = gensec_get_target_service(gensec_security);

source4/auth/gensec/gensec.c

@@ -477,6 +477,7 @@ const char **gensec_security_oids(struct gensec_security *gensec_security,
 */
 static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, 
 			     struct event_context *ev,
+			     struct loadparm_context *lp_ctx,
 			     struct messaging_context *msg,
 			     struct gensec_security **gensec_security)
 {
@@ -502,6 +503,7 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
 
 	(*gensec_security)->event_ctx = ev;
 	(*gensec_security)->msg_ctx = msg;
+	(*gensec_security)->lp_ctx = lp_ctx;
 
 	return NT_STATUS_OK;
 }
@@ -528,6 +530,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
 	(*gensec_security)->subcontext = true;
 	(*gensec_security)->event_ctx = parent->event_ctx;
 	(*gensec_security)->msg_ctx = parent->msg_ctx;
+	(*gensec_security)->lp_ctx = parent->lp_ctx;
 
 	return NT_STATUS_OK;
 }
@@ -540,7 +543,8 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
 */
 _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, 
 			     struct gensec_security **gensec_security,
-			     struct event_context *ev)
+			     struct event_context *ev,
+			     struct loadparm_context *lp_ctx)
 {
 	NTSTATUS status;
 	struct event_context *new_ev = NULL;
@@ -551,7 +555,7 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
 		ev = new_ev;
 	}
 
-	status = gensec_start(mem_ctx, ev, NULL, gensec_security);
+	status = gensec_start(mem_ctx, ev, lp_ctx, NULL, gensec_security);
 	if (!NT_STATUS_IS_OK(status)) {
 		talloc_free(new_ev);
 		return status;
@@ -570,6 +574,7 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
 */
 NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, 
 			     struct event_context *ev,
+			     struct loadparm_context *lp_ctx,
 			     struct messaging_context *msg,
 			     struct gensec_security **gensec_security)
 {
@@ -585,7 +590,7 @@ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
-	status = gensec_start(mem_ctx, ev, msg, gensec_security);
+	status = gensec_start(mem_ctx, ev, lp_ctx, msg, gensec_security);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -603,7 +608,7 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
 	switch (gensec_security->gensec_role) {
 	case GENSEC_CLIENT:
 		if (gensec_security->ops->client_start) {
-			status = gensec_security->ops->client_start(gensec_security, global_loadparm);
+			status = gensec_security->ops->client_start(gensec_security);
 			if (!NT_STATUS_IS_OK(status)) {
 				DEBUG(2, ("Failed to start GENSEC client mech %s: %s\n",
 					  gensec_security->ops->name, nt_errstr(status))); 
@@ -1108,7 +1113,7 @@ _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_secu
 _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security) 
 {
 	/* We allow the target hostname to be overriden for testing purposes */
-	const char *target_hostname = lp_parm_string(global_loadparm, NULL, "gensec", "target_hostname");
+	const char *target_hostname = lp_parm_string(gensec_security->lp_ctx, NULL, "gensec", "target_hostname");
 	if (target_hostname) {
 		return target_hostname;
 	}

source4/auth/gensec/gensec.h

@@ -75,15 +75,12 @@ struct gensec_update_request {
 	} callback;
 };
 
-struct loadparm_context;
-
 struct gensec_security_ops {
 	const char *name;
 	const char *sasl_name;
 	uint8_t auth_type;  /* 0 if not offered on DCE-RPC */
 	const char **oid;  /* NULL if not offered by SPNEGO */
-	NTSTATUS (*client_start)(struct gensec_security *gensec_security, 
-				 struct loadparm_context *lp_ctx);
+	NTSTATUS (*client_start)(struct gensec_security *gensec_security);
 	NTSTATUS (*server_start)(struct gensec_security *gensec_security);
 	/**
 	   Determine if a packet has the right 'magic' for this mechanism
@@ -150,6 +147,7 @@ struct gensec_security_ops_wrapper {
 
 struct gensec_security {
 	const struct gensec_security_ops *ops;
+	struct loadparm_context *lp_ctx;
 	void *private_data;
 	struct cli_credentials *credentials;
 	struct gensec_target target;

source4/auth/gensec/gensec_gssapi.c

@@ -142,8 +142,7 @@ static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_st
 	return 0;
 }
 
-static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security,
-				    struct loadparm_context *lp_ctx)
+static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 {
 	struct gensec_gssapi_state *gensec_gssapi_state;
 	krb5_error_code ret;
@@ -156,7 +155,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security,
 	
 	gensec_gssapi_state->gss_exchange_count = 0;
 	gensec_gssapi_state->max_wrap_buf_size
-		= lp_parm_int(lp_ctx, NULL, "gensec_gssapi", "max wrap buf size", 65536);
+		= lp_parm_int(gensec_security->lp_ctx, NULL, "gensec_gssapi", "max wrap buf size", 65536);
 		
 	gensec_gssapi_state->sasl = false;
 	gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
@@ -171,16 +170,16 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security,
 	gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
 	
 	gensec_gssapi_state->want_flags = 0;
-	if (lp_parm_bool(lp_ctx, NULL, "gensec_gssapi", "mutual", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "mutual", true)) {
 		gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
 	}
-	if (lp_parm_bool(lp_ctx, NULL, "gensec_gssapi", "delegation", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "delegation", true)) {
 		gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
 	}
-	if (lp_parm_bool(lp_ctx, NULL, "gensec_gssapi", "replay", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "replay", true)) {
 		gensec_gssapi_state->want_flags |= GSS_C_REPLAY_FLAG;
 	}
-	if (lp_parm_bool(lp_ctx, NULL, "gensec_gssapi", "sequence", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "sequence", true)) {
 		gensec_gssapi_state->want_flags |= GSS_C_SEQUENCE_FLAG;
 	}
 
@@ -214,10 +213,10 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security,
 		talloc_free(gensec_gssapi_state);
 		return NT_STATUS_INTERNAL_ERROR;
 	}
-	if (lp_realm(lp_ctx) && *lp_realm(lp_ctx)) {
-		char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(lp_ctx));
+	if (lp_realm(gensec_security->lp_ctx) && *lp_realm(gensec_security->lp_ctx)) {
+		char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->lp_ctx));
 		if (!upper_realm) {
-			DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(lp_ctx)));
+			DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->lp_ctx)));
 			talloc_free(gensec_gssapi_state);
 			return NT_STATUS_NO_MEMORY;
 		}
@@ -231,7 +230,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security,
 	}
 
 	/* don't do DNS lookups of any kind, it might/will fail for a netbios name */
-	ret = gsskrb5_set_dns_canonicalize(lp_parm_bool(lp_ctx, NULL, "krb5", "set_dns_canonicalize", false));
+	ret = gsskrb5_set_dns_canonicalize(lp_parm_bool(gensec_security->lp_ctx, NULL, "krb5", "set_dns_canonicalize", false));
 	if (ret) {
 		DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n"));
 		talloc_free(gensec_gssapi_state);
@@ -240,7 +239,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security,
 
 	ret = smb_krb5_init_context(gensec_gssapi_state, 
 				    gensec_security->event_ctx,
-				    lp_ctx,
+				    gensec_security->lp_ctx,
 				    &gensec_gssapi_state->smb_krb5_context);
 	if (ret) {
 		DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
@@ -259,7 +258,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
 	struct cli_credentials *machine_account;
 	struct gssapi_creds_container *gcc;
 
-	nt_status = gensec_gssapi_start(gensec_security, global_loadparm);
+	nt_status = gensec_gssapi_start(gensec_security);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
@@ -298,7 +297,7 @@ static NTSTATUS gensec_gssapi_sasl_server_start(struct gensec_security *gensec_s
 	return nt_status;
 }
 
-static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_security, struct loadparm_context *lp_ctx)
+static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_security)
 {
 	struct gensec_gssapi_state *gensec_gssapi_state;
 	struct cli_credentials *creds = gensec_get_credentials(gensec_security);
@@ -324,7 +323,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	nt_status = gensec_gssapi_start(gensec_security, lp_ctx);
+	nt_status = gensec_gssapi_start(gensec_security);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
@@ -334,7 +333,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 	gensec_gssapi_state->gss_oid = gss_mech_krb5;
 
 	principal = gensec_get_target_principal(gensec_security);
-	if (principal && lp_client_use_spnego_principal(lp_ctx)) {
+	if (principal && lp_client_use_spnego_principal(gensec_security->lp_ctx)) {
 		name_type = GSS_C_NULL_OID;
 	} else {
 		principal = talloc_asprintf(gensec_gssapi_state, "%s@%s", 
@@ -380,11 +379,11 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_security, struct loadparm_context *lp_ctx)
+static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_security)
 {
 	NTSTATUS nt_status;
 	struct gensec_gssapi_state *gensec_gssapi_state;
-	nt_status = gensec_gssapi_client_start(gensec_security, lp_ctx);
+	nt_status = gensec_gssapi_client_start(gensec_security);
 
 	if (NT_STATUS_IS_OK(nt_status)) {
 		gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
@@ -1319,10 +1318,10 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 			talloc_free(mem_ctx);
 			return nt_status;
 		}
-	} else if (!lp_parm_bool(global_loadparm, NULL, "gensec", "require_pac", false)) {
+	} else if (!lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) {
 		DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
 			  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
-		nt_status = sam_get_server_info_principal(mem_ctx, global_loadparm, principal_string,
+		nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->lp_ctx, principal_string,
 							  &server_info);
 
 		if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1361,7 +1360,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 		}
 
 		cli_credentials_set_event_context(session_info->credentials, gensec_security->event_ctx);
-		cli_credentials_set_conf(session_info->credentials, global_loadparm);
+		cli_credentials_set_conf(session_info->credentials, gensec_security->lp_ctx);
 		/* Just so we don't segfault trying to get at a username */
 		cli_credentials_set_anonymous(session_info->credentials);
 		

source4/auth/gensec/gensec_krb5.c

@@ -116,7 +116,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 
 	talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy); 
 
-	if (cli_credentials_get_krb5_context(creds, global_loadparm, &gensec_krb5_state->smb_krb5_context)) {
+	if (cli_credentials_get_krb5_context(creds, gensec_security->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
 		talloc_free(gensec_krb5_state);
 		return NT_STATUS_INTERNAL_ERROR;
 	}
@@ -210,7 +210,7 @@ static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gen
 	return nt_status;
 }
 
-static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security, struct loadparm_context *lp_ctx)
+static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
 {
 	struct gensec_krb5_state *gensec_krb5_state;
 	krb5_error_code ret;
@@ -261,7 +261,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 	}
 	in_data.length = 0;
 	
-	if (principal && lp_client_use_spnego_principal(global_loadparm)) {
+	if (principal && lp_client_use_spnego_principal(gensec_security->lp_ctx)) {
 		krb5_principal target_principal;
 		ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
 				      &target_principal);
@@ -322,9 +322,9 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 	}
 }
 
-static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security, struct loadparm_context *lp_ctx)
+static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security)
 {
-	NTSTATUS nt_status = gensec_krb5_client_start(gensec_security, lp_ctx);
+	NTSTATUS nt_status = gensec_krb5_client_start(gensec_security);
 
 	if (NT_STATUS_IS_OK(nt_status)) {
 		struct gensec_krb5_state *gensec_krb5_state;
@@ -582,7 +582,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 						      KRB5_AUTHDATA_WIN2K_PAC, 
 						      &pac_data);
 	
-	if (ret && lp_parm_bool(global_loadparm, NULL, "gensec", "require_pac", false)) {
+	if (ret && lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) {
 		DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n",
 			  principal_string,
 			  smb_get_krb5_error_message(context, 
@@ -595,7 +595,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 		DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", 
 			  smb_get_krb5_error_message(context, 
 						     ret, mem_ctx)));
-		nt_status = sam_get_server_info_principal(mem_ctx, global_loadparm, principal_string,
+		nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->lp_ctx, principal_string,
 							  &server_info);
 		krb5_free_principal(context, client_principal);
 		free(principal_string);

source4/auth/gensec/schannel.c

@@ -120,7 +120,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 		}
 		
 		/* pull the session key for this client */
-		status = schannel_fetch_session_key(out_mem_ctx, global_loadparm, workstation, 
+		status = schannel_fetch_session_key(out_mem_ctx, gensec_security->lp_ctx, workstation, 
 						    domain, &creds);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
@@ -183,7 +183,7 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
 					 struct auth_session_info **_session_info) 
 {
 	struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
-	return auth_anonymous_session_info(state, global_loadparm, _session_info);
+	return auth_anonymous_session_info(state, gensec_security->lp_ctx, _session_info);
 }
 
 static NTSTATUS schannel_start(struct gensec_security *gensec_security)
@@ -218,8 +218,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS schannel_client_start(struct gensec_security *gensec_security, 
-				      struct loadparm_context *lp_ctx) 
+static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
 {
 	NTSTATUS status;
 	struct schannel_state *state;

source4/auth/gensec/spnego.c

@@ -47,7 +47,7 @@ struct spnego_state {
 };
 
 
-static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security, struct loadparm_context *lp_ctx)
+static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
 {
 	struct spnego_state *spnego_state;
 

source4/auth/ntlmssp/ntlmssp_client.c

@@ -181,7 +181,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 	if (gensec_ntlmssp_state->use_nt_response) {
 		flags |= CLI_CRED_NTLM_AUTH;
 	}
-	if (lp_client_lanman_auth(global_loadparm)) {
+	if (lp_client_lanman_auth(gensec_security->lp_ctx)) {
 		flags |= CLI_CRED_LANMAN_AUTH;
 	}
 
@@ -206,7 +206,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 	}
 	
 	if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) 
-	    && lp_client_lanman_auth(global_loadparm) && lm_session_key.length == 16) {
+	    && lp_client_lanman_auth(gensec_security->lp_ctx) && lm_session_key.length == 16) {
 		DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
 		if (lm_response.length == 24) {
 			SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data, 
@@ -285,8 +285,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security,
-				     struct loadparm_context *lp_ctx)
+NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 {
 	struct gensec_ntlmssp_state *gensec_ntlmssp_state;
 	NTSTATUS nt_status;
@@ -298,17 +297,17 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security,
 
 	gensec_ntlmssp_state->role = NTLMSSP_CLIENT;
 
-	gensec_ntlmssp_state->domain = lp_workgroup(lp_ctx);
+	gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->lp_ctx);
 
-	gensec_ntlmssp_state->unicode = lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "unicode", true);
+	gensec_ntlmssp_state->unicode = lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "unicode", true);
 
-	gensec_ntlmssp_state->use_nt_response = lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "send_nt_reponse", true);
+	gensec_ntlmssp_state->use_nt_response = lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "send_nt_reponse", true);
 
-	gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(lp_ctx) 
-					      && (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "allow_lm_key", false)
-						  || lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "lm_key", false)));
+	gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(gensec_security->lp_ctx) 
+					      && (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "allow_lm_key", false)
+						  || lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "lm_key", false)));
 
-	gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(lp_ctx);
+	gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(gensec_security->lp_ctx);
 
 	gensec_ntlmssp_state->expected_state = NTLMSSP_INITIAL;
 
@@ -316,27 +315,27 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security,
 		NTLMSSP_NEGOTIATE_NTLM |
 		NTLMSSP_REQUEST_TARGET;
 
-	if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "128bit", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "128bit", true)) {
 		gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;		
 	}
 
-	if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "56bit", false)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "56bit", false)) {
 		gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;		
 	}
 
-	if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "lm_key", false)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "lm_key", false)) {
 		gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
 	}
 
-	if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "keyexchange", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "keyexchange", true)) {
 		gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;		
 	}
 
-	if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "alwayssign", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "alwayssign", true)) {
 		gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;		
 	}
 
-	if (lp_parm_bool(lp_ctx, NULL, "ntlmssp_client", "ntlm2", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "ntlm2", true)) {
 		gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;		
 	} else {
 		/* apparently we can't do ntlmv2 if we don't do ntlm2 */

source4/auth/ntlmssp/ntlmssp_server.c

@@ -744,14 +744,14 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 	gensec_ntlmssp_state->role = NTLMSSP_SERVER;
 
 	gensec_ntlmssp_state->workstation = NULL;
-	gensec_ntlmssp_state->server_name = lp_netbios_name(global_loadparm);
+	gensec_ntlmssp_state->server_name = lp_netbios_name(gensec_security->lp_ctx);
 
-	gensec_ntlmssp_state->domain = lp_workgroup(global_loadparm);
+	gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->lp_ctx);
 
 	gensec_ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
 
-	gensec_ntlmssp_state->allow_lm_key = (lp_lanman_auth(global_loadparm) 
-					  && lp_parm_bool(global_loadparm, NULL, "ntlmssp_server", "allow_lm_key", false));
+	gensec_ntlmssp_state->allow_lm_key = (lp_lanman_auth(gensec_security->lp_ctx) 
+					  && lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "allow_lm_key", false));
 
 	gensec_ntlmssp_state->server_multiple_authentications = false;
 	
@@ -762,23 +762,23 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 	gensec_ntlmssp_state->nt_resp = data_blob(NULL, 0);
 	gensec_ntlmssp_state->encrypted_session_key = data_blob(NULL, 0);
 
-	if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_server", "128bit", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "128bit", true)) {
 		gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;		
 	}
 
-	if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_server", "56bit", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "56bit", true)) {
 		gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;		
 	}
 
-	if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_server", "keyexchange", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "keyexchange", true)) {
 		gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;		
 	}
 
-	if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_server", "alwayssign", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "alwayssign", true)) {
 		gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;		
 	}
 
-	if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_server", "ntlm2", true)) {
+	if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "ntlm2", true)) {
 		gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;		
 	}
 
@@ -792,7 +792,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 	nt_status = auth_context_create(gensec_ntlmssp_state, 
 					gensec_security->event_ctx,
 					gensec_security->msg_ctx,
-					global_loadparm,
+					gensec_security->lp_ctx,
 					&gensec_ntlmssp_state->auth_context);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
@@ -800,7 +800,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 	gensec_ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
 	gensec_ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
 	gensec_ntlmssp_state->check_password = auth_ntlmssp_check_password;
-	gensec_ntlmssp_state->server_role = lp_server_role(global_loadparm);
+	gensec_ntlmssp_state->server_role = lp_server_role(gensec_security->lp_ctx);
 
 	return NT_STATUS_OK;
 }

source4/auth/session.c

@@ -29,11 +29,12 @@
 #include "auth/credentials/credentials.h"
 #include "param/param.h"
 
-struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx) 
+struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, 
+					    struct loadparm_context *lp_ctx) 
 {
 	NTSTATUS nt_status;
 	struct auth_session_info *session_info = NULL;
-	nt_status = auth_anonymous_session_info(mem_ctx, global_loadparm, &session_info);
+	nt_status = auth_anonymous_session_info(mem_ctx, lp_ctx, &session_info);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return NULL;
 	}

source4/cldap_server/cldap_server.c

@@ -181,7 +181,7 @@ static void cldapd_task_init(struct task_server *task)
 	}
 
 	cldapd->task = task;
-	cldapd->samctx = samdb_connect(cldapd, task->lp_ctx, anonymous_session(cldapd));
+	cldapd->samctx = samdb_connect(cldapd, task->lp_ctx, anonymous_session(cldapd, task->lp_ctx));
 	if (cldapd->samctx == NULL) {
 		task_server_terminate(task, "cldapd failed to open samdb");
 		return;

source4/kdc/kpasswdd.c

@@ -458,7 +458,7 @@ bool kpasswdd_process(struct kdc_server *kdc,
 	ap_req = data_blob_const(&input->data[header_len], ap_req_len);
 	krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len);
 	
-	nt_status = gensec_server_start(tmp_ctx, kdc->task->event_ctx, kdc->task->msg_ctx, &gensec_security);
+	nt_status = gensec_server_start(tmp_ctx, kdc->task->event_ctx, kdc->task->lp_ctx, kdc->task->msg_ctx, &gensec_security);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(tmp_ctx);
 		return false;

source4/ldap_server/ldap_bind.c

@@ -143,6 +143,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 
 		status = gensec_server_start(conn,
 					     conn->connection->event.ctx,
+					     global_loadparm,
 					     conn->connection->msg_ctx,
 					     &conn->gensec);
 		if (!NT_STATUS_IS_OK(status)) {

source4/libcli/ldap/ldap_bind.c

@@ -29,6 +29,7 @@
 #include "auth/gensec/socket.h"
 #include "auth/credentials/credentials.h"
 #include "lib/stream/packet.h"
+#include "param/param.h"
 
 struct ldap_simple_creds {
 	const char *dn;
@@ -217,7 +218,7 @@ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *cr
 		NULL 
 	};
 
-	status = gensec_client_start(conn, &conn->gensec, NULL);
+	status = gensec_client_start(conn, &conn->gensec, NULL, global_loadparm);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
 		goto failed;

source4/libcli/smb2/session.c

@@ -25,8 +25,9 @@
 #include "libcli/smb2/smb2_calls.h"
 #include "libcli/composite/composite.h"
 #include "auth/gensec/gensec.h"
+#include "param/param.h"
 
-/*
+/**
   initialise a smb2_session structure
  */
 struct smb2_session *smb2_session_init(struct smb2_transport *transport,
@@ -47,7 +48,8 @@ struct smb2_session *smb2_session_init(struct smb2_transport *transport,
 
 	/* prepare a gensec context for later use */
 	status = gensec_client_start(session, &session->gensec, 
-				     session->transport->socket->event.ctx);
+				     session->transport->socket->event.ctx, 
+				     global_loadparm);
 	if (!NT_STATUS_IS_OK(status)) {
 		talloc_free(session);
 		return NULL;
@@ -58,7 +60,7 @@ struct smb2_session *smb2_session_init(struct smb2_transport *transport,
 	return session;
 }
 
-/*
+/**
   send a session setup request
 */
 struct smb2_request *smb2_session_setup_send(struct smb2_session *session, 
@@ -91,7 +93,7 @@ struct smb2_request *smb2_session_setup_send(struct smb2_session *session,
 }
 
 
-/*
+/**
   recv a session setup reply
 */
 NTSTATUS smb2_session_setup_recv(struct smb2_request *req, TALLOC_CTX *mem_ctx, 

source4/libcli/smb_composite/sesssetup.c

@@ -365,7 +365,8 @@ static NTSTATUS session_setup_spnego(struct composite_context *c,
 
 	smbcli_temp_set_signing(session->transport);
 
-	status = gensec_client_start(session, &session->gensec, c->event_ctx);
+	status = gensec_client_start(session, &session->gensec, c->event_ctx,
+				     global_loadparm);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
 		return status;

source4/librpc/rpc/dcerpc_auth.c

@@ -25,6 +25,7 @@
 #include "libcli/composite/composite.h"
 #include "auth/gensec/gensec.h"
 #include "librpc/rpc/dcerpc.h"
+#include "param/param.h"
 
 /*
   return the rpc syntax and transfer syntax given the pipe uuid and version
@@ -238,7 +239,8 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 	sec = &p->conn->security_state;
 
 	c->status = gensec_client_start(p, &sec->generic_state,
-					p->conn->event_ctx);
+					p->conn->event_ctx,
+					global_loadparm);
 	if (!NT_STATUS_IS_OK(c->status)) {
 		DEBUG(1, ("Failed to start GENSEC client mode: %s\n",
 			  nt_errstr(c->status)));

source4/nbt_server/dgram/netlogon.c

@@ -53,7 +53,7 @@ static void nbtd_netlogon_getdc(struct dgram_mailslot_handler *dgmslot,
 		return;
 	}
 
-	samctx = samdb_connect(packet, global_loadparm, anonymous_session(packet));
+	samctx = samdb_connect(packet, global_loadparm, anonymous_session(packet, global_loadparm));
 	if (samctx == NULL) {
 		DEBUG(2,("Unable to open sam in getdc reply\n"));
 		return;
@@ -123,7 +123,7 @@ static void nbtd_netlogon_getdc2(struct dgram_mailslot_handler *dgmslot,
 		return;
 	}
 
-	samctx = samdb_connect(packet, global_loadparm, anonymous_session(packet));
+	samctx = samdb_connect(packet, global_loadparm, anonymous_session(packet, global_loadparm));
 	if (samctx == NULL) {
 		DEBUG(2,("Unable to open sam in getdc reply\n"));
 		return;

source4/nbt_server/nbt_server.c

@@ -28,6 +28,7 @@
 #include "lib/socket/netif.h"
 #include "auth/auth.h"
 #include "dsdb/samdb/samdb.h"
+#include "param/param.h"
 
 /*
   startup the nbtd task
@@ -62,7 +63,7 @@ static void nbtd_task_init(struct task_server *task)
 		return;
 	}
 
-	nbtsrv->sam_ctx = samdb_connect(nbtsrv, task->lp_ctx, anonymous_session(nbtsrv));
+	nbtsrv->sam_ctx = samdb_connect(nbtsrv, task->lp_ctx, anonymous_session(nbtsrv, global_loadparm));
 	if (nbtsrv->sam_ctx == NULL) {
 		task_server_terminate(task, "nbtd failed to open samdb");
 		return;

source4/param/loadparm.c

@@ -2468,7 +2468,7 @@ bool lp_load(const char *filename)
 		lp_do_global_parameter(lp_ctx, "wins server", "127.0.0.1");
 	}
 
-	init_iconv();
+	close_iconv();
 
 	return bRetval;
 }

source4/rpc_server/common/server_info.c

@@ -118,7 +118,7 @@ _PUBLIC_ uint32_t dcesrv_common_get_server_type(TALLOC_CTX *mem_ctx, struct dces
 				break;
 			}
 			/* open main ldb */
-			samctx = samdb_connect(tmp_ctx, global_loadparm, anonymous_session(tmp_ctx));
+			samctx = samdb_connect(tmp_ctx, global_loadparm, anonymous_session(tmp_ctx, global_loadparm));
 			if (samctx == NULL) {
 				DEBUG(2,("Unable to open samdb in determining server announce flags\n"));
 			} else {

source4/rpc_server/dcesrv_auth.c

@@ -59,7 +59,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 		return false;
 	}
 
-	status = gensec_server_start(dce_conn, call->event_ctx, call->msg_ctx, &auth->gensec_security);
+	status = gensec_server_start(dce_conn, call->event_ctx, global_loadparm, call->msg_ctx, &auth->gensec_security);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to start GENSEC for DCERPC server: %s\n", nt_errstr(status)));
 		return false;

source4/smb_server/smb/negprot.c

@@ -352,6 +352,7 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice)
 
 		nt_status = gensec_server_start(req->smb_conn,
 						req->smb_conn->connection->event.ctx,
+						global_loadparm,
 						req->smb_conn->connection->msg_ctx,
 						&gensec_security);
 		if (!NT_STATUS_IS_OK(nt_status)) {

source4/smb_server/smb/sesssetup.c

@@ -380,6 +380,7 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
 
 		status = gensec_server_start(req,
 					     req->smb_conn->connection->event.ctx,
+					     global_loadparm,
 					     req->smb_conn->connection->msg_ctx,
 					     &gensec_ctx);
 		if (!NT_STATUS_IS_OK(status)) {

source4/smb_server/smb2/negprot.c

@@ -39,6 +39,7 @@ static NTSTATUS smb2srv_negprot_secblob(struct smb2srv_request *req, DATA_BLOB *
 
 	nt_status = gensec_server_start(req,
 					req->smb_conn->connection->event.ctx,
+					global_loadparm,
 					req->smb_conn->connection->msg_ctx,
 					&gensec_security);
 	if (!NT_STATUS_IS_OK(nt_status)) {

source4/smb_server/smb2/sesssetup.c

@@ -28,6 +28,7 @@
 #include "smb_server/service_smb_proto.h"
 #include "smb_server/smb2/smb2_server.h"
 #include "smbd/service_stream.h"
+#include "param/param.h"
 
 static void smb2srv_sesssetup_send(struct smb2srv_request *req, union smb_sesssetup *io)
 {
@@ -121,6 +122,7 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses
 
 		status = gensec_server_start(req,
 					     req->smb_conn->connection->event.ctx,
+					     global_loadparm,
 					     req->smb_conn->connection->msg_ctx,
 					     &gensec_ctx);
 		if (!NT_STATUS_IS_OK(status)) {

source4/smbd/process_standard.c

@@ -195,9 +195,9 @@ _NORETURN_ static void standard_terminate(struct event_context *ev, const char *
 {
 	DEBUG(2,("standard_terminate: reason[%s]\n",reason));
 
-	/* this init_iconv() has the effect of freeing the iconv context memory,
+	/* this close_iconv() has the effect of freeing the iconv context memory,
 	   which makes leak checking easier */
-	init_iconv();
+	close_iconv();
 
 	/* the secrets db should really hang off the connection structure */
 	secrets_shutdown();

source4/torture/auth/ntlmssp.c

@@ -32,7 +32,7 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx)
 	TALLOC_CTX *mem_ctx = tctx;
 
 	torture_assert_ntstatus_ok(tctx, 
-		gensec_client_start(mem_ctx, &gensec_security, NULL),
+		gensec_client_start(mem_ctx, &gensec_security, NULL, tctx->lp_ctx),
 		"gensec client start");
 
 	gensec_set_credentials(gensec_security, cmdline_credentials);
@@ -86,7 +86,7 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx)
 	talloc_free(gensec_security);
 
 	torture_assert_ntstatus_ok(tctx, 
-		gensec_client_start(mem_ctx, &gensec_security, NULL),
+		gensec_client_start(mem_ctx, &gensec_security, NULL, tctx->lp_ctx),
 		"Failed to start GENSEC for NTLMSSP");
 
 	gensec_set_credentials(gensec_security, cmdline_credentials);

source4/torture/masktest.c

@@ -309,7 +309,7 @@ static void usage(void)
 
 	seed = time(NULL);
 
-	init_iconv();
+	close_iconv();
 
 	while ((opt = getopt(argc, argv, "n:d:U:s:hm:f:aoW:M:vEl:")) != EOF) {
 		switch (opt) {

source4/torture/smbtorture.c

@@ -50,7 +50,7 @@ static bool run_matching(struct torture_context *torture,
 		for (o = torture_root->children; o; o = o->next) {
 			if (gen_fnmatch(expr, o->name) == 0) {
 				*matched = true;
-				init_iconv();
+				close_iconv();
 				ret &= torture_run_suite(torture, o);
 				continue;
 			}
@@ -67,7 +67,7 @@ static bool run_matching(struct torture_context *torture,
 
 			if (gen_fnmatch(expr, name) == 0) {
 				*matched = true;
-				init_iconv();
+				close_iconv();
 				torture->active_testname = talloc_strdup(torture, prefix);
 				ret &= torture_run_suite(torture, c);
 				free(name);
@@ -83,7 +83,7 @@ static bool run_matching(struct torture_context *torture,
 			asprintf(&name, "%s-%s", prefix, t->name);
 			if (gen_fnmatch(expr, name) == 0) {
 				*matched = true;
-				init_iconv();
+				close_iconv();
 				torture->active_testname = talloc_strdup(torture, prefix);
 				ret &= torture_run_tcase(torture, t);
 				talloc_free(torture->active_testname);

source4/utils/ntlm_auth.c

@@ -458,7 +458,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 		case NTLMSSP_CLIENT_1:
 			/* setup the client side */
 
-			nt_status = gensec_client_start(NULL, &state->gensec_state, NULL);
+			nt_status = gensec_client_start(NULL, &state->gensec_state, NULL, lp_ctx);
 			if (!NT_STATUS_IS_OK(nt_status)) {
 				exit(1);
 			}
@@ -474,7 +474,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 			if (!msg) {
 				exit(1);
 			}
-			if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, msg, &state->gensec_state))) {
+			if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, lp_ctx, msg, &state->gensec_state))) {
 				exit(1);
 			}
 			break;